MidasBootloader
Accessing the bootloader console

With a serial console connected, press the volume down button during boot and press Enter at least four times on the serial console; S-Boot aborts autoboot and drops to a shell. No password or other credential is asked for:
```
PMIC rev = PASS2(4)
BUCK1OUT(vdd_mif) = 0x05
BUCK3DVS1(vdd_int) = 0x20
[MMC] there are pending interrupts 0x00010000
cardtype: 0x00000007
SB_MMC_HS_52MHZ_1_8V_3V_IO
mmc->card_caps: 0x00000311
mmc->host_caps: 0x00000311
mmc_initialize: mmc->capacity = 30777344

Samsung S-Boot 4.0-2836504 for GT-I9300 (Jun 15 2015 - 22:47:58)
EXYNOS4412(EVT 1.1) / 1022MB / 15028MB / Rev 12 / I9300XXUGOF1 /(PKG_ID 0x7050008)
 - read_bl1
pit_check_signature (PIT) valid.
initialize_ddi_data: usable! (3:0xf)
PARAM ENV VERSION: v1.0..
set_charger_current: chg curr(3f), in curr(17)
set_charger_state: buck(1), chg(1), reg(0x05)
microusb_get_attached_device: STATUS1:0x3d, 2:0x00
set_auto_current: ta_state(0), curr(1000)
init_fuelgauge: fuelgauge power ok
init_fuelgauge: POR status
fuelgauge_por: POR start: vcell(4081), vfocv(4188), soc(100)
fuelgauge_por: update SDI M0 parameter
fuelgauge_por: RCOMP(0x0065), TEMPCO(0x0930)
fuelgauge_por: POR finish: vcell(4079), vfocv(4310), soc(88)
get_table_soc: vcell(4077) is caculated to t-soc(84.590)
init_fuelgauge: start: vcell(4077), vfocv(4301), soc(88), table soc(84)
init_fuelgauge: finish: vcell(4077), vfocv(4301), soc(88), table soc(84)
init_microusb_ic: MUIC: CONTROL1:0x1b
init_microusb_ic: MUIC: CONTROL1:0x1b
init_microusb_ic: MUIC: CONTROL2:0x3b
init_microusb_ic: MUIC: CONTROL2:0x3b
PMIC_ID = 0x02
PMIC_IRQSRC = 0x00
PMIC_IRQ1 = 0x06
PMIC_IRQ2 = 0x00
PMIC_IRQ1M = 0xc0
PMIC_IRQ2M = 0x03
PMIC_STATUS1 = 0x11
PMIC_STATUS2 = 0x00
PMIC_PWRON = 0x03
PMIC_RTCINT = 0x00
PMIC_RTCINTM = 0x3f
s5p_check_keypad: 0x1100000
s5p_check_reboot_mode: INFORM3 = 0 ... skip
s5p_check_upload: MAGIC(0x277b3bbf), RST_STAT(0x10000)
microusb_get_attached_device: STATUS1:0x3d, 2:0x00
s5p_check_download: 0
microusb_get_attached_device: STATUS1:0x3d, 2:0x00
check_pm_status: non chargable jig, bypass check power
cmu_div:1, div:7, src_clk:800000000, pixel_clk:57153600
s5p_dsim_display_config : VIDEO MODE
a2, 60, 90,
autoboot aborted..
S-BOOT #
S-BOOT #
S-BOOT #
S-BOOT #
S-BOOT #
S-BOOT #
S-BOOT #
S-BOOT #
S-BOOT #
S-BOOT # help
Following commands are supported:
 * chipinfo
 * help
 * log
 * load_kernel
 * boot
 * reset
 * findenv
 * saveenv
 * setenv
 * printenv
 * checksum_need
 * usb
 * upload
 * keyread
 * readadc
 * printcsd
 * rpmbwritedata
 * rpmbreadcount
 * rpmbsetkey
 * rpmbclose
 * rpmbopen
 * sdcard_read
 * sdcard
 * fuelgauge
 * usb_write
 * usb_read
To get commands help, Type "help <command>"
S-BOOT #
```
Available commands
Here's the known list of commands:
```
S-BOOT # help
Following commands are supported:
 * chipinfo
 * help
 * log
 * load_kernel
 * boot
 * reset
 * findenv
 * saveenv
 * setenv
 * printenv
 * checksum_need
 * usb
 * upload
 * keyread
 * readadc
 * printcsd
 * rpmbwritedata
 * rpmbreadcount
 * rpmbsetkey
 * rpmbclose
 * rpmbopen
 * sdcard_read
 * sdcard
 * fuelgauge
 * usb_write
 * usb_read
To get commands help, Type "help <command>"
S-BOOT #
```
And the respective help:
```
S-BOOT # help chipinfo
 * Help : chipinfo
 * Usage : display exynos chip info.
S-BOOT # help help
 * Help : help
 * Usage : help [command]
S-BOOT # help log
 * Help : log
 * Usage : *usage : log
S-BOOT # help load_kernel
 * Help : load_kernel
 * Usage : load kernel image..
S-BOOT # help boot
 * Help : boot
 * Usage : boot [kernel options]
Boot Linux with optional kernel options
S-BOOT # help reset
 * Help : reset
 * Usage : reboot
Reboot system
S-BOOT # help findenv
 * Help : findenv
 * Usage : findenv [filename]
S-BOOT # help saveenv
 * Help : saveenv
 * Usage : saveenv
S-BOOT # help setenv
 * Help : setenv
 * Usage : setenv [name] [value]
S-BOOT # help printenv
 * Help : printenv
 * Usage : printenv
S-BOOT # help checksum_need
 * Help : checksum_need
 * Usage : Setting checksum need. 0 or 1
S-BOOT # help usb
 * Help : usb
 * Usage : usb download command.
S-BOOT # help upload
 * Help : upload
 * Usage : usb upload command.
S-BOOT # help keyread
 * Help : keyread
 * Usage : *Usage : keyread
S-BOOT # help readadc
 * Help : readadc
 * Usage : *usage : readadc <channel>
S-BOOT # help printcsd
 * Help : printcsd
 * Usage : printcsd
S-BOOT # help rpmbwritedata
 * Help : rpmbwritedata
 * Usage : rpmbwritedata [data]
S-BOOT # help rpmbreadcount
 * Help : rpmbreadcount
 * Usage : rpmbreadcount
S-BOOT # help rpmbsetkey
 * Help : rpmbsetkey
 * Usage : rpmbsetkey [key]
S-BOOT # help rpmbclose
 * Help : rpmbclose
 * Usage : rpmbclose
S-BOOT # help rpmbopen
 * Help : rpmbopen
 * Usage : rpmbopen
S-BOOT # help sdcard_read
 * Help : sdcard_read
 * Usage : sdcard_read test command
S-BOOT # help sdcard
 * Help : sdcard
 * Usage : sdcard test command
S-BOOT # help fuelgauge
 * Help : fuelgauge
 * Usage : *usage : fuelgauge
S-BOOT # help usb_write
 * Help : usb_write
 * Usage : usb_write reg, val
Read the usb ic register
S-BOOT # help usb_read
 * Help : usb_read
 * Usage : usb_read reg
Read the usb ic register
S-BOOT #
```

The rpmb* commands deserve a second look: the eMMC's Replay Protected Memory Block is normally reserved for trusted code, and its authentication key can only be programmed once per chip, so an rpmbsetkey or rpmbwritedata reachable from an unauthenticated serial shell is not something to try casually. What these commands actually do on this device has not been tested here.
Changing the kernel commandline arguments

By default the CMDLINE variable is console=ram loglevel=4:

```
S-BOOT # printenv
: REBOOT_MODE: 0
: SWITCH_SEL: 1
: DEBUG_LEVEL: 20300
: SUD_MODE: 0
: DN_ERROR: 0
: CHECKSUM: 3
: INT_RSVD6: 1
: INT_RSVD7: 0
: INT_RSVD8: 0
: INT_RSVD9: 0
: CMDLINE: console=ram loglevel=4
: STR_RSVD1: (null)
: STR_RSVD2: (null)
```
If we change it with setenv, commit it with saveenv and reboot with reset:

```
S-BOOT # setenv CMDLINE console=ram loglevel=8
argv[0]: setenv
argv[1]: CMDLINE
argv[2]: console=ram loglevel=8
S-BOOT # printenv
: REBOOT_MODE: 0
: SWITCH_SEL: 1
: DEBUG_LEVEL: 20300
: SUD_MODE: 0
: DN_ERROR: 0
: CHECKSUM: 3
: INT_RSVD6: 1
: INT_RSVD7: 0
: INT_RSVD8: 0
: INT_RSVD9: 0
: CMDLINE: console=ram loglevel=8
: STR_RSVD1: (null)
: STR_RSVD2: (null)
S-BOOT # saveenv
S-BOOT # reset
s5p_restart_handler ('N':null)
PMIC rev = PASS2(4)
[...]
```
then after boot the kernel command line has changed. Note that S-Boot prepends its own fixed arguments (console=ttySAC2,115200 consoleblank=0 androidboot.hardware=smdk4x12) and appends the contents of CMDLINE after them:

```
$ adb root
$ adb shell
root@i9300:/ # cat /proc/cmdline
console=ttySAC2,115200 consoleblank=0 androidboot.hardware=smdk4x12 console=ram loglevel=8 [...]
```
After a complete power off (with the battery removed) and power on, the modified CMDLINE is still there, so saveenv writes the environment to persistent storage rather than just RAM. Since reaching the shell needs no credentials, anyone with access to the serial port for a few seconds can make a persistent change to the kernel's boot arguments this way:

```
S-BOOT # printenv
: REBOOT_MODE: 0
: SWITCH_SEL: 1
: DEBUG_LEVEL: 20300
: SUD_MODE: 0
: DN_ERROR: 0
: CHECKSUM: 3
: INT_RSVD6: 1
: INT_RSVD7: 0
: INT_RSVD8: 0
: INT_RSVD9: 0
: CMDLINE: console=ram loglevel=8
: STR_RSVD1: (null)
: STR_RSVD2: (null)
```
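The whole procedure (abort autoboot, read and change CMDLINE, saveenv, reset, read it back) as a small Python driver. This is an added example, not code from this wiki or from the Replicant project: it talks to any object with read()/write(), such as a pyserial port on the phone's UART, or the FakePort included here, which is a constructed stand-in scripted from the transcripts on this page (the `S-BOOT # ` prompt, the four Enter presses, the `: NAME: value` printenv format, the `(null)` placeholder). The FakePort's assumption that setenv only changes the RAM copy and that saveenv is what persists it is ours; the page only shows the setenv + saveenv sequence surviving a reset.

```python
import re
import time

PROMPT = b"S-BOOT # "
ENV_LINE = re.compile(r"^: (\w+): (.*)$")

# Constructed sample (abridged): the printenv output captured on this page.
SAMPLE_PRINTENV = """\
: REBOOT_MODE: 0
: DEBUG_LEVEL: 20300
: CMDLINE: console=ram loglevel=4
: STR_RSVD1: (null)
"""


def parse_printenv(text):
    """Turn S-Boot's ': NAME: value' lines into a dict; '(null)' becomes None."""
    env = {}
    for line in text.splitlines():
        m = ENV_LINE.match(line.strip())
        if m:
            env[m.group(1)] = None if m.group(2) == "(null)" else m.group(2)
    return env


class SBootConsole:
    """`port` needs read(n) -> bytes and write(bytes): pyserial's
    Serial("/dev/ttyUSB0", 115200, timeout=0.1), or the FakePort below."""

    def __init__(self, port, timeout=10.0):
        self.port, self.timeout = port, timeout

    def abort_autoboot(self):
        # Press Enter repeatedly while the boot log scrolls (volume down must be
        # pressed on the phone); S-Boot prompts after at least four presses.
        seen, deadline = b"", time.monotonic() + self.timeout
        while not seen.endswith(PROMPT):
            if time.monotonic() > deadline:
                return False
            self.port.write(b"\r")
            seen += self.port.read(4096)
        return True

    def run(self, cmd, wait=True):
        # Send one command; return its output minus the echoed line and the prompt.
        # wait=False is for `reset`, after which no prompt comes back.
        self.port.write(cmd.encode() + b"\r")
        buf, deadline = b"", time.monotonic() + self.timeout
        while wait and not buf.endswith(PROMPT):
            chunk = self.port.read(4096)
            buf += chunk
            if not chunk and time.monotonic() > deadline:
                raise TimeoutError("no S-BOOT prompt after %r" % cmd)
        out = buf[:-len(PROMPT)].decode(errors="replace").lstrip()
        return out[len(cmd):].strip() if out.startswith(cmd) else out.strip()

    def printenv(self):
        return parse_printenv(self.run("printenv"))

    def reboot(self):
        self.run("reset", wait=False)
        return self.abort_autoboot()


class FakePort:
    """Constructed stand-in for the serial port, scripted from this page's session.
    It assumes setenv only changes the RAM copy and saveenv is what persists it."""

    BOOT_LOG = b"PMIC rev = PASS2(4)\r\nSamsung S-Boot 4.0-2836504 for GT-I9300\r\n"

    def __init__(self, env):
        self.saved = dict(env)
        self._power_on()

    def _power_on(self):
        self.env, self.enters, self.pending = dict(self.saved), 0, self.BOOT_LOG

    def read(self, n):
        data, self.pending = self.pending[:n], self.pending[n:]
        return data

    def write(self, data):
        argv = data.decode().strip().split(None, 2)
        if not argv:  # an Enter press
            self.enters += 1
            if self.enters == 4:
                self.pending += b"autoboot aborted..\r\n"
            if self.enters >= 4:
                self.pending += PROMPT
            return
        out = " ".join(argv) + "\r\n"  # the shell echoes what was typed
        if argv[0] == "printenv":
            out += "".join(": %s: %s\r\n" % (k, "(null)" if v is None else v)
                           for k, v in self.env.items())
        elif argv[0] == "setenv" and len(argv) == 3:
            self.env[argv[1]] = argv[2]
        elif argv[0] == "saveenv":
            self.saved = dict(self.env)
        elif argv[0] == "reset":
            self._power_on()
            return
        self.pending += out.encode() + PROMPT
```

Comparing `printenv()["CMDLINE"]` against a known-good baseline after a device has been out of your hands is a cheap tamper check, precisely because the shell that can change it asks for nothing before doing so.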
Other commands

```
S-BOOT # chipinfo
5VF4_0023_0190_0178
```
log prints the bootloader's log buffer, including the commands typed so far and their output:
```
S-BOOT # log
PMIC rev = PASS2(4)
BUCK1OUT(vdd_mif) = 0x05
BUCK3DVS1(vdd_int) = 0x20
[MMC] there are pending interrupts 0x00010000
cardtype: 0x00000007
SB_MMC_HS_52MHZ_1_8V_3V_IO
mmc->card_caps: 0x00000311
mmc->host_caps: 0x00000311
mmc_initialize: mmc->capacity = 30777344

Samsung S-Boot 4.0-2836504 for GT-I9300 (Jun 15 2015 - 22:47:58)
EXYNOS4412(EVT 1.1) / 1022MB / 15028MB / Rev 12 / I9300XXUGOF1 /(PKG_ID 0x7050008)
 - read_bl1
pit_check_signature (PIT) valid.
initialize_ddi_data: usable! (3:0xf)
PARAM ENV VERSION: v1.0..
set_charger_current: chg curr(3f), in curr(17)
set_charger_state: buck(1), chg(1), reg(0x05)
microusb_get_attached_device: STATUS1:0x3d, 2:0x00
set_auto_current: ta_state(0), curr(1000)
init_fuelgauge: fuelgauge power ok
init_fuelgauge: POR status
fuelgauge_por: POR start: vcell(4146), vfocv(4256), soc(108)
fuelgauge_por: update SDI M0 parameter
fuelgauge_por: RCOMP(0x0065), TEMPCO(0x0930)
fuelgauge_por: POR finish: vcell(4140), vfocv(4405), soc(94)
get_table_soc: vcell(4138) is caculated to t-soc(89.939)
init_fuelgauge: start: vcell(4138), vfocv(4396), soc(94), table soc(89)
init_fuelgauge: finish: vcell(4138), vfocv(4396), soc(94), table soc(89)
init_microusb_ic: MUIC: CONTROL1:0x1b
init_microusb_ic: MUIC: CONTROL1:0x1b
init_microusb_ic: MUIC: CONTROL2:0x3b
init_microusb_ic: MUIC: CONTROL2:0x3b
PMIC_ID = 0x02
PMIC_IRQSRC = 0x00
PMIC_IRQ1 = 0x04
PMIC_IRQ2 = 0x00
PMIC_IRQ1M = 0xc0
PMIC_IRQ2M = 0x03
PMIC_STATUS1 = 0x10
PMIC_STATUS2 = 0x00
PMIC_PWRON = 0x02
PMIC_RTCINT = 0x10
PMIC_RTCINTM = 0x3f
s5p_check_keypad: 0x1000000
s5p_check_reboot_mode: INFORM3 = 0 ... skip
s5p_check_upload: MAGIC(0x275b3bbb), RST_STAT(0x10000)
microusb_get_attached_device: STATUS1:0x3d, 2:0x00
s5p_check_download: 0
microusb_get_attached_device: STATUS1:0x3d, 2:0x00
check_pm_status: non chargable jig, bypass check power
cmu_div:1, div:7, src_clk:800000000, pixel_clk:57153600
s5p_dsim_display_config : VIDEO MODE
a2, 60, 90,
autoboot aborted..
S-BOOT #
S-BOOT #
S-BOOT #
S-BOOT #
S-BOOT #
S-BOOT #
S-BOOT #
S-BOOT #
S-BOOT #
Following commands are supported:
 * chipinfo
 * help
 * log
 * load_kernel
 * boot
 * reset
 * findenv
 * saveenv
 * setenv
 * printenv
```
fuelgauge queries the battery fuel gauge: vcell and vfocv are the cell voltage and open-circuit voltage in millivolts, and soc is the state of charge in percent (not system on chip):

```
S-BOOT # fuelgauge
fuelgauge_cmd: vcell(4007), vfocv(4157), soc(86)
```
Boot modes

The kernel chooses the next boot mode by writing a magic value into the S5P_INFORM3 register just before rebooting; S-Boot reads it back early in the next boot (the s5p_check_reboot_mode: INFORM3 = 0 ... skip line in the logs above is that check, with nothing requested). sec-reboot.c has the following code:
```c
if (!strcmp(cmd, "fota"))
	writel(REBOOT_MODE_PREFIX | REBOOT_MODE_FOTA, S5P_INFORM3);
else if (!strcmp(cmd, "fota_bl"))
	writel(REBOOT_MODE_PREFIX | REBOOT_MODE_FOTA_BL, S5P_INFORM3);
else if (!strcmp(cmd, "recovery"))
	writel(REBOOT_MODE_PREFIX | REBOOT_MODE_RECOVERY, S5P_INFORM3);
else if (!strcmp(cmd, "bootloader"))
	writel(REBOOT_MODE_PREFIX | REBOOT_MODE_DOWNLOAD, S5P_INFORM3);
else if (!strcmp(cmd, "download"))
	writel(REBOOT_MODE_PREFIX | REBOOT_MODE_DOWNLOAD, S5P_INFORM3);
else if (!strcmp(cmd, "upload"))
	writel(REBOOT_MODE_PREFIX | REBOOT_MODE_UPLOAD, S5P_INFORM3);
else if (!strncmp(cmd, "debug", 5) && !kstrtoul(cmd + 5, 0, &value))
	writel(REBOOT_SET_PREFIX | REBOOT_SET_DEBUG | value, S5P_INFORM3);
else if (!strncmp(cmd, "swsel", 5) && !kstrtoul(cmd + 5, 0, &value))
	writel(REBOOT_SET_PREFIX | REBOOT_SET_SWSEL | value, S5P_INFORM3);
else if (!strncmp(cmd, "sud", 3) && !kstrtoul(cmd + 3, 0, &value))
	writel(REBOOT_SET_PREFIX | REBOOT_SET_SUD | value, S5P_INFORM3);
else if (!strncmp(cmd, "emergency", 9))
	writel(0, S5P_INFORM3);
else
	writel(REBOOT_MODE_PREFIX | REBOOT_MODE_NONE, S5P_INFORM3);
```
Each of them can be tested from a root shell with `reboot <rebootcommand>`. Here are the results:
| Device | Command | Comments |
|---|---|---|
| Galaxy SIII (GT-I9300) | fota | Reboots; adds bootmode=3 to the kernel command line (/proc/cmdline) |
| | fota_bl | Reboots; no kernel command line change; 'bl' might mean bootloader |
| | recovery | Reboots to the recovery |
| | bootloader | Reboots in Thor mode |
| | download | |
| | upload | Reboots; no kernel command line change |
| | debug | Reboots; no kernel command line change |
| | swsel | Reboots; no kernel command line change; might be related to the bootloader SWITCH_SEL variable |
| | sud | Reboots; no kernel command line change |
| | emergency | Reboots; no kernel command line change |

Two things follow from the code above. The kernel maps bootloader and download to the same REBOOT_MODE_DOWNLOAD value, so they should behave alike. And debug, swsel and sud expect a number glued to the command (the value passed to kstrtoul() is the rest of the string); kstrtoul() fails on an empty string, so the bare `reboot debug`, `reboot swsel` and `reboot sud` tested above never reach their branch and fall through to the final else, which is a plain reboot. That is consistent with the "no change" results, but it means those three rows test nothing about the set modes.
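The dispatch above as a pure function, added here so the INFORM3 values can be computed and decoded without a device. This is not Replicant's or Samsung's code. The REBOOT_MODE_* and REBOOT_SET_* numbers are not on this page: they are assumed from Samsung's Exynos4 sec-reboot.c and should be checked against the kernel tree in use. The kstrtoul() model is only as faithful as needed to show the behaviour that matters: an empty or non-numeric suffix is rejected, so `reboot debug` without a number ends up as REBOOT_MODE_NONE, while `reboot debug0x4f4c` or `reboot debug20300` produce a set value (20300 is 0x4f4c, the DEBUG_LEVEL shown by printenv earlier; treating that variable as the payload of a debug write is this example's assumption, not something the page establishes).

```python
# Constants assumed from Samsung's Exynos4 sec-reboot.c, not taken from this page.
REBOOT_MODE_PREFIX = 0x12345670
REBOOT_MODE_NONE = 0
REBOOT_MODES = {  # REBOOT_MODE_* numbers; bootloader and download share one
    "fota": 5, "fota_bl": 6, "recovery": 4, "bootloader": 1, "download": 1, "upload": 2,
}
REBOOT_SET_PREFIX = 0xABC00000
REBOOT_SETS = {"debug": 0x000D0000, "swsel": 0x000E0000, "sud": 0x000F0000}
ULONG_MAX = 0xFFFFFFFF  # unsigned long is 32 bits on this ARM kernel


def kstrtoul(s):
    """Model of the kernel's kstrtoul(s, 0, &v): the whole string must be one
    unsigned number, base auto-detected from a 0x / leading-0 prefix. Returns
    None for the failures that matter here: empty string, junk, sign, overflow."""
    s = s.rstrip("\n")
    if s.startswith("+"):
        s = s[1:]
    if not s or s[0] == "-" or any(c.isspace() or c == "_" for c in s):
        return None
    if s[:2].lower() == "0x":
        digits, base = s[2:], 16
    elif len(s) > 1 and s[0] == "0":
        digits, base = s[1:], 8
    else:
        digits, base = s, 10
    try:
        value = int(digits, base)
    except ValueError:
        return None
    return value if value <= ULONG_MAX else None


def inform3_for(cmd):
    """Value sec-reboot.c writes to S5P_INFORM3 for `reboot <cmd>`.
    A plain `reboot` reaches the kernel with cmd None or empty."""
    cmd = cmd or ""
    if cmd in REBOOT_MODES:
        return REBOOT_MODE_PREFIX | REBOOT_MODES[cmd]
    for prefix, flag in REBOOT_SETS.items():
        value = kstrtoul(cmd[len(prefix):]) if cmd.startswith(prefix) else None
        if value is not None:
            # The kernel ORs the raw value in; bits above 15 would clobber the flag.
            return (REBOOT_SET_PREFIX | flag | value) & ULONG_MAX
    if cmd.startswith("emergency"):
        return 0
    return REBOOT_MODE_PREFIX | REBOOT_MODE_NONE


def decode_inform3(value):
    """Inverse: (kind, payload), to read back a captured INFORM3 value."""
    if value == 0:
        return ("emergency", 0)
    if (value & 0xFFFFFFF0) == REBOOT_MODE_PREFIX:
        return ("mode", value & 0xF)
    if (value & 0xFFF00000) == REBOOT_SET_PREFIX:
        kinds = {flag: name for name, flag in REBOOT_SETS.items()}
        return (kinds.get(value & 0x000F0000, "set"), value & 0xFFFF)
    return ("unknown", value)
```

The base-10 default is easy to trip over: `reboot debug4f4c` is rejected (no 0x prefix, not a decimal number) and silently becomes a plain reboot, exactly like the bare commands in the table.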
See also

- Forensics acquisition - Analysis and circumvention of samsung secure boot enforced common criteria mode: it has a lot of background on Samsung bootloader modes, variable names, etc.
Updated by Denis 'GNUtoo' Carikli about 4 years ago · 21 revisions