Optimus Black bootloader¶
- Table of contents
- Optimus Black bootloader
The Optimus Black comes with a bootrom and a set of two bootloaders. The bootrom is stored read-only on the OMAP3630 SoC chip. It loads the first bootloader, which loads the second bootloader.
More information on the booting sequence is available on the OMAP36xx Technical Reference Manual section 26 (Initialization).
Boot device priority¶
According to the OMAP36xx Technical Reference Manual, section 126.96.36.199 (Booting Device List Setup), the OMAP3630 platform will first choose devices to boot from based on the software booting configuration. If no valid software booting configuration is found, it will read the status of the SYS_BOOT pins to determine the boot device priority order.
Software booting configuration¶
According to the OMAP36xx Technical Reference Manual, section 188.8.131.52 (Software Booting Configuration), the software booting configuration is a data structure stored in scratchpad memory, at address 0x48002910. It is not cleared at reset and can be written with a valid structure before reboot, to take effect.
According to the OMAP36xx Technical Reference Manual, table 13-109 (CONTROL_STATUS), the CONTROL_STATUS register provides the values of the SYS_BOOT pins as sampled at reset time. It is located at address: 0x480022f0.
The register value can be read using:
$ devmem 0x480022f0 8 0x25
According to the OMAP36xx Technical Reference Manual, section 26.2.3 (Boot Configuration), the SYS_BOOT[5:0] pins are used to select the boot device priority. SYS_BOOT5 indicates whether peripheral booting is preferred.
According to the Optimus Black (P970) Service Manual:
Some of the resistors framed on the schematics were found not to be populated on the board. The actual layout is the following:
First boot device¶
According to the OMAP36xx Technical Reference Manual, section 26.2.3 (Boot Configuration), such a value (0x05) indicates MMC2 as first boot device and USB as second boot device.
With MMC2 as first boot device, there is no immediate and easy way to recover from flashing a non-functional bootloader. With that setup, the bootloader can only be updated from the bootloader itself or the running system, both of which require a working bootloader. This makes it nearly impossible to work on developing a bootloader, which may end up not working for unexpected reasons or during the initial bringup phase.
The easiest solution for a fail-proof boot method is to switch the boot device priority order to USB boot first. According to the OMAP36xx Technical Reference Manual, section 26.4.5 (Peripheral Booting), the bootrom allows loading an image from USB to the internal SRAM, at address 0x40200000 and will execute it in place. Note that the image must not have any header, unlike memory booting.
This can be achieved either by a temporary software-only solution or by a permanent hardware-only solution.
Loading an image via serial (UART3) is also possible, but given the necessity to solder connectors directly and the difficulty associated with it, this method is not described here.
Note that blanking the contents of MMC2 does not make the bootrom switch automatically to USB boot.
Temporary USB boot¶
The software booting configuration can be written to scratchpad memory to temporarily set the boot device priority to USB first, according to the OMAP36xx Technical Reference Manual, section 184.108.40.206 (Software Booting Configuration).
At this point, there is no readily available software that allows doing this from either the Android or GNU/Linux userspace.
Permanent USB boot¶
The boot device priority can be permanently switched to USB as first boot device and MMC2 as second boot device. This allows continuing a regular boot when USB is not connected or no image is loaded. Thus, the device can still be used regularly.
Note that permanently having USB as first boot device makes the device even more vulnerable to physical attacks, as it allows any attacker to run unverified code on the device.
On P970 devices, removing resistor R323 switches the SYS_BOOT value to 0x25, which indicates USB as first boot device and MMC2 as second boot device. The resistor is located according to the Optimus Black (P970) Service Manual:
The resistor is located on the board as shown:
As the resistor is very tiny, it is often easier to try to burn it instead of carefully removing it.
Note that USB boot is only effective at power-on reset and won't be triggered by a cold or warm reset.
These documents are the propriety of LG Electronics and Texas Instruments and are not hosted by the Replicant project.
However, some excerpts from these documents are provided, for the purpose of providing technical evidence of the facts that are mentioned in this page. We believe that this particular use of the copyrighted work is fair use.