board/bootstub.c

#define VERS_TAG 0x53524556
#define MIN_VERSION 2

// ********************* Includes *********************
#include "board/config.h"

#include "board/drivers/led.h"
#include "board/drivers/pwm.h"
#include "board/drivers/usb.h"

#include "board/early_init.h"
#include "board/provision.h"

#include "crypto/rsa.h"
#include "crypto/sha.h"

#include "board/obj/cert.h"
#include "board/obj/gitversion.h"
#include "board/flasher.h"

// cppcheck-suppress unusedFunction ; used in headers not included in cppcheck
void __initialize_hardware_early(void) {
  early_initialization();
}

void fail(void) {
  soft_flasher_start();
}

// know where to sig check
extern void *_app_start[];

int main(void) {
  // Init interrupt table
  init_interrupts(true);

  disable_interrupts();
  clock_init();
  detect_board_type();

#ifdef PANDA_JUNGLE
  current_board->set_panda_power(true);
#endif

  if (enter_bootloader_mode == ENTER_SOFTLOADER_MAGIC) {
    enter_bootloader_mode = 0;
    soft_flasher_start();
  }

  // validate length
  int len = (int)_app_start[0];
  if ((len < 8) || (len > (0x1000000 - 0x4000 - 4 - RSANUMBYTES))) goto fail;

  // compute SHA hash
  uint8_t digest[SHA_DIGEST_SIZE];
  SHA_hash(&_app_start[1], len-4, digest);

  // verify version, last bytes in the signed area
  uint32_t vers[2] = {0};
  memcpy(&vers, ((void*)&_app_start[0]) + len - sizeof(vers), sizeof(vers));
  if (vers[0] != VERS_TAG || vers[1] < MIN_VERSION) {
    goto fail;
  }

  // verify RSA signature
  if (RSA_verify(&release_rsa_key, ((void*)&_app_start[0]) + len, RSANUMBYTES, digest, SHA_DIGEST_SIZE)) {
    goto good;
  }

  // allow debug if built from source
#ifdef ALLOW_DEBUG
  if (RSA_verify(&debug_rsa_key, ((void*)&_app_start[0]) + len, RSANUMBYTES, digest, SHA_DIGEST_SIZE)) {
    goto good;
  }
#endif

// here is a failure
fail:
  fail();
  return 0;
good:
  // jump to flash
  ((void(*)(void)) _app_start[1])();
  return 0;
}
security upgrades (#397) * security upgrades * Gated DFU entry from debug console as well 2019-12-10 08:14:30 -08:00			`#define VERS_TAG 0x53524556`
			`#define MIN_VERSION 2`

Refactor HAL (#656) * Let refactoring begin! * Fix pedal build * Fix pedal safety tests * Forgot few TIM2 instances * Try this way with misra * More misras... * More misras... * Still fighting with misra blindfolded * Almost got it! * Last misra error.. * Last misra error.. * Misra works locally.. * Maybe this? * Looks like it was cppcheck bug, revert changes * Suggested changes and reverts * File structure change * revert includes * remove spaces * remove timer delay * endings * more typing * rename early to early_initialization * Remove delay_us * Revert RTC default values * Revert initialization sequence * Fix quotes * Revert * Return TIM6EN * Alias slow timer to TICK_TIMER * Refactor files structure * Remove definition of PANDA * Abstract timers * Fix include * tick_timer_init * Split usb driver * Move LL stuff: adc * Move LL stuff: usb * Fix include again... * Will check pedal builds also locally.. * Move LL stuff: CAN * Move LL stuff: clock * Rename common to peripherals and move * Move board HAL * Change include, not needed for pedal * llgpio to gpio and new lines fix * remove board_has_relay, not used * Remove board_functions.h and add to board struct * Move include * Fk MISRA... * has_onboard_gmlan to has_hw_gmlan * Typos * Move board_declarations include * Shuffle * More abstraction * fix paths, fix cppcheck test * Fix for pedal build with USB 2021-07-02 18:25:35 -07:00			`// ******************* Includes *******************`
Include from project root (#2232) * fix include paths * cleanup 2025-07-19 21:58:58 -07:00			`#include "board/config.h"`
initial commit 2017-04-06 18:11:36 -07:00
Include from project root (#2232) * fix include paths * cleanup 2025-07-19 21:58:58 -07:00			`#include "board/drivers/led.h"`
			`#include "board/drivers/pwm.h"`
			`#include "board/drivers/usb.h"`
Refactor HAL (#656) * Let refactoring begin! * Fix pedal build * Fix pedal safety tests * Forgot few TIM2 instances * Try this way with misra * More misras... * More misras... * Still fighting with misra blindfolded * Almost got it! * Last misra error.. * Last misra error.. * Misra works locally.. * Maybe this? * Looks like it was cppcheck bug, revert changes * Suggested changes and reverts * File structure change * revert includes * remove spaces * remove timer delay * endings * more typing * rename early to early_initialization * Remove delay_us * Revert RTC default values * Revert initialization sequence * Fix quotes * Revert * Return TIM6EN * Alias slow timer to TICK_TIMER * Refactor files structure * Remove definition of PANDA * Abstract timers * Fix include * tick_timer_init * Split usb driver * Move LL stuff: adc * Move LL stuff: usb * Fix include again... * Will check pedal builds also locally.. * Move LL stuff: CAN * Move LL stuff: clock * Rename common to peripherals and move * Move board HAL * Change include, not needed for pedal * llgpio to gpio and new lines fix * remove board_has_relay, not used * Remove board_functions.h and add to board struct * Move include * Fk MISRA... * has_onboard_gmlan to has_hw_gmlan * Typos * Move board_declarations include * Shuffle * More abstraction * fix paths, fix cppcheck test * Fix for pedal build with USB 2021-07-02 18:25:35 -07:00
Include from project root (#2232) * fix include paths * cleanup 2025-07-19 21:58:58 -07:00			`#include "board/early_init.h"`
			`#include "board/provision.h"`
remove some dumb prints 2017-07-29 18:16:08 -07:00
signing is coming along 2017-04-25 18:03:58 -07:00			`#include "crypto/rsa.h"`
			`#include "crypto/sha.h"`

Include from project root (#2232) * fix include paths * cleanup 2025-07-19 21:58:58 -07:00			`#include "board/obj/cert.h"`
			`#include "board/obj/gitversion.h"`
			`#include "board/flasher.h"`
add bootloader lock support 2017-04-27 20:32:16 -07:00
(almost) enable cppcheck unusedFunction (#1875) * remove some unused * more * kinda works * rest are false positives * disable for now * add back exhaustive 2024-02-17 14:16:15 -08:00			`// cppcheck-suppress unusedFunction ; used in headers not included in cppcheck`
Fix strict compiler on bootstub build 2019-07-07 15:05:47 -07:00			`void __initialize_hardware_early(void) {`
Refactor HAL (#656) * Let refactoring begin! * Fix pedal build * Fix pedal safety tests * Forgot few TIM2 instances * Try this way with misra * More misras... * More misras... * Still fighting with misra blindfolded * Almost got it! * Last misra error.. * Last misra error.. * Misra works locally.. * Maybe this? * Looks like it was cppcheck bug, revert changes * Suggested changes and reverts * File structure change * revert includes * remove spaces * remove timer delay * endings * more typing * rename early to early_initialization * Remove delay_us * Revert RTC default values * Revert initialization sequence * Fix quotes * Revert * Return TIM6EN * Alias slow timer to TICK_TIMER * Refactor files structure * Remove definition of PANDA * Abstract timers * Fix include * tick_timer_init * Split usb driver * Move LL stuff: adc * Move LL stuff: usb * Fix include again... * Will check pedal builds also locally.. * Move LL stuff: CAN * Move LL stuff: clock * Rename common to peripherals and move * Move board HAL * Change include, not needed for pedal * llgpio to gpio and new lines fix * remove board_has_relay, not used * Remove board_functions.h and add to board struct * Move include * Fk MISRA... * has_onboard_gmlan to has_hw_gmlan * Typos * Move board_declarations include * Shuffle * More abstraction * fix paths, fix cppcheck test * Fix for pedal build with USB 2021-07-02 18:25:35 -07:00			`early_initialization();`
initial commit 2017-04-06 18:11:36 -07:00			`}`

Fix strict compiler on bootstub build 2019-07-07 15:05:47 -07:00			`void fail(void) {`
write soft flasher 2017-07-24 15:16:22 -07:00			`soft_flasher_start();`
signing is coming along 2017-04-25 18:03:58 -07:00			`}`

fix bootstub 2017-07-22 14:28:11 -07:00			`// know where to sig check`
			`extern void *_app_start[];`

Fix strict compiler on bootstub build 2019-07-07 15:05:47 -07:00			`int main(void) {`
Revert "Revert "Register readback on most modules. Still need to convert the other ones (#396)"" This reverts commit 56ec215024d23681ed89cfbefeafb8ba200a664b. 2019-12-05 14:19:29 -08:00			`// Init interrupt table`
			`init_interrupts(true);`
Interrupt refactor (NVIC_SM_1: #334) and Fault handling (#377) (PR #373) 2019-11-27 18:11:21 -08:00
Gpio race condition fix (#263) * Fixed pedal not initializing * Interrupt changes * More changes 2019-08-28 12:53:51 -07:00			`disable_interrupts();`
add mock stuff for signing 2017-04-17 13:57:34 -07:00			`clock_init();`
Black (#254) * late usb * Added type support for black panda * Added harness presence and orientation detection * harness relay driving code * Added intercept support in black panda code. Switched around can0 and can2 * Disable ADCs after orientation detection. Ignition interrupts via harness * WIP: Hardware abstraction layer + black panda bringup * Fixed bootstub build * Fixed bootstub for pedal * Fixed infinite loops * Got CAN buses working on white again * Fixed pedal build and black can interfaces * Got CAN buses working on black panda * Finished loopback test for black panda * Erase all flash sectors on the panda. Increased binary limit. Added extra python functions. * Fixed python * Made new code MISRA compliant * Cleaned up ignition. Fixed build * Fixed health packet * Fixed CAN mode on black bug. Changed OBD to switch on ELM mode * Fixes from Github review * Fixed MISRA issue for pedal * Fixed failing gmlan tests * ELM327 safety: allow diagnostic on all buses * Cleaned up EON relay code * delete only 3 sectors instead of 11 to allow a new build to be flashed. Much faster to flash * Removed CAN only can0 output mode. Does not make sense on black panda due to reversibility issues. * Added heartbeat logic for EON code on panda. Go to NOOUTPUT if EON does not send a heartbeat for 5 seconds. * Remove all CAN buses live on EON startup. Shouldn't be necessary to have this separate case * Formatting * Added file I forgot to push * Added heartbeat to testing code to make sure EON tests don't fail. Should probably find a better way to do this though. Heartbeat thread didn't work, concurrent USB connection issues... * Safety: support black panda for Honda Bosch * Disable OBD2 if setting to NOOUTPUT mode * Run safety tests for all hw_types * Fail test if subtest fails * fix safety tests 2019-07-23 15:07:06 -07:00			`detect_board_type();`
wait up to 15 seconds, and detect rev c in bootstub 2017-08-25 12:02:26 -07:00
panda jungle (#1547) * mv jungle * match pedal style * fix linter * fix fw path * fix paths * safety! 2023-08-03 23:55:13 -07:00			`#ifdef PANDA_JUNGLE`
			`current_board->set_panda_power(true);`
			`#endif`

write soft flasher 2017-07-24 15:16:22 -07:00			`if (enter_bootloader_mode == ENTER_SOFTLOADER_MAGIC) {`
			`enter_bootloader_mode = 0;`
			`soft_flasher_start();`
			`}`

signing is coming along 2017-04-25 18:03:58 -07:00			`// validate length`
fix warnings in board build 2017-05-01 22:59:10 -07:00			`int len = (int)_app_start[0];`
add uart to spi flasher 2017-07-27 15:54:55 -07:00			`if ((len < 8) \|\| (len > (0x1000000 - 0x4000 - 4 - RSANUMBYTES))) goto fail;`
signing is coming along 2017-04-25 18:03:58 -07:00
			`// compute SHA hash`
fix warnings in board build 2017-05-01 22:59:10 -07:00			`uint8_t digest[SHA_DIGEST_SIZE];`
signature checking works on ST 2017-04-26 10:41:57 -07:00			`SHA_hash(&_app_start[1], len-4, digest);`
signing is coming along 2017-04-25 18:03:58 -07:00
security upgrades (#397) * security upgrades * Gated DFU entry from debug console as well 2019-12-10 08:14:30 -08:00			`// verify version, last bytes in the signed area`
			`uint32_t vers[2] = {0};`
			`memcpy(&vers, ((void*)&_app_start[0]) + len - sizeof(vers), sizeof(vers));`
			`if (vers[0] != VERS_TAG \|\| vers[1] < MIN_VERSION) {`
			`goto fail;`
			`}`

signing is coming along 2017-04-25 18:03:58 -07:00			`// verify RSA signature`
add release cert support 2017-04-28 15:06:01 -07:00			`if (RSA_verify(&release_rsa_key, ((void*)&_app_start[0]) + len, RSANUMBYTES, digest, SHA_DIGEST_SIZE)) {`
			`goto good;`
signature checking works on ST 2017-04-26 10:41:57 -07:00			`}`
add mock stuff for signing 2017-04-17 13:57:34 -07:00
okay, release stuff is good 2017-04-28 20:13:00 -07:00			`// allow debug if built from source`
			`#ifdef ALLOW_DEBUG`
			`if (RSA_verify(&debug_rsa_key, ((void*)&_app_start[0]) + len, RSANUMBYTES, digest, SHA_DIGEST_SIZE)) {`
			`goto good;`
add release cert support 2017-04-28 15:06:01 -07:00			`}`
okay, release stuff is good 2017-04-28 20:13:00 -07:00			`#endif`
add release cert support 2017-04-28 15:06:01 -07:00
			`// here is a failure`
add uart to spi flasher 2017-07-27 15:54:55 -07:00			`fail:`
add release cert support 2017-04-28 15:06:01 -07:00			`fail();`
add uart to spi flasher 2017-07-27 15:54:55 -07:00			`return 0;`
add release cert support 2017-04-28 15:06:01 -07:00			`good:`
add mock stuff for signing 2017-04-17 13:57:34 -07:00			`// jump to flash`
Fix strict compiler on bootstub build 2019-07-07 15:05:47 -07:00			`((void(*)(void)) _app_start[1])();`
initial commit 2017-04-06 18:11:36 -07:00			`return 0;`
			`}`