panda/board/bootstub.c

#define BOOTSTUB

#define VERS_TAG 0x53524556
#define MIN_VERSION 2

// ********************* Includes *********************
#include "config.h"

#include "drivers/pwm.h"
#include "drivers/usb.h"

#include "early_init.h"
#include "provision.h"

#include "crypto/rsa.h"
#include "crypto/sha.h"

#include "obj/cert.h"
#include "obj/gitversion.h"
#include "flasher.h"

void __initialize_hardware_early(void) {
  early_initialization();
}

void fail(void) {
  soft_flasher_start();
}

// know where to sig check
extern void *_app_start[];

// FIXME: sometimes your panda will fail flashing and will quickly blink a single Green LED
// BOUNTY: $200 coupon on shop.comma.ai or $100 check.

int main(void) {
  // Init interrupt table
  init_interrupts(true);

  disable_interrupts();
  clock_init();
  detect_board_type();

  if (enter_bootloader_mode == ENTER_SOFTLOADER_MAGIC) {
    enter_bootloader_mode = 0;
    soft_flasher_start();
  }

  // validate length
  int len = (int)_app_start[0];
  if ((len < 8) || (len > (0x1000000 - 0x4000 - 4 - RSANUMBYTES))) goto fail;

  // compute SHA hash
  uint8_t digest[SHA_DIGEST_SIZE];
  SHA_hash(&_app_start[1], len-4, digest);

  // verify version, last bytes in the signed area
  uint32_t vers[2] = {0};
  memcpy(&vers, ((void*)&_app_start[0]) + len - sizeof(vers), sizeof(vers));
  if (vers[0] != VERS_TAG || vers[1] < MIN_VERSION) {
    goto fail;
  }

  // verify RSA signature
  if (RSA_verify(&release_rsa_key, ((void*)&_app_start[0]) + len, RSANUMBYTES, digest, SHA_DIGEST_SIZE)) {
    goto good;
  }

  // allow debug if built from source
#ifdef ALLOW_DEBUG
  if (RSA_verify(&debug_rsa_key, ((void*)&_app_start[0]) + len, RSANUMBYTES, digest, SHA_DIGEST_SIZE)) {
    goto good;
  }
#endif

// here is a failure
fail:
  fail();
  return 0;
good:
  // jump to flash
  ((void(*)(void)) _app_start[1])();
  return 0;
}
make flashing over SPI work 2017-04-29 10:32:09 +08:00			`#define BOOTSTUB`

security upgrades (#397) * security upgrades * Gated DFU entry from debug console as well 2019-12-11 00:14:30 +08:00			`#define VERS_TAG 0x53524556`
			`#define MIN_VERSION 2`

Refactor HAL (#656) * Let refactoring begin! * Fix pedal build * Fix pedal safety tests * Forgot few TIM2 instances * Try this way with misra * More misras... * More misras... * Still fighting with misra blindfolded * Almost got it! * Last misra error.. * Last misra error.. * Misra works locally.. * Maybe this? * Looks like it was cppcheck bug, revert changes * Suggested changes and reverts * File structure change * revert includes * remove spaces * remove timer delay * endings * more typing * rename early to early_initialization * Remove delay_us * Revert RTC default values * Revert initialization sequence * Fix quotes * Revert * Return TIM6EN * Alias slow timer to TICK_TIMER * Refactor files structure * Remove definition of PANDA * Abstract timers * Fix include * tick_timer_init * Split usb driver * Move LL stuff: adc * Move LL stuff: usb * Fix include again... * Will check pedal builds also locally.. * Move LL stuff: CAN * Move LL stuff: clock * Rename common to peripherals and move * Move board HAL * Change include, not needed for pedal * llgpio to gpio and new lines fix * remove board_has_relay, not used * Remove board_functions.h and add to board struct * Move include * Fk MISRA... * has_onboard_gmlan to has_hw_gmlan * Typos * Move board_declarations include * Shuffle * More abstraction * fix paths, fix cppcheck test * Fix for pedal build with USB 2021-07-03 09:25:35 +08:00			`// ******************* Includes *******************`
write soft flasher 2017-07-25 06:16:22 +08:00			`#include "config.h"`
initial commit 2017-04-07 09:11:36 +08:00
Uno (#274) * Added uno * Added usb switch support * Added PWM and IR power functions * Implemented bootkick * Added uno as a new hw type * Bumped version * Added fan control and tach readout * WIP: RTC support * Working RTC * Fixed python * Misra compliance * Added USB control messages for fan/IR power * Added USB commands + tests for fan & IR control. Fixed bootstub and pedal compilation * Added IR and fan to power saving mode * Changed defaults * Fix safety considering uno * passing safety now * Minor UNO tweaks * Fixed version * More minor temporary tweaks * Removed usb load switch from uno * Added power control for shutting down the fan completely * Disable IR LEDs by default * Fixed linter issue * Linter fix #2 2019-10-26 07:22:42 +08:00			`#include "drivers/pwm.h"`
write soft flasher 2017-07-25 06:16:22 +08:00			`#include "drivers/usb.h"`
Refactor HAL (#656) * Let refactoring begin! * Fix pedal build * Fix pedal safety tests * Forgot few TIM2 instances * Try this way with misra * More misras... * More misras... * Still fighting with misra blindfolded * Almost got it! * Last misra error.. * Last misra error.. * Misra works locally.. * Maybe this? * Looks like it was cppcheck bug, revert changes * Suggested changes and reverts * File structure change * revert includes * remove spaces * remove timer delay * endings * more typing * rename early to early_initialization * Remove delay_us * Revert RTC default values * Revert initialization sequence * Fix quotes * Revert * Return TIM6EN * Alias slow timer to TICK_TIMER * Refactor files structure * Remove definition of PANDA * Abstract timers * Fix include * tick_timer_init * Split usb driver * Move LL stuff: adc * Move LL stuff: usb * Fix include again... * Will check pedal builds also locally.. * Move LL stuff: CAN * Move LL stuff: clock * Rename common to peripherals and move * Move board HAL * Change include, not needed for pedal * llgpio to gpio and new lines fix * remove board_has_relay, not used * Remove board_functions.h and add to board struct * Move include * Fk MISRA... * has_onboard_gmlan to has_hw_gmlan * Typos * Move board_declarations include * Shuffle * More abstraction * fix paths, fix cppcheck test * Fix for pedal build with USB 2021-07-03 09:25:35 +08:00
			`#include "early_init.h"`
			`#include "provision.h"`
remove some dumb prints 2017-07-30 09:16:08 +08:00
signing is coming along 2017-04-26 09:03:58 +08:00			`#include "crypto/rsa.h"`
			`#include "crypto/sha.h"`

			`#include "obj/cert.h"`
Refactor HAL (#656) * Let refactoring begin! * Fix pedal build * Fix pedal safety tests * Forgot few TIM2 instances * Try this way with misra * More misras... * More misras... * Still fighting with misra blindfolded * Almost got it! * Last misra error.. * Last misra error.. * Misra works locally.. * Maybe this? * Looks like it was cppcheck bug, revert changes * Suggested changes and reverts * File structure change * revert includes * remove spaces * remove timer delay * endings * more typing * rename early to early_initialization * Remove delay_us * Revert RTC default values * Revert initialization sequence * Fix quotes * Revert * Return TIM6EN * Alias slow timer to TICK_TIMER * Refactor files structure * Remove definition of PANDA * Abstract timers * Fix include * tick_timer_init * Split usb driver * Move LL stuff: adc * Move LL stuff: usb * Fix include again... * Will check pedal builds also locally.. * Move LL stuff: CAN * Move LL stuff: clock * Rename common to peripherals and move * Move board HAL * Change include, not needed for pedal * llgpio to gpio and new lines fix * remove board_has_relay, not used * Remove board_functions.h and add to board struct * Move include * Fk MISRA... * has_onboard_gmlan to has_hw_gmlan * Typos * Move board_declarations include * Shuffle * More abstraction * fix paths, fix cppcheck test * Fix for pedal build with USB 2021-07-03 09:25:35 +08:00			`#include "obj/gitversion.h"`
Refactor flasher (#686) 2021-07-15 04:49:28 +08:00			`#include "flasher.h"`
add bootloader lock support 2017-04-28 11:32:16 +08:00
Fix strict compiler on bootstub build 2019-07-08 06:05:47 +08:00			`void __initialize_hardware_early(void) {`
Refactor HAL (#656) * Let refactoring begin! * Fix pedal build * Fix pedal safety tests * Forgot few TIM2 instances * Try this way with misra * More misras... * More misras... * Still fighting with misra blindfolded * Almost got it! * Last misra error.. * Last misra error.. * Misra works locally.. * Maybe this? * Looks like it was cppcheck bug, revert changes * Suggested changes and reverts * File structure change * revert includes * remove spaces * remove timer delay * endings * more typing * rename early to early_initialization * Remove delay_us * Revert RTC default values * Revert initialization sequence * Fix quotes * Revert * Return TIM6EN * Alias slow timer to TICK_TIMER * Refactor files structure * Remove definition of PANDA * Abstract timers * Fix include * tick_timer_init * Split usb driver * Move LL stuff: adc * Move LL stuff: usb * Fix include again... * Will check pedal builds also locally.. * Move LL stuff: CAN * Move LL stuff: clock * Rename common to peripherals and move * Move board HAL * Change include, not needed for pedal * llgpio to gpio and new lines fix * remove board_has_relay, not used * Remove board_functions.h and add to board struct * Move include * Fk MISRA... * has_onboard_gmlan to has_hw_gmlan * Typos * Move board_declarations include * Shuffle * More abstraction * fix paths, fix cppcheck test * Fix for pedal build with USB 2021-07-03 09:25:35 +08:00			`early_initialization();`
initial commit 2017-04-07 09:11:36 +08:00			`}`

Fix strict compiler on bootstub build 2019-07-08 06:05:47 +08:00			`void fail(void) {`
write soft flasher 2017-07-25 06:16:22 +08:00			`soft_flasher_start();`
signing is coming along 2017-04-26 09:03:58 +08:00			`}`

fix bootstub 2017-07-23 05:28:11 +08:00			`// know where to sig check`
			`extern void *_app_start[];`

Start introducing Bounties 2019-01-18 08:17:53 +08:00			`// FIXME: sometimes your panda will fail flashing and will quickly blink a single Green LED`
			`// BOUNTY: $200 coupon on shop.comma.ai or $100 check.`

Fix strict compiler on bootstub build 2019-07-08 06:05:47 +08:00			`int main(void) {`
Revert "Revert "Register readback on most modules. Still need to convert the other ones (#396)"" This reverts commit 56ec215024d23681ed89cfbefeafb8ba200a664b. 2019-12-06 06:19:29 +08:00			`// Init interrupt table`
			`init_interrupts(true);`
Interrupt refactor (NVIC_SM_1: #334) and Fault handling (#377) (PR #373) 2019-11-28 10:11:21 +08:00
Gpio race condition fix (#263) * Fixed pedal not initializing * Interrupt changes * More changes 2019-08-29 03:53:51 +08:00			`disable_interrupts();`
add mock stuff for signing 2017-04-18 04:57:34 +08:00			`clock_init();`
Black (#254) * late usb * Added type support for black panda * Added harness presence and orientation detection * harness relay driving code * Added intercept support in black panda code. Switched around can0 and can2 * Disable ADCs after orientation detection. Ignition interrupts via harness * WIP: Hardware abstraction layer + black panda bringup * Fixed bootstub build * Fixed bootstub for pedal * Fixed infinite loops * Got CAN buses working on white again * Fixed pedal build and black can interfaces * Got CAN buses working on black panda * Finished loopback test for black panda * Erase all flash sectors on the panda. Increased binary limit. Added extra python functions. * Fixed python * Made new code MISRA compliant * Cleaned up ignition. Fixed build * Fixed health packet * Fixed CAN mode on black bug. Changed OBD to switch on ELM mode * Fixes from Github review * Fixed MISRA issue for pedal * Fixed failing gmlan tests * ELM327 safety: allow diagnostic on all buses * Cleaned up EON relay code * delete only 3 sectors instead of 11 to allow a new build to be flashed. Much faster to flash * Removed CAN only can0 output mode. Does not make sense on black panda due to reversibility issues. * Added heartbeat logic for EON code on panda. Go to NOOUTPUT if EON does not send a heartbeat for 5 seconds. * Remove all CAN buses live on EON startup. Shouldn't be necessary to have this separate case * Formatting * Added file I forgot to push * Added heartbeat to testing code to make sure EON tests don't fail. Should probably find a better way to do this though. Heartbeat thread didn't work, concurrent USB connection issues... * Safety: support black panda for Honda Bosch * Disable OBD2 if setting to NOOUTPUT mode * Run safety tests for all hw_types * Fail test if subtest fails * fix safety tests 2019-07-24 06:07:06 +08:00			`detect_board_type();`
wait up to 15 seconds, and detect rev c in bootstub 2017-08-26 03:02:26 +08:00
write soft flasher 2017-07-25 06:16:22 +08:00			`if (enter_bootloader_mode == ENTER_SOFTLOADER_MAGIC) {`
			`enter_bootloader_mode = 0;`
			`soft_flasher_start();`
			`}`

signing is coming along 2017-04-26 09:03:58 +08:00			`// validate length`
fix warnings in board build 2017-05-02 13:59:10 +08:00			`int len = (int)_app_start[0];`
add uart to spi flasher 2017-07-28 06:54:55 +08:00			`if ((len < 8) \|\| (len > (0x1000000 - 0x4000 - 4 - RSANUMBYTES))) goto fail;`
signing is coming along 2017-04-26 09:03:58 +08:00
			`// compute SHA hash`
fix warnings in board build 2017-05-02 13:59:10 +08:00			`uint8_t digest[SHA_DIGEST_SIZE];`
signature checking works on ST 2017-04-27 01:41:57 +08:00			`SHA_hash(&_app_start[1], len-4, digest);`
signing is coming along 2017-04-26 09:03:58 +08:00
security upgrades (#397) * security upgrades * Gated DFU entry from debug console as well 2019-12-11 00:14:30 +08:00			`// verify version, last bytes in the signed area`
			`uint32_t vers[2] = {0};`
			`memcpy(&vers, ((void*)&_app_start[0]) + len - sizeof(vers), sizeof(vers));`
			`if (vers[0] != VERS_TAG \|\| vers[1] < MIN_VERSION) {`
			`goto fail;`
			`}`

signing is coming along 2017-04-26 09:03:58 +08:00			`// verify RSA signature`
add release cert support 2017-04-29 06:06:01 +08:00			`if (RSA_verify(&release_rsa_key, ((void*)&_app_start[0]) + len, RSANUMBYTES, digest, SHA_DIGEST_SIZE)) {`
			`goto good;`
signature checking works on ST 2017-04-27 01:41:57 +08:00			`}`
add mock stuff for signing 2017-04-18 04:57:34 +08:00
okay, release stuff is good 2017-04-29 11:13:00 +08:00			`// allow debug if built from source`
			`#ifdef ALLOW_DEBUG`
			`if (RSA_verify(&debug_rsa_key, ((void*)&_app_start[0]) + len, RSANUMBYTES, digest, SHA_DIGEST_SIZE)) {`
			`goto good;`
add release cert support 2017-04-29 06:06:01 +08:00			`}`
okay, release stuff is good 2017-04-29 11:13:00 +08:00			`#endif`
add release cert support 2017-04-29 06:06:01 +08:00
			`// here is a failure`
add uart to spi flasher 2017-07-28 06:54:55 +08:00			`fail:`
add release cert support 2017-04-29 06:06:01 +08:00			`fail();`
add uart to spi flasher 2017-07-28 06:54:55 +08:00			`return 0;`
add release cert support 2017-04-29 06:06:01 +08:00			`good:`
add mock stuff for signing 2017-04-18 04:57:34 +08:00			`// jump to flash`
Fix strict compiler on bootstub build 2019-07-08 06:05:47 +08:00			`((void(*)(void)) _app_start[1])();`
initial commit 2017-04-07 09:11:36 +08:00			`return 0;`
			`}`