| .. | ||
| assets | ||
| micro-ecc | ||
| releases | ||
| .gitignore | ||
| ae_config.h | ||
| ae.c | ||
| ae.h | ||
| aes.c | ||
| aes.h | ||
| basics.h | ||
| clocks.c | ||
| clocks.h | ||
| console.c | ||
| console.h | ||
| constant_time.c | ||
| constant_time.h | ||
| delay.c | ||
| delay.h | ||
| dispatch.c | ||
| dispatch.h | ||
| faster_sha256.c | ||
| faster_sha256.h | ||
| firewall.c | ||
| firmware-keys.h | ||
| flash-unlock.txt | ||
| gogo.gdb | ||
| gpio.c | ||
| gpio.h | ||
| hal_glue.c | ||
| keylayout.py | ||
| link-script.ld | ||
| main.c | ||
| main.h | ||
| Makefile | ||
| mathcheck.py | ||
| misc.h | ||
| mk-sigheader.py | ||
| oled.c | ||
| oled.h | ||
| pins.c | ||
| pins.h | ||
| psram.c | ||
| psram.h | ||
| README.md | ||
| rng.c | ||
| rng.h | ||
| sdcard.c | ||
| sdcard.h | ||
| se2.c | ||
| se2.h | ||
| secel_config.py | ||
| secel_debug.py | ||
| secrets.h | ||
| sigheader.h | ||
| sigheader.py | ||
| startup.S | ||
| stm32l4xx_hal_conf.h | ||
| stm32l4xx_hal_firewall.c | ||
| stm32l4xx_hal_gpio.c | ||
| stm32l4xx_hal_hash.c | ||
| stm32l4xx_hal_i2c.c | ||
| stm32l4xx_hal_ospi.c | ||
| stm32l4xx_hal_rcc_ex.c | ||
| stm32l4xx_hal_rcc.c | ||
| stm32l4xx_hal_sd.c | ||
| stm32l4xx_hal_spi.c | ||
| stm32l4xx_ll_sdmmc.c | ||
| storage.c | ||
| storage.h | ||
| verify.c | ||
| verify.h | ||
| version.c | ||
| version.h | ||
Coldcard Bootloader - Mk3 and Mk4
We have a bootloader. It does the usual code signature checking, but also offers some security features used during runtime. Part of this is keeping some bytes secret in the long term. It can never be field upgraded, and yet plays an important part in that process.
Firewalled Code/Data
This code is linked separately from other executables, and resides in its own reserved area at the start of flash memory. That area is protected from readback using chip features: "Proprietary Code Read-Out Protection (PCROP)" aka. firewall.
A very limited amount of security-sensitive code resides here. It protects your currency, but only indirectly. It's more about making your key storage per-system unique.
Notes
-
the most helpful file here is
bootloader.lsswhich is generated in build process -
using OpenOCD is prefered for lower level code like this (not GDB)
-
stm32l4x.cpu arm disassemble 0x000008 10 thumbis very helpful -
you can power cycle the board (to enter/exit DFU) and OpenOCD keeps working
-
for consistent reading of state, do this:
- power cycle
- "reset"
- "halt"
-
wipe chip with:
stm32l4x mass_erase 0in openocd monitor to bulk-erase whole chip
-
To clear flash with write protect on... FLASH regs at 0x40022000 base FLASH->CR = 0x40022014 FLASH->WRP1AR = 0x4002202c
this works on Mk4: with less weird errors/warnings.
have DFU active. doesn't work from running
halt
expect 0x40000000, if it's 0xc0000000, can't work; reboot w/ DFU pressed, to fix
mdw 0x40022014
ignore warning about "power cycle" from this:
stm32l4x unlock 0
expect 0 from this:
mdw 0x40022014
disable all write-protect (bank 1, A region)
mww 0x4002202c 0xff00ffff mww 0x40022030 0xff00ffff
commit change
mww 0x40022014 0x20000
read back in OB (expect ff00ffff NOT ff0fff00)
mdw 0x1FFF7818
launch changes? (causes weird reset)
mww 0x40022014 0x8000000
-
"stm32l4x.cpu mdb" is nice hexdump, much better than regular mdb
-
If you're having trouble getting the debugger to started / link up right, try in DFU mode.
-
You must always wipe flash when you change the 508/608 because no code to erase the pairing secret and can't rewrite flash.
halt stm32l4x unlock 0 stm32l4x mass_erase 0
Reading 'pairing secret'
This is a useful command, but only works on non-production units:
Mk1-3:
dfu-util -d 0483:df11 -a 0 -s 0x08007800:256 -U pairing.bin
Mk4:
dfu-util -d 0483:df11 -a 0 -s 0x0801c000:8192 -U pairing.bin
- but that file is misleading, because all the unused mcu key slots are un-programmed-cells (ones)
- will hit assert on new key attempt if you just write that back
- trim and write only actual non-ones content
Wiping Secrets
Mk4: flash erase_address 0x801c000 0x4000
Resources
Todo List
- measure OLED reset and CS pulse lengths, and SPI clk during boot w/ internal RC oscilator
- HAL code for SPI should be removed and replaced with a few one-liners
- GPIO code may be removed as well?
Bootloader upgrade 3.0.? to 3.0.2
-
capture pairing data:
dfu-util -d 0483:df11 -a 0 -s 0x0801e000:8192 -U pairing.bin
-
do the above unlock write-protect process, but don't erase any flash
- would only be required if "bag" operation done
-
then upload old pairing data
dfu-util -d 0483:df11 -a 0 -s 0x0801c000:8192 -D pairing.bin
-
unit will boot w/ no seed
-
for cleanest result, wipe last flash page:
flash erase_address 0x0801e000 0x2000
Bootloader upgrade 3.0.? to 3.1.?
- clear main PIN before install, or else you won't be able to get back in!
Re-do Bag Number
-
cannot writes ones, and then change flash cells; have to remain unprogrammed
dfu-util -d 0483:df11 -a 0 -s 0x0801c000:8192 -U pairing.bin
-
want 0..0x50 then 0x70
dd if=pairing.bin of=p1.bin bs=80 count=1 dd if=pairing.bin of=p2.bin bs=112 skip=1
-
two burns: => DFU does not work, each run erases other part of page => same with "program" cmd in openocd => these work tho:
flash erase_address 0x801c000 0x2000 flash write_image mk4-bootloader/p1.bin 0x0801c000 flash write_image mk4-bootloader/p2.bin 0x0801c070