-
Notifications
You must be signed in to change notification settings - Fork 402
Firmware m0901
Target
Purpose
Versions
Structure
Boot process
OS and Libraries
Flashing
Interfaces
The firmware programs SoC with LTE modem, which handles radio communication (OcuSync) and controls intelligent flight functions (obstacle avoidance). Location of this chip:
- in WM220, LC1860C SoC is on WM220 Core Board A
- in WM100, LC1860C SoC is on WM100 Main Processing Core Board
- in WM240, LC1860C SoC is on WM240 Core Board
- in WM245, LC1860C SoC is on WM245 Core Board
- in other products, the location is unknown
This module flips its number between platforms. On WM100, WM220, WM330 and WM620 it's m0801, while on later platforms, it's m0901. The inconsistency happened because m0801 was used for different SoC (custom ASIC) in WM230, and then WM240 included both of these chips - so naming from WM230 was retained.
The module contains programming of a SoC originally designed as main processor in mobile phones; here software-defined part of LTE modem is re-programmed to create OcuSync protocol instead. All stages of the OcuSync transmission are closed within one chip. Remaining processing power and camera interfaces are used to implement obstacle avoidance system (called APAS - Advanced Pilot Assistance System). Specific responsibilities of this chip change between platforms, but its use for OcuSync is constant.
TODO
The IM*H module within FW update package is always encrypted, with AES, using platform-specific PUEK (in WM100, WM220, WM330, WM620) or UFIE (in WM240, WM245, WM246) key.
Decrypted firmware is a JAR file, which when unzipped reveals typical Android boot images (normal.img, recovery.img), and a bootloader (bootarea.img). It also contains new content for system and/or vendor partitions, either as individual files (in WM220) or as sparse filesystem images (in WM240).
The bootarea.img has the bootloader stored in plaintext form; it takes over 0x20000 bytes, and is always padded to 0x1000. After that code, there are 3 additional images which, like the whole firmware file, are stored in IM*H format (though the first one has PL*I magic value instead). The bootloader contains support of IM*H decryption, and uses IAEK key to unsign images.
Boot partitions (normal.img, recovery.img) have IM*H format as well, and are encrypted with IAEK key as well.
The process differs slightly between platforms. The specific process for WM220 will be described:
After reset signal goes down, embedded bootrom starts execution. Its code is prepared by Leadcore and not specific to DJI, but some aspects of it are still configurable, by other means. Based on partition status bits, bootrom loads to RAM either bootarea0 or bootarea1 from eMMC.
These partitions have public part of PRAK RSA-2048 key near their beginnings; bootrom computes SHA256 hash of that public key, and compares its value with one stored in EFUSE area. EFUSE area stores various configuration values embedded within the chip, so that they are separated from eMMC content. If SHA256 verification of bootarea passes, then bootrom jumps to it with execution.
The code within bootarea store a modified version of U-boot bootloader. Besides being able to load Linux kernel, this modification is also capable of verifying and decrypting IM*H and PL*I images.
U-Boot reads the PRAK key which was stored in front of it, and uses it to verify RSA signatures within several IM*H images. It will load Partition table PL*I image, then OTP keys from the EFUSES and Env partition and all of its variables.
Located after bootloader, the bootarea partition stores two additional IM*H images. The image named key is loaded first; it stores IAEK encryption key. Within firmware update, development version of the key is placed there, also called RIEK; but on actual product, the key is different. Then the bootloader reads the second of two images, named tl420. That second image contains code and data part used for programming a DSP.
Finally, U-Boot identifies the boot image and kernel parameters, based on environment variables and EFUSE values. It loads either normal, recovery or factory_out partition, provisioning TZOS chunk to TrustZone, and loading KERN chunk for Linux Kernel startup. It then executes the kernel.
Linux kernel boots, loading kernel modules and mounting file systems. Then user spece services are started.
The firmware is based on Android, though it is cut down and heavily modified version. Bootloader is designed to support IM*H images, and boot images are
supplied in form of such encrypted files. Part of the bootloader is also supplied as IM*H image. How much of it is encrypted changes between platforms.
While the platform supports TrustZone, encryption algorithms are implemented in software, so encryption keys are handled there directly. This means the keys used are accessible; though they are not stored in plain form.
User space has the graphical interface part removed, and works like simple Linux distribution. There are several DJI-made native executables and libraries available within the file system. Some of them are running as services, performing designed functions of the module.
TODO
TODO
This page is created by drone enthusiasts for drone enthusiasts.
If you see a mistake, or you know more about specific subject, or you see an area for improvement for the wiki - create an issue in this project and attach your patch (or describe the change you propose).