
Firmware

Ann4Security edited this page Oct 19, 2020 · 15 revisions

Obtaining the firmware

Microsoft does not provide an Azure Sphere firmware download link, and MediaTek's MT3620 integrates the flash storage, so there is no external flash chip from which to read the firmware. Microsoft's azsphere command line tool provides an option to recover and re-flash the device. To perform this action, the tool downloads the firmware from a Microsoft server, saves it to a temporary location, and then flashes the device. We can make a copy of the firmware after the tool downloads it:

  1. Connect an Azure Sphere device to your host
  2. Start a recovery session: $ azsphere device recover
  3. Hit Ctrl-Z to pause the recovery session once it starts to erase the device.
  4. Copy the firmware files from the temporary directory.
user@ubuntu /> cd /tmp/AzureSphereRecoveryImages/5bdf45d3-a105-430d-8e35-de72c9135349/
user@ubuntu /t/A/5bdf45d3-a105-430d-8e35-de72c9135349> ls -l *
-rw-rw-r-- 1 user user 3386398 Sep  7 01:02 mt3620an.zip

mt3620an:
total 5424
-rw-rw-r-- 1 user user   26012 Aug 14 09:23 07f276d188f04211a8d59dc014df3f10.bin
-rw-rw-r-- 1 user user  102952 Aug 14 09:23 0a54493307e24cc0a19fabc4118dabcd.bin
-rw-rw-r-- 1 user user   30052 Aug 14 09:23 12e8b7c7ef5f46dfa2c045512fcddb0f.bin
-rw-rw-r-- 1 user user     392 Aug 14 09:24 2328e97d018042349990eebb34dde153.bin
-rw-rw-r-- 1 user user 1511660 Aug 14 09:24 2a12eef336074eacbb1081722cd5b6d6.bin
-rw-rw-r-- 1 user user   16384 Aug 14 09:24 7e5375de9f724851ba74e72c0cd7c151.bin
-rw-rw-r-- 1 user user   28884 Aug 14 09:24 7f8443b29af84677a7f601046ebf4759.bin
-rw-rw-r-- 1 user user    8396 Aug 14 09:24 8ab6393348374988bce8a081cc1ba957.bin
-rw-rw-r-- 1 user user    2376 Aug 14 09:24 92854503e1a4425ab9a81f990b6f03bc.bin
-rw-rw-r-- 1 user user 2593272 Aug 14 09:24 b8c30077b73943cc84b03e06820c76cb.bin
-rw-rw-r-- 1 user user   16612 Aug 14 09:24 bca46bd7a5c44856ab7d18924171a7c3.bin
-rw-rw-r-- 1 user user  102612 Aug 14 09:24 dbf8444b7cad4832872ac1e203004ccb.bin
-rw-rw-r-- 1 user user   65748 Aug 14 09:24 e1287450d1d240799cda7b314cfce13f.bin
-rw-rw-r-- 1 user user   24576 Aug 14 09:24 e5a6b6eed0ef432ba24c9e07f4198d30.bin
-rw-rw-r-- 1 user user  269980 Aug 14 09:25 e8433cd72a1949178be2fbf83dcd2e62.bin
-rw-rw-r-- 1 user user  622812 Aug 14 09:25 f73894e07fa1414bbcf46a080069d8c4.bin
-rw-rw-r-- 1 user user   16384 Aug 14 09:25 recovery-1bl-rtm.bin
-rw-rw-r-- 1 user user    1496 Aug 14 09:25 recovery.imagemanifest
-rw-rw-r-- 1 user user   62676 Aug 14 09:25 recovery-runtime.bin

Note: The filenames will change depending on the version of the firmware downloaded, as they are the hash of the file contents.

Older Recovery Firmware

It is advisable to save the archive recovered above. Archive downloads may not be available in the future, and Microsoft is releasing updates at a steady clip. The azsphere CLI tool can recover using images saved on disk rather than downloading them. This feature can be used to recover using the saved recovery firmware archive:

> azsphere device recover -i mt3620an_saved_recovery_firmware/

Starting device recovery. Please note that this may take up to 10 minutes.
Detached 1 kernel modules
Board found. Sending recovery bootloader.
Erasing flash.
Sending 17 images. (5390752 bytes to send)
Sent 1 of 17 images. (5388376 of 5390752 bytes remaining)
Sent 2 of 17 images. (5361516 of 5390752 bytes remaining)
Sent 3 of 17 images. (5246616 of 5390752 bytes remaining)
Sent 4 of 17 images. (5246224 of 5390752 bytes remaining)
Sent 5 of 17 images. (4976244 of 5390752 bytes remaining)
Sent 6 of 17 images. (4959312 of 5390752 bytes remaining)
Sent 7 of 17 images. (4929580 of 5390752 bytes remaining)
Sent 8 of 17 images. (2438416 of 5390752 bytes remaining)
Sent 9 of 17 images. (861220 of 5390752 bytes remaining)
Sent 10 of 17 images. (836644 of 5390752 bytes remaining)
Sent 11 of 17 images. (738128 of 5390752 bytes remaining)
Sent 12 of 17 images. (123508 of 5390752 bytes remaining)
Sent 13 of 17 images. (57760 of 5390752 bytes remaining)
Sent 14 of 17 images. (41164 of 5390752 bytes remaining)
Sent 15 of 17 images. (32768 of 5390752 bytes remaining)
Sent 16 of 17 images. (16384 of 5390752 bytes remaining)
Sent 17 of 17 images. (0 of 5390752 bytes remaining)
Finished writing images; rebooting board.
Device ID: 7BEE580B2EB6391D272AB42BF62FDDCC4E0AAB7475C0B1AFFB0D5CE24F2AACBA1E424224D6B571005518AEFD89A900D9A33EB2E8795598CF63826E348CBCDAA2
Device recovered successfully.

Recovery Firmware Contents

After unpacking the recovery image, we have a number of .bin files whose filename is the hash of the file contents. Each file does, however, carry metadata that includes the name of the image. The following are the files within the recovery image and their friendly names:

Filename                              Image Name
e6159560434f47e89376b67d030628f8.bin  1BL (Pluton Bootloader)
e783ef2f538441d99b8edf9a3d88dec2.bin  A7 NW loader
6471c5a8d6f84a9995442d7ed2113092.bin  Device Capability
0a9e76d0cee44716a5498dc72db215e0.bin  N9 Wifi Firmware
3bceac8b52b247d3a2bb79414b5160fd.bin  NW Device Tree
9db8ef72fb814f72a4624b274b1caf22.bin  NW Kernel
e1a9cb58c77b44e8b67b9bc2aece076b.bin  NW Root Filesystem
2b9b33b4d6a040f09cc675a3003979be.bin  Pluton Runtime
b40ace52f2de46728da066f5165be8b6.bin  Security Monitor
92854503e1a4425ab9a81f990b6f03bc.bin  Trusted Keystore
7cb47d0f000341a4878f65c4b998ce03.bin  azcore
80490e15d7194692be598a61585b2ec6.bin  azured
600bca2d11e24df2a4ef766619614d02.bin  gatewayd
31847582fa2f4581b5b18d339e6a4873.bin  networkd
15f454190ad54d7da411ee70798f82b4.bin  rng-tools
e5a6b6eed0ef432ba24c9e07f4198d30.bin  update-cert-store
recovery-1bl-rtm.bin
recovery-runtime.bin
recovery.imagemanifest

Recovery Images

Three images are used to boot the device while in recovery mode:

  1. recovery-1bl-rtm.bin - When the chip is in recovery mode, this image is transferred to it via XMODEM. It completes the initial boot and then accepts the second-stage image.
  2. recovery-runtime.bin - This image contains the logic to erase the internal flash, and then transfers the remaining images listed in recovery.imagemanifest.
  3. recovery.imagemanifest - Contains the list of files that are part of the recovery operation.

Metadata

Each file within the recovery firmware image (and the application image files) has a metadata section and a signature appended to the end of the file.

The metadata section is a simple structure: a magic value 0x4D345834 ("M4X4"), the number of TLVs (Tag/Length/Value entries), followed by the sequence of TLVs. The metadata ends with a length field that holds the length of the metadata section, including the length field itself. A 64-byte signature is appended after it:

        0                     4 
       +---------------------+---------------------+
    0  | Magic (0x4D345834)  | # of TLVs           |
       +---------------------+---------------------+
    8  | Tag      | Length   | TLV Data            |
       +---------------------+---------------------+
       |                    ...                    |
       +                     +---------------------+
    n  |                     | Metadata Length     |
       +---------------------+---------------------+
       |                                           |
       +                                           |
       |                                           |
       +                                           |
       |                                           |
       +                                           |
       |                                           |
       +            Signature (64-Bytes)           |
       |                                           |
       +                                           |
       |                                           |
       +                                           |
       |                                           |
       +                                           |
n + 64 |                                           |
       +---------------------+---------------------+

We built a Python script that parses and dumps the metadata section:

> ./image_metadata.py e1a9cb58c77b44e8b67b9bc2aece076b.bin
Metadata:
	ID (0x4449): 08 00 00 00 88 0C FD F7 05 D0 C6 45 AC 4B 88 AF DB F2 DC 6A 58 CB A9 E1 7B C7 E8 44 B6 7B 9B C2 AE CE 07 6B
		Component ID: f7fd0c88-d005-45c6-ac4b-88afdbf2dc6a
		    Image ID: e1a9cb58-c77b-44e8-b67b-9bc2aece076b
	SG (0x4753): 20 00 B0 A7 DB 0E 5B B4 20 22 12 3B F4 DB 8B 35 74 45 AF 78 01 00 00 00
	DB (0x4244): 8B 53 B3 5E 00 00 00 00 4E 57 20 52 6F 6F 74 20 46 69 6C 65 73 79 73 74 65 6D 00 00 00 00 00 00 00 00 00 00 00 00 00 00
		 NW Root Filesystem
	RV (0x5652): 03 00 00 00
	NP (0x504e): 02 00 00 00 05 00 00 00 03 00 00 00 01 00 00 00 02 00 00 00
	ND (0x444e): 01 00 00 00 01 00 00 00 01 00 00 00
Signature:
00000000: 4B F9 ED 60 B3 3D 24 EE  F7 02 B4 3A 86 63 44 A0  K..`.=$....:.cD.
00000010: 41 DE F4 7A FB F7 01 57  06 83 8D C1 2B 50 F8 05  A..z...W....+P..
00000020: 94 1D D0 AF 09 C9 48 5B  5E 89 99 B1 DD 24 D9 41  ......H[^....$.A
00000030: 70 07 E5 F5 5C 5D DF DB  F9 35 6C DC A2 EE 7D 9C  p...\]...5l...}.

We used our script mainly for building test cases. The same info with nicer names and decodings can be viewed using the azsphere image-package show command:

> azsphere image-package show -f ../../../Firmware/mt3620an_v4/e1a9cb58c77b44e8b67b9bc2aece076b.bin 
Image package metadata:
  Section: Identity
    Image Type:           System software image type 8
    Component ID:         f7fd0c88-d005-45c6-ac4b-88afdbf2dc6a
    Image ID:             e1a9cb58-c77b-44e8-b67b-9bc2aece076b
  Section: Signature
    Signing Type:         ECDsa256
    Cert:                 2000b0a7db0e5bb42022123bf4db8b357445af78
  Section: Debug
    Image Name:           NW Root Filesystem
    Built On (UTC):       5/7/20 12:17:15 AM
    Built On (Local):     5/7/20 12:17:15 AM
  Section: Revocation
    Security Version:     3
  Section: ABI Provides
    Provides:             ApplicationRuntime, version 5
    Provides:             OSRuntime, version 1
  Section: ABI Depends

The metadata value types:

  • ID - The component and image UUIDs that uniquely identify this image.
  • SG - Identifies the type of signature and the certificate used.
  • DB - Debug, human-friendly name and build timestamp.
  • RV - Revocation, blacklists old versions.
  • NP - Provides dependencies, such as ApplicationRuntime, OSRuntime, SecureWorldRuntime and the version being provided.
  • ND - Depends, specifies which versions of the ApplicationRuntime, OSRuntime, etc. this image requires.
  • TP - Temporary flags (remove on boot, in development)

Signature

The *.bin files are signed using the Elliptic Curve Digital Signature Algorithm (ECDSA). The signature uses a SHA256 hash of the data and follows FIPS-186-3.

Signing Keys

Microsoft holds the production signing keys in the Azure Sphere cloud so your production app will be signed by Microsoft. For development, the azsphere CLI tool contains an embedded key that can be used to sign applications. These apps can only be run on devices where development mode has been enabled.

The development signing key and certificate can be extracted from the SDK's image_metadata.dll file using a C# decompiler, such as ILSpy. The DLL resources contain Exp23.ImageMetadata.app_test.sign.pfx and Exp23.ImageMetadata.app_test.sign.cer entries:

In order to facilitate fuzzing of the image format and metadata, we built our own signing tool.