
Firmware m0801

mefistotelis edited this page Jul 16, 2021 · 34 revisions

Table of Contents

Target
Purpose
Versions
Structure
OS and Libraries
Flashing
Interfaces

Target

The firmware programs the SoC which handles video encoding and flight control. Location of this chip:

Note that within WM220, the m0801 module identifier is used to store something different; the corresponding module there is m0901 instead. So the information on this page does not apply to WM220.

Purpose

The module contains the programming of the SoC which handles the image sensor and video encoding, but also flight control. Additionally, it uses TrustZone to (semi)securely store cryptographic keys, and it is the component which controls the firmware update process on the drone.

Versions

TODO

Structure

The IM*H module within the FW update package is always encrypted with AES, using the platform-specific UFIE key.

The decrypted firmware is a JAR file which, when unzipped, reveals typical Android boot images (normal.img, recovery.img) and a 2nd stage bootloader (bootarea.img). It also contains new content for the system and vendor partitions, as sparse filesystem images (*.new.dat, *.transfer.list).

The bootarea.img has the bootloader encrypted with the TBIE key. Like the whole firmware file, it has IM*H format, though within the bootloader that part is preceded by a little chunk of unencrypted code.

Boot partitions (normal.img, recovery.img) are encrypted with the TBIE key, and have IM*H format as well.
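The layout above (a JAR containing two IM*H boot images, a bootarea.img whose IM*H part is preceded by unencrypted code, and sparse partition data with transfer lists) can be checked mechanically. The script below is an added example and is not part of the dji-firmware-tools project: it inventories a decrypted firmware JAR, reports where the IM*H header sits in each image (offset 0 for the boot images, a non-zero offset for bootarea.img because of the unencrypted prefix), and measures the byte entropy of what follows the header as a sanity check that the body really is encrypted. The IM*H magic is assumed to be the ASCII bytes `IM*H`; the sample archive is constructed in memory with random filler and is not real firmware content.

```python
# Added example (not code from the dji-firmware-tools wiki): inventory a decrypted
# m0801 firmware JAR, locate the IM*H header in each image and check that the
# bytes behind it look encrypted. The sample archive below is constructed.
import io
import math
import random
import zipfile
from collections import Counter

IMAH_MAGIC = b"IM*H"  # assumption: header magic matching the format name


def classify(name):
    """Map a JAR member name to the role the wiki page describes for it."""
    if name == "bootarea.img":
        return "2nd stage bootloader (IM*H after an unencrypted prefix)"
    if name in ("normal.img", "recovery.img"):
        return "boot image (IM*H, TBIE key)"
    if name.endswith(".new.dat"):
        return "sparse partition data"
    if name.endswith(".transfer.list"):
        return "partition transfer list"
    return "other"


def find_imah_offset(data):
    """Offset of the first IM*H magic in data, or -1 if it is absent."""
    return data.find(IMAH_MAGIC)


def shannon_entropy(data):
    """Bits per byte: close to 8.0 for encrypted/random data, 0.0 for padding."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_firmware_jar(blob):
    """Return {member: (role, imah_offset, body_entropy)} for a JAR/zip blob."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as jar:
        for name in jar.namelist():
            data = jar.read(name)
            off = find_imah_offset(data) if name.endswith(".img") else -1
            # Entropy is measured on the bytes after the magic, so the
            # unencrypted prefix of bootarea.img does not drag it down.
            body = data[off + len(IMAH_MAGIC):] if off >= 0 else data
            report[name] = (classify(name), off, round(shannon_entropy(body), 2))
    return report


def build_sample_jar(seed=7):
    """Constructed sample JAR: layout follows the wiki, contents are filler."""
    rng = random.Random(seed)

    def filler(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    # A repetitive, low-entropy prefix stands in for the unencrypted code.
    fake_prefix = b"\x00\x00\xa0\xe3" * 64  # 256 bytes
    members = {
        "normal.img": IMAH_MAGIC + filler(4096),
        "recovery.img": IMAH_MAGIC + filler(4096),
        "bootarea.img": fake_prefix + IMAH_MAGIC + filler(4096),
        "system.new.dat": filler(1024),
        "system.transfer.list": b"4\n2\n0\n0\nnew 2,0,2\n",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in members.items():
            jar.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    for name, (role, off, ent) in inspect_firmware_jar(build_sample_jar()).items():
        print(f"{name:22} {role:55} IM*H@{off:>5} entropy={ent}")
```

Running the script lists each member with its role, the IM*H offset and the entropy of the encrypted body; on a real decrypted package a boot image whose header is not at offset 0, or a body with entropy well below 7.5 bits per byte, would indicate that the file is not the encrypted IM*H image this page describes and warrants a closer look before flashing.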

OS and Libraries

Since WM230, the software is divided into a normal part and a trusted part. The normal part runs directly on the ARM CPU, while the trusted part is executed within ARM TrustZone, whose isolation is enforced in hardware.

Normal part

The firmware is based on Android, though it is a cut-down and heavily modified version. The internal 1st stage bootloader is designed to support IM*H images, and the boot images are supplied in the form of such encrypted files. The 2nd stage bootloader is also supplied as an IM*H image, preceded by the public RSA key (PRAK) used to sign its header. Note that the 1st stage bootloader is not loaded from eMMC; it resides in the internal ROM of the chip.

User space has the graphical interface part removed, and works like a simple Linux distribution. There are several DJI-made native executables and libraries available within the file system. Some of them run as services, performing the designed functions of the module. Some tools, like dji_fw_verify (used to verify and decrypt firmware updates), relay encryption-related operations to TrustZone.

Trusted part

This part is based on OP-TEE OS, which is stored within the boot images (normal.img, recovery.img).

Encryption algorithms are hardware-accelerated using the CryptoCell 310 SDK library provided by Nordic Semiconductor.

Flashing

TODO

Interfaces

TODO
