-
Notifications
You must be signed in to change notification settings - Fork 421
Firmware m0801
Target
Purpose
Versions
Structure
Boot process
OS and Libraries
Flashing
Interfaces
The firmware programs SoC which handles video encoding and flight control. Location of this chip:
- in WM230, H3 Eagle SoC is on WM230 Main Core Processor board
- in WM240, H3 Eagle SoC is on WM240 Core Board
- in WM245, H3 Eagle SoC is on WM245 Core Board
- in other products, the location is unknown
Note that within WM100, WM220, WM330 and WM620, the m0801 module identifier is used to store something different - there's m0901 instead. So the information on this page does not apply to these platforms.
The module contains programming of a SoC which handles image sensor and video encoding, but also flight control. Additionally, it uses TrustZone to (semi)securely store cryptographic keys, and is the component which controls firmware update process of the drone.
TODO
The IM*H module within FW update package is always encrypted, with AES, using platform-specific UFIE key.
Decrypted firmware is a JAR file, which when unzipped reveals typical Android boot images (normal.img, recovery.img), and a bootloader (bootarea.img). It also contains new content for system and vendor partitions, as sparse filesystem images (*.new.dat, *.transfer.list).
The bootarea.img has the bootloader encrypted with TBIE key. Like the whole firmware file, it has IM*H format, though within the binary image that part is preceded by a little chunk of unencrypted data, usually public part of PRAK RSA key.
Boot partitions (normal.img, recovery.img) are encrypted with TBIE key, and have IM*H format as well.
Encryption keys, like in all DJI products, are identified by four-byte character code, comprising of English letters. Production keys have the letters in upper case. Most of the keys is derived within TrustZone, using CryptoCell algorithms, from several input character arrays, including: master key, public part of PRAK RSA key, and a string containing short description of the key. Not all of the information required to derive a key is included in the TZOS binary available within boot partitions.
After reset signal pulls to zero, control is given to embedded bootrom. The bootrom is programmed by DJI. It contains code to read IM*H images and includes encryption keys required to decrypt the bootloader. After bootloader is decrypted to memory, bootrom jumps to it with execution.
The bootloader behaves in similar manner to Android bootloader, with added IM*H format and TrustZone support. The bootloader selects boot of either normal.img or recovery.img, then decrypts the proper file and loads KERN Linux kernel on Normal side, and TZOS OP-TEE binary on Trusted side.
Trusted side boots and awaits SMC commands.
Standard Linux kernel boot proceeds on the Normal side, loading kernel modules, mounting filesystems and starting services.
The software is divided into normal side and trusted side. Normal side runs directly on the ARM CPU, while trusted side is executed within hardware-accelerated ARM TrustZone.
The firmware is based on Android, though it is cut down and heavily modified version. Embedded bootrom is designed to support IM*H images, and bootloader images are supplied in form of such encrypted files. The bootloader is also supplied as IM*H image, preceded by public RSA key used to sign its header. Note that bootrom is not loaded from eMMC - it is within internal ROM of the chip.
User space has the graphical interface part removed, and works like simple Linux distribution. There are several DJI-made native executables and libraries available within the file system. Some of them are running as services, performing designed functions of the module. Some tools, like dji_fw_verify (used to verify and decrypt firmware updates), are relaying encryption-related operations to TrustZone.
This part is based on OP-TEE OS which is stored within boot images (normal.img, recovery.img).
Encryption algorithms are hardware-accelerated using CryptoCell 310 SDK library provided by Nordic Semiconductor.
The Normal side sends commands to Trusted side using Secure Monitor Calls. Besides generic SMC commands from OP-TEE, the DJI firmware also defines few custom commands.
Trusted Applications running within the TrustZone are in standard TA format, but wrapped with IM*H header and encrypted. The application loading function decrypts the TA file automatically before execution.
TODO
TODO
This page is created by drone enthusiasts for drone enthusiasts.
If you see a mistake, or you know more about specific subject, or you see an area for improvement for the wiki - create an issue in this project and attach your patch (or describe the change you propose).