Raspberry Pi 4 bootloader configuration
Editing the configuration
Before editing the bootloader configuration, update your system to get the latest version of the rpi-eeprom
package. Releases prior to the 2020-09-03 default/critical release will not support all features listed here.
To view the current EEPROM configuration:
rpi-eeprom-config
To edit it and apply the updates to latest EEPROM release:
sudo -E rpi-eeprom-config --edit
Please see the boot EEPROM page for more information about the EEPROM update process.
Configuration properties
This section describes all the configuration items available in the bootloader. The syntax is the same as config.txt but the properties are specific to the bootloader. Conditional filters are also supported except for EDID.
BOOT_UART
If 1
then enable UART debug output on GPIO 14 and 15. Configure the receiving debug terminal at 115200bps, 8 bits, no parity bits, 1 stop bit.
Default: 0
WAKE_ON_GPIO
If 1
then sudo halt
will run in a lower power mode until either GPIO3 or GLOBAL_EN are shorted to ground.
Default: 1
(0
in original version of bootloader 2019-05-10)
POWER_OFF_ON_HALT
If 1
and WAKE_ON_GPIO=0
then sudo halt
will switch off all PMIC outputs. This is lowest possible power state for halt but may cause problems with some HATs because 5V will still be on. GLOBAL_EN must be shorted to ground to boot.
Pi 400 has a dedicated power button which operates even if the processor is switched off. This behaviour is enabled by default, however, WAKE_ON_GPIO=2
may be set to use an external GPIO power button instead of the dedicated power button.
Default: 0
BOOT_ORDER
The BOOT_ORDER
setting allows flexible configuration for the priority of different bootmodes. It is represented as 32bit unsigned integer where each nibble represents a bootmode. The bootmodes are attempted in lowest significant nibble to highest significant nibble order.
E.g.0xf41
means continuously trying SD card followed by USB mass storage. Whereas, 0xf12
means continuously trying network boot followed by SD card boot.
The retry counters are reset when switching to the next boot mode.
BOOT_ORDER
fields
The BOOT_ORDER property defines the sequence for the different boot modes. It is read right to left and up to 8 digits may be defined.
Value | Mode | Description |
---|---|---|
0x1 | SD CARD | SD card (or eMMC on Compute Module 4) |
0x2 | NETWORK | Network boot |
0x3 | RPIBOOT | RPIBOOT - See usbboot (since 2020-09-03) |
0x4 | USB-MSD | USB mass storage boot (since 2020-09-03) |
0x5 | BCM-USB-MSD | USB 2.0 boot from USB Type-C socket or USB Type-A socket on CM4 IO board. (since 2020-12-14) |
0xe | STOP | Stop and display error pattern (since 2020-09-03). A power cycle is required to exit this state. |
0xf | RESTART | Start again with the first boot order field. (since 2020-09-03) |
After trying each non-zero boot mode the bootloader stops. However, from 2020-09-03 the bootloader will monitor the SD card detect pin and try SD boot if a new SD card is inserted.
Default: 0xf41
- Boot mode
0x0
will retry the SD boot if the SD card detect pin indicates that the card has been inserted or replaced. - The default boot order is
0xf41
which means continuously try SD then USB mass storage. RPIBOOT
is intended for use with Compute Module 4 to load a custom debug image (e.g. a Linux RAM-disk) instead of the normal boot. This should be the last boot option because it does not currently support timeouts or retries.BCM-USB-MSD
boot allows a Compute Module 4 to boot from USB without requiring an additional PCIe XHCI card. This USB controller does not support USB 3.0 and booting will be slower thanUSB-MSD
boot on a Pi 4 or Pi 400.
MAX_RESTARTS
If the RESTART (0xf
) boot mode is encountered more than MAX_RESTARTS times then a watchdog reset is triggered. This isn't recommended for general use but may be useful for test or remote systems where a full reset is needed to resolve issues with hardware or network interfaces.
Default: -1
(infinite)
SD_BOOT_MAX_RETRIES
The number of times that SD boot will be retried after failure before moving to the next boot mode defined by BOOT_ORDER
.
-1
means infinite retries.
Default: 0
NET_BOOT_MAX_RETRIES
The number of times that network boot will be retried after failure before moving to the next boot mode defined by BOOT_ORDER
.
-1
means infinite retries.
Default: 0
DHCP_TIMEOUT
The timeout in milliseconds for the entire DHCP sequence before failing the current iteration.
Minimum: 5000
Default: 45000
DHCP_REQ_TIMEOUT
The timeout in milliseconds before retrying DHCP DISCOVER or DHCP REQ.
Minimum: 500
Default: 4000
TFTP_FILE_TIMEOUT
The timeout in milliseconds for an individual file download via TFTP.
Minimum: 5000
Default: 30000
TFTP_IP
Optional dotted decimal ip address (e.g. 192.168.1.99
) for the TFTP server which overrides the server-ip from the DHCP request.
This may be useful on home networks because tftpd-hpa can be used instead of dnsmasq where broadband router is the DHCP server.
Default: ""
TFTP_PREFIX
In order to support unique TFTP boot directories for each Pi the bootloader prefixes the filenames with a device specific directory. If neither start4.elf nor start.elf are found in the prefixed directory then the prefix is cleared. On earlier models the serial number is used as the prefix, however, on Pi 4 the MAC address is no longer generated from the serial number making it difficult to automatically create tftpboot directories on the server by inspecting DHCPDISCOVER packets. To support this the TFTP_PREFIX may be customized to either be the MAC address, a fixed value or the serial number (default).
Value | Description |
---|---|
0 | Use the serial number e.g. 9ffefdef/ |
1 | Use the string specified by TFTP_PREFIX_STR |
2 | Use the MAC address e.g. dc-a6-32-01-36-c2/ |
Default: 0
TFTP_PREFIX_STR
Specify the custom directory prefix string used when TFTP_PREFIX
is set to 1. For example:- TFTP_PREFIX_STR=tftp_test/
Default: ""
Max length: 32 characters
PXE_OPTION43
Overrides the PXE Option43 match string with a different string. It's normally better to apply customisations to the DHCP server than change the client behaviour but this option is provided in case that's not possible.
Default: Raspberry Pi Boot
DHCP_OPTION97
In earlier releases the client GUID (Option97) was just the serial number repeated 4 times. By default, the new GUID format is the concatenation of the fourcc for RPi4 (0x34695052 - little endian), the board revision (e.g. 0x00c03111) (4-bytes), the least significant 4 bytes of the mac address and the 4-byte serial number. This is intended to be unique but also provide structured information to the DHCP server, allowing Raspberry Pi4 computers to be identified without relying upon the Ethernet MAC OUID.
Specify DHCP_OPTION97=0 to revert the the old behaviour or a non-zero hex-value to specify a custom 4-byte prefix.
Default: 0x34695052
Static IP address configuration
If TFTP_IP and the following options are set then DHCP is skipped and the static IP configuration is applied. If the TFTP server is on the same subnet as the client then GATEWAY may be omitted.
CLIENT_IP
The IP address of the client e.g. 192.168.0.32
Default: ""
SUBNET
The subnet address mask e.g. 255.255.255.0
Default: ""
GATEWAY
The gateway address to use if the TFTP server is on a differenet subnet e.g. 192.168.0.1
Default: ""
MAC_ADDRESS
Overrides the Ethernet MAC address with the given value. e.g. dc:a6:32:01:36:c2
Default: ""
DISABLE_HDMI
The HDMI boot diagnostics display is disabled if DISABLE_HDMI=1
. Other non-zero values are reserved for future use.
Default: 0
HDMI_DELAY
Skip rendering of the HDMI diagnostics display for up to N seconds (default 5) unless a fatal error occurs. The default behaviour is designed to avoid the bootloader diagnostics screen from briefly appearing during a normal SD / USB boot.
Default: 5
ENABLE_SELF_UPDATE
Enables the bootloader to update itself from a TFTP or USB mass storage device (MSD) boot filesystem.
If self update is enabled then the bootloader will look for the update files (.sig/.upd) in the boot file system. If the update image differs from the current image then the update is applied and system is reset. Otherwise, if the EEPROM images are byte-for-byte identical then boot continues as normal.
Notes:-
- Self-update is not enabled in SD boot; the ROM can already load recovery.bin from the SD card.
- Before self-update can be used the bootloader must have already been updated to a version which supports self update. The recommended approach would be to use the Raspberry Pi Imager and a spare SD card to update to pieeprom-2020-09-03 then use self-update for subsequent updates.
- For network boot make sure that the TFTP
boot
directory can be mounted via NFS and thatrpi-eeprom-update
can write to it.
Default: 1
(0
in versions prior to 2020-09-03)
FREEZE_VERSION
Previously this property was only checked by the rpi-eeprom-update
script. However, now that self-update is enabled the bootloader will also check this property. If set to 1, this overrides ENABLE_SELF_UPDATE
to stop automatic updates. To disable FREEZE_VERSION
you will have to use an SD card boot with recovery.bin.
Custom EEPROM update scripts must also check this flag.
Default: 0
NETCONSOLE - advanced logging
NETCONSOLE
duplicates debug messages to the network interface. The IP addresses and ports are defined by the NETCONSOLE
string.
N.B. NETCONSOLE blocks until the ethernet link is established or a timeout occurs. The timeout value is DHCP_TIMEOUT
although DHCP is not attempted unless network boot is requested.
Format
See https://wiki.archlinux.org/index.php/Netconsole
src_port@src_ip/dev_name,dst_port@dst_ip/dst_mac
E.g. 6665@169.254.1.1/,6666@/
In order to simplify parsing, the bootloader requires every field separator to be present. The source ip address must be specified but the following fields may be left blank and assigned default values.
- src_port - 6665
- dev_name - "" (the device name is always ignored)
- dst_port - 6666
- dst_ip - 255.255.255.255
- dst_mac - 00:00:00:00:00
One way to view the data is to connect the test Pi 4 to another Pi running WireShark and select “udp.srcport == 6665” as a filter and select Analyze -> Follow -> UDP stream
to view as an ASCII log.
NETCONSOLE
should not be enabled by default because it may cause network problems. It can be enabled on demand via a GPIO filter e.g.
# Enable debug if GPIO 7 is pulled low
[gpio7=0]
NETCONSOLE=6665@169.254.1.1/,6666@/
Default: "" (not enabled)
Max length: 32 characters
USB_MSD_EXCLUDE_VID_PID
A list of up to 4 VID/PID pairs specifying devices which the bootloader should ignore. If this matches a HUB then the HUB won’t be enumerated, causing all downstream devices to be excluded. This is intended to allow problematic (e.g. very slow to enumerate) devices to be ignored during boot enumeration. This is specific to the bootloader and is not passed to the OS.
The format is a comma-separated list of hexadecimal values with the VID as most significant nibble. Spaces are not allowed.
E.g. 034700a0,a4231234
Default: ""
USB_MSD_DISCOVER_TIMEOUT
If no USB mass storage devices are found within this timeout then USB-MSD is stopped and the next boot mode is selected
Default: 20000
(20 seconds)
Version: 2020-09-03
USB_MSD_LUN_TIMEOUT
How long to wait in milliseconds before advancing to the next LUN e.g. a multi-slot SD-CARD reader. This is still being tweaked but may help speed up boot if old/slow devices are connected as well as a fast USB-MSD device containing the OS.
Default: 2000
(2 seconds)
USB_MSD_PWR_OFF_TIME
During USB mass storage boot, power to the USB ports is switched off for a short time to ensure the correct operation of USB mass storage devices. Most devices work correctly using the default setting: change this only if you have problems booting from a particular device. Setting USB_MSD_PWR_OFF_TIME=0
will prevent power to the USB ports being switched off during USB mass storage boot.
Minimum: 250
Maximum: 5000
Default: 1000
(1 second)
XHCI_DEBUG
This property is a bit field which controls the verbosity of USB debug messages for mass storage boot mode. Enabling all of these messages generates a huge amount of log data which will slow down booting and may even cause boot to fail. For verbose logs it's best to use NETCONSOLE
.
Value | Log |
---|---|
0x1 | USB descriptors |
0x2 | Mass storage mode state machine |
0x4 | Mass storage mode state machine - verbose |
0x8 | All USB requests |
0x10 | Device and hub state machines |
0x20 | All xHCI TRBs (VERY VERBOSE) |
0x40 | All xHCI events (VERY VERBOSE) |
To combine values, add them together. For example:
# Enable mass storage and USB descriptor logging
XHCI_DEBUG=0x3
Default: 0x0
(no USB debug messages enabled)
config.txt - configuration properties
boot_load_flags
Experimental property for custom firmware (bare metal).
Bit 0 (0x1) indicates that the .elf file is custom firmware. This disables any compatiblity checks (e.g. is USB MSD boot supported) and resets PCIe before starting the executable.
Default: 0x0
uart_2ndstage
If set to 0x1 then enable debug logging to the UART. In newer firmware versions (Raspberry Pi OS 2020-08-20 and later) UART logging is also automatically enabled in start.elf. This is also described on the Boot options page.
The BOOT_UART
property also enables bootloader UART logging but does not enable UART logging in start.elf
unless uart_2ndstage=1
is also set.
Default: 0
eeprom_write_protect
The 2020-09-03
recovery.bin
EEPROM updater provides a feature to configure the EEPROM Write Status Register
. This can be set to either mark the entire EEPROM as write-protected or clear write-protection.
This option must be used in conjunction with the EEPROM /WP
pin which controls updates to the EEPROM Write Status Register
. Pulling /WP
low (CM4 EEPROM_nEP
or Pi4B TP5
) does NOT write-protect the EEPROM unless the Write Status Register
has also been configured.
See: Winbond W25x40cl datasheet
eeprom_write_protect
settings in config.txt
for recovery.bin
.
Value | Description |
---|---|
1 | Configures the write protect regions to cover the entire EEPROM. |
0 | Clears the write protect regions. |
-1 | Do nothing. |
N.B flashrom
does not support clearing of the write-protect regions and will fail to update the EEPROM if write-protect regions are defined.
Default: -1
bootloader_update
This option may be set to 0 to block self-update without requiring the EEPROM configuration to be updated. This is sometimes useful when updating multiple Pis via network boot because this option can be controlled per Raspberry Pi (e.g. via a serial number filter in config.txt).
Default: 1
(0
in versions prior to 2020-09-03)
Advanced boot modes - Network / USB mass storage boot.
For network or USB mass storage boot we recommend updating to bootloader version 2020-09-03 and Raspberry Pi OS 2020-08-20 or newer.
Updating the bootloader
Update using the Raspberry Pi Imager
The easiest method to update the bootloader with a factory default configuration supporting USB boot is to use the Raspberry Pi Imager.
- Download the Raspberry Pi Imager
- Download the latest EEPROM recovery image
- Select
Use Custom
to reformat and flash a blank SD card with the EEPROM update enabling USB MSD boot support.
Manual bootloader update
- From a Raspberry Pi OS 2020-08-20 or newer SD card:
sudo apt update sudo apt full-upgrade
- Run
vcgencmd bootloader_config
to check your current configuration and decide whether to use the factory default config or migrate your existing boot settings. - Update the bootloader
# Install with the factory default configuration (-d). sudo rpi-eeprom-update -a -d
Changing the boot mode
To change the default boot mode use the Boot Options
/Boot Order
option in raspi-config. Alternatively, edit the EEPROM configuration file manually and set the BOOT_ORDER
according to the desired boot mode then use rpi-eeprom-update -d -f
to update the bootloader.
USB mass storage boot
This is a new feature and we recommend you check the Raspberry Pi general discussion forum for queries or interoperability questions.
N.B. For other operating systems please check the maintainer's website for USB boot support.
Check that the USB mass storage device works under Linux
Before attempting to boot from a USB mass storage device it is advisible to verify that the device works correctly under Linux. Boot using an SD card and plug in the USB mass storage device. This should appears as a removable drive.
Spinning hard-disk drives nearly always require a powered USB hub. Even if it appears to work you are likely to encounter intermittent failures without a powered USB HUB
This is especially important with USB SATA adapters which may be supported by the bootloader in mass storage mode but fail if Linux selects USB Attached SCSI - UAS mode.
See this forum thread about UAS and how to add usb-storage.quirks to workaround this issue.
Multiple bootable drives
When searching for a bootable partition the bootloader scans all USB mass storage devices in parallel and will select the first to respond. If the boot partition does not contain a suitable start.elf file the next available device is selected.
As with earlier Raspberry Pi models there is no method for specifying the boot device according to the USB topology because this would slow down boot and adds unecessary and hard to support configuration complexity.
N.B. config.txt conditional filters can be used to select alternate firmware in complex device configurations.
Network boot server configuration
Network boot requires a TFTP and NFS server to be configured. See Network boot server tutorial
Additional notes:-
- The MAC address on the Pi 4 is programmed at manufacture and is not derived from the serial number.
# mac address (ip addr) - it should start with DC:A6:32 ip addr | grep ether | head -n1 | awk '{print $2}' | tr [a-z] [A-Z] # serial number vcgencmd otp_dump | grep 28: | sed s/.*://g