timg236
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 253
Joined: Thu Jun 21, 2018 4:30 pm

Updated bootloader for Pi4

Wed Jul 17, 2019 3:44 pm

There's a new release candidate image for the Raspberry Pi4 bootloader - see https://www.raspberrypi.org/forums/view ... 7&t=246027

This might be of interest to anyone implementing 'power off' buttons or HATS but should be invisible to most users.

Feel free to post any bug reports on this thread

trejan
Posts: 932
Joined: Tue Jul 02, 2019 2:28 pm

Re: Updated bootloader for Pi4

Wed Jul 17, 2019 4:20 pm

Reflashed the RPi 4 boards I've got and looks to be working here.

Is there going to be an easier procedure for updating in the future or is this it? e.g. it'll start booting instead of just rapidly blinking the LED once it has updated the EEPROM. Just wondering as an update process that doesn't require physical access would be nice.

timg236
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 253
Joined: Thu Jun 21, 2018 4:30 pm

Re: Updated bootloader for Pi4

Wed Jul 17, 2019 4:30 pm

trejan wrote:
Wed Jul 17, 2019 4:20 pm
Reflashed the RPi 4 boards I've got and looks to be working here.

Is there going to be an easier procedure for updating in the future or is this it? e.g. it'll start booting instead of just rapidly blinking the LED once it has updated the EEPROM. Just wondering as an update process that doesn't require physical access would be nice.
Yes, we are working on it, there will be an eeprom updater script and appropriate apt-package(s). Covering all the possible corner cases will requires quite a lot of testing and we'll beta-test the package files via the forums once we are happy with it.

For reference (advanced users only) the Linux tools to do this are as follows but beware that flashrom will do a chip-erase then flash which is not an atomic operation. There's a 'safe mode' recovery which will allow basic booting from sd-card to allow for a transaction but that's not ready just yet.

N.B. There will be mailbox all to turn the analog LDO off/on due to the shared GPIO pins for the EEPROM. Right now you will get some noise through the analog port!

Code: Select all

sudo apt-get install flashrom
sudo dtparam audio=off
sudo dtoverlay spi-gpio40-45
sudo modprobe spidev
sudo modprobe spi-bcm2835
sudo flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=16000 | grep W25X
sudo flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=16000 -r pieeprom-backup.bin
sudo flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=16000 -w pieeprom.bin

trejan
Posts: 932
Joined: Tue Jul 02, 2019 2:28 pm

Re: Updated bootloader for Pi4

Wed Jul 17, 2019 5:32 pm

Ahh. Thanks. I was just expecting the flash process to be handled by start.elf. I didn't expect direct access to the SPI EEPROM.

If anybody has SPI already enabled in /boot/config.txt then you need to run "rmmod spi-bcm2835" first or it won't pick up the devicetree change to use GPIOs connected to the boot EEPROM.

hippy
Posts: 6299
Joined: Fri Sep 09, 2011 10:34 pm
Location: UK

Re: Updated bootloader for Pi4

Wed Jul 17, 2019 7:40 pm

timg236 wrote:
Wed Jul 17, 2019 4:30 pm
There's a 'safe mode' recovery which will allow basic booting from sd-card to allow for a transaction but that's not ready just yet.
Is rescuing oneself from an erased / corrupted Bootloader Eeprom not covered by booting an SD Card with the SPI Bootloader Eeprom Recovery files on it ?

https://www.raspberrypi.org/downloads

timg236
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 253
Joined: Thu Jun 21, 2018 4:30 pm

Re: Updated bootloader for Pi4

Wed Jul 17, 2019 7:56 pm

hippy wrote:
Wed Jul 17, 2019 7:40 pm
timg236 wrote:
Wed Jul 17, 2019 4:30 pm
There's a 'safe mode' recovery which will allow basic booting from sd-card to allow for a transaction but that's not ready just yet.
Is rescuing oneself from an erased / corrupted Bootloader Eeprom not covered by booting an SD Card with the SPI Bootloader Eeprom Recovery files on it ?

https://www.raspberrypi.org/downloads
The sd-card rescue image will always work and also always resets any config i.e. it's a factory reset of the EEPROM. The ROM always runs recovery.bin on the sd-card in preference to the EEPROM so this will always be safe.

The 'safe mode' / minimal bootloader (could do with a better name) is just enough of a bootloader to load Linux from the sd-card in-case there's a power failure during flashrom. i.e. cp recovery-safe.bin /boot/recovery.bin && sync && apply-update && rm -f /boot/recovery.bin
This is intended to support unattended updates (e.g. for remote machines) in a safe manner.

hippy
Posts: 6299
Joined: Fri Sep 09, 2011 10:34 pm
Location: UK

Re: Updated bootloader for Pi4

Wed Jul 17, 2019 8:15 pm

timg236 wrote:
Wed Jul 17, 2019 7:56 pm
The sd-card rescue image will always work and also always resets any config i.e. it's a factory reset of the EEPROM. The ROM always runs recovery.bin on the sd-card in preference to the EEPROM so this will always be safe.

The 'safe mode' / minimal bootloader (could do with a better name) is just enough of a bootloader to load Linux from the sd-card in-case there's a power failure during flashrom. i.e. cp recovery-safe.bin /boot/recovery.bin && sync && apply-update && rm -f /boot/recovery.bin
This is intended to support unattended updates (e.g. for remote machines) in a safe manner.
Got it - Thanks.

Are there any specs on the Eeprom used you can publicly provide; part number, erase-write lifetime etc ?

trejan
Posts: 932
Joined: Tue Jul 02, 2019 2:28 pm

Re: Updated bootloader for Pi4

Wed Jul 17, 2019 8:19 pm

hippy wrote:
Wed Jul 17, 2019 8:15 pm
Are there any specs on the Eeprom used you can publicly provide; part number, erase-write lifetime etc ?
flashrom detects it as a Winbond W25X40. The USB controller uses a Winbond W25X10.

Assuming the boot EEPROM is actually a Winbond and not just a compatible clone then the datasheet says 100,000+ erase/write cycles with 20+ year data retention.
Last edited by trejan on Fri Oct 18, 2019 12:38 pm, edited 1 time in total.

hippy
Posts: 6299
Joined: Fri Sep 09, 2011 10:34 pm
Location: UK

Re: Updated bootloader for Pi4

Wed Jul 17, 2019 8:37 pm

Once again - Thanks.

jamesh
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 24192
Joined: Sat Jul 30, 2011 7:41 pm

Re: Updated bootloader for Pi4

Wed Jul 17, 2019 9:38 pm

If you reflash your bootrom 100k times, you are doing something wrong.

Also note, this part could change at any point, including size. We do not guarantee it will remain the same.
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Contrary to popular belief, humorous signatures are allowed. Here's an example...
“I think it’s wrong that only one company makes the game Monopoly.” – Steven Wright

hippy
Posts: 6299
Joined: Fri Sep 09, 2011 10:34 pm
Location: UK

Re: Updated bootloader for Pi4

Wed Jul 17, 2019 9:50 pm

jamesh wrote:
Wed Jul 17, 2019 9:38 pm
If you reflash your bootrom 100k times, you are doing something wrong.
Or something else is.

I was idly wondering how quickly one could brick someone else's Pi for them - not that I have any intention of doing so.

About an hour I reckon. Though erase-cycles are often conservatively stated so it could take a lot longer.

timg236
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 253
Joined: Thu Jun 21, 2018 4:30 pm

Re: Updated bootloader for Pi4

Thu Jul 18, 2019 6:24 am

hippy wrote:
Wed Jul 17, 2019 9:50 pm
jamesh wrote:
Wed Jul 17, 2019 9:38 pm
If you reflash your bootrom 100k times, you are doing something wrong.
Or something else is.

I was idly wondering how quickly one could brick someone else's Pi for them - not that I have any intention of doing so.

About an hour I reckon. Though erase-cycles are often conservatively stated so it could take a lot longer.
    • The current board revision has a standard Winbond flash as reported by flashrom. You can download the spec from the website
    • The component might get swapped for another flash without notice including smaller, slower parts.
    • It's not general purpose user modifiable storage, we might add some basic API as an alternative to to the user OTP rows or small blobs of configuration data. The expectation is that these would be set tens of times not thousands.
    • 100,000 erase write cycles are indeed possible. It will take a lot longer than an hour and it didn't fail for me. YMMV, but obviously don't actually do this. Testing things to destruction is an expensive hobby.
    • Conceptually it's the same as the bootcode in the Pi3 ROM, it's just possible to fix stuff after manufacture

hippy
Posts: 6299
Joined: Fri Sep 09, 2011 10:34 pm
Location: UK

Re: Updated bootloader for Pi4

Thu Jul 18, 2019 10:32 am

timg236 wrote:
Thu Jul 18, 2019 6:24 am
Conceptually it's the same as the bootcode in the Pi3 ROM, it's just possible to fix stuff after manufacture
Absolutely and it's a great idea. On the downside it's a potentially new attack vector which could be exploited by anyone who had malicious intent. Such malicious attacks are unlikely but it is useful to know how effective they could be.

I work for a company which makes embedded programmable systems so "what's the worse which could happen?" is something which has come to interest me.

In the past there was nothing programmable on a Pi which was persistent, except OTP bits, so the worst someone could maliciously do was to set an OTP configuration which prevented booting, set a GPIO configuration which burned out the SoC, or continually write to the SD Card in the hope of wearing it out or corrupting it.

More recent Pi have a PMIC which could theoretically be programmed not to work and now the Bootloader Eeprom which could be rendered unusable, both of which would brick the Pi and require a hardware fix to be usable.

A 100K erase-write lifetime for the Eeprom is perfectly adequate for normal use. A user would have to reprogram it ten times a day, every day for 30 years straight, to get close to expiring it. That's not going to happen.

But something executing autonomously could erase-write it, or parts of it, far more frequently, and one likely only needs to make the smallest part of the Eeprom unusable to bring everything down. I was basing my hour long prediction on 100K x 30ms typical Sector Erase being the fastest damage could be done. In practice it is likely to be longer than that, but a program has all the time in the world to do its damage.

It's not something I imagine happening but it does seem something which could potentially happen.

timg236
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 253
Joined: Thu Jun 21, 2018 4:30 pm

Re: Updated bootloader for Pi4

Thu Jul 18, 2019 10:38 am

hippy wrote:
Thu Jul 18, 2019 10:32 am
timg236 wrote:
Thu Jul 18, 2019 6:24 am
Conceptually it's the same as the bootcode in the Pi3 ROM, it's just possible to fix stuff after manufacture
But something executing autonomously could erase-write it, or parts of it, far more frequently, and one likely only needs to make the smallest part of the Eeprom unusable to bring everything down. I was basing my hour long prediction on 100K x 30ms typical Sector Erase being the fastest damage could be done. In practice it is likely to be longer than that, but a program has all the time in the world to do its damage.
Any scripts using flashrom should be safe because flashrom already avoids unnecessary erase/write cycles. The updater script also checks this because it stores a backup and we don't want to fill the disk with duplicate backups.

Anyone who knows enough to write their own scripts or roll their own flashrom does so at their own risk.

Return to “Advanced users”