1,330 bytes added, 05:07, 10 August 2021
Hallowizer2 moved page Espresso Boot ROM to Espresso boot ROM: Sentence case
The [[Espresso]] includes a special boot ROM that checks all software it boots. It only boots software in the form of an [[Ancast Image]].
 
== Process ==
:''A more visual explanation can be seen [https://fail0verflow.com/media/30c3-slides/#/18 here].''
 
First, the MMU, caches, and registers are all cleared. The boot ROM is mapped into translated mode as well, and two other regions of memory are mapped. The boot ROM then switches to translated mode, and remains in execution due to it being mapped there.
 
At this point, the L1 and L2 caches are enabled, and the L1 cache is locked. From here, the reset vector is replaced with an infinite loop, and the L1 cache is directly initialized. The boot ROM is then copied into main memory, and the copy is flushed to L2. Now, the copy of the boot ROM is jumped to.
 
AES keys are now taken from [[Hardware/OTP|OTP]] before locking OTP; the Ancast Image signature is then validated, and the ciphertext is decrypted.
 
The boot ROM now jumps back to its original location, and proceeds to clear the copy in RAM, as well as the L1 cache. The L1 cache is now disabled, and the memory previously used is now unmapped. The Ancast Header is now mapped into translated memory, and the L1 and L2 caches are reset.
 
Now, a special instruction to unmap the boot ROM is placed before the jump target, flushed to the L2 cache, and verified. The boot ROM then jumps to that instruction, allowing the code to begin executing.
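The ordering that matters for security in the steps above (read keys, lock OTP so booted code can never read them, check the signature, and only then decrypt) can be modelled in a few lines. The following is an added illustrative model, not code from the boot ROM or the wiki; the Ancast format, the real signature scheme and AES are not reproduced, so an HMAC over the ciphertext stands in for the signature and a SHA-256 counter keystream stands in for AES.

```python
import hmac
import hashlib

class OtpLockedError(Exception):
    """Raised when a key read is attempted after the OTP has been locked."""

class Otp:
    """Constructed stand-in for the OTP: keys are readable only until locked."""

    def __init__(self, keys):
        self._keys = dict(keys)
        self.locked = False

    def read(self, name):
        if self.locked:
            raise OtpLockedError(name)
        return self._keys[name]

    def lock(self):
        self.locked = True

def keystream_xor(key, data):
    # Stand-in for the AES step (no AES in the stdlib): SHA-256 counter keystream.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def make_image(keys, payload):
    """Constructed signer side: encrypt, then tag the ciphertext."""
    ciphertext = keystream_xor(keys["aes"], payload)
    tag = hmac.new(keys["sig"], ciphertext, hashlib.sha256).digest()
    return tag, ciphertext

def boot(otp, image):
    """Model of the boot ROM ordering: read keys, lock OTP, verify, then decrypt.
    Returns the plaintext, or None if the tag does not match."""
    sig_key = otp.read("sig")
    aes_key = otp.read("aes")
    otp.lock()                    # booted code can never read the keys back
    tag, ciphertext = image
    expected = hmac.new(sig_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None               # rejected before any decryption happens
    return keystream_xor(aes_key, ciphertext)
```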