#linux-amlogic on 2025-05-02 — irc logs at libera.catirclogs.org

2021-06-01 12:24 narmstrong changed the topic of #linux-amlogic to: Amlogic mainline kernel development discussion - our wiki http://linux-meson.com/ - ml linux-amlogic@lists.infradead.org - official channel moved from Freenode - publicly logged on https://libera.irclog.whitequark.org/linux-amlogic

00:00 luka177 has joined #linux-amlogic

00:12 luka177 has quit [Ping timeout: 260 seconds]

00:49 GNUtoo has quit [Ping timeout: 252 seconds]

00:51 GNUtoo has joined #linux-amlogic

02:19 hexdump0815 has quit [Ping timeout: 245 seconds]

02:21 hexdump0815 has joined #linux-amlogic

06:19 djrscally has joined #linux-amlogic

06:43 naoki has joined #linux-amlogic

06:51 konsgn has quit [Ping timeout: 252 seconds]

06:51 konsgn9 has joined #linux-amlogic

07:27 knuxify has quit [Quit: The Lounge - https://thelounge.chat]

07:28 knuxify2 has joined #linux-amlogic

07:40 paulk has quit [Ping timeout: 245 seconds]

07:54 paulk has joined #linux-amlogic

08:21 ldevulder has joined #linux-amlogic

08:28 ldevulder has quit [Quit: Leaving]

09:04 jacobk has quit [Ping timeout: 248 seconds]

09:05 jacobk has joined #linux-amlogic

11:13 konsgn has joined #linux-amlogic

11:15 konsgn9 has quit [Ping timeout: 276 seconds]

11:24 psydroid has joined #linux-amlogic

11:37 naoki has quit [Quit: naoki]

13:29 psydroid2 has joined #linux-amlogic

13:33 chewitt has joined #linux-amlogic

14:30 buzzmarshall has joined #linux-amlogic

15:03 konsgn8 has joined #linux-amlogic

15:05 <lvrp16> the new spicc dma patch does not send valid data on certain sizes like the old PIO code.

15:05 konsgn has quit [Ping timeout: 252 seconds]

15:05 konsgn8 is now known as konsgn

15:06 <lvrp16> some of the SPI_BURST_LEN logic does not look like it makes sense, I'll try to fix/rewrite it and try to test if I can shoehorn in DMA for small words in.

17:20 chewitt has quit [Quit: Zzz..]

17:39 vagrantc has joined #linux-amlogic

19:17 <f_> first time using b4 :P

20:24 <lvrp16> well, dma does not work on GXL. I've built a test suite for SPI and some certain speeds and bpw combinations don't work. spi is a mess.

20:24 <lvrp16> the current driver needs to be overhauled. will see if I finish it this weekend.

20:26 <lvrp16> and certain size transfers don't work either with the new dma code even though it should. 4136 bytes for example

20:27 <lvrp16> running an exhaustive test against every 8 byte transfer from 16B up to 1MB on GXL, G12B and SM1 right now, for 8 16 32 64 bpw.

20:56 psydroid has quit [Quit: KVIrc 5.2.6 Quasar http://www.kvirc.net/]

21:04 vagrantc has quit [Ping timeout: 265 seconds]

21:47 f_[x] is now known as funderscore

22:01 funderscore is now known as f_1

22:14 <f_> Ok so I'm wondering if I should upstream my tv stick u-boot patches after the DT patches..

22:15 <f_> that device is special in that regular amlogic bl2 will not work

22:15 <f_> because secureboot is enabled. So one needs to either patch bl2 to remove secureboot checks, or use the wip u-boot-spl stuff

22:16 <f_> speaking of U-Boot SPL I've been cleaning up the code lately

22:33 <lvrp16> wait, bl2 can be patched to remove secureboot?

22:33 <lvrp16> so for GXL, it's wide open?

22:34 <f_> lvrp16: you can do binary patching to remove BL2's secureboot checks once you gain unsigned code execution yeah.

22:34 <f_> either that or run u-boot-spl

22:34 <lvrp16> so there's no chain of trust from bl1 to bl2?

22:34 <lvrp16> eg, the bootrom does not verify bl2 signature?

22:34 <f_> BL1 does checks to BL2

22:35 <lvrp16> then how do you patch bl2 and still have the sig be valid?

22:35 <f_> when secureboot is enabled it checks BL2's signature. It can also decrypt BL2 if it's AES-encrypted and the efuses have been burned to allow it

22:35 <f_> lvrp16: this is where the amlogic-usbdl vuln comes in

22:36 <f_> https://fredericb.info/2021/02/amlogic-usbdl-unsigned-code-loader-for-amlogic-bootrom.html#amlogic-usbdl-unsigned-code-loader-for-amlogic-bootrom

22:36 <f_> ^ because of this, you can run unsigned code from the bootROM's USB mode

22:36 <f_> It's inconvenient to do, but allows you to do all sorts of fun stuff

22:37 <f_> like, run your own BL2 payload!

22:37 <f_> at this point the payload can be anything. So it can be u-boot-spl, just like it can be a BL2 patched to remove secureboot checks

22:38 <f_> The only way to mitigate it, is to lock USB mode behind a password.

22:38 <f_> and this affects almost all pre-2021 Amlogic SoCs, to my knowledge

22:39 <lvrp16> ahh did they ever patch bl1?

22:39 <f_> Not to my knowledge, no

22:40 <f_> My TV Stick's BL1 is identical to lepotato's BL1 which is identical to lafrite's BL1

22:40 <f_> so you can be certain all three have the vulnerability

22:40 <lvrp16> Well, that site said S905D3

22:40 <f_> yes, it was originally found on S905D3

22:41 <lvrp16> yeah so I'm wondering if they ever patches S905D3 and A311D bl1 since these chips are still active.

22:41 <f_> Good question

22:41 <f_> I could probably dump alta's ROM to compare

22:43 <f_> or, well, dump solitude's ROM too since that one has S905D3

22:50 <f_> If they patched it, could be worth documenting.

22:52 djrscally has quit [Ping timeout: 265 seconds]