[g1-hackers] fastboot "USB loader" protocol

Jay Freeman (saurik) saurik at saurik.com
Sun Dec 7 00:30:53 UTC 2008


So, in digging through the dump (just by strings, haven't broken out anything more awesome yet), I noticed the following block:

reboot-bootloader
reboot
powerdown
getvar:
CMD:getvar: %s
download:
CMD:download: %s
FAILdata too large
recv data addr=%x size=%x
DATA
status: %s
erase:
flash:
security=0x%x
verified by test key
verified by engineering key
FAILsignature did not verify
boot
signature
FAILsignature not 256 bytes long
SetFlag:
ClearFlag:
oem

These are the commands from the Android part of the bootloader, specifically the USB part. The source code for that is here:
http://android.git.kernel.org/?p=platform/bootloader/legacy.git;a=blob_plain;f=usbloader/usbloader.c

Unfortunately, supposedly this is off inside of the production G1 shipments:
http://groups.google.com/group/android-porting/browse_thread/thread/4990ffe551844860

However, as I hear that some people have engineering builds of the bootloader, this still might be useful to look at.

The code is a little out of date, but weirdly enough the strings we have better match the documentation from here:
http://android.git.kernel.org/?p=platform/bootloader/legacy.git;a=blob_plain;f=fastboot_protocol.txt

The documentation mentions two commands that are not present in the dump: "verify:", and "continue". Meanwhile, the dump has the following commands not in our copy of the code: "reboot-bootloader", "powerdown", and maybe "SetFlag:", "ClearFlag:" (capital letters indicate device-specific extensions).

What I'm most interested in, though, is flash:. It has a security= string near it, and mentions a "test key". Here's the code we have:

    #if REQUIRE_SIGNATURE
            {
                unsigned char digest[DIGEST_SIZE];
                compute_digest((void*) kernel_addr, kernel_size, digest);
                if (is_signature_okay(digest, signature, key_engineering)) {
                    dprintf("verified by engineering key\n");
                } else {
                    tx_status("FAILsignature did not verify");
                    rx_cmd();
                    return;
                }
            }
    #endif

Note that it only mentions engineering key. Maybe the bootloader was changed to make it easier to install test files on it? (I still haven't had a chance to really read any code, just look at strings output.)

-J
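
As an added example (not part of the original post or of the usbloader source), this Python sketch sorts the strings from the dump into host commands, device replies and debug text, and parses a reply packet. The 4-byte OKAY/FAIL/DATA/INFO status framing and the 8-hex-digit DATA size follow fastboot_protocol.txt; the classification heuristic, the function names and the sample packets are assumptions made here.

```python
import re

# Strings copied from the dump listing in the post above.
DUMP_STRINGS = [
    "reboot-bootloader", "reboot", "powerdown", "getvar:", "CMD:getvar: %s",
    "download:", "CMD:download: %s", "FAILdata too large",
    "recv data addr=%x size=%x", "DATA", "status: %s", "erase:", "flash:",
    "security=0x%x", "verified by test key", "verified by engineering key",
    "FAILsignature did not verify", "boot", "signature",
    "FAILsignature not 256 bytes long", "SetFlag:", "ClearFlag:", "oem",
]

# Every device reply starts with one of these 4-byte ASCII status words.
STATUS_PREFIXES = (b"OKAY", b"FAIL", b"DATA", b"INFO")

def classify(strings):
    """Heuristic triage (an assumption, not the loader's logic): status-prefixed
    strings are replies, strings with spaces or printf specifiers are debug
    output, and the remaining bare tokens are treated as host commands."""
    out = {"command": [], "reply": [], "debug": []}
    for s in strings:
        if s[:4].encode() in STATUS_PREFIXES:
            out["reply"].append(s)
        elif "%" in s or " " in s:
            out["debug"].append(s)
        else:
            out["command"].append(s)
    return out

def parse_response(packet: bytes):
    """Split one device reply into (status, payload)."""
    if len(packet) < 4 or packet[:4] not in STATUS_PREFIXES:
        raise ValueError("not a fastboot reply: %r" % packet[:16])
    status, rest = packet[:4].decode(), packet[4:]
    if status == "DATA":
        # DATA announces the size of the coming transfer as 8 hex digits.
        if not re.fullmatch(rb"[0-9a-fA-F]{8}", rest):
            raise ValueError("malformed DATA size: %r" % rest)
        return status, int(rest, 16)
    return status, rest.decode("ascii", "replace")

if __name__ == "__main__":
    for kind, items in classify(DUMP_STRINGS).items():
        print(kind, items)
    # Constructed sample replies, not captured from a device.
    for pkt in (b"DATA00001000", b"FAILsignature did not verify", b"OKAY"):
        print(parse_response(pkt))
```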