Bootloader

This page describes layout of bootloader and auxiliary data. It is usually a file called fastboot.bin in upgrade packages.

S5 series

For 32-bit S5 series, if Secure Boot is not enabled, fastboot.bin contains only the bootloader (plain U-Boot), i.e. the first word must be a valid instruction.

If Secure Boot is enabled, fastboot.bin will be read after MBR (offset 0x200) from eMMC, and the following structure applies to fastboot.bin.

S5 series boootloader layout
Area	Offset	Name	Size	Description	Possible value
Key Area	`0x0000`	`Ext_RSA_Pub_Key`	`0x0100`	External RSA Public Key
	`0x0100`	RSA modulus	`0x0100`		`0x10001`
	`0x0200`	`MSID`	`0x0004`	Market Segment ID, must be same as `otp_getmsid`	`0`
	`0x0204`	Area Signature	`0x0100`	Signed by `Root_RSA_Pub_Key`
Param Area	`0x0304`	`CONFIG_OFF`	`0x0004`	CA Config offset in Param Area	`0x20`
	`0x0308`	`CHECK_AREA_OFF`	`0x0004`	Unckecked Area length	`0x20`
	`0x030c`	`CHECK_AREA_LEN`	`0x0004`	(Boot Area - Signature) length
	`0x0310`		`0x0004`	Signature offset?	`0`
	`0x0314`	`BOOT_AREA_LEN`	`0x0004`	(Unckecked Area + Boot Area) length
	`0x0318`		`0x0004`	flag
	`0x0304 + CONFIG_OFF`	CA Config	?	`*.cfg` file
	`0x1700`	Area Signature	`0x0100`	Signed by `Ext_RSA_Pub_Key`
Unckecked Area	`0x1800`		`CHECK_AREA_OFF`	Free for bootloader to use
Boot Area	`0x1800 + CHECK_AREA_OFF`	Bootloader	`CHECK_AREA_LEN - 8`	Vendor bootloader
	`offsetof(Signature) - 0x8`	Version ID	`0x0004`	Field defined by vendor bootloader	`0`
	`offsetof(Signature) - 0x4`	`MSID`	`0x0004`	Field defined and enforced by vendor bootloader	`0`
	aligned to `0x100`	Area Signature	`0x0100`	Signed by `Ext_RSA_Pub_Key`

This means you will need different offset when writing fastboot.bin.

# if SB not enabled
dd if=/mnt/fastboot.bin of=/dev/mmcblk0p1
# if SB enabled
dd if=/mnt/fastboot.bin of=/dev/mmcblk0p1 bs=512 skip=1

You can use ca_getsecbootstatus in vendor Fastboot to check Secure Boot status.

S40 series

A new layout is introduced on 64-bit S40 series, so same fastboot.bin could fit into both SB or non-SB environment.

While this means all SB-related fields could be reused if no Secure Boot is enforced, please notice S40 requires AUXIMAGE for proper initialization, thus layout is not complete free to change.

S40 series boootloader layout
Area	Offset	Name	Size	Description	Possible value
HSL Area	`-0x10000`	`HSLIMAGE`	`0x10000`	`hsl_sign.img` (only for v2)
Key Area	`0x0000`	Unused jump instruction	`0x0004`	Jump to `BOOT_ENTRY` target [1]
	`0x0004`	`Ext_RSA_Pub_Key`	`0x0100`	External RSA Public Key
	`0x0104`	RSA modulus	`0x0100`
	…
	`0x0300`	Area Signature	`0x0100`	Signed by `Root_RSA_Pub_Key`
Param Area	…
Param Area	`0x2ec0`	Area Signature	`0x0100`	Signed by `Ext_RSA_Pub_Key`
Unckecked Hisi Area	`0x2fc0`	`SCS_SIM_FLAG`	`0x0004`	SCS simulation flag	`0x69875ab4`
	`0x2fc4`	`BOOT_FLAG`	`0x0004`	Boot flag	`0x435a590d` [2]
	`0x2fc8`	`AUX_ENC_FLAG`	`0x0004`	Auxiliary Code encrypt flag	`0x2a13c812`
	`0x2fe0`	`SUPPORT_MULTI_PARAM`	`0x0004`	`bool`
	`0x2fe4`	`PARAM_START_ADDR`	`0x0004`	Param start offset
	`0x2fe8`	`PARAM_ITEM_LEN`	`0x0004`	Param item length	`0x2000`
	`0x2fec`	`BOOT_STORE_ADDR`	`0x0004`	Boot store address	`0x01000000`
Auxiliary Code Area	`0x0300`	`AUXIMAGE`	`AUXAREA_LEN`	`auxcode_sign.img`
ACPU Start Code Area	aligned to `0x100`	`ASC`	`ASCAREA_LEN`	`asc_sign.img`
Unckecked Area	aligned to `0x100`		`SCS_HASHED_AREA_OFF`	Free for bootloader to use
Boot Area	aligned to `0x100`	Bootloader	`SCS_HASHED_AREA_LEN`	Vendor bootloader
Boot Area	aligned to `0x100`	Area Signature	`0x0100`	Signed by `Ext_RSA_Pub_Key`
Reg list [3]	aligned to `0x100`	`BOOT_REG0`	`PARAM_ITEM_LEN`
	…	…	`PARAM_ITEM_LEN`
	aligned to `0x100`	`BOOT_REG7`	`PARAM_ITEM_LEN`

V1 layout
Area	Offset	Name	Size	Description	Possible value
Key Area	`0x0214`	`AUXAREA_ADR`	`0x0004`	`_auxcode_start - TEXT_BASE`	`0x0300`
	`0x0218`	`AUXAREA_LEN`	`0x0004`	Auxiliary Code length	`0x5400` or `0x3400`
	`0x021c`	`BOOT_ENTRY`	`0x0004`	Boot entry address
Param Area	`0x0400`	`SCS_HASHED_AREA_OFF`	`0x0004`	Unckecked Area length	`0x100`
	`0x0404`	`SCS_HASHED_AREA_LEN`	`0x0004`	Bootloader length
	`0x0408`	`TOTAL_BOOT_AREA_LEN`	`0x0004`	(Unckecked Area + Boot Area) length
	`0x0480`	`DEFAULT_BOOT_REG`	`0x2a40`	`*.reg` file

V2 layout
Area	Offset	Name	Size	Description	Possible value
Key Area	`0x0210`	`KEY_RIGHTS`	`0x0004`		`0x3c78962d`
	`0x0214`	`AUXAREA_LEN`	`0x0004`	Auxiliary Code length	`0x6000`
	`0x0218`	`ASCAREA_LEN`	`0x0004`	ACPU Start Code length	`0x6000`
	`0x0220`	`PROTECT_KEY1`	`0x0010`	Flash protection key	`0x12345678`
	`0x0230`	`PROTECT_KEY2`	`0x0010`	Flash protection key	`0x12345678`
	`0x0240`	`PROTECT_KEY3`	`0x0010`	Flash protection key	`0x12345678`
	`0x0250`	`AUXKEY`	`0x0010`	Auxiliary Code key
Param Area	`0x0400`	`SCS_HASHED_AREA_OFF`	`0x0004`	Unckecked Area length	`0x100`
	`0x0404`	`SCS_HASHED_AREA_LEN`	`0x0004`	Bootloader length
	`0x0408`	`TOTAL_BOOT_AREA_LEN`	`0x0004`	(Unckecked Area + Boot Area) length
	`0x040c`	`FLASH_BOOT_ENC_FLAG`	`0x0004`	Boot flag	`0x3c7896e1`
	`0x04b0`	`DEFAULT_BOOT_REG`	`0x2a40`	`*.reg` file

# no matter the status of SB
dd if=/mnt/fastboot.bin of=/dev/mmcblk0p1