30
30
#include <stdlib.h>
31
31
32
32
const char RomBOOT_Version [] = SAM_BA_VERSION ;
33
- const char RomBOOT_ExtendedCapabilities [] = "[Arduino:XYZ]" ;
33
+ // X = Chip Erase, Y = Write Buffer, Z = Checksum Buffer, P = Secure Bit Aware
34
+ const char RomBOOT_ExtendedCapabilities [] = "[Arduino:XYZP]" ;
34
35
35
36
/* Provides one common interface to handle both USART and USB-CDC */
36
37
typedef struct
@@ -83,6 +84,12 @@ const t_monitor_if usbcdc_if =
83
84
/* The pointer to the interface object use by the monitor */
84
85
t_monitor_if * ptr_monitor_if ;
85
86
87
+ #ifdef SECURE_BY_DEFAULT
88
+ bool b_security_enabled = true;
89
+ #else
90
+ bool b_security_enabled = false;
91
+ #endif
92
+
86
93
/* b_terminal_mode mode (ascii) or hex mode */
87
94
volatile bool b_terminal_mode = false;
88
95
volatile bool b_sam_ba_interface_usart = false;
@@ -222,9 +229,14 @@ void sam_ba_putdata_term(uint8_t* data, uint32_t length)
222
229
return ;
223
230
}
224
231
232
+ #ifndef SECURE_BY_DEFAULT
225
233
volatile uint32_t sp ;
226
234
void call_applet (uint32_t address )
227
235
{
236
+ if (b_security_enabled ) {
237
+ return ;
238
+ }
239
+
228
240
uint32_t app_start_address ;
229
241
230
242
__disable_irq ();
@@ -240,8 +252,10 @@ void call_applet(uint32_t address)
240
252
/* Jump to application Reset Handler in the application */
241
253
asm("bx %0" ::"r" (app_start_address ));
242
254
}
255
+ #endif
243
256
244
257
uint32_t current_number ;
258
+ uint32_t erased_from = 0 ;
245
259
uint32_t i , length ;
246
260
uint8_t command , * ptr_data , * ptr , data [SIZEBUFMAX ];
247
261
uint8_t j ;
@@ -264,6 +278,20 @@ static void put_uint32(uint32_t n)
264
278
sam_ba_putdata ( ptr_monitor_if , buff , 8 );
265
279
}
266
280
281
+ static void eraseFlash (uint32_t dst_addr )
282
+ {
283
+ erased_from = dst_addr ;
284
+ while (dst_addr < MAX_FLASH )
285
+ {
286
+ // Execute "ER" Erase Row
287
+ NVMCTRL -> ADDR .reg = dst_addr / 2 ;
288
+ NVMCTRL -> CTRLA .reg = NVMCTRL_CTRLA_CMDEX_KEY | NVMCTRL_CTRLA_CMD_ER ;
289
+ while (NVMCTRL -> INTFLAG .bit .READY == 0 )
290
+ ;
291
+ dst_addr += PAGE_SIZE * 4 ; // Skip a ROW
292
+ }
293
+ }
294
+
267
295
#ifdef ENABLE_JTAG_LOAD
268
296
static uint32_t offset = __UINT32_MAX__ ;
269
297
static bool flashNeeded = false;
@@ -284,7 +312,7 @@ static void sam_ba_monitor_loop(void)
284
312
{
285
313
sam_ba_putdata (ptr_monitor_if , "\n\r" , 2 );
286
314
}
287
- if (command == 'S' )
315
+ if (command == 'S' ) // Write memory (normally RAM, but might be flash, if client handles the Flash MCU commands?)
288
316
{
289
317
//Check if some data are remaining in the "data" buffer
290
318
if (length > i )
@@ -318,37 +346,81 @@ static void sam_ba_monitor_loop(void)
318
346
319
347
__asm("nop" );
320
348
}
321
- else if (command == 'R' )
349
+ else if (command == 'R' ) // Read memory (flash or RAM)
322
350
{
351
+ // Flash memory starts at address 0 and runs to flash size 0x40000 (256 KByte)
352
+
353
+ // Internal RWW section is at adress 0x400000. RWW is flash used for EEPROM emulation. Will not let anyone read that, when in secure mode, either.
354
+ // Bootloader ends at 0x1FFF, so user programs start at 0x2000
355
+ // RAM starts at 0x20000000, so redirect FLASH reads into RAM reads, when in secure mode
356
+ if (b_security_enabled && ((uint32_t )ptr_data >= 0x0000 && (uint32_t )ptr_data < 0x20000000 ))
357
+ {
358
+ ptr_data = (uint8_t * )0x20005000 ;
359
+ }
360
+
323
361
sam_ba_putdata_xmd (ptr_monitor_if , ptr_data , current_number );
324
362
}
325
- else if (command == 'O' )
363
+ else if (command == 'O' ) // write byte
326
364
{
327
365
* ptr_data = (char ) current_number ;
328
366
}
329
- else if (command == 'H' )
367
+ else if (command == 'H' ) // Write half word
330
368
{
331
369
* ((uint16_t * ) ptr_data ) = (uint16_t ) current_number ;
332
370
}
333
- else if (command == 'W' )
371
+ else if (command == 'W' ) // Write word
334
372
{
335
373
* ((int * ) ptr_data ) = current_number ;
336
374
}
337
- else if (command == 'o' )
375
+ else if (command == 'o' ) // Read byte
338
376
{
377
+ // Flash memory starts at address 0 and runs to flash size 0x40000 (256 KByte). RAM starts at 0x20000000.
378
+ // Intern RWW section is at adress 0x400000. RWW is flash used for EEPROM emulation. Will not let anyone read that, when in secure mode, either.
379
+ // BOSSA reads address 0 to check something, but using read word instead of read byte, but in any case allow reading first byte
380
+ // Bootloader ends at 0x1FFF, so user programs start at 0x2000
381
+ if (b_security_enabled && ((uint32_t )ptr_data > 0x0003 && (uint32_t )ptr_data < 0x20000000 ))
382
+ {
383
+ ptr_data = (uint8_t * ) & current_number ;
384
+ }
385
+
339
386
sam_ba_putdata_term (ptr_data , 1 );
340
387
}
341
- else if (command == 'h' )
388
+ else if (command == 'h' ) // Read half word
342
389
{
343
- current_number = * ((uint16_t * ) ptr_data );
390
+ // Flash memory starts at address 0 and runs to flash size 0x40000 (256 KByte). RAM starts at 0x20000000.
391
+ // Intern RWW section is at adress 0x400000. RWW is flash used for EEPROM emulation. Will not let anyone read that, when in secure mode, either.
392
+ // BOSSA reads address 0 to check something, but using read word instead of read byte, but in any case allow reading first byte
393
+ // Bootloader ends at 0x1FFF, so user programs start at 0x2000
394
+ if (b_security_enabled && ((uint32_t )ptr_data > 0x0003 && (uint32_t )ptr_data < 0x20000000 ))
395
+ {
396
+ current_number = 0 ;
397
+ }
398
+ else
399
+ {
400
+ current_number = * ((uint16_t * ) ptr_data );
401
+ }
402
+
344
403
sam_ba_putdata_term ((uint8_t * ) & current_number , 2 );
345
404
}
346
- else if (command == 'w' )
405
+ else if (command == 'w' ) // Read word
347
406
{
348
- current_number = * ((uint32_t * ) ptr_data );
407
+ // Flash memory starts at address 0 and runs to flash size 0x40000 (256 KByte). RAM starts at 0x20000000.
408
+ // Intern RWW section is at adress 0x400000. RWW is flash used for EEPROM emulation. Will not let anyone read that, when in secure mode, either.
409
+ // BOSSA reads address 0 to check something, but using read word instead of read byte, but in any case allow reading first byte
410
+ // Bootloader ends at 0x1FFF, so user programs start at 0x2000
411
+ if (b_security_enabled && ((uint32_t )ptr_data > 0x0003 && (uint32_t )ptr_data < 0x20000000 ))
412
+ {
413
+ current_number = 0 ;
414
+ }
415
+ else
416
+ {
417
+ current_number = * ((uint32_t * ) ptr_data );
418
+ }
419
+
349
420
sam_ba_putdata_term ((uint8_t * ) & current_number , 4 );
350
421
}
351
- else if (command == 'G' )
422
+ #ifndef SECURE_BY_DEFAULT
423
+ else if (!b_security_enabled && command == 'G' ) // Execute code. Will not allow when security is enabled.
352
424
{
353
425
call_applet (current_number );
354
426
/* Rebase the Stack Pointer */
@@ -358,40 +430,30 @@ static void sam_ba_monitor_loop(void)
358
430
ptr_monitor_if -> put_c (0x6 );
359
431
}
360
432
}
361
- else if (command == 'T' )
433
+ #endif
434
+ else if (command == 'T' ) // Turn on terminal mode
362
435
{
363
436
b_terminal_mode = 1 ;
364
437
sam_ba_putdata (ptr_monitor_if , "\n\r" , 2 );
365
438
}
366
- else if (command == 'N' )
439
+ else if (command == 'N' ) // Turn off terminal mode
367
440
{
368
441
if (b_terminal_mode == 0 )
369
442
{
370
443
sam_ba_putdata ( ptr_monitor_if , "\n\r" , 2 );
371
444
}
372
445
b_terminal_mode = 0 ;
373
446
}
374
- else if (command == 'V' )
447
+ else if (command == 'V' ) // Read version information
375
448
{
376
449
sam_ba_putdata ( ptr_monitor_if , "v" , 1 );
377
450
sam_ba_putdata ( ptr_monitor_if , (uint8_t * ) RomBOOT_Version , strlen (RomBOOT_Version ));
378
451
sam_ba_putdata ( ptr_monitor_if , " " , 1 );
379
452
sam_ba_putdata ( ptr_monitor_if , (uint8_t * ) RomBOOT_ExtendedCapabilities , strlen (RomBOOT_ExtendedCapabilities ));
380
- sam_ba_putdata ( ptr_monitor_if , " " , 1 );
381
- ptr = (uint8_t * ) & (__DATE__ );
382
- i = 0 ;
383
- while (* ptr ++ != '\0' )
384
- i ++ ;
385
- sam_ba_putdata ( ptr_monitor_if , (uint8_t * ) & (__DATE__ ), i );
386
- sam_ba_putdata ( ptr_monitor_if , " " , 1 );
387
- i = 0 ;
388
- ptr = (uint8_t * ) & (__TIME__ );
389
- while (* ptr ++ != '\0' )
390
- i ++ ;
391
- sam_ba_putdata ( ptr_monitor_if , (uint8_t * ) & (__TIME__ ), i );
392
- sam_ba_putdata ( ptr_monitor_if , "\n\r" , 2 );
453
+ ptr = (uint8_t * ) & (" " __DATE__ " " __TIME__ "\n\r" );
454
+ sam_ba_putdata ( ptr_monitor_if , ptr , strlen (ptr ));
393
455
}
394
- else if (command == 'X' )
456
+ else if (command == 'X' ) // Erase flash
395
457
{
396
458
// Syntax: X[ADDR]#
397
459
// Erase the flash memory starting from ADDR to the end of flash.
@@ -400,22 +462,13 @@ static void sam_ba_monitor_loop(void)
400
462
// Even if the starting address is the last byte of a ROW the entire
401
463
// ROW is erased anyway.
402
464
403
- uint32_t dst_addr = current_number ; // starting address
404
-
405
- while (dst_addr < MAX_FLASH )
406
- {
407
- // Execute "ER" Erase Row
408
- NVMCTRL -> ADDR .reg = dst_addr / 2 ;
409
- NVMCTRL -> CTRLA .reg = NVMCTRL_CTRLA_CMDEX_KEY | NVMCTRL_CTRLA_CMD_ER ;
410
- while (NVMCTRL -> INTFLAG .bit .READY == 0 )
411
- ;
412
- dst_addr += PAGE_SIZE * 4 ; // Skip a ROW
413
- }
414
-
465
+ // BOSSAC.exe always erase with 0x2000 as argument, but an attacker might try to erase just parts of the flash, to be able to copy or analyze the untouched parts.
466
+ // To mitigate this, always erase all sketch flash, that is, starting from address 0x2000. This butloader always assume 8 KByte for itself, and sketch starting at 0x2000.
467
+ eraseFlash (b_security_enabled ? 0x2000 : current_number );
415
468
// Notify command completed
416
469
sam_ba_putdata ( ptr_monitor_if , "X\n\r" , 3 );
417
470
}
418
- else if (command == 'Y' )
471
+ else if (command == 'Y' ) // Write buffer to flash
419
472
{
420
473
// This command writes the content of a buffer in SRAM into flash memory.
421
474
@@ -435,6 +488,13 @@ static void sam_ba_monitor_loop(void)
435
488
}
436
489
else
437
490
{
491
+ if (b_security_enabled && erased_from != 0x2000 )
492
+ {
493
+ // To mitigate that an attacker might not use the ordinary BOSSA method of erasing flash before programming,
494
+ // always erase flash, if it hasn't been done already.
495
+ eraseFlash (0x2000 );
496
+ }
497
+
438
498
// Write to flash
439
499
uint32_t size = current_number /4 ;
440
500
uint32_t * src_addr = src_buff_addr ;
@@ -546,7 +606,7 @@ static void sam_ba_monitor_loop(void)
546
606
// Notify command completed
547
607
sam_ba_putdata ( ptr_monitor_if , "Y\n\r" , 3 );
548
608
}
549
- else if (command == 'Z' )
609
+ else if (command == 'Z' ) // Calculate CRC16
550
610
{
551
611
// This command calculate CRC for a given area of memory.
552
612
// It's useful to quickly check if a transfer has been done
@@ -648,6 +708,12 @@ void sam_ba_monitor_run(void)
648
708
PAGES = NVMCTRL -> PARAM .bit .NVMP ;
649
709
MAX_FLASH = PAGE_SIZE * PAGES ;
650
710
711
+ #ifdef SECURE_BY_DEFAULT
712
+ b_security_enabled = true;
713
+ #else
714
+ b_security_enabled = NVMCTRL -> STATUS .bit .SB != 0 ;
715
+ #endif
716
+
651
717
ptr_data = NULL ;
652
718
command = 'z' ;
653
719
while (1 )
0 commit comments