[U-Boot-Users] Overwriting protected flash memory!!!

Wolfgang Denk wd at denx.de
Thu Dec 9 19:35:45 CET 2004 

Kevin,

in message <0843D0F1EEBB2E49A2156C6981B4A17E53B6BA at CGYSVW100.gdcan.com> you wrote:
> I'm trying to experiment with u-boot as a possible replacement 
> for my current bootloader (iboot). I've encountered a problem 
> where u-boot is overwriting flash protected memory on my cerfcube 
> pxa250. 

I hope you don't blame this on U-Boot, as you are doing quite  a  lot
of things that plain wrong or are explicitely unsupported.

> Here is the flash layout
>   - Bootloader = 0x0 - 0x3FFFF      Flash Block 0
>   - Bootloader Reserved = 0x40000 - 0xBFFFF Flash Blocks 1 and 2
>   - Kernel     = 0xC0000 - 0x1BFFFF Flash Blocks 3 - 10 (inclusive)
>   - FS         = 0x1C0000 - end*    Flash blocks 11-127* (inclusive)
...
> in flash memory at sector 0. I've been trying to experiment 
> with u-boot by loading it into RAM and then downloading a 

This is an explicitely unsupported mode of use, and reason enough NOT
to answer any of your other questions in this message.  See  the  FAQ
(http://www.denx.de/twiki/bin/view/DULG/CanUBootBeConfiguredSuchThatItCanBeStartedInRAM)

> On my host PC I ran mkimage to generate the tag header for my kernel:
> 	$ ./mkimage -A arm -O linux -T kernel -C none -a 0x8000 -e 0x8000 -n
> "Linux 2.6.9-Cerf1" -d zImage uImage

This is plain wrong. How do you expect U-Boot to be able to load  the
kernel  at  a load address of 0x8000 when your above memory map shows
clearly that there is no RAM but flash at this address?

> On my target platform I downloaded the kernel image and booted from it
> 	uboot$ tftp 0xa0300000 uImage
> 	uboot$ bootm 0xa0300000 uImage

And this is wrong, too, as a second argument to "bootm" is  taken  as
the  address of a ramdisk image - which will be interpreted as 0x0000
in your case.

> ## Loading Ramdisk Image at 00000000 ...
> Bad Magic Number

Logical consequence.

> **************************************************
> ** Intrinsyc Bootloader (IBoot)                 **
> ** Copyright 2001-2003 Intrinsyc Software Inc.  **
> ** Version: 1.8 (Jun 11 2003) PXA255            **
> ** Support: http://www.intrinsyc.com            **
> **************************************************
> Using FFUART
> 24LC64 not detected! (using 000000AC)
> SMSC LAN91C111 Found at Address 0x04000000
> Auto-negotiation result: 100BaseT Full-Duplex
> 0
> Storing EEPROM contents in tagged format
> Relocating zImage from 000C0000 to A0008000 (len=00100000)
> Proper ARM zImage ID found. Booting...
> Uncompressing Linux...
> 
> invalid compressed format (err=2)
...
> I just realized while writing this post that I had accidently 
> passed in an extra argument into bootm, which was "uImage". 
> This probably led to the error "## Loading Ramdisk Image at 00000000 
> ... Bad Magic Number". Regardless of this error, the default 
> bootloader (iboot) is now corrupt and the kernel that was 

What makes you think so? The boot messages  above  seem  to  indicate
that  the  old  boot loader came up just fine and started to load the
linux kernel.

> originally stored in flash @ 0xC0000 (sector 3) is also corrupt.

You mentioned that only the  first  3  sectors  (0,  1,  and  2)  are
protected,  and  that you have the Linux kernel staruing in sector 4,
which is NOT protected.

> This means that the bootm command must have tried to copy the 
> kernel image to the load address (0x8000) specified in the tag 
> header in uImage. Thus, overwriting flash memory. I do understand 

Of course U-Boot tried to copy the kernel to that address. What  else
should it do? It just did what you asked for.

> have loaded from RAM but even making a mistake like that should 
> not have overwritten flash memory or even protected flash memory!!!

There is no indication to me that any of the protected sectors  were
overwritten.

> I thought that as long as my first 3 sectors in flash were write 
> protected that it wouldn't be able to overwrite them. Is this a 

No, this is wrong. The "protect" feature in U-Boot just prevents  you
from  accidential  data loss when using the "erase" or "cp" commands.
It does NOT (and  usually  cannot)  protect  you  from  doing  stupid
things,  or  from  overwriting  these  areas whith some other command
which creates an erase or programming sequence (like a couple of "mm"
commands, or copying arbitrary binary data to that area).  There  are
flash  chips  which expect a specific programming sequence written to
specific addresses - these are pretty safe;  there  are  other  flash
chips which are plain dump, and copying a binary file to such a flash
chip may result in unexpected programing accesses.

> bug or a known behavior of u-boot? Could someone please shed 
> some light on why this might have happened.

What you see is a combination of (1) unsupported use, (2) combination
of at least 2 serious user errors and  (3)  a  poor  hardware  design
(chosing dumb flash chips).

I'm sorry, but even if we add an AI machine to U-Boot this would  not
protect you in such a situation.

You got what you asked for (even if you did not ask explicitely ;-)

Best regards,

Wolfgang Denk

-- 
Software Engineering:  Embedded and Realtime Systems,  Embedded Linux
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
: 1.  What is the possibility of this being added in the future?
In the near future, the probability is close to zero. In the  distant
future, I'll be dead, and posterity can do whatever they like... :-)
                                                              - lwall

More information about the U-Boot mailing list