[PATCH] fastboot: add UUU command UCmd and ACmd support

Roman Stratiienko r.stratiienko at gmail.com
Wed Jan 27 10:34:04 CET 2021 

Hello Heiko,

Looks like these commands will provide full access to any u-boot
commands, including working with memory.
It can be used to read/set any registers/data which is not in the
trust zone, thus opening a huge backdoor.

This command could be useful for debug/CI purposes, but do you really
want this in release builds?

Best regards,
Roman

пн, 11 янв. 2021 г. в 12:19, Heiko Schocher <hs at denx.de>:
>
> add support for the UUU commands ACmd and UCmd.
>
> Enable them through the Kconfig option
> CONFIG_FASTBOOT_UUU_SUPPORT
>
> base was commit in NXP kernel
> 9b149c2a2882: ("MLK-18591-3 android: Add FSL android fastboot support")
>
> and ported it to current mainline. Tested this patch
> on imx6ul based board.
>
> Signed-off-by: Heiko Schocher <hs at denx.de>
> ---
> azure build:
> https://dev.azure.com/hs0298/hs/_build/results?buildId=57&view=results
>
> version uuu tool used for tests:
> commit 3870fb781b35: ("fastboot: default to logical-block-size 4096")
>
>  doc/android/fastboot-protocol.rst |  5 +++
>  doc/android/fastboot.rst          |  2 +
>  drivers/fastboot/Kconfig          |  7 ++++
>  drivers/fastboot/fb_command.c     | 62 +++++++++++++++++++++++++++++++
>  drivers/usb/gadget/f_fastboot.c   | 17 +++++++++
>  include/fastboot.h                |  7 ++++
>  6 files changed, 100 insertions(+)
>
> diff --git a/doc/android/fastboot-protocol.rst b/doc/android/fastboot-protocol.rst
> index e723659e49c..e8cbd7f24ea 100644
> --- a/doc/android/fastboot-protocol.rst
> +++ b/doc/android/fastboot-protocol.rst
> @@ -144,6 +144,11 @@ Command Reference
>
>    "powerdown"          Power off the device.
>
> +  "ucmd"               execute any bootloader command and wait until it
> +                       finishs.
> +
> +  "acmd"               execute any bootloader command, do not wait.
> +
>  Client Variables
>  ----------------
>
> diff --git a/doc/android/fastboot.rst b/doc/android/fastboot.rst
> index 2877c3cbaaa..b58d1b5b31a 100644
> --- a/doc/android/fastboot.rst
> +++ b/doc/android/fastboot.rst
> @@ -19,6 +19,8 @@ The current implementation supports the following standard commands:
>  - ``reboot``
>  - ``reboot-bootloader``
>  - ``set_active`` (only a stub implementation which always succeeds)
> +- ``ucmd`` (if enabled)
> +- ``acmd`` (if enabled)
>
>  The following OEM commands are supported (if enabled):
>
> diff --git a/drivers/fastboot/Kconfig b/drivers/fastboot/Kconfig
> index 4352ba67a71..b1f8cd74a15 100644
> --- a/drivers/fastboot/Kconfig
> +++ b/drivers/fastboot/Kconfig
> @@ -72,6 +72,13 @@ config FASTBOOT_FLASH
>           the downloaded image to a non-volatile storage device. Define
>           this to enable the "fastboot flash" command.
>
> +config FASTBOOT_UUU_SUPPORT
> +       bool "Enable FASTBOOT i.MX UUU special command"
> +       default y if ARCH_MX7 || ARCH_MX6 || ARCH_IMX8 || ARCH_IMX8M || ARCH_MX7ULP
> +       select FSL_FASTBOOT
> +       help
> +         The fastboot protocol includes "UCmd" command and "ACmd" command
> +
>  choice
>         prompt "Flash provider for FASTBOOT"
>         depends on FASTBOOT_FLASH
> diff --git a/drivers/fastboot/fb_command.c b/drivers/fastboot/fb_command.c
> index d3c578672dc..31a47e46386 100644
> --- a/drivers/fastboot/fb_command.c
> +++ b/drivers/fastboot/fb_command.c
> @@ -43,6 +43,11 @@ static void reboot_recovery(char *, char *);
>  static void oem_format(char *, char *);
>  #endif
>
> +#if CONFIG_IS_ENABLED(FASTBOOT_UUU_SUPPORT)
> +static void run_ucmd(char *, char *);
> +static void run_acmd(char *, char *);
> +#endif
> +
>  static const struct {
>         const char *command;
>         void (*dispatch)(char *cmd_parameter, char *response);
> @@ -99,6 +104,16 @@ static const struct {
>                 .dispatch = oem_format,
>         },
>  #endif
> +#if CONFIG_IS_ENABLED(FASTBOOT_UUU_SUPPORT)
> +       [FASTBOOT_COMMAND_UCMD] = {
> +               .command = "UCmd",
> +               .dispatch = run_ucmd,
> +       },
> +       [FASTBOOT_COMMAND_ACMD] = {
> +               .command = "ACmd",
> +               .dispatch = run_acmd,
> +       },
> +#endif
>  };
>
>  /**
> @@ -309,6 +324,53 @@ static void erase(char *cmd_parameter, char *response)
>  }
>  #endif
>
> +#if CONFIG_IS_ENABLED(FASTBOOT_UUU_SUPPORT)
> +/**
> + * run_ucmd() - Execute the UCmd command
> + *
> + * @cmd_parameter: Pointer to command parameter
> + * @response: Pointer to fastboot response buffer
> + */
> +static void run_ucmd(char *cmd_parameter, char *response)
> +{
> +       if (!cmd_parameter) {
> +               pr_err("missing slot suffix\n");
> +               fastboot_fail("missing command", response);
> +               return;
> +       }
> +
> +       if (run_command(cmd_parameter, 0))
> +               fastboot_fail("", response);
> +       else
> +               fastboot_okay(NULL, response);
> +}
> +
> +static char g_a_cmd_buff[64];
> +
> +void fastboot_acmd_complete(void)
> +{
> +       run_command(g_a_cmd_buff, 0);
> +}
> +
> +/**
> + * run_acmd() - Execute the ACmd command
> + *
> + * @cmd_parameter: Pointer to command parameter
> + * @response: Pointer to fastboot response buffer
> + */
> +static void run_acmd(char *cmd_parameter, char *response)
> +{
> +       if (!cmd_parameter) {
> +               pr_err("missing slot suffix\n");
> +               fastboot_fail("missing command", response);
> +               return;
> +       }
> +
> +       strcpy(g_a_cmd_buff, cmd_parameter);
> +       fastboot_okay(NULL, response);
> +}
> +#endif
> +
>  /**
>   * reboot_bootloader() - Sets reboot bootloader flag.
>   *
> diff --git a/drivers/usb/gadget/f_fastboot.c b/drivers/usb/gadget/f_fastboot.c
> index d1d087e12b2..bf52d2505f4 100644
> --- a/drivers/usb/gadget/f_fastboot.c
> +++ b/drivers/usb/gadget/f_fastboot.c
> @@ -419,6 +419,18 @@ static void do_bootm_on_complete(struct usb_ep *ep, struct usb_request *req)
>         do_exit_on_complete(ep, req);
>  }
>
> +#if CONFIG_IS_ENABLED(FASTBOOT_UUU_SUPPORT)
> +static void do_acmd_complete(struct usb_ep *ep, struct usb_request *req)
> +{
> +       /* When usb dequeue complete will be called
> +        *  Need status value before call run_command.
> +        * otherwise, host can't get last message.
> +        */
> +       if (req->status == 0)
> +               fastboot_acmd_complete();
> +}
> +#endif
> +
>  static void rx_handler_command(struct usb_ep *ep, struct usb_request *req)
>  {
>         char *cmdbuf = req->buf;
> @@ -457,6 +469,11 @@ static void rx_handler_command(struct usb_ep *ep, struct usb_request *req)
>                 case FASTBOOT_COMMAND_REBOOT_RECOVERY:
>                         fastboot_func->in_req->complete = compl_do_reset;
>                         break;
> +#if CONFIG_IS_ENABLED(FASTBOOT_UUU_SUPPORT)
> +               case FASTBOOT_COMMAND_ACMD:
> +                       fastboot_func->in_req->complete = do_acmd_complete;
> +                       break;
> +#endif
>                 }
>         }
>
> diff --git a/include/fastboot.h b/include/fastboot.h
> index 8e9ee80907d..ef8cd842bb3 100644
> --- a/include/fastboot.h
> +++ b/include/fastboot.h
> @@ -38,6 +38,10 @@ enum {
>  #if CONFIG_IS_ENABLED(FASTBOOT_CMD_OEM_FORMAT)
>         FASTBOOT_COMMAND_OEM_FORMAT,
>  #endif
> +#if CONFIG_IS_ENABLED(FASTBOOT_UUU_SUPPORT)
> +       FASTBOOT_COMMAND_ACMD,
> +       FASTBOOT_COMMAND_UCMD,
> +#endif
>
>         FASTBOOT_COMMAND_COUNT
>  };
> @@ -172,4 +176,7 @@ void fastboot_data_download(const void *fastboot_data,
>   */
>  void fastboot_data_complete(char *response);
>
> +#if CONFIG_IS_ENABLED(FASTBOOT_UUU_SUPPORT)
> +void fastboot_acmd_complete(void);
> +#endif
>  #endif /* _FASTBOOT_H_ */
> --
> 2.25.4
>

More information about the U-Boot mailing list