Open Menu / doc / android / fastboot.rst
Loading...
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
.. SPDX-License-Identifier: GPL-2.0+

Android Fastboot
================

Overview
--------

The protocol that is used over USB and UDP is described in [1]_.

The current implementation supports the following standard commands:

- ``boot``
- ``continue``
- ``download``
- ``erase`` (if enabled)
- ``flash`` (if enabled)
- ``getvar``
- ``reboot``
- ``reboot-bootloader``
- ``set_active`` (only a stub implementation which always succeeds)
- ``ucmd`` (if enabled)
- ``acmd`` (if enabled)

The following OEM commands are supported (if enabled):

- ``oem format`` - this executes ``gpt write mmc %x $partitions``
- ``oem partconf`` - this executes ``mmc partconf %x <arg> 0`` to configure eMMC
  with <arg> = boot_ack boot_partition
- ``oem bootbus``  - this executes ``mmc bootbus %x %s`` to configure eMMC
- ``oem run`` - this executes an arbitrary U-Boot command
- ``oem console`` - this dumps U-Boot console record buffer
- ``oem board`` - this executes a custom board function which is defined by the vendor

Support for eMMC, NAND and SPI flash memory devices is included.

Client installation
-------------------

The counterpart to this is the fastboot client which can be found in
Android's ``platform/system/core`` repository in the fastboot
folder. It runs on Windows, Linux and OSX. The fastboot client is
part of the Android SDK Platform-Tools and can be downloaded from [2]_.

Board specific
--------------

USB configuration
^^^^^^^^^^^^^^^^^

The fastboot gadget relies on the USB download gadget, so the following
options must be configured:

::

   CONFIG_USB_GADGET_DOWNLOAD
   CONFIG_USB_GADGET_VENDOR_NUM
   CONFIG_USB_GADGET_PRODUCT_NUM
   CONFIG_USB_GADGET_MANUFACTURER

NOTE: The ``CONFIG_USB_GADGET_VENDOR_NUM`` must be one of the numbers
supported by the fastboot client. The list of vendor IDs supported can
be found in the fastboot client source code.

General configuration
^^^^^^^^^^^^^^^^^^^^^

The fastboot protocol requires a large memory buffer for
downloads. This buffer should be as large as possible for a
platform. The location of the buffer and size are set with
``CONFIG_FASTBOOT_BUF_ADDR`` and ``CONFIG_FASTBOOT_BUF_SIZE``. These
may be overridden on the fastboot command line using ``-l`` and
``-s``.

Fastboot environment variables
------------------------------

Partition aliases
^^^^^^^^^^^^^^^^^

Fastboot partition aliases can also be defined for devices where GPT
limitations prevent user-friendly partition names such as ``boot``, ``system``
and ``cache``.  Or, where the actual partition name doesn't match a standard
partition name used commonly with fastboot.

The current implementation checks aliases when accessing partitions by
name (flash_write and erase functions).  To define a partition alias
add an environment variable similar to::

    fastboot_partition_alias_<alias partition name>=<actual partition name>

for example::

    fastboot_partition_alias_boot=LNX

Raw partition descriptors
^^^^^^^^^^^^^^^^^^^^^^^^^

In cases where no partition table is present, a raw partition descriptor can be
defined, specifying the memory offset and size.

Currently, this support is available only for eMMC and SPI flash memory devices.

This is useful when using fastboot to flash files (e.g. SPL or U-Boot) to a
specific offset in the eMMC boot partition, without having to update the entire
boot partition.

To define a raw partition descriptor, add an environment variable similar to::

    fastboot_raw_partition_<raw partition name>=<offset> <size>

for example::

    fastboot_raw_partition_boot=0x100 0x1f00

Optionally, in the eMMC case, the hardware partition number can also be
specified for a given partition name::

    fastboot_raw_partition_<raw partition name>=<offset> <size> [mmcpart <num>]

for example::

    fastboot_raw_partition_boot=0x100 0x1f00 mmcpart 1

Variable overrides
^^^^^^^^^^^^^^^^^^

Variables retrived through ``getvar`` can be overridden by defining
environment variables of the form ``fastboot.<variable>``. These are
looked up first so can be used to override values which would
otherwise be returned. Using this mechanism you can also return types
for NAND filesystems, as the fully parameterised variable is looked
up, e.g.::

    fastboot.partition-type:boot=jffs2

Boot command
^^^^^^^^^^^^

When executing the fastboot ``boot`` command, if ``fastboot_bootcmd`` is set
then that will be executed in place of ``bootm <CONFIG_FASTBOOT_BUF_ADDR>``.

Partition Names
---------------

The Fastboot implementation in U-Boot allows to write images into disk
partitions. Target partitions are referred on the host computer by
their names.

For GPT/EFI the respective partition name is used.

For MBR the partitions are referred by generic names according to the
following schema::

    <device type><device index letter><partition index>

Example: ``hda3``, ``sdb1``, ``usbda1``.

The device type is as follows:

  * IDE, ATAPI and SATA disks: ``hd``
  * SCSI disks: ``sd``
  * USB media: ``usbd``
  * MMC and SD cards: ``mmcsd``
  * Disk on chip: ``docd``
  * other: ``xx``

The device index starts from ``a`` and refers to the interface (e.g. USB
controller, SD/MMC controller) or disk index. The partition index starts
from ``1`` and describes the partition number on the particular device.

Alternatively, partition types may be specified using :ref:`U-Boot's partition
syntax <partitions>`. This allows specifying partitions like ``0.1``,
``0#boot``, or ``:3``. The interface is always ``mmc``.

Writing Partition Table
-----------------------

Fastboot also allows to write the partition table to the media. This can be
done by writing the respective partition table image to a special target
"gpt" or "mbr". These names can be customized by defining the following
configuration options:

::

   CONFIG_FASTBOOT_GPT_NAME
   CONFIG_FASTBOOT_MBR_NAME

In Action
---------

Enter into fastboot by executing the fastboot command in U-Boot for either USB::

   => fastboot usb 0

or UDP::

   => fastboot udp
   link up on port 0, speed 100, full duplex
   Using ethernet@4a100000 device
   Listening for fastboot command on 192.168.0.102

On the client side you can fetch the bootloader version for instance::

   $ fastboot getvar version-bootloader
   version-bootloader: U-Boot 2019.07-rc4-00240-g00c9f2a2ec
   Finished. Total time: 0.005s

or initiate a reboot::

   $ fastboot reboot

and once the client comes back, the board should reset.

You can also specify a kernel image to boot. You have to either specify
the an image in Android format *or* pass a binary kernel and let the
fastboot client wrap the Android suite around it. On OMAP for instance you
take zImage kernel and pass it to the fastboot client::

   $ fastboot -b 0x80000000 -c "console=ttyO2 earlyprintk root=/dev/ram0 mem=128M" boot zImage
   creating boot image...
   creating boot image - 1847296 bytes
   downloading 'boot.img'...
   OKAY [  2.766s]
   booting...
   OKAY [ -0.000s]
   finished. total time: 2.766s

and on the U-Boot side you should see::

   Starting download of 1847296 bytes
   ........................................................
   downloading of 1847296 bytes finished
   Booting kernel..
   ## Booting Android Image at 0x81000000 ...
   Kernel load addr 0x80008000 size 1801 KiB
   Kernel command line: console=ttyO2 earlyprintk root=/dev/ram0 mem=128M
      Loading Kernel Image ... OK
   OK

   Starting kernel ...

Running Shell Commands
^^^^^^^^^^^^^^^^^^^^^^

Normally, arbitrary U-Boot command execution is not enabled. This is so
fastboot can be used to update systems using verified boot. However, such
functionality can be useful for production or when verified boot is not in use.
Enable ``CONFIG_FASTBOOT_OEM_RUN`` to use this functionality. This will enable
``oem run`` command, which can be used with the fastboot client. For example,
to print "Hello at 115200 baud" (or whatever ``CONFIG_BAUDRATE`` is), run::

    $ fastboot oem run:'echo Hello at $baudrate baud'

You can run any command you would normally run on the U-Boot command line,
including multiple commands (using e.g. ``;`` or ``&&``) and control structures
(``if``, ``while``, etc.). The exit code of ``fastboot`` will reflect the exit
code of the command you ran.

Running Custom Vendor Code
^^^^^^^^^^^^^^^^^^^^^^^^^^

U-Boot allows you to execute custom fastboot logic, which can be defined
in board/ files. It can still be used for production devices with verified
boot, because the vendor defines logic at compile time by implementing
fastboot_oem_board() function. The attacker will not be able to execute
custom commands / code. For example, this can be useful for custom flashing
or erasing protocols::

    $ fastboot stage bootloader.img
    $ fastboot oem board:write_bootloader

In this case, ``cmd_parameter`` argument of the function ``fastboot_oem_board()``
will contain string "write_bootloader" and ``data`` argument is a pointer to
fastboot input buffer, which contains the contents of bootloader.img file.

References
----------

.. [1] :doc:`fastboot-protocol`
.. [2] https://developer.android.com/studio/releases/platform-tools