Xrpc format
From OpenTViX
An early attempt to describe the xrpc format and contained formats used in xrpc_xload_vmlinux_ES4_prod.bin.
The format is mostly the same for the ucodes for video, dsp, etc.; however, contrary to vmlinux, these are encrypted. As far as I can tell there is little reason to modify them anyway.
Almost all information on this page is extracted from scripts and source code found in xbin/ and tools/ of the http://www.networkedmediatank.com/download/firmware/nmt/gpl/smp86xx_toolchain.20080505.tar.bz2 package. Considering this is released by Syabas from NMT, it should be legal.
xrpc format
| Start Address | End Address | Description |
| 0x00 | 0x03 | int, Callerid (usually XRPC_CALLERID_IGNORED=0x0) |
| 0x04 | 0x07 | int, xrpc type, see xrpc type table below |
| 0x8 | 0x11 | int, size of padded payload |
| 0x12 | 0x15 | int, parameter1, TMPADDR (default 0x13000000) when xrpc contains kernel |
| 0x16 | 0x19 | int, parameter2 |
| 0x20 | 0x23 | int, parameter3 |
| 0x24 | 0x27 | int, parameter4 |
| 0x28 | 0x31 | int, size of xload payload + header |
| 0x32 | 0x32 + sizeof(xload_payload) - sizeof(xrpc_header) | Xload payload data |

| Type | ID |
| XRPC_ID_GETSERIAL | 0x0 |
| XRPC_ID_GETRANDOM | 0x2 |
| XRPC_ID_BONDINGCOMMENT | 0x3 |
| XRPC_ID_SHA1XOS | 0x4 |
| XRPC_ID_XLOAD | 0x5 |
| XRPC_ID_DRAM | 0xf |
| XRPC_ID_XUNLOAD | 0x11 |
| XRPC_ID_CACHEDUMP | 0x12 |
| XRPC_ID_REBOOT | 0x13 |
| XRPC_ID_XBIND | 0x14 |
| XRPC_ID_XSTART | 0x15 |
| XRPC_ID_XKILL | 0x16 |
| XRPC_ID_GETPROTECTION | 0x17 |
| XRPC_ID_GETBINDING | 0x18 |
| XRPC_ID_GETOWNER | 0x19 |
| XRPC_ID_SETENHANCEDMODE | 0x1a |
| XRPC_ID_VERSION | 0x1b |
xload format
The specific file xrpc_xload_vmlinux_ES4_prod.bin contains an unencrypted zboot file in the payload of the xload part.
| Start Address | End Address | Description |
| 0x0000 | 0x0001 | short, ID of certificate used to sign data |
| 0x0002 | 0x0002 | char, Type of certificate used |
| 0x0003 | 0x0003 | char, Security ID. RSA or AES key used to encrypt sessionkey. (SecurityID=0xFF means no encryption) |
| 0x0004 | 0x0103 | Certificate used to sign payload |
| 0x0104 | 0x0203 | Signed signature of certificate, presumably signed by Sigma Designs |
| 0x0204 | 0x0303 | Signed signature of payload |
| 0x0304 | EOF | Payload data |

| ID | Description |
| 0x1 | XLOAD_CERTTYPE_CPU |
| 0x2 | XLOAD_CERTTYPE_XTASK1 |
| 0x3 | XLOAD_CERTTYPE_UCODE_VIDEO |
| 0x4 | XLOAD_CERTTYPE_UCODE_AUDIO |
| 0x5 | XLOAD_CERTTYPE_UCODE_DEMUX |
| 0x6 | XLOAD_CERTTYPE_IH |
| 0x7 | XLOAD_CERTTYPE_XTASK2 |
| 0x8 | XLOAD_CERTTYPE_XTASK3 |
| 0x9 | XLOAD_CERTTYPE_XTASK4 |
| 0xff | XLOAD_CERTTYPE_XOSU |
Zboot format
zboot is presumably the bootloader used to boot the kernel once the xload has passed verification by the XPU.
Notes:
- The preliminary file format is described here. Note that this format is a limited version with no encryption support.
- The compression attribute means that the payload is compressed with gzip.
- The checksum is simple and should be easy to reimplement if needed.
| Start Address | End Address | Description |
| 0x00 | 0x03 | unsigned long, signature (BINF, encoded as FNIB) |
| 0x04 | 0x07 | unsigned long, attributes |
| 0x08 | 0x11 | unsigned long, load address |
| 0x12 | 0x15 | unsigned long, start address |
| 0x16 | 0x19 | unsigned long, checksum |
| 0x20 | 0x23 | unsigned long, zboot version |
| 0x24 | 0x27 | unsigned long, size of payload |
| 0x28 | 0x31 | unsigned long, reserved (serves to align datastructure to 32 byte boundary) |
| 0x32 | 0x32 + payload_size | payload data |

| Symbolic name | Constant value | Description |
| ZBOOT_ATTR_LOAD | 0x00000001 | Load |
| ZBOOT_ATTR_EXEC | 0x00000002 | Executable |
| ZBOOT_ATTR_GZIP | 0x00000010 | Compressed |
| ZBOOT_ATTR_ENCRYPT | 0x00000100 | Encrypted |
| ZBOOT_ATTR_FINAL | 0x10000000 | Last to process |
Data extracted from xrpc_xload_vmlinux_ES4_prod.bin
```
xrpcheader.callerid=0x00000000 (XRPC_CALLERID_IGNORED)
xrpcheader.type=0x00000005 (XRPC_ID_XLOAD)
xrpcheader.unencrypted_size=0x004d5ff0
xrpcheader.load_address=0x13000000
xrpcheader.xload_size=0x004d6314
Certificate ID: 0x000c
Certificate type: 0x01
Certificate SEKID: 0xff (SEKID=0xFF means payload not encrypted)
Payload not encrypted, extracting
Signature: FNIB
Attributes: 0x10000011
Attributes set: Load,Compressed,Final
Loadaddr: 0x90020000
Startaddr: 0x90020000
Checksum: 0x062ed461
Version: 0x02040000
Size: 0x004d5fca
```
Apart from the header values shown above, there is a vmlinux.bin.gz image inside the file. The uncompressed image is available here: Uncompressed vmlinux.bin
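
The three layers described above can be walked with a short parser. This is an added example, not one of the scripts from the toolchain package. It assumes little-endian fields and that the xrpc and zboot headers are each eight consecutive 32-bit words (0x20 bytes), which matches the dump above (0x004d6314 = 0x004d5ff0 + 0x304 + 0x20); it does not verify the signatures or the zboot checksum, and `parse_xrpc`, `build_sample` and the sample image are constructed for illustration.

```python
import gzip
import struct

# Assumptions (added example): little-endian fields, and both the xrpc and zboot
# headers are eight consecutive 32-bit words (0x20 bytes each).
HDR = struct.Struct("<8I")
XLOAD_HDR_LEN = 0x304          # cert id/type/SecurityID + certificate + two signatures
XRPC_ID_XLOAD, SEKID_NONE = 0x5, 0xFF
ZBOOT_ATTRS = {0x1: "Load", 0x2: "Executable", 0x10: "Compressed",
               0x100: "Encrypted", 0x10000000: "Final"}

def parse_xrpc(blob):
    """Walk xrpc -> xload -> zboot, checking every length before using it."""
    if len(blob) < 2 * HDR.size + XLOAD_HDR_LEN:
        raise ValueError("too short for xrpc + xload + zboot headers")
    _callerid, xtype, padded, tmpaddr, _, _, _, xload_size = HDR.unpack_from(blob)
    if xtype != XRPC_ID_XLOAD:
        raise ValueError(f"xrpc type {xtype:#x} is not XRPC_ID_XLOAD")
    # Cross-check the two redundant size fields (relation seen in the page's dump).
    if xload_size > len(blob) or xload_size != HDR.size + XLOAD_HDR_LEN + padded \
            or padded < HDR.size:
        raise ValueError("inconsistent size fields")
    xload = blob[HDR.size:xload_size]
    cert_id, cert_type, sekid = struct.unpack_from("<HBB", xload)
    if sekid != SEKID_NONE:
        raise ValueError("SecurityID != 0xFF: payload is encrypted")
    zboot = xload[XLOAD_HDR_LEN:]
    _sig, attrs, load, start, _cksum, version, size, _rsvd = HDR.unpack_from(zboot)
    if zboot[:4] != b"FNIB":
        raise ValueError("zboot signature missing")
    if attrs & 0x100 or size > len(zboot) - HDR.size:
        raise ValueError("encrypted zboot or payload size out of bounds")
    data = zboot[HDR.size:HDR.size + size]
    if attrs & 0x10:               # ZBOOT_ATTR_GZIP
        data = gzip.decompress(data)
    flags = [name for bit, name in ZBOOT_ATTRS.items() if attrs & bit]
    return {"cert_id": cert_id, "cert_type": cert_type, "tmpaddr": tmpaddr,
            "load": load, "start": start, "version": version,
            "flags": flags, "payload": data}

def build_sample(kernel=b"constructed stand-in for vmlinux.bin"):
    """Constructed test image; 16-byte padding is an assumption. Checksum left 0."""
    gz = gzip.compress(kernel)
    zboot = HDR.pack(0x42494E46, 0x10000011, 0x90020000, 0x90020000,
                     0, 0x02040000, len(gz), 0) + gz
    zboot += bytes(-len(zboot) % 16)
    xload = struct.pack("<HBB", 0x000C, 0x01, 0xFF) + bytes(0x300) + zboot
    return HDR.pack(0, XRPC_ID_XLOAD, len(zboot), 0x13000000, 0, 0, 0,
                    HDR.size + len(xload)) + xload
```

Calling `parse_xrpc(build_sample())` returns the decoded header fields and the decompressed payload; an image with a SecurityID other than 0xFF, a bad signature word or size fields that disagree raises `ValueError`.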