.. SPDX-License-Identifier: GPL-2.0+

Android Fastboot
================

Overview
--------

The protocol that is used over USB and UDP is described in [1]_.

The current implementation supports the following standard commands:

- ``boot``
- ``continue``
- ``download``
- ``erase`` (if enabled)
- ``flash`` (if enabled)
- ``getvar``
- ``reboot``
- ``reboot-bootloader``
- ``set_active`` (only a stub implementation which always succeeds)
- ``ucmd`` (if enabled)
- ``acmd`` (if enabled)

The following OEM commands are supported (if enabled):

- ``oem format`` - this executes ``gpt write mmc %x $partitions``
- ``oem partconf`` - this executes ``mmc partconf %x <arg> 0`` to configure eMMC
  with <arg> = boot_ack boot_partition
- ``oem bootbus`` - this executes ``mmc bootbus %x %s`` to configure eMMC
- ``oem run`` - this executes an arbitrary U-Boot command
- ``oem console`` - this dumps U-Boot console record buffer
- ``oem board`` - this executes a custom board function which is defined by the vendor

Support for both eMMC and NAND devices is included.

Client installation
-------------------

The counterpart to this is the fastboot client which can be found in
Android's ``platform/system/core`` repository in the fastboot
folder. It runs on Windows, Linux and OSX. The fastboot client is
part of the Android SDK Platform-Tools and can be downloaded from [2]_.

Board specific
--------------

USB configuration
^^^^^^^^^^^^^^^^^

The fastboot gadget relies on the USB download gadget, so the following
options must be configured:

::

    CONFIG_USB_GADGET_DOWNLOAD
    CONFIG_USB_GADGET_VENDOR_NUM
    CONFIG_USB_GADGET_PRODUCT_NUM
    CONFIG_USB_GADGET_MANUFACTURER

NOTE: The ``CONFIG_USB_GADGET_VENDOR_NUM`` must be one of the numbers
supported by the fastboot client. The list of vendor IDs supported can
be found in the fastboot client source code.

General configuration
^^^^^^^^^^^^^^^^^^^^^

The fastboot protocol requires a large memory buffer for
downloads. This buffer should be as large as possible for a
platform. The location of the buffer and size are set with
``CONFIG_FASTBOOT_BUF_ADDR`` and ``CONFIG_FASTBOOT_BUF_SIZE``. These
may be overridden on the fastboot command line using ``-l`` and
``-s``.

Fastboot environment variables
------------------------------

Partition aliases
^^^^^^^^^^^^^^^^^

Fastboot partition aliases can also be defined for devices where GPT
limitations prevent user-friendly partition names such as ``boot``, ``system``
and ``cache``, or where the actual partition name doesn't match a standard
partition name commonly used with fastboot.

The current implementation checks aliases when accessing partitions by
name (flash_write and erase functions). To define a partition alias
add an environment variable similar to::

    fastboot_partition_alias_<alias partition name>=<actual partition name>

for example::

    fastboot_partition_alias_boot=LNX

Raw partition descriptors
^^^^^^^^^^^^^^^^^^^^^^^^^

In cases where no partition table is present, a raw partition descriptor can be
defined, specifying the offset, size, and optionally the MMC hardware partition
number for a given partition name.

This is useful when using fastboot to flash files (e.g. SPL or U-Boot) to a
specific offset in the eMMC boot partition, without having to update the entire
boot partition.

To define a raw partition descriptor, add an environment variable similar to::

    fastboot_raw_partition_<raw partition name>=<offset> <size> [mmcpart <num>]

for example::

    fastboot_raw_partition_boot=0x100 0x1f00 mmcpart 1

Variable overrides
^^^^^^^^^^^^^^^^^^

Variables retrieved through ``getvar`` can be overridden by defining
environment variables of the form ``fastboot.<variable>``.
These are looked up first, so they can be used to override values which would
otherwise be returned. Using this mechanism you can also return types
for NAND filesystems, as the fully parameterised variable is looked
up, e.g.::

    fastboot.partition-type:boot=jffs2

Boot command
^^^^^^^^^^^^

When executing the fastboot ``boot`` command, if ``fastboot_bootcmd`` is set
then that will be executed in place of ``bootm <CONFIG_FASTBOOT_BUF_ADDR>``.

Partition Names
---------------

The Fastboot implementation in U-Boot allows writing images into disk
partitions. Target partitions are referred to on the host computer by
their names.

For GPT/EFI the respective partition name is used.

For MBR the partitions are referred to by generic names according to the
following schema::

    <device type><device index letter><partition index>

Example: ``hda3``, ``sdb1``, ``usbda1``.

The device type is as follows:

  * IDE, ATAPI and SATA disks: ``hd``
  * SCSI disks: ``sd``
  * USB media: ``usbd``
  * MMC and SD cards: ``mmcsd``
  * Disk on chip: ``docd``
  * other: ``xx``

The device index starts from ``a`` and refers to the interface (e.g. USB
controller, SD/MMC controller) or disk index. The partition index starts
from ``1`` and describes the partition number on the particular device.

Alternatively, partition types may be specified using :ref:`U-Boot's partition
syntax <partitions>`. This allows specifying partitions like ``0.1``,
``0#boot``, or ``:3``. The interface is always ``mmc``.

Writing Partition Table
-----------------------

Fastboot also allows writing the partition table to the media. This can be
done by writing the respective partition table image to a special target
"gpt" or "mbr".
These names can be customized by defining the following
configuration options:

::

    CONFIG_FASTBOOT_GPT_NAME
    CONFIG_FASTBOOT_MBR_NAME

In Action
---------

Enter into fastboot by executing the fastboot command in U-Boot for either USB::

    => fastboot usb 0

or UDP::

    => fastboot udp
    link up on port 0, speed 100, full duplex
    Using ethernet@4a100000 device
    Listening for fastboot command on 192.168.0.102

On the client side you can fetch the bootloader version for instance::

    $ fastboot getvar version-bootloader
    version-bootloader: U-Boot 2019.07-rc4-00240-g00c9f2a2ec
    Finished. Total time: 0.005s

or initiate a reboot::

    $ fastboot reboot

and once the client comes back, the board should reset.

You can also specify a kernel image to boot. You have to either specify
an image in Android format *or* pass a binary kernel and let the
fastboot client wrap the Android suite around it. On OMAP for instance you
take a zImage kernel and pass it to the fastboot client::

    $ fastboot -b 0x80000000 -c "console=ttyO2 earlyprintk root=/dev/ram0 mem=128M" boot zImage
    creating boot image...
    creating boot image - 1847296 bytes
    downloading 'boot.img'...
    OKAY [ 2.766s]
    booting...
    OKAY [ -0.000s]
    finished. total time: 2.766s

and on the U-Boot side you should see::

    Starting download of 1847296 bytes
    ........................................................
    downloading of 1847296 bytes finished
    Booting kernel..
    ## Booting Android Image at 0x81000000 ...
    Kernel load addr 0x80008000 size 1801 KiB
    Kernel command line: console=ttyO2 earlyprintk root=/dev/ram0 mem=128M
    Loading Kernel Image ... OK
    OK

    Starting kernel ...

Running Shell Commands
^^^^^^^^^^^^^^^^^^^^^^

Normally, arbitrary U-Boot command execution is not enabled.
This is so
fastboot can be used to update systems using verified boot. However, such
functionality can be useful for production or when verified boot is not in use.
Enable ``CONFIG_FASTBOOT_OEM_RUN`` to use this functionality. This will enable
the ``oem run`` command, which can be used with the fastboot client. For example,
to print "Hello at 115200 baud" (or whatever ``CONFIG_BAUDRATE`` is), run::

    $ fastboot oem run:'echo Hello at $baudrate baud'

You can run any command you would normally run on the U-Boot command line,
including multiple commands (using e.g. ``;`` or ``&&``) and control structures
(``if``, ``while``, etc.). The exit code of ``fastboot`` will reflect the exit
code of the command you ran.

Running Custom Vendor Code
^^^^^^^^^^^^^^^^^^^^^^^^^^

U-Boot allows you to execute custom fastboot logic, which can be defined
in board/ files. It can still be used for production devices with verified
boot, because the vendor defines the logic at compile time by implementing
the ``fastboot_oem_board()`` function. The attacker will not be able to execute
custom commands / code. For example, this can be useful for custom flashing
or erasing protocols::

    $ fastboot stage bootloader.img
    $ fastboot oem board:write_bootloader

In this case, the ``cmd_parameter`` argument of the function ``fastboot_oem_board()``
will contain the string "write_bootloader" and the ``data`` argument is a pointer to
the fastboot input buffer, which contains the contents of the bootloader.img file.

References
----------

.. [1] :doc:`fastboot-protocol`
.. [2] https://developer.android.com/studio/releases/platform-tools
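
A sketch of the compile-time allowlist approach described under "Running Custom Vendor Code", added here as an example and not taken from U-Boot or any board's code: the handler matches ``cmd_parameter`` exactly against a fixed table and bounds the staged payload before acting on it. The ``size`` and ``response`` parameters, the ``reply()`` stand-in, the ``erase_config`` command and all size limits are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RESP_LEN 64 /* assumed size of the fastboot response buffer */

/* Host stand-in for U-Boot's fastboot_okay()/fastboot_fail() helpers. */
static void reply(char *response, const char *status, const char *msg)
{
	snprintf(response, RESP_LEN, "%s%s", status, msg);
}

/* Hypothetical board handlers; a real board would program storage here. */
static int write_bootloader(const void *d, uint32_t n) { (void)d; (void)n; return 0; }
static int erase_config(const void *d, uint32_t n) { (void)d; (void)n; return 0; }

/* Compile-time allowlist: name, accepted payload size range, handler. */
static const struct board_cmd {
	const char *name;
	uint32_t min_size, max_size; /* constructed limits, in bytes */
	int (*fn)(const void *data, uint32_t size);
} board_cmds[] = {
	{ "write_bootloader", 1, 512 * 1024, write_bootloader },
	{ "erase_config",     0, 0,          erase_config }, /* hypothetical */
};

/* cmd_parameter and data are named on the page; size and response are assumed. */
void fastboot_oem_board(char *cmd_parameter, void *data, uint32_t size, char *response)
{
	size_t i, n = sizeof(board_cmds) / sizeof(board_cmds[0]);

	for (i = 0; cmd_parameter && i < n; i++) {
		const struct board_cmd *c = &board_cmds[i];

		if (strcmp(cmd_parameter, c->name) != 0) /* exact match, no prefixes */
			continue;
		/* The payload is host-controlled: bound it before any storage access. */
		if (size < c->min_size || size > c->max_size || (size && !data))
			reply(response, "FAIL", "bad payload size");
		else if (c->fn(data, size) != 0)
			reply(response, "FAIL", "board handler failed");
		else
			reply(response, "OKAY", "");
		return;
	}
	reply(response, "FAIL", "unknown board command"); /* nothing reaches a shell */
}
```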