## **Digging for Documentation**

A Tale of Reverse Engineering

Daniel Maslowski





## Hello, I am Daniel:-)



#### Work and education

- IT security and computer science
- software engineer
- infrastructure and web
- apps, UIs, ecommerce

#### **Open Source contributions**

- hardware and firmware
- operating systems
- software distributions
- reverse engineering



## Hello, I am Daniel :-)



#### Work and education

- IT security and computer science
- software engineer
- infrastructure and web
- apps, Uls, ecommerce

#### **Open Source contributions**

- hardware and firmware
- operating systems
- software distributions
- reverse engineering

I joined RISC-V International as an Individual Member.











Documentation is needed everywhere.

¹https://www.writethedocs.org/videos/eu/2017/the-four-kinds-of-documentation-and-why-you-need-to-understand-what-they-are-daniele-procida/

### Documentation...?

Documentation is needed everywhere.

There are different ways to categorize kinds of documentation<sup>1</sup>, e.g.:

- learning-oriented tutorials
- goal-oriented how-to guides
- understanding-oriented discussions
- information-oriented reference material
- miormation-oriented reference material

¹https://www.writethedocs.org/videos/eu/2017/the-four-kinds-of-documentation-and-why-you-need-to-understand-what-they-are-daniele-procida/

### Documentation...?

Documentation is needed everywhere.

There are different ways to categorize kinds of documentation<sup>1</sup>, e.g.:

- learning-oriented tutorials
- goal-oriented how-to guides
- understanding-oriented discussions
- information-oriented reference material
- Information-oriented reference material

We will look at ISAs as well as their implementations and applications.

¹https://www.writethedocs.org/videos/eu/2017/the-four-kinds-of-documentation-and-why-you-need-to-understand-what-they-are-daniele-procida/

# To Whom it Matters

#### **Individuals**

- **RISC-V International Slack**
- Telegram groups
- Matrix, e.g. Milk-V
- Reddit, /r/riscv
- Forums, e.g. StarFive
- OS distro communities





### To Whom it Matters

#### **Individuals**

- RISC-V International Slack
- Telegram groups
- Matrix, e.g. Milk-V
- Reddit, /r/riscv
- Forums, e.g. StarFive
- Forums, e.g. StarFiv
- OS distro communities

#### **Organizations**

- Academia, students & researchers
- Chip designers & vendors
- DEMs, e.g. Framework
- Industry groups, e.g. RISE
- OS distro vendors









## Status Quo at RISC-V International

RISC-V specifications are developed by groups and sources kept on GitHub.

There is a template and a guide:

- https://github.com/riscv/docs-spec-template
- https://github.com/riscv/docs-dev-guide





### Status Ouo at RISC-V International

RISC-V specifications are developed by groups and sources kept on GitHub.

There is a template and a guide:

- https://github.com/riscv/docs-spec-template
- https://github.com/riscv/docs-dev-guide

PDFs are created from the spec releases:

- https://github.com/riscv/riscv-isa-manual/releases
- https://github.com/riscv-non-isa/riscv-sbi-doc/releases/tag/v2.0





### Status Quo at RISC-V International

RISC-V specifications are developed by groups and sources kept on GitHub.

There is a template and a guide:

- https://github.com/riscv/docs-spec-template
- https://github.com/riscv/docs-dev-guide

PDFs are created from the spec releases:

- https://github.com/riscv/riscv-isa-manual/releases
- https://github.com/riscv-non-isa/riscv-sbi-doc/releases/tag/v2.0
- This allows everyone to easily contribute, raise questions, add clarifications, and join the development.





 $\ensuremath{\mathsf{RISC\text{-}V}}$  cores are implemented based on the RISC-V specs.





## Status Quo for Core and SoC Vendors

RISC-V cores are implemented based on the RISC-V specs.

Some implementations are open source, some are closed source, and some are derivatives of open source ones.





## Status Quo for Core and SoC Vendors

RISC-V cores are implemented based on the RISC-V specs.

Some implementations are open source, some are closed source, and some are derivatives of open source ones.

Cores are used in SoC design, with peripherals added, often from third parties.



## Status Quo for Core and SoC Vendors

RISC-V cores are implemented based on the RISC-V specs.

Some implementations are open source, some are closed source, and some are derivatives of open source ones.

Cores are used in SoC design, with peripherals added, often from third parties.

Documentation for cores and SoCs is, depending on the vendor,

- not publicly available
- available, but watermarked and restrictive
- published with delays or as drafts only
- sometimes in HTML, sometimes PDF form
- not possible to easily contribute to





More and more SBCs, tablets, laptops and other machines are being offered based on RISC-V cores.

- 2021: first SBCs
- 2024: multiple laptops



More and more SBCs, tablets, laptops and other machines are being offered based on RISC-V cores.

- 2021: first SBCs
- 2024: multiple laptops

End customers have received unfinished products sold as "open source".

Note: Sources were and are often not available, e.g. the SoC design / RTL.





More and more SBCs, tablets, laptops and other machines are being offered based on RISC-V cores.

- > 2021: first SBCs
- 2024: multiple laptops

End customers have received unfinished products sold as "open source".

Note: Sources were and are often not available, e.g. the SoC design / RTL.

Depending on the vendors, they may upstream software such as U-Boot, Linux, and OpenSBI. In some cases, community members do the work.



More and more SBCs, tablets, laptops and other machines are being offered based on RISC-V cores.

- > 2021: first SBCs
- 2024: multiple laptops

End customers have received unfinished products sold as "open source".

Note: Sources were and are often not available, e.g. the SoC design / RTL.

Depending on the vendors, they may upstream software such as U-Boot, Linux, and OpenSBI. In some cases, community members do the work.

Sometimes, short guides or manuals are available.

Schematics are mostly available, sometimes board designs.







## Lavers of Documentation for Hardware

- ISA specs
  - see RISC-V International on GitHub:-)
- public core manuals
  - consider community contributions
    - highlight implementation specifics
  - public SoC manuals
- - consider community contributions
    - third party components
- schematics and board designs
  - consider publishing sources
  - see also OSHWA certifications
  - mask ROMs and their protocols
- - signing, loading and flashing firmware
- firmware
  - sources, licenses, howtos, behavior, integration
- OS distributions
  - see also their wikis



## Full SoC and Core Manuals

- put them on GitHub, possibly as source
  - generate manuals from VHDL or similar
  - let community ask questions, file PRs/issues for clarification
  - use releases for artifacts, PDFs etc, link on vendor website
- including full memory map
- D register(s), efuses
- all peripherals (yes, also DRAM)

<sup>&</sup>lt;sup>2</sup>https://github.com/BPI-SINOVOIP/pi-u-boot/blob/2aa062b0567d3863d700021990de89 ba6b616c8f/drivers/ddr/spacemit/k1x/ddr\_init\_asic.h#L76

## Full SoC and Core Manuals

- put them on GitHub, possibly as source
  - generate manuals from VHDL or similar
  - let community ask questions, file PRs/issues for clarification
    - use releases for artifacts, PDFs etc, link on vendor website
- including full memory map
- ▶ ID register(s), efuses
- all peripherals (yes, also DRAM)

#### **DRAM** controllers

- see StarFive forum
  - https://forum.rvspace.org/t/dram-training-and-calibration/3224
  - note: we do have open source code, but it is hard to understand due to lack of documentation
- DRAM blobs are blocking progress
  - example: SpacemiT K1 DRAM training blob in header file<sup>2</sup>
- consider purchasing from more open suppliers

<sup>&</sup>lt;sup>2</sup>https://github.com/BPI-SINOVOIP/pi-u-boot/blob/2aa062b0567d3863d700021990de86ba6b616c8f/drivers/ddr/spacemit/k1x/ddr\_init\_asic.h#L76





Typical SoCs have early code in their mask ROM, sometimes also called BROM (boot ROM) or ZSBL (Zero Stage Boot Loader).





Typical SoCs have early code in their mask ROM, sometimes also called BROM (boot ROM) or ZSBL (Zero Stage Boot Loader).

Boot ROMs may offer protocols for loading over UART or USB, which is great for development, e.g., Allwinner FEL, JH71x0 Xmodem.



Typical SoCs have early code in their mask ROM, sometimes also called BROM (boot ROM) or ZSBL (Zero Stage Boot Loader).

Boot ROMs may offer protocols for loading over UART or USB, which is great for development, e.g., Allwinner FEL, JH71x0 Xmodem.

Depending on the platform design, multiple further stages are necessary.



Typical SoCs have early code in their mask ROM, sometimes also called BROM (boot ROM) or ZSBL (Zero Stage Boot Loader).

Boot ROMs may offer protocols for loading over UART or USB, which is great for development, e.g., Allwinner FEL, JH71x0 Xmodem.

Depending on the platform design, multiple further stages are necessary.

Developers need documentation:

https://github.com/sipeed/LicheePi4A/issues/12
I want to know how bromload uboot image(emmc) to ram, because
I'm try to upstream uboot. :) This is only vendor can know.





# Tracking Progress

#### Software upstream status

- https://linux-sunxi.org/Linux\_mainlining\_effort#Status\_Matrix
- https://wiki.rvspace.org/en/project/JH7110\_Upstream\_plan
- H1520:

https://docs.google.com/spreadsheets/d/1WzTS8zJ9ZbmBz3CO-ApQPiAtg7gl\_wJT2prRZQXDlqQ



# Tracking Progress

### Software upstream status

- https://linux-sunxi.org/Linux\_mainlining\_effort#Status\_Matrix
- https://wiki.rvspace.org/en/project/JH7110\_Upstream\_plan
- **TH1520:**

 $https://docs.google.com/spreadsheets/d/1WzTS8zJ9ZbmBz3CO-ApQPiAtg7gl\_wJT2prRZQXDlqQ\\$ 

### **Operating Systems**

FreeBSD needs help; see Mitchell Horne at BSDCan Developer Summit FreeBSD on RISC V - May 2024 FreeBSD Developer Summit https://www.youtube.com/watch?v=O7zW7Z9U0ns







### What we can do

#### **RISC-V International**

- guides towards upstream OS and firmware
- call for examples/tutorials; tutorials.riscv.org / examples.riscv.org ?
- curate contributions
- set up repos like for specs



### What we can do

#### RISC-V International

- guides towards upstream OS and firmware
- call for examples/tutorials; tutorials.riscv.org / examples.riscv.org ?
- curate contributions
- set up repos like for specs

#### **End Users**

When you receive hardware, see how it works. If you figure things out, share them with the community! :-) Dump mask ROMs and other binaries to reverse them.



### Ghidra?





- StarFive
  - Provide source code for jh7110-recovery-20221205.bin https://github.com/starfive-tech/Tools/issues/2
  - Document XMODEM behavior with good/bad chips https://github.com/starfive-tech/Tools/issues/6
  - document OTP fuses and secure boot flow https://github.com/starfive-tech/Tools/issues/8
    - https://github.com/orangecms/vf2-header

  - https://github.com/orangecms/vf2-loader



- StarFive
  - Provide source code for jh7110-recovery-20221205.bin https://github.com/starfive-tech/Tools/issues/2
  - Document XMODEM behavior with good/bad chips https://github.com/starfive-tech/Tools/issues/6
  - document OTP fuses and secure boot flow https://github.com/starfive-tech/Tools/issues/8
    - https://github.com/starfive-tech/Tools/issues/8 https://github.com/orangecms/vf2-header
    - https://github.com/orangecms/vf2-loader
    - nttps://github.com/orangecms/viz-ioader
- Bouffalo Lab https://github.com/orangecms/bouffalo-loader



- StarFive
  - Provide source code for jh7110-recovery-20221205.bin https://github.com/starfive-tech/Tools/issues/2
  - Document XMODEM behavior with good/bad chips https://github.com/starfive-tech/Tools/issues/6
  - document OTP fuses and secure boot flow https://github.com/starfive-tech/Tools/issues/8
    - https://github.com/starfive-tech/lools/issues/8
      https://github.com/orangecms/vf2-header
    - https://github.com/orangecms/vf2-loader
    - nttps://github.com/orangecins/viz-toader
- Bouffalo Lab https://github.com/orangecms/bouffalo-loader
- CVITEK/Sophgo https://github.com/orangecms/sg\_boot



- StarFive
  - Provide source code for jh7110-recovery-20221205.bin https://github.com/starfive-tech/Tools/issues/2
  - Document XMODEM behavior with good/bad chips https://github.com/starfive-tech/Tools/issues/6
  - document OTP fuses and secure boot flow https://github.com/starfive-tech/Tools/issues/8
    - https://github.com/orangecms/vf2-header
    - https://github.com/orangecms/vf2-loader
    - nttps.//github.com/orangecins/viz-toader
- Bouffalo Lab https://github.com/orangecms/bouffalo-loader
- CVITEK/Sophgo https://github.com/orangecms/sg\_boot
- SpacemiT? TBD :-)





### Follow Me



https://github.com/orangecms https://twitter.com/orangecms https://twitch.tv/cyrevolt https://youtube.com/@cyrevolt

Darnet Mastowsk

Related:

- Bootloaders in Limbo https://www.youtube.com/watch?v=-Ub8rCMrso0
- From Hardware Design to Rich OS with No Code https://www.youtube.com/watch?v=sxVIUeWkD6o

https://metaspora.org/digging-for-documentation.pdf

License: CC BY 4.0 https://creativecommons.org/licenses/by/4.0/

