SID Register Guide

From linux-sunxi.org
Jump to: navigation, search

Contents

Security ID

So far, all Allwinner A-series SoC come with a bit of memory called 'SID'. So far, for all chips this is 128 bits of freely? usable memory, with a catch. These 128 bits of memory, are not in RAM or ROM, they are so called e-fuses.

By default, the chip ID or revision is written to these fusions and possibly some form of serial number. While modifying is untested at this moment, it is possible to read the fuses.

A few use cases for the SID are, but not limited to:

  • Generate per-device unique MAC address
  • Store/use as an RSA etc key
  • Write in-house serial numbers

Info

SID Base address: 0x01c23800

For Allwinner A83T and H3 the SID address space starts at 0x01c14000, and the e-fuses are at offset 0x200 - so the address to use for these SoCs is 0x01c14200.

SID Registers

Register Name Offset Size Description Note
SID_KEY0 0x00 4 B Key0 [0:31]
SID_KEY1 0x04 4 B Key1 [32:63]
SID_KEY2 0x08 4 B Key2 [64:95]
SID_KEY3 0x0c 4 B Key3 [96:127]
SID_WRITE_DATA 0x40 4 B Data [0:31] NOT VERIFIED
SID_WRITE_CTRL 0x44 4 B SID Program Control register


SID_KEY[0-3]

Default value: undefined
Offset: 0x0{0, 4, 8, c}

Name Bit Read/Write Default (Hex) Values Description
KEY[0-3] 0:31 Read 32 bits for SID


SID_WRITE_DATA

Default value: 0x00000000
Offset: 0x40

We think this is the data register used when programming the SID efuses.

There is also a EFUSE_VDDQ pin (pin T9 on A10) which is normally tied to GND but which we guess needs to have suitable power to enable efuse programming. Details unknown.

SID_WRITE_CTRL

Default value: 0x00000000
Offset: 0x44

Name Bit Read/Write Default (Hex) Values Description
SID_WRITE_START 0 Read/Write 0x00
    0x00 = done writing
    0x01 = start writing
  
Writes when enabled, returns to 0 after writing.
no operation 1:3
SID_WRITE_POS 4:7 Read/Write 0x00
    0x00 = macrocell 0
    0x01 = macrocell 1
    0x02 = macrocell 2
    0x03 = macrocell 3
  
Index of which of the 4 hardware macrocell fuses to burn. It is currently unknown where to obtain said value from but a guess is register 0x40.
no operation 8:31

A83T, H3, A64, ...

Newer SoCs have a 2 kbit eFUSE area with a new controller.

Registers

Base address: 0x01c14000

Register Name Offset Size Description
SID_PRCTL 0x40 4B Control register
SID_PRKEY 0x50 4B Program data
SID_RDKEY 0x60 4B Read data

SID_PRCTL

Offset
0x40
Name Bits R/W Default Values Description
31:24
RW
reserved
SID_PRCTL_OFFSET 23:16
RW
eFUSE offset
SID_PRCTL_OP_LOCK 15:8
W
0xac
magic value to prevent accidental programming
7:2
RW
reserved
SID_PRCTL_READ 1
RW
write 1 to read eFUSE, clears after finish
SID_PRCTL_WRITE 0
RW
write 1 to program eFUSE, clears after finish

SID_PRKEY

Offset
0x50
Name Bits R/W Default Values Description
SID_PRKEY 31:0
RW
data to program to eFUSE

SID_RDKEY

Offset
0x60
Name Bits R/W Default Values Description
SID_RDKEY 31:0
RW
data read from eFUSE

eFUSE

Name Offset Size Description
CHIPID 0x00 128 bit Chip-ID, also known as SID
OEM_PROGRAM 0x10 32 bit unknown
NV1 0x14 32 bit unknown
NV2 0x18 64 bit unknown
RSAKEY_HASH 0x20 160 bit unknown
THERMAL_SENSOR 0x34 64 bit Thermal sensor calibration data
RENEWABILITY 0x3c 64 bit unknown
HUK 0x44 256 bit unknown, later split in IN(192), IDENTIFI(32), ID(32)
ROTPK_HASH 0x64 256 bit SHA256 hash of the "Root of Trust" public key
SSK 0x84 128 bit unknown
RSSK 0x94 256 bit unknown
HDCP_HASH 0xb4 128 bit unknown
EK_HASH 0xc4 128 bit unknown
SN 0xd4 192 bit unknown, RESERVED before A64
NV2_BACKUP 0xec  ? bit unknown, RESERVED before A64
LCJS 0xf4 32 bit Flags (secure boot mode, ...)
DEBUG 0xf8 32 bit unknown
CHIP_CONFIG 0xfc 32 bit unknown

ROTPK_HASH

Contains the SHA256 hash of the 2048-bit public key used to verify the signature of the first code executed after BROM, the so-called TOC0.

ROTPK_HASH = SHA256([Byte 0-255] = RSA modulus || [Byte 256-x] = RSA public exponent || [Byte x-511] filled with 0x91)

The hash isn't checked as long as all 32-bit words in this eFUSE have the same value. This means, only the signature is verified, but not the key used to sign, so any key can be used.

LCJS

Name Bits Values Description
LCJS_CUSTOM_DMA_WAIT 31:30
  0x2  = custom wait cycles (para0 * para1)
 other = fixed wait cycles (32)
BROM flag: DMA wait cycles
LCJS_CE_CLK_SRC 29:28
  0x2  = PLL_PERIPH0/4
 other = OSC24M
SBROM flag: CE clock source
LCJS_DMA_WAIT_PARA1 27:24 BROM param: DMA wait cycles
LCJS_DMA_WAIT_PARA0 23:20 BROM param: DMA wait cycles
LCJS_SW_SHA256 19:18
  0x2  = software SHA256
 other = CE hardware SHA256
SBROM flag: use software SHA256 instead of CE
LCJS_MAGIC_FEL_FLAG 17:16
  0x2  = set flag
 other = don't set flag
SBROM flag: write magic value at 0x2800, which is checked by FEL code (what does FEL do with it?)
LCJS_SECURE_BOOT 11
 0x1 = secure boot
 0x0 = normal boot

Currently known SID's

You may try to retrieve the SID value via our sunxi-tools (./sunxi-fel sid) - or dump it from within U-Boot using the corresponding, SoC-specific address (e.g. md.l 0x01c23800 4). If running a mainline kernel hexdump should be sufficient.

hexdump -C /sys/devices/platform/[email protected]/1c23800.eeprom/eeprom
00000000  16 51 66 c6 80 51 77 89  54 53 48 48 0a 40 f2 67  |[email protected]|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

Simple script to run on legacy kernel with devmem2:

d0=`./devmem2 0x01c14200 w|grep Value|sed 's/^.*: 0x/ /'`
d1=`./devmem2 0x01c14204 w|grep Value|sed 's/^.*: 0x/ /'`
d2=`./devmem2 0x01c14208 w|grep Value|sed 's/^.*: 0x/ /'`
d3=`./devmem2 0x01c1420c w|grep Value|sed 's/^.*: 0x/ /'`
echo $d0 $d1 $d2 $d3


Board eeprom package batch notes
A10
Cubieboard 1.0 1024 (A10) 16236747 80728452 50574848 064163D5
Cubieboard 1.0 1024 (A10) 162367C7 80778052 50554848 0201DDC3
Cubieboard 1.0 1024 (A10) 16236750 80758352 52574848 08025081
Cubieboard 1.0 1024 (A10) 16236745 80778052 50554848 07C171AD
Cubieboard 1.0 1024 (A10) 16236743 80758952 54544848 0642d3e9
Cubieboard 1.0 1024 (A10) 16236790 80758952 54544848 03c21c4e
Cubieboard 1.0 1024 (A10) 162367d9 80758952 54544848 08c21483
Cubieboard 1.0 1024 (A10) 16236798 80758952 54544848 0781186a
Cubieboard 1.0 1024 (A10) 1623674c 80758952 54544848 0a02c845
Cubieboard 1.0 1024 (A10) 1623670f 80758952 54544848 0981e268
Cubieboard 1.0 1024 (A10) 1623678b 80778251 54534848 0a4285d6
Cubieboard 1.0 1024 (A10) 16236743 80758952 54544848 06410f3d
Gemei G9 (A10) 16236712 80726652 57524848 04c29968
Mele A1000 (A10) early version 00000000 00000000 00000000 00000000
pcDuino (A10) 16236755 80758952 53554848 0a41e8c9
A10s
R7 hdmi-stick (A10s) 16254157 504B4133 30397030 0A41FA85
mk802 hdmi-stick (A10s) 16254115 50484E39 35397030 0D02F6E8
OlinuXino (A10S) 162541d3 50485937 30357030 04020663
A13 / R8
A13B tablet (A13) 16254216 504E4837 39313030 06819C58
OlinuXIno (A13) 16254147 50475838 36313030 0341B75D
OlinuXIno (A13) 16254159 50475838 36313030 0B4181E9
OlinuXIno (A13) 16254158 504B4E39 35303030 0A0185F5
OlinuXIno Micro (A13) 16254187 504b4e39 35303030 094313f2
NextThingCo CHIP v1.0 (R8) 1625420f 50303647 36363030 0400b0b0
NextThingCo CHIP v1.0 (R8) 16254293 50303858 31333030 0282919a
Nolimbook (A13) 162542c1 50525039 30313030 06420e6b
A20
EOMA68-A20 (A20) 165165c7 80807552 55564848 0842c7fb
Cubietruck (A20) 16516683 80485172 49514848 0940e0da plaes, via sunxi-fel
Cubietruck (A20) 16516507 80808952 56524848 03c18168
Cubietruck (A20) 16516581 80808952 56524848 0583548e
Cubietruck (A20) 16516587 80808952 56524848 0b81d536
Banana Pi (A20) 1651664f 80485686 53504848 0702dde9
Banana Pi (A20) 1651668a 80485788 51484848 02825172
Banana Pi M1 (A20) 165166cc 80485666 53564848 09c255a3 kc's
Banana Pi R1 (A20) 16516604 80485686 52524848 0641E864 kc's bpi-r1 (using devmem2)
A20-OLinuXIno-LIME2: (A20) 16516608 80485172 49484848 0800ccfc
A20-OLinuXIno-LIME2: (A20) 165166c6 80517789 54534848 0a40f267
A20-OLinuXino-MICRO (A20) 00000000 00000000 00000000 00000000 (2 verified)
Cubieboard 2.0 1024 (A20) 00000000 00000000 00000000 00000000 (3 verified)
A31s, sid in AXP221
CSQ CS908 (A31s) 16524251 434e3038 34010088 080d81eb
Mele A1000G quad (A31) 16524251 43423635 32000045 060a7a38
A33/R16
Aoson M751S (A33) 0461872a 034c0106 9b486765 00000000
iNet D978 Rev02 (A33) 0461872a 03386006 1846b855 00000000
Nintendo NES Classic (R16) 0461872a 86583185 9ae7d847 6c118000
H2+
Orange Pi Zero 02004620 3435c614 5030034e 58000032
Orange Pi Zero 02c00042 34004620 5035c614 0439098e G6079BA 67B1
H3
Banana Pi M2+ 02004620 94358000 502d05ce 5800006c
Banana Pi M2+ 02004620 94358000 50350a8e 4c000022
HYH-TBH3 02C00081 00004620 51900618 a058e187 BroderTuck's 'Smart Android Box' (using devmem2)
NanoPi NEO 02004620 24358810 502405ce 2800000a
NanoPi NEO 02c00081 44004620 5035c204 2c2e0c4e G5071BA 65L3 Lion's batch -- #1
NanoPi NEO 02c00081 44004620 5035c204 2417068e G5071BA 65L3 Lion's batch -- #2
NanoPi NEO 02c00081 44004620 5035c204 242301ce G5071BA 65L3 Lion's batch -- #3
NanoPi M1 02004620 64358720 50320c8e 40000069
Orange Pi PC 02004620 94340508 5040068e 54000000
Orange Pi PC 02004620 94340508 502b0a8e 24000000
Orange Pi PC 02004620 24340408 50330d0e 60000000
Orange Pi PC 02004620 34344314 503a04ce 80000000
Orange Pi PC 02004620 34344314 503b0c0e 80000000
Orange Pi PC 02c00081 94004620 50340508 3035080e F7008BA 68E3 kc's opipc#1
Orange Pi PC 02c00081 54004620 50354520 1033080e G2064BA 62T3 kc's opipc#2
Orange Pi PC 02c00081 54004620 50354520 1c34020e NiteHawk's OPiPC, (incorrect) value before was
02004620 54354520 5034020e 1c000000
Orange Pi PC 02c00081 54004620 50358720 4c1c058e G4075BA 64P3
Orange Pi PC Plus 02004620 1435811c 50340a0e 4c00006f
Orange Pi PC Plus 02004620 1435811c 5024010e 5c000080
Orange Pi Plus 02004620 94340508 501a050e 4000006d
Orange Pi Plus 2 02004620 34344314 5021034e 5c000000
Orange Pi Plus 2E 02004620 1435811c 501d078e 4c000060
Orange Pi Plus 2E 02004620 1435811c 503f050e 48000085
Orange Pi Plus 2E 02c00081 14004620 5035811c 4423098e G4060BA-64H3 kc's opi+2e
Orange Pi Lite 02004620 1435811c 5022018e 64000022
Orange Pi Lite 02004620 1435811c 5018050e 3c000011
Orange Pi Lite 02c00081 14004620 50354718 3422048e
Orange Pi One 02004620 9435430c 502e034e 58000000
Orange Pi One 02004620 4435c204 502404ce 20000065
Orange Pi One 02c00081 74004620 50358720 3c27048e G5039BA 6593
Orange Pi 2 02004620 34900700 51360a0c 0c000050
H5
Orange Pi PC 2 82800001 24004704 5035c120 303403cc
Orange Pi PC 2 82800001 44004704 5035c120 2c2d07cc
Orange Pi PC 2 82800001 34004704 5035c120 1c2d02cc G7015AA 67E1
Orange Pi Prime 82800001 34004704 5035c200 382f020c G8112AA 6AU2
NanoPi NEO2 82800001 34004704 5035c200 3c2b068c G8112AA 6AU2 FriendlyELEC sent to Icenowy, #1
NanoPi NEO2 82800001 34004704 5035c200 303a080c G8112AA 6AU2 FriendlyELEC sent to Icenowy, #2, in the same order with #1
A64
Pine64 sample (green LED) 92c000ba 24104620 51900808 14160acb
Pine64+ sample (green LED) 92c000ba 24004620 51900808 141709cb
Pine64+ (red LED) 92c000ba 04004620 51900804 0805070b
Pine64+ 2GB (red LED) 92c000ba 04004620 51900804 040905cb
Pine64+ 2GB (red LED) 92c000ba 54104620 51900808 581802cb F8059BA 4977
Pine64+ 2GB (red LED) 92c000ba 54104620 51900808 280c094b F8059BA 4977
SoPine RevC 92c000ba 84004620 50344424 141908cd F9192BA 4967
Banana Pi M64 92c000ba 84104620 51900800 6020024b
H64
Jide Remix Mini 92c000bb 44004620 51900808 1011028b
R40
Banana Pi M2 Ultra 12c00017 14104700 5190410c 2417088c
V3s
Lichee Pi Zero 12c00000 44104620 5033c810 5c23118d
Sticky-note-pin.png Note: The H3 SIDs starting with 02004620 are likely wrong due to a quirk of H3. A silicon bug manifests itself in a way that returns a garbled SID (root key) when reading the values solely via memory access. Accessing the SID once via register access seems to fix this, even for subsequent memory reading - see the discussion on the mailing list. Corresponding entries in the table above therefore cannot be trusted, and need to be refreshed. A fix for sunxi-fel is now available.

Newer SoC families no longer seem to follow the above pattern of containing the SoC ID within the first value.
However, the leading 32 bits still appear to be consistent among the same SoCs:

SoC ID SID key
A33 (R16) 0x1667 0461872a [...]
A64 0x1689 92c000ba [...]
A83T 0x1673 32c00401 [...]
H3 0x1680 02c00081 [...]
H5 0x1718 82800001 [...]
H64 0x1689 92c000bb [...]
R40 0x1701 12c00017 [...]
Personal tools
Namespaces

Variants
Actions
Navigation
Tools