From 3759bb509000962f3d1c8f059637ddafd0dbe65a Mon Sep 17 00:00:00 2001 From: "Wladimir J. van der Laan" Date: Sat, 4 May 2019 14:00:08 +0200 Subject: [PATCH] doc: OTP layout notes --- README.md | 1 + doc/otp_layout.md | 43 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+) create mode 100644 doc/otp_layout.md diff --git a/README.md b/README.md index d1c30fa..ed33393 100644 --- a/README.md +++ b/README.md @@ -21,6 +21,7 @@ Documentation Additional register documentation that is not in the datasheet can be found here: - [K210 memory map](doc/memory_map.md) - A rough memory map for the Kendryte K210 (as used on the Sipeed Maix boards) +- [OTP memory map](doc/otp_layout.md) - Some random notes about the layout of the Kendryte K210 OTP memory - [LicheeDan / MaixGo on-board peripherals](doc/onboard.md) - List of on-board peripherals and chips for the various boards with a K210 External: diff --git a/doc/otp_layout.md b/doc/otp_layout.md new file mode 100644 index 0000000..2c32418 --- /dev/null +++ b/doc/otp_layout.md @@ -0,0 +1,43 @@ +OTP layout +========== + +Some random notes about the layout of the Kendryte K210 OTP memory. + +There is some on-board One-Time Programmable Memory, which is used +to configure the boot sequence as used by the boot ROM. A part of it is pre-written +in the factory. + +The total size seems to be 16384 (0x4000) bytes. + +``` +Ofs Type Description +---------------------------------------------------- +0000 u32 "ROXM" (0x4d584f52) magic value +0004 u16 Size of "boot patch" program +0006 u8[sz] Program data to be copied +3d91 u8[11] Looks like a production run identifier (ASCII) +3d9c u32? Serial number? Differs per board instance +3da0 u16 ? +3da2 u16 ? +3da4 u16 ? +3da6 u16 ? +3fd0 u8[16] 2 bits per entry, for 64 entries +3fe0 u8[16] 2 bits per entry, for 64 entries +3ff0 u8[16] Causes read errors. Might be write-only area for encryption key. +``` + +- The "boot patch" program is copied to SRAM at address 0x805f8000 at boot and + executed. I think it's meant to be a vector to fix issues in the ROM without + having to modify the chip. + +- You can read the OTP of your board using the `otp_dump` tool in this + repository. Note that the OTP contains a serial number (at least + 0x3d9c..0x3d9f seem to differ between boards) so it'd be wise to treat the + output as privacy-sensitive. + +- My intuition is that the areas at 0x3fd0 and 0x3fe0 are bit fields that specify + which parts of the OTP have been written and which have not. + +- Be careful: any writing to the OTP (if possible at all, I don't know, there + are some routines in the ROM that look like they might do this but haven't + tried !) might brick your chip unrecoverably.