Lxboot - openlgtv/wiki GitHub Wiki
LXboot is the name LG gives to the bootloader of its LX chipsets.
The bootloader is divided into several stages:
Stage 0 (bootrom)
LXBoot stage 0 starts from the R/O Mask ROM located on the CPU.
Tasks
- Initializing the EMMC Device
- Starting a shell if triggered by an onboard button
  - Protected Shell (#), requires RSA key
  - Normal Shell ($), freely accessible but can't read OTP
  - ISP Shell (In System Programming), not yet explored
- Booting Stage 1 from EMMC (and possibly any other boot device supported by the ROM code)
Stage 1 (emmc primitive loader)
LXBoot stage 1 starts from EMMC. It's responsible for initializing the DRAM controller and loading the stage 2 loader into DRAM.
Tasks
- Initializing the DRAM controller
- Starting a shell if triggered by a key press on RS232-TTL (USB not yet initialized at this point)
- Loading Stage 2 from EMMC into DRAM
Stage 2 (emmc bootloader)
LXBoot stage 2 starts from EMMC after being loaded into DRAM by stage 1. It's responsible for loading the OS kernel and hypervisor.
Tasks
- Initializing the LCD panel and showing the boot logo
- Initializing the USB subsystem and the PL2303 Serial2USB
- Initializing the NVRAM, which is used to check hardware parameters and debug mode
- Optionally initializing the NIC for NFS booting
- Loading the hypervisor (trustzone) and running it
- Loading the Linux Kernel and running it (after hypervisor)
- Starting a shell if triggered by a key press on RS232-TTL or PL2303, or if boot fails
Hypervisor
The LX hypervisor's task is to protect the device keys and expose them to the OS when required.
All the device keys are stored in a special partition called "sedata" (Secure Data).
This partition contains a magic header ("SE"), followed by a list of the keys it contains (key names).
After this list there is a big block of encrypted content.
This content is encrypted with the OTP key, which is likely stored in the Mask ROM next to Stage 0 (Boot ROM).
The hypervisor acts as an oracle to the user OS. It can serve keys contained in sedata, without exposing the OTP key.
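A first-pass triage of an sedata dump laid out as described above, added here as an example and not code from the openlgtv project: it checks the "SE" magic, collects printable strings from the header as candidate key names, and reports the first 256-byte block whose entropy looks like ciphertext. The page gives no field sizes, so the printable-ASCII names, the block size, the threshold and the constructed sample image are all assumptions.

```python
import hashlib
import math
import re

MAGIC = b"SE"                               # magic header named on the page
NAME_RE = re.compile(rb"[\x21-\x7e]{3,}")   # assumption: names are printable ASCII
BLOCK = 256                                 # assumption: triage granularity in bytes


def entropy(buf: bytes) -> float:
    """Shannon entropy of buf in bits per byte (0.0 to 8.0)."""
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_sedata(image: bytes, threshold: float = 6.5):
    """Check the magic, then return (key_names, blob_offset).

    blob_offset is the start of the first BLOCK-sized block that looks
    encrypted (entropy >= threshold), or None if no block does.
    """
    if not image.startswith(MAGIC):
        raise ValueError("not an sedata image: 'SE' magic missing")
    blob_offset = None
    for off in range(0, len(image) - BLOCK + 1, BLOCK):
        if entropy(image[off:off + BLOCK]) >= threshold:
            blob_offset = off
            break
    # Everything between the magic and the blob is treated as the name list.
    header = image[len(MAGIC):blob_offset]
    names = [m.group().decode("ascii") for m in NAME_RE.finditer(header)]
    return names, blob_offset


def constructed_sample() -> bytes:
    """Constructed stand-in image: made-up names, hash output as 'ciphertext'."""
    names = [b"EXAMPLE_KEY_A", b"EXAMPLE_KEY_B", b"EXAMPLE_KEY_C"]
    header = MAGIC + b"".join(n.ljust(32, b"\0") for n in names)
    header = header.ljust(2 * BLOCK, b"\0")
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
    return header + blob


if __name__ == "__main__":
    print(triage_sedata(constructed_sample()))
```

The reported offset is accurate only to the block size; on a real dump, confirm the boundary by inspecting the bytes around it.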
The interface to the hypervisor is contained in the library "libkadaptor.so", which sits on top of the kernel driver.
The kernel driver provides the interfaces to send and receive data to and from the hardware devices, including the Secure Monitor, which is reached by performing SMC calls (System Monitor Calls).
libkadaptor uses these interfaces to implement the HAL and high-level functionality.