Cobo Vault offers a method for verifying official release upgrade packages. You can compare a version package you compiled from Github source code with the official release update package to accomplish this.
The python script make_update_package.py is for verifying secure element firmware update package.
Refer to the below sections for instructions.
Use update public key to unzip upgrade package. An upgrade package consists of the following parts:
app_[version_code]_[version_name]_[git_commit_id]_[apk_sha1_checksum].apk: Cobo Vault cold upgrade version packagemanifest.json: Upgrade package digest informationserial_*.bin: Cobo Vault Secure Element upgrade version packagesigned.rsa: Signature for upgrade package
Download the code of the branch corresponding to the official upgrade package version from Github. For example, if the official upgrade package version is V0.3.6, the corresponding code branch is V0.3.6-release.
Run the following command to download the code:
git clone -b [code branch] git@github.com:CoboVault/cobo-vault-se-firmware.git
Replace [code branch] with a specific branch name.
Build with ARM IDEs like "Keil MDK V4.x".
- Download Keil MDK4.x here.
- Install MDK and register license.
- Run MDK, and add firmware project. Open the dialog
Project - Open Project, selectmason.uvprojin directorycobo-vault-se-firmware/. - Build the firmware project. Select the dialog
Project - Rebuild all target filesto compile the source files. - Find the firmware image
mason_app.hexandmason_app.binin directorycobo-vault-se-firmware/.
Use python script make_update_package.py in directory cobo-vault-se-firmware/upgrade/ to make a upgrade package from build hex file.
Command is make_update_package.py -t TARGET_VERSION, TARGET_VERSION should be same as official release update package. You can find it in cobo-vault-se-firmware/source/version_def.h.
Such as Python upgrade/make_update_package.py -t 0.3.6.000000. app.0.3.6.000000.bin is the update package.
app.0.3.6.000000.bin is consist of the following parts:
| Index | Part | Length | Description |
|---|---|---|---|
| 1 | Header | 128Bytes | version info and signature for verifying |
| 2 | Body | 528Bytes*n | version package encrypted and checksum |
Update Package Header's length is 128 bytes. It is consist of the following parts:
| Index | Item | Length | Description |
|---|---|---|---|
| 1 | ver | 4Bytes | version BCD encode |
| 2 | ver_checksum | 4Bytes | front 4 bytes of ver sha256 |
| 3 | reserve | 24Bytes | reserve |
| 4 | body_hash | 32Bytes | sha256 value of entire body |
| 5 | signature | 64Bytes | signature of body_hash |
Update Package Body has several 528 bytes blocks. Each block is consist of the following parts:
| Index | Item | Sub Item | Length | Description |
|---|---|---|---|---|
| 1 | block_content | block_addr | 8Bytes | flash address of block (3des encrypt) |
| 2 | block_content | block_bin | 512Bytes | package bin of block (3des encrypt) |
| 2 | bloc_checksum | / | 8Bytes | front 8 bytes of block_content(3des encrypt) sha256 |
More information about make_update_package.py , you can execute make_update_package.py -h
After compare the update package with the serial_*.bin unzipped from official release update package,
You will find the "signature" in update Package Header is different.
Beyond that, the other parts should be same. It could prove the official release update package was built by Github source code.