OTP whitelabel options for RP2350 boards

It’s a fair enough question. First, allow me to recall some history of the BusPirate5 saga.

Rev8 vs. Rev10

BP5 has early version (known generally now as “Rev8”), which had some different hardware … including an SD card instead of onboard flash. Later, this was changed in “Rev10” to have onboard flash, and some pin mappings were changed. This raised a problem … how to determine if a firmware was accidentally applied to the wrong board type?

To be fair, Ian found a way to detect this, and the detection occurs early enough in the boot process that hardware should not be damaged. But, it would still be preferable to have a way to identify the specific model.

Manufacturing Glitches

At various times, there were problems in production (or caused during shipping) which only appeared once the boards are in customer hands. Much time was spent tracking down which boards had the problem, with the hope of tracking back to see if there was a common cause (e.g., all made on the same date? same batch?) It would be nice to have human-readable information that can be used in an error report to help correlate these issues.

Recall-like information

Having manufacturing information is also good for the customer. One issue (E9) affected all boards manufactured before a given date. How can a user know when their board was made? Ian and friends did a great job looking things up for folks and answering individual questions … but having it accessible (even without any firmware loaded) would be even better.

More Polished User Experience

The UF2 bootloader is drab. Every device out there using the RP bootloader seems to show the same “RP2350” volume, and the device advertises itself as Raspberry Pi’s product … not a BusPirate product. The INFO_UF2.TXT indicates only that this is a “Raspberry Pi RP2350”, of model “RP2350” … not a BusPirate. Worse, the UF2 bootloader has a HTML site that loads Raspberry Pi’s website. That should go to BusPirate.com, obviously

Can it be better?

The loaded firmware is already full controlling what is exposed over USB. Only the bootrom’s (and thus UF2 partition and behavior) were locked to the above behavior.

Wouldn’t it be even better if the UF2 booloader showed information more appropriate to the actual BusPirate product? YES!

New to the RP2350, there are now settings in the OTP area specifically set aside to provide richer customization of the UF2 bootloader.

I’ll walk through the details on how later, and a full walkthrough of changing things to meet some desired changes as an example.

For this example, at least at the time this post was authored, I am going to try to modify the bootrom to have the following changes (vs. the stock RP2350 bootloader behavior).

Vendor IDs and Product IDs should refer to the Bus Pirate board. So should the model information. The UF2 volume should have a Bus
Pirate based volume label. The UF2 volume’s text files should point to the buspirate site (for index.htm) and include both model and manufacturing data.

• USB_VID / USB_PID become 0x1209 / 0x7332
  • this is a value that Ian already has assigned to the BusPirate product (for the logic analyzer). Since the LA is now integrated, the PID is free to re-use here. Ian might obtain an additional VID/PID, of course…
  • USB_MANUFACTURER string of “Bus Pirate”
  • USB_PRODUCT string “Bus Pirate 6”
• SCSI VID/PID become “Bus Pir8”/“Bus Pirate 6”
• UF2 Volume should have label of “BP6_BOOT”
  • UF2 Volume is FAT16
  • Limit self to 8 uppercase chars
  • ? TODO: Test 11 characters ?
  • ? TODO: Test 4000 characters ?
• UF2 INDEX.HTM file should have:

<html>
  <head>
    <meta http-equiv="refresh" content="0;URL='https://buspirate.com'"/>
   </head>
   <body>Redirecting to <a href='https://buspirate.com'>buspirate.com</a></body>
</html>

• UF2’s INFO_UF2.TXT should have info such as:

UF2 Bootloader v1.0
Model: Bus Pirate 6
Board-ID: Rev0      LineA               20250214T012759Z

That last line deserves an explanation…

• The first ten characters are reserved to store a revision identifier. This would correlate to BP5’s Rev8 vs. Rev10. The new BP7 might store “Rev0” on the first prototypes.
• The next twenty characters are manufacturing information. I just put “LineA” as an example. Other values are expected.
• The last bit is the ISO8601 string for the date of manufacture, as accurate as the factory processes allow. Maybe it’s the time the OTP is programmed.
  Regardless, it’s just an example of three types of useful information that really should be exposed: Board hardware revision, manufacturing trace data, and datetime of manufacture.

Even better:
Program the serial number and a digital signature over the OTP settings & device serial number, and include that signature as an indicator of hardware sourced from DangerousThings / BusPirate.com / DirtyPCBs / Ian. Now the device can self-report with a higher degree of confidence a source of who made it. Missing or no signature just means no validation of the source … all functionality remains.

When this investigation is complete, I hope to have a working solution for programming the BusPirate 6 with the example data. This solution should even be usable on devices that are already shipped to customers (datetime would obviously be estimates, under customer control). If digital signature applied, however, Ian could provide estimates that match his needs (e.g., even approximate month might be good enough).

The only variable portion is the board revision / manufacturing string, so it should be relatively straightforward to move to production.

Since this is testing the bootloader, a PICO board is sufficient for testing … no need to do early tests on expensive hardware.

Stretch goals:

• Bus Pirate 7 solution
• Bus Pirate 5XL solution
• Automated insertion of current ISO datetime

Mental model:

Simplifying things, one can think of the OTP as being an an array of uint16_t. Reading is done by a row address, which mentally can map to the array index of the uint16_t array.

Addressing Details (if you want them)

OTP addressing is … a bit weird … because of the options it supports. Each row of OTP is 24 bits. Generally, each row stores two bytes of data, plus one byte for ECC and polarity reversal protection.

Raspberry Pi made a choice to allow reading the OTP in multiple modes via alias’d addresses:

• Read 32 bits of ECC corrected data corresponding to two neighboring rows.
• Read 32 bits RAW from a single row (most significant 8 bits zero)
• As either of the above, but using the now infamous “guarded” reads

Since these return different quantities of data for a single row, the API is based on a Row address, rather than byte offsets (which would change depending on mode).

Relevant Layout Details

• OTP has 8192 bytes total, row addresses 0x0…0x0FFF.
• OTP is then logically grouped into 64 pages, each 0x40 Rows (128 ECC corrected bytes).
• Each page can be locked (various options… ignored here)

Of those 64 pages, six are not usable to store the customization data:

• Page 0 is locked during manufacturing (0x0 … 0x3F)
• Pages 1…2 are boot config / boot key (0x40 … 0xBF)
• Page 61 (0xF40 … 0xF7F) store OTP access keys
• Pages 62…63 (0xF80…0xFFF) define OTP page locking

This leaves 48 pages that store any other data, including the customization we’re going to try to get to work:

• First usable page is 3 (0xC0 … 0xFF)
• Last usable page is 60 (0xF00 … 0xF3F)

OTP Row 0x059 USB_BOOT_FLAGS

Bit 22 indicates the USB_WHITE_LABEL_ADDR field is valid
Each of bits 0…15 indicate a given field in that pointed to structure contains valid data. For example, bit 0 indicates if the USB Device Product ID field is valid.

OTP Row 0x05A USB_BOOT_FLAGS_R1

Redundant copy of 0x059.

OTP Row 0x05B USB_BOOT_FLAGS_R2

Redundant copy of 0x059.

OTP Row 0x05C USB_WHITE_LABEL_ADDR

Row index where the start of the “White Label” structure are stored.

(varies) USB_WHITE_LABEL

Conceptually, this can be thought of as the following C-struct:

typedef struct _STRING_REF {
    // least significant seven bits of first byte
    uint8_t Character_Count : 7;
    // Most significant bit of first byte
    uint8_t Is_Two_Byte_Unicode : 1;
    // Valid range: 0x10..0xFF
    uint8_t Row_Offset_From_USB_White_Label;
} STRING_REF;
_Static_assert(sizeof(STRING_REF) == 2, ""); // 16 bits

typedef struct _USB_WHITE_LABEL {
    uint16_t   USB_Device_VendorID;
    uint16_t   USB_Device_ProductID;
    uint16_t   USB_Device_Standard_Version; // aka BCD
    uint16_t   USB_Device_Language_ID; // 0x0409 is default
    STRING_REF USB_Device_Manufacturer; 
    STRING_REF USB_Device_Product;
    STRING_REF USB_Device_Serial_Number;
    uint16_t   USB_Device_Max_Power_mA;
    STRING_REF Volume_Label;
    STRING_REF SCSI_VendorID;
    STRING_REF SCSI_ProductID;
    STRING_REF SCSI_Version;
    STRING_REF Index_htm_Redirect_URL;
    STRING_REF Index_htm_Redirect_Name;
    STRING_REF Info_uf2_Model;
    STRING_REF Info_uf2_Board_ID;
} USB_WHITE_LABEL;

Major GOTCHA!

The string reference values stored in the USB_WHITE_LABEL structure can only point forward, and can point forward a maximum of 255 rows. Thus, the strings to be used must be stored after, but close to, the USB_WHITE_LABEL itself.

It is not clear yet in which order to store the individual characters in a given OTP row.

Hacks

Because the STRING_REF is a counted (not null-terminated) string, a string that is a sub-string of another string may be directly referenced, so long as the starting point in the string is an even offset (for ASCII). It’s always possible to do this for unicode strings.

e.g., If storing “Bus Pirate ABC” and “Bus Pirate”, both STRING_REF can point to the start of “Bus Pirate ABC”, the second will just indicate fewer characters are used.

I will use this later to reduce the number of rows needed to store the strings.

What is being overridden

For this first example, let’s override the following data:

• USB_VID = 0x1209
• USD_PID = 0x7332
• USB_MANUFACTURER = “Bus Pirate”
• USB_PRODUCT = “Bus Pirate 6”
• VOLUME_LABEL = “BP6_BOOT”
• UF2_REDIRECT_URL = “https://buspirate.com/”
• UF2_REDIRECT_NAME = “buspirate.com”
• SCSI_VENDOR_ID = “Bus Pir8”
• SCSI_PRODUCT_ID = “Bus Pirate 6”
• UF2_INFO_MODEL = “Bus Pirate 6”
• UF2_INFO_BOARD_ID = “Rev 0 LineA 20250214T012759Z”

Just the strings …

There are only a few strings that need to be written to the OTP.

The second string re-uses the same OTP rows used for the first string, just fewer characters. For the fifth string, it’s just lucky that the https:// is an even number of characters, allowing to point a few OTP rows into the middle of that string for just the hostname.

Totally needless hacks, but hacks are good!

NOTE: None of the data in this section should be presumed valid. It’s entirely untested, just the output after review of some documentation. Reality may differ.

One goal is to ensure everything fits in a single OTP Page (0x40 Row addresses). Keeping stuff aligned with OTP pages avoids contention with the lock bits and similar permissions. This also would mean that single page could be locked, to prevent any additional bits from being inadvertently set. Using the last usable page (0x60 … starting row of 0xF00) might also be preferable.

USB_WHITE_LABEL data

Reference Strings

Row address offsets 0x3d, 0x3e, 0x3f are reserved for future use. Thus, the total size of the white label data is 0x40 rows (128 bytes).

Program Ordering during testing

1. Program the USB_WHITE_LABEL data + reference strings @ starting row 0x100 (0x100 … 0x13C, inclusive)

2. Program the USB_WHITE_LABEL_ADDR to point to 0x100

3. Program the USB_BOOT_FLAGS to indicate which fields of the USB_WHITE_LABEL data should be considered valid.

   • 0b_0000_0000_0100_0000__1111_0111_0011_0011
     • bit 0: USB VID
     • bit 1: USB PID
     • bit 4: USB Manufacturer string
     • bit 5: USB Product string
     • bit 8: Volume Label string
     • bit 9: SCSI VID string
     • bit 10: SCSI PID string
     • bit 12: Redirect URL string
     • bit 13: Redirect name string
     • bit 14: INFO_UF2.TXT model string
     • bit 15: INFO_UF2.TXT Board ID string
     • bit 22: WHITE_LABEL_ADDR is valid
   • 0x0040F733

4. Test with this configuration

5. HACKHACK. If somethings not working, can still get three more tries on this same hardware. Re-write the USB_WHITE_LABEL starting at the following starting row addresses (once per attempt, in order), and then update USB_WHITE_LABEL_ADDR to add the bit needed for the new row address.

   • 0x300
   • 0x700
   • 0xF00
     EDIT: Oops … I forgot about the ECC. It might be possible to get more than one try, but doing so would require finding a first lower encoded address with few ECC bits set, and then a second address with more bits in both address and ECC (and none of the existing bits of the first address or ECC cleared). Glad I ordered a bunch of pico boards…

6. After those four attempts, if it’s still not working, disable the chip via the RMA procedure / decommisioning procedure (sets a bit in last OTP page…). Try again on a new chip…

cmake -S . -B build_rp2040 -DPICO_SDK_FETCH_FROM_GIT=TRUE
cmake -S . -B build_rp2350 -DPICO_SDK_FETCH_FROM_GIT=TRUE -DBP_PICO_PLATFORM=rp2350
cmake --build ./build_rp2040 --parallel --target clean
cmake --build ./build_rp2350 --parallel --target clean
cmake --build ./build_rp2040 --parallel --target all
cmake --build ./build_rp2350 --parallel --target all