by craig131 3772 days ago
Nice article, that was a really enjoyable read. But one of the things that stuck out to me was:

> The last four bytes of the EC firmware image clearly appeared to be a checksum, and there were some other locations that consistently varied as well. I guessed (correctly) that if I programmed an image with the wrong checksums the EC would fail to boot and I would have a brick on my hands, so trial and error was not a very good option.

I was under the impression that the checksum is validated before flashing? Isn't that the primary purpose of checksums in ROM images?

1 comment

It's not possible to verify the checksum before flashing in this scheme. The EC is the only device that can calculate the checksum (1), and its RAM is probably smaller than its Flash. So there isn't enough RAM to receive the entire update, checksum, and then flash. It needs to stream to flash. So the checksum is either checked after flashing, after which it's too late to go back, or it's checked by the EC during boot, which is again too late.

There are better ways of doing this, but based on the article it seems the EC didn't implement them.

(1) We know this because the checksums are calculated on the decrypted image, and only the EC has the keys to decrypt the image.
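Added example, not code from either commenter or from the article under discussion: a constructed simulation of the constraint described in the reply. The EC's receive buffer is far smaller than the image, so each chunk goes straight to flash and only a running sum plus the last four bytes stay in RAM; the checksum can therefore only be compared once everything has been written. The image format (payload followed by a 4-byte little-endian sum of the payload bytes), the 64-byte RAM buffer, the slot size and the "A/B slot with a commit marker" layout used to illustrate one of the "better ways" are all assumptions made for this example.

```python
"""Constructed simulation of an EC whose RAM is smaller than its flash, so a
firmware update must be streamed to flash and can only be checksummed after
the write.  Image format is an assumption for this example: payload followed
by a 4-byte little-endian checksum equal to the sum of the payload bytes
modulo 2**32."""
import struct

RAM_BYTES = 64          # assumed receive buffer; much smaller than an image
MASK32 = 0xFFFFFFFF


def checksum32(data: bytes) -> int:
    return sum(data) & MASK32


def build_image(payload: bytes) -> bytes:
    """Append the trailer checksum, the way an update tool would."""
    return payload + struct.pack("<I", checksum32(payload))


def chunked(image: bytes, size: int = RAM_BYTES):
    """Deliver the image the way the host would: RAM-sized pieces."""
    for i in range(0, len(image), size):
        yield image[i:i + size]


class Flash:
    """Two firmware slots plus an 'active' marker (an assumed A/B layout)."""

    def __init__(self, slot_size: int, initial: bytes):
        self.slots = [bytearray(slot_size), bytearray(slot_size)]
        self.length = [len(initial), 0]
        self.slots[0][:len(initial)] = initial
        self.active = 0

    def boot(self) -> bool:
        """The EC's own boot-time check on whatever slot is marked active."""
        img = bytes(self.slots[self.active][:self.length[self.active]])
        if len(img) < 4:
            return False
        payload, trailer = img[:-4], img[-4:]
        return checksum32(payload) == struct.unpack("<I", trailer)[0]


def stream_update(flash: Flash, stream, single_slot: bool) -> bool:
    """Write each chunk to flash as it arrives, holding only a running sum
    and the last four bytes in RAM.  single_slot=True overwrites the active
    image (the situation the thread describes); single_slot=False writes the
    spare slot and only marks it active once the trailer matches."""
    target = flash.active if single_slot else 1 - flash.active
    slot = flash.slots[target]
    written, running, tail = 0, 0, b""
    for chunk in stream:
        assert len(chunk) <= RAM_BYTES          # never more than RAM in hand
        slot[written:written + len(chunk)] = chunk
        written += len(chunk)
        running = (running + sum(chunk)) & MASK32
        tail = (tail + chunk)[-4:]             # the trailer is the last 4 bytes
    flash.length[target] = written              # bytes are in flash regardless
    if len(tail) < 4:
        return False
    payload_sum = (running - sum(tail)) & MASK32   # sum over payload only
    ok = payload_sum == struct.unpack("<I", tail)[0]
    if ok and not single_slot:
        flash.active = target                   # commit only after verification
    return ok


def demo() -> dict:
    """Constructed images: v1 installed, v2 as the update, plus a corrupt v2."""
    good = build_image(b"EC firmware v2 " * 20)
    bad = good[:-1] + bytes([good[-1] ^ 0xFF])  # one flipped trailer byte
    old = build_image(b"EC firmware v1 " * 20)
    results = {}
    # Single slot: a bad image lands over the only firmware, and boot fails.
    f = Flash(4096, old)
    results["single_bad_accepted"] = stream_update(f, chunked(bad), single_slot=True)
    results["single_bad_boots"] = f.boot()
    # A/B slots: a bad image is rejected and the old firmware still boots.
    f = Flash(4096, old)
    results["ab_bad_accepted"] = stream_update(f, chunked(bad), single_slot=False)
    results["ab_bad_boots"] = f.boot()
    # A/B slots: a good image is committed and boots from the new slot.
    f = Flash(4096, old)
    results["ab_good_accepted"] = stream_update(f, chunked(good), single_slot=False)
    results["ab_good_boots"] = f.boot() and f.active == 1
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The single-slot branch is the brick case from the thread: the checksum is computed correctly, but by the time the mismatch is known the old image is already gone. The A/B branch shows why a spare slot changes the outcome without needing more RAM: verification still happens after the write, but the write is to a slot that is not yet active.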