System Overview

Security Recovery Core (SRC) is a hardware-assisted firmware recovery system that operates at the lowest level of your computer system, before the BIOS/UEFI even starts. It provides an automatic safety net that can recover your system from firmware corruption or failed updates.

Key Point: SRC runs independently of your operating system, which means it can protect you even if your OS is completely corrupted or if malware attempts to disable protection.

Boot Process & Detection

1. Power On

When you power on your system, the Recovery Core firmware initializes immediately, before any other firmware or BIOS code runs.

2. Configuration Check

SRC reads its configuration from a reserved region in SPI flash memory. It checks whether recovery is enabled, whether a temporary disable period is in effect, and reads the last known firmware hash.

3. Boot Detection Initialization

The system initializes multiple boot detection methods:

  • GPIO Signal: A hardware pin that is driven high when boot succeeds
  • Watchdog Timer: A hardware timer that must be cleared by a successful boot
  • POST Codes: BIOS/UEFI progress codes monitored via a hardware interface
  • Firmware Flag: A flag set in NVRAM/SPI after successful initialization

4. Boot Monitoring

SRC starts a 30-second countdown timer and monitors for boot success signals. If ANY of the detection methods indicates a successful boot, the system is considered healthy.

5. Success or Failure

If boot succeeds: SRC performs an automatic backup (if needed) and allows normal system operation.

If boot fails: After 30 seconds with no success signal, SRC triggers the recovery process.

Recovery Process

Boot Failure Detected

No success signal was received within 30 seconds, so the system is considered failed.

USB Device Check

SRC initializes the USB Mass Storage interface and checks for a valid recovery device. The device must contain a /SECURITY_RECOVERY/ directory.

Manifest Reading

SRC reads manifest.json to determine which backup to use (A.bin or B.bin) and verifies that the board/system ID matches.

Firmware Loading

SRC reads the firmware image from the USB device (typically 8MB). It attempts A.bin first, then B.bin if A.bin fails verification.

Signature Verification

Performs cryptographic signature verification:

  • Calculates SHA-256 hash of firmware image
  • Reads signature from signature.sig
  • Verifies signature using embedded public key (ECDSA-P256 or RSA-2048)
  • Rejects firmware if signature is invalid

Firmware Writing

Writes verified firmware to SPI flash memory at the firmware region (typically offset 0x0, size 8MB).

Verification

Reads back the written firmware and compares it with the source to ensure write integrity. If verification fails, the process is aborted.

System Reboot

Triggers a system reboot. On the next boot, the recovered firmware should boot successfully and SRC will detect the success signal.
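The image selection and verification steps above, as an added Go example that is not SRC's own code: it parses a constructed manifest.json, tries A.bin and then B.bin, and accepts only an image whose SHA-256 digest carries a valid ECDSA-P256 signature from the embedded public key. The manifest key names, the per-image "<image>.sig" naming (the page itself names a single signature.sig) and the board ID are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

type Manifest struct {
	BoardID string   `json:"board_id"` // key names are assumptions, not the product's format
	Images  []string `json:"images"`   // preferred order; each image's signature assumed at "<image>.sig"
}

func verifyImage(pub *ecdsa.PublicKey, fw, sig []byte) bool {
	digest := sha256.Sum256(fw) // SHA-256 of the image, checked against an ASN.1 ECDSA-P256 signature
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// selectImage: require a matching board ID, then return the first listed image that verifies.
func selectImage(pub *ecdsa.PublicKey, dev map[string][]byte, boardID string) ([]byte, string, error) {
	var m Manifest
	if err := json.Unmarshal(dev["manifest.json"], &m); err != nil {
		return nil, "", err
	}
	if m.BoardID != boardID {
		return nil, "", fmt.Errorf("manifest board %q does not match system %q", m.BoardID, boardID)
	}
	for _, name := range m.Images {
		if fw := dev[name]; fw != nil && verifyImage(pub, fw, dev[name+".sig"]) {
			return fw, name, nil
		}
	}
	return nil, "", fmt.Errorf("no image passed signature verification")
}

// demo: constructed device whose A.bin is corrupted after signing, forcing the fallback to B.bin.
func demo() ([]byte, string, error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a, b := []byte("constructed image A"), []byte("constructed image B")
	da, db := sha256.Sum256(a), sha256.Sum256(b)
	sa, _ := ecdsa.SignASN1(rand.Reader, priv, da[:])
	sb, _ := ecdsa.SignASN1(rand.Reader, priv, db[:])
	dev := map[string][]byte{"A.bin": a, "A.bin.sig": sa, "B.bin": b, "B.bin.sig": sb}
	a[0] ^= 0xFF // bit flip after signing: A.bin no longer matches A.bin.sig
	dev["manifest.json"] = []byte(`{"board_id":"BOARD-0001","images":["A.bin","B.bin"]}`)
	return selectImage(&priv.PublicKey, dev, "BOARD-0001")
}
```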

Automatic Backup System

Backup Frequency

When the system is healthy and booting successfully, SRC performs automatic firmware backups every 10 minutes (configurable).

Backup Rotation Logic

SRC maintains exactly two backups at all times:

  • New backup → A.bin (latest)
  • Old A.bin → B.bin (previous)
  • Old B.bin → deleted

Backup Process

  1. Check Interval: Verifies whether 10 minutes have passed since the last backup
  2. USB Presence: Checks whether the USB recovery device is present and accessible
  3. Firmware Read: Reads the current firmware from SPI flash
  4. Hash Calculation: Calculates the SHA-256 hash of the current firmware
  5. Change Detection: Compares the hash with the stored hash; if unchanged, the backup is skipped
  6. Rotation: Deletes the old B.bin and moves A.bin to B.bin
  7. Write New Backup: Writes the current firmware to A.bin
  8. Signature Generation: Generates a cryptographic signature for the new backup
  9. Metadata Update: Updates manifest.json and metadata.txt
  10. Configuration Update: Updates the stored firmware hash and timestamp

Important: Backups only occur if the USB device is present. If USB is not connected, backups are skipped (system continues normally).
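The ten-step backup process above, as an added Go example that is not SRC's own code: a host-side model in which a map stands in for the /SECURITY_RECOVERY/ directory, showing the interval check, the skip when no device is present, hash-based change detection, the A.bin to B.bin rotation and the ECDSA-P256 signature over the new backup. The ".sig" file names, manifest keys and board ID are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"time"
)

const backupInterval = 10 * time.Minute

// State models the hash and timestamp SRC stores in its SPI configuration region.
type State struct {
	LastHash   [sha256.Size]byte
	LastBackup time.Time
}

// maybeBackup runs the page's ten-step Backup Process over a constructed model: usb is the
// /SECURITY_RECOVERY/ file map (nil = no device present), flash the current firmware image.
// The "<image>.sig" file names are assumptions. Returns true when a new A.bin was written.
func maybeBackup(st *State, usb map[string][]byte, priv *ecdsa.PrivateKey, flash []byte, now time.Time) bool {
	if now.Sub(st.LastBackup) < backupInterval {
		return false // 1. interval has not elapsed
	}
	if usb == nil {
		return false // 2. no recovery device: skip, the system continues normally
	}
	sum := sha256.Sum256(flash) // 3-4. read the firmware from flash and hash it
	if sum == st.LastHash {
		return false // 5. unchanged since the last backup: nothing to write
	}
	usb["B.bin"], usb["B.bin.sig"] = usb["A.bin"], usb["A.bin.sig"] // 6. rotation: old B.bin dropped, previous A.bin becomes B.bin
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, sum[:])              // 7-8. new A.bin plus an ECDSA-P256 signature over its SHA-256
	usb["A.bin"], usb["A.bin.sig"] = append([]byte(nil), flash...), sig
	usb["manifest.json"] = []byte(`{"board_id":"BOARD-0001","images":["A.bin","B.bin"]}`) // 9. metadata: newest image listed first
	st.LastHash, st.LastBackup = sum, now // 10. configuration: store hash and timestamp
	return true
}

// demo replays four checks: first backup, too soon, unchanged image, then an updated image.
func demo() ([]bool, map[string][]byte) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	usb, st, t0 := map[string][]byte{}, &State{}, time.Unix(1700000000, 0)
	at := func(img string, mins int) bool { // constructed firmware contents, minutes after t0
		return maybeBackup(st, usb, priv, []byte(img), t0.Add(time.Duration(mins)*time.Minute))
	}
	return []bool{at("fw-v1", 0), at("fw-v1", 5), at("fw-v1", 10), at("fw-v2", 10)}, usb
}
```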

SPI Flash Memory Layout

SRC uses a reserved region in SPI flash memory. The typical layout is:

Main Firmware Region
  Offset: 0x000000 - 0x7FFFFF
  Size: 8MB
  Purpose: Main system firmware (BIOS/UEFI)

Recovery Core Region
  Offset: 0x100000 - 0x17FFFF
  Size: 512KB
  Purpose: SRC firmware and configuration
  • 0x100000 - 0x1003FF: Configuration (1KB)
  • 0x100400 - 0x17EFFF: Recovery Core Code
  • 0x17F000 - 0x17FFFF: Logs (4KB)

Reserved/Other
  Offset: 0x800000 - 0xFFFFFF
  Size: 8MB
  Purpose: Platform-specific or reserved

Security Features

Cryptographic Signing

All firmware images must be cryptographically signed. SRC verifies signatures before any recovery operation, preventing unauthorized firmware installation.

Hardware-Level Protection

SRC runs before the OS, making it immune to malware, OS-level attacks, or software-based disable attempts.

Tamper-Resistant Logging

All operations are logged in a tamper-resistant region. Logs cannot be modified without physical access to SPI flash.

Downgrade Protection

SRC can be configured to prevent firmware downgrades, ensuring only newer or same-version firmware can be installed.

State Machine

SRC operates using a state machine that transitions between different states based on system conditions:

  • INIT: Initialization
  • CHECKING_BOOT: Monitoring boot
  • BOOT_SUCCESS: Boot detected
  • BACKUP_ACTIVE: System healthy
  • BOOT_FAILED: No success signal
  • RECOVERING: USB recovery
  • DISABLED: Temporary disable
  • REMOVING: Uninstall process
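The boot monitoring steps (Boot Process & Detection, steps 2 to 5) and the state table above, as one added Go example that is not SRC's own code: the configuration gate into DISABLED, the 30-second window in which any of the four detection sources moves the machine to BOOT_SUCCESS and BACKUP_ACTIVE, and the timeout path into BOOT_FAILED and RECOVERING. The Config and Signals field names and the 1-second polling step are assumptions; REMOVING is not modelled.

```go
package main

import "time"

type State int // the page's state names, kept verbatim; REMOVING (uninstall) is not modelled

const (
	INIT State = iota
	CHECKING_BOOT
	BOOT_SUCCESS
	BACKUP_ACTIVE
	BOOT_FAILED
	RECOVERING
	DISABLED
)

// Config is the part of the SPI configuration region the boot check reads (field names assumed).
type Config struct {
	Enabled       bool
	DisabledUntil time.Time // end of a temporary disable period; zero means none
}

// Signals is one sample of the four detection sources; any one being set means the boot succeeded.
type Signals struct{ GPIO, WatchdogCleared, POSTComplete, FirmwareFlag bool }

const bootTimeout = 30 * time.Second

// runBootCheck drives the machine from INIT until it settles and returns the states visited.
// poll samples the detection sources at a given instant; time is stepped in 1 s ticks (constructed).
func runBootCheck(cfg Config, start time.Time, poll func(time.Time) Signals) []State {
	trace := []State{INIT}
	if !cfg.Enabled || start.Before(cfg.DisabledUntil) {
		return append(trace, DISABLED) // recovery off or inside a temporary disable period
	}
	trace = append(trace, CHECKING_BOOT)
	for now := start; now.Sub(start) < bootTimeout; now = now.Add(time.Second) {
		if s := poll(now); s.GPIO || s.WatchdogCleared || s.POSTComplete || s.FirmwareFlag {
			return append(trace, BOOT_SUCCESS, BACKUP_ACTIVE) // healthy: backups may start
		}
	}
	return append(trace, BOOT_FAILED, RECOVERING) // 30 s with no signal: hand over to USB recovery
}

// demo: the firmware flag appears at 12 s in the first boot; the second boot never signals.
func demo() (ok, failed []State) {
	t0, cfg := time.Unix(1700000000, 0), Config{Enabled: true}
	ok = runBootCheck(cfg, t0, func(now time.Time) Signals { return Signals{FirmwareFlag: now.Sub(t0) >= 12*time.Second} })
	failed = runBootCheck(cfg, t0, func(time.Time) Signals { return Signals{} })
	return ok, failed
}
```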