Espritmodel.com Telemetry Radio
Posted Apr 06, 2012, 09:56 AM
> Originally posted by FDR_:
> Actually I'm quite surprised to see the same 4 bytes at 0x08000000, that are at the beginning of the fw at 0x08004000! Why is that?
Because it is the beginning of the vector table, and the 1st word of the vector table is the start of the stack-pointer. Since the data loaded at 0800 4000 should also contain a vector table, I would expect the 1st word to be the same (stack-pointer initialization is a constant). The 2nd word should be completely different though....
-- PhracturedBlue
Posted Apr 06, 2012, 09:57 AM
The first 4 bytes of the exception vector table are the initial stack pointer; it's the same as found in the .dfu file.
-- rcH4x0r
Posted Apr 06, 2012, 10:18 AM
I see, but I thought it starts at 0x08000000 mapped to 0x00000000 because of the BOOT0 & BOOT1 configured to boot from flash. Why is there another vector table at 0x08004000?

I should dig deeper into the reference manuals, I think...
-- FDR_
Posted Apr 06, 2012, 10:25 AM
> Originally posted by FDR_:
> I see, but I thought it starts at 0x08000000 mapped to 0x00000000 because of the BOOT0 & BOOT1 configured to boot from flash. Why is there another vector table at 0x08004000?
>
> I should dig deeper into the reference manuals, I think...
Your understanding is correct, but the bootloader changes things. Walkera is using a custom bootloader (not the built-in one), which executes as regular code. The bootloader lives at 0x08000000. A normal bootloader will let the user redefine the vector table in the code being loaded. Normally it would redefine the vector-table start at the program load address (0x08004000 for us) and then jump to the reset vector, thus acting for the most part as if the program had been loaded at 0x08000000. However, the code at the reset address in the dfu at 08004000 makes little sense to me, so I am wondering if they've tweaked things a bit (this is one reason we want to extract the bootloader... so we can see what it is up to).
-- PhracturedBlue
Posted Apr 06, 2012, 11:55 AM
Here is an updated version of my code. It should use the model number as the index to the proper 896-byte page, and read the ROM into the buffer (which should end up in the model memory). It doesn't make sense to use this until we can manage to capture even a single page, but it should be a good starting point once we figure out what is wrong. I switched from 2kB page-size to 896-byte page-size due to the CRC being written at 0x38F. I figured out that if I try to write to any offset of R0, the write doesn't happen (i.e. for some reason I can only update R0[0], and not R0[1] or R0[2]). I can't actually test this code, but it does compile cleanly.
Code:
ResetModelData:
   MOVW   R2, #896          /*We can only capture 896 bytes before the CRC???*/
   LDRB   R1, [R0, #10]     /*Retrieve the model number (in ascii) from memory pointed to by R0*/
   SUB    R1, R1, #49       /*convert model number to value (0 based) */
   MUL    R1, R1, R2        /*Choose which page to read (we'll read from 0x00000000, not 0x08000000)*/
   ADD    R2, R2, R1        /*Set R2 to R1 + page-size*/
Loop:
   LDR    R3, [R1]          /*Retrieve 4bytes from ROM */
   STR    R3, [R0]          /*Store 4 bytes in buffer */
   ADD    R1, R1, #4        /*Increment pointers */
   ADD    R0, R0, #4
   CMP    R1, R2            /*Check if we are done */
   BNE    Loop
   MOV    PC, LR
-- PhracturedBlue
Posted Apr 06, 2012, 12:21 PM
The DEVO 8 model data is 912 bytes including the 4-byte CRC and the "DV08" at the beginning...
-- FDR_
Posted Apr 06, 2012, 03:21 PM
Did some testing. I tried PB's original code & got the same result, 4 bytes (00 04 00 20).

Then I modified a for loop to fill a number of bytes with a fixed value. This is a sanity check to see if we are being overwritten somehow:

Code:
    movs    r5, #0
Loop1:
    movs    r1, #0xFA
    strb    r1, [r0, r5]
    add     r5, r5, #1

    cmp     r5, #0x80
    blt     Loop1
    mov     pc, lr
Now when I reset & dump the model data I get some 0xFA's - woot, but I get 0xCF of them and not 0x80

Next I modified the loop to copy the bootloader byte by byte:

Code:
    movs    r5, #0
    ldr     r1, =startaddress

Loop1:
    ldrb    r3, [r1, r5]
    strb    r3, [r0, r5]
    add     r5, r5, #1

    cmp     r5, #0x80
    blt     Loop1

    mov     pc, lr

.equ startaddress, 0x08000000
Now I get some more bytes:

Code:
	0x00, 0x04, 0x00, 0x20, 0x67, 0x01, 0x00, 0x08, 0x3F, 0x16, 0x00, 0x08, 0xFF, 0x0F, 0x00, 0x08, 
	0x3D, 0x16, 0x00, 0x08, 0x75, 0x02, 0x00, 0x08, 0xB5, 0x27, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xCD, 0x1E, 0x00, 0x08, 
	0x01, 0x0C, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0xDD, 0x17, 0x00, 0x08, 0xED, 0x24, 0x00, 0x08, 
	0x87, 0x01, 0x00, 0x08, 0x87, 0x01, 0x00, 0x08, 0x87, 0x01, 0x00, 0x08, 0x87, 0x01, 0x00, 0x08, 
	0x87, 0x01, 0x00, 0x08, 0x87, 0x01, 0x00, 0x08, 0x87, 0x01, 0x00, 0x08, 0x87, 0x01, 0x00, 0x08, 
	0x87, 0x01, 0x00, 0x08, 0x87, 0x01, 0x00, 0x08, 0x87, 0x01, 0x00, 0x08, 0x87, 0x01, 0x00, 0x08, 
	0x87, 0x01, 0x00, 0x08, 0x87, 0x01, 0x00, 0x08, 0x87, 0x01, 0x00, 0x08, 0x87, 0x01, 0x00, 0x08, 
	0x87, 0x01, 0x00, 0x08, 0x87, 0x01, 0x00, 0x08, 0x87, 0x01, 0x00, 0x08, 0x87, 0x01, 0x00, 0x08, 
	0x95, 0x27, 0x00, 0x08, 0x87, 0x01, 0x00, 0x08, 0x87, 0x01, 0x00, 0x08, 0x87, 0x01, 0x00, 0x08, 
	0x87, 0x01, 0x00, 0x08, 0x87, 0x01, 0x00, 0x08, 0x87, 0x01, 0x00, 0x08, 0x87, 0x01, 0x00, 0x08, 
	0x87, 0x01, 0x00, 0x08, 0x87, 0x01, 0x00, 0x08, 0x87, 0x01, 0x00, 0x08, 0x87, 0x01, 0x00, 0x08, 
	0x87, 0x01, 0x00, 0x08, 0x87, 0x01, 0x00, 0x08
The reset vector is 08000167, which makes sense.
-- rcH4x0r
Posted Apr 06, 2012, 05:34 PM
Cool. One thing that is probably worth doing is computing a checksum while we copy the bytes, and append it to the end of the data. Then we can ensure that what we actually see in the model memory is what we read from ROM.
-- PhracturedBlue
Posted Apr 06, 2012, 05:49 PM
Yes, a checksum of the bootloader would be very useful. The code can definitely be improved.

I am pulling out the bootloader in chunks of 0x300 bytes. I've got the first 4K and it looks valid; found two strings so far, "Walker DEVO-08 Radio Controller" and even better "DEVO-08" at 0x08001000. That matches up with the code in the application that checks the model number (ASCII 6 or 8) I mentioned previously.

Edit: Got the whole bootloader now, it's 0x2AE4 bytes long...
-- rcH4x0r (last edited Apr 06, 2012 at 06:43 PM)
Posted Apr 06, 2012, 08:14 PM
Hmmm, SadSack was right...

Here's the bootloader code that starts the application code, a number of checks are made before the code jumps thru the ptr at 0x08000004. Needs more study...

Code:
ROM:08002800 StartApplication                        ; CODE XREF: sub_8000138+2j
ROM:08002800                                         ; DATA XREF: sub_8000138o ...
ROM:08002800
ROM:08002800 var_48          = -0x48
ROM:08002800 var_44          = -0x44
ROM:08002800 var_40          = -0x40
ROM:08002800 var_3C          = -0x3C
ROM:08002800 var_38          = -0x38
ROM:08002800 var_34          = -0x34
ROM:08002800 var_30          = -0x30
ROM:08002800 var_2C          = -0x2C
ROM:08002800 var_28          = -0x28
ROM:08002800 var_24          = -0x24
ROM:08002800 var_20          = -0x20
ROM:08002800 var_1C          = -0x1C
ROM:08002800
ROM:08002800                 PUSH.W  {R4-R8,LR}
ROM:08002804                 SUB     SP, SP, #0x30
ROM:08002806                 BL      sub_8000674
ROM:0800280A                 BL      sub_8000484
ROM:0800280E                 MOVS    R0, #0
ROM:08002810                 MOVW    R1, #0x2710
ROM:08002814
ROM:08002814 loc_8002814                             ; CODE XREF: StartApplication+1Aj
ROM:08002814                 ADDS    R0, R0, #1      ; Delay(0x2710)
ROM:08002816                 UXTH    R0, R0
ROM:08002818                 CMP     R0, R1
ROM:0800281A                 BCC     loc_8002814
ROM:0800281C                 BL      sub_80004F8
ROM:08002820                 LDR     R6, =0x20000018
ROM:08002822                 CMP     R0, #0
ROM:08002824                 BEQ     StartDFUMode    ; if(EXT button presed? GPIO Port E) StartDFUMode
ROM:08002826                 LDR.W   R8, =0x8004000
ROM:0800282A                 LDR.W   R0, [R8]
ROM:0800282E                 LDR     R1, =0x2FFE0000
ROM:08002830                 ANDS    R0, R1
ROM:08002832                 CMP.W   R0, #0x20000000
ROM:08002836                 BNE     StartDFUMode    ; if(Invalid SP at 0x08004000) StartDFUMode
ROM:08002838                 LDR     R0, =0x1FFFF7E8
ROM:0800283A                 LDR     R1, [R0]
ROM:0800283C                 STR     R1, [SP,#0x48+var_34]
ROM:0800283E                 LDR     R1, [R0,#4]
ROM:08002840                 MOVS    R5, #8
ROM:08002842                 STR     R1, [SP,#0x48+var_30]
ROM:08002844                 LDR     R0, [R0,#8]
ROM:08002846                 STR     R0, [SP,#0x48+var_2C]
ROM:08002848                 LDR     R0, [SP,#0x48+var_34]
ROM:0800284A                 LDR     R1, [SP,#0x48+var_30]
ROM:0800284C                 ADD     R0, R1
ROM:0800284E                 STR     R0, [SP,#0x48+var_28]
ROM:08002850                 LDR     R0, [SP,#0x48+var_34]
ROM:08002852                 LDR     R1, [SP,#0x48+var_30]
ROM:08002854                 EORS    R0, R1
ROM:08002856                 STR     R0, [SP,#0x48+var_24]
ROM:08002858                 LDR     R0, [SP,#0x48+var_34]
ROM:0800285A                 LDR     R1, [SP,#0x48+var_2C]
ROM:0800285C                 ADD     R0, R1
ROM:0800285E                 STR     R0, [SP,#0x48+var_20]
ROM:08002860                 LDR     R0, [SP,#0x48+var_34]
ROM:08002862                 LDR     R1, [SP,#0x48+var_2C]
ROM:08002864                 EORS    R0, R1
ROM:08002866                 STR     R0, [SP,#0x48+var_1C]
ROM:08002868                 LDR     R1, =0x8005000
ROM:0800286A                 LDR     R0, [R1]
ROM:0800286C                 STR     R0, [SP,#0x48+var_48]
ROM:0800286E                 LDR     R0, [R1,#4]
ROM:08002870                 STR     R0, [SP,#0x48+var_44]
ROM:08002872                 LDR     R2, [R1,#8]
ROM:08002874                 MOVS    R0, #0
ROM:08002876                 STR     R2, [SP,#0x48+var_40]
ROM:08002878                 LDR     R2, [R1,#0xC]
ROM:0800287A                 STR     R2, [SP,#0x48+var_3C]
ROM:0800287C                 LDR     R1, [R1,#0x10]
ROM:0800287E                 STR     R1, [SP,#0x48+var_38] ; CRC @ 0x8005000 + 0x10
ROM:08002880                 ADD     R1, SP, #0x48+var_34
ROM:08002882                 MOV     R2, SP
ROM:08002884
ROM:08002884 loc_8002884                             ; CODE XREF: StartApplication+98j
ROM:08002884                 ADD.W   R3, R1, R0,LSL#2
ROM:08002888                 LDR     R3, [R3,#0xC]
ROM:0800288A                 LDR.W   R4, [R2,R0,LSL#2]
ROM:0800288E                 CMP     R3, R4
ROM:08002890                 BNE     StartDFUMode
ROM:08002892                 ADDS    R0, R0, #1
ROM:08002894                 UXTH    R0, R0
ROM:08002896                 CMP     R0, #4
ROM:08002898                 BCC     loc_8002884
ROM:0800289A                 MOVS    R7, #0
ROM:0800289C                 MOVS    R1, #1
ROM:0800289E                 MOVS    R0, #0x40
ROM:080028A0                 BL      sub_800184C
ROM:080028A4                 BL      ResetCRC
ROM:080028A8                 MOVS    R4, #0
ROM:080028AA                 B       loc_80028BA
ROM:080028AC ; ---------------------------------------------------------------------------
ROM:080028AC
ROM:080028AC loc_80028AC                             ; CODE XREF: StartApplication+BCj
ROM:080028AC                 MOVS    R1, #7
ROM:080028AE                 ADD     R0, SP, #0x48+var_34
ROM:080028B0                 BL      CalculateCRC    ; R0 - Buffer
ROM:080028B0                                         ; R1 - Number of bytes
ROM:080028B4                 ADDS    R4, R4, #1
ROM:080028B6                 MOV     R7, R0
ROM:080028B8                 UXTH    R4, R4
ROM:080028BA
ROM:080028BA loc_80028BA                             ; CODE XREF: StartApplication+AAj
ROM:080028BA                 CMP     R4, R5
ROM:080028BC                 BCC     loc_80028AC
ROM:080028BE                 LDR     R0, [SP,#0x48+var_38]
ROM:080028C0                 CMP     R0, R7
ROM:080028C2                 BNE     StartDFUMode    ; if(bad CRC) StartDFUMode
ROM:080028C4                 LDR.W   R0, [R8,#4]
ROM:080028C8                 STR     R0, [R6,#8]
ROM:080028CA                 STR     R0, [R6,#4]
ROM:080028CC                 LDR.W   R0, [R8]
ROM:080028D0                 BL      sub_8000156
ROM:080028D4                 LDR     R0, [R6,#4]
ROM:080028D6                 BLX     R0              ; Jump to *0x08004004 - reset vector in application
ROM:080028D8
ROM:080028D8 StartDFUMode                            ; CODE XREF: StartApplication+24j
...
-- rcH4x0r
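Added example (an editor's addition, not code from rcH4x0r's post or from the Walkera bootloader): a host-side Python model of the checks the StartApplication listing above performs before the BLX at 0x080028D6, so that an image which keeps dropping into DFU mode can be examined on a PC first. It takes a flash image as bytes starting at 0x08000000 and models the SP mask test at 0x0800282E..0x08002836 and the four-word comparison between values derived from 0x1FFFF7E8 (the STM32F1 96-bit unique device ID) and the block at 0x08005000. Assumptions: the derivation u0+u1, u0^u1, u0+u2, u0^u2 is my reading of the stores to var_28..var_1C; the CRC loop (CalculateCRC, eight iterations with R1=7, compared against the word at 0x08005010) is not modelled because the thread has not settled what it computes; the device ID, vector values and image contents below are constructed sample values; the Thumb-bit test on the reset vector is a sanity check of my own and not something the bootloader does.

```python
import struct

FLASH_BASE = 0x08000000
APP_VECTORS = 0x08004000     # LDR.W R8, =0x8004000 in the listing
BINDING_BLOCK = 0x08005000   # LDR R1, =0x8005000
SP_MASK, SP_EXPECT = 0x2FFE0000, 0x20000000   # ANDS R0, R1 / CMP.W R0, #0x20000000
UID_ADDR = 0x1FFFF7E8        # STM32F1 96-bit unique device ID, read by the bootloader

# Constructed sample device ID, not taken from any real transmitter.
SAMPLE_UID = bytes.fromhex('11223344aabbccdd01020304')


def word(image, addr):
    """Little-endian 32-bit word at an absolute flash address."""
    return struct.unpack_from('<I', image, addr - FLASH_BASE)[0]


def vector_table(image, addr):
    """First two words of a Cortex-M vector table: initial SP and reset handler."""
    return word(image, addr), word(image, addr + 4)


def sp_is_valid(sp):
    """The bootloader's own test at 0x0800282E: (SP & 0x2FFE0000) == 0x20000000."""
    return (sp & SP_MASK) == SP_EXPECT


def binding_words(uid):
    """Words the bootloader derives from the device ID (my reading of var_28..var_1C)."""
    u0, u1, u2 = struct.unpack('<III', uid)
    return [(u0 + u1) & 0xFFFFFFFF, u0 ^ u1, (u0 + u2) & 0xFFFFFFFF, u0 ^ u2]


def reset_vector_sane(reset, flash_size=0x80000):
    """Not a bootloader check: Thumb bit set and target inside flash."""
    return bool(reset & 1) and FLASH_BASE <= reset < FLASH_BASE + flash_size


def launch_checks(image, uid):
    """Reasons StartApplication would branch to StartDFUMode instead of BLX-ing the app."""
    reasons = []
    sp, _reset = vector_table(image, APP_VECTORS)
    if not sp_is_valid(sp):
        reasons.append('invalid SP at 0x08004000: 0x%08X' % sp)
    expected = binding_words(uid)
    stored = [word(image, BINDING_BLOCK + 4 * i) for i in range(4)]
    for i, (e, s) in enumerate(zip(expected, stored)):
        if e != s:
            reasons.append('word %d at 0x%08X is 0x%08X, bootloader expects 0x%08X'
                           % (i, BINDING_BLOCK + 4 * i, s, e))
    # The CRC at 0x08005010 is deliberately not checked: its semantics are not settled.
    return reasons


def build_image(sp, reset, uid, size=0x6000):
    """Constructed flash image: erased flash plus an app vector table and binding block."""
    img = bytearray(b'\xff' * size)
    struct.pack_into('<II', img, APP_VECTORS - FLASH_BASE, sp, reset)
    struct.pack_into('<IIII', img, BINDING_BLOCK - FLASH_BASE, *binding_words(uid))
    return bytes(img)


if __name__ == '__main__':
    good = build_image(0x20000400, 0x08004161, SAMPLE_UID)
    print('good image:', launch_checks(good, SAMPLE_UID) or 'would launch')
    moved = build_image(0x20000400, 0x08004161, bytes(12))   # built for another device ID
    for r in launch_checks(moved, SAMPLE_UID):
        print('moved image:', r)
```

The mask 0x2FFE0000 ignores bit 28 and bits 30..31 but requires bits 17..27 to be clear, so the bootloader only accepts an initial SP in the first 128 KB of SRAM (0x20000000..0x2001FFFF); the 00 04 00 20 seen in the dumps (SP = 0x20000400) passes. The binding comparison is why an application image that passes the SP test on one transmitter can still fall into DFU mode on another: the four words at 0x08005000 are tied to that board's device ID.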
Posted Apr 06, 2012, 10:28 PM
Finally! I figured out why working with the Walkera images is so hard. They are post-processed in some way during upload. I spent a long time trying to figure out why my checksum code wasn't working. Well, the code I was loading was getting corrupted during upload.
I used the code that rcH4x0r posted to read back the initialization of the firmware, and indeed, it is different. Here is the data from the dfu starting at 0x08004130:
Code:
0000000: dff8 0cd0 00f0 a0fc 0048 0047 b579 0208  .........H.G.y..
0000010: 481d 0020 7047 0848 8847 0849 89f3 0890  H.. pG.H.G.I....
0000020: 0748 0047 fee7 fee7 fee7 fee7 fee7 fee7  .H.G............
0000030: fee7 fee7 fee7 fee7 4541 0008 481d 0020  ........EA..H.. 
0000040: 3141 0008 40ea 0103 a307 0ad1 02e0 0881  1A..@...........
0000050: 121f 08c8 042a fad2 03e0 11f8 013b 00f8  .....*.......;..
0000060: 013b 521e f9d2 7047 d2ba 01e0 00f8 012b  .;R...pG.......+
0000070: 491e fbd2 7047 0022 f6e7 10bd 0446 0846  I...pG.".....F.F
0000080: 1146 0246 2046 fff7 efff 2046 10c5 0346  .F.F F.... F...F
0000090: 00e0 401c 0278 002a fbd1 11f8 012b 00f8  ..@..x.*.....+..
00000a0: 012b 002a f9d1 1846 7047 0146 0020 00e0  .+.*...FpG.F. ..
00000b0: 401c 0a5c 002a fbd1 7047 30bd 0446 0020  @..\.*..pG0..F. 
00000c0: 0346 00e0 5b1c 9b42 03d2 e05c 855c 401b  .F..[..B...\.\@.
00000d0: f8d0 30c5 0346 11f8 012b 00f8 012b 002a  ..0..F...+...+.*
00000e0: f9d1 1846 7047 f0bc 1446 20f0 0046 21f0  ...FpG...F ..F!.
00000f0: 0041 00f0 0042 9642 05d2 3046 0e46 0146  .A...B.B..0F.F.F
and here is what was read from the Tx for the same address range:
Code:
0000000: dff8 0cd0 00f0 98fc 0048 0047 ad79 0208  .........H.G.y..
0000010: 481d 0020 7047 0848 8047 0849 81f3 0888  H.. pG.H.G.I....
0000020: 0748 0047 fee7 fee7 fee7 fee7 fee7 fee7  .H.G............
0000030: fee7 fee7 fee7 fee7 4541 0008 481d 0020  ........EA..H.. 
0000040: 3141 0008 40ea 0103 9b07 0ad1 02e0 08c9  1A..@...........
0000050: 121f 08c0 042a fad2 03e0 11f8 013b 00f8  .....*.......;..
0000060: 013b 521e f9d2 7047 d2b2 01e0 00f8 012b  .;R...pG.......+
0000070: 491e fbd2 7047 0022 f6e7 10b5 0446 0846  I...pG.".....F.F
0000080: 1146 0246 2046 fff7 efff 2046 10bd 0346  .F.F F.... F...F
0000090: 00e0 401c 0278 002a fbd1 11f8 012b 00f8  ..@..x.*.....+..
00000a0: 012b 002a f9d1 1846 7047 0146 0020 00e0  .+.*...FpG.F. ..
00000b0: 401c 0a5c 002a fbd1 7047 30b5 0446 0020  @..\.*..pG0..F. 
00000c0: 0346 00e0 5b1c 9342 03d2 e05c cd5c 401b  .F..[..B...\.\@.
00000d0: f8d0 30bd 0346 11f8 012b 00f8 012b 002a  ..0..F...+...+.*
00000e0: f9d1 1846 7047 f0b4 1446 20f0 0046 21f0  ...FpG...F ..F!.
00000f0: 0041 00f0 0042 8e42 05d2 3046 0e46 0100  .A...B.B..0F.F..
note the 7th bit is 0xa0 in the dfu and 0x98 in the dump from the Tx.
I think the transformation is something like (dfu->rom): if byte >= 0x88 && byte <= 0xcf, byte = byte - 8. if byte >= 0x80 and byte < 0x88, byte += 0x48

So in writing code to dump the rom, we got lucky. The code rcH4x0r generated has no bytes that meet this criteria, so it worked as desired. The code I wrote sometimes had these bytes and sometimes not, which is why I was getting so frustrated.

Edit: I used the reverse translation above with my checksum code, and I was able to prove that the bootloader rcH4x0r downloaded is complete and correct. So now I can load arbitrary code into the dfu and actually have it work rather than behave mysteriously, and we have both the proper firmware code as well as the proper bootloader!
-- PhracturedBlue (last edited Apr 06, 2012 at 11:20 PM)
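Added example (an editor's addition, not PhracturedBlue's code): the dfu -> ROM byte rule proposed above as a 256-entry translation table with its inverse, run over the two 0x100-byte dumps from this post, which are transcribed here as test data. The assumption is that the rule is exactly the two ranges stated, with every other byte value left alone; the dump offsets are relative to 0x08004130 as in the post.

```python
def dfu_to_rom_byte(b):
    """PhracturedBlue's rule for one byte: 0x88..0xCF -> minus 8, 0x80..0x87 -> plus 0x48."""
    if 0x88 <= b <= 0xCF:
        return b - 8
    if 0x80 <= b < 0x88:
        return b + 0x48
    return b


# Build the forward table once.  The two ranges land on 0x80..0xC7 and 0xC8..0xCF,
# so the table is a permutation of 0..255 and the inverse is well defined.
DFU_TO_ROM = bytes(dfu_to_rom_byte(b) for b in range(256))
ROM_TO_DFU = bytes(DFU_TO_ROM.index(b) for b in range(256))


def dfu_to_rom(data):
    """Translate a dfu fragment into what ends up in flash after upload."""
    return bytes(data).translate(DFU_TO_ROM)


def rom_to_dfu(data):
    """Inverse: what to put in the dfu so that flash holds exactly `data`."""
    return bytes(data).translate(ROM_TO_DFU)


# Transcribed from the post: dfu bytes at 0x08004130 and the Tx read-back of the same range.
DFU_AT_4130 = bytes.fromhex(
    'dff80cd000f0a0fc00480047b5790208' '481d0020704708488847084989f30890'
    '07480047fee7fee7fee7fee7fee7fee7' 'fee7fee7fee7fee745410008481d0020'
    '3141000840ea0103a3070ad102e00881' '121f08c8042afad203e011f8013b00f8'
    '013b521ef9d27047d2ba01e000f8012b' '491efbd270470022f6e710bd04460846'
    '114602462046fff7efff204610c50346' '00e0401c0278002afbd111f8012b00f8'
    '012b002af9d1184670470146002000e0' '401c0a5c002afbd1704730bd04460020'
    '034600e05b1c9b4203d2e05c855c401b' 'f8d030c5034611f8012b00f8012b002a'
    'f9d118467047f0bc144620f0004621f0' '004100f00042964205d230460e460146'
)
TX_AT_4130 = bytes.fromhex(
    'dff80cd000f098fc00480047ad790208' '481d0020704708488047084981f30888'
    '07480047fee7fee7fee7fee7fee7fee7' 'fee7fee7fee7fee745410008481d0020'
    '3141000840ea01039b070ad102e008c9' '121f08c0042afad203e011f8013b00f8'
    '013b521ef9d27047d2b201e000f8012b' '491efbd270470022f6e710b504460846'
    '114602462046fff7efff204610bd0346' '00e0401c0278002afbd111f8012b00f8'
    '012b002af9d1184670470146002000e0' '401c0a5c002afbd1704730b504460020'
    '034600e05b1c934203d2e05ccd5c401b' 'f8d030bd034611f8012b00f8012b002a'
    'f9d118467047f0b4144620f0004621f0' '004100f000428e4205d230460e460100'
)


def compare_dumps(dfu=DFU_AT_4130, tx=TX_AT_4130):
    """Offsets (from 0x08004130) where the translated dfu disagrees with the Tx read-back."""
    return [i for i, (a, b) in enumerate(zip(dfu_to_rom(dfu), tx)) if a != b]


if __name__ == '__main__':
    translated = dfu_to_rom(DFU_AT_4130)
    for off in compare_dumps():
        print('mismatch at 0x%04X: dfu 0x%02X -> 0x%02X, tx 0x%02X'
              % (0x4130 + off, DFU_AT_4130[off], translated[off], TX_AT_4130[off]))
```

Because the two ranges together cover 0x80..0xCF exactly once, the rule is a rotation by 8 inside that 80-byte window and inverts cleanly, which is what rom_to_dfu relies on when preparing code that must land unchanged in flash. Over the two dumps in this post the translated dfu agrees with the Tx read-back at every offset but the last (0x08004130 + 0xFF: 0x46 in the dfu, 0x00 read back), a byte the rule does not touch; whether that is the rule or the capture is something the next dump should settle.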
Posted Apr 06, 2012, 11:22 PM
The next question is if someone is willing to take the risk to wipe the ROM entirely and reload the bootloader and firmware with read-protect disabled (so that the SWD port can be used for debugging). I'm not yet ready to go there, it will probably depend on how much progress I can make with the firmware as it is.
-- PhracturedBlue
Posted Apr 07, 2012, 02:32 AM
> Originally posted by PhracturedBlue:
> The next question is if someone is willing to take the risk to wipe the ROM entirely and reload the bootloader and firmware with read-protect disabled (so that the SWD port can be used for debugging). I'm not yet ready to go there, it will probably depend on how much progress I can make with the firmware as it is.

No, I am actually using this tx!
-- FDR_
Posted Apr 07, 2012, 04:50 AM
> Originally posted by PhracturedBlue:
> The next question is if someone is willing to take the risk to wipe the ROM entirely and reload the bootloader and firmware with read-protect disabled (so that the SWD port can be used for debugging). I'm not yet ready to go there, it will probably depend on how much progress I can make with the firmware as it is.

Yep, let me wake up properly and drink some tea then I will go for it.

Did you find the code that is actually doing the descrambling? That should be our next target along with nailing the checks when the app is launched. Then we can build our own .dfus from C code
-- rcH4x0r
Posted Apr 07, 2012, 05:19 AM
> Originally posted by PhracturedBlue:
> The next question is if someone is willing to take the risk to wipe the ROM entirely and reload the bootloader and firmware with read-protect disabled (so that the SWD port can be used for debugging). I'm not yet ready to go there, it will probably depend on how much progress I can make with the firmware as it is.

Excellent work people!!

> Originally posted by FDR_:
> No, I am actually using this tx!

That's a fair comment.

> Originally posted by rcH4x0r:
> Yep, let me wake up properly and drink some tea then I will go for it.
>
> Did you find the code that is actually doing the descrambling? That should be our next target along with nailing the checks when the app is launched. Then we can build our own .dfus from C code

Lightweight tea drinker with brass balls LOL!!

My offer still stands with no strings....
-- SadSack