This thread is privately moderated by Jack Crossfire, who may elect to delete unwanted replies.
May 08, 2016, 04:23 PM

Feiyu Mini 3D reverse engineering


So the main processor is an STM32F103C8: 64K flash, 20K RAM, 72 MHz, 48 pins. It breaks out single wire debug on pins 34, 37 for raw programming. It also breaks out 3.3V, GND to the programming header.

There's no distinguishing feature for the chips to detect which board they're on. It must be programmed in the bootloader or some initialization handshake.

MOSFETs are connected directly to GND & battery V+. They're some kind of motor controller packages with complementary MOSFETs.

switching regulator reduces battery to 5V
linear regulator reduces 5V to 3.3V
STM32 VDD comes from linear regulator
LMV358 VDD comes from linear regulator
hall effect VDD comes from linear regulator

Header entering yaw board:

RX/yaw PWM -> 100R to pin 43/UART1_RX/I2C1_SDA/TIM4_CH1
TX/pitch PWM -> 100R to pin 42/UART1_TX/I2C1_SCL/TIM4_CH2
GND
8.4V
Mode PWM -> directly to pin 41/TIM3_CH2
video

Header exiting yaw board:

100R to pin 21/UART3_TX/I2C2_SCL/TIM2_CH3
100R to pin 22/UART3_RX/I2C2_SDA/TIM2_CH4
GND
8.4V
unused
video

Board to board wires are straight through. The boards communicate via UART at 2 MHz. Colors are reversed on the IMU wire but I2C connects to the MPU-6050 as expected. I2C goes at 1 MHz.

Hall effect sensor uses SPI. Clock speed is 561 kHz. Chip select goes low 1st. The STM32 sends a command in 16 bits, switches the SPI to input & reads the result in 16 bits. Chip select goes high last. Sequence repeats every 300 µs. It doesn't have an initialization sequence. Not sure why the Chinese didn't use 4 wires.

The op-amp is a current sensor for the motor which reads the voltage from 2 phases & outputs 2 voltages to the STM32.

The motor control GPIOs work as expected. The PWM goes at 20 kHz. There is a 4 µs gap between transitions, when both GPIOs are off. This might depend on the battery voltage, but I never tested it.

STM32 pins:

pin 10/ADC12_IN0 -> RC filter connected to LMV358 OUT A
pin 11/ADC12_IN1 -> RC filter connected to LMV358 OUT B
pin 12/ADC12_IN2 -> voltage divider between battery V+ & GND to sense battery voltage
pin 14/ADC12_IN4 -> hall chip select
pin 15/ADC12_IN5 -> hall clock/561 kHz
pin 16/ADC12_IN6 -> hall data/bridged to pin 17
pin 21/UART3_TX/I2C2_SCL/TIM2_CH3 -> to next board UART1_RX
pin 22/UART3_RX/I2C2_SDA/TIM2_CH4 -> to next board UART1_TX
pin 26/PB13 -> 100R to N MOSFET 1 pulled to ground by 2k
pin 27/PB14 -> 100R to N MOSFET 2 pulled to ground by 2k
pin 28/PB15 -> 100R to N MOSFET 3 pulled to ground by 2k
pin 29/PA8 -> 100R to P MOSFET 1 pulled to ground by 2k
pin 30/PA9 -> 100R to P MOSFET 2 pulled to ground by 2k
pin 31/PA10 -> 100R to P MOSFET 3 pulled to ground by 2k
pin 34 -> SWD IO
pin 37 -> SWD CLK
pin 40/PB4 -> LED
pin 41/PB5/TIM3_CH2 -> 0R on yaw board to mode PWM
pin 42/UART1_TX/I2C1_SCL/TIM4_CH2 -> TX/pitch PWM via 100R
pin 43/UART1_RX/I2C1_SDA/TIM4_CH1 -> RX/yaw PWM via 100R
pin 46/PB9 -> LED

[feiyu27.png] Hall effect sensor data & clock.

[feiyu28.png] pin 26, pin 29 motor control waveform.

Programming it required powering it from the SWD header's 3.3V instead of the battery input. The battery input makes it use standard JTAG. A Nordic development board was able to get in by selecting device STM32F103C8, interface SWD. There was hope the stock firmware could be backed up, but the dreaded active read protection appeared.

Device "STM32F103C8" selected.


Found SWD-DP with ID 0x1BA01477
Active read protected STM32 device detected. This could cause problems during flash download.
Device will be unsecured now.
Note: Unsecuring will trigger a mass erase of the internal flash.
Depending on the flash size this can take longer than 10 seconds.
Found SWD-DP with ID 0x1BA01477


Found Cortex-M3 r1p1, Little endian.
FPUnit: 6 code (BP) slots and 2 literal slots
CoreSight components:
ROMTbl 0 @ E00FF000
ROMTbl 0 [0]: FFF0F000, CID: B105E00D, PID: 001BB000 SCS
ROMTbl 0 [1]: FFF02000, CID: B105E00D, PID: 001BB002 DWT
ROMTbl 0 [2]: FFF03000, CID: B105E00D, PID: 000BB003 FPB
ROMTbl 0 [3]: FFF01000, CID: B105E00D, PID: 001BB001 ITM
ROMTbl 0 [4]: FFF41000, CID: B105900D, PID: 001BB923 TPIU-Lite
Cortex-M3 identified.
J-Link>


There was no way to read the stock firmware for a later recovery or upgrade if they ever released a new one. The last upgrade was still Dec 2015, so it seemed unlikely. Any probing of the voltages had to be done before programming it, especially the protocol for the hall effect sensor.



J-Link>savebin /tmp/temp 0 0x10000
Opening binary file for writing... [/tmp/temp]
Reading 65536 bytes from addr 0x00000000 into file...Could not read memory.
J-Link>h
PC = 0800311E, CycleCnt = 181EB94D
R0 = 00000C18, R1 = 00000063, R2 = FFFFFFFF, R3 = 00000000
R4 = 20000B38, R5 = 2000024C, R6 = 200006C0, R7 = 00005555
R8 = 200006E4, R9 = FFBFBFF9, R10= CD5F5F92, R11= 1C7C99E9
R12= 00000000
SP(R13)= 200003D8, MSP= 200003D8, PSP= 20001C18, R14(LR) = FFFFFFF9
XPSR = 01000003: APSR = nzcvq, EPSR = 01000000, IPSR = 003 (HardFaultMemManage)
CFBP = 00000001, CONTROL = 00, FAULTMASK = 00, BASEPRI = 00, PRIMASK = 01
J-Link>savebin /tmp/temp 0 0x10000
Opening binary file for writing... [/tmp/temp]
Reading 65536 bytes from addr 0x00000000 into file...Could not read memory.


Still reading instructions from the flash until the 1st restart.



J-Link>r
Reset delay: 0 ms
Reset type NORMAL: Resets core & peripherals via SYSRESETREQ & VECTRESET bit.
J-Link>g

Made it execute the bulk erase.

J-Link>h
PC = FFFFFFFE, CycleCnt = 00000009
R0 = 00000C18, R1 = 00000063, R2 = FFFFFFFF, R3 = 00000000
R4 = 20000B38, R5 = 2000024C, R6 = 200006C0, R7 = 00005555
R8 = 200006E4, R9 = FFBFBFF9, R10= CD5F5F92, R11= 1C7C99E9
R12= 00000000
SP(R13)= FFFFFFDC, MSP= FFFFFFDC, PSP= 20001C18, R14(LR) = FFFFFFF9
XPSR = 01000003: APSR = nzcvq, EPSR = 01000000, IPSR = 003 (HardFaultMemManage)
CFBP = 00000000, CONTROL = 00, FAULTMASK = 00, BASEPRI = 00, PRIMASK = 00



The program counter now showed no instructions.


J-Link>savebin /tmp/temp 0 0x10000
Opening binary file for writing... [/tmp/temp]
Reading 65536 bytes from addr 0x00000000 into file...O.K.

The memory dump only showed blank flash, but at least it could be programmed.
Last edited by Jack Crossfire; May 08, 2016 at 04:32 PM.
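The "active read protected STM32 device detected" message above comes from the RDP option byte, which is why the dump could only happen after the mass erase. As an added example (not part of the original post or its J-Link output), here is a Python decoder for the STM32F10x option-byte block at 0x1FFFF800, so the protection state of a board can be checked from a raw option-byte read before anything irreversible is done; the layout follows the STM32F10x flash programming manual for a medium-density 64 KB part, and all sample blocks are constructed.

```python
# Added example (not from the original post): decode the STM32F10x option-byte
# block, the 16 bytes at 0x1FFFF800, to check whether read-out protection (RDP)
# is active and which flash pages are write-protected. Every option byte is
# stored with its bitwise complement so the loader can detect corruption.
OPTION_BYTES_ADDR = 0x1FFFF800
RDP_UNLOCK_KEY = 0xA5        # the only RDP value that leaves flash readable
NAMES = ["RDP", "USER", "Data0", "Data1", "WRP0", "WRP1", "WRP2", "WRP3"]

def decode_option_bytes(raw: bytes) -> dict:
    """Parse a 16-byte option block as a medium-density (64 KB, 1 KB page) part."""
    if len(raw) != 16:
        raise ValueError("option byte block must be exactly 16 bytes")
    values, complement_ok = {}, True
    for i, name in enumerate(NAMES):
        val, nval = raw[2 * i], raw[2 * i + 1]
        complement_ok = complement_ok and (val ^ nval) == 0xFF
        values[name] = val
    # Flash stays readable only for key 0xA5 with a good complement; a failed
    # complement check makes the loader treat the bytes as erased (protected).
    rdp_active = values["RDP"] != RDP_UNLOCK_KEY or not complement_ok
    # WRP0/WRP1 cover pages 0-63 on a 64 KB device: each bit guards 4 pages,
    # and a cleared bit means those pages are write-protected.
    protected_pages = []
    for reg_index, reg in enumerate(("WRP0", "WRP1")):
        for bit in range(8):
            if not (values[reg] >> bit) & 1:
                first = (reg_index * 8 + bit) * 4
                protected_pages.extend(range(first, first + 4))
    return {
        "rdp_active": rdp_active,
        "complement_ok": complement_ok,
        "sw_watchdog": bool(values["USER"] & 0x01),   # USER bit 0: WDG_SW
        "protected_pages": protected_pages,
    }

def option_block(rdp=0xA5, user=0xFF, wrp=(0xFF, 0xFF, 0xFF, 0xFF)) -> bytes:
    """Build a constructed option block with valid complements (sample data)."""
    plain = [rdp, user, 0xFF, 0xFF, *wrp]
    return bytes(b for v in plain for b in (v, v ^ 0xFF))

# Constructed samples: factory default, a read-protected part like the one in
# the post, pages 0-3 write-protected (WRP0 bit 0 cleared), and a corrupt nRDP.
SAMPLE_UNPROTECTED = option_block()
SAMPLE_PROTECTED = option_block(rdp=0xFF)
SAMPLE_WRP = option_block(wrp=(0xFE, 0xFF, 0xFF, 0xFF))
SAMPLE_BAD_COMPLEMENT = SAMPLE_UNPROTECTED[:1] + b"\x5b" + SAMPLE_UNPROTECTED[2:]

if __name__ == "__main__":
    for label, blk in (("default", SAMPLE_UNPROTECTED), ("protected", SAMPLE_PROTECTED)):
        print(label, decode_option_bytes(blk))
```

On a real board the 16 bytes would come from a debugger read of 0x1FFFF800, which the J-Link refuses on a protected part just as it refused the flash read above; the decoder is for verifying that your own firmware ships with RDP set.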