
[FR] read function of bootloader

Open ildar opened this issue 5 years ago • 13 comments

So that we could backup the stock FW and other data the device has

ildar avatar Jul 27 '20 21:07 ildar

+1

goddade avatar Aug 16 '20 17:08 goddade

This is not possible to achieve right now. The stock bootloader does not support read. And to install a new bootloader, the flash and bootloader get erased. So after flashing it there is nothing to dump anymore.

The only thing possible to backup is the stock Bootloader. That one is already known and the same for many DaFit devices.

atc1441 avatar Aug 16 '20 18:08 atc1441

Hi atc1441,

But what about reading the stock boot loader using openocd (or gdb with Black Magic?): When I try to dump I get Unknown device. Maybe newer P8 watches have the read protection bit set?:

flash read_bank 0 flash-bank0.bin Unknown device: nRF51xxx (HWID 0x00000000) 0kB Flash, 0kB RAM wrote 0 bytes to file flash-bank0.bin from flash bank 0 at offset 0x00000000 in 7.190152s (0.000 KiB/s)

Do you happen to have a dump of the stock boot loader? And will it be possible to recover the original firmware using the Da Fit software if we re-install the stock boot loader?

suphammer avatar Aug 16 '20 21:08 suphammer

Every Smartwatch from DaFit has the Read Protection bit set, so it is needed to recover the nRF, which also erases the flash.

I have the stock bootloader and used it to have a way to simply go back and retry while developing; I cannot share it.

The Stock Bootloader does not have any BLE functions included, so it relies on the Firmware that will download the new Firmware to external flash. That means it is not possible to go back to stock with only the Bootloader flashed.

atc1441 avatar Aug 16 '20 23:08 atc1441

You are right, ATC1441. Once I flashed your hacked boot loader, the flash was accessible.

I assume the only way to get the boot loader is to craft a special image with a firmware dumper that is loaded by the existing firmware. I was only thinking about this to be able to compare when debugging. But since most of the hardware is already identified, it's not strictly necessary.

suphammer avatar Aug 17 '20 08:08 suphammer

The Flash is unlocked after the Hacked bootloader as it clears the UICR registers while flashing.

The idea with the special firmware dumper is possible but not needed anymore, as this is already done :) and only the bootloader can be dumped that way.

atc1441 avatar Aug 17 '20 09:08 atc1441

On Mon, Aug 17, 2020 at 5:00 AM atc1441 wrote:

The Stock Bootloader does not have any BLE functions included so it relies on the Firmware that will download the new Firmware to external flash, that means it is not possible to go back to stock with only the Bootloader flashed.

I'm sorry, I'm lost. So you write here that the stock FW is flashed to the SPI flash. But the recipe here: https://bloglon.blogspot.com/2020/07/p8-smartwatch-research.html proposes to flash the stock ROM with nRF Connect to the app area, which is 0x23000 for the s132 v5.0.1. I also took a look at the stock FW I acquired with the app (meanwhile learning Radare2).

~~ (((According to the Vector table it should be put to another area: 0x1FA00 which is bizarre. ))) ~~ EDIT: This appeared to be completely wrong.

Would you clarify a little for me? Thanks in advance.

ildar avatar Sep 28 '20 21:09 ildar
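The thread above argues about where a dumped P8 image belongs (app area at 0x23000 behind the s132 v5.0.1 SoftDevice) by looking at its vector table. Below is an added sanity-check script, not code from this repository or from any participant; it assumes an nRF52832-style memory map (512 KB internal flash at 0x0, 64 KB RAM at 0x20000000), which the thread does not state explicitly, and uses a constructed toy image rather than real firmware.

```python
import struct

# Assumed nRF52832 memory map (assumption; the thread never states sizes).
FLASH_BASE, FLASH_SIZE = 0x00000000, 512 * 1024
RAM_BASE, RAM_SIZE = 0x20000000, 64 * 1024
APP_BASE = 0x23000  # application start behind s132 v5.0.1, as given in the thread


def parse_vector_table(image: bytes, count: int = 16):
    """Return (initial_sp, reset_handler, remaining_vectors) from a Cortex-M image."""
    if len(image) < 4 * count:
        raise ValueError("image too short to hold a vector table")
    words = struct.unpack("<%dI" % count, image[: 4 * count])
    return words[0], words[1], words[2:]


def check_vector_table(image: bytes, load_addr: int = APP_BASE):
    """List reasons why `image` does not look like an app image linked for load_addr."""
    sp, reset, others = parse_vector_table(image)
    problems = []
    if not (RAM_BASE <= sp <= RAM_BASE + RAM_SIZE):
        problems.append("initial SP 0x%08x not in RAM" % sp)
    if reset & 1 == 0:
        problems.append("reset vector 0x%08x lacks Thumb bit" % reset)
    target = reset & ~1
    if not (load_addr <= target < load_addr + len(image)):
        problems.append("reset vector 0x%08x outside image at 0x%05x" % (reset, load_addr))
    if not (FLASH_BASE <= target < FLASH_BASE + FLASH_SIZE):
        problems.append("reset vector 0x%08x beyond internal flash" % reset)
    # Remaining vectors: zero is allowed, otherwise must be a Thumb address in flash.
    for i, v in enumerate(others, start=2):
        if v and (v & 1 == 0 or not (FLASH_BASE <= (v & ~1) < FLASH_BASE + FLASH_SIZE)):
            problems.append("vector %d = 0x%08x not a Thumb address in flash" % (i, v))
    return problems


def build_sample(sp: int, reset: int, size: int = 0x200) -> bytes:
    """Constructed toy image: SP, reset vector, 14 zero vectors, then 0xFF filler."""
    table = struct.pack("<2I", sp, reset) + b"\x00" * (4 * 14)
    return table + b"\xff" * (size - len(table))


# Constructed inputs: a plausible app image for 0x23000, and one whose reset vector
# points past the 512 KB internal flash (like the 0x2043xx figure questioned above).
GOOD = build_sample(0x20010000, APP_BASE + 0x41)
BAD = build_sample(0x20010000, 0x2043A5)

if __name__ == "__main__":
    print("GOOD:", check_vector_table(GOOD) or "ok")
    print("BAD:", check_vector_table(BAD))
```

Running the same image with a different `load_addr` (for example the 0x1FA00 figure mentioned above) shows the reset vector falling outside the image, which is the kind of mismatch the check is meant to catch before anything is flashed.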

Hey.

So the stock bootloader needs the new firmware on external flash.

When already on the custom bootloader and you want to go back to stock, you need to flash it to 0x23000 internally. That is what the stock bootloader does as well.

Just mentioning: when going back to stock on a closed watch you cannot flash anything else ever again OTA. You need to open the watch then.

atc1441 avatar Sep 28 '20 22:09 atc1441

Morning! :-)

On Tue, Sep 29, 2020 at 4:29 AM atc1441 wrote:

So the stock bootloader needs the new firmware on external flash.

I see. But as we lost that to the moment, that doesn't matter.

When already on the custom bootloader and you want to go back to stock, you need to flash it to 0x23000 internally. That is what the stock bootloader does as well.

Great!

~~ ((( But what's kinda suspicious to me is that stock FW has 0x2043xx in its vector table. ))) ~~ EDIT: This appeared to be completely wrong.

It is beyond internal flash and I may guess it is the external (SPI) flash area. That makes me wonder how it works...

BTW I guess that resetting UICR and erasing internal flash still saved the SPI flash. Did you manage to back it up?

Just mentioning: when going back to stock on a closed watch you cannot flash anything else ever again OTA. You need to open the watch then.

Yep, warned already. We still need a good custom BL to make it more flexible. If you want, we can go on discussing in Gitter. Thanks again!

ildar avatar Sep 29 '20 04:09 ildar

I found that I erroneously interpreted the figures in the vector tables I referenced above. Please ignore. Will explore some more..

ildar avatar Sep 30 '20 12:09 ildar

Check this out : https://video.codingfield.com/videos/watch/5b70cc41-2e14-49cc-a631-0aa466957169

ildar avatar Dec 28 '20 14:12 ildar

The Stock Bootloader does not have any BLE functions included, so it relies on the Firmware that will download the new Firmware to external flash. That means it is not possible to go back to stock with only the Bootloader flashed.

Can't the stock firmware be populated in the external flash before the stock bootloader is flashed, and then the stock bootloader will finish the job? Thereby returning to a factory-like state where firmware updates remain possible...

luke-jr avatar Nov 19 '21 16:11 luke-jr

Yes, this does work. "Only" needs to be implemented.

atc1441 avatar Nov 19 '21 16:11 atc1441