csr-spi-ftdi
Fake HC-05/HC-06 modules with BlueCore3 chips relabeled as BC417
I have a problem, please advise: I have exactly an HC-05 board from Ali Express, which I want to upgrade to RN42 firmware. I got connected to HC-05 (LED blinking when "processor running"), I dumped backup firmware and settings, uploaded RN42 firmware, clicked "Start Processor" and got "Processor Running" but LED doesn't blink, it's off. When I try to connect with PSTool I get an error: "unable to find entries in the look-up table on chip". When I flash backup firmware back everything works again, but when I flash RN-42 - same thing, can't get to settings, LED not blinking, but can start and stop processor, get firmware version, verify etc. Any advice? Is it driver-related or hardware-related? Anyone had similar issue? Thanks.
I have this problem as well, any news?
To add some more detail to this, there seem to be two different types of HC-05/06 modules. One of them works fine, the other causes the issue.
I'm guessing it's not an issue with the drivers, as these modules work fine with PSTool with their stock firmware; it's only after they are flashed with RN-42 firmware that they do not work.
I can confirm that my module that failed is the one that appears on that photo as the bad one on the bottom. However in the product photo on Ali Express the product shows the top one. So it's difficult to get that one I think. I have ordered the one from a link to one of the videos a while ago, let's hope I get the right one in the mail... It was called hc-06
I can confirm that the module shown as the bad one on the photo doesn't work with RN-42 firmware. Reverting the module to the original firmware brings it back to life!
$ e2cmd info
Chip ID - 0x4543
Chip Name - BC3 MM (kal)
Unable to calculate addressing mode of EEPROM
$ BlueFlashCmd identify
Flash identity: size = 128 sectors (8 Mbit), man_id = 0x00c2, dev_id = 0x225b
Firmware ID (loader)="bc3k_8unified_fl_bt2.1_23g_0903311011_native_encr56 2009-03-31"
Firmware ID (stack)="bc3k_8unified_fl_bt2.1_23g_0903311011_native_encr56 2009-03-31"
Result: Usable flash size: 128 sectors, 8 megabit.
Currently I can't compare this with a working unit but this looks like a BC3 and not BC4 module. Might be that it was just labeled BC4!
@ssapalski if there are any commands or tests you want me to run I'd be happy to do it. I have both types here and also have the ftdi circuit set up
@romandesign I mentioned in my pinned YouTube comment, I bought 4 modules off 4 different sellers, all looked like the good module on the listing but two of the ones I received were the bad ones. The one I linked to in the video is the only one I know for sure what seller I got it from (and was good)
It was also bought in August 2016 so maybe it's old stock
@witnessmenow that is because most sellers have outdated pictures on their listings but they say they sell the most recent version of the module, maybe manufacturers realized people were turning these modules into HIDs and decided to screw us up?
Maybe, I bought 3 of the modules in September 2017 and one of them was good, but I have no way of knowing which seller sent which one!
I'd say someone just figured how to make a hc05 module cheaper! I'm sure sellers don't really care what we do with them.
I think they do care, since they use the same chips for both modules I'd assume they wouldn't want us to have an HID module for the price of an HC-05, there's a huge price gap between them, but once again, it's just an assumption
@witnessmenow Can you run the two commands I've shown on the good unit?
e2cmd.exe info
BlueFlashCmd.exe identify
My assumption is that this will show a BC4 device (BlueCore 4)! If this is true, then it would explain why the RN-42 firmware isn't running, since most likely this firmware can only run on BC4 devices. These are just some assumptions, I've been playing around with these BT devices for a couple of days and I don't know them well.
Good board (already running RN-42 can revert to stock if needed)
C:\Program Files (x86)\CSR\BlueSuite 2.6.2>e2cmd.exe info
e2cmd.exe, version 2.6.2.632 Release
Copyright Cambridge Silicon Radio Limited 2007 - 2015.
21:32:27.171178: all:spi.c:558:spi_init: csr-spi-ftdi 0.5.2, git rev 4c3061a
Chip ID - 0x4826
Chip Name - BC4-EXT (cyt)
21:32:29.420610: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
Unable to calculate addressing mode of EEPROM
*** FTDI Statistics ********************************************************
csr-spi-ftdi version: 0.5.2 (git rev 4c3061a)
Time open: 2.86 s
Time in xfer: 2.60 s (90.86% of open time)
Reads: 224 (13372 bytes, 59.70 bytes avg read size)
Writes: 320 (15084 bytes, 47.14 bytes avg write size)
Xfer data rate: 10.67 KB/s (28456 bytes in 2.60 s)
IOPS: 208.00 IO/s (544 IOs in 2.60 s)
FTDI chip: FT232R (3), buffer size: 384 bytes
FTDI stats: 1085.00 xfers/s (0.00 short reads/s,
2829 xfers/1 short reads in 2.60 s,
5.00 xfers/IO, 323.00 bytes/xfer)
SPI max clock: 1000 kHz, min clock: 666 kHz, slowdowns: 1
****************************************************************************
C:\Program Files (x86)\CSR\BlueSuite 2.6.2>BlueFlashCmd.exe identify
blueflashcmd, version 2.6.2.632 Release
Copyright Cambridge Silicon Radio Limited 2002 - 2015.
21:33:06.033075: all:spi.c:558:spi_init: csr-spi-ftdi 0.5.2, git rev 4c3061a
Resetting XAP
Identifying XAP
21:33:07.012860: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:33:07.040974: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
Flash identity: size = 128 sectors (8 Mbit), man_id = 0x00c2, dev_id = 0x225b
Firmware ID (loader)="cyt_8unified_fl_bt3.0_23i_1002111152_native_encr56 2010-02-11"
Firmware ID (stack)="cyt_8unified_fl_bt3.0_23i_1002111152_native_encr56 2010-02-11"
Result: Usable flash size: 128 sectors, 8 megabit.
*** FTDI Statistics ********************************************************
csr-spi-ftdi version: 0.5.2 (git rev 4c3061a)
Time open: 4.13 s
Time in xfer: 3.81 s (92.17% of open time)
Reads: 399 (20628 bytes, 51.70 bytes avg read size)
Writes: 560 (20177 bytes, 36.03 bytes avg write size)
Xfer data rate: 10.45 KB/s (40805 bytes in 3.81 s)
IOPS: 251.00 IO/s (959 IOs in 3.81 s)
FTDI chip: FT232R (3), buffer size: 384 bytes
FTDI stats: 1093.00 xfers/s (0.00 short reads/s,
4169 xfers/1 short reads in 3.81 s,
4.00 xfers/IO, 314.00 bytes/xfer)
SPI max clock: 1000 kHz, min clock: 666 kHz, slowdowns: 1
****************************************************************************
Success
Bad board (stock)
C:\Program Files (x86)\CSR\BlueSuite 2.6.2>e2cmd.exe info
e2cmd.exe, version 2.6.2.632 Release
Copyright Cambridge Silicon Radio Limited 2007 - 2015.
21:38:45.697115: all:spi.c:558:spi_init: csr-spi-ftdi 0.5.2, git rev 4c3061a
21:38:46.495925: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:46.498125: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:46.502984: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:46.507925: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:46.510845: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:46.513974: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:46.519845: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:46.523779: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:46.527800: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:46.529277: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:46.534800: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:46.537845: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:46.539846: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:46.541991: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:46.547721: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:46.550678: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:46.551939: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:46.556675: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:46.559732: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:46.563720: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:46.565719: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:46.567726: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:46.570877: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:46.573594: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:46.577594: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:46.579738: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:46.584777: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:46.587778: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:46.590781: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:46.594595: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:46.598606: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:46.601724: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:46.605469: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:46.609473: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:46.613469: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:46.617306: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:46.620482: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:46.623468: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:46.626470: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
Chip ID - 0x4543
Chip Name - BC3 MM (kal)
Unable to calculate addressing mode of EEPROM
*** FTDI Statistics ********************************************************
csr-spi-ftdi version: 0.5.2 (git rev 4c3061a)
Time open: 4.81 s
Time in xfer: 4.36 s (90.56% of open time)
Reads: 284 (24238 bytes, 85.35 bytes avg read size)
Writes: 375 (24949 bytes, 66.53 bytes avg write size)
Xfer data rate: 11.01 KB/s (49187 bytes in 4.36 s)
IOPS: 151.00 IO/s (659 IOs in 4.36 s)
FTDI chip: FT232R (3), buffer size: 384 bytes
FTDI stats: 1079.00 xfers/s (1.00 short reads/s,
4712 xfers/6 short reads in 4.36 s,
7.00 xfers/IO, 335.00 bytes/xfer)
SPI max clock: 1000 kHz, min clock: 1000 kHz, slowdowns: 0
****************************************************************************
C:\Program Files (x86)\CSR\BlueSuite 2.6.2>BlueFlashCmd.exe identify
blueflashcmd, version 2.6.2.632 Release
Copyright Cambridge Silicon Radio Limited 2002 - 2015.
21:38:59.086055: all:spi.c:558:spi_init: csr-spi-ftdi 0.5.2, git rev 4c3061a
21:38:59.879870: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:59.888890: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:59.892936: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:59.895035: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:59.898207: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:59.901935: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:59.906509: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:59.909820: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:59.914811: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:59.919811: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:59.923810: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:59.927956: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:59.933685: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:59.934799: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
21:38:59.940685: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
Resetting XAP
21:39:00.045309: err:basics.cpp:481:spifns_sequence_read: Unable to start read (invalid control data)
Identifying XAP
Flash identity: size = 128 sectors (8 Mbit), man_id = 0x00c2, dev_id = 0x225b
Firmware ID (loader)="bc3k_8unified_fl_bt2.1_23g_0903311011_native_encr56 2009-03-31"
Firmware ID (stack)="bc3k_8unified_fl_bt2.1_23g_0903311011_native_encr56 2009-03-31"
Result: Usable flash size: 128 sectors, 8 megabit.
*** FTDI Statistics ********************************************************
csr-spi-ftdi version: 0.5.2 (git rev 4c3061a)
Time open: 12.63 s
Time in xfer: 12.18 s (96.48% of open time)
Reads: 450 (70360 bytes, 156.36 bytes avg read size)
Writes: 613 (69963 bytes, 114.13 bytes avg write size)
Xfer data rate: 11.24 KB/s (140323 bytes in 12.18 s)
IOPS: 87.00 IO/s (1063 IOs in 12.18 s)
FTDI chip: FT232R (3), buffer size: 384 bytes
FTDI stats: 1032.00 xfers/s (0.00 short reads/s,
12589 xfers/3 short reads in 12.18 s,
11.00 xfers/IO, 357.00 bytes/xfer)
SPI max clock: 1000 kHz, min clock: 1000 kHz, slowdowns: 0
****************************************************************************
Success
@witnessmenow Many thanks, this looks like my assumption was correct. I will compress the information to the relevant parts:
good board (rn-42 firmware):
$ e2cmd.exe info
Chip ID - 0x4826
Chip Name - BC4-EXT (cyt)
Unable to calculate addressing mode of EEPROM
$ BlueFlashCmd.exe identify
Flash identity: size = 128 sectors (8 Mbit), man_id = 0x00c2, dev_id = 0x225b
Firmware ID (loader)="cyt_8unified_fl_bt3.0_23i_1002111152_native_encr56 2010-02-11"
Firmware ID (stack)="cyt_8unified_fl_bt3.0_23i_1002111152_native_encr56 2010-02-11"
Result: Usable flash size: 128 sectors, 8 megabit.
bad board (stock firmware):
$ e2cmd.exe info
Chip ID - 0x4543
Chip Name - BC3 MM (kal)
Unable to calculate addressing mode of EEPROM
$ BlueFlashCmd.exe identify
Flash identity: size = 128 sectors (8 Mbit), man_id = 0x00c2, dev_id = 0x225b
Firmware ID (loader)="bc3k_8unified_fl_bt2.1_23g_0903311011_native_encr56 2009-03-31"
Firmware ID (stack)="bc3k_8unified_fl_bt2.1_23g_0903311011_native_encr56 2009-03-31"
Result: Usable flash size: 128 sectors, 8 megabit.
Can you please do the same with the "good board" and the stock firmware? I guess this won't change anything related to "chip id" and "chip name". If the "chip id" value is unrelated to the running firmware, then this would mean that in fact the "bad board" is a BC3 module but falsely labeled BC4.
good board (stock firmware):
>e2cmd.exe info
Chip ID - 0x4826
Chip Name - BC4-EXT (cyt)
Unable to calculate addressing mode of EEPROM
>BlueFlashCmd.exe identify
Flash identity: size = 128 sectors (8 Mbit), man_id = 0x007f, dev_id = 0x225b
Firmware ID (loader)="cyt_8unified_fl_bt2.0_22_0612121241_encr56 2006-12-12"
Firmware ID (stack)="cyt_8unified_fl_bt2.1_23g_0903311011_encr56 2009-03-31"
Result: Usable flash size: 128 sectors, 8 megabit.
good board (rn-42 firmware):
>e2cmd.exe info
Chip ID - 0x4826
Chip Name - BC4-EXT (cyt)
Unable to calculate addressing mode of EEPROM
>BlueFlashCmd.exe identify
Flash identity: size = 128 sectors (8 Mbit), man_id = 0x007f, dev_id = 0x225b
Firmware ID (loader)="cyt_8unified_fl_bt3.0_23i_1002111152_native_encr56 2010-02-11"
Firmware ID (stack)="cyt_8unified_fl_bt3.0_23i_1002111152_native_encr56 2010-02-11"
Result: Usable flash size: 128 sectors, 8 megabit.
BC417143B part is originally BlueCore4 (BC4). Looks like some smartasses repackaged BlueCore3 chip into 7x7 mm WFBGA (originally 10x10 mm 96-ball LFBGA) and labeled as BlueCore4. Original BlueCore4 is only 8x8mm 96-ball TFBGA and 6x6mm 96-ball VFBGA package options. So that's definitely counterfeit. BlueCore3 is old as dump of mammoth (2003).
Yes, these are counterfeit chips with BC3-compatible HC-05 firmware and thus not usable with RN42 (BC4) firmware. The csr-spi-ftdi driver works fine with these chips!
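The comparison made in this thread can be scripted as a pre-flash check. This is an added example, not code from the thread or from csr-spi-ftdi: it parses saved `e2cmd info` / `BlueFlashCmd identify` output and compares what the silicon reports with the package marking. The function names, the `marked_as` parameter and the two-entry chip table are assumptions built only from the values posted here.

```python
import re

# Chip IDs that `e2cmd info` printed in this thread. The table is limited to
# these two values; any other ID is reported as "unknown".
KNOWN_CHIPS = {0x4826: "BC4",   # Chip Name "BC4-EXT (cyt)"
               0x4543: "BC3"}   # Chip Name "BC3 MM (kal)"
# Firmware ID prefixes seen on each family in this thread (assumption: the
# prefix identifies the chip family the image was built for).
FW_PREFIX = {"BC4": "cyt", "BC3": "bc3k"}

CHIP_ID_RE = re.compile(r"^Chip ID\s*-\s*(0x[0-9a-fA-F]+)\s*$", re.M)
CHIP_NAME_RE = re.compile(r"^Chip Name\s*-\s*(.+?)\s*$", re.M)
FW_RE = re.compile(r'^Firmware ID \((loader|stack)\)="([^"]*)"', re.M)

def parse_identity(tool_output):
    """Pull chip and firmware identity out of combined tool output."""
    chip_id = CHIP_ID_RE.search(tool_output)
    chip_name = CHIP_NAME_RE.search(tool_output)
    return {
        "chip_id": int(chip_id.group(1), 16) if chip_id else None,
        "chip_name": chip_name.group(1) if chip_name else None,
        "firmware": dict(FW_RE.findall(tool_output)),
    }

def assess(tool_output, marked_as="BC4"):
    """Compare what the silicon reports with the package marking."""
    ident = parse_identity(tool_output)
    family = KNOWN_CHIPS.get(ident["chip_id"], "unknown")
    findings = []
    if ident["chip_id"] is None:
        findings.append("no Chip ID line found")
    elif family == "unknown":
        findings.append("chip ID 0x%04x not covered here" % ident["chip_id"])
    elif family != marked_as:
        findings.append("marked %s but silicon reports %s" % (marked_as, family))
    # Flag firmware built for a different family than the chip it sits on.
    expected = FW_PREFIX.get(family)
    for kind, fw_id in sorted(ident["firmware"].items()):
        if expected and fw_id.split("_", 1)[0] != expected:
            findings.append("%s firmware %r is not a %s build" % (kind, fw_id, family))
    return dict(ident, family=family, rn42_candidate=(family == "BC4"),
                findings=findings)

# Excerpts of the tool output posted in this thread.
GOOD_STOCK = """Chip ID - 0x4826
Chip Name - BC4-EXT (cyt)
Firmware ID (loader)="cyt_8unified_fl_bt2.0_22_0612121241_encr56 2006-12-12"
Firmware ID (stack)="cyt_8unified_fl_bt2.1_23g_0903311011_encr56 2009-03-31"
"""
BAD_STOCK = """Chip ID - 0x4543
Chip Name - BC3 MM (kal)
Firmware ID (loader)="bc3k_8unified_fl_bt2.1_23g_0903311011_native_encr56 2009-03-31"
Firmware ID (stack)="bc3k_8unified_fl_bt2.1_23g_0903311011_native_encr56 2009-03-31"
"""
# Constructed sample: the bad board's chip lines combined with the RN-42
# firmware IDs, i.e. the state in which the LED stops blinking.
BAD_WITH_RN42 = """Chip ID - 0x4543
Chip Name - BC3 MM (kal)
Firmware ID (loader)="cyt_8unified_fl_bt3.0_23i_1002111152_native_encr56 2010-02-11"
Firmware ID (stack)="cyt_8unified_fl_bt3.0_23i_1002111152_native_encr56 2010-02-11"
"""

if __name__ == "__main__":
    for label, out in (("good/stock", GOOD_STOCK), ("bad/stock", BAD_STOCK),
                       ("bad/rn42", BAD_WITH_RN42)):
        result = assess(out)
        print(label, result["family"], result["rn42_candidate"], result["findings"])
```

Run it on a dump taken before flashing: any finding means the image should not be written, and the stock backup is the only firmware known to run on that part.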
Probably worth closing so, not a driver issue
Let it hang here for information purposes.
Hi! I am currently facing this problem right now, unable to access the PSTool after flashing RN42's firmware into my HC05 (LED stops blinking). As per witnessmenow's photo, it seems that my HC05 is indeed the 'bad' one (bottom on picture). So I can't continue this project unless I get the 'good' one or is there any other way to do it? I've bought two HC05 modules and both of them are the 'bad' one. :(
Help would be very much appreciated, thanks!
@Gunvarrel39 if you'd read all the replies you'd know that the 'bad' modules have a BlueCore 3 chip that can't be flashed with RN42's firmware so no, you need to get a 'good' one if you want to flash it.
@doteroargentino Aw shucks, guess I just lost $8 lol (that's 2 dinner's worth)
Alright then, I'll find another. Hope I got the 'good' one this time; gotta ask the seller if the module looks exactly like the 'good' one above!
Thanks for your answer :)
Personally I bought this one: https://www.aliexpress.com/item/HC05-HC-05-master-slave-6pin-JY-MCU-anti-reverse-integrated-Bluetooth-serial-pass-through-module/32340945238.html
Didn't test the custom firmware but the unit chips are the same as the 'working' variant on the picture. Order was from August this year.
I think the working one is sold as HC-06 while the non-working is sold as HC-05
Hi all, I see the Ali-Express chip in the link above has 30 - 50 day delivery to the UK, which is a bit long. Ebay UK https://www.ebay.co.uk/itm/HC-06-HC06-Bluetooth-Wireless-Module-Serial-RS232-TTL-for-Arduino-Raspberry-Pi/161780777682?hash=item25aae2c2d2:g:lBIAAOSwwbdWPxDW:rk:23:pf:0 is being sold as HC06. Has anyone tried this module, and if so, does it work as RN-42? If it does work I need to buy some; if not, I'll buy one and report back here if it works or not.
Cheers, Dave
I'm not sure what you guys plan to do with this HC-05, but the ESP32 supports BLE.. it may be an easier and more readily available alternative if you don't plan on supporting Bluetooth 2.0 etc.
Hi, thanks for the reply. RN-42 firmware allows the use as a HID keyboard or mouse; it is possible to replace the firmware on HC-05/06. Cost of RN-42 is about £20. If they can be re-programmed it means HC-05/06 will do the same job for a quarter of the price. Manufacturers have found out about this and in some cases changed the boards so that they will not work as RN-42, hence my question to you. I have since done more research and I think your boards can be used as RN42, so I have ordered your last 3 so that I can try it out. If you are interested I can come back to you and let you know for certain.
I’ll have a look at the ESP32 and see if it will do the same job, thanks
Cheers Dave
From: bilogic [email protected] Sent: Tuesday, January 15, 2019 2:46:22 PM To: lorf/csr-spi-ftdi Cc: davejel; Comment Subject: Re: [lorf/csr-spi-ftdi] Error with RN421 firmware on HC-05 module with csr-spi-fdti driver (#25)
@davejel From my understanding, the upgraded HC-05/06 will still need a microp to drive it via the AT commands, it merely acts as a BT interface. ESP32 on the other hand is a microp + HID BLE all in one. I'm trying to work on a wireless mechanical keyboard with RGB backlight. If you have a similar goal, maybe we can collaborate.
Hi @bilogic, my goal is to 'create' a simple BT switch which can then be used by disabled users to use programs that need input. The switch would be configured as a HID keyboard with only one key. Some HC-06 boards can be uploaded with RN42 firmware; RN42 is naturally a HID, AT command set (which is then needed for configuration) can be done by connecting the HC to an ESP8266 via serial. If you PM me we can compare notes and work together if there is enough common ground.
@davejel I think https://github.com/asterics/esp32_mouse_keyboard will almost work right out of the box for you, just add a button to one of the IO pins. I was able to compile and get it to work which is why I have the confidence to move forward with my project, however my main challenge eventually will be in drawing the PCB.
@bilogic Looks interesting, I have just bought some HC-06 chips which I shall be testing today (I think they are the ones which will take RN42 software). I'll report back here later and let you know how I get on with it.
Looks as though the approach you are taking might be better in that there is no need for RN42 firmware to make the HID. I have been following https://mitxela.com/projects/bluetooth_hid_gamepad and https://www.youtube.com/watch?v=y8PcNbAA6AQ; both of these use HC-05/06 with RN-42 firmware programmed into them. My final aim is to produce a Bluetooth switch for use by disabled people at a reasonable price. At the moment the cheapest one on the market is £175, which most cannot afford; if I can produce one for say £25 - £30 or under, this could potentially help a lot of disabled users. I don't mind how this is achieved, so I will buy some ESP-32 and try them as well to see how it all pans out. Dave
Thanks for the info, I ordered 3 modules online and got 3 bad ones... how unfortunate. Does anybody know if we can still order the old style HC05/06? Thanks
@davejel Can you confirm if your module is working or not? I can't find any working modules right now.. If anyone has a working one, please share the link with us.