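def _fmt_addr(addr, count=3):
    """Encode *addr* as *count* little-endian bytes, one character per byte.

    The same helper is used for length fields (``count=2``).

    Raises:
        ValueError: *addr* is negative or does not fit in *count* bytes.
    """
    # Reject instead of masking: a silently wrapped address or length would
    # make the command act on a different region than the caller asked for.
    if not 0 <= addr < (1 << (8 * count)):
        raise ValueError("value 0x%x does not fit in %d bytes" % (addr, count))
    return "".join(chr((addr >> shift) & 0xff) for shift in range(0, 8 * count, 8))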
17 E2 43 04 02 E2 43 02 02 80 00 04 25
19 00 05 04 34 31 40 90 33 B0 13 5E 2E 0C 93 00 24
20 B0 13 F4 2D FF 3F 12 01 00 02 00 00 00 08 47 20
21 00 02 04 01 00 00 00 01 06 00 FF 09 01 A1 01 85
22 3F 95 3F 75 08 25 01 15 01 09 01 81 02 85 3F 95
23 3F 75 08 25 01 15 01 09 01 91 02 C0 09 02 29 00
24 01 01 00 80 32 09 04 00 00 02 03 00 00 00 09 21
25 01 01 00 01 22 24 00 07 05 81 03 40 00 01 07 05
28 F2 D2 20 09 F2 D2 22 09 10 01 5E 42 02 24 7E 93
29 25 24 7E 90 09 00 04 28 7D 42 7E 82 5F 43 0C 3C
30 7E 92 02 2C 4D 4E 06 3C 7D 42 D2 93 0E 24 02 20
31 4E 43 F4 3F 7E 43 4F 43 C2 4F 10 24 C2 4E 02 24
32 4F 43 07 3C 1E 42 06 24 EF 4E 78 23 92 53 06 24
33 5F 53 4F 9D F7 2B C2 4D 21 09 10 01 C2 43 10 24
34 10 01 82 4C 06 24 5E 42 86 23 C2 9E 02 24 04 28
35 C2 4E 02 24 4E 43 01 3C 5E 43 C2 4E 0E 24 80 00
36 80 25 F2 B0 0F 00 84 23 14 20 C2 93 84 23 03 34
37 5E 42 20 09 02 3C 5E 42 22 09 7E F2 C2 4E 60 24
38 5E 42 60 24 42 19 4E 10 C2 4E 60 24 B0 13 C4 27
39 09 3C C2 93 84 23 03 34 5E 42 C8 23 EE 3F 5E 42
40 88 23 EB 3F 3C 40 60 24 80 00 D8 25 F2 43 02 24
41 C2 43 10 24 C2 43 21 09 10 01 C2 93 82 23 12 20
42 5E 42 84 23 7E F0 0F 00 02 20 80 00 42 26 5E 93
43 0B 20 C2 93 84 23 03 34 F2 D2 C8 23 F6 3F F2 D2
44 88 23 F3 3F B0 13 76 25 10 01 C2 93 80 23 04 34
45 1F 43 D2 D3 3C 09 03 3C 0F 43 D2 C3 3C 09 5E 42
46 80 23 7E B0 60 00 90 20 5D 42 81 23 4D 83 81 24
47 5D 83 6B 24 6D 83 67 24 6D 83 45 24 5D 83 09 24
48 6D 83 52 24 5D 83 46 24 5D 83 33 24 5D 83 54 24
49 7B 3C 0F 93 79 24 5E 42 83 23 5E 83 08 24 5E 83
50 0F 24 7E 80 1F 00 1C 24 5E 83 13 24 6D 3C C2 43
51 23 09 F2 40 12 00 02 24 3C 40 16 25 80 00 D8 25
52 C2 43 23 09 F2 40 29 00 02 24 3C 40 4C 25 80 00
53 D8 25 F2 40 24 00 02 24 3C 40 28 25 80 00 D8 25
54 C2 43 23 09 F2 40 09 00 02 24 3C 40 5E 25 80 00
55 D8 25 0F 93 49 24 B0 13 C4 27 C2 43 60 24 D2 42
56 01 24 61 24 3B 3C B0 13 CE 27 D2 42 82 23 3F 09
57 80 00 42 26 B0 13 CE 27 D2 42 82 23 00 24 B0 13
58 42 26 D2 43 12 24 10 01 C2 43 23 09 D2 43 02 24
59 3C 40 00 24 80 00 D8 25 B0 13 CE 27 D2 42 84 23
60 01 24 80 00 42 26 80 00 50 26 5E 42 84 23 7E F0
61 0F 00 02 20 80 00 42 26 5E 93 18 20 C2 93 84 23
62 04 34 F2 F0 D7 00 C8 23 F5 3F F2 F0 D7 00 88 23
63 F1 3F 7E 90 80 00 03 20 B0 13 C4 27 43 3F 7E 90
64 82 00 02 20 80 00 F8 25 B0 13 76 25 10 01 C2 43
65 23 09 E2 43 02 24 10 01 D5 3E 1B 15 1F 42 5A 24
66 5B 4F 03 00 5E 4F 01 00 5C 4F 02 00 8C 10 0C DE
67 0D 4B 0E 4F 2E 52 6A 4F 7A 80 10 00 29 24 5A 83
68 14 24 5A 83 2A 24 5A 83 2E 24 6A 83 23 24 5A 83
69 3A 24 5A 83 15 24 5A 83 3B 24 5A 83 3E 24 6A 83
70 41 20 5F 43 B0 13 E2 2B 41 3C 1F 53 0C 4F B0 13
71 38 2C 4C 93 02 20 4C 43 37 3C 7C 40 05 00 34 3C
72 B0 13 66 2E 03 20 B0 13 6E 2E F5 3F 6C 42 2C 3C
73 4F 43 E8 3F B0 13 D4 2D 27 3C 0E 4C 0F 4B 4C 43
74 B0 13 D4 2C 21 3C B0 13 66 2E F0 23 4C 43 1F 42
75 58 24 3F 50 40 00 1B 42 44 01 3B F0 10 00 0F 5B
76 82 4F 44 01 11 3C B0 13 3C 2E B0 13 12 2B 0E 3C
77 B0 13 3C 2E B0 13 66 29 09 3C 2E 42 3C 40 00 25
78 0D 43 F8 3F 7C 40 07 00 B0 13 12 2E 1A 17 10 01
79 E2 B2 3E 09 14 28 F2 40 80 00 23 09 03 3C F2 F0
80 FA 00 3E 09 C2 43 10 24 C2 43 60 24 C2 43 61 24
81 B0 13 80 26 D2 B3 3E 09 F2 2F E2 C2 3E 09 1F 42
82 32 09 7F 90 0A 00 0C 20 B0 13 4A 2E B0 13 86 2C
83 B0 13 08 2A B2 F0 F9 FF 08 09 A2 D3 02 09 10 01
84 7F 90 0C 00 06 20 B0 13 4A 2E B2 40 04 A5 20 01
85 10 01 7F 90 12 00 0A 20 C2 43 23 09 D2 93 10 24
86 02 20 80 00 80 25 F2 D2 20 09 10 01 7F 90 16 00
87 02 20 80 00 08 2A 7F 90 18 00 0C 20 D2 43 11 24
88 F2 C0 40 00 3E 09 B2 40 80 00 10 09 F2 40 20 00
89 3D 09 10 01 7F 90 1A 00 0A 20 B0 13 86 2C F2 F0
90 9F 00 3E 09 F2 40 C0 00 3D 09 C2 43 11 24 10 01
91 7B 15 0A 4C 0B 4D 0F 4E 3F E3 0F 5F 0F 7F 08 4C
92 09 4D 08 5E 09 6F 47 43 0B 3C 1F 42 5C 24 FF 40
93 3A 00 00 00 0C 46 1C 53 B0 13 2A 2E 0A 56 0B 63
94 0B 99 03 28 34 20 0A 98 32 2C 47 93 30 20 0E 48
95 0F 49 0E 8A 0F 7B 03 20 3E 90 3E 00 03 28 36 40
96 3D 00 02 3C 06 48 06 8A 14 42 5C 24 14 53 0E 46
97 0F 46 3F E3 0F 5F 0F 7F 0E 5A 0F 6B 09 3C 1F 15
98 0D 16 6C 4D 0D 4E 0D 8A 05 44 05 5D C5 4C 00 00
99 3E 53 3F 63 0F 9B C9 2B 02 20 0E 9A C6 2B B0 13
100 66 2E ED 27 67 42 6C 42 B0 13 12 2E C7 3F 74 17
101 10 01 F2 40 10 00 3C 09 C2 43 12 24 C2 43 11 24
102 C2 43 00 24 C2 43 01 24 C2 43 3C 09 F2 43 02 24
103 F2 43 04 24 C2 43 10 24 7E 40 80 00 C2 4E 21 09
104 C2 4E 23 09 F2 40 8C 00 20 09 F2 40 8C 00 22 09
105 F2 40 03 00 2F 09 F2 40 03 00 2E 09 C2 4E C8 23
106 F2 40 10 00 C9 23 C2 4E CA 23 C2 4E CE 23 F2 40
107 40 00 CF 23 C2 4E 88 23 C2 43 89 23 C2 43 8A 23
108 F2 40 40 00 8F 23 F2 40 40 00 3C 09 C2 43 3E 09
109 F2 40 C0 00 3D 09 10 01 7B 15 08 4C 07 4D 04 4F
110 4C 43 0A 48 0B 4D 0F 4E 3F E3 0F 5F 0F 7F 06 48
111 06 5E 07 6F 02 3C 1A 53 0B 63 0B 97 03 28 2C 20
112 0A 96 2A 2C 18 B3 08 2C 0E 46 0F 47 3E 53 3F 63
113 0A 9E 19 20 0B 9F 17 20 6E 44 B0 13 66 2E 10 20
114 4C 43 B0 13 56 2E 1B 15 0F 16 CF 4E 00 00 B0 13
115 56 2E 1B 15 0F 16 6D 4F 4E 9D 03 24 5C 43 01 3C
116 6C 42 14 53 07 3C 3E 44 0C 4A 0D 4B B0 13 64 2D
117 1A 53 0B 63 4C 93 CF 27 74 17 10 01 3B 15 0A 4E
118 B2 43 54 01 08 4C 09 4D 07 3C 19 15 0E 16 6F 4E
119 C2 4F 52 01 18 53 09 63 0E 4C 0F 4D 0E 5A 0F 63
120 09 9F 03 28 09 20 08 9E 07 2C B0 13 66 2E ED 27
121 6C 42 B0 13 12 2E 15 3C 1E 42 54 01 1F 42 5C 24
122 FF 40 3A 00 00 00 1B 42 5C 24 CB 4E 01 00 47 18
123 0E 11 1F 42 5C 24 CF 4E 02 00 3C 40 03 00 B0 13
124 2A 2E 38 17 10 01 32 C2 03 43 B2 40 02 1C 5A 24
125 B2 40 17 24 5C 24 B2 40 28 96 00 09 82 43 02 09
126 82 43 60 01 B2 40 F3 10 64 01 B2 40 40 00 62 01
127 B2 40 44 02 68 01 C2 43 0E 24 C2 43 11 24 B2 40
128 28 96 00 09 B2 40 40 1E 08 09 B2 40 80 00 04 09
129 B0 13 4A 2E C2 43 12 24 B2 B2 08 09 06 28 B0 13
130 86 2C B0 13 08 2A A2 D3 02 09 10 01 3B 15 4A 4F
131 6F 42 3B 40 58 24 B0 13 66 2E 08 20 4F 43 A2 4B
132 44 01 28 4B 38 50 40 00 82 48 40 01 4F 93 0B 20
133 B2 90 05 00 5E 24 07 38 0F 4E 1E 42 5E 24 2E 82
134 B0 13 8E 2A 4F 4C 4A 93 03 20 4C 4F B0 13 12 2E
135 A2 4B 40 01 2F 4B 3F 50 10 00 82 4F 44 01 38 17
136 10 01 1B 15 21 83 0D 43 3A 40 E0 FF 0B 43 7E 4A
137 0F 4C 0F 5B 6F 4F 0E EF 0D DE 1B 53 3B 90 20 00
138 F6 2B 0D 93 0E 20 B1 40 FF 7F 00 00 02 3C B1 53
139 00 00 91 93 00 00 FB 37 B2 40 A5 A5 56 24 4C 43
140 04 3C B0 13 D4 2D 7C 40 05 00 21 53 1A 17 10 01
141 21 82 81 43 02 00 B2 40 28 96 00 09 92 D3 02 09
142 92 42 14 24 12 09 B2 40 00 13 10 09 82 43 14 09
143 81 43 00 00 02 3C 91 53 00 00 B1 90 64 00 00 00
144 FA 2B 1F 41 02 00 0E 4F 1E 53 81 4E 02 00 3F 90
145 E9 03 03 2C 82 93 14 09 E9 23 21 52 10 01 B0 13
146 66 2E 0E 20 4C 43 B0 13 FA 2C 1D 42 58 24 2D 53
147 82 4D 40 01 1F 15 0D 16 CD 43 00 00 80 00 08 2D
148 6C 42 10 01 92 B3 44 01 FD 2F 92 42 58 24 44 01
149 10 01 92 B3 44 01 FD 2F 1F 42 58 24 3F 50 10 00
150 82 4F 44 01 10 01 82 43 5E 24 C2 43 8A 23 B0 13
151 A6 28 D2 93 12 24 0D 20 C2 93 11 24 0A 20 4F 43
152 C2 93 8A 23 04 34 5F 42 8A 23 7F F0 7F 00 82 4F
153 5E 24 82 93 5E 24 EB 27 92 93 5E 24 06 38 5F 42
154 01 1C 82 4F 5E 24 5C 43 10 01 4C 43 10 01 1B 15
155 B0 13 66 2E 15 20 4F 43 B0 13 56 2E 1D 15 0A 16
156 8A 4E 00 00 B0 13 56 2E 1D 15 0A 16 2B 4A 0E 9B
157 01 24 5F 43 92 B3 46 01 04 28 7F 40 03 00 01 3C
158 6F 42 4C 4F 1A 17 10 01 0A 12 7E 40 3F 00 C2 93
159 CA 23 11 34 C2 4E 80 1C 3D 40 81 1C 4F 43 0A 4C
160 0A 5F ED 4A 00 00 1D 53 5F 53 4F 9E F8 2B F2 40
161 40 00 CA 23 01 3C 4E 43 4C 4E 3A 41 10 01 B0 13
162 FA 2C B0 13 56 2E 1F 42 58 24 3F 50 06 00 82 4F
163 40 01 C2 43 E0 FF B0 13 08 2D 4C 43 10 01 B2 40
164 A5 A5 56 24 B2 40 00 A5 58 24 B0 13 7C 2B B0 13
165 1C 2D 5C B3 FC 2B B0 13 D0 27 F9 3F 1F 42 5C 24
166 FF 40 3B 00 00 00 1F 42 5C 24 CF 4C 01 00 2C 43
167 80 00 2A 2E C2 4C 16 24 3C 40 16 24 B0 13 9E 2D
168 4C 93 FA 27 10 01 6E 4E 5F 4F 05 00 47 18 0F 5F
169 0E DF 10 01 03 43 3F 40 DE 2E 3F 53 FE 2F 10 01
170 92 B3 44 01 FD 2F 10 01 B2 40 80 5A 5C 01 10 01
171 B2 90 A5 A5 56 24 10 01 1D 15 10 01
177 31 40 00 34 B0 13 0C 80 B0 13 32 80 21 83 D2 43
178 04 02 D2 43 02 02 B2 40 80 5A 5C 01 07 3C 91 53
179 00 00 B1 93 00 00 FB 23 D2 E3 02 02 81 43 00 00
180 F8 3F 80 00 36 80 80 00 3A 80 FF 3F
182 12 34 56 78 99 10 11 12 13 14 15 16 17 18 19 20
183 12 34 56 78 99 10 11 12 13 14 15 16 17 18 00 80
186 # reta: 10 01; jmp .: ff3f; ret: 3041
187 BLINK_BSL3 = """@2400
188 B2 40 80 5A 5C 01 E2 43 04 02 E2 43 02 02 2C 43
189 3D 40 AD DE 3E 40 EF BE 80 00 02 10
193 2C 43 3D 40 AD DE 3E 40 EF BE B0 13 02 10
196 BLINK_BSL2 = """@2400
197 31 40 00 34 B0 13 0C 20 B0 13 32 20 21 83 D2 43
198 04 02 D2 43 02 02 B2 40 80 5A 5C 01 07 3C 91 53
199 00 00 B1 93 00 00 FB 23 D2 E3 02 02 81 43 00 00
200 F8 3F 80 00 36 20 80 00 3A 20 FF 3F
202 12 34 56 78 99 10 11 12 13 14 15 16 17 18 19 20
203 12 34 56 78 99 10 11 12 13 14 15 16 17 18 00 20
206 return " ".join(c.encode("hex") for c in pkt)
209 def __init__(self, string):
210 self.content = content = []
212 for line in string.split("\n"):
213 if line.startswith("@"):
214 addr = int(line[1:],16)
215 elif line.startswith("q"):
220 data = line.replace(" ", "").decode("hex")
222 content.append((addr, data))
225 for x in self.content:
230 def segment_flash(iterator):
232 def insert(base, off, data):
233 assert off + len(data) <= 512
234 orig = flash.get(base, "\0" * 512)
235 new = orig[0:off] + data + orig[off+len(data):]
237 for addr, data in iterator:
242 sub, data = data[0:512-off], data[512-off:]
245 insert(base, off, sub)
247 for addr in sorted(flash):
248 yield (addr << 9), flash[addr]
252 "Flash write check failed",
253 "Flash Fail Bit Set",
254 "Voltage Change During Program",
256 "BSL Password Error",
257 "Byte Write Forbidden",
259 "Packet Length Exceeds Buffer Size"]
261 def __init__(self, vid = BSL_VID, pid = BSL_PID):
264 self.device = hidapi.HidDevice(vid, pid)
266 def _send_command(self, num, data, expect_response = True):
268 raise Exception("Data too long")
269 packet = '\x3f' + chr(len(data) + 1) + chr(num) + data
270 #print " ".join(c.encode("hex") for c in packet)
271 r = self.device.write(packet)
274 rdata = self.device.read(64)
276 raise Exception("Short response")
277 if rdata[0] != '\x3f':
278 raise Exception("Malformed packet")
280 resp = rdata[2: 2+ord(rdata[1])]
281 if resp[0] == '\x3a':
283 elif resp[0] == '\x3b' and len(resp) == 2:
287 raise Exception(self.MSGS[ord(resp[1])])
289 raise Exception("Slightly malformed response")
def RxPassword(self, passwd):
    """Send command 0x11 with *passwd* as the payload and return the reply.

    The password is passed through unchanged; its length is not checked here.
    """
    # NOTE(review): TI BSLs commonly answer a wrong password by mass-erasing
    # main flash -- confirm for the target before sending an unverified value.
    opcode = 0x11
    return self._send_command(opcode, passwd)
def RxDataBlock(self, addr, data):
    """Send command 0x10: a 3-byte little-endian address followed by *data*.

    Returns whatever ``_send_command`` returns for the reply.
    """
    payload = _fmt_addr(addr) + data
    return self._send_command(0x10, payload)
def RxDataBlockFast(self, addr, data):
    """Send command 0x1b: a 3-byte little-endian address followed by *data*.

    Unlike ``RxDataBlock`` this passes ``expect_response=False``.
    """
    # NOTE(review): with expect_response=False presumably no status reply is
    # read, so a rejected write is not reported here; verify afterwards (for
    # example with CrcCheck) when the result matters.
    payload = _fmt_addr(addr) + data
    return self._send_command(0x1b, payload, False)
def EraseSegment(self, addr):
    """Send command 0x12 with *addr* encoded as 3 little-endian bytes."""
    encoded = _fmt_addr(addr)
    return self._send_command(0x12, encoded)
def ToggleInfoLock(self):
    """Send command 0x13 with an empty payload and return the reply."""
    opcode, payload = 0x13, ""
    return self._send_command(opcode, payload)
307 return self._send_command(0x15, "")
def CrcCheck(self, addr, length):
    """Send command 0x16 for the region starting at *addr*.

    The payload is the 3-byte little-endian address followed by the 2-byte
    little-endian length.
    """
    region = _fmt_addr(addr) + _fmt_addr(length, 2)
    return self._send_command(0x16, region)
def LoadPc(self, addr, expect_response=False):
    """Send command 0x17 with *addr* encoded as 3 little-endian bytes.

    *expect_response* is forwarded to ``_send_command``; it defaults to False.
    """
    target = _fmt_addr(addr)
    return self._send_command(0x17, target, expect_response)
def TxDataBlock(self, addr, length):
    """Send command 0x18 for *length* bytes starting at *addr*.

    The payload is the 3-byte little-endian address followed by the 2-byte
    little-endian length.
    """
    request = _fmt_addr(addr) + _fmt_addr(length, 2)
    return self._send_command(0x18, request)
def TxBslVersion(self):
    """Send command 0x19 with an empty payload and return the reply."""
    opcode, payload = 0x19, ""
    return self._send_command(opcode, payload)
def TxBufferSize(self):
    """Send command 0x1a with an empty payload and return the reply."""
    opcode, payload = 0x1a, ""
    return self._send_command(opcode, payload)
320 def RxLargeDatablock(self, addr, data):
321 # We can send at most 64 bytes at once, due to HID limitations.
323 sub, data = data[:64], data[64:]
324 self.RxDataBlockFast(addr, sub)
def RxTIHexFast(self, hexstring):
    """Parse *hexstring* with ``TiHex`` and send every section it yields.

    Each ``(address, data)`` pair goes out as one ``RxDataBlockFast`` call;
    sections are not split here. Returns None.
    """
    for base, chunk in TiHex(hexstring):
        self.RxDataBlockFast(base, chunk)
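def FlashTIHex(self, hexstring):
    """Program the image in *hexstring* through the RAM-resident flasher.

    The image is cut into blocks by ``segment_flash``. For every block the
    flasher binary plus a framed payload is loaded at 0x2400 and started with
    ``LoadPc``; the reply to each ``LoadPc`` is printed.

    Frame layout: a 0x01 byte, a checksum byte, ``addr >> 8`` as a
    little-endian 16-bit value, then the block data. The checksum byte is
    chosen so that all frame bytes sum to 255 modulo 256.

    Raises:
        IOError: the flasher binary cannot be read.
        AssertionError: the framed payload fails its checksum self-check.
    """
    flash = segment_flash(TiHex(hexstring))
    sled_path = os.path.join(os.path.dirname(__file__), "shellcode", "bslv2-flasher", "flasher.bin")
    # NOTE(review): flasher.bin is read from the install tree and executed on
    # the target without an integrity check; consider pinning a digest if the
    # tree is not trusted.
    with open(sled_path, "rb") as sled_file:  # close the handle deterministically
        sled = sled_file.read()
    for addr, data in flash:
        # Maybe flash more than one block at a time? We do have 4K of ram
        payload = struct.pack("<H", addr >> 8) + data
        # Reduce modulo 256 last: the previous form, 256 - ((sum + 1) % 256),
        # produced 256 whenever the sum was already 255 mod 256, and chr(256)
        # then failed for that block.
        cksum = (255 - sum(ord(x) for x in "\001" + payload)) % 256
        payload = "\001" + chr(cksum) + payload

        # Explicit raise so the self-check is not stripped under ``python -O``.
        if (sum(ord(x) for x in payload) % 256) != 255:
            raise AssertionError("flasher payload checksum mismatch")

        self.RxLargeDatablock(0x2400, sled + payload)
        print(repr(self.LoadPc(0x2400, True)))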
348 def bounce_hid(self):
349 "Reconnect to the target"
352 self.device = hidapi.HidDevice(self.vid, self.pid)
353 print self.device._device
360 print repr(bsl.RxPassword('\xff' * 32))
361 #print repr(bsl.FlashTIHex(BLINK_BSL))
362 print repr(bsl.RxTIHexFast(BLINK_BSL2))
363 #print repr(bsl.LoadPc(0x2000))
365 #print repr(bsl.RxTIHexFast(file("blinky.tihex","r").read()))
366 print repr(bsl.LoadPc(0x2400, True))
368 print repr("Bouncing...")
370 print repr(bsl.bounce_hid())
371 print repr("waiting")
373 print repr(bsl.TxBufferSize())
374 print repr(bsl.TxBslVersion())
379 for addr, data in segment_flash(TiHex(RAM_BSL)):
381 hexdata = "\n ".join(data[s:s+bs].encode("hex") for s in range(0,len(data),bs))
382 print "%04x %s" % (addr, hexdata)