treitmey
Joined: 23 Jan 2004 Posts: 1094 Location: Appleton,WI USA
Reverse Engineer the TinyBootloader.
Posted: Mon Oct 12, 2009 11:28 am
I wanted to reverse engineer the Tiny boot loader to better understand
what each part is doing, and perhaps make it easier for others to understand.
http://www.etc.ugal.ro/cchiculita/software/picbootloader.htm
So I want to design in CCS C such that the result is like the following HEX. If you have mpasm and CCS C you can follow along.
Source in asm, similar to tinyB18F with 18F452 set along with fuses.
Btw, if anyone knows of a show-stopper reason this can't be done, let me know. I don't want to sit here spinning my wheels.
1st question: can the startup initialization code be eliminated? I want
to start with a jump to the loader.
Code:
radix DEC
LIST P=18F452 ; change also: Configure->SelectDevice from Mplab
xtal EQU 18432000 ; you may want to change: _XT_OSC_1H _HS_OSC_1H _HSPLL_OSC_1H
baud EQU 19200 ; standard TinyBld baud rates: 115200 or 19200
; The above 3 lines can be changed to build a bootloader for the desired frequency (and PIC type)
;********************************************************************
; Tiny Bootloader 18F series Size=100words
; [email protected]
; http://www.etc.ugal.ro/cchiculita/software/picbootloader.htm
; Modified by Nam Nguyen-Quang for testing different PIC18Fs with tinybldWin.exe v1.9
; [email protected]
;********************************************************************
; This source file is for PIC18F242, 252, 442, 452, 248, 258, 448, 458, 2220, 2320,
; 4220, 4320, 1220, 1320, 2331, 2431, 4331, 4431, 2439, 2539, 4439, and 4539
; Copy these include files to your project directory (i.e. they are in the same
; directory with your .asm source file), if necessary
#include "icdpictypes.inc" ; Takes care of: #include "p18fxxx.inc", max_flash, IdTypePIC
#include "spbrgselect.inc" ; RoundResult and baud_rate
#define first_address max_flash-200 ;100 words
CONFIG OSC = HS, OSCS = OFF, PWRT = ON, BOR = ON, BORV = 27, WDT = OFF
CONFIG WDTPS = 32, CCP2MUX = OFF, STVR = ON, LVP = OFF, DEBUG = OFF
; For different PICs, uncomment the appropriate lines of CONFIG directives
; as indicated, and comment out all the other lines, if necessary
; For example, the following configuration is for PIC18F4580, with 8 MHz crystal
; You could find the symbol names for the chip in its include file
; (in the Microchip\MPASM Suite directory)
;----- CONFIG1H Options -----
; For 18F242, 248, 252, 258, 442, 448, 452, and 458 (xx2/xx8)
; CONFIG OSC = HS, OSCS = OFF
; For 18F1220, 1320, 2220, 2320, 4220, and 4320 (x220/x320)
; CONFIG OSC = HS, FSCM = OFF, IESO = OFF
; CONFIG OSC = INTIO2, FSCM = OFF, IESO = OFF ; Use internal oscillator, xtal = 8000000
; For 18F2331, 2431, 4331, and 4431
; CONFIG OSC = HS, FCMEN = OFF, IESO = OFF
; CONFIG OSC = IRCIO, FCMEN = OFF, IESO = OFF
; For 18F2439, 2539, 4439, and 4539
; CONFIG OSC = HS
; For 2480, 2580, 4480, and 4580
; CONFIG OSC = HS, FCMENB = OFF, IESOB = OFF
; CONFIG OSC = IRCIO67, FCMENB = OFF, IESOB = OFF ; Use internal oscillator, xtal = 8000000
;----- CONFIG2L Options -----
; For 18F242, 248, 252, 258, 442, 448, 452, and 458 (xx2/xx8)
; For 18F1220, 1320, 2220, 2320, 4220, and 4320 (x220/x320)
; and for 18F2439, 2539, 4439, and 4539 as well
; CONFIG PWRT = ON, BOR = ON, BORV = 27
; For 18F2331, 2431, 4331, and 4431
; CONFIG PWRTEN = ON, BOREN = ON, BORV = 27
; For 2480, 2580, 4480, and 4580
; CONFIG PWRT = ON, BOR = BOHW, BORV = 27
;----- CONFIG2H Options -----
; For all of the chips associated with this source file, except xx31 as follows
; CONFIG WDT = OFF, WDTPS = 128
; For 18F2331, 2431, 4331, and 4431
; CONFIG WDTEN = OFF, WINEN = OFF, WDPS = 128
;----- CONFIG3L Options -----
; For 18F2331, 2431, 4331, and 4431
; CONFIG T1OSCMX = ON, HPOL = HIGH, LPOL = HIGH, PWMPIN = OFF
;----- CONFIG3H Options -----
; For 18F242, 252, 442, and 452
; CONFIG CCP2MUX = OFF
; For 18F1220, 1320, 2220, 2320, 4220, and 4320
; CONFIG MCLRE = ON, PBAD = DIG, CCP2MX = OFF
; For 18F2331, and 2431
; CONFIG MCLRE = ON
; For 18F4331, and 4431
; CONFIG MCLRE = ON, EXCLKMX = RD0, PWM4MX = RD5, SSPMX = RD1, FLTAMX = RD4
; For 2480, 2580, 4480, and 4580
; CONFIG MCLRE = ON, LPT1OSC = OFF, PBADEN = OFF
;----- CONFIG4L Options -----
; For 18F242, 248, 252, 258, 442, 448, 452, and 458
; For 18F1220, 1320, 2220, 2320, 4220, and 4320
; and for 18F2439, 2539, 4439, and 4539 as well
; CONFIG STVR = ON, LVP = OFF, DEBUG = OFF
; For 18F2331, 2431, 4331, and 4431
; CONFIG STVREN = ON, LVP = OFF, DEBUG = OFF
; For 2480, 2580, 4480, and 4580
; CONFIG STVREN = ON, LVP = OFF, DEBUG = OFF, XINST = OFF, BBSIZ = 1024
;----------------------------- PROGRAM ---------------------------------
cblock 0
crc
i
cnt1
cnt2
cnt3
counter_hi
counter_lo
flag
endc
cblock 10
buffer:64
dummy4crc
endc
SendL macro car
movlw car
movwf TXREG
endm
;0000000000000000000000000 RESET 00000000000000000000000000
ORG 0x0000
GOTO IntrareBootloader
;view with TabSize=4
;&&&&&&&&&&&&&&&&&&&&&&& START &&&&&&&&&&&&&&&&&&&&&&
;---------------------- Bootloader ----------------------
;PC_flash: C1h U H L x ... <64 bytes> ... crc
;PC_eeprom: C1h 40h EEADR EEDATA 0 crc
;PC_cfg C1h U OR 80h H L 1 byte crc
;PIC_response: type `K`
ORG first_address ;space to deposit first 4 instr. of user prog.
nop
nop
nop
nop
org first_address+8
IntrareBootloader
;init IntOSC, added by Nam Nguyen-Quang
;movlw 0x70
;movwf OSCCON
; the above 2 lines should be commented out for designs not using the internal oscillator
; or for the chips without the internal oscillator
;init serial port
movlw b'00100100'
movwf TXSTA
movlw spbrg_value
movwf SPBRG
movlw b'10010000'
movwf RCSTA
;wait for computer
rcall Receive
sublw 0xC1 ;Expect C1h
bnz way_to_exit
SendL IdTypePIC ;send PIC type
MainLoop
SendL 'K' ; "-Everything OK, ready and waiting."
mainl
clrf crc
rcall Receive ;Upper
movwf TBLPTRU
movwf flag ;(for EEPROM and CFG cases)
rcall Receive ;Hi
movwf TBLPTRH
movwf EEADR ;(for EEPROM case)
rcall Receive ;Lo
movwf TBLPTRL
movwf EEDATA ;(for EEPROM case)
rcall Receive ;count
movwf i
incf i
lfsr FSR0, (buffer-1)
rcvoct ;read 64+1 bytes
movwf TABLAT ;prepare for cfg; => store byte before crc
rcall Receive
movwf PREINC0
decfsz i
bra rcvoct
tstfsz crc ;check crc
bra ziieroare
btfss flag,6 ;is EEPROM data?
bra noeeprom
movlw b'00000100' ;Setup eeprom
rcall Write
bra waitwre
noeeprom
btfss flag,7 ;is CFG data?
bra noconfig
tblwt* ;write TABLAT(byte before crc) to TBLPTR***
movlw b'11000100' ;Setup cfg
rcall Write
bra waitwre
noconfig
;write
eraseloop
movlw b'10010100' ; Setup erase
rcall Write
TBLRD*- ; point to adr-1
writebigloop
movlw 8 ; 8groups
movwf counter_hi
lfsr FSR0,buffer
writesloop
movlw 8 ; 8bytes = 4instr
movwf counter_lo
writebyte
movf POSTINC0,w ; put 1 byte
movwf TABLAT
tblwt+*
decfsz counter_lo
bra writebyte
movlw b'10000100' ; Setup writes
rcall Write
decfsz counter_hi
bra writesloop
waitwre
;btfsc EECON1,WR ;for eeprom writes (wait to finish write)
;bra waitwre ;no need: round trip time with PC bigger than 4ms
bcf EECON1,WREN ;disable writes
bra MainLoop
ziieroare ;CRC failed
SendL 'N'
bra mainl
;******** procedures ******************
Write
movwf EECON1
movlw 0x55
movwf EECON2
movlw 0xAA
movwf EECON2
bsf EECON1,WR ;WRITE
nop
;nop
return
Receive
movlw xtal/1845200 + 1 ; for 20MHz => 11 => 1second delay
; for 18F2xxx chips, this should be xtal/1000000+1
movwf cnt1
rpt2
clrf cnt2
rpt3
clrf cnt3
rptc
btfss PIR1,RCIF ;test RX
bra notrcv
movf RCREG,w ;return read data in W
addwf crc,f ;compute crc
return
notrcv
decfsz cnt3
bra rptc
decfsz cnt2
bra rpt3
decfsz cnt1
bra rpt2
;timeout:
way_to_exit
bcf RCSTA, SPEN ; deactivate UART
bra first_address
;*************************************************************
; After reset
; Do not expect the memory to be zero,
; Do not expect registers to be initialised like in catalog.
END
Code:
:020000040000FA
:04000000A0EF3FF03E
:087F3800000000000000000041
:107F4000240EAC6E3B0EAF6E900EAB6E46D8C108E1
:107F500053E1410EAD6E4B0EAD6E006A3ED8F86E29
:107F6000076E3BD8F76EA96E38D8F66EA86E35D876
:107F7000016E012A00EE09F0F56E2FD8EC6E012E8D
:107F8000FBD700661FD007AC03D0040E1ED818D054
:107F900007AE04D00C00C40E18D812D0940E15D819
:107FA0000A00080E056E00EE0AF0080E066EEE508E
:107FB000F56E0F00062EFBD7840E07D8052EF5D7D9
:107FC000A694C9D74E0EAD6EC8D7A66E550EA76E35
:107FD000AA0EA76EA682000012000A0E026E036AA5
:107FE000046A9EAA03D0AE5000261200042EF9D7D0
:0C7FF000032EF6D7022EF3D7AB9E9ED7CF
:020000040030CA
:03000100220A0AC6
:02000500008178
:060008000FC00FE00F40E5
:00000001FF
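The listing above is an Intel HEX file, and the layout it encodes (a GOTO at the reset vector, four reserved instructions at first_address, the loader body right after them) can be checked mechanically rather than by eye. The following Python is an added example written for this thread; it is not code from the original post or from the Tiny Bootloader project. It parses the records posted above with per-record checksum verification, decodes the reset-vector GOTO, reads back the reserved slot, and lists any bytes of a user image that would land inside the loader's region (the "B/L overwriting risk" a host program should refuse). It assumes max_flash = 0x8000 for the 18F452; the function names are mine.

```python
"""Intel HEX parser with record-checksum verification, run over the TinyBld
image for the 18F452 posted above (added example, not part of the original
post or of the Tiny Bootloader project)."""

# Copied from the HEX listing in the post above.
TINYBLD_18F452_HEX = """\
:020000040000FA
:04000000A0EF3FF03E
:087F3800000000000000000041
:107F4000240EAC6E3B0EAF6E900EAB6E46D8C108E1
:107F500053E1410EAD6E4B0EAD6E006A3ED8F86E29
:107F6000076E3BD8F76EA96E38D8F66EA86E35D876
:107F7000016E012A00EE09F0F56E2FD8EC6E012E8D
:107F8000FBD700661FD007AC03D0040E1ED818D054
:107F900007AE04D00C00C40E18D812D0940E15D819
:107FA0000A00080E056E00EE0AF0080E066EEE508E
:107FB000F56E0F00062EFBD7840E07D8052EF5D7D9
:107FC000A694C9D74E0EAD6EC8D7A66E550EA76E35
:107FD000AA0EA76EA682000012000A0E026E036AA5
:107FE000046A9EAA03D0AE5000261200042EF9D7D0
:0C7FF000032EF6D7022EF3D7AB9E9ED7CF
:020000040030CA
:03000100220A0AC6
:02000500008178
:060008000FC00FE00F40E5
:00000001FF
"""

MAX_FLASH = 0x8000                # assumption: 32 KB program memory (18F452)
FIRST_ADDRESS = MAX_FLASH - 200   # '#define first_address max_flash-200' in the source


def parse_ihex(text):
    """Return {absolute_address: byte} for every data record.

    The last byte of a record makes the 8-bit sum of the record zero; a
    record that fails that check, or whose length field disagrees with
    its real length, is rejected instead of being silently loaded."""
    image, upper = {}, 0
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if not line.startswith(":"):
            raise ValueError("line %d: record does not start with ':'" % lineno)
        raw = bytes.fromhex(line[1:])
        if sum(raw) & 0xFF:
            raise ValueError("line %d: checksum mismatch" % lineno)
        length, rtype = raw[0], raw[3]
        if len(raw) != length + 5:
            raise ValueError("line %d: length field mismatch" % lineno)
        addr = (raw[1] << 8) | raw[2]
        data = raw[4:4 + length]
        if rtype == 0x00:                       # data record
            for i, b in enumerate(data):
                image[upper + addr + i] = b
        elif rtype == 0x01:                     # end of file
            break
        elif rtype == 0x04:                     # extended linear address (upper 16 bits)
            upper = ((data[0] << 8) | data[1]) << 16
        else:
            raise ValueError("line %d: unsupported record type 0x%02X" % (lineno, rtype))
    return image


def reset_vector_target(image):
    """Decode the PIC18 GOTO at 0x0000 (two little-endian words: EFkk, F0kk)."""
    lo = image[0] | (image[1] << 8)
    hi = image[2] | (image[3] << 8)
    if (lo & 0xFF00) != 0xEF00 or (hi & 0xF000) != 0xF000:
        raise ValueError("reset vector is not a GOTO")
    return (((hi & 0x0FFF) << 8) | (lo & 0xFF)) << 1   # word address -> byte address


def reserved_reset_slot(image):
    """The 8 bytes at first_address where TinyBld parks the user's first 4 instructions."""
    return bytes(image.get(FIRST_ADDRESS + i, 0xFF) for i in range(8))


def user_image_conflicts(image):
    """Addresses of a user image that fall inside the bootloader's flash region."""
    return sorted(a for a in image if FIRST_ADDRESS <= a < MAX_FLASH)


if __name__ == "__main__":
    img = parse_ihex(TINYBLD_18F452_HEX)
    print("reset vector jumps to 0x%04X (first_address+8 = 0x%04X)"
          % (reset_vector_target(img), FIRST_ADDRESS + 8))
    print("reserved slot:", reserved_reset_slot(img).hex())
    print("loader occupies %d bytes in its region" % len(user_image_conflicts(img)))
```

Run on the posted image, the reset vector decodes to first_address+8, the reserved slot holds the four `nop`s (eight zero bytes), and the loader occupies 196 bytes of the 200 reserved; the config records at 0x300000 and above sit outside program memory and are kept in the map but never counted as a conflict.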
ckielstra
Joined: 18 Mar 2004 Posts: 3680 Location: The Netherlands
Posted: Mon Oct 19, 2009 5:24 pm
The bootloader code is short so it should be relatively easy to port. I'm willing to help but don't fully understand why you would want to do this.
The beauty of this bootloader is it being so tiny. Rewriting the code in CCS-C makes it easier to understand but will also be (slightly) larger.

asmallri
Joined: 12 Aug 2004 Posts: 1635 Location: Perth, Australia
Posted: Mon Oct 19, 2009 9:52 pm
If you look at the stated objective of the Tiny Bootloader, its primary objective was to make the code as small as possible. Porting to CCS would double the size and you would still be dependent on the PC programmer application.
_________________
Regards, Andrew
http://www.brushelectronics.com/software
Home of Ethernet, SD card and Encrypted Serial Bootloaders for PICs!!

treitmey
Joined: 23 Jan 2004 Posts: 1094 Location: Appleton,WI USA
Posted: Tue Oct 20, 2009 8:04 am
Yes, I understand the concerns. And I think most of the port may be
simple #asm statements, and #org to put it in the right area.
My goal was to make it easier to understand, while producing the exact
same hex.
Well, the history is I was trying to add a TX enable.
I'm ashamed to say I had a lot of difficulty.
I also was trying the ds30 loader.
http://mrmackey.no-ip.org/elektronik/ds30loader/
And I was having a lot of difficulty.
I figure many more people will embrace the bootloader if they see
its design (in C) and understand how it works. They may even be
able to make easy changes (TXE) without help.
I have been given permission to reverse eng. it by the author:
    Yes, it is OK to use that code for whatever purposes, to learn from it,
    rewrite in another language (CCS) and make it available to others.
    Claudiu dot Chiculita at ugal dot ro
So.....
The first step was to get any type of code compiling without the CCS startup code,
and perhaps get it to #org in the proper area.
Also, any thoughts? Will I have to compile with CCS then assemble with mpasm?
This is all very new. Sorry for the ignorance.
Last edited by treitmey on Tue Oct 20, 2009 8:15 am; edited 1 time in total

treitmey
Joined: 23 Jan 2004 Posts: 1094 Location: Appleton,WI USA
Posted: Tue Oct 20, 2009 8:11 am
Maybe this isn't a worthwhile project.
After several days I think I understand much of the asm.
And there are many comments.
Perhaps I should just move on.
I've got my TXE working, thanks to
Mark Weir's code.
Consider the thread closed.

Guest
Posted: Tue Oct 20, 2009 9:54 am
I think it's a good idea to make a real small C code loader. The loader must import standard bin hex file, just as tiny loader...
The one CCS made is real bad stuff!

treitmey
Joined: 23 Jan 2004 Posts: 1094 Location: Appleton,WI USA
Posted: Tue Oct 20, 2009 10:37 am
Look at ds30 loader. The link is above.
In hindsight I think my problems with ds30loader were because of a
beta release that was hanging on eeprom write.
I think he fixed that now.

ckielstra
Joined: 18 Mar 2004 Posts: 3680 Location: The Netherlands
Posted: Tue Oct 20, 2009 12:27 pm
Anonymous wrote:
    I think it's a good idea to make a real small C code loader. The loader must import standard bin hex file, just as tiny loader...
The Tiny bootloader does not import standard bin hex files; that's one of the reasons why it can be so tiny. Reading the file and converting to bin is done by the special PC program (and this source code is not provided).
Quote:
    The one CCS made is real bad stuff!
I don't think it is so bad. It is just lacking a good 'how-to' document describing how to use it.

Guest
Posted: Tue Oct 20, 2009 1:00 pm
I just made a test, and:
1) loader changed to my OSC!
2) I burned it to the PIC.
3) Started the PC loader. It found the right device, 18F26j11.
4) Uploaded a test program, but here the PC program crashed at the end of the verifying process?
Not good?

ckielstra
Joined: 18 Mar 2004 Posts: 3680 Location: The Netherlands
Posted: Thu Oct 22, 2009 3:23 am
Anonymous guest: Which bootloader are you testing?
You mention a PC loader program. The CCS bootloader does not use such a program.
My guess is you tried the Tiny bootloader? If that's true then go for help to the Tiny Bootloader website. The source code of the Tiny Bootloader PC program is not public so we cannot help you.

Gonzalo Guest

Cracking TinyPICbld
Posted: Mon Jan 11, 2010 4:01 pm
I spent some time years ago, using a freeware serial port monitor to sniff serial traffic between the PC s/w and PC bootloader. Seems like something completely feasible for doing with any Java, C or VB app.
I remember a dialogue much like this:
1- PC: burst of C1h bytes // a sort of ping, with rate and timeout defined by PC sw
2- PIC: 2K // PIC acknowledge command
3- PC: Send binary bytes of HEX file, in chunks of 16xn bytes, exactly as seen in hex file.
4- PIC: Send same ACK command upon successfully writing each chunk in Flash, and ready to accept the next one // much like XON/XOFF protocol
That's all. PC sw might scan the hex file to check if there's a B/L overwriting risk.
Gonzalo
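The exchange as the .asm listing earlier in this thread actually implements it, with both sides simulated, as an added example (not code from this thread, from the Tiny Bootloader project or from its PC program). The PC side builds the three packet kinds the listing's header comments describe (flash: U H L count <64 bytes> crc; EEPROM: 40h EEADR EEDATA 0 crc; CFG: U|80h H L 1 byte crc); the PIC side mirrors IntrareBootloader and mainl, including the greeting of IdTypePIC followed by 'K' that the source sends in reply to C1h. The "crc" is the 8-bit additive sum that the Receive routine accumulates, and the last helper shows the caveat that matters when trusting an image written this way: two byte errors that cancel under that sum pass the check. PIC_TYPE_ID, MAX_FLASH and every name here are my assumptions.

```python
"""PC and PIC sides of the TinyBld serial exchange, following the .asm listing
earlier in this thread.  Added example: not code from the thread, from the
Tiny Bootloader project or from its PC program.  All names are assumptions."""

PIC_TYPE_ID = 0x42   # assumption: stands in for the IdTypePIC byte of the device
MAX_FLASH = 0x8000   # assumption: 32 KB program memory (18F452)


def build_packet(u, h, l, body=b""):
    """PC side: header U, H, L, count; then the body; then one check byte.
    The PIC adds every received byte into 'crc' and expects zero at the end,
    so the check byte is the two's complement of the 8-bit sum so far."""
    header = bytes([u, h, l, len(body)])
    return header + body + bytes([(-sum(header + body)) & 0xFF])


def flash_packet(address, data):
    """'PC_flash: C1h U H L x ... <64 bytes> ... crc' with x = 64."""
    if len(data) != 64:
        raise ValueError("a flash packet carries exactly one 64-byte block")
    return build_packet((address >> 16) & 0x3F, (address >> 8) & 0xFF,
                        address & 0xFF, data)


def eeprom_packet(addr, value):
    """'PC_eeprom: C1h 40h EEADR EEDATA 0 crc'; bit 6 of U selects EEPROM."""
    return build_packet(0x40, addr, value)


def config_packet(address, value):
    """'PC_cfg: C1h U OR 80h H L 1 byte crc'; bit 7 of U selects CFG."""
    return build_packet(((address >> 16) & 0x3F) | 0x80, (address >> 8) & 0xFF,
                        address & 0xFF, bytes([value]))


class TinyBldPic:
    """PIC side: the handshake at IntrareBootloader, then MainLoop/mainl."""

    def __init__(self):
        self.flash = bytearray(b"\xFF" * MAX_FLASH)
        self.eeprom = bytearray(b"\xFF" * 256)
        self.config = {}
        self.running_user_code = False

    def handshake(self, first_byte):
        """'sublw 0xC1 / bnz way_to_exit': anything but C1h starts the user program."""
        if first_byte != 0xC1:
            self.running_user_code = True
            return b""
        return bytes([PIC_TYPE_ID]) + b"K"       # SendL IdTypePIC; SendL 'K'

    def handle_packet(self, packet):
        """One pass through mainl: b'K' when written, b'N' when the sum check fails."""
        u, h, l, count = packet[:4]
        if len(packet) != 5 + count:              # simulation only; the real part would time out
            raise ValueError("packet length does not match its count byte")
        if sum(packet) & 0xFF:                    # 'tstfsz crc / bra ziieroare'
            return b"N"
        body = packet[4:4 + count]
        tablat = packet[3 + count]                # the byte received just before crc
        if u & 0x40:                              # 'btfss flag,6': EEPROM data
            self.eeprom[h] = l
        elif u & 0x80:                            # 'btfss flag,7': CFG data via tblwt*
            self.config[((u & 0x3F) << 16) | (h << 8) | l] = tablat
        else:                                     # erase the block, then 8 groups of 8 bytes
            address = ((u & 0x3F) << 16) | (h << 8) | l
            if count != 64 or address % 64 or address + 64 > MAX_FLASH:
                raise ValueError("simulation only accepts aligned 64-byte blocks")
            self.flash[address:address + 64] = b"\xFF" * 64
            self.flash[address:address + 64] = body
        return b"K"


def compensating_corruption(packet):
    """Two byte errors that cancel under an 8-bit additive sum (for the caveat below)."""
    p = bytearray(packet)
    p[4] = (p[4] + 1) & 0xFF
    p[5] = (p[5] - 1) & 0xFF
    return bytes(p)


def run_session(pic, packets):
    """Whole exchange: the C1h ping, then one packet per 'K'."""
    greeting = pic.handshake(0xC1)
    return greeting, [pic.handle_packet(p) for p in packets]


if __name__ == "__main__":
    pic = TinyBldPic()
    block = flash_packet(0x0100, bytes(range(64)))   # constructed sample block
    print(run_session(pic, [block, eeprom_packet(0x10, 0xAB),
                            config_packet(0x300001, 0x22)]))
    print("single-bit error ->", pic.handle_packet(bytes([*block[:10], block[10] ^ 1, *block[11:]])))
    print("compensating errors ->", pic.handle_packet(compensating_corruption(block)))
```

The single-bit corruption is caught and answered with 'N', exactly as `ziieroare` does; the compensating corruption is accepted with 'K' and lands in flash, which is why a host that cares about image integrity verifies the written image (or carries a stronger check in the hex it feeds the loader) rather than relying on this sum.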