Retrieving ST-Link/V2 Firmware from Update Utility

http://www.taylorkillian.com/2013/01/retrieving-st-linkv2-firmware-from.html

http://forum.easyelectronics.ru/viewtopic.php?f=17&t=6620&start=0

Reversing the ST-Link flasher


What for? I want to pull the full firmware out of the cut-down ones, to try to turn a Discovery's ST-Link into a full (well, almost) ST-Link. Naturally there are hardware differences, but they can be overcome: attach a level converter, plus other trivia.
About 15 minutes (writing the code took longer ;) than the reversing) showed that the STM8S-Discovery is the same as ST-Link v1.
The question is: am I just repeating what has already been done ;)? And will anyone be interested in the result?

UPD1. The firmware is pulled out, but it is encrypted. The key has been found; reversing the encryption algorithm. The schematic of a full ST-Link also seems to have turned up on one of ST's dev boards.
UPD2. Don't believe it. :) Decrypted. Now I need to dig up an STM32F103 (it's dumb to experiment on the Discovery :)) and try. If there are brave souls with a finished board for this: let us know, I'd be curious to test it.

So, one part remains: the identification, and the part that is not replaced when flashing: the 0x4000 bytes at the beginning of flash. Any ideas how to get it?
For now I can say that the ST-Link on a Discovery can be turned into a full one, but for a clone from scratch a method of dumping these initial bytes of flash has to be found.

Maybe I haven't quite caught on, but... if you know the firmware encryption algorithm + key, you can make your own firmware that dumps any memory.

I lean towards this too... Besides, the encryption is only in the flasher. In the ST-Link itself the firmware is not encrypted.
I've combed the Internet and am more and more convinced of the usefulness of the built-in ST-Link: on the STM32VL-Discovery it is exactly the same, only cut down to a different software type :) 0x4A is "JTAG Debugger", the STM8 one is type 0x53, "SWIM Debugger", and a type 0x4D, "JTAG + SWIM Debugger", is also possible.
It would still be good to find a live owner of an ST-Link v1; asking them to run a couple of programs would be easier.


This is how I read the marking: namely ST-Link, right? And it's v1. Do you mind if I take a couple of days to run the programs? I just haven't read any further. Maybe we can make a people's debugger for all STMs :).

PS. Soldered JTAG onto the Discovery; the USB-drive part, as expected, gives no direct flash reads, damn :). But it does allow RAM write/read. Wait, I'll cook up a small program to copy a piece of flash into RAM.

No, unfortunately the first 0x3C00 cannot be altered. It seems the DFU logic lives there, and it has not been worked out yet. The firmware structure is as follows:
1. 0x8000000 - 0x8003C00: unknown. Presumably DFU code, not overwritten.
2. 0x8003C00 - 0x8004000: configuration block.
3. 0x8004000 - ...: depends on the version and type of debugger.
4. 0x800D000 - ...: present only on v1, does not depend on the type of debugger.
Parts 3 and 4 are on hand, and so is part 2. Only one block remains to be figured out.
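As an added example (not code from the thread or from ST), the flash layout in this post expressed as a small Python model. The region boundaries, the fact that the first 0x4000 bytes are not replaced by the updater, and the debugger type codes 0x4A/0x53/0x4D are the values quoted in the thread; the region names, the function names, the assumed end of region 3 at 0x800D000 and the constructed 64 KiB sample dump are mine.

```python
"""Model of the ST-Link v1 flash layout described in the thread.

Region boundaries and the debugger type codes are the ones quoted in the
posts; region names, function names and the sample image are constructed
for this example and are not part of any ST tool.
"""

FLASH_BASE = 0x08000000

# (name, start, end) -- end is exclusive; None means "to the end of the image".
# Region 3 is assumed to end where region 4 begins (the post gives only "...").
REGIONS = (
    ("dfu",      0x08000000, 0x08003C00),  # presumed DFU code, not overwritten
    ("config",   0x08003C00, 0x08004000),  # configuration block
    ("firmware", 0x08004000, 0x0800D000),  # depends on version and debugger type
    ("v1_extra", 0x0800D000, None),        # present only on v1, type independent
)

# The updater does not replace the first 0x4000 bytes (per the thread).
UPDATER_SKIPS_BELOW = 0x08004000

# Debugger type codes quoted in the thread.
DEBUGGER_TYPES = {
    0x4A: "JTAG Debugger",
    0x53: "SWIM Debugger",
    0x4D: "JTAG + SWIM Debugger",
}


def _end(end, image_end):
    """Resolve an open-ended region to the image end (or infinity if unknown)."""
    if end is not None:
        return end
    return image_end if image_end is not None else float("inf")


def region_of(addr, image_end=None):
    """Name of the region containing addr, or None if outside the layout."""
    for name, start, end in REGIONS:
        if start <= addr < _end(end, image_end):
            return name
    return None


def touched_regions(start, length, image_end=None):
    """Regions overlapped by a write of `length` bytes at `start` (interval overlap)."""
    stop = start + length
    return [name for name, r_start, r_end in REGIONS
            if start < _end(r_end, image_end) and stop > r_start]


def updater_would_replace(start, length):
    """True if the whole range [start, start+length) lies in the area the
    updater rewrites, i.e. at or above 0x8004000."""
    return start >= UPDATER_SKIPS_BELOW


def split_image(image, base=FLASH_BASE):
    """Slice a raw flash dump that starts at `base` into the named regions."""
    image_end = base + len(image)
    parts = {}
    for name, start, end in REGIONS:
        if start >= image_end:
            break
        stop = min(_end(end, image_end), image_end)
        parts[name] = image[start - base:stop - base]
    return parts


def debugger_type_name(code):
    """Human-readable name for a debugger type code from the thread."""
    return DEBUGGER_TYPES.get(code, "unknown type 0x%02X" % code)


if __name__ == "__main__":
    # Constructed 64 KiB dump: region-sized zero filler, not a real firmware.
    sample = bytes(0x10000)
    for name, data in split_image(sample).items():
        print("%-9s %6d bytes" % (name, len(data)))
    # A write straddling the config/firmware boundary touches both regions
    # and is not something the updater would do on its own.
    print(touched_regions(0x08003F00, 0x200))
    print(updater_would_replace(0x08003F00, 0x200))
    print(debugger_type_name(0x53))
```

`touched_regions` is the useful check when planning a write: anything that overlaps `dfu` or `config` falls in the part the updater leaves alone, which is exactly the part the thread is trying to recover.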


Communication there is primitive, based on SCSI commands. Here's what I've found so far via Google: http://code.google.com/p/arm-utilities/ , where much of the STM32 and STM8 support is done, and also in versaloon and OpenOCD. But it could be reversed further, you're right.

PS. When I have some free time I'll make a proxy for STLinkUSBDriver.dll; then it will be possible to see more fully what's going on during the process.

Heh, you won't believe it... The first block is... a FAT16 drive :). Or an emulation, which is more likely: something there must handle the DFU commands and transfer control to the debugger (which, by the way, is also done through a SCSI command). So of the 16k, the contents of 2.5k are already known; what's left is to get the leftovers.

The USB drive is its main mode. Flashing, debugging and so on all go through it. Questionable practice in my opinion, but it works. In a home-made one the labels can be changed freely; the original flasher checks this area. In theory it's possible with the original too, but that needs a dump, so you know where to change.

I now have two problems:
1. Rewrite the configuration space so that the flasher takes the truncated ST-Link for a full one. I'm writing a program to dump this piece; the write seems clear enough to do. This option looks the most realistic.
2. Plant a "decoy", so that one of the calls produces a memory dump. How is not yet clear. Probably look through the original BIOS file for a hook to pull on. If that's possible, it will be a full clone. For now that's a version from the distant future :).
I'm willing to share the dumped files, provided everything dug out is not used for commercial purposes and is available to everyone (copyleft, in short :)).


Hello everyone.
I assembled a USB SWD programmer per the STM32VLDISCOVERY schematic. The Versaloon firmware works, i.e. vsprog; I didn't try OpenOCD.
CoIDE doesn't want to work with OpenOCD, but it works with ST-Link. I was looking for its firmware and didn't find it.
There is, of course, ST-LinkUpgrade.exe; there is clearly firmware in it, I poked at it with a disassembler, but failed to find anything :(
If you have any sketches, I'd be glad to try them.
Apparently these people were able to get the firmware: http://elecena.pl/product/912714/zl30prg
Thank you!

Pulling the code out of the updater won't give you any of it. The whole problem is just the piece from 0x8000000 to 0x8004000. I fiddled with it for two days, then went and just made a ULinkMe: schematics and firmware are plentiful. I myself use a home-made J-Link built on the Chinese schematic; the third one, ULinkMe, is just out of interest. Repeating ST-Link: I don't see any point in repeating st-link, except as a time-waster. Both the adapter and the software are shit anyway.

PS Sorry for the harsh words; the beer is making itself felt.
PPS
To compensate for the sharpness I can report a successful launch of .NET MF on the STM32F4-Discovery. Now drawing a board for the three cheapest displays from aliexpress (1.8, 2.8, 3.5); whichever arrives first gets .NET MF.


posted @ 2013-09-12 09:35  IAmAProgrammer