USB boot wipe #28
Comments
|
This is very interesting feature :-) |
I have just tested this "feature", I want to find way how to replace bootloader with my own. So this is good starting point. firmware size is wrongly generated, and erase is run on many more sectors than needed |
Is USB ISP in this chip is dead? |
|
Yes, i read the bootloader flash as zeros, that means it was written to zeros. Erased flash in these chips is 0x39 0xe3 |
|
I played a bit more with this thing, It seemed that the chip locked itself. After connecting to wch linke utility it unlocked and the bootloader section is indeed erased. |
|
So, i connected the chip to the WCHlink utility in windows. It told me that the chip was locked. Unlocking the chip helped, and i can read the bootlaoder memory as empty: I think what happened is, that the chip tried to erase flash in 64kB blocks. Flash memory in these chips is external SPI or QSPI flash. Bootloader erases memory like this: First at most 0x3f 64kB blocks, then at most 0x1f 32kBlocks, then at most 3x 4kBlocks, then rest as 1kBlocks (4x256). If you request erase of 480sectors, that is 0x78000. This chip's flash memory goes up to address 0x38000. So the bootloader tries to erase memory "beyond". The problem here is:
How to get data back ? Well that is problem. When you try to program anything higher than 0x08038000 you get hardfault. Except when you try to program 0x1fff8000 address space. But it wont get written, but it will not hardfault either! It will hang there for the write in progress flag to drop. My guess is that there is some "unlock bootloader" for ch32v20x/30x chips. But i have not found it yet. (I have tested the ch32v003 method FLASH_BOOT_MODEKEYR). Here is the test code i use: any suggestions are welcome :-) |
|
Thanks for sharing your findings. it's very interesting. |
|
|
|
you can see second die in upper left corner |
|
Wow! |
|
fiddling with bits that you should not .... I call it success (at least partial), the flash controller locked up, and needed power cycle. But the data is there !! |
|
Now it will be nice to find a way to change the bootloader part (at least one bit) |
|
Is there a datasheet on the bootloader sequence? Looks like as you said there is no check in the bootloader (or a logic error). I also would like to know if you can USB ISP over the USB HS interface (on CH32V305/7). |
|
Sorry guys for looong time waiting :) https://github.com/robots/wch-ch32v20x-flash I have written soft to repair the bootloader (or replace it with anything else) |
|
amazing! |
|
Potentially could get a tinyUF2 going in the bootloader then :O (at least for ch32v307 as that is support in tinyUSB) |
Exactly! Or tiny DFU bootloader if UF2 will not fit. |
Perfect catch! |
I made simple stupid blinker on PA0 for ch32v203. It works fine.
My issue that when it assembled with clang instead of GCC it creates bit different elf file which somehow magically erase/disable internal 28k USB bootloader code.
wchisp.exe flash main.elfAfter programming this elf file i am not able anymore to use USB ISP, but SDI way still works.
now wch-link over SDI shows empty region of 28k bootloader @0x1FFF8000.
wchisp is flashing stack region over address 0x20002000
May someone confirm the issue?
Any ideas to recover USB bootloader functionality?
wchisp v0.2.0
main.elf.zip
The text was updated successfully, but these errors were encountered: