Topic: Linux - Bootloader-Programmer

Re: Linux - Bootloader-Programmer

Reply #15
Yeah, it's the same for every location. Of course I've tried erasing the board, but the values still remain the same.

I experimented a bit using my API and made the following observations:
I can read flash, EEDATA and CONFIG, i.e. the values remain the same after writing.
I can't write flash or EEDATA, but I can write to CONFIG; however, if I unplug the BP the values are reset.

--> Maybe I have enabled some write protection by setting (random) values in the config?

Re: Linux - Bootloader-Programmer

Reply #16
That could explain it. There are usually various configuration bits to set block protection fuses. You might have also enabled code protect.

Can you make a dump of the chip using the quick programmer read function (it's probably just 0xffffff, huh)? Do you have any way to access an ICD2 and try to read out the chip? If you're at a dead end, let's make arrangements to mail it to me for repair.
Got a question? Please ask in the forum for the fastest answers.

Re: Linux - Bootloader-Programmer

Reply #17
I asked one of my university teachers if he has one for me - maybe I'm lucky.

Isn't it possible to set the config vars using the Windows programmer? (Unfortunately I don't have the menu for it.)

Re: Linux - Bootloader-Programmer

Reply #18
I'm pretty sure the firmware includes the configuration bits. Wouldn't it get set with the Windows programmer on a firmware update?

Re: Linux - Bootloader-Programmer

Reply #19
If I read back the chip using the Windows programmer, everything is FF FF FF 0 except 0x800 - 0x17BB, which is the bootloader + some code as far as I can guess :)

Re: Linux - Bootloader-Programmer

Reply #21
Wow, that programmer is serious overkill.

Do you already have a PIC programmer? If so, can you do a chip erase and verify that it is blank? If it is blank it should just be a matter of reloading the bootloader.

If you can't blank the chip then it becomes harder. :)


Re: Linux - Bootloader-Programmer

Reply #22
Oh sorry, it's only a Galep 4, but this one should suffice too?
It's not mine, but I can borrow it from my university for a few weeks.

Re: Linux - Bootloader-Programmer

Reply #23

I'm also interested in writing a Linux programmer for the Bus Pirate. I've read over AN1157 and implemented most of a programmer. A few issues have come up, though; let's start with the logs you posted (maybe you can provide better ones?):

Read 1 word from offset 0xFF0000 - Result: 0x47 0x04 0x00 0x00 Checksum: B4
Ask for Bootloader Revision - Result: 0x02, 0x01 Checksum: FB
Read 2 words from offset 0x000000 - Result: 0x00 0x04 0x04 0x00 0x00 0x00 0x00 0x00 Checksum: F5
These were fine and made sense and work in my programmer program.

Erase Device again using the same parameters as last time
Since there are no arguments, I looked at the source code and the ini file you provided with the Windows programmer. It would seem that with 0xAC00 addresses to erase you would use 21 or 22 erase pages to clear it. This doesn't actually seem to be the case. Up to 43 "works" in that the serial doesn't time out. This seems to be the "right" number; perhaps the erase block size is wrong or I'm misunderstanding something? Programming the chip with my PICkit 2 and then erasing it does work, though.


Write to Flash again using the same parameters as last time

{55}{55}{01}{40}{00}{00}{00} ...
Read 0x40 words from address 0x000000 - Read back the written data for verification

Write to Flash again using the same parameters as last time (not sure why this is at the end)
While the write appears to work (my code doesn't cause any timeouts), the chip isn't actually written to. Any ideas? I'm using the same addresses and data shown in this post (and trying the whole HEX file too). Along these lines, reading from certain memory addresses causes a timeout on the serial line. What might cause this?


Hack a Day Bus Pirate v2go
Firmware v2.0


Heh, unfortunately, not very useful. The first character (0x11) I'm not sure about, but it doesn't seem to put the device back into user mode. The bootloader code suggests that the correct sequence is a data packet with the command 0x08, but that doesn't seem to work either.

Anyway! The programmer code is at and it's written in Python. You'll need the pyserial module to make it work. It's certainly not finished; there's lots of error checking and bug fixing still to be done, but it's a start!

Things that should work:
  • Reading the bootloader version
  • Reading the device memory (mostly, there's still a few issues including some random timeouts)
  • Erasing the device memory

Things that don't work:
  • Writing the device memory (seems like it works, but verification and reading it back shows that it didn't)
  • Resetting the bootloader to user mode (the command seems to make no change, perhaps due to the writing issues?)

Thanks for looking!

Re: Linux - Bootloader-Programmer

Reply #24
Here's the work that's been done so far, just uploaded to the SVN yesterday: ... tail?r=169

Re: Linux - Bootloader-Programmer

Reply #25
Okay, would you like patches that add to this code? I'm not really much of a Python programmer, I mostly work with C, but there's a bunch of features/options in my code that I could easily provide patches to implement.

Would it be possible to get better dumps? I don't think that what we've got is enough to really make this work, sorry!

Re: Linux - Bootloader-Programmer

Reply #26
Thank you, a patch would be great, or you can have SVN access (send me an e-mail address that's registered with Google). Peter's actually maintaining the Python QP code; I only have a passing familiarity with Python.

Looking at your break-down of my dumps, the "sequence to start the bootloader" is actually the output of the firmware after it boots. Great catch, I didn't pay any attention. I bet that's causing a problem because it's certainly not correct.

Do you want dumps that show who said what? A text file with a full, 100% log of a programming session? Do you have a favorite snooper utility? I'll be happy to provide anything I can.

Re: Linux - Bootloader-Programmer

Reply #27
It's pretty easy to pick out who said what, so don't go to that kind of trouble. The things I would like to see to fix my code would be:

  • The erase command
  • A programming command
  • The "go" command

The format you've used here is fine. If it's easier for you to provide a log of a whole programming session, it's pretty easy to work with.

Thanks for the help!

Re: Linux - Bootloader-Programmer

Reply #28
I'm doing some new dumps, and they look exactly like the old ones. It looks like the serial splitter isn't echoing the data from the local application into the other local apps. I need to find a new way to dump the traffic; I think the previous dumps only show what the PIC echoes back to the application.

While I work on dumping the traffic, does the source to the Quick Programmer .dll help? PICBOOT.h defines all the commands:

//Bootloader commands
#define COMMAND_READVER      0
#define COMMAND_READPM      1
#define COMMAND_WRITEPM      2
#define COMMAND_ERASEPM      3
#define COMMAND_READEE      4
#define COMMAND_WRITEEE      5
#define COMMAND_READCFG      6

PICBOOT.c has simple C functions. Here's the erase PIC function:

/****************************************************************************
    FUNCTION:   ErasePIC

    PURPOSE:    Simple erase function.
****************************************************************************/
/* The function header and the InData[0] line did not survive the paste; the
   signature below is reconstructed from the parameter names used in the body,
   and InData[0] from the COMMAND_ERASEPM define in PICBOOT.h above. */
INT ErasePIC(HANDLE hComPort, DWORD PICAddr, BYTE nBlock, INT nRetry)
{
   BYTE InData[MAX_PACKET];      //Allocate for one packet
   INT RetStatus;

   //Build header
   InData[0] = COMMAND_ERASEPM;  //reconstructed: command byte 3
   InData[1] = nBlock;           //number of erase pages
   InData[2] = (BYTE)(PICAddr & 0xFF);               //24-bit address, little-endian
   InData[3] = (BYTE)((PICAddr & 0xFF00) / 0x100);
   InData[4] = (BYTE)((PICAddr & 0xFF0000) / 0x10000);

   //SendGetPacket frames the 5 header bytes, sends them, and overwrites InData with the reply
   RetStatus = SendGetPacket(hComPort, InData, 5, MAX_PACKET, nRetry);

   if(RetStatus < 0) return RetStatus;

   return InData[1];
}

The command to make the PIC go is sent from PicComms.bas in the P24qp program. It looks like it's just a packet of two 0s:
Function GotoRunMode() As Integer
    ReDim DevID(10) As Byte
    Dim RetStat As Integer
    Dim picb As PIC

    DevID(0) = 0    ' command byte
    DevID(1) = 0    ' second byte; the two zeros are the whole payload
    ' send 2 bytes; framing (55 55 ... 04) and the checksum are added by SendPacket
    RetStat = SendPacket(PicBootS.PortHandle, DevID(0), 2)
End Function

It's picked up by the SendPacket function in PICBOOT.c:

INT SendPacket(HANDLE hComPort,     /* return type and this parameter reconstructed: the first
                                       line of the prototype did not survive the paste, and the
                                       call in GotoRunMode() passes three arguments */
               BYTE PacketData[],
               WORD NumOfBytes);

I'll try to get a dump that shows both sides of the COM traffic.


Re: Linux - Bootloader-Programmer

Reply #29
I used the free MS Windows Portmon utility to get a full debug dump of the serial traffic. The virtual serial port monitor I used didn't echo back the local traffic, only the serial port traffic. I held this up by posting bad dumps, and I'm really sorry. Now we can really see what's going on. I also attached this as an archive.

17   0.00042659   P24QP.exe   IRP_MJ_WRITE   VCP0   SUCCESS   Length 9: 55 55 01 01 00 00 FF FF 04    
18   0.00398207   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 55    
19   0.00000503   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 55    
20   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 01    
21   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 01    
22   0.00000251   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 00    
23   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 00    
24   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: FF    
25   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 47    
26   0.00000251   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 05    
27   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 04    
28   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 00    
29   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 00    
30   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: B4    
31   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 04    
32   0.00028607   P24QP.exe   IRP_MJ_WRITE   VCP0   SUCCESS   Length 6: 55 55 00 02 FE 04    
33   0.01497844   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 55    
34   0.00000503   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 55    
35   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 00    
36   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 02    
37   0.00000251   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 02    
38   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 01    
39   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: FB    
40   0.00000251   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 04    
41   0.00024780   P24QP.exe   IRP_MJ_WRITE   VCP0   SUCCESS   Length 9: 55 55 01 02 00 00 00 FD 04    
42   0.01398278   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 55    
43   0.00000475   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 55    
44   0.00000251   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 01    
45   0.00000251   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 02    
46   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 00    
47   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 00    
48   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 00    
49   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 00    
50   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 05    
51   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 04    
52   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 05    
53   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 04    
54   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 00    
55   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 00    
56   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 00    
57   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 00    
58   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 00    
59   0.00000251   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: F5    
60   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 04

0   0.00054476   P24QP.exe   IRP_MJ_WRITE   VCP0   SUCCESS   Length 9: 55 55 03 2A 00 00 00 D3 04    
1   0.85696953   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 55    
2   0.00000643   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 55    
3   0.00000251   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 03    
4   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: FD    
5   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 04    

Exit bootloader:
0   0.00102639   P24QP.exe   IRP_MJ_WRITE   VCP0   SUCCESS   Length 6: 55 55 00 00 00 04    
1   0.00000419   P24QP.exe   IRP_MJ_CLEANUP   VCP0   SUCCESS      
2   0.13068421   P24QP.exe   IRP_MJ_CLOSE   VCP0   SUCCESS   

The programming dump is only the first 26000 lines, but it includes about 2 MB of text. It's in the archive attached to this message.
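As an added example (not part of the thread, and not code from P24QP or the PICBOOT .dll), here is a Python codec for the frames that the Portmon dump above makes visible: two 0x55 start bytes, a payload, a two's-complement checksum over that payload, a 0x04 end byte, and a 0x05 escape byte placed in front of any payload or checksum byte that happens to equal 0x55, 0x04 or 0x05 (that is where the `05 04` pairs in the read replies come from). It also pairs each IRP_MJ_WRITE with the byte-at-a-time IRP_MJ_READ lines that follow it, so it serves both the questions in reply #23 and the ErasePIC()/GotoRunMode() frames in reply #28. Every frame value it is checked against is copied from the dump lines posted above; the function and variable names (`encode`, `decode`, `command`, `parse_portmon`, `PORTMON_EXCERPT`) and the `GOTORUN` label are mine, and only the command byte values come from PICBOOT.h.

```python
import re

STX, ETX, DLE = 0x55, 0x04, 0x05  # start byte (sent twice), end byte, escape byte
COMMANDS = {0: "READVER", 1: "READPM", 2: "WRITEPM", 3: "ERASEPM", 4: "READEE", 5: "WRITEEE", 6: "READCFG"}  # PICBOOT.h

def checksum(payload: bytes) -> int:
    """Two's complement of the byte sum, so that sum(payload + [checksum]) & 0xFF == 0."""
    return (-sum(payload)) & 0xFF

def encode(payload: bytes) -> bytes:
    """STX STX <payload + checksum, DLE-stuffed> ETX. The checksum covers the unstuffed payload."""
    out = bytearray([STX, STX])
    for b in bytes(payload) + bytes([checksum(payload)]):
        if b in (STX, ETX, DLE):
            out.append(DLE)  # escape any byte that would otherwise look like framing
        out.append(b)
    return bytes(out + bytes([ETX]))

def decode(frame: bytes) -> bytes:
    """Inverse of encode(): strip framing, undo stuffing, verify the checksum, return the payload."""
    if len(frame) < 4 or frame[:2] != bytes([STX, STX]) or frame[-1] != ETX:
        raise ValueError("bad framing: " + frame.hex())
    body, escaped = bytearray(), False
    for b in frame[2:-1]:
        if escaped or b != DLE:
            body.append(b)
            escaped = False
        else:
            escaped = True
    if escaped or sum(body) & 0xFF:
        raise ValueError("dangling DLE or checksum mismatch: " + frame.hex())
    return bytes(body[:-1])

def command(cmd: int, count: int, addr: int = None) -> bytes:
    """Request frame: command, count, then the 24-bit little-endian address that ErasePIC()
    packs into InData[2..4]. READVER ("00 02") and GotoRunMode ("00 00") carry no address."""
    payload = bytes([cmd, count])
    if addr is not None:
        payload += bytes([addr & 0xFF, (addr >> 8) & 0xFF, (addr >> 16) & 0xFF])
    return encode(payload)

_LINE = re.compile(r"IRP_MJ_(WRITE|READ)\b.*?Length \d+: ([0-9A-Fa-f ]+)")

def _frame_complete(buf: bytes) -> bool:
    """Portmon logs one READ per byte; a reply is complete at the first unescaped ETX."""
    escaped = False
    for b in buf[2:]:
        if escaped:
            escaped = False
        elif b == DLE:
            escaped = True
        elif b == ETX:
            return True
    return False

def parse_portmon(text: str) -> list:
    """Pair each IRP_MJ_WRITE frame with the IRP_MJ_READ bytes that follow it."""
    exchanges, buf, req = [], bytearray(), None

    def flush(resp):
        if req is None:
            return
        # A reply echoes the request header (READPM, READVER) or only the command byte (ERASEPM).
        data = None if resp is None else (resp[len(req):] if resp.startswith(req) else resp[1:])
        name = "GOTORUN" if req == b"\x00\x00" else COMMANDS.get(req[0], "?")  # my label for "00 00"
        exchanges.append({"command": name, "request": req, "response": resp, "data": data})

    for line in text.splitlines():
        m = _LINE.search(line)
        if not m:
            continue
        raw = bytes.fromhex(m.group(2))
        if m.group(1) == "WRITE":
            flush(None)  # the previous request got no reply (true of the exit command)
            req, buf = decode(raw), bytearray()
        else:
            buf += raw
            if _frame_complete(buf):
                flush(decode(bytes(buf)))
                req, buf = None, bytearray()
    flush(None)
    return exchanges

# Excerpt of the Portmon dump posted above: READPM of 1 word at 0xFF0000, then the exit command.
PORTMON_EXCERPT = """
17   0.00042659   P24QP.exe   IRP_MJ_WRITE   VCP0   SUCCESS   Length 9: 55 55 01 01 00 00 FF FF 04
18   0.00398207   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 55
19   0.00000503   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 55
20   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 01
21   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 01
22   0.00000251   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 00
23   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 00
24   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: FF
25   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 47
26   0.00000251   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 05
27   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 04
28   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 00
29   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 00
30   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: B4
31   0.00000223   P24QP.exe   IRP_MJ_READ   VCP0   SUCCESS   Length 1: 04
0   0.00102639   P24QP.exe   IRP_MJ_WRITE   VCP0   SUCCESS   Length 6: 55 55 00 00 00 04
"""

if __name__ == "__main__":
    for e in parse_portmon(PORTMON_EXCERPT):
        print(e["command"], e["request"].hex(), "->", None if e["data"] is None else e["data"].hex())
```

Two points worth noting when porting this to a real serial port: a reader that treats every 0x04 as end-of-frame will cut the `47 05 04 00 00 B4 04` reply short after the escaped 0x04, so the escape state has to be tracked while reading, and the checksum is computed before stuffing, which is why the `05` escape bytes must be dropped before the sum is checked.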