Some findings. The new bootloader supports 3 commands:
$ arm-none-eabi-objdump -D -b binary -marm --start-address=0x27c --stop-address=0x2a8 -Mforce-thumb bootloader.bin
27c: b510 push {r4, lr}
27e: 4809 ldr r0, [pc, #36] @ (0x2a4) @ r0 = 0x20000B24; // packet_ptr = pointer to unpacked packet
280: 22af movs r2, #175 @ 0xaf @ r2 = 0x00af
282: 8801 ldrh r1, [r0, #0] @ r1 = *(short*)&packet_ptr[0]; // packet id
284: 00d2 lsls r2, r2, #3 @ r2 = r2 << 3 = 0x0578;
286: 1a89 subs r1, r1, r2 @ r1 = r1-r2;
288: d006 beq.n 0x298 @ [if (r1==0x0578) { call 0x30c; return; }]
28a: 2903 cmp r1, #3
28c: d007 beq.n 0x29e @ [if (r1==0x057b) { call 0x338; return; }]
28e: 2905 cmp r1, #5
290: d101 bne.n 0x296 @ [if (r1==0x057d) { call 0x2a8; return; }]
292: f000 f809 bl 0x2a8
296: bd10 pop {r4, pc}
298: f000 f838 bl 0x30c
29c: bd10 pop {r4, pc}
29e: f000 f84b bl 0x338
2a2: bd10 pop {r4, pc}
2a4: 0b24 lsrs r4, r4, #12
2a6: 2000 movs r0, #0
It seems that the new packet id=0x057d is a new flash unlock command it is processed with procedure at address 0x2a8.
This procedure checks if a first letter of version string is '*' or equals to the first letter of bootloader version string "5.00.01" (0x0bf0 offset) and ignores packet if it don't equals:
$ arm-none-eabi-objdump -D -b binary -marm --start-address=0x2a8 --stop-address=0x30c -Mforce-thumb bootloader.bin
2a8: b510 push {r4, lr}
2aa: 7d01 ldrb r1, [r0, #20] @ r1 = (byte)packet_ptr[20];
2ac: b08c sub sp, #48 @ 0x30 @ sp -= 48; // alloc 48 bytes on stack
2ae: 2910 cmp r1, #16
2b0: d224 bcs.n 0x2fc @ if (r1 >= 16) return;
2b2: 4a13 ldr r2, [pc, #76] @ (0x300) @ r2 = 0x0BF0; // pointer to string "5.00.01"
2b4: 7900 ldrb r0, [r0, #4] @ r0 = (byte)packet_ptr[4]; // first letter of version string
2b6: 7812 ldrb r2, [r2, #0] @ r2 = '5';
2b8: 4290 cmp r0, r2
2ba: d001 beq.n 0x2c0
2bc: 282a cmp r0, #42 @ 0x2a
2be: d11d bne.n 0x2fc @ if (r0!=r2 && r0!='*') return;
2c0: 4a10 ldr r2, [pc, #64] @ (0x304) @ r2 = 0x20000314; // ptrVars
2c2: 2001 movs r0, #1 @ r0 = 1;
2c4: 7050 strb r0, [r2, #1] @ r2[1] = (byte)r0; // IsWriteEnable = 1;
2c6: 4810 ldr r0, [pc, #64] @ (0x308) @ r0 = 0x09f0; // ptr to bootloader area at 0x09f0 offset
2c8: 0149 lsls r1, r1, #5 @ r1 = r1 << 5;
2ca: 1809 adds r1, r1, r0 @ r1 += r0; // r1 = (byte)packet_ptr[20] * 0x20 + 0x09f0;
2cc: 460c mov r4, r1 @ r4 = r1;
2ce: 2210 movs r2, #16 @ r2 = 16;
2d0: a804 add r0, sp, #16 @ r0 = sp+16;
2d2: f7ff ff3f bl 0x154 @ call 0x154; // memcpy(r0, r1, r2);
2d6: 4621 mov r1, r4 @ r1 = r4;
2d8: 3110 adds r1, #16 @ r1 += 16;
2da: 2210 movs r2, #16 @ r2 = 16;
2dc: 4668 mov r0, sp @ r0 = sp;
2de: f7ff ff39 bl 0x154 @ call 0x154; // memcpy(r0, r1, r2);
2e2: 466a mov r2, sp @ r2 = sp;
2e4: a904 add r1, sp, #16 @ r1 = sp+16;
2e6: 2001 movs r0, #1 @ r0 = 1;
2e8: f000 f902 bl 0x4f0 @ call 0x4f0;
2ec: a808 add r0, sp, #32 @ r0 = sp+32;
2ee: f7ff ffb1 bl 0x254 @ call 0x254;
2f2: 466a mov r2, sp @ r2 = sp;
2f4: a908 add r1, sp, #32 @ r1 = sp+32;
2f6: 2002 movs r0, #2 @ r0 = 2;
2f8: f000 f8fa bl 0x4f0 @ call 0x4f0
2fc: b00c add sp, #48 @ 0x30 @ sp += 48; // free 48 bytes on stack
2fe: bd10 pop {r4, pc} @ return;
300: 0bf0 lsrs r0, r6, #15
302: 0000 movs r0, r0
304: 0314 lsls r4, r2, #12
306: 2000 movs r0, #0
308: 09f0 lsrs r0, r6, #7
30a: 0000 movs r0, r0
But there is a new unknown byte field after 16 bytes of version string signature. The procedure rejects packet if this byte is >= 0x10. If this field is less than 0x10, then it calculates ptr = byte * 0x20 + 0x09F0. It appears like pointer to bootloader area which starts at 0x09f0 offset. Then it doing some manipulation with it. Needs time to discover it more deep...
Let me know if you discover more details.
Home
Help
Search
Login
Register
