I now got 49 packets: 48 packets of 2048 bytes and one of 1727, that is 100031 bytes
More details on the protocol:
PC: <PrSTM32_START 0x0A
BP: START 0x0A
PC: <IAPSTM32_PacketLength_PacketNumber_16bitChecksum0x0A
BP: 0x0A
PC: 2048 binary packet
BP: "WrEND" when write OK or "error"
PC: <IAPSTM32_PacketLength_Packet+1_16bitsChecksum 0x0A
…..
On "error" reply to a packet, PC Software retries 4 times then stops
After the last packet:
PC: <PrSTM32_DO 0x0A
… and I don't know yet what to reply ...
First packet is 0.
I suppose there is some kind of CRC Checksum so that the FP MCU can check the packet before writing it.
At the moment I only have the first 2048 bytes but when I find the correct answer, I should receive the remaining blocks.
I suppose that we may miss the 4096 remaining bytes of the bootloader at the end so this won't be usable like this. But one step at a time...
More after lunch ;-)
You noticed that the data are just the bytes from the firmware binary file?
The decryption (if my assumption of encrypted data is correct) most certainly takes place inside the STM32 and not in the PC executable.
Yes the decoding seems to be made in the FP MCU.
When you remove a 13 bytes header in the firmware file, you get the same values as in packet 0.
I attached the first packet plus the capture of the whole transfer made with my DSLogic analyser.
Edit: CRC replaced with Checksum
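
Added example, not part of the original posts: a Python model of the packet loop described above (header line, 0x0A acknowledgement, payload, "WrEND"/"error", 4 retries), with a stand-in receiver that checks each packet before writing it. The `Device` class, the decimal field encoding and the byte-sum checksum are assumptions for illustration; the thread has not identified the real checksum, and the `<PrSTM32_START` / `<PrSTM32_DO` steps are left out because the reply to the latter is unknown.

```python
HEADER_LEN = 13     # firmware-file header that the thread says is not transmitted
PACKET_LEN = 2048   # payload size seen in the capture
MAX_RETRIES = 4     # PC software retries 4 times on "error", then stops

def checksum16(data):
    # ASSUMPTION: byte sum modulo 2**16; the real algorithm is not identified in the thread
    return sum(data) & 0xFFFF

def packets(firmware):
    body = firmware[HEADER_LEN:]
    return [body[i:i + PACKET_LEN] for i in range(0, len(body), PACKET_LEN)]

def header(number, payload):
    # ASSUMPTION: fields are decimal ASCII; the thread only gives the field order
    return b"<IAPSTM32_%d_%d_%d\n" % (len(payload), number, checksum16(payload))

class Device:
    """Hypothetical receiver: checks each packet before 'writing' it."""
    def __init__(self):
        self.expected, self.flash, self.pending = 0, bytearray(), None

    def on_header(self, line):
        self.pending = None
        if line.startswith(b"<IAPSTM32_") and line.endswith(b"\n"):
            try:
                length, number, check = (int(f) for f in line[10:-1].split(b"_"))
            except ValueError:
                return None            # malformed header: stay silent
            self.pending = (length, number, check)
            return b"\n"               # the bare 0x0A acknowledgement
        return None

    def on_payload(self, payload):
        if self.pending is None:
            return b"error"
        length, number, check = self.pending
        if len(payload) != length or number != self.expected or checksum16(payload) != check:
            return b"error"
        self.flash += payload
        self.expected += 1
        return b"WrEND"

def send(firmware, device, corrupt=None):
    """Return how many packets were acknowledged; corrupt() models line noise."""
    for number, payload in enumerate(packets(firmware)):
        for attempt in range(1 + MAX_RETRIES):
            wire = corrupt(number, attempt, payload) if corrupt else payload
            if device.on_header(header(number, payload)) and device.on_payload(wire) == b"WrEND":
                break
        else:
            return number              # retries exhausted: transfer stops
    return device.expected
```

With a constructed image of 13 + 100031 bytes, `packets()` yields the 48 × 2048 + 1727 split reported in the capture.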