ds30 Loader is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation.
This bootloader appears to be a framework developed by a third party, so it can simply be modified directly.
Static initialization
;------------------------------------------------------------------------------
; Register usage
;------------------------------------------------------------------------------
        ;.equ   MIXED,      W0      ;immediate
        .equ    DOERASE,    W1      ;flag indicated erase should be done before next write
        .equ    WBUFPTR,    W2      ;buffer pointer
        .equ    WCNT,       W3      ;loop counter
        .equ    WADDR2,     W4      ;memory pointer
        .equ    WADDR,      W5      ;memory pointer
        .equ    PPSTEMP1,   W6      ;used to restore pps register
        .equ    PPSTEMP2,   W7      ;used to restore pps register
        .equ    WFWJUMP,    W8      ;did we jump here from the firmware?
        ;.equ   UNUSED,     W9      ;
        .equ    WDEL1,      W10     ;delay outer
        .equ    WDEL2,      W11     ;delay inner
        ;.equ   UNUSED,     W12     ;
        .equ    WCMD,       W13     ;command
        .equ    WCRC,       W14     ;checksum
        .equ    WSTPTR,     W15     ;stack pointer

;------------------------------------------------------------------------------
; Global declarations
;------------------------------------------------------------------------------
        .global __reset             ;the label for the first line of code, needed by the linker script

;------------------------------------------------------------------------------
; User specific entry code go here, see also user exit code section at end of file
;------------------------------------------------------------------------------
        bclr    OSCCON, #SOSCEN
        bclr    CLKDIV, #RCDIV0     ;set clock divider to 0

waitPLL:
        btss    OSCCON, #LOCK       ; PLL initialization
        bra     waitPLL             ;wait for the PLL to lock

        mov     #0xFFFF, W0         ;all pins to digital
        mov     W0, AD1PCFG         ; I/O initialization

        ; Make sure the firmware has been started at least once.
        ;
        ; If the firmware signature is found in memory then it is
        ; extremely plausible that skip_pgc_pgd_check has been
        ; initialised to the correct value.
+++++++++++++++++++++++++++++++++++++++++++
  Pirate-Loader for BP with Bootloader v4+
  Loader version: 1.0.2  OS: WINDOWS
+++++++++++++++++++++++++++++++++++++++++++

Parsing HEX file [BPv3-firmware-v6.2-r1981.hex]
Found 21502 words (64506 bytes)
Fixing bootloader/userprogram jumps
Opening serial device COM13...OK
Configuring serial port settings...OK
Sending Hello to the Bootloader...ERROR
No reply from the bootloader, or invalid reply received: 0
Please make sure that PGND and PGC are connected, replug the devide and try again

The code above checks at power-up whether the jumper is fitted, and takes a different path afterwards depending on the result.
Firmware Upgrade – dangerousprototypes
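User program (UserApp)
In the bootloader above, once execution branches (bra) to the quit label, it turns out, surprisingly, that what follows is the start of our user program.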
quit:   ;clean up from jumper test
        ; Judging by the comment, this undoes the setup made for the earlier jumper check
        bclr    CNPU1, #CN5PUE      ;disable pullups on PGC/CN5/RB1
        bset    TRISB, #TRISB0      ;rb0 back to input
        mov     #0x0000, W0         ;clear pins to analog default
        mov     W0, AD1PCFG

;------------------------------------------------------------------------------
; Load user application
;------------------------------------------------------------------------------
        ; Yes, right here: it goes straight into our user program and never returns
        bra     usrapp

;------------------------------------------------------------------------------
; firmware jump entry point (kind of like a function because it's never reached from the above code
;------------------------------------------------------------------------------
firmwarejump:
        mov     #0xffff, WFWJUMP    ;flag that we jumped from firmware
        bra     setup               ;jump to just after jumper check

This symbol is exported, so our user program can jump to it and get back into the bootloader.
The corresponding jump can also be found in the firmware.
Source file link: ProcMenu.c:666
The C code is as follows:
// ProcMenu.c
case '$': //bpWline("-bootloader jump");
    if (agree()) {
        //bpWline("BOOTLOADER");
        BPMSG1094;
        bpDelayMS(100);
        bpInit(); // turn off nasty things, cleanup first needed?
        while (0 == UART1TXRdy()); //wait untill TX finishes
setup:
        ;----------------------------------------------------------------------
        ; UART pps config
        ;----------------------------------------------------------------------
        .ifdef BUSPIRATEV2
        ; Backup, these are restored in exit code at end of file
        ; Changes needs to be done in exit, search for xxx
        mov     RPINR18, PPSTEMP1   ;xxx
        mov     RPOR2, PPSTEMP2     ;xxx

        ; Receive, map pin to uart (RP5 on 2/3, RP3 on v1a)
        ; initialize UART receive
        bset    RPINR18, #U1RXR0    ;xxx
        bclr    RPINR18, #U1RXR1    ;xxx
        bset    RPINR18, #U1RXR2    ;xxx
        bclr    RPINR18, #U1RXR3    ;xxx
        bclr    RPINR18, #U1RXR4    ;xxx

        ; Transmit, map uart to pin (RPOR2bits.RP4R = 3 on 2/3, RPOR1bits.RP2R=3 on v1a)
        ...
        ; configure UART transmit

        ; MODE LED on during bootload (A1 on 2/3, B4 on v1a)
        ; RGB for extra performance
        bset    LATA, #LATA1        ;on
        bclr    TRISA, #TRISA1      ;output
        .endif
        ;----------------------------------------------------------------------
        ; Receive nr of data bytes that will follow
        ;----------------------------------------------------------------------

        ;----------------------------------------------------------------------
        ; Check address
        ;----------------------------------------------------------------------
        ;check that write and erase range does not overlap the bootloader
        ;this is pretty specific to the bootloader being in the last page
        ;additional checks are needed if your bootloader is located elsewhere.
        ;TBLPAG is always = to 0 on this PIC, no need to verify (check if you have bigger than 64K flash)

        ;check the end address
        ;write row size is fixed, any writes at (bootloader start-63) are an error
        ;if write end address (W0) is <= bl start address (WCNT) then OK
        ;= is ok because we don't DEC after adding, write 10 bytes to 10 = end at 19

bladdrchk:
        ;; The bootloader start address is defined earlier:
        ;;.equ  BLCHECKST, ( STARTADDR - (ROWSIZE) )  /*precalculate the first row write position that would overwrite the bootloader*/

        mov     #BLCHECKST, WCNT    ;last row write postion that won't overwrite the bootloader
        ;; compare the current memory pointer with the end address of our bootloader
        cp      WADDR, WCNT         ;compare end address, does it overlap?
        bra     GTU, bladdrerror    ;if greater unsigned then error
...
        ;handle the address error: send the error message, then jump back to read again
bladdrerror:
        clr     DOERASE             ;clear, just in case
        SendL   BLPROT              ;send bootloader protection error
        bra     main1               ;
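
The boundary check in bladdrchk, modelled in C as an added example (this is not ds30 Loader code and not from the original post). The ROWSIZE and STARTADDR values are constructed, and range_write_allowed is a hypothetical generalization for the case the source comments warn about: a bootloader that is not in the last page, or flash larger than 64K where TBLPAG is no longer always 0.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample layout, NOT the Bus Pirate's real values. */
#define ROWSIZE   0x80u                  /* address units covered by one row write */
#define STARTADDR 0xA400u                /* first bootloader address (last page)   */
#define BLCHECKST (STARTADDR - ROWSIZE)  /* last row start that stays below it     */

/* Mirror of bladdrchk: "cp WADDR, WCNT" then "bra GTU, bladdrerror".
 * Only the 16-bit pointer is compared; TBLPAG is assumed to be 0. */
bool row_write_allowed(uint16_t waddr)
{
    return waddr <= BLCHECKST;           /* GTU (unsigned >) means BLPROT error */
}

/* Hypothetical general form for a bootloader located anywhere in flash:
 * reject any write [addr, addr+len) that touches [bl_start, bl_end].
 * Addresses are full width, i.e. (TBLPAG << 16) | offset. */
bool range_write_allowed(uint32_t addr, uint32_t len,
                         uint32_t bl_start, uint32_t bl_end)
{
    if (len == 0)
        return false;                    /* empty request: treat as malformed */
    if (addr > UINT32_MAX - (len - 1))
        return false;                    /* end address would wrap around */
    uint32_t last = addr + (len - 1);    /* last address actually written */
    return last < bl_start || addr > bl_end;
}

int main(void)
{
    /* Constructed probe addresses around the protected boundary. */
    const uint16_t probes[] = { 0x0000, BLCHECKST, BLCHECKST + 1, STARTADDR };
    for (unsigned i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("0x%04X -> %s\n", (unsigned)probes[i],
               row_write_allowed(probes[i]) ? "write" : "BLPROT");
    return 0;
}
```

The one-sided compare is sufficient only because everything from BLCHECKST + 1 upward belongs to the bootloader; the two-sided form also rejects a length that would wrap the address.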