Hi
I recently purchased a BP5 and was excited to finally have the means to dump the flash memory from the Texas Instruments CC2510 that I'm playing with.
However, when I connect the pins to the correct probes on the debug port of my PCB and try SPI Read, it fails saying:
SPI> flash read -f out.bin
Probing:
Device ID Manuf ID Type ID Capacity ID
RESID (0xAB) –
REMSID (0x90) – –
RDID (0x9F) – – –
SFDP (0x5A): not found
Initializing SPI flash…
Flash device manufacturer ID 0xFF, type ID 0xFF, capacity ID 0xFF
Error: SFDP signature error. It must be 0x50444653 ‘SFDP’
Warning: Read SFDP parameter header information failed.
Warning: The chip does not support JEDEC SFDP.
Searching flash chip database for 0xFF 0xFF 0xFF
Error: Flash device not found
Error: device not detected
I tried switching over to use the two-wire option. I hooked it up to:
Debug Clock (SCL)
Debug Data (SDA)
Ground
It looks like a 2 wire protocol with a direction pin. The new 2 wire mode has this setup, with { and } controlling RST, which you could use for data direction.
This shows how to get the ID, I’d start here.
} 0x68{ D:1 r:2
Something like this might work.
} - RST (data direction) low
0x68 - get chip id command (?)
{ - RST /data direction high
D:1 - 1ms delay because it shows a delay in the datasheet, I don’t know how long it should be
r:2 - read two bytes. The first should be 0x81
Just a quick look though. There may be nuances I didn’t catch.
Reading, at least from the debug interface, seems to involve executing instructions to place bytes in an array and push out through the flash unit? I’m not sure.
This is from an Arduino project for debugging CC2510. It seems you do indeed write in 8051 instructions that program the MCU to write out the flash.
The project doesn’t have a license, or I’d just port it to the Bus Pirate. I didn’t see any other open CC2510 code; if you know of any I’ll try to port it. I looked for a CC2510 breakout on Taobao and couldn’t find one, so I don’t have anything to test against.
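The two exchanges the thread has been circling, the GET_CHIP_ID probe behind the 2-wire script above and the instruction-driven flash read the Arduino project performs, as an added example that is not code from this thread, from that Arduino project, or from the Bus Pirate firmware. It works at the byte level (command bytes out, reply bytes in) and drives the sequence against a constructed fake target, so the command framing can be checked without a chip on the bench. Assumptions: the command bytes (0x68 for GET_CHIP_ID, 0x55/0x56/0x57 for a 1/2/3-byte DEBUG_INSTR, which returns the accumulator) and the 8051 opcodes are from my recollection of the CC2510 datasheet and TI's debug-interface application note, so verify them against your copy; the names FakeCC2510, FloatingBus, CCDebugHost and dump_flash are mine; the flash image is constructed; and the bit-level framing on DC/DD, plus any RST/direction handling, is left to whatever transport you plug in as `link`.

```python
# Added example; not code from the thread, the Arduino project it mentions, or
# the Bus Pirate firmware. Models CC2510 debug-interface exchanges at the byte
# level and runs them against a constructed fake target. Command bytes and
# opcodes are from memory of the CC2510 datasheet / TI debug-interface note:
# verify before trusting them on real hardware.

GET_CHIP_ID = 0x68   # reply: chip ID (0x81 for CC2510), then chip revision
DEBUG_INSTR = 0x54   # OR in the instruction length (1..3) -> 0x55/0x56/0x57; reply: ACC
CC2510_CHIP_ID = 0x81

# 8051 opcodes used by the flash-dump sequence
OP_MOV_DPTR = 0x90   # MOV DPTR,#imm16  (3 bytes: 0x90 hi lo)
OP_CLR_A = 0xE4      # CLR A
OP_MOVC = 0x93       # MOVC A,@A+DPTR   (reads code memory into ACC)
OP_INC_DPTR = 0xA3   # INC DPTR


class FakeCC2510:
    """Constructed stand-in for the target: exchange() takes a command and
    returns the bytes the real chip would clock back on DD."""

    def __init__(self, flash: bytes, revision: int = 0x04):
        self.flash = flash        # constructed image; unprogrammed bytes read 0xFF
        self.revision = revision
        self.acc = 0
        self.dptr = 0

    def _code_read(self, addr: int) -> int:
        return self.flash[addr] if addr < len(self.flash) else 0xFF

    def exchange(self, tx: bytes, nrx: int) -> bytes:
        cmd = tx[0]
        if cmd == GET_CHIP_ID:
            reply = bytes([CC2510_CHIP_ID, self.revision])
        elif cmd & 0xFC == DEBUG_INSTR and len(tx) - 1 == (cmd & 0x03):
            op = tx[1:]
            if op[0] == OP_MOV_DPTR:
                self.dptr = (op[1] << 8) | op[2]
            elif op[0] == OP_CLR_A:
                self.acc = 0
            elif op[0] == OP_MOVC:
                self.acc = self._code_read((self.acc + self.dptr) & 0xFFFF)
            elif op[0] == OP_INC_DPTR:
                self.dptr = (self.dptr + 1) & 0xFFFF
            else:
                raise NotImplementedError(f"fake target does not model opcode 0x{op[0]:02X}")
            reply = bytes([self.acc])
        else:
            raise ValueError(f"unsupported command 0x{cmd:02X}")
        assert len(reply) == nrx
        return reply


class FloatingBus:
    """Nothing driving DD: every read returns 0xFF, the same symptom as the SPI
    probe in the first post (manufacturer/type/capacity ID all 0xFF)."""

    def exchange(self, tx: bytes, nrx: int) -> bytes:
        return b"\xff" * nrx


class CCDebugHost:
    def __init__(self, link):
        self.link = link   # anything with exchange(tx: bytes, nrx: int) -> bytes

    def get_chip_id(self) -> tuple:
        chip_id, rev = self.link.exchange(bytes([GET_CHIP_ID]), 2)
        if chip_id == 0xFF and rev == 0xFF:
            raise RuntimeError("no target: DD reads all ones (check wiring and the debug-entry reset sequence)")
        return chip_id, rev

    def debug_instr(self, *instr: int) -> int:
        """Execute one 1..3 byte 8051 instruction on the halted CPU; returns ACC."""
        if not 1 <= len(instr) <= 3:
            raise ValueError("DEBUG_INSTR takes 1 to 3 instruction bytes")
        return self.link.exchange(bytes([DEBUG_INSTR | len(instr), *instr]), 1)[0]

    def read_code(self, addr: int, length: int) -> bytes:
        """Dump code memory: MOV DPTR,#addr once, then CLR A / MOVC / INC DPTR per byte."""
        self.debug_instr(OP_MOV_DPTR, (addr >> 8) & 0xFF, addr & 0xFF)
        out = bytearray()
        for _ in range(length):
            self.debug_instr(OP_CLR_A)
            out.append(self.debug_instr(OP_MOVC))   # MOVC leaves the byte in ACC
            self.debug_instr(OP_INC_DPTR)
        return bytes(out)


def dump_flash(link, size: int = 32 * 1024, chunk: int = 256) -> bytes:
    """Identify the part first, then read `size` bytes of code memory in chunks."""
    host = CCDebugHost(link)
    chip_id, _rev = host.get_chip_id()
    if chip_id != CC2510_CHIP_ID:
        raise RuntimeError(f"unexpected chip ID 0x{chip_id:02X}, expected 0x81 (CC2510)")
    image = bytearray()
    for addr in range(0, size, chunk):
        image += host.read_code(addr, min(chunk, size - addr))
    return bytes(image)


if __name__ == "__main__":
    sample = bytes(range(256)) * 4   # constructed 1 KiB "firmware"; rest of flash reads 0xFF
    image = dump_flash(FakeCC2510(sample), size=2048)
    print(image[:1024] == sample, image[1024:] == b"\xff" * 1024)
```

The point of the fake is that the host side never touches the flash controller: every byte comes out of the accumulator after a MOVC executed through DEBUG_INSTR, which is the mechanism the Arduino project relies on. To run it against a real board, replace the link with one that bit-bangs DC/DD (and whatever RST/direction handling the 2-wire mode needs) and keeps the same exchange() contract; the chip-ID check then tells you whether the debug-entry sequence worked before you spend time on the flash read.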
Oh wow, I’m doing a glitch hack over here on the SLE4442.
I can’t integrate that directly into the Bus Pirate main firmware because it’s GPL licensed (we’re MIT/BSD). It shouldn’t be difficult to port the whole project and make a firmware that works on the Bus Pirate, though.
I was curious where the CC2510s were coming from because I couldn’t find them on Aliexpress or Taobao, but those eink tags make total sense.
I have this tool called the CC debugger, which I can use with Flash Programmer to dump the 8051 Intel hex. I want to use the BP5 to dump it, so do you reckon I need to modify the firmware and build a custom version, or does the BP5 have a way to script similarly to that Python code?
My plan is to figure out how to dump the firmware, then use the CC debugger to enable the read lock and try voltage glitching with the BP5 to read the firmware out again byte by byte.
What I would do personally (and will try if I can get ahold of this chip):
Start with that PICO project
Use the library in /pirate/ and adapt the firmware to use the Bus Pirate’s buffered IO pins (bio.c/h), enable power supply, and anything else you need
I’m really excited about this one because I want to know more about glitch hacking. Is there a recommended eink display that defo has the CC2510? I’ll make the firmware, but it’s almost impossible to do without something to test against.