Jieli-Tech / fw-Bootloader

Customized bootloader for JL series
Apache License 2.0

HID upgrade vs MSD upgrade #4

Open pandysong opened 2 years ago

pandysong commented 2 years ago

There is some confusion in the code:

Is it possible to provide a PC demo using MSD, and also to change the bootloader to MSD?

ACCount12 commented 1 year ago

"MSD update mode" is a part of MaskROM, not bootloader. It uses a set of proprietary SCSI commands to send a specialized burner tool to the chip, and then uses that burner to flash firmware.

There is a way to reboot your device into MaskROM MSD update mode - as seen here:

https://github.com/Jieli-Tech/fw-AC63_BT_SDK/blob/master/apps/common/device/usb/device/msd_upgrade.c

You could add something like that to your firmware or bootloader - make it reboot into MSD update mode if a certain condition is met.

On the PC side, JieLi has never documented the MSD update process. But some people have already reverse engineered it well enough that you could make your own flashing tool.
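Both the stock isd_tool and the reverse-engineered Python tools mentioned in this thread ultimately ride on the same mechanism: vendor-specific SCSI commands sent to the MaskROM's USB mass-storage interface. The following is an added example from the editor, not code from this repository, from JieLi or from jl-uboot-tool. It shows the Linux SCSI pass-through plumbing (the `SG_IO` ioctl on a `/dev/sgN` node) that any home-grown flasher on the PC side needs, using the standard INQUIRY command to prove the channel works. The JieLi-specific opcodes are not documented on this page and are not guessed here; they would be passed to `scsi_passthrough()` as the `cdb` argument once known. The device path, the 5 s timeout and the sample INQUIRY response are assumptions for illustration.

```python
"""Linux SCSI pass-through (SG_IO) helper for talking to a USB MSD device.

Added example for this thread; not part of fw-Bootloader or jl-uboot-tool.
Assumes the Linux 'sg' driver (a /dev/sgN node for the device).
"""
import ctypes
import fcntl
import os
import sys

SG_IO = 0x2285              # ioctl request number from <scsi/sg.h>
SG_DXFER_NONE = -1          # no data phase
SG_DXFER_TO_DEV = -2        # host -> device (e.g. uploading a loader)
SG_DXFER_FROM_DEV = -3      # device -> host (e.g. reading flash back)
SENSE_LEN = 32              # bytes of sense data to request on CHECK CONDITION
STATUS_GOOD = 0x00
STATUS_CHECK_CONDITION = 0x02


class SgIoHdr(ctypes.Structure):
    """struct sg_io_hdr from <scsi/sg.h> (the 'S' v3 interface)."""
    _fields_ = [
        ("interface_id", ctypes.c_int), ("dxfer_direction", ctypes.c_int),
        ("cmd_len", ctypes.c_ubyte), ("mx_sb_len", ctypes.c_ubyte),
        ("iovec_count", ctypes.c_ushort), ("dxfer_len", ctypes.c_uint),
        ("dxferp", ctypes.c_void_p), ("cmdp", ctypes.c_void_p),
        ("sbp", ctypes.c_void_p), ("timeout", ctypes.c_uint),
        ("flags", ctypes.c_uint), ("pack_id", ctypes.c_int),
        ("usr_ptr", ctypes.c_void_p), ("status", ctypes.c_ubyte),
        ("masked_status", ctypes.c_ubyte), ("msg_status", ctypes.c_ubyte),
        ("sb_len_wr", ctypes.c_ubyte), ("host_status", ctypes.c_ushort),
        ("driver_status", ctypes.c_ushort), ("resid", ctypes.c_int),
        ("duration", ctypes.c_uint), ("info", ctypes.c_uint),
    ]


def scsi_passthrough(fd, cdb, direction, data=b"", read_len=0, timeout_ms=5000):
    """Issue one CDB on an open /dev/sgN fd. Returns (status, payload, sense).

    For SG_DXFER_TO_DEV 'data' is sent; for SG_DXFER_FROM_DEV 'read_len'
    bytes are requested. Vendor-specific CDBs (such as the MaskROM's
    loader-upload and flash commands) are passed in exactly like standard ones.
    """
    if direction == SG_DXFER_TO_DEV:
        buf = ctypes.create_string_buffer(data, len(data))
    else:
        buf = ctypes.create_string_buffer(read_len)
    cdb_buf = (ctypes.c_ubyte * len(cdb)).from_buffer_copy(bytes(cdb))
    sense = ctypes.create_string_buffer(SENSE_LEN)
    hdr = SgIoHdr(
        interface_id=ord("S"), dxfer_direction=direction, cmd_len=len(cdb),
        mx_sb_len=SENSE_LEN, dxfer_len=len(buf),
        dxferp=ctypes.addressof(buf) if len(buf) else None,
        cmdp=ctypes.addressof(cdb_buf), sbp=ctypes.addressof(sense),
        timeout=timeout_ms,
    )
    fcntl.ioctl(fd, SG_IO, ctypes.addressof(hdr))
    payload = buf.raw if direction == SG_DXFER_FROM_DEV else b""
    return hdr.status, payload, sense.raw[:hdr.sb_len_wr]


def inquiry_cdb(alloc_len=36):
    """Standard 6-byte INQUIRY CDB (opcode 0x12), requesting alloc_len bytes."""
    return bytes([0x12, 0x00, 0x00, 0x00, alloc_len, 0x00])


def parse_inquiry(resp):
    """Decode the fixed part of a standard INQUIRY response (SPC layout)."""
    if len(resp) < 36:
        raise ValueError("INQUIRY response too short: %d bytes" % len(resp))
    return {
        "peripheral_type": resp[0] & 0x1F,        # 0x00 = direct-access block device
        "removable": bool(resp[1] & 0x80),        # RMB bit, set for MSD-style devices
        "vendor": resp[8:16].decode("ascii", "replace").strip(),
        "product": resp[16:32].decode("ascii", "replace").strip(),
        "revision": resp[32:36].decode("ascii", "replace").strip(),
    }


def identify_device(path):
    """Open a /dev/sgN node, run INQUIRY and return the decoded identity."""
    fd = os.open(path, os.O_RDWR | os.O_NONBLOCK)
    try:
        status, resp, sense = scsi_passthrough(fd, inquiry_cdb(), SG_DXFER_FROM_DEV, read_len=36)
    finally:
        os.close(fd)
    if status != STATUS_GOOD:
        raise IOError("INQUIRY failed, status 0x%02x, sense %s" % (status, sense.hex()))
    return parse_inquiry(resp)


if __name__ == "__main__":
    # Usage (device path is an assumption): python3 sgio_demo.py /dev/sg2
    print(identify_device(sys.argv[1]))
```

Check the vendor and product strings against what your device reports in MSD update mode before sending anything that writes: a pass-through CDB goes to whatever disk sits behind that node, and the MaskROM will happily run any loader it is handed, so aim the tool carefully. The same `scsi_passthrough()` call with `SG_DXFER_TO_DEV` is how a loader image would be uploaded once the command format is known.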

pandysong commented 1 year ago

Thanks for the reply. The code in msd_update.c is well understood. It is useful.

Could you provide some more info for the reverse engineered update process? Any link or repo? Thank you.

ACCount12 commented 1 year ago

Here are some bits and pieces:

https://github.com/kagaimiq/jl-uboot-tool

https://github.com/kagaimiq/jielie/tree/main/MySpecialBareMetals/BR25/br25xloader

The loader is what implements the actual flash read/write commands, so you'll have to send and run the loader binary first for those to become available.

To get a loader binary, you can try to build your own, or you can try to decrypt and upload the ones that ship with JieLi isd_download tool.

pandysong commented 1 year ago

@ACCount12 Thank you for all the information.

I was busy in the last few weeks and had no time to try until today, when I found it does not support Darwin. I may need to hack it a little bit to try it on Mac OS.

But could I assume the implementation in https://github.com/kagaimiq/jl-uboot-tool is the default protocol and that it could replace the GUI tool provided by Jieli?

ACCount12 commented 1 year ago

I don't actually know what the GUI tool does, but those Python tools should work well enough to replace isd_tool.

Keep in mind that you first need to send and run a compatible loader with jlrunner. The loader is what implements the flashing-related SCSI commands - without it running, jlflasher wouldn't work.

To get the loader file and address, see what arguments are passed to isd_tool. Then use the same address and the same file in jlrunner, with an argument --raw if the loader is encrypted. Most default loaders that ship with isd_tool are encrypted.

pandysong commented 1 year ago

@ACCount12 Thanks. I will check.