Python based flashtool

[ajaybhargav]

Hi @Wiz-IO Did you get python based flashtool working? I am also looking for a cross-platform flasher for Mediatek chipset. Maybe we can collaborate to make it work?

[Wiz-IO]

Hi, what chipset?

MT2625 must work on Win/Lin/Mac ( just need usb drivers ) https://github.com/Wiz-IO/platform-quectel/blob/master/builder/frameworks/MT2625.py

[ajaybhargav]

MT2503/MT6261

[Wiz-IO]

https://github.com/Wiz-IO/platform-quectel/blob/master/builder/frameworks/MT6261.py

[probonopd]

Does this mean all MT2503/MT6261 based modules can work?

[Wiz-IO]

yep, the boot loader is one test ... or spy COM port for reverse protocol I not have info from Mediatek/Quectel

[ajaybhargav]

wow thats a lot of work i believe. Will it support flashing via usb? for mediatek usb is just a name they are creating a usbcom port and doing usual uart stuff.

[Wiz-IO]

USB direct? or UART ( Quectel bootloader is uart based )

[ajaybhargav]

I am not using MC60. its a different module based on MT2503 with USB interface exposed. When connected it creates USB com port for flashing, rest everything looks similar to uart however i may be wrong. i will put a sniffing tool to see what's going on. which tool did you use for uart sniffing?

[Wiz-IO]

if is created USB com port try python script maybe will need small changes.... no idea - test

[Wiz-IO]

the princip:

• enter boot mode: send 0xA0 .... A0, read 0x5F - boot mode OK ( maybe diff numbers )
• read SoC info
• upload boot part 1 ( from MTK_AllOne_DA.bin )
• upload boot part 2 ( from MTK_AllOne_DA.bin ) this parts is based of SoC ID
• upload firmware, format fat.... any commands :)

[ajaybhargav]

I am going to test it today :) lets see. Which tool did you use to monitor (spy) serial port? Do you have any idea how hwids in platformio can be used to detect dynamic serial port?

[update] I checked on sniffer tool, you're not changing baudrate (0xD2) before file upload. after that it changes baudrate and then send 0x00 to 0xff (expects echo) then sends 0xf0 (?)

[Wiz-IO]

I use: https://www.hhdsoftware.com/

[ajaybhargav]

I am using the same but It is not able to capture USB port of module, serial works fine.

[ajaybhargav]

I am able to capture both USB and UART... here are the application flashing logs.

mt2503_data.zip

[Wiz-IO]

is this USB-HID or is USB-UART?

[Wiz-IO]

the first part: enter boot-mode is the same

    def connect(self, timeout = 9.0):
        self.s.timeout = 0.02
        c = 0
        PB_BEGIN()
        while True:
            if c % 10 == 0: PB_STEP()
            c += 1
            self.s.write( b"\xA0" )      
            if self.s.read(1) == b"\x5F":        
                self.s.write(b"\x0A\x50\x05")
                r = self.s.read(3)
                if r == b"\xF5\xAF\xFA":  
                    break
                else: ERROR("BOOT")
            timeout -= self.s.timeout
            if timeout < 0:
                ERROR("Timeout") 

https://github.com/Wiz-IO/platform-quectel/blob/master/builder/frameworks/MT6261.py#L234

[ajaybhargav]

is this USB-HID or is USB-UART?

Its USB-UART (in log it says Device: MediaTek USB Port (COM12) (MT6227 phone))

yes first part is same.. then it flashtool go crazy with some kind of settings on external memory interface (is this needed?) 0xA0050000 <- base address for external memory interface

A0 05 01 10 = 00 00 00 00
A0 05 00 60 = 00 00 10 01
A0 05 00 70 = 00 00 00 11
A0 05 00 88 = 00 00 00 01
A0 05 01 30 = 00 01 00 01
A0 05 01 38 = 00 01 00 01
A0 05 01 50 = 00 00 50 00
A0 05 01 58 = 00 00 10 01
A0 05 00 90 = 00 00 00 00

-- Loop till 00 00 00 00
A0 05 00 D0 = 1F 1F 1F 1F
A0 05 00 D8 = 1F 1F 1F 1F
A0 05 00 E0 = 00 00 00 00
A0 05 03 00 = 00 00 00 00
A0 05 03 00 = 00 00 00 00
A0 05 03 08 = 20 00 00 3F
A0 05 03 00 = A5 5A 00 00
A0 05 03 00 = A5 5A 03 25
d1 A0 05 03 18 00 00 00 01> -- dummy read?
d1 A0 05 03 18 00 00 00 01> -- dummy read? both read returns same value
A0 05 03 00 = 00 00 00 00

scanning manually though that loop took a lot of time but I am almost lost after that :)

[Wiz-IO]

your SoC is 90% as my python script

Enter Boot: _same_
Read SoC Info need to get DA parts[2] from MTK_AllOne_DA.bin

>>> 80 00 00 00 00 00 00 01 
<<< 80 00 00 00 00 00 00 01 [cb 01] BB_CPU_HW = CB01

>>> 80 00 00 04 00 00 00 01
<<< 80 00 00 04 00 00 00 01 [00 01] BB_CPU_SW = 0001

>>> 80 00 00 08 00 00 00 01
<<< 80 00 00 08 00 00 00 01 [62 61] BB_CPU_ID = 6261

>>> 80 00 00 0c 00 00 00 01    
<<< 80 00 00 0c 00 00 00 01 [80 00] BB_CPU_SB = 8000  

Prepare DA DIFFERENT

SEND_DA_1: _same_
SEND_DA_2: _same_

CMD_JUMP_DA: _same_
FLASH: Init DIFFERENT
UPLOAD FIRMWARE: _same_

[ajaybhargav]

Thanks @Wiz-IO MT2503 is basically MT6261 + MT3333 in single SoC. so I believe most things should be same. Can you explain

Prepare DA DIFFERENT

And with "FLASH: Init DIFFERENT" you meant the start address etc. correct?

[Wiz-IO]

Prepare DA is set some params before uploadind DA (Download Agent) after upload - CMD_JUMP_DA( start DA )
then get/set FLASH info ( for flash as chip ) then clear/upload flash ... and other commands

BTW: this is standart MTK bootloader for all old chipsets

[ajaybhargav]

It would be helpful if you can reference line number from MT6261.py script. I can then try to modify it.

Did you check USB logs? they do look similar to UART but some extra stuff going on which I do not understand. I mentioned it here https://github.com/Wiz-IO/platform-quectel/issues/29#issuecomment-638739457

and did you try to change speed after DA upload?

[Wiz-IO]

at the beginig - try separate SEND-RECEIVE data from spy-log and write notes to "reverse" protocol then is easy :)

[ajaybhargav]

Thanks, I will try that 😄

[ajaybhargav]

Hi Georgi (@Wiz-IO) I tested standalone MT6261.py today. And with just modification to application address (DEVICE), everything worked perfectly. No change made to DA, as I believed DA must be same for all MTK devices. I tested over uart as of now no USB.

I had to comment few things in the source: Below part I had to comment completely as the MMM check always fail.

        if check == True:
            if app_data[:3] != "MMM":
                ERROR("APP: MMM")
            if app_data[8:17] != "FILE_INFO":
                ERROR("APP: FILE_INFO")

I am getting error "APP: MMM" even though file starts with MMM still it throw error.

I also had to comment and change the following:

def crc_word(self, data, chs=0):
        for i in xrange(0, len(data), 1):
            chs += data[i] & 0xFF #ord(data[i])
        return chs & 0xFFFF

Error with ord says:

Exception has occurred: TypeError
ord() expected string of length 1, but int found

So far so good :)

[Update]

Are you not using python3? That code works with python2 though. As per my knowledge PlatformIO works on python 3.7. Just delete penv folder and let PlatformIO install the latest env for you.

Following change worked:

        if check == True:
            if app_data[:3].decode() != "MMM":
                ERROR("APP: MMM")
            if app_data[8:17].decode() != "FILE_INFO":
                ERROR("APP: FILE_INFO")

ord still fails so I would just use data[i] & 0xff instead of ord(data[i]). Its working fine.

Lastly I need your permission to use the flasher 😄

[Update 2] I tried getting USB working with this but I think there are some changes to be made in script. USB packets do not carry all the data at once like UART. I am getting cmd echo error even though USB might be sending but not in single shot so script is failing. Maybe I will try again by separating and data bytes.

Here is the sample that is causing failure: We expect everything to come at once whereas USB is sending is packets