How to dump bluetrum chip

[DRCRecoveryData]

Hi,

How to dump this Bluetrum AB5656C2?

[kagaimiq]

Hi, well the software side of this process isn't ready yet, so here are some tips on the hardware side:

First of all you need to find a pad used for the UART download. I'm not really sure about this chip, but I see there are some pins that match the ones on the AB5376A chip (happen to have a reference schematic pdf featuring that chip), and on that chip the download pin is the pin 14 (which is a "PB3" GPIO). On this photo it goes to a resistor next to the left side of an 26 MHz crystal, and there's a via hole in between, that goes somewhere on the back side of the PCB.

Then you need to get a UART bridge and mix its TX/RX signals into a single I/O line, and then connect it to that download pin on the chip. And that's it. However having ability to interrupt power to the chip is also a good idea, in case the firmware repurposes this pin such a way that it couldn't receive the UART sync key anymore - meaning that you couldn't access the bootloader anymore.

[DRCRecoveryData]

Hi, well the software side of this process isn't ready yet, so here are some tips on the hardware side:

First of all you need to find a pad used for the UART download.

I'm not really sure about this chip, but I see there are some pins that match the ones on the AB5376A chip (happen to have a reference schematic pdf featuring that chip), and on that chip the download pin is the pin 14 (which is a "PB3" GPIO). On this photo it goes to a resistor next to the left side of an 26 MHz crystal, and there's a via hole in between, that goes somewhere on the back side of the PCB.

Then you need to get a UART bridge and mix its TX/RX signals into a single I/O line, and then connect it to that download pin on the chip. And that's it.

However having ability to interrupt power to the chip is also a good idea, in case the firmware repurposes this pin such a way that it couldn't receive the UART sync key anymore - meaning that you couldn't access the bootloader anymore.

I see from my chip uart pin is from pb3 ( rx ) and pb4 ( tx ), which board can i use as uart for this chip? ch341a or bus pirate?

[kagaimiq]

Okay, so I've put together a download script that maybe will work with your chip. It's the download.py script in the repo.

which board can i use as uart for this chip? ch341a or bus pirate?

I think either could work. I'm using a generic CH340 dongle for that:

I see from my chip uart pin is from pb3 ( rx ) and pb4 ( tx )

Just as a reminder, you only need to connect UART to PB3, both TX and RX. Connecting TX and RX separately to PB3/PB4 won't work.

[DRCRecoveryData]

Okay, so I've put together a download script that maybe will work with your chip. It's the download.py script in the repo.

which board can i use as uart for this chip? ch341a or bus pirate?

I think either could work. I'm using a generic CH340 dongle for that:

I see from my chip uart pin is from pb3 ( rx ) and pb4 ( tx )

Just as a reminder, you only need to connect UART to PB3, both TX and RX. Connecting TX and RX separately to PB3/PB4 won't work.

ah which is baurate of putty or ssh when you connect, do you have schematic wriring of that uart usb to Bluetrum AB5656C2, also does the gnd and vcc connect from uart usb to which pinout of Bluetrum AB5656C2?

[kagaimiq]

Here's a "wiring diagram":

As you can see, there's literally nothing to it.

With the power pin, of course you should disconnect the battery, otherwise it defeats the purpose of the external power connection (as the chip is going to be still powered up, and that's what we want to control).

The sequence goes like this: First connect UART to the chip as shown above, then start the script and then apply power to the chip. If it works out, it will give you some basic info on the chip (if you haven't specify the read action to it yet). Otherwise try poking into other pins on the chip. If it still doesn't work (i.e. the tool doesn't sync with the chip, if something else happens - tell me upfront), well I have no idea then.

[DRCRecoveryData]

Here's a "wiring diagram":

As you can see, there's literally nothing to it.

With the power pin, of course you should disconnect the battery, otherwise it defeats the purpose of the external power connection (as the chip is going to be still powered up, and that's what we want to control).

The sequence goes like this: First connect UART to the chip as shown above, then start the script and then apply power to the chip. If it works out, it will give you some basic info on the chip (if you haven't specify the read action to it yet). Otherwise try poking into other pins on the chip. If it still doesn't work (i.e. the tool doesn't sync with the chip, if something else happens - tell me upfront), well I have no idea then.

after i run is show: sudo python3 download.py --port /dev/ttyUSB0 usage: download.py [-h] [--mscdev MSCDEV] [-r] {erase,read,write} ... download.py: error: argument action: invalid choice: '/dev/ttyUSB0' (choose from 'erase', 'read', 'write')

[kagaimiq]

My bad, forgot to mention about installing pyserial in order to have an option to use UART interface. Well, I see you seem to have put the scsiio library there, so maybe you did try to install pyserial too, it's just might be inaccessible to python running as root. In that case consider changing permissions to your serial port so that you can run the script without need for sudo. (e.g. sudo chmod 666 /dev/ttyUSB0)

[DRCRecoveryData]

My bad, forgot to mention about installing pyserial in order to have an option to use UART interface. Well, I see you seem to have put the scsiio library there, so maybe you did try to install pyserial too, it's just might be inaccessible to python running as root. In that case consider changing permissions to your serial port so that you can run the script without need for sudo. (e.g. sudo chmod 666 /dev/ttyUSB0)

Look like is not catch any signal when i connect to uart usb to chip, is still show ....... When first run