kelchm / cgg1-thermometer-firmware

Reverse engineering and developing a custom firmware for the Qingping CGG1 bluetooth thermometer
GNU General Public License v3.0

Dump stock firmware #1

Open kelchm opened 3 years ago

kelchm commented 3 years ago

As a first step, we should ensure that it is possible to dump the stock firmware of the device.

pvvx commented 3 years ago

What to do with initializing the Nordic SDK? How to speed it up?

fanoush commented 3 years ago

There is no 'Nordic SDK initialization' as such. I am guessing it can be the bootloader validating your application at boot time. The bootloader is optional, or you can disable the check in its source, or some SDK versions can be configured for how/if the check is done, as the linked docs mention. If you use SWD now, then to verify it is this case you can clear the bootloader settings in UICR so the softdevice runs your app directly (easiest may be to mass erase and then flash just the softdevice and your app, but UICR can be cleared via toggling a few bits in the NVMC controller registers).

pvvx commented 3 years ago

> There is no 'nordic SDK initialization' as such. I am guessing it can be bootloader validating your application at boot time. bootloader is optional or you can disable the check in its source or some SDK versions can be configured how/if the check is done as linked docs mention. if you use SWD now then to verify it is this case you can clear bootloader settings in UICR so the softdevice runs your app directly (easiest may be to mass erase and then flash just softdevice and your app. but UICR can be cleared via toggling few bits in NVMC controller registers)

This is the start of the official firmware from "Cleargrass". Do you propose to turn off OTA and have users open the thermometer with a hairdryer and a soldering iron after purchasing JTAG? What firmware is checked if there can be only one in a Flash of 192 KB? Reading 192 KB takes 500 ms? Sluggish CPU? A similar diagram, but several seconds long, is observed on all Arduinos with nRF52. This illustration is ten times shorter, but not compatible with battery life.

The 1-bit SPI Flash read speed of the slowest CPUs is about 5..10 MiB per second. Does the nRF52 use SPI Flash at 0.04 bits? :)

pvvx commented 3 years ago

5.3.10.1 Device startup times?

pvvx commented 3 years ago

https://devzone.nordicsemi.com/f/nordic-q-a/29658/what-is-operating-voltage-for-nrf52832-flash-memory There are no capacitors in the device - the Chinese skimped on them. 2.7 V seems to be the minimum. Is Nordic embarrassed to indicate it in the documentation? Does OTA not check the voltage?

pvvx commented 3 years ago

New firmware (test). Start Power. No DFU/OTA, no function, no tasks, Advertising only. Unknown process at startup with a duration of 350 ms.

Advertising interval 1.875 sec, no function, no tasks, Advertising only. Measurement period 140 sec. Average current 21.5 uA (3.3V) (high consumption compared to other SoCs).