osresearch / airbreak

CPAP jailbreak to allow it to be used as a temporary ventilator
MIT License

computed checksum did NOT match #33

Open nbritton opened 4 years ago

nbritton commented 4 years ago

```
root@ubuntu:~/airbreak# ./patch-airsense stm32.bin stm32-unlocked.bin
stm32.bin: FAILED
sha256sum: WARNING: 1 computed checksum did NOT match
stm32.bin: wrong hash
```

The SW firmware version on my device is SX567-0306. It's been unplugged for about six months, so I guess it did not receive the over-the-air updates to version SX567-0401. I don't know how to trigger the OTA firmware update process, and I don't have a DME provider, so I'm not even sure this unit can receive the update. The machine has one bar on the modem signal status. Is there a way to download the stock firmware update version SX567-0401 on the Internet?

```
root@ubuntu:~/airbreak# sha256sum stm32.bin
363a204ba217f31223e929365d58b8f5ce038a7681e362fe157e190c2eacbd30  stm32.bin
```

nbritton commented 4 years ago

I changed the sha256 checksum in the bash script to match my v306 firmware and flashed the device anyways. The flash appears to have worked because my machine now says "HACKED!". However, none of the extra options show up in the mode menu, it just shows CPAP and Autoset.
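A patcher that writes at fixed offsets only does what it is meant to on the exact image those offsets were found in, which is what the SHA-256 check in front of it enforces. The sketch below is an added example, not code from the airbreak repository or from anyone in this thread: it separates "known image, no patch set for it" from "unrecognised image" instead of a single pass/fail. The table layout, the function names and the SX567-0401 row (a placeholder, since the page does not give that hash) are assumptions; the SX567-0306 hash is the one posted above.

```shell
#!/usr/bin/env bash
# Added example (not the project's patch-airsense): decide whether a dumped
# image may be handed to a fixed-offset patcher.

# Hypothetical table, one "sha256 version status" row per line.
# Row 1: placeholder; the page does not give the hash of the supported image.
# Row 2: the hash the reporter posted for their SX567-0306 dump.
KNOWN_IMAGES="PLACEHOLDER_SHA256_OF_SUPPORTED_IMAGE SX567-0401 supported
363a204ba217f31223e929365d58b8f5ce038a7681e362fe157e190c2eacbd30 SX567-0306 unsupported"

# classify_image FILE [TABLE]
# Prints "<status> <version> <sha256>" and returns:
#   0 = hash is listed and a patch set exists for it
#   1 = hash is listed, but no patch set exists for that version
#   2 = hash is not listed (bad read, truncated dump, or unseen version)
#   3 = file cannot be read
classify_image() {
    local file="$1" table="${2:-$KNOWN_IMAGES}" sum hash version status
    [ -r "$file" ] || { echo "unreadable - -"; return 3; }
    sum=$(sha256sum -- "$file") || return 3
    sum=${sum%% *}                      # keep only the hex digest
    while read -r hash version status; do
        [ "$hash" = "$sum" ] || continue
        echo "$status $version $sum"
        if [ "$status" = supported ]; then return 0; fi
        return 1
    done <<EOF
$table
EOF
    echo "unknown - $sum"
    return 2
}

# guarded_patch SRC DST PATCHER [ARGS...]
# Runs "PATCHER ARGS SRC DST" only when SRC is a supported image; in every
# other case nothing is written and the reason goes to stderr.
guarded_patch() {
    local src="$1" dst="$2" verdict rc
    shift 2
    verdict=$(classify_image "$src" "$KNOWN_IMAGES") && rc=0 || rc=$?
    case $rc in
        0) "$@" "$src" "$dst" ;;
        1) echo "refusing ($verdict): image is known, but no patch set was built for this version" >&2
           return 1 ;;
        2) echo "refusing ($verdict): image not recognised; read the flash again and compare the two dumps first" >&2
           return 2 ;;
        *) echo "refusing: cannot read $src" >&2
           return 3 ;;
    esac
}

# Command-line use: guarded.sh stm32.bin stm32-unlocked.bin ./patch-airsense
if [ "$#" -ge 3 ]; then
    guarded_patch "$@"
fi
```
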

nbritton commented 4 years ago

I flashed the machine back to the stock firmware; that appears to have worked as expected... the machine no longer says "HACKED!". I reset the ResMed machine with a power cycle. However, I now get this message on the Raspberry Pi...

```
root@ubuntu:~/airbreak# openocd -f ./tcl/airsense.cfg
Open On-Chip Debugger 0.10.0
Licensed under GNU GPL v2
For bug reports, read
	http://openocd.org/doc/doxygen/bugs.html
BCM2835 GPIO nums: swclk = 25, swdio = 24
BCM2835 GPIO config: srst = 18
srst_only separate srst_gates_jtag srst_push_pull connect_deassert_srst
adapter speed: 2000 kHz
adapter_nsrst_delay: 100
srst_only separate srst_nogate srst_push_pull connect_deassert_srst
cortex_m reset_config sysresetreq
Info : replaced existing 'mrw' usage
Info : replaced existing 'mrw' help
Info : replaced existing 'mrb' usage
Info : replaced existing 'mrb' help
Info : replaced existing 'mmw' usage
Info : replaced existing 'mmw' help
Info : BCM2835 GPIO JTAG/SWD bitbang driver
Info : SWD only mode enabled (specify tck, tms, tdi and tdo gpios to add JTAG mode)
Info : clock speed 2002 kHz
in procedure 'init'
called at file "./tcl/airsense.cfg", line 77
in procedure 'ocd_bouncer'
```

nbritton commented 4 years ago

```
root@ubuntu:~/airbreak# openocd -f ./tcl/airsense.cfg -d 3
```

nbritton commented 4 years ago

I very briefly had it working after I shorted RST to v3.3 (R-Pi pin 1)... the following was output to the terminal... I'm wondering if maybe I have loose wiring? I soldered them to the board and they seem solidly attached to the pads. However, when I wiggle SWDIO and restart openocd it sometimes briefly works (gets to the dump message). I'm struggling to isolate the wire or figure out a pattern to help me troubleshoot. I didn't find any issues yet with a multimeter continuity test. I guess I'll try resoldering the connection tomorrow.

root@ubuntu:~/airbreak# openocd -f ./tcl/airsense.cfg
Open On-Chip Debugger 0.10.0
Licensed under GNU GPL v2
For bug reports, read http://openocd.org/doc/doxygen/bugs.html
BCM2835 GPIO nums: swclk = 25, swdio = 24
BCM2835 GPIO config: srst = 18
srst_only separate srst_gates_jtag srst_push_pull connect_deassert_srst
adapter speed: 2000 kHz
adapter_nsrst_delay: 100
srst_only separate srst_nogate srst_push_pull connect_deassert_srst
cortex_m reset_config sysresetreq
Info : replaced existing 'mrw' usage
Info : replaced existing 'mrw' help
Info : replaced existing 'mrb' usage
Info : replaced existing 'mrb' help
Info : replaced existing 'mmw' usage
Info : replaced existing 'mmw' help
Info : BCM2835 GPIO JTAG/SWD bitbang driver
Info : SWD only mode enabled (specify tck, tms, tdi and tdo gpios to add JTAG mode)
Info : clock speed 2002 kHz
Info : SWD DPIDR 0x2ba01477
Info : stm32f4x.cpu: hardware has 6 breakpoints, 4 watchpoints
This device is not running modified firmware.
File stm32.bin not found!
Backup of stock firmware image not found.
Please type 'dump' to save the stock firmware to disk.

Polling target stm32f4x.cpu failed, trying to reexamine
Error: Could not initialize the debug port
Examination failed, GDB will be halted. Polling again in 100ms
Polling target stm32f4x.cpu failed, trying to reexamine
Error: Could not initialize the debug port
Examination failed, GDB will be halted. Polling again in 300ms
Polling target stm32f4x.cpu failed, trying to reexamine
Error: Could not initialize the debug port
Examination failed, GDB will be halted. Polling again in 700ms
Polling target stm32f4x.cpu failed, trying to reexamine
Error: Could not initialize the debug port
Examination failed, GDB will be halted. Polling again in 1500ms
Polling target stm32f4x.cpu failed, trying to reexamine
Error: Could not initialize the debug port
Examination failed, GDB will be halted. Polling again in 3100ms
Polling target stm32f4x.cpu failed, trying to reexamine
Error: Could not initialize the debug port
Examination failed, GDB will be halted. Polling again in 6300ms
Polling target stm32f4x.cpu failed, trying to reexamine
Error: Could not initialize the debug port
Examination failed, GDB will be halted. Polling again in 6300ms
Polling target stm32f4x.cpu failed, trying to reexamine
Error: Could not initialize the debug port
Examination failed, GDB will be halted. Polling again in 6300ms
Polling target stm32f4x.cpu failed, trying to reexamine
Error: Could not initialize the debug port
Examination failed, GDB will be halted. Polling again in 6300ms
^C

dblunk88 commented 4 years ago

Just a FYI: I'm running into the same checksum mismatch and I have the same checksum as you

dblunk88 commented 4 years ago

Confirmed: Hash is equivalent to SW version: SX567-0306

Also running into the same issues as you. One bar and unable to force an OTA update.

nbritton commented 4 years ago

Good news, it turns out it was a bad connection on the SWDIO wire, I desoldered the old wire and cleaned up the pad and soldered on an entirely new wire. Now openocd is working as expected on the very first attempt. The old wire didn't fail continuity testing, but I think the problem was the wire just had very high resistance relatively speaking that was degrading the digital signaling... the pad is so small and maybe the rosin core I used was interfering with the little bit of contact surface... I don't know, but openocd is working now!

Now I just need to figure out how to inject the right bits in the right places with the v306 firmware that I have, but ideally I would like to figure out how to upgrade my machine to v401.

dblunk88 commented 4 years ago

Is there a reason why we aren't sharing the firmware dumps? This would make it a lot easier for people who haven't been getting OTA updates

colinoflynn commented 4 years ago

The firmware is copyright material, and should never be shared (or even links to such material submitted). People doing so would jeopardize the entire project.

Note that the same SW version number encompasses a large group of potentially incompatible firmware as well. The firmware (and location of stuff) changes also with the 'catalog no' on the back. It's possible some catalog no's are never OTA to the latest FW version as well, which could be due to compatibility reasons for example.

dblunk88 commented 4 years ago

Aw, that makes sense! Thank you for the clarification and for all of the hard work you and others have put in to this project.

nbritton commented 4 years ago

This is from the patch-airsense script:

extra_modes() {
        BUILD_FLAGS=$(( BUILD_FLAGS | (1 << 3) ))
        # add more mode entries, set config 0x0 mask to all bits high
        # default is 0x3, which only enables mode 1 (CPAP) and 2 (AutoSet)
        # ---> This is the real magic <---
        printf '\xff\xff' | patch 0x8590 || die failed
}

From someone who has a v401 firmware, what exactly is located at 0x8590? I'm wondering if I can use xxd and just grep for that string to find the correct location in my v306 firmware to patch. A grep for just 0303 returns too many entries.

gszakacs commented 4 years ago

> Is there a reason why we aren't sharing the firmware dumps? This would make it a lot easier for people who haven't been getting OTA updates

It does not appear that the manufacturer is pushing updates to devices. It seems that patients need to go to their doctor to have the devices updated to newer firmware versions.

Ref: http://www.apneaboard.com/forums/Thread-Resmed-Airsense-10-Autoset-firmware-update?page=3

dblunk88 commented 4 years ago

> From someone who has a v401 firmware, what exactly is located at 0x8590? I'm wondering if I can use xxd and just grep for that string to find the correct location in my v306 firmware to patch. A grep for just 0303 returns too many entries.

I've asked around and may have found a friend with the newer firmware who would let me borrow his device. Since I'd have access to both dumps, I could see if I can compare both

nbritton commented 4 years ago

I have new modes now after my latest flash:

IMG_4176

IMG_4177

screenshot1

root@ubuntu:~/airbreak# git diff patch-airsense
diff --git a/patch-airsense b/patch-airsense
index b0e58d4..4b315e2 100755
--- a/patch-airsense
+++ b/patch-airsense
@@ -20,7 +20,7 @@ patch() {
        dd bs=1 seek=$offset conv=notrunc of="$OUT" status=none
 }

-echo "533b91127aa22e05b933db203ad56c449dc12a8c3fd62f57bd88c472a8061775  $IN"\
+echo "363a204ba217f31223e929365d58b8f5ce038a7681e362fe157e190c2eacbd30  $IN"\
 | sha256sum --check \
 || die "$IN: wrong hash"

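Review bot: Overwriting the expected SHA-256 on the `echo "... $IN"` line makes the script accept only the new image and reject the one it was written for, while the hard-coded `patch 0x...` offsets below it stay exactly as they were. Keep both hashes, record which one matched, and select offsets from that result, so the check keeps guarding the offsets instead of being edited until it passes.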
@@ -32,8 +32,8 @@ printf '\xc0\x46' | patch 0xf0 \

 # and add a message so that we know this is a modified firmware
 printf 'HACKED!' | patch 0x17500 || die failed
-printf 'NOT FOR USE\x0' | patch 0x1a540 || die failed
-printf 'WARNING! WARNING! Ventilator test firmware: Not for humans!\x00' | patch 0x1b860 || die failed
+#printf 'NOT FOR USE\x0' | patch 0x1a540 || die failed
+#printf 'WARNING! WARNING! Ventilator test firmware: Not for humans!\x00' | patch 0x1b860 || die failed

 BUILD_FLAGS=0

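Review bot: The two `printf` writes at 0x1a540 and 0x1b860 are commented out with no note saying why, so a reader cannot tell whether those offsets are wrong for this image or the strings were simply unwanted, and the 'HACKED!' write at 0x17500 becomes the only marker left in the output. Put the reason next to the change, or gate the two writes on a variable rather than leaving dead commented lines.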
@@ -115,12 +115,12 @@ gui_config () {
        done
 }

-patch_code
-unlock_ui_limits
-extra_debug
+#patch_code
+#unlock_ui_limits
+#extra_debug
 extra_modes
 extra_menu
-#all_menu
+all_menu
 gui_config

 FLAGSTR=$(printf 'FLAGS=0x%02x' $BUILD_FLAGS)
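Review bot: Choosing features by commenting calls in and out (`patch_code`, `unlock_ui_limits` and `extra_debug` off, `all_menu` on) leaves no record of why this combination was picked and forces every user to edit the script by hand. Drive the call list from an option or a variable set at the top of the file, so that the `FLAGSTR` built from `BUILD_FLAGS` is the one description of what was applied.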
dblunk88 commented 4 years ago

> I have new modes now after my latest flash:

Oh nice! Is everything working?

nbritton commented 4 years ago

Still playing with it, not even sure what half the features do! However, the first one I tried, ASVAuto, appears to be working... because if I pause my breath for a few seconds the machine will increase the pressure to force me to inhale.

The screen has some nonsense on it too...

IMG_4178

root@ubuntu:~/airbreak# xxd stm32-unlocked.bin | egrep "(GIT|FLAGS)="
00017580: 6e67 656e 0000 0000 464c 4147 533d 3078  ngen....FLAGS=0x
--
00017760: 656e 0000 4749 543d 6165 6331 3938 6100  en..GIT=aec198a.
dblunk88 commented 4 years ago

iVaps has been acting strange for me, just wondering if it is the same for you

nbritton commented 4 years ago

I'm not even sure what that is so I'm probably not the best person to ask if it's operating normally. I'll do what I can to help out converting these to emergency ventilators, but I came here primarily for enabling BiPAP / ASVAuto functionality on my own personal machine. I'm a computer systems engineer who also likes to do electrical engineering as a hobby, so I was compelled to pull mine apart and tinker with it. :-)

image

nbritton commented 4 years ago

Yes absolutely, I think that is critical for enabling emergency ventilator use because it seems very apparent that ResMed has a multitude of firmware versions in production units. If we can figure out how to find the right insertion points in the code for the 0x0 mode feature mask we can automate the process to work on most any arbitrary firmware version.

nbritton commented 4 years ago

I think the very first time I re-flashed the machine it was a bad upload, recall that my IO wire was flakey... the extra menus are working now with just the 0x0 mode feature mask. This code works as is verbatim with my firmware version:

extra_modes() {
        BUILD_FLAGS=$(( BUILD_FLAGS | (1 << 3) ))
        # add more mode entries, set config 0x0 mask to all bits high
        # default is 0x3, which only enables mode 1 (CPAP) and 2 (AutoSet)
        # ---> This is the real magic <---
        printf '\xff\xff' | patch 0x8590 || die failed
}
dblunk88 commented 4 years ago

Left is 0401 offset, right is the equivalent 0306 offset using a hexdump of both bins. Basically just went through the script and fished out all relevant offsets.

00008590 --> 00008590
00017500 --> 00017500
0001a540 --> 0001a540
0001b860 --> 0001b860
000bb730 --> 000bb4d0
000fd000 is an unwritten offset
000f9c80 --> 000f9a20
0004fa80 --> 0004fa80
00004fc0 --> 00004fc0
00007eb0 --> 00007eb0
00007ee0 --> 00007ee0
00007ec0 --> 00007ec0
000084a0 --> 000084a0
00008590 --> 00008590
00066470 --> 00066470 Note: 0006647c and 0006647d are different values
0006e500 --> 0006e500
0006e4c0 --> 0006e4c0
00004ef0 --> 00004ef0
00017580 --> 00017580
00017760 --> 00017760

As can be seen, there are not a lot of differences. Since the actual firmware is copyrighted, I decided to just post the offsets and not the actual values

dblunk88 commented 4 years ago

Added a pull request based off of what I found to make patch-airsense compatible

gszakacs commented 4 years ago

Patched a v306 bin file using dblunk88's update, but I do not see new modes either in the user or the clinical menu.

dblunk88 commented 4 years ago

@gszakacs commenting out patch_code (line 126 if you're using my compatibility patch from my fork https://github.com/dblunk88/airbreak/blob/master/patch-airsense) and uncommenting all_menu (line 131) might help too.

What I think is happening is that you did not compile and it is trying to install the patch_code, which will be missing. Mid-patch it will panic and exit... which leaves you with a half-patched firmware with no modes

Or you could give this a shot and try some of his troubleshooting steps he took in this thread

> I think the very first time I re-flashed the machine it was a bad upload, recall that my IO wire was flakey... the extra menus are working now with just the 0x0 mode feature mask. This code works as is verbatim with my firmware version:
>
> extra_modes() {
>         BUILD_FLAGS=$(( BUILD_FLAGS | (1 << 3) ))
>         # add more mode entries, set config 0x0 mask to all bits high
>         # default is 0x3, which only enables mode 1 (CPAP) and 2 (AutoSet)
>         # ---> This is the real magic <---
>         printf '\xff\xff' | patch 0x8590 || die failed
> }
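
Added example, not code from any comment in this thread and not the project's patch-airsense: one way to handle the two problems seen above, a hash check that gets edited until it passes and a patch run that dies midway and leaves a half-patched file. It assumes a POSIX shell with sha256sum, mktemp and dd; the function names and the table layout are hypothetical, and the SX567-0401 label on the first hash is an assumption.

```shell
#!/bin/sh
# Added example, not the project's patch-airsense.

# "sha256 version" pairs, hashes as quoted in the thread. The SX567-0401 label
# on the first is an assumption: it is the hash the unmodified script checks.
KNOWN_IMAGES='533b91127aa22e05b933db203ad56c449dc12a8c3fd62f57bd88c472a8061775 SX567-0401
363a204ba217f31223e929365d58b8f5ce038a7681e362fe157e190c2eacbd30 SX567-0306'

# "version patch-name offset" rows. 0x17500 is the 'HACKED!' marker offset,
# listed in the thread's offset table as the same on 0401 and 0306.
OFFSETS='SX567-0401 marker 0x17500
SX567-0306 marker 0x17500'

# Print the version label of a known image; fail for anything else.
identify_image() {
    sum=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    while read -r known label; do
        if [ -n "$sum" ] && [ "$known" = "$sum" ]; then echo "$label"; return 0; fi
    done <<EOF
$KNOWN_IMAGES
EOF
    return 1
}

# Print the offset of a named patch for one version; fail if there is no row.
offset_for() {
    while read -r ver name off; do
        if [ "$ver" = "$1" ] && [ "$name" = "$2" ]; then echo "$off"; return 0; fi
    done <<EOF
$OFFSETS
EOF
    return 1
}

# Write stdin into FILE at OFFSET, refusing a write that runs past the end.
write_at() {
    file=$1; at=$(( $2 ))
    data=$(mktemp) || return 1
    cat > "$data"
    end=$(( at + $(wc -c < "$data") ))
    rc=0
    if [ "$end" -gt $(( $(wc -c < "$file") )) ]; then
        echo "write at $2 does not fit in $file" >&2; rc=1
    else
        dd if="$data" of="$file" bs=1 seek="$at" conv=notrunc 2>/dev/null || rc=1
    fi
    rm -f "$data"; return $rc
}

# The patch steps for one version, applied to a scratch copy.
apply_patches() {
    where=$(offset_for "$1" marker) || return 1
    printf 'HACKED!' | write_at "$2" "$where"
}

# Patch SRC into DST. The scratch file lives next to DST so the final mv is a
# rename, and DST is created only if every step succeeded.
patch_image() {
    src=$1; dst=$2
    version=$(identify_image "$src") || {
        echo "$src: not a known image, refusing to patch" >&2; return 1; }
    tmp=$(mktemp "$dst.XXXXXX") || return 1
    if cp "$src" "$tmp" && apply_patches "$version" "$tmp"; then
        mv "$tmp" "$dst"
    else
        rm -f "$tmp"; return 1
    fi
}

if [ $# -eq 2 ]; then patch_image "$1" "$2"; fi
```

Supporting another firmware version then means adding a hash row and its offset rows, not editing the check.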
dblunk88 commented 4 years ago

Also, I will probably attempt to add an automatic hexdump search to find offsets sometime in the future to get all versions compatible (if there are any non-306 and 401 versions floating around). I just don't know how feasible that is due to the need to disclose certain sections in the bin file for the search.

gszakacs commented 4 years ago

@dblunk88 You are correct. I used the patch file from your repo and ran it on my bin. After following your most recent comments, more items were patched, but I still received a git related fatal error between items 17588 and 17764. Not sure how critical that is.

After patching, I also have the same nonsense menu titles as @nbritton + noticed duplicate "min PS", "max PS", "start EPAP" items in the clinical menu. Some settings are visible but not adjustable, for example the "rise time" "trigger" "cycle". As far as the emergency ventilator functionality those menu items are hopefully irrelevant, but I am curious if you are noticing the same limitations.

dblunk88 commented 4 years ago

I think the menu items are intentional and may be used as an indicator on what version it is running. You can actually see them being patched in at the end of the script.

As far as the limited options go, I do have the same issue, but really haven't taken the time yet to see why that is. I'm still getting familiar with the binaries myself... someone else might know the answer though :)

Could you paste the error?

ruri-baka commented 4 years ago

I've been working on 0302 compatibility and here is what I have so far:

unlock ui limits, extra debug, extra modes, and the gui config address need a +8 offset

comment out extra menu and the second address of all menu, then offset the first (status bit 5) address by +8

The anti-tamper may not be needed but it does need to be offset by +2 to use it.

I haven't tried anything else but that is tested and working on a Rev 1.0 board as well. What I've run into though is that the GUI areas on 302 are a bit different. For example (from the 0401 stubs file):

NSTUB(0x08066c1b, dispatch_0x38_0x40) is at 664f6 -725
NSTUB(0x080668dd, date_format_time) is at 6589a (I think)

I haven't tested anything else yet but that yields working menus, graphics, and all modes; again on SX567-0302 on a Rev. 1.0 PCB.

dblunk88 commented 4 years ago

@ruri-baka awesome!! You should do a pull request :)

I wonder how many 302's are floating out there

ruri-baka commented 4 years ago

Lots..sitting in warehouses...

By the way...

Text Strings: not for use is at 1a5bo, the other two are the same.

SHA256: A5E7D77FC7B2FE38DA82A7D99035CECD40749398DA31F7E39634C002E7081CC7

dblunk88 commented 4 years ago

Mind sharing your patcher? I could add this to my existing pull request if you want

ruri-baka commented 4 years ago

I just created a pull request with it; I'd be interested to see if what I did for the menus on 0302 would get them working on 0306 though.

dblunk88 commented 4 years ago

My concern is having two different versions for the patcher. Once either pull gets through, I'll merge them

dblunk88 commented 4 years ago

Also, since I have access to a 306 and temporary access to a 401 device, I can do some testing for you if you want

ruri-baka commented 4 years ago

Go for it; I didn't know who's working on what patcher so I figured I'd throw that up so I can take a break and start digging and debugging the additions (graphs, debug, etc.) for 302.

If you have two versions you might want to run some diffs on the 6xxxx space...are they very similar between 306-401?

dblunk88 commented 4 years ago

The python patcher is working really well, might just add on to that instead

dblunk88 commented 4 years ago

@ruri-baka Will take a look :) Do you think we should open up a different issue for the comparisons? This thread is starting to feel a bit cluttered

dblunk88 commented 4 years ago

Scripting out a python program to grab the individual offset differences between binary files (through the use of xxd -c 1) that'll split out an excel file

dblunk88 commented 4 years ago

Done! Put in another pull request. https://github.com/dblunk88/airbreak/blob/master/offset_diff.py It'll write a .csv file which can be easily imported into excel. Kept the imports to a minimum

Will upload a redacted version of the results on my Drive.

dblunk88 commented 4 years ago

Here are the results https://docs.google.com/spreadsheets/d/1_i6PF-nABOaD_m5coIUW_zA4tfrCzPFv0MkYMmZaUq8/edit?usp=sharing

If anyone has 302 and 401, please let me know. I'll add your results to the file

ruri-baka commented 4 years ago

Well that explains why I was going nuts over the trying to get the GUI to work, but the good news is that you should be able to enable the menus on 306 with the 302 menu code.

Do all the menus show up in 401 (for example height and back up rate in ivaps)?

> @ruri-baka Will take a look :) Do you think we should open up a different issues for the comparisons? This thread is starting to feel a bit cluttered

Yeah...This is gonna get confusing real fast in one issue

dblunk88 commented 4 years ago

I wish I had 302 as a reference. I'll ask around to see if I can find someone and borrow a device running that specific firmware. :) I think most, if not all, menus show up. But can't edit some of them and there are a few duplicates.

I think 306 might be pretty similar compared with 401 in terms of patched offsets

dblunk88 commented 4 years ago

Also will be adding an offset finder script soon to see where changed offsets might be located at for differing firmware versions

Maybe I can implement this as a website with the actual search being performed server-side as not to disclose any code publicly. This should make patching a LOT easier for people who are lacking the necessary firmware
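
Added example, not dblunk88's offset_diff.py or the tool from issue #41: a shell sketch of the two comparisons described in this thread, listing the offset ranges where two images differ and looking up where the bytes at a known offset in one image occur in another. It assumes cmp, od and awk are available; the function names are hypothetical, and only offsets are printed, never firmware bytes.

```shell
#!/bin/sh
# Added example, not dblunk88's offset_diff.py or the tool from issue #41.

# CSV of each run of differing bytes between two images: start,end,length.
# Only offsets are printed, never byte values.
diff_ranges() {
    echo "start,end,length"
    cmp -l "$1" "$2" 2>/dev/null | awk '
        function emit() {
            if (have) printf "0x%08x,0x%08x,%d\n", start, prev, prev - start + 1
        }
        {
            off = $1 - 1                  # cmp -l numbers bytes from 1
            if (!have || off != prev + 1) { emit(); start = off; have = 1 }
            prev = off
        }
        END { emit() }'
}

# Hex string (two characters per byte) of a file, or of LEN bytes at OFFSET.
hex_of() {
    if [ $# -eq 3 ]; then od -An -v -tx1 -j "$(( $2 ))" -N "$(( $3 ))" "$1"
    else od -An -v -tx1 "$1"; fi | tr -d ' \n'
}

# Take LEN bytes at OFFSET in image A and print every offset in image B where
# the same bytes occur. More than one hit means the context is too short.
locate_bytes() {
    pat=$(hex_of "$1" "$2" "$3")
    [ -n "$pat" ] || return 1
    hex_of "$4" | awk -v pat="$pat" '{
        pos = 1
        while ((i = index(substr($0, pos), pat)) > 0) {
            hit = pos + i - 1             # 1-based position in the hex string
            if (hit % 2 == 1) printf "0x%08x\n", (hit - 1) / 2   # byte-aligned
            pos = hit + 1
        }
    }'
}
```

A byte-for-byte diff reports everything after an inserted or removed byte as changed, so regions that moved between versions need the context search rather than the range list.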

dblunk88 commented 4 years ago

Above is done. Added a new issue at https://github.com/osresearch/airbreak/issues/41

nimamoslemy commented 4 years ago

Hi, we are a team that needs your feedback to complete our idea. Please visit our pages and comment on it. github gitlab

nbritton commented 4 years ago

I was able to disassemble the binary using:

arm-none-eabi-objdump -D -bbinary -marm stm32.bin -Mforce-thumb > stm32.s

Additionally, the Reko program was able to disassemble it as well.

https://github.com/uxmal/reko

The main chip on my AirSense 10 AutoSet is STMicroelectronics STM32F405ZGT6. This is an ARM Cortex-M4 32-bit RISC, however the Internet says the Cortex-M series only supports the 16-bit Thumb ISA.

STM32F405ZG Datasheet: https://www.st.com/resource/en/datasheet/stm32f405zg.pdf

16-bit Thumb ISA Quick Reference: http://infocenter.arm.com/help/topic/com.arm.doc.qrc0006e/QRC0006_UAL16.pdf

IMG_4181

ruri-baka commented 4 years ago

> I was able to disassemble the binary using:
>
> arm-none-eabi-objdump -D -bbinary -marm stm32.bin -Mforce-thumb > stm32.s
>
> Additionally, the Reko program was able to disassemble it as well.
>
> https://github.com/uxmal/reko
>
> The main chip on my AirSense 10 AutoSet is STMicroelectronics STM32F405ZGT6. This is an ARM Cortex-M4 32-bit RISC, however the Internet says the Cortex-M series only supports the 16-bit Thumb ISA.
>
> STM32F405ZG Datasheet: https://www.st.com/resource/en/datasheet/stm32f405zg.pdf
>
> 16-bit Thumb ISA Quick Reference: http://infocenter.arm.com/help/topic/com.arm.doc.qrc0006e/QRC0006_UAL16.pdf
>
> IMG_4181

Here is a link to STMicro’s STemWin package; it includes libraries and headers for the STM32F405ZG and additional IO as well as emwin headers and libraries for that processor: https://www.st.com/en/embedded-software/stemwin.html#overview

Asmageddon commented 3 years ago

Hey @nbritton, @ruri-baka, @dblunk88, and/or @colinoflynn, could I solicit any of you for help/assistance/advice with working with airbreak and openocd that goes slightly past the scope (not in complexity) of this project and issues relating to it?

nbritton commented 3 years ago

> Hey @nbritton, @ruri-baka, @dblunk88, and/or @colinoflynn, could I solicit any of you for help/assistance/advice with working with airbreak and openocd that goes slightly past the scope (not in complexity) of this project and issues relating to it?

Well I've been reassigned to a new project now that there isn't a ventilator shortage due to the pandemic, so I'm not sure how much assistance I can offer you, but what would you happen to be having trouble with?

Asmageddon commented 3 years ago

@nbritton Basically, I've been trying to flash firmware from one machine (bought a broken ASV) to another, but am finding that it is failing to boot (the airbroken ASV mode does not work correctly), with the main three possibilities I can think of being that it won't boot older firmware (0306 vs my 0401), that there might be some sort of region restriction (if that's even a thing), or the fact that optionbytes differ. I tried patching the tamper check byte, but no dice, and I'm wary of fiddling with optionbytes in case it results in a brick. If possible, I would like to diagnose and overcome the problem, as regrettably, my VAuto is simply not cutting it for me, and I'm out of capacity to afford further/alternate treatment for the time being.