Support for bk7238 - Githubissues

arikon commented 6 months ago

Is it possible to use bk7231tools with bk7238 SoC?

I tried with no luck on macOS:

% bk7231tools chip_info --device /dev/cu.wchusbserial110
Traceback (most recent call last):
  File "/Users/arikon/projects/firefly/beken_freertos_sdk-3.0.70/tools/matter_factory_data_generate/.python-venv/lib/python3.12/site-packages/bk7231tools/__main__.py", line 623, in cli
    connect_device(args.device, args.baudrate, args.timeout, args.debug)
  File "/Users/arikon/projects/firefly/beken_freertos_sdk-3.0.70/tools/matter_factory_data_generate/.python-venv/lib/python3.12/site-packages/bk7231tools/__main__.py", line 381, in connect_device
    s.connect()
  File "/Users/arikon/projects/firefly/beken_freertos_sdk-3.0.70/tools/matter_factory_data_generate/.python-venv/lib/python3.12/site-packages/bk7231tools/serial/__init__.py", line 42, in connect
    raise TimeoutError("Timed out attempting to link with chip")
TimeoutError: Timed out attempting to link with chip

arikon commented 6 months ago

When I connect CEN to GND for short time, I receive these errors

<- TX: BkLinkCheckCmnd()
<- TX: BkLinkCheckCmnd()
<- TX: BkLinkCheckCmnd()
<- TX: BkLinkCheckCmnd()
<- TX: BkLinkCheckCmnd()
<- TX: BkLinkCheckCmnd()
<- TX: BkLinkCheckCmnd()
-> RX (1): BkLinkCheckResp(value=0)
<- TX: BkCheckCrcCmnd(start=2097152, end=2097408)
-> RX (4): BkCheckCrcResp(crc32=2484401883)
Connected! Chip info: None / Flash ID: 00 00 00 / Protocol: BASIC_BEKEN
Reading 2097152 bytes from 0x0
Reading 4k page at 0x200000 (0.00%)
<- TX: BkFlashRead4KCmnd(start=2097152)
-> RX (4101): Check OK
-> RX (4101): BkFlashRead4KResp(status=0, start=2097152, [...]
<- TX: BkCheckCrcCmnd(start=2097152, end=2101248)
-> RX (4): BkCheckCrcResp(crc32=1804650096)
Reading failure (Chip CRC value 946F398F does not match calculated CRC value 4687B26), retrying (attempt 0)
<- TX: BkFlashRead4KCmnd(start=2097152)
-> RX (4101): Check OK
-> RX (4101): BkFlashRead4KResp(status=0, start=2097152, [...]
<- TX: BkCheckCrcCmnd(start=2097152, end=2101248)
-> RX (4): BkCheckCrcResp(crc32=1804650096)
Reading failure (Chip CRC value 946F398F does not match calculated CRC value 4687B26), retrying (attempt 1)
<- TX: BkFlashRead4KCmnd(start=2097152)
-> RX (4101): Check OK
-> RX (4101): BkFlashRead4KResp(status=0, start=2097152, [...]
<- TX: BkCheckCrcCmnd(start=2097152, end=2101248)
-> RX (4): BkCheckCrcResp(crc32=1804650096)
Reading failure (Chip CRC value 946F398F does not match calculated CRC value 4687B26), retrying (attempt 2)
<- TX: BkFlashRead4KCmnd(start=2097152)
-> RX (4101): Check OK
-> RX (4101): BkFlashRead4KResp(status=0, start=2097152, [...]
<- TX: BkCheckCrcCmnd(start=2097152, end=2101248)
-> RX (4): BkCheckCrcResp(crc32=1804650096)
Reading failure (Chip CRC value 946F398F does not match calculated CRC value 4687B26), retrying (attempt 3)
<- TX: BkFlashRead4KCmnd(start=2097152)
-> RX (4101): Check OK
-> RX (4101): BkFlashRead4KResp(status=0, start=2097152, [...]
<- TX: BkCheckCrcCmnd(start=2097152, end=2101248)
-> RX (4): BkCheckCrcResp(crc32=1804650096)

kuba2k2 commented 6 months ago

I have never heard of this chip before. There's a pending update here: https://github.com/tuya-cloudcutter/bk7231tools/tree/feature/flash-refactor It should improve chip detection capability and allow some flashing operations even on unrecognized chips.

Please post the verbose output of running bk7231tools from this branch.

arikon commented 6 months ago

Reading flash in working on this branch:

% bk7231tools read_flash --device /dev/cu.wchusbserial110 --debug bk7238-entire-flash.bin
<- TX: BkLinkCheckCmnd()
-> RX (1): BkLinkCheckResp(value=0)
<- TX: BkCheckCrcCmnd(start=0, end=256)
-> RX (4): BkCheckCrcResp(crc32=2484401883)
Reading 4k page at 0x000000 (0.00%)
<- TX: BkFlashRead4KCmnd(start=0)
-> RX (4101): Check OK
-> RX (4101): BkFlashRead4KResp(status=0, start=0, [...]
<- TX: BkReadRegCmnd(address=8388608)
-> RX (8): Check OK
-> RX (8): BkReadRegResp(address=8388608, value=29240)
<- TX: BkFlashReg24ReadCmnd(cmd=159)
-> RX (5): BkFlashReg24ReadResp(status=0, data0=133, data1=66, data2=21)
Connected! Chip info: BK7231N / Flash ID: 85 42 15 / Flash size: 0x200000 / Protocol: FULL
Reading 2097152 bytes from 0x0
Reading 4k page at 0x000000 (0.00%)
<- TX: BkFlashRead4KCmnd(start=2097152)
-> RX (4101): Check OK
-> RX (4101): BkFlashRead4KResp(status=0, start=2097152, [...]
<- TX: BkCheckCrcCmnd(start=2097152, end=2101247)
-> RX (4): BkCheckCrcResp(crc32=4221011161)
Reading 4k page at 0x001000 (0.20%)
<- TX: BkFlashRead4KCmnd(start=2101248)
-> RX (4101): Check OK
-> RX (4101): BkFlashRead4KResp(status=0, start=2101248, [...]
<- TX: BkCheckCrcCmnd(start=2101248, end=2105343)
-> RX (4): BkCheckCrcResp(crc32=3689778625)
Reading 4k page at 0x002000 (0.39%)

arikon commented 6 months ago

@kuba2k2 Writing to flash emits error:

% bk7231tools write_flash --device /dev/cu.wchusbserial110 --bootloader --debug bk7238-entire-flash.bin
<- TX: BkLinkCheckCmnd()
-> RX (1): BkLinkCheckResp(value=0)
<- TX: BkCheckCrcCmnd(start=0, end=256)
-> RX (4): BkCheckCrcResp(crc32=2484401883)
Reading 4k page at 0x000000 (0.00%)
<- TX: BkFlashRead4KCmnd(start=0)
-> RX (4101): Check OK
-> RX (4101): BkFlashRead4KResp(status=0, start=0, [...]
<- TX: BkReadRegCmnd(address=8388608)
-> RX (8): Check OK
-> RX (8): BkReadRegResp(address=8388608, value=29240)
<- TX: BkFlashReg24ReadCmnd(cmd=159)
-> RX (5): BkFlashReg24ReadResp(status=0, data0=133, data1=66, data2=21)
Connected! Chip info: BK7231N / Flash ID: 85 42 15 / Flash size: 0x200000 / Protocol: FULL
Writing 2097152 bytes to 0x0
Trying to unprotect flash memory...
Traceback (most recent call last):
  File "/Users/arikon/projects/firefly/beken_freertos_sdk-3.0.70/tools/matter_factory_data_generate/.python-venv/bin/bk7231tools", line 8, in <module>
    sys.exit(cli())
             ^^^^^
  File "/Users/arikon/projects/firefly/beken_freertos_sdk-3.0.70/tools/matter_factory_data_generate/.python-venv/lib/python3.12/site-packages/bk7231tools/__main__.py", line 626, in cli
    args.handler(device, args)
  File "/Users/arikon/projects/firefly/beken_freertos_sdk-3.0.70/tools/matter_factory_data_generate/.python-venv/lib/python3.12/site-packages/bk7231tools/__main__.py", line 470, in write_flash
    for _ in device.program_flash(
  File "/Users/arikon/projects/firefly/beken_freertos_sdk-3.0.70/tools/matter_factory_data_generate/.python-venv/lib/python3.12/site-packages/bk7231tools/serial/cmd_hl_flash.py", line 133, in program_flash
    self.flash_unprotect()
  File "/Users/arikon/projects/firefly/beken_freertos_sdk-3.0.70/tools/matter_factory_data_generate/.python-venv/lib/python3.12/site-packages/bk7231tools/serial/cmd_hl_flash.py", line 60, in flash_unprotect
    raise ValueError(f"Flash ID not known: {flash_id.hex()}")
ValueError: Flash ID not known: 854215

arikon commented 6 months ago

@kuba2k2 SoC info is here: https://www.bekencorp.com/en/goods/detail/cid/42.html

arikon commented 6 months ago

@kuba2k2 SoC Datasheet is here: https://device.report/m/afb952eb395dfc21d38f7294dbbf7fd507288ffd43c3a8c81d2cc79bdf336bc4.pdf

kuba2k2 commented 6 months ago

Try adding the flash ID somewhere here: https://github.com/tuya-cloudcutter/bk7231tools/blob/feature/flash-refactor/bk7231tools/serial/cmd_hl_flash.py#L29 Like:

         b"\x85\x60\x17": 2,
+        b"\x85\x42\x15": 2,
         b"\xC2\x23\x14": 2,

arikon commented 6 months ago

@kuba2k2 New error

% bk7231tools write_flash --device /dev/cu.wchusbserial110 --bootloader --debug bk7238-entire-flash.bin
<- TX: BkLinkCheckCmnd()
-> RX (1): BkLinkCheckResp(value=0)
<- TX: BkCheckCrcCmnd(start=0, end=256)
-> RX (4): BkCheckCrcResp(crc32=2484401883)
Reading 4k page at 0x000000 (0.00%)
<- TX: BkFlashRead4KCmnd(start=0)
-> RX (4101): Check OK
-> RX (4101): BkFlashRead4KResp(status=0, start=0, [...]
<- TX: BkReadRegCmnd(address=8388608)
-> RX (8): Check OK
-> RX (8): BkReadRegResp(address=8388608, value=29240)
<- TX: BkFlashReg24ReadCmnd(cmd=159)
-> RX (5): BkFlashReg24ReadResp(status=0, data0=133, data1=66, data2=21)
Connected! Chip info: BK7231N / Flash ID: 85 42 15 / Flash size: 0x200000 / Protocol: FULL
Writing 2097152 bytes to 0x0
Trying to unprotect flash memory...
<- TX: BkFlashReg8ReadCmnd(cmd=5)
-> RX (3): Check OK
-> RX (3): BkFlashReg8ReadResp(status=0, cmd=5, data0=4)
<- TX: BkFlashReg8ReadCmnd(cmd=53)
-> RX (3): Check OK
-> RX (3): BkFlashReg8ReadResp(status=0, cmd=53, data0=0)
<- TX: BkFlashReg16WriteCmnd(cmd=1, data=0)
-> RX (4): Check OK
-> RX (4): BkFlashReg16WriteResp(status=0, cmd=1, data=0)
<- TX: BkFlashReg8ReadCmnd(cmd=5)
-> RX (3): Check OK
-> RX (3): BkFlashReg8ReadResp(status=0, cmd=5, data0=4)
<- TX: BkFlashReg8ReadCmnd(cmd=53)
-> RX (3): Check OK
-> RX (3): BkFlashReg8ReadResp(status=0, cmd=53, data0=0)
Traceback (most recent call last):
  File "/Users/arikon/projects/firefly/beken_freertos_sdk-3.0.70/tools/matter_factory_data_generate/.python-venv/bin/bk7231tools", line 8, in <module>
    sys.exit(cli())
             ^^^^^
  File "/Users/arikon/projects/firefly/beken_freertos_sdk-3.0.70/tools/matter_factory_data_generate/.python-venv/lib/python3.12/site-packages/bk7231tools/__main__.py", line 626, in cli
    args.handler(device, args)
  File "/Users/arikon/projects/firefly/beken_freertos_sdk-3.0.70/tools/matter_factory_data_generate/.python-venv/lib/python3.12/site-packages/bk7231tools/__main__.py", line 470, in write_flash
    for _ in device.program_flash(
  File "/Users/arikon/projects/firefly/beken_freertos_sdk-3.0.70/tools/matter_factory_data_generate/.python-venv/lib/python3.12/site-packages/bk7231tools/serial/cmd_hl_flash.py", line 134, in program_flash
    self.flash_unprotect()
  File "/Users/arikon/projects/firefly/beken_freertos_sdk-3.0.70/tools/matter_factory_data_generate/.python-venv/lib/python3.12/site-packages/bk7231tools/serial/cmd_hl_flash.py", line 65, in flash_unprotect
    self.flash_write_sr(sr, size=sr_size, mask=mask)
  File "/Users/arikon/projects/firefly/beken_freertos_sdk-3.0.70/tools/matter_factory_data_generate/.python-venv/lib/python3.12/site-packages/bk7231tools/serial/cmd_ll_flash.py", line 59, in flash_write_sr
    raise RuntimeError(
RuntimeError: Writing Status Register failed: wrote 0x0000, got 0x0004

Patch:

diff --git a/bk7231tools/serial/cmd_hl_flash.py b/bk7231tools/serial/cmd_hl_flash.py
index d78b075..efe0f92 100644
--- a/bk7231tools/serial/cmd_hl_flash.py
+++ b/bk7231tools/serial/cmd_hl_flash.py
@@ -23,6 +23,7 @@ class BK7231SerialCmdHLFlash(BK7231SerialInterface):
         b"\x51\x40\x13": 1,
         b"\x51\x40\x14": 1,
         b"\x5E\x40\x14": 1,
+        b"\x85\x42\x15": 2,
         b"\x85\x60\x13": 2,
         b"\x85\x60\x14": 2,
         b"\x85\x60\x16": 2,

arikon commented 6 months ago

@kuba2k2 Is it possible to make a quick fix here?

Sorry for pushing. I'm trying to decide which way to go on my working task — wait for fix here or continue to look for another options to work with bk7238 SoC.

BTW, thank you for your tool and for you help!

kuba2k2 commented 6 months ago

I don't know, really. Maybe instead of : 2 try using : 1?

arikon commented 6 months ago

diff --git a/bk7231tools/serial/cmd_hl_flash.py b/bk7231tools/serial/cmd_hl_flash.py
index d78b075..cf5718d 100644
--- a/bk7231tools/serial/cmd_hl_flash.py
+++ b/bk7231tools/serial/cmd_hl_flash.py
@@ -23,6 +23,7 @@ class BK7231SerialCmdHLFlash(BK7231SerialInterface):
         b"\x51\x40\x13": 1,
         b"\x51\x40\x14": 1,
         b"\x5E\x40\x14": 1,
+        b"\x85\x42\x15": 1,
         b"\x85\x60\x13": 2,
         b"\x85\x60\x14": 2,
         b"\x85\x60\x16": 2,

@kuba2k2 It worked!

Also I needed to connect CEN to GND one-time.

Cossid commented 6 months ago

diff --git a/bk7231tools/serial/cmd_hl_flash.py b/bk7231tools/serial/cmd_hl_flash.py
index d78b075..cf5718d 100644
--- a/bk7231tools/serial/cmd_hl_flash.py
+++ b/bk7231tools/serial/cmd_hl_flash.py
@@ -23,6 +23,7 @@ class BK7231SerialCmdHLFlash(BK7231SerialInterface):
         b"\x51\x40\x13": 1,
         b"\x51\x40\x14": 1,
         b"\x5E\x40\x14": 1,
+        b"\x85\x42\x15": 1,
         b"\x85\x60\x13": 2,
         b"\x85\x60\x14": 2,
         b"\x85\x60\x16": 2,

@kuba2k2 It worked!

Also I needed to connect CEN to GND one-time.

~~That means your device only has a 1MiB flash. If you did a dump and it came out as 2MiB (because that's what it was told to do), you just have the same dump successively twice in the same file.~~ Nevermind, I misunderstood, thanks for the correction kubu2k2

kuba2k2 commented 6 months ago

Actually, no. 1<<0x15 is 0x200000, which is 2 MiB. : 1/: 2 means 1 or 2 SR bytes, not flash size.

arikon commented 6 months ago

@kuba2k2 When are you planning to release this branch?

kuba2k2 commented 6 months ago

Can you share the stock firmware dump of that device? I need to add the bootloader parameters to bk7231tools first.

kuba2k2 commented 6 months ago

Also, I would need a ROM dump of that chip made with ltchiptool.

arikon commented 5 months ago

@kuba2k2 I've got another SoC Beken BK7238, with different flash ID: 85 20 15

I added it like this:

diff --git a/bk7231tools/serial/cmd_hl_flash.py b/bk7231tools/serial/cmd_hl_flash.py
index 1e6c322..045af62 100644
--- a/bk7231tools/serial/cmd_hl_flash.py
+++ b/bk7231tools/serial/cmd_hl_flash.py
@@ -23,6 +23,7 @@ class BK7231SerialCmdHLFlash(BK7231SerialInterface):
         b"\x51\x40\x13": 1,
         b"\x51\x40\x14": 1,
         b"\x5E\x40\x14": 1,
+        b"\x85\x20\x15": 2,
         b"\x85\x42\x15": 1,
         b"\x85\x60\x13": 2,
         b"\x85\x60\x14": 2,

But got this error trying to flash binary:

RuntimeError: Writing Status Register failed: wrote 0x4000, got 0x4007

How it could be fixed?

Also, I would need a ROM dump of that chip made with ltchiptool.

Could you provide a command, how to make it?

Can you share the stock firmware dump of that device? I need to add the bootloader parameters to bk7231tools first.

Do you need only a bootloader binary?

Could you DM me at https://telegram.me/arikon, I can provide you some. Can't post it here.

arikon commented 5 months ago

Patch:

diff --git a/bk7231tools/serial/cmd_hl_flash.py b/bk7231tools/serial/cmd_hl_flash.py
index 1e6c322..0ca1528 100644
--- a/bk7231tools/serial/cmd_hl_flash.py
+++ b/bk7231tools/serial/cmd_hl_flash.py
@@ -23,6 +23,7 @@ class BK7231SerialCmdHLFlash(BK7231SerialInterface):
         b"\x51\x40\x13": 1,
         b"\x51\x40\x14": 1,
         b"\x5E\x40\x14": 1,
+        b"\x85\x20\x15": 1,
         b"\x85\x42\x15": 1,
         b"\x85\x60\x13": 2,
         b"\x85\x60\x14": 2,

Result:

<- TX: BkLinkCheckCmnd()
<- TX: BkLinkCheckCmnd()
<- TX: BkLinkCheckCmnd()
-> RX (1): BkLinkCheckResp(value=0)
<- TX: BkSetBaudRateCmnd(baudrate=1500000, delay_ms=20)
-- UART: Changing port baudrate
-> RX (5): Response check OK
<- TX: BkCheckCrcCmnd(start=0x0, end=0x100)
-> RX (4): BkCheckCrcResp(crc32=0x9414F6DB)
<- TX: BkLinkCheckCmnd()
-> RX (1): BkLinkCheckResp(value=0)
Unknown bootloader CRC - 0x6BEB0924 - please report this on GitHub issues!
<- TX: BkCheckCrcCmnd(start=0x11000, end=0x11100)
-> RX (4): BkCheckCrcResp(crc32=0x21E082EF)
<- TX: BkLinkCheckCmnd()
-> RX (1): BkLinkCheckResp(value=0)
Reading 4k page at 0x011000 (0.00%)
<- TX: BkFlashRead4KCmnd(start=0x11000)
-> RX (4101): Response check OK
-> RX (4101): BkFlashRead4KResp(status=0, start=0x11000, data=bytes(4096))
<- TX: BkReadRegCmnd(address=0x800000)
-> RX (8): Response check OK
-> RX (8): BkReadRegResp(address=0x800000, value=0x7238)
BK72xx connected - protocol: FULL, chip: BK7238, bootloader: None, chip ID: 0x7238, boot version: None
<- TX: BkFlashReg24ReadCmnd(cmd=0x9F)
-> RX (5): BkFlashReg24ReadResp(status=0, data0=0x85, data1=0x20, [...]
Connected! Chip info: BK7238 / Flash ID: 85 20 15 / Flash size: 0x200000 / Protocol: FULL
Writing 1253376 bytes to 0x0
Trying to unprotect flash memory...
<- TX: BkFlashReg8ReadCmnd(cmd=0x5)
-> RX (3): Response check OK
-> RX (3): BkFlashReg8ReadResp(status=0, cmd=0x5, data0=0x4)
<- TX: BkFlashReg8WriteCmnd(cmd=0x1, data=0x0)
-> RX (3): Response check OK
-> RX (3): BkFlashReg8WriteResp(status=0, cmd=0x1, data=0x0)
<- TX: BkFlashReg8ReadCmnd(cmd=0x5)
-> RX (3): Response check OK
-> RX (3): BkFlashReg8ReadResp(status=0, cmd=0x5, data0=0x7)
Traceback (most recent call last):
  File "/Users/arikon/projects/firefly/burn/python-venv/bin/bk7231tools", line 8, in <module>
    sys.exit(cli())
             ^^^^^
  File "/Users/arikon/projects/firefly/burn/python-venv/lib/python3.12/site-packages/bk7231tools/__main__.py", line 626, in cli
    args.handler(device, args)
  File "/Users/arikon/projects/firefly/burn/python-venv/lib/python3.12/site-packages/bk7231tools/__main__.py", line 470, in write_flash
    for _ in device.program_flash(
  File "/Users/arikon/projects/firefly/burn/python-venv/lib/python3.12/site-packages/bk7231tools/serial/cmd_hl_flash.py", line 125, in program_flash
    self.flash_unprotect()
  File "/Users/arikon/projects/firefly/burn/python-venv/lib/python3.12/site-packages/bk7231tools/serial/cmd_hl_flash.py", line 66, in flash_unprotect
    self.flash_write_sr(sr, size=sr_size, mask=mask)
  File "/Users/arikon/projects/firefly/burn/python-venv/lib/python3.12/site-packages/bk7231tools/serial/cmd_ll_flash.py", line 61, in flash_write_sr
    raise RuntimeError(
RuntimeError: Writing Status Register failed: wrote 0x0000, got 0x0007

Patch:

diff --git a/bk7231tools/serial/cmd_hl_flash.py b/bk7231tools/serial/cmd_hl_flash.py
index 1e6c322..0ca1528 100644
--- a/bk7231tools/serial/cmd_hl_flash.py
+++ b/bk7231tools/serial/cmd_hl_flash.py
@@ -23,6 +23,7 @@ class BK7231SerialCmdHLFlash(BK7231SerialInterface):
         b"\x51\x40\x13": 1,
         b"\x51\x40\x14": 1,
         b"\x5E\x40\x14": 1,
+        b"\x85\x20\x15": 2,
         b"\x85\x42\x15": 1,
         b"\x85\x60\x13": 2,
         b"\x85\x60\x14": 2,

Result:

<- TX: BkLinkCheckCmnd()
<- TX: BkLinkCheckCmnd()
<- TX: BkLinkCheckCmnd()
-> RX (1): BkLinkCheckResp(value=0)
<- TX: BkSetBaudRateCmnd(baudrate=1500000, delay_ms=20)
-- UART: Changing port baudrate
-> RX (5): Response check OK
<- TX: BkCheckCrcCmnd(start=0x0, end=0x100)
-> RX (4): BkCheckCrcResp(crc32=0x9414F6DB)
<- TX: BkLinkCheckCmnd()
-> RX (1): BkLinkCheckResp(value=0)
Unknown bootloader CRC - 0x6BEB0924 - please report this on GitHub issues!
<- TX: BkCheckCrcCmnd(start=0x11000, end=0x11100)
-> RX (4): BkCheckCrcResp(crc32=0x21E082EF)
<- TX: BkLinkCheckCmnd()
-> RX (1): BkLinkCheckResp(value=0)
Reading 4k page at 0x011000 (0.00%)
<- TX: BkFlashRead4KCmnd(start=0x11000)
-> RX (4101): Response check OK
-> RX (4101): BkFlashRead4KResp(status=0, start=0x11000, data=bytes(4096))
<- TX: BkReadRegCmnd(address=0x800000)
-> RX (8): Response check OK
-> RX (8): BkReadRegResp(address=0x800000, value=0x7238)
BK72xx connected - protocol: FULL, chip: BK7238, bootloader: None, chip ID: 0x7238, boot version: None
<- TX: BkFlashReg24ReadCmnd(cmd=0x9F)
-> RX (5): BkFlashReg24ReadResp(status=0, data0=0x85, data1=0x20, [...]
Connected! Chip info: BK7238 / Flash ID: 85 20 15 / Flash size: 0x200000 / Protocol: FULL
Writing 1253376 bytes to 0x0
Trying to unprotect flash memory...
<- TX: BkFlashReg8ReadCmnd(cmd=0x5)
-> RX (3): Response check OK
-> RX (3): BkFlashReg8ReadResp(status=0, cmd=0x5, data0=0x4)
<- TX: BkFlashReg8ReadCmnd(cmd=0x35)
-> RX (3): Response check OK
-> RX (3): BkFlashReg8ReadResp(status=0, cmd=0x35, data0=0x40)
<- TX: BkFlashReg16WriteCmnd(cmd=0x1, data=0x4000)
-> RX (4): Response check OK
-> RX (4): BkFlashReg16WriteResp(status=0, cmd=0x1, data=0x4000)
<- TX: BkFlashReg8ReadCmnd(cmd=0x5)
-> RX (3): Response check OK
-> RX (3): BkFlashReg8ReadResp(status=0, cmd=0x5, data0=0x7)
<- TX: BkFlashReg8ReadCmnd(cmd=0x35)
-> RX (3): Response check OK
-> RX (3): BkFlashReg8ReadResp(status=0, cmd=0x35, data0=0x40)
Traceback (most recent call last):
  File "/Users/arikon/projects/firefly/burn/python-venv/bin/bk7231tools", line 8, in <module>
    sys.exit(cli())
             ^^^^^
  File "/Users/arikon/projects/firefly/burn/python-venv/lib/python3.12/site-packages/bk7231tools/__main__.py", line 626, in cli
    args.handler(device, args)
  File "/Users/arikon/projects/firefly/burn/python-venv/lib/python3.12/site-packages/bk7231tools/__main__.py", line 470, in write_flash
    for _ in device.program_flash(
  File "/Users/arikon/projects/firefly/burn/python-venv/lib/python3.12/site-packages/bk7231tools/serial/cmd_hl_flash.py", line 125, in program_flash
    self.flash_unprotect()
  File "/Users/arikon/projects/firefly/burn/python-venv/lib/python3.12/site-packages/bk7231tools/serial/cmd_hl_flash.py", line 66, in flash_unprotect
    self.flash_write_sr(sr, size=sr_size, mask=mask)
  File "/Users/arikon/projects/firefly/burn/python-venv/lib/python3.12/site-packages/bk7231tools/serial/cmd_ll_flash.py", line 61, in flash_write_sr
    raise RuntimeError(
RuntimeError: Writing Status Register failed: wrote 0x4000, got 0x4007

kuba2k2 commented 5 months ago

How it could be fixed?

I don't think I know.

Could you provide a command, how to make it?

I see you use bk7231tools directly. To make a ROM dump (or any other kind of firmware dump), install pip install ltchiptool and then run ltchiptool flash read bk72xx rom filename.bin.

Do you need only a bootloader binary?

A whole firmware dump would help, but if you can't share it, the bootloader itself will do too. If you read from 0x0 to 0x11000 you will get the bootloader only.

Can't post it here.

You can, just pack it into a ZIP file.

arikon commented 5 months ago

@kuba2k2 Here are all the bootloaders I have, not only for bk7238.

bk-bootloaders.zip

Here is rom.

ltchiptool flash read --rom bk72xx bk7238-rom.bin

bk7238-rom.bin.zip

kuba2k2 commented 5 months ago

Are these bootloaders taken from some SDK? They look like they don't come from a flash chip of the BK7238.

If you could dump the bootloader (it might be a bit different than the ones from SDK) it would be helpful.

arikon commented 5 months ago

Are these bootloaders taken from some SDK?

@kuba2k2 Yes.

They look like they don't come from a flash chip of the BK7238.

bootloader_bk7238_uart1_v1.0.14.bin this one for bk7238 and used as is during the firmware build process.

You can use this one. And other bootloaders to add support for them, if you like.

arikon commented 5 months ago

@kuba2k2 Here is dumped from flash bootloader:

bootloader_bk7238.bin.zip

PS: You were right, it is different from the one from SDK.

arikon commented 5 months ago

@kuba2k2 Could you tell, please, is it possible to add support for BK7238 to bk7231tools?

kuba2k2 commented 5 months ago

It supports Bk7238 already, you've been able to flash a few devices before.

arikon commented 5 months ago

@kuba2k2 Okay =) Is it possible to add support for BK7238 with different flash? Do you need more info / artifacts for that?

kuba2k2 commented 5 months ago

If what you've tried doesn't work, then you either modified the wrong file (e.g. your changes weren't installed in the version you tested) or the flash chip requires something different. I can't possibly test every flash chip ever made.

You can, however, try ltchiptool-ft232-flasher, which can connect to BK72xx using an FT232 adapter. You first need to install the libusbK driver using Zadig. The tool can show more information, such as the Status Registers.

divadiow commented 2 months ago

@arikon im curious about what devices you have that contain BK7238s. if you have links to exact items please that would be useful. thanks!

this is the only one I have at present https://discord.com/channels/967863521511608370/1261030204508209243

tuya-cloudcutter / bk7231tools

Support for bk7238 #23