forked from aeickho/md380tools
-
Notifications
You must be signed in to change notification settings - Fork 0
/
md380-dfu
executable file
·479 lines (388 loc) · 14.4 KB
/
md380-dfu
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
#!/usr/bin/env python2
# Copyright 2010, 2011 Michael Ossmann
# Copyright 2015 Travis Goodspeed
#
# This file was forked from Project Ubertooth as a DFU client for the
# TYT MD380, an amateur radio for the DMR protocol on the UHF bands.
# This script implements a lot of poorly understood extensions unique
# to the MD380.
#
#
#
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; see the file COPYING. If not, write to
# the Free Software Foundation, Inc., 51 Franklin Street,
# Boston, MA 02110-1301, USA.
# http://pyusb.sourceforge.net/docs/1.0/tutorial.html
import struct
import sys
import time
from optparse import OptionParser
import dfu_suffix
from DFU import DFU, State
# The tricky thing is that *THREE* different applications all show up
# as this same VID/PID pair.
#
# 1. The Tytera application image.
# 2. The Tytera bootloader at 0x08000000
# 3. The mask-rom bootloader from the STM32F405.
md380_vendor = 0x0483
md380_product = 0xdf11
#application_offset = 0x08000000
#ram_offset = 0x20000000
#application_size = 0x00040000
def download(dfu, data, flash_address):
block_size = 1 << 8
sector_size = 1 << 12
if flash_address & (sector_size - 1) != 0:
raise Exception('Download must start at flash sector boundary')
block_number = flash_address / block_size
assert block_number * block_size == flash_address
try:
while len(data) > 0:
packet, data = data[:block_size], data[block_size:]
if len(packet) < block_size:
packet += '\xFF' * (block_size - len(packet))
dfu.download(block_number, packet)
status, timeout, state, discarded = dfu.get_status()
sys.stdout.write('.')
sys.stdout.flush()
block_number += 1
finally:
print
def download_codeplug(dfu, data):
"""Downloads a codeplug to the MD380."""
block_size = 1024
dfu.md380_custom(0x91,0x01); #Programming Mode
dfu.md380_custom(0x91,0x01); #Programming Mode
#dfu.md380_custom(0xa2,0x01); #Returns "DR780...", seems to crash client.
#hexdump(dfu.get_command()); #Gets a string.
dfu.md380_custom(0xa2,0x02);
hexdump(dfu.get_command()); #Gets a string.
time.sleep(2);
dfu.md380_custom(0xa2,0x02);
dfu.md380_custom(0xa2,0x03);
dfu.md380_custom(0xa2,0x04);
dfu.md380_custom(0xa2,0x07);
dfu.erase_block(0x00000000);
dfu.erase_block(0x00010000);
dfu.erase_block(0x00020000);
dfu.erase_block(0x00030000);
dfu.set_address(0x00000000); # Zero address, used by configuration tool.
#sys.exit();
status, timeout, state, discarded = dfu.get_status()
#print status, timeout, state, discarded
block_number = 2
try:
while len(data) > 0:
packet, data = data[:block_size], data[block_size:]
if len(packet) < block_size:
packet += '\xFF' * (block_size - len(packet))
dfu.download(block_number, packet)
state=11
while state!=State.dfuDNLOAD_IDLE:
status, timeout, state, discarded = dfu.get_status()
#print status, timeout, state, discarded
sys.stdout.write('.')
sys.stdout.flush()
block_number += 1
finally:
print
def hexdump(string):
"""God awful hex dump function for testing."""
buf="";
i=0;
for c in string:
buf=buf+("%02x"%c);
i=i+1;
if i&3==0:
buf=buf+" "
if i&0xf==0:
buf=buf+" "
if i&0x1f==0:
buf=buf+"\n"
print buf;
def upload_bootloader(dfu,filename):
"""Dumps the bootloader, but only on Mac."""
#dfu.set_address(0x00000000); # Address is ignored, so it doesn't really matter.
# Bootloader stretches from 0x08000000 to 0x0800C000, but our
# address and block number are ignored, so we set the block size
# ot 0xC000 to yank the entire thing in one go. The application
# comes later, I think.
block_size=0xC000; #0xC000;
f=None;
if filename!=None:
f=open(filename,'wb');
print "Dumping bootloader. This only works in radio mode, not programming mode."
try:
data = dfu.upload(2, block_size)
status, timeout, state, discarded = dfu.get_status()
if len(data) == block_size:
print "Got it all!";
else:
print "Only got %i bytes. Older versions would give it all." % len(data);
#raise Exception('Upload failed to read full block. Got %i bytes.' % len(data))
if f!=None:
f.write(data)
else:
hexdump(data);
finally:
print "Done."
def upload_codeplug(dfu,filename):
"""Uploads a codeplug from the radio to the host."""
dfu.md380_custom(0x91,0x01); #Programming Mode
#dfu.md380_custom(0xa2,0x01); #Returns "DR780...", seems to crash client.
#hexdump(dfu.get_command()); #Gets a string.
dfu.md380_custom(0xa2,0x02);
dfu.md380_custom(0xa2,0x02);
dfu.md380_custom(0xa2,0x03);
dfu.md380_custom(0xa2,0x04);
dfu.md380_custom(0xa2,0x07);
dfu.set_address(0x00000000); # Zero address, used by configuration tool.
f = open(filename, 'wb')
block_size=1024
try:
# Codeplug region is 0 to 3ffffff, but only the first 256k are used.
for block_number in range(2,0x102):
data = dfu.upload(block_number, block_size)
status, timeout, state, discarded = dfu.get_status()
#print "Status is: %x %x %x %x" % (status, timeout, state, discarded);
sys.stdout.write('.')
sys.stdout.flush()
if len(data) == block_size:
f.write(data)
#hexdump(data);
else:
raise Exception('Upload failed to read full block. Got %i bytes.' % len(data))
#dfu.md380_reboot()
finally:
print "Done."
def download_firmware(dfu, data):
""" Download new firmware binary to the radio. """
addresses = [
0x0800c000,
0x08010000,
0x08020000,
0x08040000,
0x08060000,
0x08080000,
0x080a0000,
0x080c0000,
0x080e0000]
sizes = [0x4000, #0c
0x10000, #1
0x20000, #2
0x20000, #4
0x20000, #6
0x20000, #8
0x20000, #a
0x20000, #c
0x20000] #e
block_ends = [0x11, 0x41, 0x81, 0x81, 0x81, 0x81, 0x81, 0x81, 0x81]
try:
print("Beginning firmware upgrade.")
status, timeout, state, discarded = dfu.get_status()
assert state == State.dfuIDLE
dfu.md380_custom(0x91,0x01)
dfu.md380_custom(0x91,0x31)
for address in addresses:
if dfu.verbose: print("Erasing address@ 0x%x" % address)
dfu.erase_block( address )
block_size = 1024
block_start = 2
address_idx = 0
if data[0:14] == "OutSecurityBin": #skip header if present
if dfu.verbose: print("Skipping 0x100 byte header in data file")
header, data = data[:0x100], data[0x100:]
print("Writing firmware:")
assert len(addresses) == len(sizes)
numaddresses = len(addresses)
while address_idx < numaddresses: #for each section
print("%0d%% complete" % (address_idx*100/numaddresses) )
address = addresses[ address_idx ]
size = sizes[ address_idx ]
dfu.set_address( address )
if address_idx != len(addresses) -1:
assert address + size == addresses[ address_idx + 1]
datawritten = 0
block_number = block_start
while len(data) > 0 and size > datawritten: #for each block
assert block_number <= block_ends[ address_idx ]
packet, data = data[:block_size], data[block_size:]
if len(packet) < block_size:
packet += '\xFF' * (block_size - len(packet))
dfu.download(block_number, packet)
dfu.wait_till_ready()
datawritten += len(packet)
block_number += 1
#if dfu.verbose: sys.stdout.write('.'); sys.stdout.flush()
#if dfu.verbose: sys.stdout.write('_\n'); sys.stdout.flush()
address_idx += 1
print("100% complete, now safe to disconnect and/or reboot radio")
except Exception as e:
print(e)
def upload(dfu, flash_address, length, path):
#block_size = 1 << 8
block_size = 1 << 14
print "Address: 0x%08x"%flash_address
print "Block Size: 0x%04x"%block_size
if flash_address & (block_size - 1) != 0:
raise Exception('Upload must start at block boundary')
block_number = flash_address / block_size
assert block_number * block_size == flash_address
#block_number=0x8000;
print "Block Number: 0x%04x"%block_number
cmds=dfu.get_command();
print "%i supported commands." % len(cmds)
for cmd in cmds:
print "Command %02x is supported by UPLOAD."%cmd;
dfu.set_address(0x08001000); #RAM
block_number=2;
f = open(path, 'wb')
try:
while length > 0:
data = dfu.upload(block_number, block_size)
status, timeout, state, discarded = dfu.get_status()
print "Status is: %x %x %x %x" % (status, timeout, state, discarded);
sys.stdout.write('.')
sys.stdout.flush()
if len(data) == block_size:
f.write(data)
else:
raise Exception('Upload failed to read full block. Got %i bytes.' % len(data))
block_number += 1
length -= len(data)
finally:
f.close()
print
def detach(dfu):
if dfu.get_state() == State.dfuIDLE:
dfu.detach()
print('Detached')
else:
print 'In unexpected state: %s' % dfu.get_state()
def init_dfu(alt=0):
dev = usb.core.find(idVendor=md380_vendor,
idProduct=md380_product)
if dev is None:
raise RuntimeError('Device not found')
dfu = DFU(dev, alt)
dev.default_timeout = 3000
try:
dfu.enter_dfu_mode()
except usb.core.USBError, e:
if len(e.args) > 0 and e.args[0] == 'Pipe error':
raise RuntimeError('Failed to enter DFU mode. Is bootloader running?')
else:
raise e
return dfu
def usage():
print("""
Usage: md380-dfu <command> <arguments>
Write a codeplug to the radio.
md380-dfu write <codeplug.bin>
Write firmware to the radio.
md380-dfu upgrade <firmware.bin>
Read a codeplug and write it to a file.
md380-dfu read <codeplug.bin>
Dump the bootloader from Flash memory.
md380-dfu readboot <filename.bin>
Print the time from the MD380.
md380-dfu time
Detach the bootloader and execute the application firmware:
md380-dfu detach
Close the bootloader session.
md380-dfu reboot
Upgrade to new firmware:
md380-dfu upgrade foo.bin
""")
if __name__ == '__main__':
try:
if len(sys.argv) == 3:
if sys.argv[1] == 'read':
import usb.core
dfu = init_dfu()
upload_codeplug(dfu, sys.argv[2])
print('Read complete')
elif sys.argv[1] == 'readboot':
print "This only wokrs from OS X. Use the one in md380-tool with patched firmware for other bootloaders.";
import usb.core
dfu = init_dfu()
upload_bootloader(dfu, sys.argv[2])
elif sys.argv[1] == "upgrade":
import usb.core
with open(sys.argv[2], 'rb') as f:
data = f.read();
dfu = init_dfu();
download_firmware(dfu, data);
elif sys.argv[1] == 'write':
import usb.core
f = open(sys.argv[2], 'rb')
data = f.read()
f.close()
if sys.argv[2][-4:] == '.dfu':
suf_len, vendor, product = dfu_suffix.check_suffix(data)
dfu = init_dfu()
firmware = data[:-suf_len]
else:
dfu = init_dfu()
firmware = data
download_codeplug(dfu, firmware)
print('Write complete')
elif sys.argv[1] == 'sign':
filename = sys.argv[2]
f = open(filename, 'rb')
firmware = f.read()
f.close()
data = dfu_suffix.add_suffix(firmware, md380_vendor, md380_product)
dfu_file = filename[:-4] + '.dfu'
f = open(dfu_file, 'wb')
f.write(data)
f.close()
print("Signed file written: %s" % dfu_file)
else:
usage()
elif len(sys.argv) == 2:
if sys.argv[1] == 'detach':
import usb.core
dfu = init_dfu()
dfu.set_address(0x08000000); #Radio Application
detach(dfu)
elif sys.argv[1] == 'time':
import usb.core
dfu = init_dfu()
print dfu.get_time();
elif sys.argv[1] == 'reboot':
import usb.core
dfu = init_dfu()
dfu.md380_custom(0x91,0x01); #Programming Mode
dfu.md380_custom(0x91,0x01); #Programming Mode
#dfu.md380_custom(0x91,0x01); #Programming Mode
#dfu.drawtext("Rebooting",160,50);
dfu.md380_reboot()
elif sys.argv[1] == 'abort':
import usb.core
dfu = init_dfu()
dfu.abort();
else:
usage()
else:
usage()
except RuntimeError, e:
print(e.args[0])
exit(1)
except Exception, e:
print e
#print dfu.get_status()
exit(1)