Unbricking Wyze Contact Sensor - pcb reset pin

So I noticed one of my contact sensors has the bootloader “backdoor” enabled, and I’m able to read & write the firmware using a simple USB to serial adapter (no JTAG). My other sensors did not have it enabled though, and I’m guessing most of the sensors out there are like that, but if anyone wants to try…

[Warning: You can brick your sensor playing with this. You should only try it as a last resort, like to fix an already broken sensor by flashing Wyzeback.]

  • I used a generic CP2102-based USB to serial adapter from eBay. Any 3.3v-level serial/UART adapter/device should be OK.
  • Connect GND from the serial adapter.
  • Short the RX pad on the sensor to GND. This triggers the bootloader.
  • Connect 3.3v from the serial adapter.
  • Remove the RX pad to GND short.
  • LED should be solid red. If it isn’t, then this method will not work.
  • Connect the TX/RX from the serial adapter to the “T”-marked TX pad and the RX pad next to it.


You can use the cc2538-bsl tool, Flash Programmer 2 (select the serial port, then CC1310F128), or UniFlash (select CC1310F128 bootloader, Start, then set the serial port in Settings).

cc2538-bsl

Back up the firmware…

cc2538-bsl.py -p com10 -r -l 131072 backup.bin

Opening port com10, baud 500000
Connecting to target...
CC1310 PG2.1 (5x5mm): 128KB Flash, 20KB SRAM, CCFG.BL_CONFIG at 0x0001FFD8
Primary IEEE Address: 00:12:4B
Reading 131072 bytes starting at address 0x0
    Read done

Program a new firmware…

cc2538-bsl.py -p com10 -e -v -w patched_77AABBCC_blen.bin

Opening port com10, baud 500000
Reading data from patched_77AABBCC_blen.bin
Cannot auto-detect firmware filetype: Assuming .bin
Connecting to target...
CC1310 PG2.1 (5x5mm): 128KB Flash, 20KB SRAM, CCFG.BL_CONFIG at 0x0001FFD8
Primary IEEE Address: 00:12:4B
    Performing mass erase
Erasing all main bank flash sectors
    Erase done
Writing 131072 bytes starting at address 0x00000000
Write 128 bytes at 0x0001FF808
    Write done
Verifying by comparing CRC32 calculations.
    Verified (match: 0x98b2fdb8)

Make sure any firmware you program also has the bootloader enabled, otherwise you will get locked out. Offset 1FFD8 of the file contains the BL_CONFIG setting and needs to be something like C5 01 FE C5.

Also, do not write protect the CCFG. When I did this, I couldn’t undo it via the bootloader because it would not allow me to do a mass erase. If you have to write protect the flash, you should exclude the CCFG area.

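A pre-flash check for the two lockout conditions described in the post, as an added example that is not part of the original post or of cc2538-bsl. It reads a full 128 KB image and refuses it if BL_CONFIG at 0x1FFD8 does not keep the bootloader enabled or if the CCFG sector is write protected. The field names and the CCFG_PROT_31_0 offset (0x1FFF0, bit 31 covering the last 4 KB sector) are assumptions based on TI's CCFG register layout, and `make_image` only builds constructed test images.

```python
import struct
import sys

IMAGE_SIZE = 0x20000          # 131072 bytes, the length read/written in the post
BL_CONFIG_OFF = 0x1FFD8       # from the post and the cc2538-bsl output
CCFG_PROT_31_0_OFF = 0x1FFF0  # assumption: TI CCFG layout, bit 31 = last sector
ENABLED = 0xC5


def check_image(image: bytes) -> list:
    """Return reasons not to flash this image; an empty list means it passed."""
    if len(image) != IMAGE_SIZE:
        return [f"image is {len(image)} bytes, expected {IMAGE_SIZE}"]
    problems = []
    # File byte order (assumed field names): BL_ENABLE, BL_PIN_NUMBER,
    # BL_LEVEL, BOOTLOADER_ENABLE. The post's known-good value is C5 01 FE C5.
    bl_enable, _pin, _level, boot_enable = image[BL_CONFIG_OFF:BL_CONFIG_OFF + 4]
    if boot_enable != ENABLED:
        problems.append(f"BOOTLOADER_ENABLE=0x{boot_enable:02X}: serial bootloader off")
    if bl_enable != ENABLED:
        problems.append(f"BL_ENABLE=0x{bl_enable:02X}: pin-triggered entry off")
    (prot,) = struct.unpack_from("<I", image, CCFG_PROT_31_0_OFF)
    if not prot & (1 << 31):  # a cleared bit write-protects that sector
        problems.append("CCFG sector is write protected")
    return problems


def make_image(bl_config: bytes, prot: int = 0xFFFFFFFF) -> bytes:
    """Constructed test input: erased flash (0xFF) with the two CCFG words set."""
    image = bytearray(b"\xff" * IMAGE_SIZE)
    image[BL_CONFIG_OFF:BL_CONFIG_OFF + 4] = bl_config
    struct.pack_into("<I", image, CCFG_PROT_31_0_OFF, prot)
    return bytes(image)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as fh:
            samples = {sys.argv[1]: fh.read()}
    else:  # no file given: run on constructed images
        samples = {
            "good (C5 01 FE C5)": make_image(bytes.fromhex("C501FEC5")),
            "bootloader disabled": make_image(bytes.fromhex("FFFFFFFF")),
            "CCFG protected": make_image(bytes.fromhex("C501FEC5"), 0x7FFFFFFF),
        }
    for name, data in samples.items():
        issues = check_image(data)
        print(name, "->", "OK to flash" if not issues else "; ".join(issues))
```

Run it with the path of the .bin you are about to write, or with no argument to see the result on the constructed images.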