Re-Flashing the Misfit Flash

IMG_20160109_241816569

After a thorough electrical and mechanical investigation of the Flash device, I decided I would do a little more poking around to see if I could download the firmware from the device. In the end I was not successful (although there is hope), but I did manage to put my own firmware on the device quite easily.

IMG_20160107_200815531

I took a multimeter to the tag-connect header to see which pins when where.  It doesen’t look like the normal SWD or JTAG 10 pin connector, but I did find power, ground, SWDIO/RST, and SWDCLK.  For reference, on the drawing above, the single hole of the tag connect is at the top.

Selection_016

I connected a few wires to the programming pins, and then wired those pins to an STLink programmer from one of the STM discovery boards.  Using OpenOCD, I first tried to download the firmware from the chip with dump image- but it came back all zeros (not shown)!  This is because the NRF51822 has a read-protection feature to prevent people from gaining access to your code.  This is configured through the second register in the UICR, RBPCONF.  The UICR starts at 0x10001000, so I started there and read a few registers.  RBPCONF was 0xffff0000, which means that all of the program memory is protected.

after erase

The values in the UICR can only be cleared if the entire program memory is erased, so that’s exactly what I did- nrf51 mass_erase.  With the memory wiped, reading the RBPCONF resulted in 0xFFFFFFFF, the default value of read back protection for code region 0 and all code regions being disabled.

IMG_20160108_211731262

Once it was erased, I checked that I could write to the chip by putting a simple blinking LED program on the chip.  All the program does is sleep and toggle all of the IO pins, but it was enough to show me that everthing was working.  Later on, I can use this program to test what pin goes to what LED, if I want to make a cool blinky display or something.

After talking to my coworker about this, I learned that there is a way to dump the firmware even with the memory protection on.  Since I was already on the prowl to find a non-destroyed flash to reprogram as a cool display, I might go ahead and buy one and see if I can get the firmware out of it after all.

Posted in: ENG

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s