-
Notifications
You must be signed in to change notification settings - Fork 426
Firmware m1300
Target
Purpose
Versions
Structure
Boot process
OS and Libraries
Flashing
Interfaces
The module programs video transcoding chip firmware. Location of this chip is GL300 Interface board.
The specific chip:
- for stock GL300a, or GL300a/b/c RC with HDMI output upgrade, DaVinci TMS320DM368 is located on GL300 Interface board,
- for GL300e RC, RockChip RK3288 is located on unknown board,
Complementary chip exists within the drone gimbal; the air part is programmed by module m0800.
Within GL300a/b/c RCs, this module is used on all boards with HDMI output, and on GL300a boards even if no HDMI output is present. GL300b/c RC models have the DM368 chip removed, so the firmware is not used; on these devices, USB output is handled directly by Cypress serializer.
The DaVinci firmware forwards video signal from Cypress serializer to the USB port for mobile app. In boards with HDMI output, it also transcodes the video signal for that output. In addition, it allows to handle RC firmware upgrades via USB Thumb Drive. RC versions without this chip cannot upgrade firmware via USB Thumb Drive, because Cypress controller is not capable of such tasks.
The RockChip firmware probably has similar function - it wasn't analyzed in detail.
There are multiple versions, always without package-related encryption. But inside, the binary is encrypted - see Structure chapter for details.
Older Phantom 3 firmwares contained both AC and RC upgrade in one file; after P3?_FW_V01.03.0020, RC firmware became a separate file, starting with C1_FW_. Since V01.03.0020, the device will no longer react to any P3?_FW_ file inserted into USB port.
| Marking | Packages | Timestamp | Overview |
|---|---|---|---|
| 02.12.0000 | P3X_FW_V01.01.0006 P3X_FW_V01.01.1003 | 2015-04-30 ... 2015-05-01 | |
| 02.13.0000 | P3S_FW_V01.01.0008 P3S_FW_V01.01.0009 P3S_FW_V01.02.0007 P3S_FW_V01.02.0008 P3X_FW_V01.01.0008 P3X_FW_V01.01.0009 P3X_FW_V01.01.1007 P3X_FW_V01.02.0006 | 2015-05-06 ... 2015-07-10 | |
| 02.18.0001 | C1_FW_V01.03.0020 P3S_FW_V01.03.0020 P3XS_FW_RC_V01.03.0020 P3X_FW_V01.03.0020 | 2015-07-24 ... 2015-08-04 | |
| 02.18.0002 | C1_FW_V01.02.0021 C1_FW_V01.03.00.21 C1_FW_V01.04.0030 | 2015-07-28 ... 2015-09-29 | |
| 02.24.0000 | C1_FW_V01.05.0070 C1_FW_v01.05.0071 | 2015-11-24 ... 2016-02-01 | |
| 02.26.0000 | C1_FW_V01.01.0020 C1_FW_V01.01.0092 C1_FW_V01.05.0080 C1_FW_V01.06.0000 C1_FW_v01.01.0030 C1_FW_v01.01.0035 C1_FW_v01.01.0040 C1_FW_v01.01.0050 C1_FW_v01.01.0051 C1_FW_v01.01.0053 C1_FW_v01.01.0054 C1_FW_v01.01.0055 C1_FW_v01.01.0060 C1_FW_v01.01.0080 C1_FW_v01.01.0090 C1_FW_v01.07.0002 C1_FW_v01.07.0030 C1_FW_v01.07.0040 | 2016-03-15 ... 2016-12-08 | |
| 02.29.0000 | C1_FW_v01.06.0001 C1_FW_v01.07.0000 C1_FW_v01.08.0000 | 2016-08-13 ... 2016-09-12 | |
| 02.31.0000 | C1_FW_v01.09.0000 | 2016-11-08 | |
| 02.32.0000 | C1_FW_V01.01.0093 C1_FW_v01.07.0060 | 2016-11-10 ... 2016-12-29 |
The module is encrypted using OpenSSL salted format. Password is "Dji123456". Here is an example decryption command:
openssl des3 -md md5 -d -k Dji123456 -in C1_FW_V01.06.0000_m1300.bin -out C1_FW_V01.06.0000_m1300_decrypted.tar.gz
Unencrypted firmware is a TAR GZip archive containing some Linux tools compiled for ARM, boot configuration and kernel modules. It also contains partition images which can be flashed.
In order to use the decrypted bootloader images dji/data/*.img with sfh_DM36x or other chip manufacturers tools, first 0x800 bytes of the files have to be removed, ie.:
dd if=dji/data/u-boot.img of=u-boot_prop.img bs=2048 skip=1 dd if=dji/data/ubl1.img of=ubl1_prop.img bs=2048 skip=1
The files included in firmware update are written in appropriate places of the 128MB NAND flash memory. Map of the flash memory is as follows:
| Offset | Description | Content |
|---|---|---|
| 0020000 | U-boot init | ubl?.img, a copy every 0x20000 bytes; initial startup code for u-boot |
| 0320000 | U-boot app | u-boot.img, a copy every 0x60000 bytes; main part of the u-boot bootloader |
| 0420000 | U-boot env | environment variables for the u-boot bootloader; usually not set |
| 04a0000 | Primary kernel | uImage; the Linux Kernel normally used for booting |
| 0900000 | Recovery kernel | uImage_recovery, not included in FW updates; the Linux Kernel which is used when primary kernel gets corrupted |
| 0d60000 | Encrypted data | Hardware-encrypted partition |
| 0e00000 | Root Filesystem | ubifs-partition.ubi; Linux Root Filesystem, using UbiFS; contains kernel modules, tools and applications |
| 7f00000 | End of flash | also end of Root Filesystem partition |
This memory map corresponds to the u-boot environment configuration which can be set and then displayed with the following commands in u-boot console:
env set mtdids 'nand0=davinci_nand.0' env set mtdparts 'mtdparts=davinci_nand.0:4736k(bootloader)ro,4480k(kernel),4480k(kernel_recv),640k(secret),114m(filesystem)' mtdparts
The module is a container with RKFW magic fourcc in header. After extracrtion, standard Android update files are revealed: loader.bin, boot.img for initial booting, and system.img, recovery.img, misc.img Android partitions for OS startup.
No analysis of the booting procedure were performed.
The firmware consists of U-Boot boot loader and DaVinci Linux as OS.
Additional Kernel Modules and User Mode Applications are providing communication to Cypress USB Controller and video transcode functions.
TODO
Here are the known ways to flash the U-Boot bootloader and DaVinci Linux. Some of the flashing methods may not be listed here.
The official way of flashing the firmware is by selecting upgrade (or downgrade) in the mobile app. The app will download the firmware, extract modules from the package and distribute them to proper target components. In order to use this method on RC which has DaVinci media processor, the DaVinci Linux system has to be functional. This means boot loader must work, at least one kernel image must work, UbiFS must be a valid root file system and encrypted partition must have valid data.
See Flashing RC by official package on USB Stick for details.
See Flashing RC by firmware module on USB Stick for details.
This is a very reliable method of fixing a board with damaged firmware. Requires removing target board from the device and basic soldering skill. It is explained in detail on the page Flashing firmware on DaVinci media processors.
Texas Instruments maintains an extensive Wiki with information about ways of Writing Image to NAND Flash for their processors.
What they propose as primary method is to update the firmware via Ethernet controller by using U-Boot boot loader functionalities. The wiki also discusses flashing the U-Boot itself, and contains links to descriptions of other flashing methods.
The DaVinci Linux kernel loads additional modules which provide communication to CY7C68013 module on the GL300 Main board. Video stream is transmitted from there.
The external USB connector is managed by the DM368 chip. It is normally used to connect mobile device, but if USB stick is connected, it also becomes available in Linux. Old firmwares allowed to update RC firmware via this interface; this function was later disabled, to keep consistency with GL300b and later, where such capability is not possible.
The serial interface can be used to access shell on the DaVinci Linux. It allows both input and output. Service pads which allow access to it are named as follows:
- in GL300a board, the names are UART_RX, UART_TX and GND.
- in HDMI board, the names are 368_RX, 368_TX and GND.
A typical boot sequence which can be seen on the interface is as follows:
DM36x initialization passed! UBL Product Vesion : -WM610-SUPER-UBL-1.0-rc0(2014-09-19) UBL Version: 1.51(Sep 19 2014 - 17:22:26) Booting Catalog Boot Loader BootMode = NAND Starting NAND Copy... Valid magicnum, 0xA1ACED66, found in block 0x00000019. DONE Jumping to entry point at 0x81080000. U-Boot Product Vesion : -WM610-Uboot-1.0-rc4(2014-08-13) U-Boot 2010.12-rc2-svn- (Aug 13 2014 - 10:55:23) Cores: ARM 486 MHz DDR: 360 MHz I2C: ready DRAM: 128 MiB NAND: 128 MiB Bad block table found at page 65472, version 0x01 Bad block table found at page 65408, version 0x01 nand_read_bbt: Bad block at 0x000003900000 nand_read_bbt: Bad block at 0x000003920000 *** Warning - bad CRC, using default environment Net: Ethernet PHY: GENERIC @ 0xff DaVinci-EMAC Press ESC to abort autoboot in 1 seconds Loading from nand0, offset 0x4a0000 Image Name: Linux-2.6.32.17-davinci1 Created: 2014-11-27 10:20:54 UTC Image Type: ARM Linux Kernel Image (uncompressed) Data Size: 4032928 Bytes = 3.8 MiB Load Address: 80008000 Entry Point: 80008000 ## Booting kernel from Legacy Image at 80700000 ... Image Name: Linux-2.6.32.17-davinci1 Created: 2014-11-27 10:20:54 UTC Image Type: ARM Linux Kernel Image (uncompressed) Data Size: 4032928 Bytes = 3.8 MiB Load Address: 80008000 Entry Point: 80008000 Loading Kernel Image ... OK OK Starting kernel ... [ 0.000000] Kernel Product Vesion : -WM610-Kernel-1.0-rc7(2014-11-27) [ 0.000000] Linux version 2.6.32.17-davinci1 (root@dji) (gcc version 4.3.3 (Sourcery G++ Lite 2009q1-203) ) #5 PREEMPT Thu Nov 27 18:20:50 HKT 2014 [ 0.000000] CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00053177 [ 0.000000] CPU: VIVT data cache, VIVT instruction cache [ 0.000000] Machine: DaVinci DM36x EVM [ 0.000000] Memory policy: ECC disabled, Data cache writeback [ 0.000000] DaVinci dm36x_rev1.2 variant 0x8 [ 0.000000] Built 1 zonelists in Zone order, mobility grouping off. Total pages: 12192 [ 0.000000] Kernel command line: console=ttyS0,115200n8 rw dm365_imp.oper_mode=0 video=davincifb:vid0=0,0:vid1=0,0:osd0=0,0:osd1=0,0 mem=48MB davinci_enc_mngr.ch0_output=COMPOSITE davinci_enc_mngr.ch0_mode=pal ubi.mtd=2,2048 root=ubi0:rootfs rootfstype=ubifs ip=off lpj=1077248 [ 0.000000] PID hash table entries: 256 (order: -2, 1024 bytes) [ 0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes) [ 0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes) [ 0.000000] Memory: 48MB = 48MB total [ 0.000000] Memory: 44448KB available (3644K code, 452K data, 116K init, 0K highmem) [ 0.000000] SLUB: Genslabs=11, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1 [ 0.000000] Hierarchical RCU implementation. [ 0.000000] NR_IRQS:245 [ 0.000000] Console: colour dummy device 80x30 [ 0.000000] Calibrating delay loop (skipped) preset value.. 215.44 BogoMIPS (lpj=1077248) [ 0.000000] Mount-cache hash table entries: 512 [ 0.000000] CPU: Testing write buffer coherency: ok [ 0.000000] DaVinci: 8 gpio irqs [ 0.000000] NET: Registered protocol family 16 [ 0.090000] bio: create slab at 0 ...
Transmission configuration is 115200 8N1. It uses 3.3V logic.
If you can't see any message, it is possible that the DaVinci chip cannot boot from NAND memory. To be sure, short the Boot Select service pad to 3.3V - this will cause it boot from internal ROM, and you should see continuous stream of "BOOTME" messages at serial console. If you can't see these, either your FTDI setup does not work or your DaVinci chip is dead.
This page is created by drone enthusiasts for drone enthusiasts.
If you see a mistake, or you know more about specific subject, or you see an area for improvement for the wiki - create an issue in this project and attach your patch (or describe the change you propose).