SEGGER officially provides a way to upgrade an ST-LINK/V2 or ST-LINK/V2-1 to a J-Link, and of course the same tool can restore it back to an ST-LINK.
(Image from: https://www.segger.com/jlink-st-link.html)
- Related limitations (as stated by SEGGER):
Limitations: The firmware making the ST-LINK on-board J-Link compatible has some limitations in contrast to an original, industry leading SEGGER J-Link:
  - May be used with ARM based ST devices only
  - Only debugging on evaluation boards is allowed. Debugging on custom hardware is not supported and not allowed
  - No production flash programming support
  - Unlimited breakpoints in flash available for evaluation only
  - No support is given
- Firmware extraction
Analysing STLinkReflash_160617/STLinkReflash.exe with IDA shows that the J-Link firmware is embedded in that file at offset 0x14958 with a length of 0xA710:
$ dd if=STLinkReflash.exe of=jlink_160617.bin skip=$((0x14958)) bs=1 count=$((0xA710))
42768+0 records in
42768+0 records out
42768 bytes transferred in 0.076162 secs (561541 bytes/sec)
$ hexdump -C jlink_160617.bin
00000000  a0 19 00 20 81 e6 00 08  b3 5e 00 08 95 e1 00 08  |... .....^......|
00000010  b3 5e 00 08 b3 5e 00 08  b3 5e 00 08 00 00 00 00  |.^...^...^......|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 b3 5e 00 08  |.............^..|
00000030  b3 5e 00 08 00 00 00 00  39 6e 00 08 01 e1 00 08  |.^......9n......|
00000040  b3 5e 00 08 b3 5e 00 08  b3 5e 00 08 b3 5e 00 08  |.^...^...^...^..|
*
00000090  03 a9 00 08 b3 5e 00 08  b3 5e 00 08 b3 5e 00 08  |.....^...^...^..|
000000a0  b3 5e 00 08 b3 5e 00 08  b3 5e 00 08 b3 5e 00 08  |.^...^...^...^..|
*
000000d0  b3 5e 00 08 8b cc 00 08  65 b1 00 08 b3 5e 00 08  |.^......e....^..|
000000e0  b3 5e 00 08 b3 5e 00 08  b3 5e 00 08 ff ff ff ff  |.^...^...^......|
000000f0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
00000100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000110  4a 2d 4c 69 6e 6b 20 53  54 4c 69 6e 6b 20 56 32  |J-Link STLink V2|
...
The ST-LINK/V2-1 firmware is located in the same file at offset 0x29760 with a length of 0xB4D0:
$ dd if=STLinkReflash.exe of=stlink_v2-1_160617.bin skip=$((0x29760)) bs=1 count=$((0xB4D0))
46288+0 records in
46288+0 records out
46288 bytes transferred in 0.079159 secs (584747 bytes/sec)
$ hexdump -C stlink_v2-1_160617.bin
00000000  68 48 00 20 75 ee 00 08  91 ee 00 08 95 ee 00 08  |hH. u...........|
00000010  99 ee 00 08 9d ee 00 08  a1 ee 00 08 00 00 00 00  |................|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 a5 ee 00 08  |................|
00000030  a9 ee 00 08 00 00 00 00  ad ee 00 08 3d ea 00 08  |............=...|
00000040  3f ea 00 08 41 ea 00 08  43 ea 00 08 45 ea 00 08  |?...A...C...E...|
00000050  47 ea 00 08 49 ea 00 08  4b ea 00 08 4d ea 00 08  |G...I...K...M...|
00000060  4f ea 00 08 51 ea 00 08  53 ea 00 08 55 ea 00 08  |O...Q...S...U...|
00000070  57 ea 00 08 5d ea 00 08  65 ea 00 08 6f ea 00 08  |W...]...e...o...|
00000080  73 ea 00 08 77 ea 00 08  b1 ee 00 08 79 ea 00 08  |s...w.......y...|
00000090  7d ea 00 08 b5 ee 00 08  b9 ee 00 08 81 ea 00 08  |}...............|
000000a0  83 ea 00 08 85 ea 00 08  bb ea 00 08 bd ea 00 08  |................|
000000b0  11 eb 00 08 13 eb 00 08  15 eb 00 08 17 eb 00 08  |................|
000000c0  19 eb 00 08 1b eb 00 08  1d eb 00 08 1f eb 00 08  |................|
000000d0  21 eb 00 08 23 eb 00 08  25 eb 00 08 27 eb 00 08  |!...#...%...'...|
000000e0  29 eb 00 08 2b eb 00 08  2d eb 00 08 26 48 0f f2  |)...+...-...&H..|
000000f0  a0 01 41 61 0f f2 c8 41  c1 62 0f f6 a4 11 41 64  |..Aa...A.b....Ad|
00000100  16 49 79 44 56 31 c1 65  15 49 79 44 52 31 1f 48  |.IyDV1.e.IyDR1.H|
00000110  01 60 14 49 79 44 4c 31  41 60 13 49 79 44 48 31  |.`.IyDL1A`.IyDH1|
00000120  81 60 12 49 79 44 44 31  c1 60 11 49 79 44 40 31  |.`.IyDD1.`.IyD@1|
00000130  01 61 10 49 79 44 3c 31  41 61 0f 49 79 44 38 31  |.a.IyD<1Aa.IyD81|
00000140  81 61 0e 49 79 44 34 31  c1 61 0d 49 79 44 30 31  |.a.IyD41.a.IyD01|
00000150  01 62 0c 49 79 44 2c 31  41 62 70 47 c4 99 00 00  |.b.IyD,1AbpG....|
00000160  64 97 00 00 64 97 00 00  a0 97 00 00 fc 97 00 00  |d...d...........|
00000170  50 98 00 00 8c 98 00 00  dc 98 00 00 20 99 00 00  |P........... ...|
00000180  4c 99 00 00 74 99 00 00  cc 18 00 20 84 3f 00 20  |L...t...... .?. |
00000190  28 05 00 20 19 04 00 20  e5 02 00 20 e7 02 00 20  |(.. ... ... ... |
...
Finally, the ST-LINK/V2 firmware is provided as well (offset 0x23250, length 0x6510):
$ dd if=STLinkReflash.exe of=stlink_v2_160617.bin skip=$((0x23250)) bs=1 count=$((0x6510))
25872+0 records in
25872+0 records out
25872 bytes transferred in 0.050625 secs (511053 bytes/sec)
$ hexdump -C stlink_v2_160617.bin
00000000  48 35 00 20 09 a2 00 08  31 a2 00 08 35 a2 00 08  |H5. ....1...5...|
00000010  39 a2 00 08 3d a2 00 08  41 a2 00 08 00 00 00 00  |9...=...A.......|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 45 a2 00 08  |............E...|
00000030  49 a2 00 08 00 00 00 00  4d a2 00 08 a5 9e 00 08  |I.......M.......|
00000040  a7 9e 00 08 a9 9e 00 08  ab 9e 00 08 ad 9e 00 08  |................|
00000050  af 9e 00 08 b1 9e 00 08  b3 9e 00 08 b5 9e 00 08  |................|
00000060  b7 9e 00 08 b9 9e 00 08  bb 9e 00 08 bd 9e 00 08  |................|
00000070  bf 9e 00 08 c5 9e 00 08  cd 9e 00 08 d7 9e 00 08  |................|
00000080  db 9e 00 08 e3 9e 00 08  51 a2 00 08 e5 9e 00 08  |........Q.......|
00000090  e9 9e 00 08 55 a2 00 08  59 a2 00 08 ed 9e 00 08  |....U...Y.......|
000000a0  ef 9e 00 08 f1 9e 00 08  27 9f 00 08 29 9f 00 08  |........'...)...|
000000b0  7d 9f 00 08 7f 9f 00 08  81 9f 00 08 83 9f 00 08  |}...............|
000000c0  85 9f 00 08 87 9f 00 08  89 9f 00 08 8b 9f 00 08  |................|
000000d0  8d 9f 00 08 8f 9f 00 08  91 9f 00 08 93 9f 00 08  |................|
000000e0  95 9f 00 08 97 9f 00 08  99 9f 00 08 78 b1 83 78  |............x..x|
000000f0  c2 78 0f f2 f4 01 5b 5c  52 5c 1b 04 43 ea 02 62  |.x....[\R\..C..b|
00000100  43 78 00 78 5b 5c 40 5c  42 ea 03 22 10 43 70 47  |Cx.x[\@\B..".CpG|
00000110  f0 b5 df f8 48 7c 0c 46  39 78 80 26 01 29 83 b0  |....H|.F9x.&.)..|
00000120  15 46 06 d1 21 46 01 f0  d9 fe 00 f0 44 f9 06 46  |.F..!F......D..F|
00000130  18 e0 00 28 18 bf 01 28  02 d1 02 f0 32 f9 06 46  |...(...(....2..F|
00000140  0f f2 a4 00 00 eb 84 10  80 2e 90 f8 20 00 38 71  |............ .8q|
...
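The same carving in Python, added here as an example (it is not code from the article): it cuts the three images out of STLinkReflash.exe at the offsets listed above and, before anything is written, sanity-checks each one as a Cortex-M image (initial stack pointer in SRAM, reset vector in flash with the Thumb bit set) and records its SHA-256 so a re-extraction can be compared. The STM32F103RB memory map and the output filenames are assumptions.

```python
import hashlib
import struct

# Offsets and lengths of the three images inside STLinkReflash.exe (build
# 160617), as identified with IDA in the article above.
IMAGES = {
    "jlink_160617.bin": (0x14958, 0xA710),
    "stlink_v2-1_160617.bin": (0x29760, 0xB4D0),
    "stlink_v2_160617.bin": (0x23250, 0x6510),
}
# STM32F103RB memory map (20 KB SRAM, 128 KB flash): an assumption taken
# from the part's datasheet, not from the article.
SRAM_BASE, SRAM_END = 0x20000000, 0x20005000
FLASH_BASE, FLASH_END = 0x08000000, 0x08020000

def carve(exe, offset, length):
    """Same as `dd skip=offset bs=1 count=length`, but refuses a short read."""
    if offset + length > len(exe):
        raise ValueError("image extends past end of file (truncated input?)")
    return exe[offset:offset + length]

def check_vector_table(image, app_base=FLASH_BASE):
    """Word 0 must be an initial MSP inside SRAM; word 1 must be a reset
    handler that is odd (Thumb) and lies in flash at or above app_base
    (0x08004000 for the V2-1 firmware, which sits behind the bootloader)."""
    if len(image) < 8:
        raise ValueError("image too short to hold a vector table")
    sp, reset = struct.unpack_from("<II", image, 0)
    sp_ok = SRAM_BASE < sp <= SRAM_END
    reset_ok = (reset & 1) == 1 and app_base <= reset < FLASH_END
    return {"sp": sp, "reset": reset, "plausible": sp_ok and reset_ok,
            "sha256": hashlib.sha256(image).hexdigest()}

def carve_all(exe, out_dir=None):
    """Carve every image, optionally write each to out_dir, return the checks."""
    results = {}
    for name, (offset, length) in IMAGES.items():
        image = carve(exe, offset, length)
        results[name] = check_vector_table(image)
        if out_dir is not None:
            with open(f"{out_dir}/{name}", "wb") as f:
                f.write(image)
    return results

if __name__ == "__main__":
    import sys
    with open(sys.argv[1] if len(sys.argv) > 1 else "STLinkReflash.exe", "rb") as f:
        for name, r in carve_all(f.read(), ".").items():
            print(f"{name}: SP=0x{r['sp']:08x} reset=0x{r['reset']:08x} "
                  f"plausible={r['plausible']} sha256={r['sha256']}")
```

Run against the hexdumps above, the J-Link image reports SP=0x200019a0 and reset=0x0800e681, which is what the first 8 bytes of jlink_160617.bin encode.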
- Updating the firmware
The ST-LINK/V2-1 uses an STM32F103RBT6 MCU. Its firmware starts at 0x08004000 in flash and only runs together with the ST-LINK/V2-1 bootloader, so the next task is to find a way to extract the bootloader from an ST-LINK/V2-1.
So, could the firmware work with a home-made bootloader instead? What about Maple-bootloader?
Let's see whether it can run on maple-bootloader.
- Related reference documents:
- https://www.segger.com/jlink-st-link.html
Does the STLINK bootloader perform any firmware verification? Or does it require sniffing the USB traffic?
The ST-LINK/V2-1 bootloader does perform verification, so the firmware must be written without any errors.
You can also refer to this document: https://lujji.github.io/blog/reverse-engineering-stlink-firmware/
and this one: https://www.brobwind.com/archives/1133 (it may still be incomplete; one step of STLinkReflash.exe is missing)
Hello! How did you determine the firmware location and size with IDA? I really admire your work and hope to have a chance to exchange ideas; my QQ is 450547566, my name is Liu Quan.
Hello! How exactly did you find the firmware with IDA? I hope you can point me in the right direction; my QQ is 1428876581, thank you.
I haven't used IDA for a long time and have forgotten many of the steps.
The article contains the relevant addresses, so you can work backwards from them with IDA. You can also open the debug information of STLINKREFLASH in IDA.
Also, you can refer to these documents (also provided earlier by a reader):
https://lujji.github.io/blog/reverse-engineering-stlink-firmware/
https://lujji.github.io/blog/reverse-engineering-stlink-firmware-part2/