STM32: Extracting the J-Link and ST-LINK/V2-1 firmware from STLinkReflash

SEGGER officially provides a tool that upgrades an ST-LINK/V2 or ST-LINK/V2-1 to a J-Link, and the same tool can restore the probe to an ST-LINK.

(Image: the STLinkReflash "upgrade to J-Link" dialog; source: https://www.segger.com/jlink-st-link.html)

  • Related limitations (quoted from SEGGER's page):
Limitations
The firmware making the ST-LINK on-board J-Link compatible has some limitations in contrast to an original, industry leading SEGGER J-Link:
May be used with ARM based ST devices only
Only debugging on evaluation boards is allowed. Debugging on custom hardware is not supported and not allowed
No production flash programming support
Unlimited breakpoints in flash available for evaluation only
No support is given
  • Firmware extraction

Analyzing STLinkReflash_160617/STLinkReflash.exe with IDA shows that the J-Link firmware is embedded in that file at offset 0x14958 with length 0xA710:

$ dd if=STLinkReflash.exe of=jlink_160617.bin skip=$((0x14958)) bs=1 count=$((0xA710)) 
42768+0 records in
42768+0 records out
42768 bytes transferred in 0.076162 secs (561541 bytes/sec)
$ hexdump -C jlink_160617.bin 
00000000  a0 19 00 20 81 e6 00 08  b3 5e 00 08 95 e1 00 08  |... .....^......|
00000010  b3 5e 00 08 b3 5e 00 08  b3 5e 00 08 00 00 00 00  |.^...^...^......|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 b3 5e 00 08  |.............^..|
00000030  b3 5e 00 08 00 00 00 00  39 6e 00 08 01 e1 00 08  |.^......9n......|
00000040  b3 5e 00 08 b3 5e 00 08  b3 5e 00 08 b3 5e 00 08  |.^...^...^...^..|
*
00000090  03 a9 00 08 b3 5e 00 08  b3 5e 00 08 b3 5e 00 08  |.....^...^...^..|
000000a0  b3 5e 00 08 b3 5e 00 08  b3 5e 00 08 b3 5e 00 08  |.^...^...^...^..|
*
000000d0  b3 5e 00 08 8b cc 00 08  65 b1 00 08 b3 5e 00 08  |.^......e....^..|
000000e0  b3 5e 00 08 b3 5e 00 08  b3 5e 00 08 ff ff ff ff  |.^...^...^......|
000000f0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
00000100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000110  4a 2d 4c 69 6e 6b 20 53  54 4c 69 6e 6b 20 56 32  |J-Link STLink V2|
...

The ST-LINK/V2-1 firmware is embedded in the same file at offset 0x29760 with length 0xB4D0:

$ dd if=STLinkReflash.exe of=stlink_v2-1_160617.bin skip=$((0x29760)) bs=1 count=$((0xB4D0)) 
46288+0 records in
46288+0 records out
46288 bytes transferred in 0.079159 secs (584747 bytes/sec)
$ hexdump -C stlink_v2-1_160617.bin 
00000000  68 48 00 20 75 ee 00 08  91 ee 00 08 95 ee 00 08  |hH. u...........|
00000010  99 ee 00 08 9d ee 00 08  a1 ee 00 08 00 00 00 00  |................|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 a5 ee 00 08  |................|
00000030  a9 ee 00 08 00 00 00 00  ad ee 00 08 3d ea 00 08  |............=...|
00000040  3f ea 00 08 41 ea 00 08  43 ea 00 08 45 ea 00 08  |?...A...C...E...|
00000050  47 ea 00 08 49 ea 00 08  4b ea 00 08 4d ea 00 08  |G...I...K...M...|
00000060  4f ea 00 08 51 ea 00 08  53 ea 00 08 55 ea 00 08  |O...Q...S...U...|
00000070  57 ea 00 08 5d ea 00 08  65 ea 00 08 6f ea 00 08  |W...]...e...o...|
00000080  73 ea 00 08 77 ea 00 08  b1 ee 00 08 79 ea 00 08  |s...w.......y...|
00000090  7d ea 00 08 b5 ee 00 08  b9 ee 00 08 81 ea 00 08  |}...............|
000000a0  83 ea 00 08 85 ea 00 08  bb ea 00 08 bd ea 00 08  |................|
000000b0  11 eb 00 08 13 eb 00 08  15 eb 00 08 17 eb 00 08  |................|
000000c0  19 eb 00 08 1b eb 00 08  1d eb 00 08 1f eb 00 08  |................|
000000d0  21 eb 00 08 23 eb 00 08  25 eb 00 08 27 eb 00 08  |!...#...%...'...|
000000e0  29 eb 00 08 2b eb 00 08  2d eb 00 08 26 48 0f f2  |)...+...-...&H..|
000000f0  a0 01 41 61 0f f2 c8 41  c1 62 0f f6 a4 11 41 64  |..Aa...A.b....Ad|
00000100  16 49 79 44 56 31 c1 65  15 49 79 44 52 31 1f 48  |.IyDV1.e.IyDR1.H|
00000110  01 60 14 49 79 44 4c 31  41 60 13 49 79 44 48 31  |.`.IyDL1A`.IyDH1|
00000120  81 60 12 49 79 44 44 31  c1 60 11 49 79 44 40 31  |.`.IyDD1.`.IyD@1|
00000130  01 61 10 49 79 44 3c 31  41 61 0f 49 79 44 38 31  |.a.IyD<1Aa.IyD81|
00000140  81 61 0e 49 79 44 34 31  c1 61 0d 49 79 44 30 31  |.a.IyD41.a.IyD01|
00000150  01 62 0c 49 79 44 2c 31  41 62 70 47 c4 99 00 00  |.b.IyD,1AbpG....|
00000160  64 97 00 00 64 97 00 00  a0 97 00 00 fc 97 00 00  |d...d...........|
00000170  50 98 00 00 8c 98 00 00  dc 98 00 00 20 99 00 00  |P........... ...|
00000180  4c 99 00 00 74 99 00 00  cc 18 00 20 84 3f 00 20  |L...t...... .?. |
00000190  28 05 00 20 19 04 00 20  e5 02 00 20 e7 02 00 20  |(.. ... ... ... |
...

Finally, the ST-LINK/V2 firmware is included as well (offset 0x23250, length 0x6510):

$ dd if=STLinkReflash.exe of=stlink_v2_160617.bin skip=$((0x23250)) bs=1 count=$((0x6510))
25872+0 records in
25872+0 records out
25872 bytes transferred in 0.050625 secs (511053 bytes/sec)
$ hexdump -C stlink_v2_160617.bin 
00000000  48 35 00 20 09 a2 00 08  31 a2 00 08 35 a2 00 08  |H5. ....1...5...|
00000010  39 a2 00 08 3d a2 00 08  41 a2 00 08 00 00 00 00  |9...=...A.......|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 45 a2 00 08  |............E...|
00000030  49 a2 00 08 00 00 00 00  4d a2 00 08 a5 9e 00 08  |I.......M.......|
00000040  a7 9e 00 08 a9 9e 00 08  ab 9e 00 08 ad 9e 00 08  |................|
00000050  af 9e 00 08 b1 9e 00 08  b3 9e 00 08 b5 9e 00 08  |................|
00000060  b7 9e 00 08 b9 9e 00 08  bb 9e 00 08 bd 9e 00 08  |................|
00000070  bf 9e 00 08 c5 9e 00 08  cd 9e 00 08 d7 9e 00 08  |................|
00000080  db 9e 00 08 e3 9e 00 08  51 a2 00 08 e5 9e 00 08  |........Q.......|
00000090  e9 9e 00 08 55 a2 00 08  59 a2 00 08 ed 9e 00 08  |....U...Y.......|
000000a0  ef 9e 00 08 f1 9e 00 08  27 9f 00 08 29 9f 00 08  |........'...)...|
000000b0  7d 9f 00 08 7f 9f 00 08  81 9f 00 08 83 9f 00 08  |}...............|
000000c0  85 9f 00 08 87 9f 00 08  89 9f 00 08 8b 9f 00 08  |................|
000000d0  8d 9f 00 08 8f 9f 00 08  91 9f 00 08 93 9f 00 08  |................|
000000e0  95 9f 00 08 97 9f 00 08  99 9f 00 08 78 b1 83 78  |............x..x|
000000f0  c2 78 0f f2 f4 01 5b 5c  52 5c 1b 04 43 ea 02 62  |.x....[\R\..C..b|
00000100  43 78 00 78 5b 5c 40 5c  42 ea 03 22 10 43 70 47  |Cx.x[\@\B..".CpG|
00000110  f0 b5 df f8 48 7c 0c 46  39 78 80 26 01 29 83 b0  |....H|.F9x.&.)..|
00000120  15 46 06 d1 21 46 01 f0  d9 fe 00 f0 44 f9 06 46  |.F..!F......D..F|
00000130  18 e0 00 28 18 bf 01 28  02 d1 02 f0 32 f9 06 46  |...(...(....2..F|
00000140  0f f2 a4 00 00 eb 84 10  80 2e 90 f8 20 00 38 71  |............ .8q|
...


  • Updating the firmware

The ST-LINK/V2-1 uses an STM32F103RBT6 MCU. Its firmware starts at 0x08004000 in flash and only works together with the ST-LINK/V2-1 bootloader, so the next step is to find a way to extract the bootloader from an ST-LINK/V2-1.
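The three dd commands above carve the images out by offset and length but do not tell you whether what came out is actually a firmware image. The script below is an added example (not code from the original post or from SEGGER/ST): it carves the three blobs using the offsets and lengths given in the post, hashes each one so the extracted artifact can be recorded, and checks the first two words of each blob as a Cortex-M vector table: the initial stack pointer must land in the STM32F103RB's 20 KiB of SRAM, and the reset vector must have the Thumb bit set and point inside the blob when it is loaded at 0x08004000. That last check is exactly why the bootloader is needed: the images are linked for 0x08004000, not for the start of flash. The 0x08004000 load address is stated in the post only for the ST-LINK/V2-1 image; applying it to the J-Link and ST-LINK/V2 blobs is an assumption of this example, as are the datasheet memory sizes.

```python
"""Carve the three firmware images out of STLinkReflash.exe and sanity-check
each one as a Cortex-M image for the STM32F103RB (added example)."""
import hashlib
import struct
import sys

# STM32F103RBT6 memory map (datasheet values): 128 KiB flash, 20 KiB SRAM.
FLASH_BASE = 0x08000000
FLASH_SIZE = 128 * 1024
SRAM_BASE = 0x20000000
SRAM_SIZE = 20 * 1024
# Load address the post states for the ST-LINK/V2-1 image; assumed here for the others.
APP_BASE = 0x08004000

# (offset in STLinkReflash.exe, length) exactly as given in the post.
BLOBS = {
    "jlink_160617.bin":       (0x14958, 0xA710),
    "stlink_v2_160617.bin":   (0x23250, 0x6510),
    "stlink_v2-1_160617.bin": (0x29760, 0xB4D0),
}


def carve(container: bytes, offset: int, length: int) -> bytes:
    """Return container[offset:offset+length], refusing a short read.

    dd silently truncates when the range runs past the end of the file;
    here a short carve is an error so a bad offset cannot go unnoticed.
    """
    if offset < 0 or length <= 0 or offset + length > len(container):
        raise ValueError(f"range 0x{offset:x}+0x{length:x} exceeds "
                         f"container size 0x{len(container):x}")
    return container[offset:offset + length]


def check_vector_table(blob: bytes, load_addr: int = APP_BASE) -> list:
    """Check the initial SP and reset vector at the start of a Cortex-M image.

    Returns a list of problems; an empty list means the blob looks like an
    image linked to run at load_addr on an STM32F103RB.
    """
    problems = []
    if len(blob) < 8:
        return ["blob shorter than a vector table"]
    sp, reset = struct.unpack_from("<II", blob, 0)   # little-endian words
    if not (SRAM_BASE < sp <= SRAM_BASE + SRAM_SIZE):
        problems.append(f"initial SP 0x{sp:08x} is outside SRAM")
    if sp & 3:
        problems.append(f"initial SP 0x{sp:08x} is not word aligned")
    if not (reset & 1):
        problems.append(f"reset vector 0x{reset:08x} lacks the Thumb bit")
    handler = reset & ~1
    if not (FLASH_BASE <= handler < FLASH_BASE + FLASH_SIZE):
        problems.append(f"reset handler 0x{handler:08x} is outside flash")
    if not (load_addr <= handler < load_addr + len(blob)):
        problems.append(f"reset handler 0x{handler:08x} lies outside the blob "
                        f"when it is loaded at 0x{load_addr:08x}")
    return problems


def extract_all(container: bytes, load_addr: int = APP_BASE) -> dict:
    """Carve every blob; return {name: (sha256 hex digest, list of problems)}."""
    report = {}
    for name, (offset, length) in BLOBS.items():
        blob = carve(container, offset, length)
        report[name] = (hashlib.sha256(blob).hexdigest(),
                        check_vector_table(blob, load_addr))
    return report


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "STLinkReflash.exe"
    with open(path, "rb") as f:
        data = f.read()
    for name, (offset, length) in BLOBS.items():
        with open(name, "wb") as out:
            out.write(carve(data, offset, length))
    for name, (digest, problems) in extract_all(data).items():
        status = "ok" if not problems else "; ".join(problems)
        print(f"{name}: sha256={digest} {status}")
```

Run it as `python3 carve_stlink.py STLinkReflash.exe`; it writes the three .bin files next to the script and prints one line per blob. Against the headers shown in the hexdumps above (initial SP 0x200019a0 / 0x20004868 / 0x20003548, reset vectors 0x0800e681 / 0x0800ee75 / 0x0800a209) all three checks pass, and each reset handler falls inside its own blob only when the 0x08004000 load address is used.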

So, if we used a bootloader of our own, could the firmware still work? What about maple-bootloader?

Let's see whether it works on maple-bootloader:

  • Related references:
  1. https://www.segger.com/jlink-st-link.html

7 thoughts on "STM32: Extracting the J-Link and ST-LINK/V2-1 firmware from STLinkReflash"

  1. Does the STLINK bootloader do any kind of firmware verification? Or does it need to sniff the USB operations?

    1. The ST-LINK/V2-1 bootloader does perform verification, so the firmware being written must not contain any errors.

      You can also refer to this article: https://lujji.github.io/blog/reverse-engineering-stlink-firmware/

      and this one: https://www.brobwind.com/archives/1133 (it may still be incomplete; STLinkReflash.exe is missing one step)

  2. Hello! How did you find the firmware location and size with IDA? I really admire you and hope to have a chance to exchange ideas. My QQ is 450547566, my name is Liu Quan.

    1. Hello! How exactly do you see the firmware with IDA? I hope you can point me in the right direction. My QQ is 1428876581, thanks.

      1. I haven't used IDA in a long time and have forgotten many of the operations.
        The article includes the relevant addresses, so you can work backwards from them with IDA. You can also use IDA to open the debug information of STLinkReflash.
        Also, you can refer to these articles (provided earlier by another reader):
        https://lujji.github.io/blog/reverse-engineering-stlink-firmware/
        https://lujji.github.io/blog/reverse-engineering-stlink-firmware-part2/
