STM32

STM32: ST-LINK/V2与STLINK/V2-1 DFU协议分析

~ 8条评论

借助于IDA工具,我们可以很轻松地得到ST-LINK/V2、ST-LINK/V2-1与JLINK的固件。当然在IDA的帮助下,我们也可以很轻松地分析其bootloader中的DFU协议。

下面先来看一下STLinkReflash.exe程序,这真是个好东西啊。在控制台中执行这个运行用序,加上-v -u参数,你可以看到固件升级时的相关信息,如当前正在做什么,USB通信的所有数据:

 

当然,借助于IDA你可以得到更多的相关信息

  • Openocd相关

从这里可以对ST-LINK/V2有个大概的认识:https://sourceforge.net/p/openocd/code/ci/master/tree/src/jtag/drivers/stlink_usb.c

a. 协议中所使用的command为固定的16字节

#define STLINK_CMD_SIZE_V2    (16)

b. ST-LINK/v2的PID为0x3748, ST-LINK/V2-1的PID为0x374B, 之后可以看到当ST-LINK/V2-1进入DFU模式时,PID为变为0x3748

#define STLINK_V2_PID         (0x3748)
#define STLINK_V2_1_PID       (0x374B)

c. ST-LINK的几个工作模式: DFU, MASS, DEBUG, SWIM, BOOTLOADER (DFU与BOOTLOADER有什么区别?)

#define STLINK_DEV_DFU_MODE            0x00
#define STLINK_DEV_MASS_MODE           0x01
#define STLINK_DEV_DEBUG_MODE          0x02
#define STLINK_DEV_SWIM_MODE           0x03
#define STLINK_DEV_BOOTLOADER_MODE     0x04
#define STLINK_DEV_UNKNOWN_MODE        -1

d. 需要用到的几个命令:获取版本号,获取target电压, 调试命令,DFU命令,当前工作模式命令:

#define STLINK_GET_VERSION             0xF1
#define STLINK_DEBUG_COMMAND           0xF2
#define STLINK_DFU_COMMAND             0xF3
#define STLINK_SWIM_COMMAND            0xF4
#define STLINK_GET_CURRENT_MODE        0xF5
#define STLINK_GET_TARGET_VOLTAGE      0xF7

从STLINK_GET_CURRENT_MODE得到的模式:

enum stlink_mode {
	STLINK_MODE_UNKNOWN = 0,
	STLINK_MODE_DFU,
	STLINK_MODE_MASS,
	STLINK_MODE_DEBUG_JTAG,
	STLINK_MODE_DEBUG_SWD,
	STLINK_MODE_DEBUG_SWIM
};

e. 退出DFU模式命令

#define STLINK_DFU_EXIT                0x07
  • ST-LINK/V2 DFU协议分析

有了前面的知识,我们再看一下我们可以从STLinkReflash中得到什么有用的信息(从JLINK固件刷回ST-LINK/V2固件):

Selection>3

Switching to ST-Link bootloader...O.K.
Waiting for ST-LINK BTL to enumerate (can take 2 seconds)...O.K.
Preparing for FW update (can take up to 10 seconds)...> F1 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00
< 24 00 83 04 48 37
> F5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
< 00 01
> F3 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00
< 40 00 FF FF 4A 06 E7 05 52 FF 6C 06 49 72 51 49 15 42 16 87
Unique device ID:
  40 00 ff ff 52 ff 6c 06 49 72 51 49 15 42 16 87
Device encryption key:
  f6 5c 83 b1 d2 cf 3e e2 0c 3d 6d 17 e4 0d f1 60
Encrypted label:
  cb e5 74 a8 82 1a 03 2c 4c 2a e6 9c d3 27 00 a5
Transport-layer valid label:
  b3 66 b8 82 9b 53 cf 3f f5 3a 19 a6 ef bb 0e 68
Installed firmware version: V2.16.0 - STM32 Debug
O.K.
Identifying ST-LINK variant...> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 02 00
O.K.: ST-LINK/V2
Performing firmware update...> F3 01 00 00 89 00 05 00 00 00 00 00 00 00 00 00
> 41 00 40 00 08
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 50 00 00 04 00
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 05 00
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 05 00
> F3 01 00 00 8D 00 05 00 00 00 00 00 00 00 00 00
> 41 00 44 00 08
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 50 00 00 04 00
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 05 00
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 05 00
> F3 01 00 00 91 00 05 00 00 00 00 00 00 00 00 00
> 41 00 48 00 08
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 50 00 00 04 00
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 05 00
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 05 00
> F3 01 00 00 69 00 05 00 00 00 00 00 00 00 00 00
> 21 00 40 00 08
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 04 00
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 05 00
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 05 00
> F3 01 02 00 F7 84 00 04 00 00 00 00 00 00 00 00
> 41 5F 4A 1B B6 A4 41 E6 DE 65 EC A5 EA 5B 7F DD 31 93 19 E2 98 92 8D F4 D5 90 37 D4 5D BD E0 67 A5 09 7A 1B 28 F8 86 42 52 7D ED AE 1F 70 B1 81 5C D5 06 80 DF 3A 77 6C A1 55 2A CB 33 54 37 F1 29 B0 D1 48 FD 0F E5 A1 18 C7 1E 1E 4A 8E FF 35 96 95 8E E7 FF 18 56 C6 10 0C 5B 01 20 CD 57 10 0C 0E 93 87 91 87 06 61 F3 57 BB 9E EE A5 EC 0F 20 52 12 F2 4E 2B 04 CF A4 3A F1 87 32 DB 4B F2 4F B2 FF 43 4C D2 F8 73 3D F5 16 A1 76 B5 7F 64 BC 91 D9 8C 22 3A 44 75 7A 12 CC C7 C7 56 30 02 99 6C 67 84 CF 98 F3 CA CB 02 B1 C0 1A F7 37 EB C3 F2 AC AF 4C A0 FF B8 66 47 66 0F 7D 66 FB 0E 78 10 6C DC BD 8F 1E 09 A4 42 64 6E 00 F8 82 F1 4F 5D CB 51 C5 47 31 C2 13 3F 49 07 44 8E 78 A0 00 E2 4B E6 E3 97 69 5B 56 66 2C 99 A4 CC 69 8C E2 6E 2C 42 CE DF 28 1F 7F 89 1F 00 01 4C 68 1B 6F 18 57 A5 8D 17 9D A6 9C 0B 32 F5 B2 13 CD 64 E3 16 14 BC 06 1D C1 FC 46 97 61 1D 12 39 11 43 A6 AA A4 72 A2 07 98 94 2C 3D 40 A7 98 11 AA 73 A7 7A 8E CF AE D0 0E EB F4 C7 AE EB 4F 0B BB 8C 91 2D 32 F9 32 4A 5E 56 8A 20 1F E9 2B 5D DE C7 AB A1 80 EE 33 34 B2 D4 BB A0 1D EC 47 BB 11 CC 11 5F 98 4F 2D 99 53 A4 D5 F1 A5 7F F9 FC 03 E1 D1 0B 30 2E DC A5 4E 20 EA DE E6 FB B1 6E 51 39 54 E0 7B 9C D6 4B 54 3D FB FD B0 F0 7E AE 01 FB AB 43 60 4B 27 BA B6 F4 6B F7 82 98 6B C4 A1 4F 5A EF BF 0B F2 30 D3 32 05 27 54 57 91 BB D1 53 D3 B6 D3 8E 6C D0 0F E7 DB A2 B0 26 07 C5 64 58 1C C6 3D F8 27 37 D2 C8 0B C2 D2 14 E4 5D 22 78 4C 1E 00 FF 73 81 23 C0 22 4B 13 BB CA 8F B0 9A 49 60 9F C5 56 A9 2C 90 F6 A3 82 F2 0E 7F FD C6 C0 FE 34 CB 1C 1E 72 CA 8B 48 2D 71 EB 04 15 93 CC E9 AF 8C 19 11 B2 9B 1E DA F5 E4 B7 6D C1 E2 76 63 38 7B C0 F4 07 C1 6D 97 3E 9D 7C 64 AF 7F 32 30 C1 D5 11 AE E7 F5 86 E6 33 85 F0 E7 AA 7E 74 95 E8 E6 09 87 05 A8 44 86 DF 03 41 B5 1F 14 2D 1B 45 38 56 8E 06 32 1A 38 66 CE 1D 15 82 8B 54 73 E4 EB 52 1E 69 A7 59 B5 57 DC 89 11 54 62 AB 54 ED 9D A2 DE 9E 7A FF 47 07 C0 6C 53 AF 16 9F AE 9D DC 47 9E 88 D7 E0 4E C7 7C C3 43 64 BA 66 18 24 67 7E 26 D1 05 FD CD 8B A9 BB C9 96 C4 EA A9 79 B7 5A 68 1F E9 AF 53 6A 9A 76 BF C1 DD 1C 1E B0 FB 81 F4 BA E7 15 B0 65 4B 62 AC 69 E0 DD F2 CD 10 9A 45 E7 39 85 F2 49 2D F4 81 5D 6A 02 BB 93 28 BE 3A 64 64 C5 0F 77 15 2E 10 F0 61 4A 6C 26 79 B3 1B 99 5C 75 96 6F E7 88 45 1F 87 03 89 E4 3A 78 65 23 9F 28 95 4F BA 35 3F 8B E5 A1 91 A4 31 F8 8C 83 23 29 CC CA E6 C5 0E 3F D3 B1 BD 60 B7 96 87 62 11 B0 77 84 32 B9 7A EB 43 8A C1 9B 0D D6 DD CB 99 A9 42 E4 4A 6F 48 81 B7 B3 80 CA BB 0D 75 93 85 9F FD D2 3D DF 2B CC 58 F5 57 6F 22 43 43 32 F5 98 B7 D8 24 D0 45 D7 C2 BA 30 56 84 F0 B1 82 18 DB 92 87 75 9D 7D 2C 38 1A BB 25 79 41 83 85 CB 7A 7B 3D 33 3C 50 B3 74 96 0F 17 59 70 31 CC B4 74 0C 3E 4B 47 CA 20 46 37 47 C0 63 C9 E3 50 A9 05 92 E5 58 EC AF 96 F1 EA D0 1B 6A 5C 91 66 42 24 16 0B EB 1B 92 77 AF EA 25 14 3B B0 F7 A2 65 6A 30 0D EB 59 23 F8 55 F5 E9 6F 8E 12 B9 E6 8F 7C D9 F3 2B 48 34 0F 1B D4 8D C1 F1 0C 12 B5 B0 E6 A0 28 40 DA 52 5B 39 EA 8A 2E BD 8E E0 9E 4C 87 F7 A1 96 BD AD F7 1E 24 01 88 27 1B 3F 40 C6 96 FD E5 95 A4 3F 39 6A 21 1B FF B9 D3 B8 95 AD 3A 28 DA 41 99 14 B3 79 6F 94 AA 51 D0 51 A2 3F E4 26 22 CF 03 BA 82 B7
...
Performing firmware update...O.K.
Exiting DFU mode and starting application
> F3 07 00 00 00 06 00 00 00 00 00 00 00 00 00 00

从这里可以看到固件升级包含这几个步骤:

a. 进入bootloader模式(对于ST-LINK/V2来说,连上电脑之后就是在DFU模式,之后ST-LINK会发送命令退出DFU模式,进入调试模式)

b. 获取版本信息:

> F1 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00
< 24 00 83 04 48 37

NOTE:

1. >表明由PC发送数据到ST-LINK/V2,PC先发送16字节的命令,如果有数据再发送数据

2. <表明由ST-LINK/V2发送数据到PC

3. F1: 获取版本信息,0x80表明是bootloader的(openocd中有0x00的)?

4. 小端模式

c. 获取当前的工作模式:

> F5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
< 00 01

NOTE:

0x01 (0x0001?)表明当前工作在DFU模式下

d. 获取设备ID?:

> F3 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00
< 40 00 FF FF 4A 06 E7 05 52 FF 6C 06 49 72 51 49 15 42 16 87
Unique device ID:
  40 00 ff ff 52 ff 6c 06 49 72 51 49 15 42 16 87

从这里可以看到Unique deivce ID是怎么来的,而ST-LINK又是从哪里获取这串ID呢?待分析

e. 计算出当前的encryption key

Device encryption key:
  f6 5c 83 b1 d2 cf 3e e2 0c 3d 6d 17 e4 0d f1 60

由相关资料可以得知encryption key是通过device id计算得出的,可能使用的是AES加密方式。 encrypt key用于加密固件,固件升级过程中PC会先装数据加密,由ST-LINK解密之后,将数据写入Flash中。

如果每个ST-LINK/V2的device ID都不一样,那么得到的encryption key也是不一样的,这就意味着我们需要知道整个加密方式。

d. 计算encrypted label

Encrypted label:
  cb e5 74 a8 82 1a 03 2c 4c 2a e6 9c d3 27 00 a5

只有ST-LINK/V2-1会用到Enrypted label。

e. 计算Transport-layer valid label:

Transport-layer valid label:
  b3 66 b8 82 9b 53 cf 3f f5 3a 19 a6 ef bb 0e 68

这个当前没有用到。

f. 显示当前安装的版本信息:

Installed firmware version: V2.16.0 - STM32 Debug
O.K.

g. 当前硬件版本信息

Identifying ST-LINK variant...> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 02 00
O.K.: ST-LINK/V2

h. 进行固件更新

可以看到STM32F103R8T6 MCU中的Flash被分成多个块,每个块的大小为1KiB。

在固件升级过程中会先去擦除3个块,再写入3个块的数据(当然,数据是经过加密的)

-擦除/写入命令

> F3 01 00 00 89 00 05 00 00 00 00 00 00 00 00 00
> 41 00 40 00 08
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 50 00 00 04 00
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 05 00
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 05 00
> F3 01 00 00 8D 00 05 00 00 00 00 00 00 00 00 00
...
> F3 01 00 00 69 00 05 00 00 00 00 00 00 00 00 00
> 21 00 40 00 08
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 04 00
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 05 00
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00

NOTE:

命令字段被分成这几个部分:

1. 0xF3 :表明是DFU命令

2. 0x01:表明对块数据进行操作?擦除(0x41), 写入(0x21)

3. 0x89 0x00(0x0089): 发送数据的checksum, 每个数据进行加法运算后取最低两个字节

4. 0x05:表明ST-LINK需要再接收5个字节

而后而跟的数据字段可以拆分成两个部分:

1. 0x41: 擦除命令

2.  0x00 0x40 0x00 0x08(0x08004000): Flash中的位置

这也表明了固件的数据存储在0x08004000开始的位置

-查询命令执行的状态

> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00

1. buzy

< 00 50 00 00 04 00

2. OK & Idle

< 00 00 00 00 05 00

-开始发送固件

>F3 01 02 00 F7 84 00 04 00 00 00 00 00 00 00 00

可以看到命令被分成这几部件:

1. 0xF3: DFU命令

2. 0x01;固件数据

3. 0x02 0x00: 帧序号,有0x02 0x00, 0x03 0x00, 0x04 0x00这三个

4. 0xF7 0x84: 加密前的数据的checksum, 也是所有数据的和

5. 0x00 0x04(0x0400): 数据长度

6. 后面跟的是1KiB的数据,如果最后数据不够1KiB, 加密前的数据使用0xff填充,补足1KiB,再加密

i . 退出DFU模式

Exiting DFU mode and starting application
> F3 07 00 00 00 06 00 00 00 00 00 00 00 00 00 00
  • ST-LINK/V2-1 DFU协议分析
Selection>3

Switching to ST-Link bootloader...O.K.
Waiting for ST-LINK BTL to enumerate (can take 2 seconds)...O.K.
Preparing for FW update (can take up to 10 seconds)...> F1 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00
< 26 4E 83 04 48 37
> F5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
< 00 02
> F3 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00
< 80 00 FF FF 42 06 30 05 48 FF 6D 06 51 72 57 54 44 29 13 87
O.K.
Identifying ST-LINK variant...> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 02 00
O.K.: ST-LINK/V2-1
Performing firmware update...> F3 01 00 00 46 01 05 00 00 00 00 00 00 00 00 00
> 41 00 FC 01 08
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 50 00 00 04 00
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 05 00
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 05 00
> F3 01 00 00 89 00 05 00 00 00 00 00 00 00 00 00
> 41 00 40 00 08
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 50 00 00 04 00
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 05 00
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 05 00
> F3 01 00 00 8D 00 05 00 00 00 00 00 00 00 00 00
> 41 00 44 00 08
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 50 00 00 04 00
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 05 00
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 05 00
> F3 01 00 00 91 00 05 00 00 00 00 00 00 00 00 00
> 41 00 48 00 08
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 50 00 00 04 00
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 05 00
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 05 00
> F3 01 00 00 69 00 05 00 00 00 00 00 00 00 00 00
> 21 00 40 00 08
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 04 00
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 05 00
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 05 00
> F3 01 02 00 4C 01 00 04 00 00 00 00 00 00 00 00
> 2C 60 F1 28 2A 47 38 5E 1C 69 40 BE FC 91 21 EC E2 5C 89 C7 7F B4 86 A7 C3 D2 9F 5E 76 B6 24 DB FC B6 E3 B8 CA 65 47 E4 2A F5 A2 71 D5 6C 02 1A 77 1F 21 CE 40 EE FD E4 0D 32 72 89 0A C7 4B 92 39 8E 7B 5B 5A 38 39 A2 49 E7 B2 D8 AB 2A E0 83 E3 8D 14 E4 51 36 15 66 CF 57 8E D1 BE 5C 2C 5E 6F EF B5 45 4D AF 01 CE B9 A5 B6 77 67 F1 C3 01 59 EE F1 D5 C2 25 64 A4 76 99 CE 47 29 12 88 67 B1 9F 8F 31 43 B8 EA E8 10 95 19 45 B9 0A 6F CD A1 5E 46 69 29 5A FD C7 C9 3B 2C CC 7A 2A 26 91 55 8E 74 1F BF 6A 97 D7 BD 0C 5B 89 A0 C6 A4 FC EA 38 02 04 D3 E6 0F 31 55 5F 94 D4 D3 B1 29 98 86 0D 7C 7C 2E 2A 2E 15 C2 41 2A C3 E3 E7 9B 09 08 19 83 C9 F4 C9 BB FE BB BB C9 3F 0A EF 0D 5D 9F 3C A2 B5 BD BE 23 F0 B0 2D 40 3C 3C 30 9C A9 81 7B B6 B1 91 BC AD F8 64 B0 3C E8 4B FB AB 87 17 1F 09 62 70 FB 4E 41 72 92 91 50 83 97 E5 32 15 2E 4A 41 E2 10 EF E9 83 0E FA D3 29 11 E0 00 6C 1B 4E FA 5F 85 00 DB AD 57 31 2C 03 B1 0E F8 79 59 DD 62 55 65 80 10 40 67 29 13 A7 B9 4B D1 00 AF 88 90 CA 6A 66 AA 6C F1 DC 77 A4 58 2B 2A 59 59 AA 8D E5 CE D2 E7 BD B8 8D E8 5D A3 34 12 39 BB C4 14 66 E2 11 EC B1 C9 6F E1 54 66 A9 21 4B 06 B5 CD 86 D0 C2 2A DA 3C 39 30 62 FD 89 15 8D D8 29 6C 16 5B 91 23 85 1D 22 E0 08 67 50 80 FA 52 BE 7A 47 DC 36 03 A3 A7 4B 7D 04 77 8D 86 95 0C DF FE E0 8A 3B 40 26 09 DE 9C 6E 45 39 F8 E1 EB 9A 18 C5 3B 73 F7 11 97 B4 03 44 B9 77 E8 79 4C 0D A9 8B E6 8C 84 84 4E E2 16 89 EE FA BA C9 FF 30 9C 49 5B 6E 15 74 F3 B8 AE 51 BE 63 1D 7B 78 D4 21 E7 89 15 C1 7F CF 39 6E 6E 18 04 4D A1 90 11 51 45 48 25 C1 FB D0 80 49 94 47 17 9C 08 79 D3 AA 1A AF 7A B0 DF 47 2E 58 8D 62 F5 BE 80 6E A9 8A 40 AC 75 83 17 3D DB 78 C7 F7 BE 55 AB C0 0B 03 14 37 EF 92 06 41 54 29 C8 A1 DE 7D 6A A3 7A D8 4B 94 13 F6 6A E5 BB 9F E5 17 0B D2 CC BA FD A7 88 6C 53 85 0F D4 C0 89 5C 08 94 63 54 F7 44 39 BC FE 9C F7 2C 34 3D A0 CA 65 CA D5 39 A2 09 6E BB B0 81 56 02 99 E2 AC 1D B5 29 67 94 0F 21 9C 51 14 33 B1 3B 27 AE AB 34 F7 9E 73 C3 33 57 3C 9B AD 0B 63 E7 EA DB 57 7E 25 94 B6 8D BD 98 04 2C 8D 07 2C 49 9F 24 34 BB A9 53 4A 25 48 6B 66 C4 3B 00 0A 47 8A 32 8F 8B 80 9C 87 DD D4 B8 04 BC E3 60 95 F6 B0 5E 82 7A E7 9B 8F DA 0F DE 95 64 7E FD 7B 92 95 3E DD 7F DA 5F 3E 73 78 03 63 23 BD 4F 47 0E 8B 8D F6 A1 CA D3 F0 8B 0D 92 91 45 21 2F 4C 69 E7 7A 2E 12 0E DD B0 4A 18 F4 54 67 06 FF D5 4D 86 4D 07 28 E3 8F D1 F1 B4 00 2F 5B 04 1E 91 2B 63 AA 89 D1 8E 91 ED 1C F4 43 D1 FE F6 4E 13 65 38 52 BE 77 1B D2 0F CB AE E8 99 62 5D CE 9E E8 75 FE DC D1 95 6C 8C 35 45 B1 C5 54 1C 04 49 ED 2A 57 5B D2 AF 13 90 FB 51 67 7F 6B EE 33 94 8E DE A1 A3 0E B4 F0 8D 11 36 3B 8F 17 9C E8 49 6A 7B B0 19 00 8C D1 3C 3A 4D D3 8D 3C 1F 75 70 EB C9 AD 85 BF 7E B5 66 9D B1 FA 11 DB D5 CC C4 43 63 40 87 8E 91 62 A6 DD B4 42 13 51 BA 0A 68 D6 9B 32 31 B4 D6 EB C7 94 EC 5E 54 29 B0 B2 3B 62 8D 92 EE 1D 64 31 02 B8 5B 8C C4 5C 3A 85 A9 73 DC 75 EB CD 18 71 18 81 18 2C 15 81 07 21 74 17 F9 E2 FE AA A9 51 62 CE CC FD F1 22 ED FC 9A A0 32 B1 57 A2 1A FC 2B 97 69 62 90 FE 20 07 61 08 C0 06 C3 4A 36 AC B2 AE 6A 46 76 F4 E8 98 F9 42 53 9A 8D 86 F0 39 0F 62 06 E3 C4 04 DF 0D F7 E0 32 7D 40 7A EF 77 1D
...
Performing firmware update...100%> F3 01 00 00 19 02 05 00 00 00 00 00 00 00 00 00
> 21 F0 FF 01 08
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 04 00
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 05 00
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 05 00
> F3 01 02 00 1B 06 10 00 00 00 00 00 00 00 00 00
> E7 B0 0A 6D 42 F0 EC BA 66 B8 B9 D1 09 85 4C 4F
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 50 00 00 04 00
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 05 00
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 05 00
Performing firmware update...O.K.
> F3 07 00 00 00 06 00 00 00 00 00 00 00 00 00 00

ST-LINK/V2-1连接PC后不是工作在DFU模式,需要发送相关命令进入DFU模式,进入DFU模式之后, USB接口的PID会由原来的0x374B变为0x3748

进入DFU模式的操作与ST-LINK/V2基本相同,除了一开始会先去擦除encrypted label所在的块(0x0801fc00)

Performing firmware update...> F3 01 00 00 46 01 05 00 00 00 00 00 00 00 00 00
> 41 00 FC 01 08
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 50 00 00 04 00
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 05 00
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 05 00

写完固件数据之后会再去写入encrypted label:

Performing firmware update...100%> F3 01 00 00 19 02 05 00 00 00 00 00 00 00 00 00
> 21 F0 FF 01 08
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 04 00
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 05 00
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 05 00
> F3 01 02 00 1B 06 10 00 00 00 00 00 00 00 00 00
> E7 B0 0A 6D 42 F0 EC BA 66 B8 B9 D1 09 85 4C 4F
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 50 00 00 04 00
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 05 00
> F3 03 00 00 00 06 00 00 00 00 00 00 00 00 00 00
< 00 00 00 00 05 00
Performing firmware update...O.K.
  • 相关的参考文档
  1. http://www.taylorkillian.com/2013/01/retrieving-st-linkv2-firmware-from.htm
  2. https://sourceforge.net/p/openocd/code/ci/master/tree/src/jtag/drivers/stlink_usb.c

相关文档:

  1. STM32: 将提取的JLINK固件写入自制的ST-LINK/V2-1调试器上
  2. STM32: 实现AES 128-bit加密算法 - 标准实现
  3. STM32: Black Magic Probe @ BRO-DBG-LINK-V2-1
  4. STM32: 使用arm-none-eabi-gdb在线调试固件
  5. STM32: 做一个与ST-LINK/V2-1调试器兼容的bootloader

《STM32: ST-LINK/V2与STLINK/V2-1 DFU协议分析》有8个想法

  1. Hi ! Thanks for the post !
    Why you have to reverse engineer Jlink update program ? ST provide a package which has a Java executable. Extract it and you will find there are decrypted firmware inside

    回复

    1. I didn’t realize ST provide such a program that time. I want to analyze the firmware update protocol, using the Jlink update program seems much easier (since it contain same debug info (This needs ida to do a little job).
      I also want to obtain the Jlink firmware from the update program.
      It’s very funny. Thanks

      回复

  2. 你好大神,“由相关资料可以得知encryption key是通过device id计算得出的,可能使用的是AES加密方式。”相关资料是什么资料?
    还有游客long说的 Java executable是STLinkUpgrade.jar吗?那如何分析出固件呢?

    回复

    1. 这个当时是通过IDA反编译后,打印出的log信息及之后反编译相关代码猜测出来的。
      以及参考这篇文档得出来的: http://www.taylorkillian.com/2013/01/retrieving-st-linkv2-firmware-from.htm

      回复

  3. 大神,还有一个问题:根据你的指南,我更新成ST-LinkV2_1在keil中连接不了目标芯片,不知道这是不是有什么特殊的操作?

    回复

发表评论

电子邮件地址不会被公开。 必填项已用*标注