TL866 II PLUS/Bootloader: Difference between revisions

From Proghq
Jump to navigation Jump to search
VisualWikitext
Line 47: Line 47:
|}
|}


The device will respond with a 64-byte structure (unknown fields omitted):
The device will respond with a 64-byte structure:


{| class="wikitable"
{| class="wikitable"
Line 54: Line 54:
| 0 || <tt>bCommand</tt> || 1 || <tt>00</tt> || the command, echoed
| 0 || <tt>bCommand</tt> || 1 || <tt>00</tt> || the command, echoed
|-
|-
| 1 || <tt>bStatus</tt> || 1 || ??
| 1 || <tt>bStatus</tt> || 1 ||  
| which firmware is running: <tt>01</tt> is the stock firmware, <tt>02</tt> is the bootloader
| which firmware is running: <tt>01</tt> is the stock firmware, <tt>02</tt> is the bootloader
|-
|-
| 4 || <tt>bFwVersionMinor</tt> || 1 || ??
| 2 || ''unknown'' || 2 ||  ||
|-
| 4 || <tt>bFwVersionMinor</tt> || 1 ||  
| firmware version minor part: 00.0.xx
| firmware version minor part: 00.0.xx
|-
|-
| 5 || <tt>bFwVersionMajor</tt> || 1 || ??
| 5 || <tt>bFwVersionMajor</tt> || 1 ||  
| firmware version major part: 00.x.00
| firmware version major part: 00.x.00
|-
|-
Line 66: Line 68:
| device model: <tt>05</tt> is the TL866II-Plus, <tt>06</tt> is the XGecu T500
| device model: <tt>05</tt> is the TL866II-Plus, <tt>06</tt> is the XGecu T500
|-
|-
| 8 || <tt>sDeviceCode</tt> || 8 || ??
| 7 || ''unknown'' || 1 ||  ||
|-
| 8 || <tt>sDeviceCode</tt> || 8 ||  
| ISO 8859-1 string (no zero terminator)
| ISO 8859-1 string (no zero terminator)
|-
|-
| 16 || <tt>sSerialNumber</tt> || 20 || ??
| 16 || <tt>sSerialNumber</tt> || 20 ||  
| ISO 8859-1 string (no zero terminator)
| ISO 8859-1 string (no zero terminator)
|-
|-
| 40 || <tt>bDeviceVersion</tt> || 1 || ??
| 36 || ''unknown'' || 4 ||  ||
|-
| 40 || <tt>bDeviceVersion</tt> || 1 ||  
| firmware version device part: xx.0.00
| firmware version device part: xx.0.00
|}
|}

Revision as of 20:07, 26 August 2018

The TL866 II PLUS has a bootloader installed at the start of the internal flash which is used to update the firmware. The hardware reset vector (the instruction at 0000h) points to the bootloader. On each boot the bootloader inspects various state (TBD) and determines whether it should execute itself to allow firmware updates or jump into the main firmware.

The process of reverse engineering the bootloader is still ongoing.

Commands

Reset

Command 3F seems to be used to reset the device. When used from the stock firmware the device resets into the bootloader, and when used from the bootloader the device resets to the stock firmware.

Offset Field Size Value Description
0 command 1 3F the command identifier
1 reserved 7 0 reserved, set to zero

When resetting from the stock firmware, another command is transmitted first. This may be some kind of key required to permit reset? Unknown until the firmware is dumped and analyzed.

Offset Field Size Value Description
0 command 1 3D the command identifier
1 reserved 3 0 reserved, set to zero
4 key? 4 86 B9 78 A5 unknown, maybe just a fixed key? Set statically in the official client.


Report

The report command requests that the firmware identify itself.

Offset Field Size Value Description
0 bCommand 1 00 the command identifier
1 reserved 7 0 reserved, set to zero

The device will respond with a 64-byte structure:

Offset Field Size Value Description
0 bCommand 1 00 the command, echoed
1 bStatus 1 which firmware is running: 01 is the stock firmware, 02 is the bootloader
2 unknown 2
4 bFwVersionMinor 1 firmware version minor part: 00.0.xx
5 bFwVersionMajor 1 firmware version major part: 00.x.00
6 bModel 1 05 device model: 05 is the TL866II-Plus, 06 is the XGecu T500
7 unknown 1
8 sDeviceCode 8 ISO 8859-1 string (no zero terminator)
16 sSerialNumber 20 ISO 8859-1 string (no zero terminator)
36 unknown 4
40 bDeviceVersion 1 firmware version device part: xx.0.00
Retrieved from "https://proghq.org/w/index.php?title=TL866_II_PLUS/Bootloader&oldid=506"