Bug #3279
Status: Closed
flashing SIMtrace 2 in RAM on SIMtrace board with SAM3S using DFU not possible
Description
what I wanted to do:
flash main SIMtrace 2 application on SIMtrace using USB DFU
- Linux Arch amd64 2018-05-21 up to date
- dfu-util v0.9
- arm-none-eabi-gcc 8.1.0
- SIMtrace v1.4 board with SAM3S micro-controller
- simtrace2 git, branch laforge/simtrace, commit 849d20e29e3b8ff1d40e3b012849f78ded3be734
- USB DFU bootloader flashed over JTAG
what I did:
sudo dfu-util --device 1d50:60e3 --alt 0 --download ./bin/simtrace-cardem-dfu.bin
what I expected:
successful firmware download
what I got:
dfu-util: Invalid DFU suffix signature
dfu-util: A valid DFU suffix will be required in a future dfu-util release!!!
Opening DFU capable USB device...
ID 1d50:60e3
Run-time device DFU version 0100
Claiming USB DFU Interface...
Setting Alternate Setting #0 ...
Determining device status: state = dfuIDLE, status = 0
dfuIDLE, continuing
DFU mode device DFU version 0100
Device returned transfer size 512
Copying data from PC to DFU device
Download [====== ] 25% 7168 bytesdfu-util: Error during download
serial log:
=============================================================================
DFU bootloader 0.3.29-849d for board simtrace (C) 2010-2017 by Harald Welte
=============================================================================
W Sta 0x8800C [0] W _ W Sta 0x888A8 [0] W _ dnload(altif=0, offset=0, len=512)
dnload(altif=0, offset=512, len=512)
dnload(altif=0, offset=1024, len=512)
dnload(altif=0, offset=1536, len=512)
dnload(altif=0, offset=2048, len=512)
dnload(altif=0, offset=2560, len=512)
dnload(altif=0, offset=3072, len=512)
dnload(altif=0, offset=3584, len=512)
dnload(altif=0, offset=4096, len=512)
dnload(altif=0, offset=4608, len=512)
dnload(altif=0, offset=5120, len=512)
dnload(altif=0, offset=5632, len=512)
dnload(altif=0, offset=6144, len=512)
dnload(altif=0, offset=6656, len=512)
dnload(altif=0, offset=7168, len=512)
dnload(altif=0, offset=7680, len=512)
R0=20002600, R1=200004d0, R2=200004d0, R3=200027ff, R12=00000045
LR[R14]=004024e7, PC[R15]=00004770, PSR=60000032
BFAR=e000ed38, CFSR=00020000, HFSR=40000000
DFSR=00000000, AFSR=00020000, SHCSR=00000000
FORCED INVSTATE
=============================================================================
DFU bootloader 0.3.29-849d for board simtrace (C) 2010-2017 by Harald Welte
=============================================================================
W Sta 0x888A8 [0] W _ W Sta 0x888A8 [0] W _ W Sta 0x888A8 [0] W _
Updated by tsaitgaist almost 6 years ago
gdb backtrace:
Breakpoint 1, hard_fault_handler_c (args=0x200027b8 <pdwStack+8896>)
at ./atmel_softpack_libraries/libchip_sam3s/source/exceptions.c:84
84 printf("\r\nHardFault\r\n");
(gdb) bt
#0 hard_fault_handler_c (args=0x200027b8 <pdwStack+8896>) at ./atmel_softpack_libraries/libchip_sam3s/source/exceptions.c:84
#1 <signal handler called>
#2 0x00004770 in ?? ()
#3 0x004024e6 in USBDFU_handle_dnload (altif=<optimized out>, offset=2164462080, data=0x200002d0 <dfu_buf> "", len=512)
at apps/dfu/main.c:44
#4 0x280bfeec in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
Updated by tsaitgaist almost 6 years ago
- Subject changed from "flashing SIMtrace 2 on SIMtrace board with SAM3S using DFU not possible" to "flashing SIMtrace 2 in RAM on SIMtrace board with SAM3S using DFU not possible"
- Status changed from New to Closed
It is important to mention that DFU alternative 0 is to flash in RAM.
The backtrace indicates the stack has been corrupted in the following memcpy:
https://git.osmocom.org/simtrace2/tree/firmware/apps/dfu/main.c#n37
	case ALTIF_RAM:
		addr = RAM_ADDR(offset);
		/* only the start address of the block is validated here */
		if (addr > IRAM_ADDR + IRAM_SIZE) {
			g_dfu->state = DFU_STATE_dfuERROR;
			g_dfu->status = DFU_STATUS_errADDRESS;
			return DFU_RET_STALL;
		}
		memcpy((void *)addr, data, len);
The code only checks if the start address of the data to be downloaded is within the RAM range.
It should also check if this is the case for the end address and if it does not overwrite the stack (located at the end of the RAM).
The fix is in commit f79ae1c54a732e2834b6af8418f4a78bf1f8e422 ( https://git.osmocom.org/simtrace2/commit/?h=kredon/simtrace&id=f79ae1c54a732e2834b6af8418f4a78bf1f8e422 )
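The missing range check described in the comment above, as an added example in C that is not part of the SIMtrace firmware or of this report: it places the original start-only check beside a hardened version that validates the whole [start, start+len) window against a loadable region ending where the stack begins, and runs the RAM download handler against simulated SRAM on a host. The memory map (SAM3S-style SRAM at 0x20000000, 48 KiB, with the top 2 KiB reserved for the stack), the function names and the simulated RAM buffer are assumptions of this example; the real fix is the commit linked in the comment.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed memory map (an assumption for this example, not the SIMtrace
 * firmware's linker values): SAM3S-style SRAM base, 48 KiB in size, with the
 * stack occupying the top 2 KiB, as the bug report says it sits at the end. */
#define IRAM_ADDR   0x20000000u
#define IRAM_SIZE   0x0000C000u
#define STACK_SIZE  0x00000800u
#define RAM_ADDR(off) (IRAM_ADDR + (uint32_t)(off))

/* Return codes named after the ones quoted in the bug report. */
enum dfu_ret { DFU_RET_OK = 0, DFU_RET_STALL = 1 };

/* Simulated SRAM so the handler can run on a host instead of the SAM3S. */
static uint8_t sim_ram[IRAM_SIZE];

/* The original check from the report: only the start address is tested, and
 * even that comparison lets addr == IRAM_ADDR + IRAM_SIZE through. */
bool ram_range_ok_original(uint32_t offset, uint32_t len)
{
    uint32_t addr = RAM_ADDR(offset);
    (void)len;                         /* length never enters the decision */
    return !(addr > IRAM_ADDR + IRAM_SIZE);
}

/* Hardened check: the whole [addr, addr+len) window must lie inside the
 * loadable region, which ends where the stack begins. The comparisons are
 * arranged so that no intermediate sum can wrap around 32 bits. */
bool ram_range_ok_fixed(uint32_t offset, uint32_t len)
{
    const uint32_t load_size = IRAM_SIZE - STACK_SIZE;  /* bytes below stack */
    if (offset >= load_size)
        return false;                  /* start at or inside the stack area */
    if (len > load_size - offset)
        return false;                  /* end would run into the stack area */
    return true;
}

/* Download handler for the RAM alternate setting, using the hardened check.
 * In the firmware the rejection path also sets dfuERROR/errADDRESS; here the
 * return value alone carries that outcome. */
enum dfu_ret dfu_dnload_ram(uint32_t offset, const uint8_t *data, uint32_t len)
{
    if (!ram_range_ok_fixed(offset, len))
        return DFU_RET_STALL;
    /* sim_ram[offset] stands in for the physical address RAM_ADDR(offset). */
    memcpy(&sim_ram[offset], data, len);
    return DFU_RET_OK;
}

/* Read back one byte of the simulated RAM, for checking results. */
uint8_t sim_ram_byte(uint32_t offset)
{
    return sim_ram[offset];
}
```

The two checks differ exactly on the inputs the report describes: a 512-byte block starting 256 bytes below the end of RAM passes the original test and fails the hardened one, and so does any block whose end lands inside the reserved stack window. Subtracting the offset from the region size, rather than adding offset and length, is what keeps a very large length from wrapping the end address back into the valid range.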
Updated by laforge almost 6 years ago
On Fri, Jun 01, 2018 at 09:23:47AM +0000, tsaitgaist [REDMINE] wrote:
> it should also check if this is the case for the end address and if it does not overwrite the stack (located at the end of the RAM).
nice catch, thanks!