Project

General

Profile

Bug #3279

flashing SIMtrace 2 in RAM on SIMtrace board with SAM3S using DFU not possible

Added by tsaitgaist over 1 year ago. Updated over 1 year ago.

Status:
Closed
Priority:
High
Assignee:
Category:
-
Target version:
-
Start date:
05/21/2018
Due date:
% Done:

0%


Description

what I wanted to do:
flash main SIMtrace 2 application on SIMtrace using USB DFU

what environment am I using:
  • Linux Arch amd64 2018-05-21 up to date
  • dfu-util v0.9
  • arm-none-eabi-gcc 8.1.0
  • SIMtrace v1.4 board with SAM3S micro-controller
  • simtrace2 git, branch laforge/simtrace, commit 849d20e29e3b8ff1d40e3b012849f78ded3be734
  • USB DFU bootloader flashed over JTAG

what I did:
sudo dfu-util --device 1d50:60e3 --alt 0 --download ./bin/simtrace-cardem-dfu.bin

what I expected:
successful firmware download

what I got:
dfu-util: Invalid DFU suffix signature
dfu-util: A valid DFU suffix will be required in a future dfu-util release!!!
Opening DFU capable USB device...
ID 1d50:60e3
Run-time device DFU version 0100
Claiming USB DFU Interface...
Setting Alternate Setting #0 ...
Determining device status: state = dfuIDLE, status = 0
dfuIDLE, continuing
DFU mode device DFU version 0100
Device returned transfer size 512
Copying data from PC to DFU device
Download [====== ] 25% 7168 bytesdfu-util: Error during download

serial log:

=============================================================================
DFU bootloader 0.3.29-849d for board simtrace (C) 2010-2017 by Harald Welte =============================================================================
W Sta 0x8800C [0] W _ W Sta 0x888A8 [0] W _ dnload(altif=0, offset=0, len=512)
dnload(altif=0, offset=512, len=512)
dnload(altif=0, offset=1024, len=512)
dnload(altif=0, offset=1536, len=512)
dnload(altif=0, offset=2048, len=512)
dnload(altif=0, offset=2560, len=512)
dnload(altif=0, offset=3072, len=512)
dnload(altif=0, offset=3584, len=512)
dnload(altif=0, offset=4096, len=512)
dnload(altif=0, offset=4608, len=512)
dnload(altif=0, offset=5120, len=512)
dnload(altif=0, offset=5632, len=512)
dnload(altif=0, offset=6144, len=512)
dnload(altif=0, offset=6656, len=512)
dnload(altif=0, offset=7168, len=512)
dnload(altif=0, offset=7680, len=512)

R0=20002600, R1=200004d0, R2=200004d0, R3=200027ff, R12=00000045
LR[R14]=004024e7, PC[R15]=00004770, PSR=60000032
BFAR=e000ed38, CFSR=00020000, HFSR=40000000
DFSR=00000000, AFSR=00020000, SHCSR=00000000
FORCED INVSTATE

=============================================================================
DFU bootloader 0.3.29-849d for board simtrace (C) 2010-2017 by Harald Welte =============================================================================
W Sta 0x888A8 [0] W _ W Sta 0x888A8 [0] W _ W Sta 0x888A8 [0] W _

History

#1 Updated by tsaitgaist over 1 year ago

gdb backtrace:

Breakpoint 1, hard_fault_handler_c (args=0x200027b8 <pdwStack+8896>)
at ./atmel_softpack_libraries/libchip_sam3s/source/exceptions.c:84
84 printf("\r\nHardFault\r\n");
(gdb) bt
#0 hard_fault_handler_c (args=0x200027b8 <pdwStack+8896>) at ./atmel_softpack_libraries/libchip_sam3s/source/exceptions.c:84
#1 <signal handler called>
#2 0x00004770 in ?? ()
#3 0x004024e6 in USBDFU_handle_dnload (altif=<optimized out>, offset=2164462080, data=0x200002d0 <dfu_buf> "", len=512)
at apps/dfu/main.c:44
#4 0x280bfeec in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

#2 Updated by Anonymous over 1 year ago

#3 Updated by tsaitgaist over 1 year ago

  • Subject changed from flashing SIMtrace 2 on SIMtrace board with SAM3S using DFU not possible to flashing SIMtrace 2 in RAM on SIMtrace board with SAM3S using DFU not possible
  • Status changed from New to Closed

It is important to mention that DFU alternative 0 is to flash in RAM.

The backtrace indicates the stack has been corrupted in the following memcpy:

https://git.osmocom.org/simtrace2/tree/firmware/apps/dfu/main.c#n37
case ALTIF_RAM:
addr = RAM_ADDR(offset);
if (addr > IRAM_ADDR + IRAM_SIZE) {
g_dfu->state = DFU_STATE_dfuERROR;
g_dfu->status = DFU_STATUS_errADDRESS;
return DFU_RET_STALL;
}
memcpy((void *)addr, data, len);

the code only checks if the start address of the data to be downloaded is within the RAM range.
it should also check if this is the case for the end address and if it does not overwrite the stack (located at the end of the RAM).

the fix is in commit f79ae1c54a732e2834b6af8418f4a78bf1f8e422 ( https://git.osmocom.org/simtrace2/commit/?h=kredon/simtrace&id=f79ae1c54a732e2834b6af8418f4a78bf1f8e422 )

#4 Updated by laforge over 1 year ago

On Fri, Jun 01, 2018 at 09:23:47AM +0000, tsaitgaist [REDMINE] wrote:

it should also check if this is the case for the end address and if it does not overwrite the stack (located at the end of the RAM).

nice catch, thanks!

Also available in: Atom PDF

Add picture from clipboard (Maximum size: 48.8 MB)