I am working on the steps to grab the firmware from the Amazon IoT button and flash it onto the $5 DASH Buttons (think Tide/Cottenelle/Ziploc). There are a few really good existing articles that detail the steps, but I had some difficulty getting started. To be fair, the articles are great, but I am a complete newbie to things like:
- OpenOCD – Open On-Chip Debugger (openocd.org)
- ST-Link – (STM32 Microprocessor discovery programmer)
- STM32 microcontroller (Brain for the DASH)
- Soldering super tiny DASH connections resulting in a hardware bricked IoT button (hence no firmware) and one $5 Ziploc button.
So, with that said, here are the steps I used to get everything setup to successfully flash the firmware on the $5 buttons…
Why snag the firmware?
The Amazon Web Services (AWS) IoT firmware version of the DASH button lets you interface with Amazon Web Services like DynamoDB, Lambda, etc. During the configuration, the firmware allows you to upload a public/private key set that enables communication with the AWS IoT service. The $5 version runs the same v1.0 hardware, so if we can get the IoT firmware, we should be able to make the $5 versions act like the more expensive $20 IoT button.
There have been a lot of really great articles detailing the tear down and internals of Amazon’s DASH button as well as flashing the firmware. These should get you up to speed with what were are doing here:
- Great article and copy of the Cottenelle firmware. Useful if you brick your device (like me) https://github.com/dekuNukem/Amazon_Dash_Button/
- Adafruit’s article is one of the best for getting started. Details DASH hardware, and setting up a Vagrant VM to compile your own code against the DASH. It also provides instructions for reviving a bricked DASH. (https://learn.adafruit.com/dash-hacking-bare-metal-stm32-programming/overview) Vagrant may be the way to go, but in this article I am using standalone tools.
- OpenOCD Flash Commands for unlocking firmware/querying DASH flash (http://openocd.org/doc/html/Flash-Commands.html)
- I wanted to get started fast, so instead of going with the Adafruit ST-Link v2 programmer (Adafruit’s shipping is crazy expensive) I bought this one on Amazon Prime (2 Day shipping baby!): http://www.amazon.com/Qunqi-ST-LINK-STLINK-debugger-programmer/dp/B016ZPNEYC/ref=sr_1_2?ie=UTF8&qid=1464097219&sr=8-2&keywords=st-link
- The Adafruit article discusses the solder and prototyping wire sizing. Just needs to be small enough to work for how tiny the connections are.
- UPDATE: As Bjorn noted below in the comment section, you can bypass the solder steps with this fancy breakout board: http://circuitmaker.com/Projects/BCF37BFD-E524-41E2-B370-649701462F82
Check out Adafruit’s article on soldering the connections. Once you have that done, it should look something like this:
Now you are ready to get OpenOCD and the ST-Link utility going.
BATTERY NOTE: I couldn’t find any clear documentation, but I have to DISCONNECT the battery to successfully connect with OpenOCD.
VCC 3.3 NOTE: Although the ST-Link v2 programmer has a 3.3v pin and ground, I found references stating that it would mess up the SWCLK. So, I only used (3) of the pins on the programmer (shown below) and connected and external 3.3v source:
Windows ST-Link Utility
- Newbie Note: Copy firmware from/to device
- This tool provides a great visual indication that things were working. It also allowed me to upload/download the firmware once connected to the DASH
- Download: You will need to register for a free account, but this will give you access to the utility, and also the latest ST-Link v2 programmer firmware. I had to update it to version V2J27S6
ST-Link Connectivity Notes:
- Cannot read memory! Disable Read Out Protection and retry
See the ‘Unlock STM32 Flash’ note in the OpenOCD Section.
- Newbie Note: Connects to device, then lets you telnet to OpenOCD and interact with the device.
- This tool can do what the ST-Link utility did, but most importantly, has the ‘stm32f2x unlock 0’ firmware command to unlock the DASH firmware.
- Ubunutu NOTE: I had to download and install OpenOCD 0.9 to get this to work. The version installed with ‘apt-get install openocd’ was version 0.7. Unfortunately, it seems that some of the stm32 commands aren’t supported. I received this error: invalid command name ‘jtag_ntrst_delay’
- To correct this, Install OpenOCD Version 0.9
- I followed the GNU/Linux instructions found here (http://gnuarmeclipse.github.io/openocd/install/) and installed version 0.9
- Once I pulled down the binary, I ran the following:
- sudo mkdir -p /opt/gnuarmeclipse
- cd /opt/gnuarmeclipse
- sudo tar xvf ~/Downloads/gnuarmeclipse-openocd-debian64-0.9.0-201505190955.tgz
OpenOCD Connectivity Notes:
Connecting with OpenOCD.
- Move to the ‘/opt/gnuarmeclipse/openocd/0.9.0-201505190955/bin’ directory
- Connect to the device using the following command
- sudo ./openocd –f ../scripts/interface/stlink-v2.cfg –f ../script/target/stm32f2x.cfg
- Now you can establish a telnet session to the OpenOCD process which will let you interact with the device
Here is a successful connection attempt with OpenOCD
Telnet to the OpenOCD process to access the On-Chip Debugger.
This will let you interact with the DASH microcontroller
- Launch a separate terminal window. Now that openocd is running (see connecting above), you can ‘telnet localhost 4444’.
Here is a successful telnet connection
- Now run the following commands to view the device details
- Run ‘flash banks’ command
Run ‘stm32f2x unlock num’ to unlock flash contents
- Reboot for the unlock to take effect. To reboot run ‘reset init’
Once the device reboots, OpenOCD should automatically reconnect. You may have to relaunch the telnet session.
Unlocked Firmware Status
Dump Firmware Using OpenOCD
Run the following:
- flash list
- flash probe 0
- flash banks
Note the size is 0x00100000 (That’s 1024KB, the size of the flash)
dump_image dash_fw.bin 0x0 0x100000.
I also tried to use the location 0x08000000.
Empty Firmware Dump: In both cases, the firmware I dump was empty. This may be due to disabling the flash protection. If you know how to disable the protection bit and recover the flash, please leave a comment.
This dumps the firmware to the local directory you ran the openocd command from.
Unlock STM32 Flash (This unlocks the flash, but may wipe the firmware)
Next Steps and challenges
- [Need to unlock firmware without overwriting] During the STM32 flash unlock process, I found the source firmware unreadable. In the ST-Link utility it appears as ASCI character 152 (ÿ). I have not been able to find a way to disable the memory protection, and also save the firmware. It is possible (see the Cottenelle firmware retrieved here: https://github.com/dekuNukem/Amazon_Dash_Button/)
- [3D Printers] Ok, so after soldering about (4) buttons, I am getting better at it. The problem is, it’s time consuming and likelihood of turning it into a paper weight is high. I want to create a 3D printable model where you can insert header pins that will make contact with the (5) pins required to flash the DASH. Checkout Adafruit’s article above for more detail, but the basic pins are (SWCLK,SWDATA,Vcc 3.3, Reset, Ground). Here is a link to the image.(https://learn.adafruit.com/assets/27092) Also, not sure why, but someone created a fake DASH button on Thingiverse. We may be able to use this model to start: http://www.thingiverse.com/thing:766551/#files
Ok, so I need your help. In order to make Part 2 of this series, I need someone to continue where I left off. If anyone has successfully pulled the firmware and cares to share, please leave a comment below, or hit me up @ubergiek.