2 Protocol Analysis
JayPiKay edited this page 2021-03-10 18:33:28 +01:00

EZP2010: USB-Highspeed programmer

Development

  • Look into flashrom/pickit2_spi.c

Chip details

Manufacturer   Chip name   Link
Silicon Labs   C8051F340   view

USB Enumeration

Lsusb

Bus 003 Device 033: ID 10c4:f5a0 Cygnal Integrated Products, Inc. 
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0 
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0        64
  idVendor           0x10c4 Cygnal Integrated Products, Inc.
  idProduct          0xf5a0 
  bcdDevice            0.00
  iManufacturer           0 
  iProduct                0 
  iSerial                 0 
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength       0x0020
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0 
    bmAttributes         0x80
      (Bus Powered)
    MaxPower              480mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass         0 
      bInterfaceSubClass      0 
      bInterfaceProtocol      0 
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               5
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x02  EP 2 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               5
can't get device qualifier: Resource temporarily unavailable
can't get debug descriptor: Resource temporarily unavailable
Device Status:     0x0065
  Self Powered
  Test Mode
  Debug Mode 

USB Protocol Analysis

Sniffed Opcode Overview

Opcode   Function           Code Offset
0x11     Read Rom           0x00409aa0
0x12     Write Rom          0x00409bd0
0x13     Erase Rom Packet   0x0040a2a0
0x14     Erase Rom          0x00409d00
0x15     Detect Chip        0x0040a220
0x17     Firmware Version   0x00409d90
0x18     Serial Number      0x00409ee0
0xf2     Firmware Update    0x00409fa0
0xf3     Self-Test          0x00409e20

Sniffed Packets

Firmware Version

Request firmware version of programmer.

Function offset   Output size   Input size
0x00409d90        0x02          0x20

BULK out:

0000    17 00

BULK in:

0000   17 1e 45 5a 50 32 30 31 30 20 56 33 2e 30 00 00   ..EZP2010 V3.0..
0010   c2 85 7f 05 12 6a ff 12 6a 69 d2 85 22 c2 a5 7f   .....j..ji.."...

Read Rom

Function offset   Output size   Input size
0x00409aa0        0x0f          0x03
0x1000

BULK out:

0000   11 0a 01 00 00 00 00 00 08 00 00 03 00 00 00      ...............

BULK in:

0000   11 01 00                                          ...

BULK in:

[...] // repeated until transfer completed.

Write Rom

Function offset   Output size   Input size
0x00409bd0        0x11          0x03

BULK out:

0000   12 0c 01 00 00 00 00 00 08 00 00 01 00 03 00 00   ................

BULK in:

0000   12 01 01                                          ...

BULK out:

[...] // repeated until transfer completed.

Erase Rom

Function offset   Output size   Input size
0x00409d00        0x3           0x3

BULK out:

0000   14 01 01                                          ...

BULK in:

0000   14 01 01                                          ...

BULK out:

0000   13 00 01                                          ...

BULK in:

0000   13 01 01                                          ...

Last BULK out:

0000   13 00 01                                          ...

Last BULK in:

0000   13 01 00                                          ...

Detect Chip

Function offset   Output size   Input size
0x0040a220        0x3           0x5

BULK out:

0000   15 00 01                                          ...

BULK in:

0000   15 02 ef 12 01                                    .....
             ^  ^
             |  |
             |  +--- Device ID (W25P40)                     (ID7-ID0)
             |
             +------ MANUFACTURER ID (Winbond Serial Flash) (M7-M0)

Firmware Update

Function offset   Output size   Input size
0x00409fa0        0x2           0x2

BULK out:

0000   f2 55 53 42 20 42 4f 4f 54 20 43 4f 4d 4d 41 4e   .USB BOOT COMMAN
0010   44 00 00 00 c6 10 db                              D......

BULK in:

0000   f2 55 53 42 20 42 4f 4f 54 20 43 4f 4d 4d 41 4e   .USB BOOT COMMAN
0010   44 00 01 b1 12                                    D....

Self-Test

Function offset   Output size   Input size
0x00409e20        0x2           0x13

BULK out:

0000   f3 00                                             ..

BULK in:

0000   f3 00                                             ..

BULK in:

0000   48 61 72 64 77 61 72 65 20 74 65 73 74 20 6f 6b   Hardware test ok
0010   21 0d 0a                                          !..

Serial Number

Function offset   Output size   Input size
0x00409ee0        0x2           0x14

BULK out:

0000   18 00                                             ..

BULK in:

0000   18 10 30 31 36 30 35 39 33 30 32 2d 31 32 31 31   ..016059302-1211
0010   ff ff                                             ..
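
A bounds-checked decoder for three of the replies captured above (Firmware Version, Detect Chip, Serial Number), added here as an example; it is not code from this page or from flashrom. It assumes, from these captures alone, that byte 0 echoes the opcode and byte 1 is a payload length; the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Sample replies copied from the "BULK in" captures on this page. */
static const uint8_t fw_reply[] = {
    0x17,0x1e,0x45,0x5a,0x50,0x32,0x30,0x31,0x30,0x20,0x56,0x33,0x2e,0x30,0x00,0x00,
    0xc2,0x85,0x7f,0x05,0x12,0x6a,0xff,0x12,0x6a,0x69,0xd2,0x85,0x22,0xc2,0xa5,0x7f };
static const uint8_t sn_reply[] = { 0x18,0x10,0x30,0x31,0x36,0x30,0x35,0x39,0x33,
    0x30,0x32,0x2d,0x31,0x32,0x31,0x31,0xff,0xff };
static const uint8_t id_reply[] = { 0x15,0x02,0xef,0x12,0x01 };

/* Extract the text of a string reply (0x17 firmware version, 0x18 serial number).
 * Assumed layout: opcode echo, payload length, payload. Returns text length or -1. */
int ezp_reply_text(uint8_t op, const uint8_t *buf, size_t len, char *out, size_t outsz)
{
    if (len < 2 || buf[0] != op || outsz == 0 || buf[1] > len - 2)
        return -1;          /* short frame, wrong opcode, or length past the data */
    size_t n = buf[1], i = 0;
    /* Stop at the first non-printable byte: bytes after the 0x00/0xff padding are not text. */
    while (i < n && i + 1 < outsz && buf[2 + i] >= 0x20 && buf[2 + i] < 0x7f) {
        out[i] = (char)buf[2 + i];
        i++;
    }
    out[i] = '\0';
    return (int)i;
}

/* Decode a Detect Chip (0x15) reply: offset 2 = manufacturer ID, offset 3 = device ID. */
int ezp_parse_chip_id(const uint8_t *buf, size_t len, uint8_t *mfr, uint8_t *dev)
{
    if (len < 4 || buf[0] != 0x15 || buf[1] < 2)
        return -1;
    *mfr = buf[2];
    *dev = buf[3];
    return 0;
}

int main(void)
{
    char fw[32] = "", sn[32] = "";
    uint8_t mfr = 0, dev = 0;
    int ok = ezp_reply_text(0x17, fw_reply, sizeof fw_reply, fw, sizeof fw) >= 0
          && ezp_reply_text(0x18, sn_reply, sizeof sn_reply, sn, sizeof sn) >= 0
          && ezp_parse_chip_id(id_reply, sizeof id_reply, &mfr, &dev) == 0;
    printf("fw=%s sn=%s mfr=0x%02x dev=0x%02x\n", fw, sn, mfr, dev);
    return ok ? 0 : 1;
}
```

The Firmware Update (0xf2) reply does not fit the assumed length-byte layout and is deliberately not handled.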