Toniebox Firmware Dump

The Microcontroller within the Toniebox is a Ti CC3200 (ARM Cortex-M4). Fortunately there are some development Tools available to get further Access which gives us the possibility to dump the Firmware and get access to the files stored within the internal FileSystem.

Structure of Article

  • Toniebox Debug Port
    • Tag-Connector for Debug Port
    • FTDI Adapter / Connection Toniebox to USB
  • Boot Mode
    • SWD mode
    • UART mode
  • extracting firmware
    • CC3200Tools
    • dump firmware
    • read files from internal FatFS
  • SWD debug port

Toniebox Debug Port

A closer look at the Toniebox PCB reveals a Debug Port which makes further steps much easier. Reverse engineering helped with finding the function of most of the debug pins.

Debug PinFunctionMCU Pin
1TX55
2RX57
3VCC (+3,3V)
4RST32
5GND
6?
7TCK19
8TMS20
9SOP221 (indirect SOP0 35)
10?

Tag-Connector

The debug port is designed to fit a Tag-Connector which is meant for debugging purpose. The data sheet for the Tag-Connector can be found here.

You can get the Tag-Connector at Amazon (Affiliate Link).

PCB Pin Layout
of debug port
10 Pin Tag-Connector
end view
IDC connector (2×5 0.1″)
end view
(Connector on ribbon cable to Tag-Connector)

FTDI Adapter / UART-USB

To talk to the debug port of the Toniebox with the Tag Connector you need an FTDI Adapter (UART-USB). It is more comfortable to use one with an DTR and RTS port. In this case it can automate the needed reset and the bootflag (set SOP2 high).

FTDI Adapter (UART-USB)

You can get the FTDI Adapter at Amazon (Affiliate Link).

Boot Mode

The CC3200 Microcontroller implements a sense-on-power (SoP) scheme to switch between three modes where two of these are available within the Tonie project. (To switch between the boot modes a restart of the device is needed.)

SWD mode

SOP2 (pin 9) low will activate the functional mode with a 2-wire SWD mapped to TCK (pin 7) and TMS (pin 8) of the debug port.

UART mode

SOP2 (pin 9) high will activate the UART load mode to flash the system during development and in OEM assembly line.

extract firmware

To extract the firmware from the board, UART Mode needs to be activated (SOP2 / pin 9 needs to be pulled high).

CC3200Tools

In UART mode not only the upload of firmware for development or while in production line at OEM is possible, with the CC3200Tools a dump of the existing firmware and all files of the internal file system is possible as well.

The CC3200Tools can be downloaded here (GitHub).

dump firmware

Use following command to extract full firmware:
c3200tool -p /dev/ttyUSB2 --sop2 ~dtr --reset rts read_flash firmware.dmp

read files from internal FatFS

to dump the files within the internal file system (FatFS) of the CC3200 microcontroller, each file hast to be loaded separately.

  • List files in FatFS:
    cc3200tool -p /dev/ttyUSB2 --sop2 ~dtr --reset rts list_filesystem
  • Extract the files you like:
    cc3200tool -p /dev/ttyUSB2 --sop2 ~dtr --reset rts read_file /sys/mcuimg.bin ./sys/mcuimg.bin

SWD debug port

Attention!
The whole SWD debugging methode is not tested yet!
Needs to be verified.

By pulling SOP2 (pin 9) low, SWD debug mode on TCK (pin 7) and TMS (pin 8) can be activated.

To start debugging with SWD a debugger like the J-Link OB ARM debugger is needed.

J-Link OB ARM debugger

You can get the J-Link OB ARM debugger at Amazon (Affiliate Link).

Attention!
The whole SWD debugging methode is not tested yet!
Needs to be verified.

Schreibe einen Kommentar