Flashing the BlackPill on Linux using dfu-util

If you read my previous post you know I was facing many issues to flash the firmware on BlackPill using the SWD programmer (STLinkV2, JLink, etc).

Finally I got it working! Let check it out!

These are the step to get NuttX running on BlackPill:

Clone NuttX and Apps:

$ git clone https://github.com/apache/incubator-nuttx nuttx
$ git clone https://github.com/apache/incubator-nuttx-apps apps

Configure and Compile the NuttX:

$ cd nuttx
$ ./tools/configure.sh stm32f411-minimum:nsh
$ make menuconfig  (### This Command is Optional ###)
$ make

It will create the nuttx.bin file!

Then I remembered that the STM32F4 family has DFU support, using it I was able to flash the board:

1) Remove the USB cable
2) Press and Hold the buttons NRST and BOOT0
3) Connect the cable
4) Release the NRST button
5) Wait 1 second
6) Release the BOOT0

$ dmesg

[ 8203.223506] usb 1-2: new full-speed USB device number 38 using xhci_hcd
[ 8203.372844] usb 1-2: New USB device found, idVendor=0483, idProduct=df11, bcdDevice=22.00
[ 8203.372849] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 8203.372852] usb 1-2: Product: STM32  BOOTLOADER
[ 8203.372855] usb 1-2: Manufacturer: STMicroelectronics
[ 8203.372857] usb 1-2: SerialNumber: 3870XXXXXXXX


$ sudo apt install dfu-util

$ sudo dfu-util -l
dfu-util 0.9

Copyright 2005-2009 Weston Schmidt, Harald Welte and OpenMoko Inc.
Copyright 2010-2016 Tormod Volden and Stefan Schmidt
This program is Free Software and has ABSOLUTELY NO WARRANTY
Please report bugs to http://sourceforge.net/p/dfu-util/tickets/

Found DFU: [0483:df11] ver=2200, devnum=38, cfg=1, intf=0, path="1-2", alt=3, name="@Device Feature/0xFFFF0000/01*004 e", serial="387035953339"
Found DFU: [0483:df11] ver=2200, devnum=38, cfg=1, intf=0, path="1-2", alt=2, name="@OTP Memory /0x1FFF7800/01*512 e,01*016 e", serial="387035953339"
Found DFU: [0483:df11] ver=2200, devnum=38, cfg=1, intf=0, path="1-2", alt=1, name="@Option Bytes  /0x1FFFC000/01*016 e", serial="387035953339"
Found DFU: [0483:df11] ver=2200, devnum=38, cfg=1, intf=0, path="1-2", alt=0, name="@Internal Flash  /0x08000000/04*016Kg,01*064Kg,03*128Kg", serial="387035953339"


$ sudo dfu-util -d 0483:df11 -a 0 -s 0x08000000:leave -D nuttx.bin
dfu-util 0.9

Copyright 2005-2009 Weston Schmidt, Harald Welte and OpenMoko Inc.
Copyright 2010-2016 Tormod Volden and Stefan Schmidt
This program is Free Software and has ABSOLUTELY NO WARRANTY
Please report bugs to http://sourceforge.net/p/dfu-util/tickets/

dfu-util: Invalid DFU suffix signature
dfu-util: A valid DFU suffix will be required in a future dfu-util release!!!
Opening DFU capable USB device...
ID 0483:df11
Run-time device DFU version 011a
Claiming USB DFU Interface...
Setting Alternate Setting #0 ...
Determining device status: state = dfuERROR, status = 10
dfuERROR, clearing status
Determining device status: state = dfuIDLE, status = 0
dfuIDLE, continuing
DFU mode device DFU version 011a
Device returned transfer size 2048
DfuSe interface name: "Internal Flash  "
Downloading to address = 0x08000000, size = 53664
Download	[=========================] 100%        53664 bytes
Download done.
File downloaded successfully
Transitioning to dfuMANIFEST state

After flashing, connect the USB/Serial RXD to pin label A9 and the TXD to pin label A10.

Use the minicom or other serial console tool configured to 115200, you should see:

NuttShell (NSH) NuttX-9.0.0
nsh> ?
help usage:  help [-v] [<cmd>]

  .         cd        echo      kill      mount     set       uname     
  [         cp        exec      ls        mv        sleep     umount    
  ?         cmp       exit      mb        mw        source    unset     
  basename  dirname   false     mkdir     pwd       test      usleep    
  break     date      help      mkrd      rm        time      xd        
  cat       dd        hexdump   mh        rmdir     true      

Builtin Apps:
  sh   nsh  
nsh> 

Flashing the BlackPill (STM32F411CEU6)

I was having a hard time trying to flash the firmware nuttx.bin on BlackPill board. Initially I tried OpenOCD with STLinkV2 as I used to with the BluePill, but it didn’t work. Then I tried a Atmel-ICE SWD programmer with OpenOCD and no luck. So I decided to try using JLink too.

JLink also didn’t work, none of these programmer was communicating with the board, but I knew the board was fine because the blue LED (C13 label) was dimming (fade in and fade out).

I notice that after plugging the USB-C cable on the board the program delays about 1s to start dimming the LED, to I decided to run the “connect” command on JLink prompt at same moment I plug the cable. Great it worked.

Well, partially, I was able to detect the MCU, but erase it not working:

J-Link>con
Device "STM32F411CE" selected.


Connecting to target via SWD
Found SW-DP with ID 0x2BA01477
Found SW-DP with ID 0x2BA01477
Scanning AP map to find all available APs
AP[1]: Stopped AP scan as end of AP map has been reached
AP[0]: AHB-AP (IDR: 0x24770011)
Iterating through AP map to find AHB-AP to use
AP[0]: Core found
AP[0]: AHB-AP ROM base: 0xE00FF000
CPUID register: 0x410FC241. Implementer code: 0x41 (ARM)
Found Cortex-M4 r0p1, Little endian.
FPUnit: 0 code (BP) slots and 3 literal slots
CoreSight components:
ROMTbl[0] @ E00FF000
ROMTbl[0][1]: E000E000, CID: B105E00D, PID: 0BB00CB1 ???
ROMTbl[0][2]: E0001000, CID: 05E00D0B, PID: 3BB00205 ???
ROMTbl[0][3]: E0002000, CID: 05E00D3B, PID: 2BB00305 ???
ROMTbl[0][4]: E00FF000, CID: 05100D00, PID: 0A041105 ???
ROMTbl[0][5]: E0040000, CID: 05900D0A, PID: 0BB9A105 ???
ROMTbl[0][6]: E0041000, CID: 05900D0B, PID: 0BB92505 ???
Cortex-M4 identified.
J-Link>erase

**************************
WARNING: T-bit of XPSR is 0 but should be 1. Changed to 1.
**************************

Erasing device...

****** Error: Verification of RAMCode failed @ address 0x20000000.
Write: 0xA801BE00 F0009900
Read: 0x0000100A A801BE00
Failed to prepare for programming.
Failed to download RAMCode!
ERROR: Erase returned with error code -1.
J-Link>

Then I found this post at segger website and decided to test the suggested commands: https://forum.segger.com/index.php/Thread/2723-SOLVED-Bricking-STM32F4-after-failed-programming/

J-Link>r
Reset delay: 0 ms
Reset type NORMAL: Resets core & peripherals via SYSRESETREQ & VECTRESET bit.
Reset: Halt core after reset via DEMCR.VC_CORERESET.
Reset: Reset device via AIRCR.SYSRESETREQ.
J-Link>h
PC = 080001AC, CycleCnt = 00000000
R0 = 00000000, R1 = 00000000, R2 = 00000000, R3 = 00000000
R4 = 00000000, R5 = 00000000, R6 = 00000000, R7 = 00000000
R8 = 00000000, R9 = 00000000, R10= 00000000, R11= 00000000
R12= 00000000
SP(R13)= 20001AD0, MSP= 20001AD0, PSP= 00000000, R14(LR) = FFFFFFFF
XPSR = 01000000: APSR = nzcvq, EPSR = 01000000, IPSR = 000 (NoException)
CFBP = 00000000, CONTROL = 00, FAULTMASK = 00, BASEPRI = 00, PRIMASK = 00

FPS0 = 00000000, FPS1 = 00000000, FPS2 = 00000000, FPS3 = 00000000
FPS4 = 00000000, FPS5 = 00000000, FPS6 = 00000000, FPS7 = 00000000
FPS8 = 00000000, FPS9 = 00000000, FPS10= 00000000, FPS11= 00000000
FPS12= 00000000, FPS13= 00000000, FPS14= 00000000, FPS15= 00000000
FPS16= 00000000, FPS17= 00000000, FPS18= 00000000, FPS19= 00000000
FPS20= 00000000, FPS21= 00000000, FPS22= 00000000, FPS23= 00000000
FPS24= 00000000, FPS25= 00000000, FPS26= 00000000, FPS27= 00000000
FPS28= 00000000, FPS29= 00000000, FPS30= 00000000, FPS31= 00000000
FPSCR= 00000000
J-Link>mem 0x8000000, 0x800
08000000 = D0 1A 00 20 AD 01 00 08 1F 19 00 08 35 17 00 08 
08000010 = 1D 19 00 08 4F 03 00 08 E9 2F 00 08 00 00 00 00 
08000020 = 00 00 00 00 00 00 00 00 00 00 00 00 59 19 00 08 
08000030 = 85 03 00 08 00 00 00 00 2D 19 00 08 5B 19 00 08 
08000040 = C7 01 00 08 C7 01 00 08 C7 01 00 08 C7 01 00 08 
08000050 = C7 01 00 08 C7 01 00 08 C7 01 00 08 C7 01 00 08 
08000060 = C7 01 00 08 C7 01 00 08 C7 01 00 08 C7 01 00 08 
08000070 = C7 01 00 08 C7 01 00 08 C7 01 00 08 C7 01 00 08 
08000080 = C7 01 00 08 C7 01 00 08 C7 01 00 08 00 00 00 00 
08000090 = 00 00 00 00 00 00 00 00 00 00 00 00 C7 01 00 08 
080000A0 = C7 01 00 08 C7 01 00 08 C7 01 00 08 C7 01 00 08 
080000B0 = C7 01 00 08 C7 01 00 08 C7 01 00 08 C7 01 00 08 
080000C0 = C7 01 00 08 C7 01 00 08 C7 01 00 08 C7 01 00 08 
080000D0 = C7 01 00 08 C7 01 00 08 C7 01 00 08 00 00 00 00 
080000E0 = C7 01 00 08 C7 01 00 08 C7 01 00 08 00 00 00 00 
080000F0 = 00 00 00 00 00 00 00 00 00 00 00 00 C7 01 00 08 
08000100 = 00 00 00 00 C7 01 00 08 C7 01 00 08 C7 01 00 08 
08000110 = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
08000120 = C7 01 00 08 C7 01 00 08 C7 01 00 08 C7 01 00 08 
08000130 = C7 01 00 08 00 00 00 00 00 00 00 00 00 00 00 00 
08000140 = 00 00 00 00 00 00 00 00 00 00 00 00 21 19 00 08 
08000150 = C7 01 00 08 C7 01 00 08 C7 01 00 08 C7 01 00 08 
08000160 = C7 01 00 08 C7 01 00 08 00 00 00 00 00 00 00 00 
08000170 = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
08000180 = 00 00 00 00 C7 01 00 08 00 00 00 00 00 00 00 00 
08000190 = C7 01 00 08 C7 01 00 08 DF F8 0C D0 00 F0 9A F8 
080001A0 = 00 48 00 47 C9 33 00 08 D0 1A 00 20 06 48 80 47 
080001B0 = 06 48 00 47 FE E7 FE E7 FE E7 FE E7 FE E7 FE E7 
080001C0 = FE E7 FE E7 FE E7 FE E7 55 1A 00 08 99 01 00 08 
080001D0 = 2D E9 F0 5F 05 46 00 20 92 46 9B 46 88 46 06 46 
080001E0 = 81 46 40 24 1B E0 28 46 41 46 47 46 22 46 00 F0 
080001F0 = 60 F8 53 46 5A 46 C0 1A 91 41 10 D3 11 46 18 46 
08000200 = 22 46 00 F0 47 F8 2D 1A 67 EB 01 08 4F 46 22 46 
08000210 = 01 20 00 21 00 F0 3E F8 17 EB 00 09 4E 41 20 1E 
08000220 = A4 F1 01 04 DF DC 48 46 31 46 2A 46 43 46 BD E8 
08000230 = F0 9F 40 EA 01 03 9B 07 03 D0 09 E0 08 C9 12 1F 
08000240 = 08 C0 04 2A FA D2 03 E0 11 F8 01 3B 00 F8 01 3B 
08000250 = 52 1E F9 D2 70 47 D2 B2 01 E0 00 F8 01 2B 49 1E 
08000260 = FB D2 70 47 00 22 F6 E7 10 B5 13 46 0A 46 04 46 
08000270 = 19 46 FF F7 F0 FF 20 46 10 BD 30 B5 04 46 00 20 
08000280 = 03 46 00 E0 5B 1C 93 42 03 D2 E0 5C CD 5C 40 1B 
08000290 = F8 D0 30 BD 20 2A 04 DB 20 3A 00 FA 02 F1 00 20 
080002A0 = 70 47 91 40 C2 F1 20 03 20 FA 03 F3 19 43 90 40 
080002B0 = 70 47 20 2A 04 DB 20 3A 21 FA 02 F0 00 21 70 47 
080002C0 = 21 FA 02 F3 D0 40 C2 F1 20 02 91 40 08 43 19 46 
080002D0 = 70 47 00 00 06 4C 07 4D 06 E0 E0 68 40 F0 01 03 
080002E0 = 94 E8 07 00 98 47 10 34 AC 42 F6 D3 FF F7 58 FF 
080002F0 = 38 39 00 08 58 39 00 08 70 B5 8C 18 10 F8 01 5B 
08000300 = 15 F0 07 03 01 D1 10 F8 01 3B 2A 11 06 D1 10 F8 
08000310 = 01 2B 03 E0 10 F8 01 6B 01 F8 01 6B 5B 1E F9 D1 
08000320 = 2B 07 05 D4 00 23 52 1E 0D D4 01 F8 01 3B FA E7 
08000330 = 10 F8 01 3B CB 1A 92 1C 03 E0 13 F8 01 5B 01 F8 
08000340 = 01 5B 52 1E F9 D5 A1 42 D8 D3 00 20 70 BD FE E7 
08000350 = 00 20 70 47 00 20 70 47 07 48 08 4A D0 F8 90 02 
08000360 = 00 21 40 29 03 D0 43 5C 53 54 01 31 F9 E7 04 48 
08000370 = 01 21 01 70 00 20 70 47 00 04 00 20 7C 01 00 20 
08000380 = 78 01 00 20 70 47 70 47 DE 4A 03 29 13 68 23 F4 
08000390 = 40 73 13 60 4F F4 40 73 38 BF 0B 02 11 68 19 43 
080003A0 = 11 60 11 68 21 F0 F8 01 11 60 11 68 41 EA C0 00 
080003B0 = 40 F0 02 00 10 60 10 68 40 F4 80 30 10 60 70 47 
080003C0 = 13 48 01 68 89 05 0F D5 01 68 21 F4 00 71 01 60 
080003D0 = 01 68 41 F4 00 61 01 60 01 68 21 F4 00 61 01 60 
080003E0 = 01 68 41 F4 00 71 01 60 01 68 49 05 0F D5 01 68 
080003F0 = 21 F4 80 61 01 60 01 68 41 F4 80 51 01 60 01 68 
08000400 = 21 F4 80 51 01 60 01 68 41 F4 80 61 01 60 70 47 
08000410 = 00 3C 02 40 BB 49 0A 68 22 F4 40 72 0A 60 0A 68 
08000420 = 42 F0 04 02 0A 60 0A 68 42 EA 00 20 40 F4 80 30 
08000430 = 08 60 70 47 B3 4A 13 68 23 F4 40 73 13 60 13 68 
08000440 = 13 60 13 68 43 F0 01 03 13 60 01 70 70 47 00 BF 
08000450 = 10 B5 AC 49 0C 68 24 F4 40 74 0C 60 0C 68 44 F4 
08000460 = 40 74 0C 60 0C 68 44 F0 01 04 0C 60 02 60 BF F3 
08000470 = 6F 8F 43 60 10 BD 00 BF A2 4A 13 68 23 F4 40 73 
08000480 = 13 60 13 68 43 F4 80 73 13 60 13 68 43 F0 01 03 
08000490 = 13 60 01 80 70 47 00 BF 9A 4A 13 68 23 F4 40 73 
080004A0 = 13 60 13 68 43 F4 00 73 13 60 13 68 43 F0 01 03 
080004B0 = 13 60 01 60 70 47 00 BF 32 48 01 68 C9 06 06 D5 
080004C0 = 8F 49 CA 69 42 F0 10 02 CA 61 10 21 01 60 01 68 
080004D0 = 89 06 06 D5 8A 49 CA 69 42 F0 08 02 CA 61 20 21 
080004E0 = 01 60 01 68 49 06 06 D5 85 49 CA 69 42 F0 04 02 
080004F0 = CA 61 40 21 01 60 01 68 09 06 06 D5 80 49 CA 69 
08000500 = 42 F0 02 02 CA 61 80 21 01 60 01 68 C9 05 07 D5 
08000510 = 7B 49 CA 69 42 F0 01 02 CA 61 4F F4 80 71 01 60 
08000520 = 01 68 89 07 06 D5 76 49 CA 69 42 F0 20 02 CA 61 
08000530 = 02 21 01 60 70 47 00 BF F8 B5 04 46 70 48 00 21 
08000540 = 10 4E C1 61 00 F0 46 FA 05 46 67 1C 30 68 C0 03 
08000550 = 09 D5 00 2F FA D0 24 B1 00 F0 3C FA 40 1B A0 42 
08000560 = F4 D9 03 20 F8 BD 30 68 C0 07 1C BF 01 20 30 60 
08000570 = 30 68 10 F4 F9 7F 03 D0 FF F7 9E FF 01 20 F8 BD 
08000580 = 00 20 F8 BD 0C 3C 02 40 80 B5 09 48 4F F0 FF 31 
08000590 = 00 22 01 61 02 61 41 61 42 61 01 60 02 60 41 60 
080005A0 = 42 60 81 60 82 60 00 F0 5D FA 00 20 80 BD 00 BF 
080005B0 = 10 38 02 40 B0 B5 04 46 00 F0 0C FA 05 46 05 48 
080005C0 = 61 1C 00 78 18 BF 04 44 00 F0 04 FA 40 1B A0 42 
080005D0 = FA D3 B0 BD 18 00 00 20 2D E9 F8 43 DF F8 20 81 
080005E0 = 05 46 98 F8 18 00 01 28 01 D1 02 26 3E E0 01 20 
080005F0 = 88 F8 18 00 4C F2 50 30 89 46 FF F7 9D FF 06 46 
08000600 = 88 BB 4F F0 FF 30 C9 F8 00 00 28 68 3D 4C 01 28 
08000610 = 0C D1 28 7C FF F7 FE FE 4C F2 50 30 FF F7 8C FF 
08000620 = 06 46 20 68 20 F0 04 00 20 60 1A E0 A8 68 07 46 
08000630 = E9 68 08 44 87 42 10 D2 29 7C 38 46 FF F7 A4 FE 
08000640 = 4C F2 50 30 FF F7 78 FF 06 46 20 68 20 F0 FA 00 
08000650 = 20 60 26 B9 A8 68 01 37 EA E7 00 26 01 E0 C9 F8 
08000660 = 00 70 FF F7 AD FE 00 20 88 F8 18 00 30 46 BD E8 
08000670 = F8 83 00 BF 23 48 01 68 41 F0 00 41 01 60 00 20 
08000680 = 70 47 00 BF 2D E9 F0 41 DF F8 74 80 07 46 98 F8 
08000690 = 18 00 01 28 04 BF 02 20 BD E8 F0 81 01 20 88 F8 
080006A0 = 18 00 4C F2 50 30 1E 46 14 46 0D 46 FF F7 44 FF 
080006B0 = 08 BB 02 2F 07 D0 01 2F 0A D0 77 B9 E1 B2 28 46 
080006C0 = FF F7 B8 FE 0E E0 28 46 21 46 FF F7 E5 FE 09 E0 
080006D0 = A1 B2 28 46 FF F7 D0 FE 04 E0 28 46 22 46 33 46 
080006E0 = FF F7 B6 FE 4C F2 50 30 FF F7 26 FF 05 49 0A 68 
080006F0 = 22 F0 01 02 0A 60 00 21 88 F8 18 10 BD E8 F0 81 
08000700 = A4 0A 00 20 10 3C 02 40 06 48 C1 68 B1 F1 FF 3F 
08000710 = C4 BF 00 20 70 47 04 49 01 60 04 49 01 60 C0 68 
08000720 = C0 0F 70 47 04 3C 02 40 23 01 67 45 AB 89 EF CD 
08000730 = 2D E9 F8 4F 94 4A 07 24 90 42 94 4A 08 BF 04 24 
08000740 = 02 44 4F EA B2 23 04 2B 38 BF 4F EA B2 24 90 4A 
08000750 = 00 94 4F F0 00 0A 01 23 0F 24 A2 F5 7E 7B 4F F0 
08000760 = 00 09 00 27 10 2F 08 BF BD E8 F8 8F 03 FA 07 F2 
08000770 = 0A 42 40 D0 0A F0 0C 0C 04 FA 0C F8 BC 08 5B F8 
08000780 = 24 E0 00 9B 0E EA 08 05 03 FA 0C F6 D2 43 B5 42 
08000790 = 13 D1 7F 4B 1D 68 15 40 1D 60 5D 68 15 40 5D 60 
080007A0 = 9D 68 15 40 9D 60 7B 4B 1D 68 15 40 1D 60 5B F8 
080007B0 = 24 50 25 EA 08 05 4B F8 24 50 03 23 05 68 03 FA 
080007C0 = 09 F4 A5 43 05 60 0A F0 1C 05 0F 23 03 FA 05 F5 
080007D0 = 6F F0 03 03 03 EA 57 06 06 44 33 6A AB 43 33 62 
080007E0 = C3 68 A3 43 C3 60 43 68 1A 40 42 60 82 68 01 23 
080007F0 = A2 43 0F 24 82 60 0A F1 04 0A 09 F1 02 09 01 37 
J-Link>mem 0x1fffc000, 8
1FFFC000 = EF AA 10 55 EF AA 10 55 
J-Link>mem 0x1fffc008, 8
1FFFC008 = FF 7F 00 80 FF 7F 00 80 
J-Link>

I found how to unlock the flash of STM32F4 family ( https://wiki.segger.com/images/c/cd/STM32F4_Lock.jlink ) :

J-Link>w4 0x40023C08 0x08192A3B
Writing 08192A3B -> 40023C08
J-Link>w4 0x40023C08 0x4C5D6E7F
Writing 4C5D6E7F -> 40023C08
J-Link>w1 0x40023C15 0xAA
Writing AA -> 40023C15
J-Link>w1 0x40023C14 0x55
Writing 55 -> 40023C14
J-Link>w1 0x40023C14 0xED
Writing ED -> 40023C14
J-Link>

But even after doing it the board is not responding correctly:

J-Link>erase
Erasing device...
Comparing flash   [100%] Done.
Erasing flash     [005%]
****** Error: Failed to erase sectors 0 @ address 0x08000000 (unspecified error)
Failed to erase sectors.

100%] Done.
Verifying flash   [100%] Done.

**************************
WARNING: T-bit of XPSR is 0 but should be 1. Changed to 1.
**************************

J-Link: Flash download: Total time needed: 0.165s (Prepare: 0.098s, Compare: 0.000s, Erase: 0.001s, Program: 0.000s, Verify: 0.000s, Restore: 0.065s)

**************************
WARNING: Core did not halt after single step
**************************

ERROR: Erase returned with error code -5.


J-Link>loadbin nuttx.bin 0
Downloading file [nuttx.bin]...
Comparing flash   [100%] Done.
Erasing flash     [100%] Done.
Programming flash [100%] Done.
Verifying flash   [100%] Done.
Error while programming flash: Programming failed.
J-Link>

At least now the original program that came with the board is not running, the flash was partially formatted I suppose.

Update: after flashing NuttX using DFU I noticed that SWD started to work. So I think the bootloader that guys from WeAct (the company that developed this board) was locking the SWD.