Merge pull request #1486 from NickeZ/nickez/factory-setup-ble-used-device

factory-setup: Check if BLE chip is booted

Author: NickeZ

bitbox-da14531-firmware.bin

@@ -82,6 +82,10 @@ struct da14531_protocol {
 
 static struct da14531_protocol _protocol;
 
+static uint8_t* ble_fw = NULL;
+static size_t ble_fw_size = 0;
+static uint8_t ble_fw_checksum = 0;
+
 #if 0
 static const char* _firmware_loader_state_str(enum firmware_loader_state state)
 {
@@ -104,14 +108,7 @@ static const char* _firmware_loader_state_str(enum firmware_loader_state state)
 
 static void _firmware_loader_init(struct firmware_loader* self)
 {
-// If we are in factory setup we expect to load the ble firmware, so we start in IDLE.
-// In production bootloader and firmware we expect the da14531 to already be booted. We will still
-// load the firmware if it happens to not be loaded.
-#if FACTORYSETUP == 1
-    self->state = FIRMWARE_LOADER_STATE_IDLE;
-#else
     self->state = FIRMWARE_LOADER_STATE_DONE;
-#endif
 }
 
 #define SOH 0x01
@@ -125,10 +122,6 @@ static void _firmware_loader_poll(
     uint16_t* buf_in_len,
     struct ringbuffer* out_queue)
 {
-    static uint8_t* ble_fw = NULL;
-    static size_t ble_fw_size = 0;
-    static uint8_t ble_fw_checksum = 0;
-
     // if (*buf_in_len > 0) {
     //     util_log(
     //         "%s, got bytes %s",
@@ -394,7 +387,7 @@ struct da14531_protocol_frame* da14531_protocol_poll(
     const uint8_t** hww_data,
     struct ringbuffer* out_queue)
 {
-    if (*hww_data) {
+    if (hww_data && *hww_data) {
         uint8_t tmp[128];
         int len = da14531_protocol_format(
             &tmp[0], sizeof(tmp), DA14531_PROTOCOL_PACKET_TYPE_BLE_DATA, *hww_data, 64);
@@ -464,11 +457,19 @@ void da14531_protocol_init(void)
 // Only attempt swd reset in factory setup or debug builds. In production swd is turned off and
 // this is therefore useless.
 #if FACTORYSETUP == 1 || !defined(NDEBUG)
+    // Load the firmware from external flash to RAM so that we are ready to flash.
+    if (ble_fw == NULL) {
+        if (!memory_spi_get_active_ble_firmware(&ble_fw, &ble_fw_size, &ble_fw_checksum)) {
+            util_log("da14531: no valid firmware");
+        }
+    }
     // Reset the device if possible, if we cannot reset it over SWD, it must already be running
     if (!_swd_reset_da14531()) {
         // This may fail if the BLE chip has been started with a production firmware that has
         // disabled the debug interface
         util_log("da14531: Failed to reset over SWD");
+        free(ble_fw);
+        ble_fw = NULL;
     } else {
         // If we successfully reset the chip, we also would like to load it with firmware
         _protocol.loader.state = FIRMWARE_LOADER_STATE_IDLE;

src/da14531/da14531_protocol.c

@@ -13,6 +13,7 @@
 // limitations under the License.
 
 #include "common_main.h"
+#include "da14531/da14531.h"
 #include "da14531/da14531_binary.h"
 #include "da14531/da14531_protocol.h"
 #include "driver_init.h"
@@ -45,8 +46,8 @@
 
 // We commit to the BLE firmware hash here to avoid accidentally installing an unexpected firmware.
 static const uint8_t _allowed_ble_fw_hash[32] =
-    "\x87\xfc\xda\x87\x69\xcd\xa6\x16\x66\xa0\x99\xbc\x23\x8b\xf7\xd8\x36\xc5\x4e\x3a\xfd\x7f\xaa"
-    "\x41\x7b\xc8\xa6\x09\x80\x9e\x1c\xb1";
+    "\xa6\xe8\xda\x32\xe5\x2c\x9b\xdf\xca\xb2\xb8\xbd\x9c\x3f\x5c\xb2\xb8\xa4\xe4\x14\x29\x49\x5e"
+    "\x98\x63\xcc\xb0\xd4\x96\xfa\xd5\xe6";
 
 // 65 bytes uncompressed secp256k1 root attestation pubkey.
 #define ROOT_PUBKEY_SIZE 65
@@ -244,18 +245,18 @@ typedef enum {
 } error_code_t;
 
 typedef enum {
-    BLE_OK,
-    BLE_ERR_FW_TOO_LARGE,
-    BLE_ERR_FLASH_FW,
-    BLE_ERR_GET_METADATA,
-    BLE_ERR_SET_METADATA,
-    BLE_ERR_READ_FW,
-    BLE_ERR_FW_SIZE_MISMATCH,
-    BLE_ERR_FW_CHECKSUM_MISMATCH,
-    BLE_ERR_FW_MISMATCH,
-    BLE_ERR_SPI_ERASE,
-    BLE_ERR_FW_NOT_ALLOWED,
-    BLE_ERR_NOT_BOOTED,
+    BLE_OK = 0,
+    BLE_ERR_FW_TOO_LARGE = 1,
+    BLE_ERR_FLASH_FW = 2,
+    BLE_ERR_GET_METADATA = 3,
+    BLE_ERR_SET_METADATA = 4,
+    BLE_ERR_READ_FW = 5,
+    BLE_ERR_FW_SIZE_MISMATCH = 6,
+    BLE_ERR_FW_CHECKSUM_MISMATCH = 7,
+    BLE_ERR_FW_MISMATCH = 8,
+    BLE_ERR_SPI_ERASE = 9,
+    BLE_ERR_FW_NOT_ALLOWED = 10,
+    BLE_ERR_NOT_BOOTED = 11,
 } ble_error_code_t;
 
 static ble_error_code_t _ble_result;
@@ -563,6 +564,10 @@ static ble_error_code_t _setup_ble(void)
     uint8_t uart_write_buf[1024];
     struct ringbuffer uart_write_queue;
     ringbuffer_init(&uart_write_queue, uart_write_buf, sizeof(uart_write_buf));
+    // If the BLE chip already was successfully booted, for example by running the factory-setup
+    // once already and not power cycled, we need to ask for something to get a uart frame back.
+    // Therefore we schedule a "get connection state".
+    da14531_get_connection_state(&uart_write_queue);
     int32_t timeout = 1000000;
     while (timeout-- > 0) {
         uart_poll(uart_read_buf, sizeof(uart_read_buf), &uart_read_buf_len, &uart_write_queue);
@@ -573,6 +578,7 @@ static ble_error_code_t _setup_ble(void)
             return BLE_OK;
         }
     }
+    screen_print_debug("Failed to check BLE chip status", 0);
     return BLE_ERR_NOT_BOOTED;
 }
 

src/factorysetup.c

@@ -27,7 +27,7 @@ use alloc::vec::Vec;
 
 use bitbox02::{memory, spi_mem};
 
-const ALLOWED_HASH: &[u8; 32] = b"\x87\xfc\xda\x87\x69\xcd\xa6\x16\x66\xa0\x99\xbc\x23\x8b\xf7\xd8\x36\xc5\x4e\x3a\xfd\x7f\xaa\x41\x7b\xc8\xa6\x09\x80\x9e\x1c\xb1";
+const ALLOWED_HASH: &[u8; 32] = b"\xa6\xe8\xda\x32\xe5\x2c\x9b\xdf\xca\xb2\xb8\xbd\x9c\x3f\x5c\xb2\xb8\xa4\xe4\x14\x29\x49\x5e\x98\x63\xcc\xb0\xd4\x96\xfa\xd5\xe6";
 
 // We want to write FW to the memory chip in erase-size chunks, so that we don't repeatedly need to
 // read-erase-write the same sector.