STM Discovery as Black Magic Probe
Last update: 2013-01-12 (Start)
- 1 Overview
- 2 Reverting
- 3 Prerequisites
- 4 Modification steps
- 5 Test, erase and reflash
- 6 Bootstrapping via the F4Discovery board itself
- 7 F429Discovery board doesn't enter System DFU bootloader
- 8 Adding a CDCACM Uart to the F4 Discovery Board
- 9 Recovering from broken application software
- 10 Using cheap STLink-clones
Overview
The STM Discovery boards consist of an STM32F103C8 acting as debug link and the target processor. The debug link can also access other STM32 parts over SWD through the "SWD" connector. ST provides some software to program and debug under Windows. With STLink, an open source project exists that can do most of this task on Linux and Mac. However, read protection and page write protection, for example, are not yet handled. Neither the ST program nor STLink exposes additional capabilities such as a TRACESWO debug channel (possible on all boards), UART output via the debug link (possible on the F0 and F3 Discovery boards) or access to chips from other manufacturers.
Black Magic Probe is an open source project to provide firmware for STM32 processors able to
- flash and debug STM32, SAM3, TI Stellaris and some NXP processors
- expose an UART link
- expose a TRACESWO link
To flash the blackmagic firmware to the STM32F103C8 on discovery boards, programming access to the chip is needed. The bootloader on the original ST_Link uses encryption and can't be used. This article shows how to gain access to the SWD port of the F103 stlink CPU to reprogram the STLINK F103 with a custom firmware.
The STM8S Discovery has the JTAG pins on connector CN5 available. So it is easy to flash the bootloader on these devices without the need for soldering. Blackmagic reuses the JTAG pins as output, so not only SWD is possible, but also JTAG.
Experimental branches for blackmagic and xc3sprog are available
https://github.com/UweBonnes/blackmagic.git (blackmagic branch)
https://xc3sprog.svn.sourceforge.net/svnroot/xc3sprog xc3sprog (blackmagic branch)
to use JTAG-enabled blackmagic probes as a dongle to program Xilinx parts and JTAG AVR and XMega.
Reverting
If you ever want to revert to the ST Link firmware, search for STLinkV2.J16.S4.zip on some Russian forum.
Prerequisites
- Fine pitch solder skills
- Solder equipment
- Two 0805 0R jumper resistors
- Another SWD capable programmer
- Jumper wires to connect external programmer to SWD on the Discovery board
My github tree contains fixes for the F4 BMP variant (20130415).
Modification steps
See the pictures at right.
Test, erase and reflash
The debugger on the unmodified board should now see the target F103 on the modified board.
- Erase the option bytes and program the option byte to "not read protected". This will mass erase the device and irreversibly remove the ST firmware.
- Now program the blackmagic dfu bootloader, compiled with:
- Remove the wire jumper, plug in USB to the modified board and you should see the Blackmagic DFU bootloader, e.g. with dfu-util
> dfu-util -l
Found Runtime: [1d50:6018] devnum=0, cfg=1, intf=4, alt=0, name="Black Magic Firmware Upgrade (STLINK)" serial="E0C6A5BF"
- If you see line:
> dfu-util -l
Found DFU: [1d50:6017] devnum=0, cfg=1, intf=0, alt=0, name="UNDEFINED"
you have a driver problem. Correct the driver by selecting "WinUSB" in the Zadig.exe program before the next steps.
- Remove the SB3/5 and SB7/9 shorts and move the jumpers from "RESERVED" to "DEFAULT". If you ever need to update the bootloader, use dfu_upgrade like:
> dfu-util -s 0x08002000:leave -D dfu_upgrade.bin
> dfu-util -s 0x08000000:leave -D blackmagic_dfu.bin
- Push the reset button and reconnect to enter the new dfu bootloader
> dfu-util -s 0x08002000:leave -D blackmagic.bin
Bootstrapping via the F4Discovery board itself
- Compile blackmagic for the F4 Discovery Target
- Force the F4 into system bootloader mode by jumpering "BOOT0" to "VDD" and "PB2" to "GND" and reset (black button B2). Connect USB cable to CN5. System bootloader should appear.
- Use DFU to upload blackmagic.bin to 0x08000000. Note: Make sure that no Option Bytes are protecting the flash.
- Remove jumpers.
- Reset the F4 with button B2 "Reset". The orange LED should come on steady with CN5 disconnected, and dim with CN5 connected and the device enumerated.
- Connect TMS: Port P1, pin PC4 to CN3, "ST-LINK", pin 4.
- Connect TCK: Port P1, pin PC5 to CN3, "ST-LINK", pin 2.
- Locate the blackmagic CDCACM modem created for the F4, e.g. /dev/ttyACM0
- Start the arm debugger with blackmagic_dfu compiled for the STLink target ("make clean, make PROBE_HOST=stlink"). In the debugger
- Reattach STLink
- Now the STLink blackmagic bootloader should appear
- Use DFU to upload blackmagic.bin compiled for STLink to 0x08002000
>dfu-util -v -d 1d50:6017 -a 0 -s 0x08000000:leave -D blackmagic.bin
(gdb) tar ext /dev/ttyACM0
Remote debugging using /dev/ttyACM2
(gdb) mon swdp_scan
" Target voltage: ABSENT! Available Targets: No. Att Driver 1 STM32, Medium density."
(gdb) att 1
...
(gdb) mon option erase
...
(gdb) load
...
(gdb) quit
F429Discovery board doesn't enter System DFU bootloader
As a prerequisite to enter the DFU bootloader, USART1_RX (PA10), USART3_RX (PB11), USART3_RX (PC11) and CAN2_RX (PB05) must keep their levels after reset. However, PB5 is connected to SDCKE1 and changes level about 4 ms after reset, which is probably the reason that DFU bootloader entry is prevented.
Adding a CDCACM Uart to the F4 Discovery Board
F0, F3, L100, F401 and F429 Discovery already have a connection foreseen between USARTs of the debugging F103 and the debugger target CPU. It can be enabled by closing a solder jumper, e.g. SB11/15 on F229 Discovery. On older STM32 Discovery boards there is no such connection. The picture on the right shows how to add such a connection to the F4 Discovery board. As the involved pins are at the corner of the chips, this can also be done with reasonable solder skills. The pins used are PA2/3.
Beware: When using the F4-Discovery in connection with the STM32F4-BB base board extension, PA2 is needed for ETH_MDI! USART2 TX is also available on PD5 (Pin 86 on FQFP 100) and can be soldered and mapped there.
Data sent out from the F407 to the debug USART can now be seen on the second CDCACM modem of the blackmagic debug probe.
Recovering from broken application software
If by chance your application goes berserk and no longer reacts to a DFU bootloader request, press the black reset button when attaching the USB cable to an unpowered board. This will make the bootloader start up and not load the application, even if the application has a good signature. You can now flash a good application firmware.
Using cheap STLink-clones
There are cheap STLink-clones available through ebay and Aliexpress.
They can be flashed to become a Black Magic Probe too. You need another SWD-capable interface to flash them. Use e.g. a ST-Discovery board or, as these adapters are really cheap, buy two and flash one with the other.
Open the case (pull the aluminium case towards the USB connector) and connect your other SWD interface to the programming header. You can either solder wires to the header, use a 1.27mm pitch connector or pogo pins.
There are at least two versions with different pinouts. See pictures or use a multimeter to find the pinout.
Then use the flashing procedure outlined above
Building Firmware for ST Link V2 Clones and Flash Using Two Cheap Clones
Two cheap ST Link clones, some jumper wires, the arm-none-eabi toolchain, openocd and st-flash are required.
First, compile the Black Magic Probe binary, and then use one ST Link clone to flash the other ST Link clone. For your convenience the two binary files needed for flashing are available here: File:Blackmagic-v1.6-rc0-213-gdf7ad91.bin File:Blackmagic dfu-v1.6-rc0-213-gdf7ad91.bin
As of 2016-08-11 these steps lead to success:
Clone the official Blackmagic repository:
git clone --recursive https://github.com/blacksphere/blackmagic.git
Expected result is
Cloning into 'blackmagic'...
remote: Counting objects: 4444, done.
remote: Compressing objects: 100% (9/9), done.
remote: Total 4444 (delta 3), reused 0 (delta 0), pack-reused 4435
Receiving objects: 100% (4444/4444), 1.93 MiB | 1.50 MiB/s, done.
Resolving deltas: 100% (3133/3133), done.
Checking connectivity... done.
Submodule 'libopencm3' (https://github.com/libopencm3/libopencm3.git) registered for path 'libopencm3'
Cloning into '/Users/usr/tmp/blackmagic/libopencm3'...
Submodule path 'libopencm3': checked out '67242de60dec0227739cd549e8a78e1a3c15dbf5'
Go into the cloned directory
Run make in that directory
Expected result is
GENHDR include/libopencm3/efm32/efm32g/irq.json
[...]
CC platforms/stm32/timing_stm32.c
LD blackmagic
OBJCOPY blackmagic.bin
CC platforms/native/usbdfu.c
CC platforms/stm32/dfucore.c
CC platforms/stm32/dfu_f1.c
LD blackmagic_dfu
OBJCOPY blackmagic_dfu.bin
OBJCOPY blackmagic_dfu.hex
Now go into the src directory
Now compile for ST Link
Expected result is
GIT include/version.h
CC target/adiv5.c
CC target/adiv5_jtagdp.c
[...]
CC platforms/stm32/dfu_f1.c
LD blackmagic_dfu
OBJCOPY blackmagic_dfu.bin
OBJCOPY blackmagic_dfu.hex
CC platforms/stlink/dfu_upgrade.c
LD dfu_upgrade
OBJCOPY dfu_upgrade.bin
OBJCOPY dfu_upgrade.hex
Now connect the first ST Link to your computer. This ST Link Clone will be used to reflash the second ST Link Clone. First, check if the clone is recognized correctly. Use lsusb or your OS's equivalent for that:
Product ID: 0x3748
Vendor ID: 0x0483 (STMicroelectronics)
Version: 1.00
Serial Number: Hÿn?H USHU?
Speed: Up to 12 Mb/sec
Manufacturer: STMicroelectronics
Location ID: 0x1a121100 / 5
Current Available (mA): 1000
Current Required (mA): 100
Extra Operating Current (mA): 0
Connect the second ST Link Clone with four jumper wires to the first ST Link Clone. Check the pinout from the paragraph above. The second ST Link Clone is not connected by USB. It is only connected by four wires.
Unlock the code protection of the ST Link clone that will become your new Black Magic Probe
openocd -f interface/stlink-v2.cfg -f target/stm32f1x.cfg -c "init" -c "halt" -c "stm32f1x unlock 0" -c "shutdown"
Open On-Chip Debugger 0.10.0-dev-gdfc6658 (2016-02-16-19:23)
Licensed under GNU GPL v2
For bug reports, read http://openocd.org/doc/doxygen/bugs.html
Info : auto-selecting first available session transport "hla_swd". To override use 'transport select <transport>'.
Info : The selected transport took over low-level target control. The results might differ compared to plain JTAG/SWD
adapter speed: 1000 kHz
adapter_nsrst_delay: 100
none separate
Info : Unable to match requested speed 1000 kHz, using 950 kHz
Info : Unable to match requested speed 1000 kHz, using 950 kHz
Info : clock speed 950 kHz
Info : STLINK v2 JTAG v17 API v2 SWIM v4 VID 0x0483 PID 0x3748
Info : using stlink api v2
Info : Target voltage: 3.214708
Info : stm32f1x.cpu: hardware has 6 breakpoints, 4 watchpoints
stm32f1x.cpu: target state: halted
target halted due to debug-request, current mode: Thread
xPSR: 0x81000000 pc: 0x080047a2 msp: 0x20004f08
Info : device id = 0x20036410
Now, really power cycle the ST Link clone by unplugging it from the USB port and replugging it.
Erase the ST Link Clone
2016-08-11T20:02:04 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: Loading device parameters....
2016-08-11T20:02:04 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: Device connected is: F1 Medium-density device, id 0x20036410
2016-08-11T20:02:04 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: SRAM size: 0x5000 bytes (20 KiB), Flash: 0x20000 bytes (128 KiB) in pages of 1024 bytes
Mass erasing
Write the DFU Bootloader into the ST Link Clone at the beginning of flash
st-flash write blackmagic_dfu.bin 0x8000000
2016-08-11T20:03:43 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: Loading device parameters....
2016-08-11T20:03:43 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: Device connected is: F1 Medium-density device, id 0x20036410
2016-08-11T20:03:43 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: SRAM size: 0x5000 bytes (20 KiB), Flash: 0x20000 bytes (128 KiB) in pages of 1024 bytes
2016-08-11T20:03:43 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: Attempting to write 6740 (0x1a54) bytes to stm32 address: 134217728 (0x8000000)
Flash page at addr: 0x08001800 erased
2016-08-11T20:03:43 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: Finished erasing 7 pages of 1024 (0x400) bytes
2016-08-11T20:03:43 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: Starting Flash write for VL/F0/F3 core id
2016-08-11T20:03:43 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: Successfully loaded flash loader in sram
6/6 pages written
2016-08-11T20:03:44 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: Starting verification of write complete
2016-08-11T20:03:44 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: Flash written and verified! jolly good!
Now flash the Black Magic Probe firmware
st-flash --reset write blackmagic.bin 0x8002000
2016-08-11T20:05:26 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: Loading device parameters....
2016-08-11T20:05:26 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: Device connected is: F1 Medium-density device, id 0x20036410
2016-08-11T20:05:26 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: SRAM size: 0x5000 bytes (20 KiB), Flash: 0x20000 bytes (128 KiB) in pages of 1024 bytes
2016-08-11T20:05:26 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: Attempting to write 54788 (0xd604) bytes to stm32 address: 134225920 (0x8002000)
Flash page at addr: 0x0800f400 erased
2016-08-11T20:05:28 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: Finished erasing 54 pages of 1024 (0x400) bytes
2016-08-11T20:05:28 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: Starting Flash write for VL/F0/F3 core id
2016-08-11T20:05:28 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: Successfully loaded flash loader in sram
53/53 pages written
2016-08-11T20:05:31 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: Starting verification of write complete
2016-08-11T20:05:32 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: Flash written and verified! jolly good!
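Both flashing procedures above (the dfu-util sequence and the st-flash sequence) put the bootloader at 0x08000000 and the firmware at 0x08002000. The following is an added example, not code from the original page or from the Black Magic Probe project: a pre-flash check that an image fits its slot and carries a plausible Cortex-M vector table, which catches swapped files or a damaged download before anything is written. The slot table, function names and constructed sample images are assumptions; the addresses and sizes come from the page's commands and st-flash logs.

```python
import struct

# Layout from the page: DFU bootloader at 0x08000000, firmware at 0x08002000;
# the st-flash log reports 128 KiB of flash and 20 KiB of SRAM.
FLASH_BASE, FLASH_SIZE = 0x08000000, 0x20000
SRAM_BASE, SRAM_SIZE = 0x20000000, 0x5000
APP_BASE = 0x08002000
SLOTS = {  # slot name -> (load address, first address the image must not reach)
    "dfu": (FLASH_BASE, APP_BASE),
    "app": (APP_BASE, FLASH_BASE + FLASH_SIZE),
}


def check_image(image: bytes, slot: str) -> list:
    """Return the reasons not to flash `image` into `slot` (empty list = OK)."""
    load_addr, limit = SLOTS[slot]
    if len(image) < 8:
        return ["too short to hold a Cortex-M vector table"]
    problems = []
    end = load_addr + len(image)
    if end > limit:
        problems.append(f"ends at {end:#010x}, past slot limit {limit:#010x}")
    # Cortex-M vector table: word 0 is the initial SP, word 1 the reset vector.
    sp, reset = struct.unpack_from("<II", image, 0)
    if sp % 4 or not SRAM_BASE < sp <= SRAM_BASE + SRAM_SIZE:
        problems.append(f"initial SP {sp:#010x} is not in SRAM")
    if not reset & 1:
        problems.append(f"reset vector {reset:#010x} lacks the Thumb bit")
    elif not load_addr <= reset - 1 < end:
        problems.append(f"reset vector {reset:#010x} is outside this slot's image")
    return problems


def constructed_image(link_addr: int, size: int) -> bytes:
    """Constructed stand-in for a real .bin: vector table plus zero padding."""
    table = struct.pack("<II", SRAM_BASE + SRAM_SIZE, (link_addr + 0x150) | 1)
    return table.ljust(size, b"\x00")


if __name__ == "__main__":
    # Sizes are the byte counts st-flash printed in the logs above.
    dfu = constructed_image(FLASH_BASE, 6740)
    app = constructed_image(APP_BASE, 54788)
    for name, image, slot in [("blackmagic_dfu.bin", dfu, "dfu"),
                              ("blackmagic.bin", app, "app"),
                              ("blackmagic.bin", app, "dfu"),       # swapped
                              ("blackmagic_dfu.bin", dfu, "app")]:  # swapped
        print(f"{name} -> {slot}: {check_image(image, slot) or 'OK'}")
```

With real files, pass `open("blackmagic_dfu.bin", "rb").read()` and `"dfu"` (or `blackmagic.bin` and `"app"`) to `check_image` before running the write commands.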
Now disconnect the programming wires and the first ST Link Clone from USB. Only plug your newly flashed Black Magic Probe Clone into any USB port. The first ST Link Clone is untouched and remains usable.
Use lsusb to verify that the device enumerated on USB.
Black Magic Probe (STLINK), (Firmware v1.6-rc0-213-gdf7ad91):
Product ID: 0x6018
Vendor ID: 0x1d50
Version: 1.00
Serial Number: D6CE8AB1
Speed: Up to 12 Mb/sec
Manufacturer: Black Sphere Technologies
Location ID: 0x1a121100 / 5
Current Available (mA): 1000
Current Required (mA): 100
Extra Operating Current (mA): 0
The Black Magic Probe Clone has a DFU bootloader which may be used to update the Black Magic Probe Firmware. I did not test it but verified it is there:
Expected result is:
Copyright 2005-2009 Weston Schmidt, Harald Welte and OpenMoko Inc.
Copyright 2010-2016 Tormod Volden and Stefan Schmidt
This program is Free Software and has ABSOLUTELY NO WARRANTY
Please report bugs to http://sourceforge.net/p/dfu-util/tickets/

Deducing device DFU version from functional descriptor length
Found Runtime: [05ac:828c] ver=0151, devnum=3, cfg=1, intf=3, path="29-3", alt=0, name="UNKNOWN", serial="UNKNOWN"
Found Runtime: [1d50:6018] ver=0100, devnum=5, cfg=1, intf=4, path="26-1", alt=0, name="Black Magic Firmware Upgrade (STLINK)", serial="D6CE8AB1"
There shall be two serial ports
ls -l /dev/cu.usbmodem*
crw-rw-rw- 1 root wheel 17, 65 Aug 11 20:25 /dev/cu.usbmodemD6CE8AB1
crw-rw-rw- 1 root wheel 17, 67 Aug 11 20:24 /dev/cu.usbmodemD6CE8AB3
The first port is for GDB to connect to and the second port is for a debug UART. I did not find out to which pin this UART connects so I did not test it yet. The tty port does not work with gdb on OS X.
Now connect a target (e.g. a blue pill STM32F103 board) with SWD to your newly flashed Black Magic Probe and fire up GDB
arm-none-eabi-gdb -ex "target extended-remote /dev/cu.usbmodemD6CE8AB1"
GNU gdb (GNU Tools for ARM Embedded Processors) 220.127.116.1160616-cvs
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details.
This GDB was configured as "--host=x86_64-apple-darwin10 --target=arm-none-eabi".
Type "show configuration" for configuration details.
For bug reporting instructions, please see: <http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at: <http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
Remote debugging using /dev/cu.usbmodemD6CE8AB1
(gdb)
Interactively scan the SWD:
(gdb) monitor swdp_scan
Target voltage: unknown
Available Targets:
No. Att Driver
1 STM32F1 medium density
Attach to the target
(gdb) att 1
Attaching to Remote target
0x08006d1c in ?? ()
Now you have full control over the target, including flashing new firmware to the target. For further commands, refer to the GDB manual or to the Black Magic Probe documentation.