STM Discovery as Black Magic Probe

Jump to: navigation, search

Last update: 2013-01-12 (Start)

Locate the "Default" and "Reserved" jumpers.
Move (unsolded, then resolder) the jumper from the "Default" to the "Reserved" position. Check with an Ohmmeter there is no short in the "Default" jumpers.
To allow the F103 to still access the target CPU on the discovey board, short SB3 to SB5 and SB7 to SB9 on the side next to the board corner.
Now you can test if everything went right. The test here is done with an unmodified board (F4Discovery, above) to a modified board (F3Discovery, below). Connector "SWD" Pin 2,3 and 4 from the unmodified board are connected to connector "ST-LINK" pin 2, 3 and 4 of the modified board. The unmodified board supplies the modified board with 3 Volt from a pin labeled "3V" to connector "ST-LINK" pin 1 on the modified board.
Added USART connection between F103 and F407.

Overview

The STM Discovery boards consist of a STM32F103C8 as debug link and the target processor. The debug link can also access other STM32 parts via SWD via connector "SWD". Some ST software is provided to program and debug under windows. With STLink an open source project exists that can do most of this task on Linux and Mac. However e.g. read protection and page write protection is not yet handled. Neither the ST programm nor STLink however expose additional cacapilities like a TRACESWO debug channel possible on all boards, UART output via the debug link possible on F0 and F3 discovery board or access to chips from other manufacturers.

Black Magic Probe is an open source project to provide firmware for STM32 processors able to

- flash and debug STM32, SAM3, TI Stellaris and some NXP processors
- expose an UART link
- expose a TRACESWO link

To flash the blackmagic firmware to the STM32F103C8 on discovery boards, programming access to the chip is needed. The bootloader on the original ST_Link uses encryption and can't be used. This article shows how to gain access to the SWD port of the F103 stlink CPU to reprogram the STLINK F103 with a custom firmware.

The STM8S Discovery has the JTAG pins on connector CN5 available. So it is easy to flash the bootloader on these devices without the need for soldering. Blackmagic reuses the JTAG pins as output, so not only SWD is possible, but also JTAG.

Experimantal branches for blackmagic and xc3sprog are available

https://github.com/UweBonnes/blackmagic.git (blackmagic branch)
https://xc3sprog.svn.sourceforge.net/svnroot/xc3sprog xc3sprog
      (blackmagic branch)

to use JTAG enabled blackmagic probes as dongle, to programm Xilinx parts and JTAG AVR and XMega.

Reverting

If you ever want to revert to the ST Link firmware, search for STLinkV2.J16.S4.zip on some russian forum.

Prerequisites

Fine pitch solder skills
Solder equipment
Two 0805 0R jumper resistors
Another SWD capable programmer
Jumper wires to connect external programmer
  to SWD on the Discovery board
My github tree contains a fixes for the F4 BMP variant(20130415).

Modification steps

See the pictures at right.

Test, erase and reflash

The debugger on the unmodified board should now see the target F103 on the modified board.

  • Erase the option bytes and program the option byte to "not read protected". This will mass erase the device and irreversible remove the ST firmware.
  • Now program the blackmagic dfu bootloader, compiled with:
   make PROBE_HOST=stlink 
  • Remove the wire jumper, plug in USB to the modified board and you should see the Blackmagic DFU bootloader, e.g. with dfu-util
   > dfu-util -l
   Found Runtime: [1d50:6018] devnum=0, cfg=1, intf=4, alt=0,
       name="Black Magic Firmware Upgrade (STLINK)" serial="E0C6A5BF"
  • If you see line:
   > dfu-util -l
   Found DFU: [1d50:6017] devnum=0, cfg=1, intf=0, alt=0, name="UNDEFINED"

you have driver problem, you must correct drivers by selecting "WinUSB" in Zadig.exe program before next steps.

  • Remove the SB3/5 and SB7/9 shorts and move the jumpers from "RESERVED" to "DEFAULT". If you ever need to update the bootloader, use dfu_upgrade like:
  > dfu-util -s 0x08002000:leave -D dfu_upgrade.bin
  > dfu-util -s 0x08000000:leave -D blackmagic_dfu.bin
  - Push reset buttom and reconnect to enter new dfu bootloader
  > dfu-util -s 0x08002000:leave -D blackmagic.bin

Bootstraping via the F4Discovery board itself

  1. Compile blackmagic for the F4 Discovery Target
  2.   make PROBE_HOST=f4discovery
    
  3. Force the F4 into system bootloader mode by jumpering "BOOT0" to "VDD" and "PB2" to "GND" and reset (black button B2). Connect USB cable to CN5. System bootloader should appear.
  4. Use DFU to upload blackmagic.bin to 0x08000000. Note: Make sure that no Option Bytes are protecting the flash.
  5.  >dfu-util -v -d 1d50:6017 -a 0 -s 0x08000000:leave -D blackmagic.bin
    
  6. Remove jumpers.
  7. Reset F4 with buttom B2 "Reset". Orange LED should come on steady with CN5 disconnected and dim with CN5 connected and the device enumerated.
  8. Connect TMS: Port P1, pin PC4 to CN3, "ST-LINK", pin 4.
  9. Connect TCK: Port P1, pin PC5 to CN3, "ST-LINK", pin 2.
  10. Locate the blackmagic CDCACM modem created for the F4, e.g. /dev/ttyACM0
  11. Start the arm debugger with blackmagic_dfu compiled for the STLink target ("make clean, make PROBE_HOST=stlink"). In the debugger
  12. (gdb) tar ext /dev/ttyACM0
    Remote debugging using /dev/ttyACM2
    (gdb) mon swdp_scan
    " Target voltage: ABSENT!
    Available Targets:
    No. Att Driver
    1      STM32, Medium density."
    (gdb) att 1
    ...
    (gdb) mon option erase
    ...
    (gdb) load
    ...
    (gdb) quit</pre>
    
  13. Reattach STLink
  14. Now the STLink blackmagic bootloader should appear
  15. Use DFU to upload blackmagic.bin compiled for STLink to 0x08002000

F429Discovery board doesn't enter System DFU bootloader

As prerequisite to enter ther DFU bootloader, USART1_RX (PA10), USART3_RX (PB11), USART3_RX (PC11) and CAN2_RX (PB05) must keep their levels after reset. However PB5 is connected to SDCKE1 and changes level about 4 ms after reset and so probably is the reason that prevents DFU bootloader entry.

Adding a CDCACM Uart to the F4 Discovery Board

F0, F3, L100, F401 and F429 Discovery already have forseen a connection between USARTs from the debugging F103 to the debugger target CPU. It can be enabled by closing solder jumper, e.g. SB11/15 on F229 Discovery. On older STM32 Discovery boards there is no such connection. The picture on the right shows how to add such a connection to the F4 discovery board. As the involved pins are at the corner of the chips, this also can be done with reasonable solder skills. The pins used are PA2/3.

Beware: When using the F4-Discovery in connection with the STM32F4-BB base board extension, PA2 is needed for ETH_MDI! USART2 TX is also available on PD5 (Pin 86 on FQFP 100) and can be solder and mapped there.

Data send out from the F407 to the debug usart can now be seen on the second CDCACM modem of the blackmagic debug probe.

Recovering from broken application software

If by chance your application goes berserque and no longer reacts to a DFU bootloader request, press the black reset buttom when attaching the USB cable to an unpowered board. This will make the bootloader start up and not load the application even if the application has a good signature. You can now flash a good application firmware.

Using cheap STLink-clones

There are cheap STLink-clones available through ebay and Aliexpress.

STLink clone

They can be flashed to become a Black Magic Probe too. You need another SWD-capable interface to flash them. Use e.g. a ST-Discovery board or, as these adapters are really cheap, buy two and flash one with the other.

Open the case (pull the aluminium case towards the USB connector) and connect your other SWD interface to the programming header. You can either solder wires to the header, use a 1.27mm pitch connector or pogo pins.

There are at least two versions with different pinouts. See pictures or use a multimeter to find the pinout.

Version 1

STLink clone programming header

Version 2

STLink clone programming header version 2013
STLink clone programming header version 2013 Back

Then use the flashing procedure outlined above

Building Firmware for ST Link V2 Clones and Flash Using Two Cheap Clones

Two cheap ST Link clones, some jumper wires, arm-none-eabi toolchain, openocd and st-flash is required.

First, compile the Black Magic Probe binary, and then use one ST Link clone to flash the other ST Link clone. For your convenience the two binary files needed for flashing are available here: File:Blackmagic-v1.6-rc0-213-gdf7ad91.bin File:Blackmagic dfu-v1.6-rc0-213-gdf7ad91.bin

As of 2016-08-11 these steps yield to success:

Clone the official Blackmagic repository:

  git clone --recursive https://github.com/blacksphere/blackmagic.git

Expected result is

   Cloning into 'blackmagic'...
   remote: Counting objects: 4444, done.
   remote: Compressing objects: 100% (9/9), done.
   remote: Total 4444 (delta 3), reused 0 (delta 0), pack-reused 4435
   Receiving objects: 100% (4444/4444), 1.93 MiB | 1.50 MiB/s, done.
   Resolving deltas: 100% (3133/3133), done.
   Checking connectivity... done.
   Submodule 'libopencm3' (https://github.com/libopencm3/libopencm3.git) registered for path 'libopencm3'
   Cloning into '/Users/usr/tmp/blackmagic/libopencm3'...
   Submodule path 'libopencm3': checked out '67242de60dec0227739cd549e8a78e1a3c15dbf5'

Go into the cloned directory

  cd blackmagic

Run make in that directory

   make

Expected result is

    GENHDR  include/libopencm3/efm32/efm32g/irq.json
  [...]
    CC      platforms/stm32/timing_stm32.c
    LD      blackmagic
    OBJCOPY blackmagic.bin
    CC      platforms/native/usbdfu.c
    CC      platforms/stm32/dfucore.c
    CC      platforms/stm32/dfu_f1.c
    LD      blackmagic_dfu
    OBJCOPY blackmagic_dfu.bin
    OBJCOPY blackmagic_dfu.hex

Now go into the src directory

  cd src

and clean

  make clean

Now compile for ST Link

  make PROBE_HOST=stlink

Expected result is

    GIT     include/version.h
    CC      target/adiv5.c
    CC      target/adiv5_jtagdp.c
  [...]
    CC      platforms/stm32/dfu_f1.c
    LD      blackmagic_dfu
    OBJCOPY blackmagic_dfu.bin
    OBJCOPY blackmagic_dfu.hex
    CC      platforms/stlink/dfu_upgrade.c
    LD      dfu_upgrade
    OBJCOPY dfu_upgrade.bin
    OBJCOPY dfu_upgrade.hex

Now connect the first ST Link to your computer. This ST Link Clone will be used to reflash the second ST Link Clone. First, check if the clone is recognized correctly. Use the lsusb or your favourite OS' equivalent for that:

  system_profiler SPUSBDataType

Expected output:

                     Product ID: 0x3748
                     Vendor ID: 0x0483  (STMicroelectronics)
                     Version: 1.00
                     Serial Number: Hÿn?H…USHU?‡
                     Speed: Up to 12 Mb/sec
                     Manufacturer: STMicroelectronics
                     Location ID: 0x1a121100 / 5
                     Current Available (mA): 1000
                     Current Required (mA): 100
                     Extra Operating Current (mA): 0

Connect the second ST Link Clone with four jumper wires to the first ST Link Clone. Check the pinout from the paragraph above. The second ST Link Clone is not connected by USB. It is only connected by four wires.

Unlock the code protection of the ST Link clone that will become your new Black Magic Probe

  openocd -f interface/stlink-v2.cfg -f target/stm32f1x.cfg -c "init" -c "halt" -c "stm32f1x unlock 0" -c "shutdown"

Expected result

  Open On-Chip Debugger 0.10.0-dev-gdfc6658 (2016-02-16-19:23)
  Licensed under GNU GPL v2
  For bug reports, read
  	http://openocd.org/doc/doxygen/bugs.html
  Info : auto-selecting first available session transport "hla_swd". To override use 'transport select <transport>'.
  Info : The selected transport took over low-level target control. The results might differ compared to plain JTAG/SWD
  adapter speed: 1000 kHz
  adapter_nsrst_delay: 100
  none separate
  Info : Unable to match requested speed 1000 kHz, using 950 kHz
  Info : Unable to match requested speed 1000 kHz, using 950 kHz
  Info : clock speed 950 kHz
  Info : STLINK v2 JTAG v17 API v2 SWIM v4 VID 0x0483 PID 0x3748
  Info : using stlink api v2
  Info : Target voltage: 3.214708
  Info : stm32f1x.cpu: hardware has 6 breakpoints, 4 watchpoints
  stm32f1x.cpu: target state: halted
  target halted due to debug-request, current mode: Thread
  xPSR: 0x81000000 pc: 0x080047a2 msp: 0x20004f08
  Info : device id = 0x20036410

Now, really power cycle the ST Link clone by unplug it from the USB port and replug it.

Erase the ST Link Clone

  st-flash erase

Expected result

  2016-08-11T20:02:04 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: Loading device parameters....
  2016-08-11T20:02:04 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: Device connected is: F1 Medium-density device, id 0x20036410
  2016-08-11T20:02:04 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: SRAM size: 0x5000 bytes (20 KiB), Flash: 0x20000 bytes (128 KiB) in pages of 1024 bytes
  Mass erasing

Write the DFU Bootloader into the ST Link Clone at the beginning of flash

  st-flash write blackmagic_dfu.bin 0x8000000

Expected result:

  2016-08-11T20:03:43 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: Loading device parameters....
  2016-08-11T20:03:43 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: Device connected is: F1 Medium-density device, id 0x20036410
  2016-08-11T20:03:43 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: SRAM size: 0x5000 bytes (20 KiB), Flash: 0x20000 bytes (128 KiB) in pages of 1024 bytes
  2016-08-11T20:03:43 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: Attempting to write 6740 (0x1a54) bytes to stm32 address: 134217728 (0x8000000)
  Flash page at addr: 0x08001800 erased
  2016-08-11T20:03:43 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: Finished erasing 7 pages of 1024 (0x400) bytes
  2016-08-11T20:03:43 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: Starting Flash write for VL/F0/F3 core id
  2016-08-11T20:03:43 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: Successfully loaded flash loader in sram
    6/6 pages written
  2016-08-11T20:03:44 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: Starting verification of write complete
  2016-08-11T20:03:44 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: Flash written and verified! jolly good!

Now flash the Black Magic Probe firmware

  st-flash --reset write blackmagic.bin 0x8002000

Expected result:

  2016-08-11T20:05:26 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: Loading device parameters....
  2016-08-11T20:05:26 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: Device connected is: F1 Medium-density device, id 0x20036410
  2016-08-11T20:05:26 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: SRAM size: 0x5000 bytes (20 KiB), Flash: 0x20000 bytes (128 KiB) in pages of 1024 bytes
  2016-08-11T20:05:26 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: Attempting to write 54788 (0xd604) bytes to stm32 address: 134225920 (0x8002000)
  Flash page at addr: 0x0800f400 erased
  2016-08-11T20:05:28 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: Finished erasing 54 pages of 1024 (0x400) bytes
  2016-08-11T20:05:28 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: Starting Flash write for VL/F0/F3 core id
  2016-08-11T20:05:28 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: Successfully loaded flash loader in sram
   53/53 pages written
  2016-08-11T20:05:31 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: Starting verification of write complete
  2016-08-11T20:05:32 INFO /tmp/stlink-20160608-18806-p6zk82/stlink-1.2.0/src/stlink-common.c: Flash written and verified! jolly good!

Now disconnect the programming wires and the first ST Link Clone from USB. Only plug your newly flashed Black Magic Probe Clone into any USB port. The first ST Link Clone is untouched and remains usable.

Use the lsusb to verify that the device enumerated at the USB.

  system_profiler SPUSBDataType

Expected result:

                   Black Magic Probe (STLINK), (Firmware v1.6-rc0-213-gdf7ad91):
                     Product ID: 0x6018
                     Vendor ID: 0x1d50
                     Version: 1.00
                     Serial Number: D6CE8AB1
                     Speed: Up to 12 Mb/sec
                     Manufacturer: Black Sphere Technologies
                     Location ID: 0x1a121100 / 5
                     Current Available (mA): 1000
                     Current Required (mA): 100
                     Extra Operating Current (mA): 0

The Black Magic Probe Clone has a DFU bootloader which may be used to updated the Black Magic Probe Firmware. I did not test it but verified it is there:

  dfu-util -l

Expected result is:

  dfu-util 0.9
  Copyright 2005-2009 Weston Schmidt, Harald Welte and OpenMoko Inc.
  Copyright 2010-2016 Tormod Volden and Stefan Schmidt
  This program is Free Software and has ABSOLUTELY NO WARRANTY
  Please report bugs to http://sourceforge.net/p/dfu-util/tickets/
  Deducing device DFU version from functional descriptor length
  Found Runtime: [05ac:828c] ver=0151, devnum=3, cfg=1, intf=3, path="29-3", alt=0, name="UNKNOWN", serial="UNKNOWN"
  Found Runtime: [1d50:6018] ver=0100, devnum=5, cfg=1, intf=4, path="26-1", alt=0, name="Black Magic Firmware Upgrade (STLINK)", serial="D6CE8AB1"

There shall be two serial ports

  ls -l /dev/cu.usbmodem*

Expected result

  crw-rw-rw-  1 root  wheel   17,  65 Aug 11 20:25 /dev/cu.usbmodemD6CE8AB1
  crw-rw-rw-  1 root  wheel   17,  67 Aug 11 20:24 /dev/cu.usbmodemD6CE8AB3

The first port is for GDB to connect to and the second port is for a debug UART. I did not find out to which pin this UART connects so I did not test it yet. The tty port does not work with gdb on OS X.

Now connect a target (e.g. a blue bill STM32F103 board) with SWD to your newly flashed Black Magic Probe and fire up GDB

  arm-none-eabi-gdb -ex "target extended-remote /dev/cu.usbmodemD6CE8AB1"

Expected result

  GNU gdb (GNU Tools for ARM Embedded Processors) 7.10.1.20160616-cvs
  Copyright (C) 2015 Free Software Foundation, Inc.
  License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
  This is free software: you are free to change and redistribute it.
  There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
  and "show warranty" for details.
  This GDB was configured as "--host=x86_64-apple-darwin10 --target=arm-none-eabi".
  Type "show configuration" for configuration details.
  For bug reporting instructions, please see:
  <http://www.gnu.org/software/gdb/bugs/>.
  Find the GDB manual and other documentation resources online at:
  <http://www.gnu.org/software/gdb/documentation/>.
  For help, type "help".
  Type "apropos word" to search for commands related to "word".
  Remote debugging using /dev/cu.usbmodemD6CE8AB1
  (gdb)

Interactively scan the SWD:

  (gdb) monitor swdp_scan

Expected result

  Target voltage: unknown
  Available Targets:
  No. Att Driver
   1      STM32F1 medium density

Attach to the target

  (gdb) att 1

Expected result

  Attaching to Remote target
  0x08006d1c in ?? ()

Now you have full control over the target, including flashing new firmware to the target. For further command refer to the GDB manual or to Black Magic Probe Documentation.