Monday, October 8, 2012

USB programmer for CSR Bluetooth chips

After a lot of search through the web, I couldn't find any home-made or cheap CSR USB programmer, so I became eager to find a way how to make it myself. I've logged on csrsupport.com and started digging. Soon enough I found firmware update for theirs official USB programmer. I tought I could use it in some way to made my own programmer and my predictions were correct. In the rest of this post, you could read how to make it yourself.

DISCLAIMER: I'm not responsible for anything that might happen to you or your equipment if you follow this tutorial. I also can't guarantie that method described below will work for you. I do not own firmware and I won't host it anywhere. If you want it, create account and download it from csrsupport.com!

First, you should buy some BlueCore3-Multimedia External bluetooth modules (yes, they use their own chip for USB programmer). These modules are a little harder to get nowadays, but I managed to order a few from stalmart.com. In the mean time, when you are waiting to get your modules, I strongly suggest that you get familiar with stuff on Byron's blog and make a LPT programmer cable which is described on that page. You don't really need to make the case with pogopins, but it won't hurt. Unfortunately, you can't make USB version of programmer if you don't have a LPT version first (chicken and egg problem). Now, when you have all main components, it's time to make a breakout board. Here you can find Eagle files and partlist for my board. If you use it, please make sure that the module layout is same as yours. If you don't know how to etch and/or solder, get some help from someone who knows or study tutorials on net. Here is pinout of my board:


Breakout board pinout

After you finished your hardware, it's time to go to the software part of tutorial. I assume you are familiar with the process of dumping/flashing firmware and setting pskeys. If you aren't, please read excellent tutorial how to do that on Byron's blog. First connect the board to USB port and LPT programmer. Then make sure that your module have at least loader already flashed on. To check this, fire up BlueFlash and click "Firmware ID". If it says something like "bc3k_8unified_fl_bt2.0_22_0702091828_encr56 2007-02-09" then it is OK. Otherwise a loader should be flashed first. You can get mine here.

Firmware ID check

Now the following pskey must be set:

PSKEY_HOST_INTERFACE_PIO_USB (friendly name: USB host interface selection PIO line) to value 0x0009

This pskey is a little trick which I use to make USB connection work. Some (or most?) loaders don't want to connect to the PC via USB even if they are configured via pskeys to do so. I don't know why is that so, maybe I'm missing something but for now this workaround works perfectly. Connect the PIO9 pin to Vcc. Re-plug USB and voilà! Download firmware upgrade file from here (USB-SPI Converter section) and flash it with DFUWizard (from BlueSuite). Now you should get message that a new device has been found (otherwise just re-plug USB). Driver should be installed automatically. If not, it could be installed manually from BlueSuite folder. Congratulations, now you have fully working USB SPI programmer for CSR's chips!

This programmer supports whole line of products from CSR, not only BlueCore family. It also support JTAG interface but I didn't bother to identify pins used, because I don't own any CSR's device which could be programmed through JTAG.

How to connect your new USB programmer to other modules:
  • PIO0 -> CSB
  • PIO1 -> MISO
  • PIO2 -> MOSI
  • PIO3 -> CLK
  • GND -> GND (in case you forgot)
And a proof from my computer which runs Windows 7 64-bit (it's localized but you'll understand):

USB SPI programmer check

In the next article I'll write about reverse engineering effort to write Linux application for dumping and flashing BlueCore4-Ext devices (dumping already works :)).

EDIT:
For those who have problems with programmer: Take a look at pskeys taken from working programmer here. Make a full dump of yours pskeys before you make any change. Don't change any trim or other calibration value. It will make things worse.

52 comments:

  1. Hi Jernej,
    very nice job !!
    I have tried it.
    But I did not get it enumerated either on linux nor on windows.
    Both said new device found but where unable to enumerate it.
    Can you post all of you USB PSKEY's
    THX
    Christian

    ReplyDelete
  2. Unfortunatly I don't have any computer with parallel port or 2 USB programmers at the moment. I'll borrow one laptop and make a dump.

    ReplyDelete
  3. Dear Jernej,
    very cool project.
    One question I have try to your Bootloader.
    But the DFU Wizard is not able to connect to the Board.
    Can you explain a bit more how you have done the DFU upload.
    I wonder because I use a FTDI cable if this couled be the reason?
    I also tried to change some PSK Settings but nothing changed.
    Do I need to Pull UP/DOWN any IO Pin?
    many thanks
    regards
    Nik

    ReplyDelete
    Replies
    1. FTDI cable is converter between USB and serial, right? This device is meant to be directly connected to USB port. If you take a look in schematic, you could see D+ and D-, which are USB data lines. How did you connect these two lines?

      If you do it right, then just make sure that PSKEY_HOST_INTERFACE_PIO_USB is set to "9" and that PIO9 pin is connected to VCC pin (3.3V) while you replug USB connector. Then you should see a new device under device manager.

      In a few days I will expand this tutorial with detailed description how to flash firmware with DFU Wizard (as soon as I get a laptop with parallel port).

      In the mean time, if DFU Wizard still doesn't work, you could try to set PSKEY_USB_VENDOR_ID to 0x0A12 and PSKEY_USB_PRODUCT_ID to 0xffff. Then replug USB with PIO9 connected to VCC pin (3.3V) and then try again with DFU Wizard.

      Delete
  4. Hi Jernej,
    thanks. I was successful :-). The problem was that I have assumed to use the DFU Wizard with RS232. ok my mistake.
    I had some troubles to let windows xp load the driver. I solved it in also setting the Vendor String PSK Key to one String mentioned in the .inf file.
    Thanks again very cool hack.

    ReplyDelete
  5. is posible to use HC04/05/06 module because there is available USB+ and USB- pin out on the board.
    As you say is very hard to find the BC3 module nowaday..
    Thank you..

    ReplyDelete
  6. These modules use BC4, which doesn't have DSP unit, so the answer is no. It may be possible to use BC5 instead, but I didn't try. Firmware upgrade is specific to BC3.

    However, if you want to make programmer from cheap and easily obtainable parts, you can make compatible programmer using TI Launchpad Stellaris. You can find instructions here: https://github.com/Frans-Willem/CsrUsbSpiDeviceRE

    ReplyDelete
  7. Thanks Jernej, yes I saw that. And I'm on progress to porting the CsrUsbSpiDeviceRE to STM32 because I don't have the Stellaris Board.

    ReplyDelete
  8. BC5 won't work ;)

    ReplyDelete
    Replies
    1. Maybe it could work if you change header in firmware update file. I don't have any BC5 module, but I could help you test this if you want.

      Delete
    2. Hi Jernej,

      I'm really grateful for your great info sharing. I have successfully made one USB-SPI programmer with a BC03MM module and also another made with TI stellaris launchpad (but latter one is slower 4x than former one).

      I have many spare BC05MM modules and it would be great if I can make BC05MM works. Could you share any info how to modify header in DFU file to fake it as BC05MM update file? I have tried to change position (0x68, 0x69) from 0x08 0x00 (bc03mm) to 0x00 0x02 (bc05mm). But I have no hint how to modify the checksum at bottom position for file to pass DFUwizard corruption check.

      Delete
    3. Hi,

      I'm not sure if value 0x00 0x02 is correct, I can't find any document with enough details for this field. Anyway, you must also change values at 0x288 and 0x289 in the same way you did at 0x68 and 0x69.

      Checksum is in two places, first is at 0x916d0 and second is at 0x916e0. In your case, first should be 0xe1d3ca77 and the second is strangely enough, same as original.
      If you want poking around alone, you can contact me and I will provide you with a program for calculating checksums (nothing fancy, sample code mostly taken from usbdfu 1.0 document).

      I hope these modifications will be enough. There could be troubles with flash geometry...

      Delete
    4. Hi Jernej,

      Thanks, now dfu file passed the checking of checksum and BC05MM module can be upgraded with this patch file. Unfortunately, the bc05mm stack is replaced by a bc03 stack in the dfu file. So bc05mm can not work correctly. Manually downloading a bc05mm stack onto this module doesn't seem to help. So I think it's time to give up if no other clues. Anyway, I still have a working (made of bc03mm) USB-SPI programmer to use. Have a good day!

      Delete
    5. By the way, I got that info about target BlueCore variants in my \BlueLab412\tools\dfu\docs\psfile.html

      0000 0000 0000 0001 BlueCore01
      0000 0000 0000 0002 BlueCore2-External
      0000 0000 0000 0004 BlueCore2-ROM/Audio/FLASH
      0000 0000 0000 0008 BlueCore3-Multimedia/FLASH
      0000 0000 0000 0010 BlueCore3-ROM (should never be useful)
      0000 0000 0000 0020 BlueCore3-FLASH
      0000 0000 0000 0040 BlueCore4-External
      0000 0000 0000 0400 BlueCore4-Audio-Flash
      0000 0000 0000 0200 BlueCore5-Multimedia

      For your reference.

      Delete
  9. Hello,
    I work with a HC-05 Module. Device Manager show it as USB-SPI Converter.

    Only, the connections

    PIO0 -> CSB
    PIO1 -> MISO
    PIO2 -> MOSI
    PIO3 -> CLK

    doesnt work.

    It is possible to post a fulldump of the psr from the BC3?

    ReplyDelete
    Replies
    1. Are you sure that you are working with a module which has BC3-MM chip? If you are trying to use HC-05 module as a programmer, it won't work because it has BC4 chip.

      Technically it is not possible to change those pin meanings because they are hardcoded in DSP part of firmware. Probably you have problem somewhere else?

      Here you can download psr file extracted from firmware upgrade file. But if you want, I can post full psr dump extracted from real hardware.

      Delete
    2. I think you forgot to connect the ground pin.

      Delete
    3. Hi Jernej,

      Please provide us the fulldump. xpv/xdv files.

      Delete
    4. I already stated that I don't want to distribute CSR's firmware in any form (legal reasons).

      However, I'll be more than happy to help you with the procedure described above.

      Delete
    5. alright.
      can you provide us the psr full dump from the usb-spi adapter?

      Delete
  10. This comment has been removed by the author.

    ReplyDelete
  11. This comment has been removed by the author.

    ReplyDelete
  12. This comment has been removed by the author.

    ReplyDelete
  13. if one or more PIO not work - check PSKEY_PIO_PROTECT_MASK (&0202). must be 0000

    ReplyDelete
  14. I have make programmer using MB-C03 module from Modulestek.
    In PSKEY I change only two keys:
    PSKEY_HOST_INTERFACE (&01f9) from 0000 (No host to chip connection) to 0002 (USB link) and PSKEY_PIO_PROTECT_MASK (&0202) from 0001 to 0000
    Good luck

    ReplyDelete
  15. Does anybody know where I can get a module with BC03 MM-EXT from within Germany ? The typical China manufacturers will deliver only when ordering a large amount of modules.

    Thanks

    Peter

    ReplyDelete
  16. The way I did it: found as many sellers as you can on alibaba.com and similar pages and ask them for 1 or 2 samples. Usually you must pay them, but they are cheap. I bought 2 modules for 10USD each and shipping cost around 6USD from China to EU.

    ReplyDelete
  17. I understand that Jernej will not provide the programmer firmware for leagle reasons. But can someone who has modified a BC03-MM-Ext module give a hint where to find the firmware file or the name of the file for searching ? It seems to be impossible to join the CSR support page without being a customer,

    Thank's
    Peter

    ReplyDelete
    Replies
    1. IIRC you must just hit "Register" button twice. You just can't get access to the specific parts of the page and firmware is not one of them.

      Delete
  18. Good hint

    Thank's

    Peter

    ReplyDelete
  19. Dear jernej

    good work and can i replace bc3mm to bc4mm module ? please reply

    ReplyDelete
  20. I didn't heard for bc4mm yet, do you mean bc5mm?

    Anyway, I think that CSR firmware update can only be used on bc3mm chip. At least markings in firmware header suggest that. We tried to upload it on bc5mm module with no success. Unfortunately I don't own any other "mm" module to try.

    If you have troubles obtaining bc3mm module, you could try to make ARM clone mentioned somewhere in comments.

    ReplyDelete
    Replies
    1. I can confirm the CSR firmware doesn't work on a BC4-EXT module either. See below for a good $12 option

      Delete
  21. Hiya,
    I built the LPT programmer (for an old dusty laptop w/parallel port) and it worked, but...

    I tweaked Frans-Willem's Stellaris-based programmer code to run on the new Tiva C Launchpad (EK-TM4C123GXL) - USD$12 at time of writing - which is the replacement for the Stellaris Launchpad. TI delivered mine in under a week and they're cheap+work well.

    This clone USB programmer works great for me (on BlueCore 4-EXT modules) with the CSR BlueFlash, PSTool and BlueTest (etc) tools.

    It should also work fine on BC5, CSR8670 etc, but not tried it yet.

    I also added a "Turbo mode" option which roughly doubles the programming/dumping speed, YMMV.

    I included the binary in github so you can just buy a launchpad, get the TI "LM Flash Programmer" tool and get a working clone CSR USB-SPI programmer in about 5 mins; no extra tools required.

    Many thanks to you Jernej for this blog (very useful), and to Frans-Willem for his reverse-engineering and implementation.

    https://github.com/raplin/CsrUsbSpiDeviceRE

    ReplyDelete
    Replies
    1. Hi!

      Thanks for your contribution. Your implementation should work for all CSR devices which uses SPI for programming interface, so it should work also for BC5 and I assume also for CSR8670.

      About Turbo mode: when speed is within device specification, it should work. But to be on the safe side, you should take care of speed, which is set via CmdSetSpeed() in your code. By default, driver sets it to 1 MHz for BC4EXT. You actually won't see 1MHz value, but some transformed value, which is described in my other post.

      Could you measure your SPI speed in Turbo Mode and normal mode with scope or logic analyzer?

      Suggestion for further improvement: I don't see any reason why not to use HW SPI unit on uC instead of simulated one, which is used now.

      Just to clear all misunderstandings: Frans-Willem implemented clone mostly on my description of protocol, which I reverse engineered (see my other post and Frans-Willem comment bellow).

      Delete
    2. Yeah I have a BC5 board here and will have an CSR8670 soon, I'll try on those and confirm with you. I suspect it'll work just fine, CSR are pretty good at picking something sensible and sticking to it.

      In the 'turbo' mode hack I added I simply took out the majority of the SPI bit-banged delay loop when CMD_SETSPEED=4 from host. This is a very empirical hack but works reliably for me (on BC4Ext);
      Because of its hackiness I left it as an option in my modified firmware (hold down left button on Launchpad board when booting), else runs at normal speed. I can measure the actual "turbo" SPI CLK speed when I have my analyzer next hooked up; I guess it's a couple of Mhz.

      Yeah I looked briefly at using hardware SPI but it was a bit too much typing to do right now :-) Clearly it can be done, although I suspect (with the CPU clocked @ 100mhz) I'm approaching the BC4's SPI speed limits with bitbanging anyway (i.e. I did a slightly faster unrolled SPI bitbang loop and it failed to work).

      Thanks very much Jernej for your hard work; a great contribution.

      Delete
    3. I checked datasheet and I couldn't find any maximum speed specification for SPI. Can you?

      I'm afraid that if there isn't proper CmdSetSpeed() support this programmer won't work for whole range of devices.

      Delete
    4. Nope can't find any spec on that either; I recall reading somewhere in some "high level" CSR blurb they said it was a couple of Mhz but I can't find that now.

      The turbo hack is turned off by default (you need to hold a button on launchpad on boot to enable) and I put warnings on the readme AND put in a printf in the firmware as follows:
      "FAST SPI mode enabled - test reliability with BlueFlash before using!"

      Furthermore I only turn on this hack when the host PC has done "CMD_SETSPEED" of 0x0004 (during init phases it does CMD_SETSPEED of like 0x260 or something) so it's basically only used for high speed dumping of flash.

      It works 100% for me here - I did many read/erase/write/verify cycles - and going from 65sec to 25sec when processing 8mbit is nice when reprogramming frequently - but like I said, YMMV. :-)

      Delete
    5. Hi all,

      I have just finished the conversion of a GL-8A module into a CSR USB SPI Converter but it looks like its not working. I programmed the PSK's as described, updated the firmware and installed the USB SPI driver. So far so good. But when connecting for example a BC04 module the USB-SPI converter cannot read data from it. I have checked the SPI signals with a scope and recognized traffic on all four lines when trying to connect with PSTool. Voltage level is ok (3,3V). But I only got the message that the device ID could not be read. I also tried a module with a BC05MM without success. Has anybody an idea what might be the reason for this behaviour ? Must the SPI clock frequency be programmed via PSK or are pull up/down resistors necessary on the SPI lines ?

      Thanks, Klaus

      Delete
  22. Sorry, I replied to Dr. Tune but wants to open a new question, so my question again:

    Hi all,

    I have just finished the conversion of a GL-8A module into a CSR USB SPI Converter but it looks like its not working. I programmed the PSK's as described, updated the firmware and installed the USB SPI driver. So far so good. But when connecting for example a BC04 module the USB-SPI converter cannot read data from it. I have checked the SPI signals with a scope and recognized traffic on all four lines when trying to connect with PSTool. Voltage level is ok (3,3V). But I only got the message that the device ID could not be read. I also tried a module with a BC05MM without success. Has anybody an idea what might be the reason for this behaviour ? Must the SPI clock frequency be programmed via PSK or are pull up/down resistors necessary on the SPI lines ?

    Thanks, Klaus

    ReplyDelete
    Replies
    1. Hi Klaus!

      I never experienced anything like that. Are you sure that there is no noise on 3.3V? If you used linear regulator, voltage should be ok. Do you have any means to make dump of conversation between programmer and chip? Something like logic analyzer? It would be also helpful if you post full dump of pskeys somewhere so we can check them out.

      Delete
    2. Hi Jernej,

      I used a linear regulator for the 3,3V and one for the 1,8V. The voltages itself look good. The clock frequency is the same as when using the LPT programmer (around 18kHz). Unfortunately I don't have a logic analyzer so I can’t poste the data at the moment. But possibly you can compare the programmers PSK dump with yours for a first try:

      Link: http://ge.tt/9R6LBHG1/v/0

      Thank's Klaus

      Delete
    3. I took quick look and all seems fine for now. Maybe you could check that crystal speed set in pskeys corresponds to physical crystal speed on your module? What speed is it? Mine is 16MHz, but your psr dump suggests 4MHz.

      Please check if SPI speed is in range 20kHz - 1MHz. IIRC, required speed is reached with cycle counting (bit banging approach) and I'm not sure if it will work with different crystal speed.

      Delete
    4. I made a more thorough comparison between my and yours pskeys. There are some values I think you should change, namely:

      PSKEY_USB_MAX_POWER
      PSKEY_USB_PRODUCT_ID
      PSKEY_USB_DEVICE_CLASS_CODES
      PSKEY_USB_MANUF_STRING
      PSKEY_USB_PRODUCT_STRING

      maybe also:
      PSKEY_PCM_MIN_CPU_CLOCK
      PSKEY_AMUX_A
      PSKEY_AMUX_B

      probably not:
      PSKEY_UART_BAUDRATE

      Take a look at my dump here for my values.

      Delete
    5. I compared your PSK's with my values and programmed your's into the programmer (not BT address and trim values) but the behaviour is always the same. I als checked the SPI clock frequency. It's just 20kHz. Do you know the frequency of your programmer ? I think if it is also 20kHz I will stop my investigations.

      Thank you for your support

      Klaus

      Delete
    6. I got it! When I set PSKEY_USB_VM_CONTROL = TRUE its running.

      Delete
  23. Hi and at first: thanks to all for your hints.

    I'm using a hc-05 module with a bc417. With at-commands via uart everything's working fine. Now I would like to use the usb-interface (bus-powered), but nothing happened (0V on both data lines!?). As described in the user-guide, there are three ways of enabling the interface by setting pskeys via bcsp and bccmd. Therefor I'm trying to attach a new hci-device with "hciattach /dev/ttyACM3 csr", but "Initialization timed out". Also "bccmd -t BCSP -d /dev/ttyACM3 -b 38400 anycommand" returns "Initialization timed out".

    Is there anybody also trying this way or has anybody an idea?
    At the moment I'm trying to read the memory of the bc4 with spi. Does anybody know which driver is needed to use a lpt-port of an old dell docking-station? Is it possible to use spi with bc4 in general?

    Thanks in advance!
    Joe

    ReplyDelete
  24. Sorry for late response.

    I can't help you with the first problem, because I never tried to do that.

    Second problem: Technically speaking, spi is the only way to access internal flash and pskeys, you meant USB-SPI and LPT-SPI adapters. To be able to use LPT port for programming, you need driver which can be found in BlueSuite's installation folder. However, it is available only for 32 bit windows (probably only XP).

    ReplyDelete
  25. Hi. I have been looking to use CSR modules for long time, without the need of official softwares. Have you been able to reprogram some csr module already?

    ReplyDelete
  26. I'm looking for someone to update my original working prototype to use the newer BCore5 BC57E687C. Have the schematic and enclosure along with dimensioned PCB. Need new PCB and update the program. djeffarndt@gmail.com 4152152409

    ReplyDelete
  27. Hi Jernej,

    I'm using BC358239AU to build the USB-SPI converter. For the hardware design, I followed the application circuit in its datasheet. But it cannot connect to PC via USB after flashing the loader you provided. Is it a must to pull PIO9 to VCC? I didn't do pull this pin out in my PCB design. Is there a way to make it connect to PC without PIO9 pulled to VCC?

    Thanks,
    Wentao

    ReplyDelete
    Replies
    1. I must say that I didn't use this programmer for a few years now, so I don't remember any detail. Bluetooth Low Energy is better documented, easier to learn and most of all, you can get cheap tools and free compilers. But it is not direct replacement...

      But why don't you just test pulling PIO9 pin? I probably write about it for a reason.

      Delete