int do_flash_write(uint32_t addr, uint32_t len, uint32_t erase) {
struct uart_buf ub;
uint8_t digest[16];
uint32_t num_written = 0, num_erased = 0;
struct MD5Context ctx;
MD5Init(&ctx);
if (addr % FLASH_SECTOR_SIZE != 0) return 0x32;
if (len % FLASH_SECTOR_SIZE != 0) return 0x33;
if (SPIUnlock() != 0) return 0x34;
ub.nr = 0;
ub.pr = ub.pw = ub.data;
ets_isr_attach(ETS_UART_INUM, uart_isr, &ub);
SET_PERI_REG_MASK(UART_INT_ENA(0), UART_RX_INTS);
ets_isr_unmask(1 << ETS_UART_INUM);
SLIP_send(&num_written, 4);
while (num_written < len) {
volatile uint32_t *nr = &ub.nr;
/* Prepare the space ahead. */
while (erase && num_erased < num_written + SPI_WRITE_SIZE) {
const uint32_t num_left = (len - num_erased);
if (num_left > FLASH_BLOCK_SIZE && addr % FLASH_BLOCK_SIZE == 0) {
if (SPIEraseBlock(addr / FLASH_BLOCK_SIZE) != 0) return 0x35;
num_erased += FLASH_BLOCK_SIZE;
} else {
/* len % FLASH_SECTOR_SIZE == 0 is enforced, no further checks needed */
if (SPIEraseSector(addr / FLASH_SECTOR_SIZE) != 0) return 0x36;
num_erased += FLASH_SECTOR_SIZE;
}
}
/* Wait for data to arrive. */
while (*nr < SPI_WRITE_SIZE) {
}
MD5Update(&ctx, ub.pr, SPI_WRITE_SIZE);
if (SPIWrite(addr, ub.pr, SPI_WRITE_SIZE) != 0) return 0x37;
ets_intr_lock();
*nr -= SPI_WRITE_SIZE;
ets_intr_unlock();
num_written += SPI_WRITE_SIZE;
addr += SPI_WRITE_SIZE;
ub.pr += SPI_WRITE_SIZE;
if (ub.pr >= ub.data + UART_BUF_SIZE) ub.pr = ub.data;
SLIP_send(&num_written, 4);
}
ets_isr_mask(1 << ETS_UART_INUM);
MD5Final(digest, &ctx);
SLIP_send(digest, 16);
return 0;
}
void stub_main() {
uint32_t baud_rate = params[0];
uint32_t greeting = 0x4941484f; /* OHAI */
uint8_t last_cmd;
/* This points at us right now, reset for next boot. */
ets_set_user_start(NULL);
/* Selects SPI functions for flash pins. */
SelectSpiFunction();
if (baud_rate > 0) {
ets_delay_us(1000);
uart_div_modify(0, UART_CLKDIV_26MHZ(baud_rate));
}
/* Give host time to get ready too. */
ets_delay_us(10000);
SLIP_send(&greeting, 4);
last_cmd = cmd_loop();
ets_delay_us(10000);
if (last_cmd == CMD_BOOT_FW) {
/*
* Find the return address in our own stack and change it.
* "flash_finish" it gets to the same point, except it doesn't need to
* patch up its RA: it returns from UartDwnLdProc, then from f_400011ac,
* then jumps to 0x4000108a, then checks strapping bits again (which will
* not have changed), and then proceeds to 0x400010a8.
*/
volatile uint32_t *sp = &baud_rate;
while (*sp != (uint32_t) 0x40001100) sp++;
*sp = 0x400010a8;
/*
* The following dummy asm fragment acts as a barrier, to make sure function
* epilogue, including return address loading, is added after our stack
* patching.
*/
__asm volatile("nop.n");
return; /* To 0x400010a8 */
} else {
void cmd_loop() {
while(1) {
/* Wait for a command */
while(ub.command == NULL) { }
esp_command_req_t *command = ub.command;
ub.command = NULL;
/* provide easy access for 32-bit data words */
uint32_t *data_words = (uint32_t *)command->data_buf;
/* Send command response header */
esp_command_response_t resp = {
.resp = 1,
.op_ret = command->op,
.len_ret = 0, /* esptool.py ignores this value */
.value = 0,
};
/* ESP_READ_REG is the only command that needs to write into the
'resp' structure before we send it back. */
if (command->op == ESP_READ_REG && command->data_len == 4) {
resp.value = REG_READ(data_words[0]);
}
/* Send the command response. */
SLIP_send_frame_delimiter();
SLIP_send_frame_data_buf(&resp, sizeof(esp_command_response_t));
if(command->data_len > MAX_WRITE_BLOCK+16) {
SLIP_send_frame_data(ESP_BAD_DATA_LEN);
SLIP_send_frame_data(0xEE);
SLIP_send_frame_delimiter();
continue;
}
/* ... some commands will insert in-frame response data
between here and when we send the end of the frame */
esp_command_error error = ESP_CMD_NOT_IMPLEMENTED;
int status = 0;
/* First stage of command processing - before sending error/status */
switch (command->op) {
case ESP_ERASE_FLASH:
error = verify_data_len(command, 0) || SPIEraseChip();
break;
case ESP_ERASE_REGION:
/* Params for ERASE_REGION are addr, len */
error = verify_data_len(command, 8) || handle_flash_erase(data_words[0], data_words[1]);
break;
case ESP_SET_BAUD:
/* ESP_SET_BAUD sends two args, we ignore the second one */
error = verify_data_len(command, 8);
/* actual baud setting happens after we send the reply */
break;
case ESP_READ_FLASH:
error = verify_data_len(command, 16);
/* actual data is sent after we send the reply */
break;
case ESP_FLASH_VERIFY_MD5:
/* unsure why the MD5 command has 4 params but we only pass 2 of them,
but this is in ESP32 ROM so we can't mess with it.
*/
error = verify_data_len(command, 16) || handle_flash_get_md5sum(data_words[0], data_words[1]);
break;
case ESP_FLASH_BEGIN:
/* parameters (interpreted differently to ROM flasher):
0 - erase_size (used as total size to write)
1 - num_blocks (ignored)
2 - block_size (should be MAX_WRITE_BLOCK, relies on num_blocks * block_size >= erase_size)
3 - offset (used as-is)
*/
if (command->data_len == 16 && data_words[2] != MAX_WRITE_BLOCK) {
error = ESP_BAD_BLOCKSIZE;
} else {
error = verify_data_len(command, 16) || handle_flash_begin(data_words[0], data_words[3]);
}
break;
case ESP_FLASH_DEFLATED_BEGIN:
/* parameters:
0 - uncompressed size
1 - num_blocks (based on compressed size)
2 - block_size (should be MAX_WRITE_BLOCK, total bytes over serial = num_blocks * block_size)
3 - offset (used as-is)
*/
if (command->data_len == 16 && data_words[2] != MAX_WRITE_BLOCK) {
error = ESP_BAD_BLOCKSIZE;
} else {
error = verify_data_len(command, 16) || handle_flash_deflated_begin(data_words[0], data_words[1] * data_words[2], data_words[3]); }
break;
case ESP_FLASH_DATA:
case ESP_FLASH_DEFLATED_DATA:
/* ACK DATA commands immediately, then process them a few lines down,
allowing next command to buffer */
if(is_in_flash_mode()) {
error = get_flash_error();
int payload_len = command->data_len - 16;
if (data_words[0] != payload_len) {
/* First byte of data payload header is length (repeated) as a word */
error = ESP_BAD_DATA_LEN;
}
uint8_t data_checksum = calculate_checksum(command->data_buf + 16, payload_len);
if (data_checksum != command->checksum) {
error = ESP_BAD_DATA_CHECKSUM;
}
}
else {
error = ESP_NOT_IN_FLASH_MODE;
}
break;
case ESP_FLASH_END:
case ESP_FLASH_DEFLATED_END:
error = handle_flash_end();
break;
case ESP_SPI_SET_PARAMS:
/* data params: fl_id, total_size, block_size, sector_Size, page_size, status_mask */
error = verify_data_len(command, 24) || handle_spi_set_params(data_words, &status);
break;
case ESP_SPI_ATTACH:
/* parameter is 'hspi mode' (0, 1 or a pin mask for ESP32. Ignored on ESP8266.) */
error = verify_data_len(command, 4) || handle_spi_attach(data_words[0]);
break;
case ESP_WRITE_REG:
/* params are addr, value, mask (ignored), delay_us (ignored) */
error = verify_data_len(command, 16);
if (error == ESP_OK) {
REG_WRITE(data_words[0], data_words[1]);
}
break;
case ESP_READ_REG:
/* actual READ_REG operation happens higher up */
error = verify_data_len(command, 4);
break;
case ESP_MEM_BEGIN:
error = verify_data_len(command, 16) || handle_mem_begin(data_words[0], data_words[3]);
break;
case ESP_MEM_DATA:
error = handle_mem_data(command->data_buf + 16, command->data_len - 16);
break;
case ESP_MEM_END:
error = verify_data_len(command, 8) || handle_mem_finish();
break;
case ESP_RUN_USER_CODE:
/* Returning from here will run user code, ie standard boot process
This command does not send a response.
*/
return;
}
SLIP_send_frame_data(error);
SLIP_send_frame_data(status);
SLIP_send_frame_delimiter();
/* Some commands need to do things after after sending this response */
if (error == ESP_OK) {
switch(command->op) {
case ESP_SET_BAUD:
ets_delay_us(10000);
uart_div_modify(0, baud_rate_to_divider(data_words[0]));
ets_delay_us(1000);
break;
case ESP_READ_FLASH:
/* args are: offset, length, block_size, max_in_flight */
handle_flash_read(data_words[0], data_words[1], data_words[2],
data_words[3]);
break;
case ESP_FLASH_DATA:
/* drop into flashing mode, discard 16 byte payload header */
handle_flash_data(command->data_buf + 16, command->data_len - 16);
break;
case ESP_FLASH_DEFLATED_DATA:
handle_flash_deflated_data(command->data_buf + 16, command->data_len - 16);
break;
case ESP_FLASH_DEFLATED_END:
case ESP_FLASH_END:
/* passing 0 as parameter for ESP_FLASH_END means reboot now */
if (data_words[0] == 0) {
/* Flush the FLASH_END response before rebooting */
#ifdef ESP32
uart_tx_flush(0);
#endif
ets_delay_us(10000);
software_reset();
}
break;
case ESP_MEM_END:
if (data_words[1] != 0) {
void (*entrypoint_fn)(void) = (void (*))data_words[1];
/* this is a little different from the ROM loader,
which exits the loader routine and _then_ calls this
function. But for our purposes so far, having a bit of
extra stuff on the stack doesn't really matter.
*/
entrypoint_fn();
}
break;
}
}
}
}
extern uint32_t _bss_start;
extern uint32_t _bss_end;
void __attribute__((used)) stub_main();
#ifdef ESP8266
__asm__ (
".global stub_main_8266\n"
".literal_position\n"
".align 4\n"
"stub_main_8266:\n"
/* ESP8266 wrapper for "stub_main()" manipulates the return address in
* a0, so 'return' from here runs user code.
*
* After setting a0, we jump directly to stub_main_inner() which is a
* normal C function
*
* Adapted from similar approach used by Cesanta Software for ESP8266
* flasher stub.
*
*/
"movi a0, 0x400010a8;"
"j stub_main;");
#endif
/* This function is called from stub_main, with return address
reset to point to user code. */
void stub_main()
{
const uint32_t greeting = 0x4941484f; /* OHAI */
/* this points to stub_main now, clear for next boot */
ets_set_user_start(0);
/* zero bss */
for(uint32_t *p = &_bss_start; p < &_bss_end; p++) {
*p = 0;
}
SLIP_send(&greeting, 4);
/* All UART reads come via uart_isr */
ub.reading_buf = ub.buf_a;
ets_isr_attach(ETS_UART0_INUM, uart_isr, NULL);
SET_PERI_REG_MASK(UART_INT_ENA(0), UART_RX_INTS);
ets_isr_unmask(1 << ETS_UART0_INUM);
/* Configure default SPI flash functionality.
Can be overriden later by esptool.py. */
#ifdef ESP8266
SelectSpiFunction();
#else
uint32_t spiconfig = ets_efuse_get_spiconfig();
uint32_t strapping = REG_READ(GPIO_STRAP_REG);
/* If GPIO1 (U0TXD) is pulled low and no other boot mode is
set in efuse, assume HSPI flash mode (same as normal boot)
*/
if (spiconfig == 0 && (strapping & 0x1c) == 0x08) {
spiconfig = 1; /* HSPI flash mode */
}
spi_flash_attach(spiconfig, 0);
#endif
SPIParamCfg(0, 16*1024*1024, FLASH_BLOCK_SIZE, FLASH_SECTOR_SIZE,
FLASH_PAGE_SIZE, FLASH_STATUS_MASK);
cmd_loop();
/* if cmd_loop returns, it's due to ESP_RUN_USER_CODE command. */
return;
}
uint8_t cmd_loop() {
uint8_t cmd;
do {
uint32_t args[4];
uint32_t len = SLIP_recv(&cmd, 1);
if (len != 1) {
continue;
}
uint8_t resp = 0xff;
switch (cmd) {
case CMD_FLASH_ERASE: {
len = SLIP_recv(args, sizeof(args));
if (len == 8) {
resp = do_flash_erase(args[0] /* addr */, args[1] /* len */);
} else {
resp = 0x31;
}
break;
}
case CMD_FLASH_WRITE: {
len = SLIP_recv(args, sizeof(args));
if (len == 12) {
resp = do_flash_write(args[0] /* addr */, args[1] /* len */,
args[2] /* erase */);
} else {
resp = 0x41;
}
break;
}
case CMD_FLASH_READ: {
len = SLIP_recv(args, sizeof(args));
if (len == 16) {
resp = do_flash_read(args[0] /* addr */, args[1], /* len */
args[2] /* block_size */,
args[3] /* max_in_flight */);
} else {
resp = 0x51;
}
break;
}
case CMD_FLASH_DIGEST: {
len = SLIP_recv(args, sizeof(args));
if (len == 12) {
resp = do_flash_digest(args[0] /* addr */, args[1], /* len */
args[2] /* digest_block_size */);
} else {
resp = 0x61;
}
break;
}
case CMD_FLASH_READ_CHIP_ID: {
resp = do_flash_read_chip_id();
break;
}
case CMD_FLASH_ERASE_CHIP: {
resp = SPIEraseChip();
break;
}
case CMD_BOOT_FW:
case CMD_REBOOT: {
resp = 0;
SLIP_send(&resp, 1);
return cmd;
}
}
SLIP_send(&resp, 1);
} while (cmd != CMD_BOOT_FW && cmd != CMD_REBOOT);
return cmd;
}
