Extracting Axpert firmware using JTAG

Featured Replies

 

@mihaigsm2003:

Quote

I need help to read and write TMS320F2809, I have an XDS100 V2 interface


I thought I'd start a new topic for this, though this one might fizzle out very fast because of the password issue.

First, a few preliminaries, for readers that haven't gotten up to speed on this. This applies to Axpert inverters only, though some of it may apply in general to other designs.

* Firmware is usually flashed into microcontrollers at the factory using a JTAG interface, as it programs in several seconds, compared to several minutes over a serial port.

* This applies to both main DSP (Digital Signals Processor) firmware, and to display firmware (removable or fixed displays). The very oldest displays (non-removable, usually white on blue, no hexagons) were driven by the DSP processor, so there is no separate display firmware for those.

* Solar Charge Controllers (SCCs) for 145 V max models (Axpert MKS I, Axpert King I) have their own 8-bit firmware. I know nothing about updating those.

* Inverters with Bluetooth sometimes have their own firmware, I know nothing about those.

* JTAG operates at a low level, so it's often necessary to know the exact chip part number that you are dealing with.

* Main DSP firmware used to use the Texas Instruments TMS320F2809 processor. This one uses two power supplies (3.3 V and 1.8 V) and has 128k words (256k bytes) of flash. Later models use the more modern single power supply (3.3V) chips: either the TMS320F28062 with 64k words (128k bytes) of flash for the Value models (Axpert VM II, VM III, VM IV etc), or the TMS320F28066 for models that can be paralleled (128k words, 256k bytes). All main DSP firmware is password protected; you need a 128-bit password to be able to see or copy the firmware. Without the password, all you see is zeroes.

* Display firmware uses some form of ARM processor, often the ST Microelectronics STM32F107VC. It's an ARM_Cortex-M3 V7 or V7M3. The firmware uses the THUMB instruction set (not the native 32-bit set), little endian. It seems that the display firmware is not password protected at present. Some displays since about 2022 use a GigaDevice GD32F105VCT6 chip. This chip may or may not need a different JTAG device to the ST one. 

* You do need a different JTAG device for the DSP as for the display.

* The commonly available DSP JTAG devices are known as XDS100 compatible. These are convenient because they are common, inexpensive, and work for free with the TI Code Composer Studio software. If you want to use that software with other JTAG devices, you have to pay. Code Composer Studio is a large, complex software development environment, but there are much smaller utilities that can be used to do simple jobs like reading and writing blocks of memory (e.g. firmware). Axpert firmware uses the addresses 3D 8000-3F 7FFF (for the larger firmwares), or 3E 8000-3F 7FFF for the smaller firmwares. The bootloader starts at 3F 4000. [ Edit: Was 3F 8000 ]

* However, inexpensive JTAG devices can be bought online, and often come with their own JTAG software to read and program the DSP chip. You still need the password, of course.

* There is a similar JTAG device for ARM. @mihaigsm2003 is actually the expert here. I believe that the usual JTAG device used is this one: https://www.st.com/en/development-tools/st-link-v2.html . It seems that there are economical third party devices available from Ebay and the like. Mihaigsm2003's information starts with this post. Typical display firmware uses addresses 8003000 - typically 802 6FFF? The end of flash memory is probably 800 3FFF (256k bytes). The bootloader starts at 800 0000.

* Both processor types (DSP and display) have a special program that I call the bootloader, which takes control at reset, checks for the presence of main flash, and jumps to main flash only if the main flash appears to be present. If not, it waits for serial commands to commence a reflash or main firmware. When you "brick" an inverter, usually the bootloader is still present and is still running. The bootloader is never updated after loading from the factory, and its code is not present in a firmware update file. If you have to replace the processor with a new one because the processor chip is damaged, the bootloader will not be present, so you can't load any new firmware without a JTAG programmer. It may be possible to replace the boot loader with one or a few jump instructions, to branch always to the main firmware. In that case, firmware can only be updated using JTAG. I have extracted a bootloader for a very few Axpert models. The bootloader is involved with security protection; without the original bootloader, your inverter may fail after 60 days of operation with fault code 90.

* The smaller Axpert inverters seem to have the bootloader as part of the code that is in the hex file of a firmware update file set. I have no idea how that works, and have not investigated. 

* TI 320F28xx processors have a smallish mask programmed read-only memory containing what could be described as a bootloader, but it's not the same as the Voltronic bootloader. In theory, it could be used to load firmware, but you'd need special programs, and the control board is not designed to use this fixed bootloader.

* Hex files were invented by Intel back in the 1980s; they were limited to 64k (16 bit addresses) because that's all the processors at the time could address. So Axpert firmware updates use extended intel hex files. These allow for 32 bit addresses. Firmware is compiled to a .out file (binary format, not human readable), and the following command is used to generate the extended hex file:

hex2000 foo.out --intel --memwidth=16 --romwidth=16 -o dsp.hex

hex2000 is a TI specific tool that comes with Code Composer Studio and other TI packages. It can probably be downloaded on its own, but unless you have a .out file, it won't be very useful. The single -o flag seems to be needed to prevent creating two interleaved hex files. There must be a similar tool to generate extended display hex files but I don't know the details. At least the ARM code is byte addressed, so the display hex files look more like traditional Intel hex files. Note that TI by default use their own incompatible hex format that no-one else has adopted.

* I'll add more information here as I think of it.

Quote

I need help to read and write TMS320F2809


Back to the original question. What model inverter is this for, or generally for many models? The problem is that without the password, there is so little that can be done. You might be able to erase everything, but that includes the bootloader, and I have precious few of those.

I do have a few extracted passwords, but they probably change those regularly, so I don't hold much hope for them. If we get to that stage, I'll talk via PM. I don't want to enable the clone makers to easily steal firmware. I won't help anyone attempting to steal firmware for profit; there are a few cases where this reading and writing of firmware is legitimately needed. I'm happy to help with those cases where I can.

[ Edit: Fixed addresses, added bootloader start addresses ]

[ Edit: added hex file info. ]

[ Edit: Added GigaDevice part number, mentioned inexpensive online JTAG devices and flashing software, added section on bootloaders for smaller Axperts. ]

Edited by Coulomb
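A checker for the extended Intel hex files described above, added here as an example; it is not code from the post, from TI or from Voltronic. It assumes hex2000's default target (16-bit word) addressing, so one address holds two data bytes, and it works on constructed sample records rather than a real dsp.hex.

```python
"""Extended Intel hex checker (added example, not from the post or from TI/Voltronic
tools). Parses record types 00/01/04, verifies each line's checksum, reports the
address range the file covers and counts data records that fall inside flash
segment A (0x3F4000-0x3F7FFF on the TMS320F2809), which the post says holds the
bootloader. Assumption: hex2000 without --byte numbers locations in target
16-bit-word addressing, so one address holds 2 data bytes (use 1 for ARM display hex)."""

# Constructed sample, not a real dsp.hex: two records under upper address
# 0x003D (main firmware area) and one at 0x3F4000 (inside segment A).
SAMPLE_HEX = """\
:02000004003DBD
:048000001234567868
:04800400AABBCCDD6A
:02000004003FBB
:04400000DEADBEEF84
:00000001FF
"""

BOOTLOADER_SEGMENT = (0x3F4000, 0x3F7FFF)  # flash segment A, F2809 word addresses


def parse_ihex(text):
    """Return [(address, data_bytes)] for the data records, checking every checksum."""
    upper = 0  # upper 16 address bits from the last type-04 record
    chunks = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if not line.startswith(":"):
            raise ValueError(f"line {lineno}: missing ':' start code")
        raw = bytes.fromhex(line[1:])  # count, offset(2), type, data..., checksum
        if len(raw) < 5 or len(raw) != raw[0] + 5:
            raise ValueError(f"line {lineno}: byte count does not match line length")
        if sum(raw) & 0xFF:  # all bytes including the checksum must sum to 0 mod 256
            raise ValueError(f"line {lineno}: checksum mismatch")
        offset, rtype, data = int.from_bytes(raw[1:3], "big"), raw[3], raw[4:-1]
        if rtype == 0x00:
            chunks.append(((upper << 16) | offset, data))
        elif rtype == 0x01:
            return chunks
        elif rtype == 0x04:
            upper = int.from_bytes(data, "big")
        else:
            raise ValueError(f"line {lineno}: unsupported record type {rtype:02X}")
    raise ValueError("no EOF record (type 01)")


def coverage(chunks, bytes_per_address=2):
    """Lowest and highest (inclusive) address touched by the data records."""
    lo = min(addr for addr, _ in chunks)
    hi = max(addr + len(data) // bytes_per_address - 1 for addr, data in chunks)
    return lo, hi


def records_in_range(chunks, start, end, bytes_per_address=2):
    """Data records that overlap the inclusive address range [start, end]."""
    return [(a, d) for a, d in chunks
            if a <= end and a + len(d) // bytes_per_address - 1 >= start]


def check_update_file(text, boot=BOOTLOADER_SEGMENT, bytes_per_address=2):
    """Summarise a hex file: covered range and how many records hit segment A."""
    chunks = parse_ihex(text)
    lo, hi = coverage(chunks, bytes_per_address)
    hits = records_in_range(chunks, *boot, bytes_per_address=bytes_per_address)
    return {"lowest": lo, "highest": hi, "bootloader_records": len(hits)}


def is_valid_ihex(text):
    """True when every line parses and checksums; use it to reject a corrupted file."""
    try:
        parse_ihex(text)
        return True
    except ValueError:
        return False
```

Run check_update_file() on an update file before flashing: a non-zero bootloader_records count means the file would write into segment A, which the post says an update file should not contain.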

Interesting. Is the firmware not protected? Usually it is impossible to readout the firmware after the protection fuse is blown (except if you successfully glitch the processor when it is reading the fuse). If you are able to read the firmware over jtag, the manufacturer made quite a stuff-up.

You usually also encrypt firmware updates before you ship it, with decryption keys in the bootloader. (so you REALLY want to keep your bootloader secret)

3 hours ago, Coulomb said:

Back to the original question. What model inverter is this for, or generally for many models? The problem is that without the password, there is so little that can be done. You might be able to erase everything, but that includes the bootloader, and I have precious few of those.
 

I do have a few extracted passwords, but they probably change those regularly, so I don't hold much hope for them. If we get to that stage, I'll talk via PM. I don't want to enable the clone makers to easily steal firmware. I won't help anyone attempting to steal firmware for profit; there are a few cases where this reading and writing of firmware is legitimately needed. I'm happy to help with those cases where I can.

[ Edit: Fixed addresses, added bootloader start addresses ]

[ Edit: added hex file info. ]

Hi, I have a problem with an 8048 Max inverter. The owner wrote the DSP firmware, and after that there is no communication; the display shows error 32, and there is no way to write the firmware.

I connect XDS100 V2 to CPU, I can write, but I can't load DSP.HEX firmware or other hex to write.

I'm also trying to use C2Prog, but the software gets stuck at "server started"!

1 minute ago, P1000 said:

Interesting. Is the firmware not protected? Usually it is impossible to readout the firmware after the protection fuse is blown (except if you successfully glitch the processor when it is reading the fuse). If you are able to read the firmware over jtag, the manufacturer made quite a stuff-up.

You usually also encrypt firmware updates before you ship it, with decryption keys in the bootloader. (so you REALLY want to keep your bootloader secret)

Firmware for display or communication board is not protected.

I am no expert on JTAG flashing but I am wondering how the JTAG firmware update methods for computer BIOS' compare to the methods for Inverter Firmware.
There are numerous articles and guides available, but would the same principles apply for Inverters?

https://electrolama.com/radio-docs/advanced/flash-jtag/

https://embeddedbits.org/2020-02-20-extracting-firmware-from-devices-using-jtag/

Edited by zsde

  • Author
23 hours ago, P1000 said:

Is the firmware not protected?

DSP firmware is protected (after some time in 2013; the earliest firmwares were not protected at all).

The display firmware is (so far) not protected.

23 hours ago, P1000 said:

Usually it is impossible to readout the firmware after the protection fuse is blown

It's not a fuse with the TI DSP processors, but a 128-bit binary "password" that is programmed into a special area of the flash memory. You have to send the password to the magic registers to unlock the Code Security Module (CSM).

23 hours ago, P1000 said:

You usually also encrypt firmware updates before you ship it, with decryption keys in the bootloader.

They haven't gone to that trouble. At least not yet.

  • Author
23 hours ago, mihaigsm2003 said:

Hi, I have a problem with an 8048 Max inverter, the owner writes the DSP firmware after that no communication, the display shows error 32, no way to write the firmware.

Unfortunately, I don't have a password for that model. I could maybe help you extract one if absolutely necessary.

But it sounds like the DSP flashing merely failed. Check out the If You Think Your Inverter Is Bricked topic. I've never attempted to restart a MAX software update, so the timing is unknown. The key is starting the firmware update process at the right time. This will be about 100x less effort than trying to JTAG the firmware.

  • 6 months later...
On 2022/09/27 at 2:29 PM, Coulomb said:

* The commonly available DSP JTAG devices are known as XDS100 compatible. These are convenient because they are common, inexpensive, and work for free with the TI Code Composer Studio software. If you want to use that software with other JTAG devices, you have to pay. Code Composer Studio is a large, complex software development environment, but there are much smaller utilities that can be used to do simple jobs like reading and writing blocks of memory (e.g. firmware). Axpert firmware uses the addresses 3D 8000-3F 7FFF (for the larger firmwares), or 3E 8000-3F 7FFF for the smaller firmwares. The bootloader starts at 3F 8000.

 

[ Edit: Fixed addresses, added bootloader start addresses ]

[ Edit: added hex file info. ]

Thanks for the useful information!
Question. Is the bootloader address 0x3F8000 correct?
TMS320F2809 processor.
Isn't the bootloader in flash memory?
The Single-access RAM (SARAM) area starts from address 0x3F8000


Edited by biletskiy

  • Author
4 hours ago, biletskiy said:

Is the bootloader address 0x3F8000 correct?
TMS320F2809 processor.
Isn't the bootloader in flash memory?

Arrgh! You are right, it can't be at 3F 8000. In fact, it's at 3F 4000. I've corrected my post.

3F 4000 is the start of flash segment A, which has special properties, and processes the start vector after TI's internal ROM (a form of primitive bootloader) has taken control at actual reset.

Sorry for the misinformation.

Hello,

I have been playing around with my inverter and bricked it... The model is a SMP 5000 from EASUN. It had firmware 72.10 inside.

I don't have the firmware but have access to another one to read it from.

I have a XDS100 V2 and can connect to it with ccs. Problem is that I need the CSM password to read, erase or program the flash.

When I bricked it I was able to load firmware 72.70b and onwards 72.20e. After the last one it bricked with error 32.

I'm guessing that during the firmware loading the CSM password is used to allow the flash writing. Meaning that the password used on firmware 72.70b is same as the 72.10. Onward when I loaded the 72.20e it has changed making it impossible to reflash.

If my guessing is right can someone PM me both CSM password?

  • Author
On 2023/04/21 at 6:35 PM, ACruz said:

When I bricked it I was able to load firmware 72.70b and onwards 72.20e. After the last one it bricked with error 32.

These are somewhat different firmwares, unfortunately badly numbered. 72.70b is for 58.4 V max PF0.8 models, 72.20e is for 64 V max PF1 models.

But neither of these is for models that even have a removable display.

If you can tell me your original firmware version, or the exact model number, I may be able to help.

On 2023/04/21 at 6:35 PM, ACruz said:

I'm guessing that during the firmware loading the CSM password is used to allow the flash writing.

No, that's not the case.

On 2023/04/21 at 6:35 PM, ACruz said:

Meaning that the password used on firmware 72.70b is same as the 72.10.

The relevant factor is the reflash command that the firmware is looking for. Is 72.10 your original firmware? [ Edit: Duh! You already said it was. ] If so, it seems to me that you must have an older model from around 2016 or so. But these do not have removable displays, and I thought that only removable displays or the latest colour displays with round LED rings can display this fault code.

On 2023/04/21 at 6:35 PM, ACruz said:

Onward when I loaded the 72.20e it has changed making it impossible to reflash.

I'm guessing that you used a mismatched reflash tool and dsp.hex file. You may be able to recover with a suitable combination of reflash tool and hex file. It sounds like the 72.20e reflash tool coupled with say 73.00e or 72.70b hex file should work. BTW, do not use factory firmware version 73.00 on a model that came with 72.xx; you will eventually run into fault code 90. 73.00e is the most recent patched firmware for the Axpert MKS 1 models (PF0.8, 5 kVA and 4 kW).

A warning to others: Don't be tempted to mismatch reflash tools and hex files. It's far more likely that you brick your inverter than do anything good. Only use a mismatch like this to undo a previous mismatch that led to a bricking. This is not intended as a criticism, I just don't want anyone getting the bright idea from the above that they might be able to unlock some magical result with a mismatch.

Edited by Coulomb

Hello again,

You're right about all you wrote!

Unfortunately I live in the GMT time zone and had done a lot of experimenting before I read your reply.

I tried to see if I could find the CSM password in the .out and .hex files found in both firmwares. I found all keys to be set to FFFF and that's just not it...

I found that addresses 0xAE0 to 0xAE7 are automatically set to FFFF as soon as we try to debug. I modified the GEL in ccs to bypass this and load the CSM to those addresses in order to read it, without success. I guess I have to load a custom firmware to extract them. Unfortunately I'm not that skilled to do it by myself.

What I don't understand is that if the .hex and .out files have the CSM keys set to FFFF, why doesn't it update them to that? My guess is that during the flashing it ANDs the actual keys with the FFFF and keeps them as they are.

By then I decided to try a different approach and took the risk to flash the other inverter to see if during the reflash it would unlock the chip and allow me to read the CSM password... guess not!

I ended up with both inverters down! I decided to order 2 controller cards. They should arrive in a couple of weeks.

Learning something is priceless but at this point it is starting to be expensive... I'm sure that with your help I can read the Keys from the old boards and read the firmware and bootloader from the new ones. That would be very satisfying should you decide to help me.

I almost forgot. From too much experimentation I ended up connecting the JTAG connector to the controller to PWM controller plug and almost fried my computer. The XDS is dead and I need to order a new one... I believe I'm not the only one making such a stupid mistake but the JTAG plugs there so nicely..

I have good news! I managed to fix the XDS and I'm able to connect to the controller again. Luckily it only damaged the SRV05 chip. It can be removed without compromising the XDS functioning. I'll get a new one on Monday.

The controller card doesn't seem to have suffered from my mistake and should be good for some more experimenting 😊.

In other words can you help me to read the CSM password? I'm not an expert at this but I believe I need to load a patched firmware or some sort of program to it to be able to read the CSM. Can you at least point me in the right direction.

On 2023/04/22 at 2:39 PM, ACruz said:

I have good news! I managed to fix the XDS and I'm able to connect to the controller again. Luckily it only damaged the SRV05 chip. It can be removed without compromising the XDS functioning. I'll get a new one on Monday.

The controller card doesn't seem to have suffered from my mistake and should be good for some more experimenting 😊.

In other words can you help me to read the CSM password? I'm not an expert at this but I believe I need to load a patched firmware or some sort of program to it to be able to read the CSM. Can you at least point me in the right direction.

Any news?

Is it possible to read the bootloader from a good DSP from an inverter?

I think, if I buy a new DSP (chip only), can I write the firmware from the hex and the bootloader from a good DSP?

Edited by mihaigsm2003

Not easy to read it. It is locked! In my case I ended damaging both boards to read the password...I lost a lot of time on it but in the end was satisfying to be able to read it! Better buy a new board if you are just in it for repair! If you're in it for the challenge...

Note that to read the keys like I did you'll end up damaging the original firmware.

 

  • 11 months later...
  • 6 months later...

I am currently working on a MPI10k aka Infinisolar 10k hybrid inverter, that doesn't boot up correctly and shows only ERROR 18 in display (=mismatch master/slave firmware):
I expect that the controller board was flashed with master firmware only, slave firmware was probably forgotten to update.

So I tried to catch up that and upgrade the slave firmware to the correct version via serial too, but unfortunately the IAP (in-application programming) commands of the flash tool for setting the µC into flash mode seem not to work:

I tried some different ReflashTools, but none of them worked.

As the customer support of mpp-solar will for sure suggest to replace the board, I want to give it a try with a XD100v2 JTAG programmer.
Master cpu is a TMS320F28335PGF DSP, slave is a 320F2808PZA. So I guess it would be sufficient to flash the slave cpu in my case.
As the firmware updates for the 10+15k hybrid inverters come along with the .out files, I guess I would simply have to flash the Inv_slave.out via the JTAG pins near the 2808 cpu, just like posted above. Memory map seems to be almost identical to 2809:


@Coulomb
As you seem to be the most experienced tech here, do you have any hints or suggestions for me? Do I have to take care of the password (according to posts above no) and how I make sure that I don't destroy the bootloader?
How do I set the "Flash Sectors to be Erased" correctly for my cpu - should I set it to "b" to "h" like posted above?

Edited by riogrande75

  • Author
On 2024/10/30 at 4:10 PM, riogrande75 said:

As the firmware updates for the 10+15k hybrid inverters come along with the .out files, I guess I would simply have to flash the Inv_slave.out via the JTAG pins near the 2808 cpu, just like posted above.

Sorry, I expect the firmware to be password protected. The '2808 seems to be basically the same as a '2809, but with half-sized flash sectors (so half the total flash, still 8 flash segments), and a few minor downgrades (half the ADC speed, etc). If the flash memory (0x38000 to 0x3E7FFF) reads as all zeroes, then it's CSM protected (i.e. you need the password).

On 2024/10/30 at 4:10 PM, riogrande75 said:

how I make sure that I don't destroy the bootloader?
How do I set the "Flash Sectors to be Erased" correctly for my cpu - should I set it to "b" to "h" like posted above?

Yes, I expect that to be the case. In other words, segment A (the one with the highest start address, 0x3F6000 in this case) should contain the bootloader, as well as the CSM password, flash entry point, and so on. The Axpert bootloader that I looked at was way less than 50% used, so the bootloader, even if a bit bigger for the Infinis, should still fit comfortably in flash segment A.

But again, without the 128-bit password, I expect that you won't be able to read anything of the existing code, and won't be able to flash erase only segments B-H. You might be able to erase everything, but I have no idea where you'd get a bootloader. Maybe the slave code isn't considered important enough to warrant password protection, but I seriously doubt it.

Concerning the "cannot open serial port", check the usual suspects: have you exited SolarPower properly (not just closed the window), is COM2 the correct COM port for your USB to serial adapter, is the USB to serial adapter a known good one (e.g. does it run Watchpower through that COM port), etc.
