BX3100 Firmware update

I am trying to update firmware on my BX3100 with the bootloader tool. I downloaded the tool at https://source.sierrawireless.com/resources/airprime/software/bx310x-firmware-upgrade-tool/.
When executing the command “BX31xxBlTest.exe com10 -v” I get BC310x bootloader version 1.0, but I expected version 2 as the folder I downloaded is BC310x FW Updater v2. Is this a known bug or do I only have version 1?

I tried to continue with the process anyway and it appeared the download was successful (completed update with 0) but when I check the version number with an AT command I still get the following result.

AT+CGMR
R1.3.0.201816011422.BX310x_1

@dargaj,

I have explained this in my earlier note in your other posting BX100 AT Command for SPI Error.

Regards

Matt

We have the same problem. We have an AirPrime BX310x development kit with firmware version R1.3.0.201816011422.BX310x_1 and cannot upgrade the firmware to version 2.5.0.
Are there any solutions? Is it possible to download new firmware after erasing flash?

Hi, I tried to change the digest directly in flash @0x0 but this doesn’t work; the bootloader responds with an error

rst:0x10 (RTCWDT_RTC_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
configsip: 0, SPIWP:0x00
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:DIO, clock div:2
load:0x3fff80b8,len:8
load:0x3fff80c0,len:460
ho 0 tail 12 room 4
load:0x40078000,len:16040
ho 0 tail 12 room 4
load:0x40080000,len:296
secure boot check fail
ets_main.c 371

When I write the image to flash it also doesn’t work. The bootloader resets with an error.

rst:0x10 (RTCWDT_RTC_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
flash read err, 1000
ets_main.c 371
ets Jun 8 2016 00:22:57

It seems that the image must also be written to flash encrypted. When I read back the image it is in plain text as I wrote it. But the original image was in encrypted form. After writing the previously read image to flash it works as the original firmware (old version).
So maybe it is possible to read back the original image directly from flash in encrypted form and update the device with the old firmware?


The fuse configuration on the demo board is
EFUSE_NAME Description = [Meaningful Value] [Readable/Writeable] (Hex Value)

Security fuses:
FLASH_CRYPT_CNT Flash encryption mode counter = 1 R/W (0x1)
FLASH_CRYPT_CONFIG Flash encryption config (key tweak bits) = 15 R/W (0xf)
CONSOLE_DEBUG_DISABLE Disable ROM BASIC interpreter fallback = 1 R/W (0x1)
ABS_DONE_0 secure boot enabled for bootloader = 1 R/W (0x1)
ABS_DONE_1 secure boot abstract 1 locked = 0 R/W (0x0)
JTAG_DISABLE Disable JTAG = 1 R/W (0x1)
DISABLE_DL_ENCRYPT Disable flash encryption in UART bootloader = 1 R/W (0x1)
DISABLE_DL_DECRYPT Disable flash decryption in UART bootloader = 1 R/W (0x1)
DISABLE_DL_CACHE Disable flash cache in UART bootloader = 1 R/W (0x1)
BLK1 Flash encryption key
= ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLK2 Secure boot key
= ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLK3 Variable Block 3
= ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-

Efuse fuses:
WR_DIS Efuse write disable mask = 896 R/W (0x380)
RD_DIS Efuse read disablemask = 3 R/W (0x3)
CODING_SCHEME Efuse variable block length scheme = 0 R/W (0x0)
KEY_STATUS Usage of efuse block 3 (reserved) = 0 R/W (0x0)

Any suggestions?
Kind regards.
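
An added example, not part of the original posts and not Sierra Wireless or Espressif code: it parses a fuse summary in the layout posted above and reports the resulting ESP32 lockdown state, which matches the observation that a plaintext image written over UART does not boot. The function names are hypothetical, the sample text is constructed from the values in the post, and the bit positions used for RD_DIS and WR_DIS are the standard ESP32 assignments for BLK1 and BLK2.

```python
import re

# Constructed sample: fuse lines in the layout of the summary posted above.
SAMPLE = """\
Security fuses:
FLASH_CRYPT_CNT Flash encryption mode counter = 1 R/W (0x1)
ABS_DONE_0 secure boot enabled for bootloader = 1 R/W (0x1)
JTAG_DISABLE Disable JTAG = 1 R/W (0x1)
DISABLE_DL_ENCRYPT Disable flash encryption in UART bootloader = 1 R/W (0x1)
DISABLE_DL_DECRYPT Disable flash decryption in UART bootloader = 1 R/W (0x1)
BLK1 Flash encryption key
WR_DIS Efuse write disable mask = 896 R/W (0x380)
RD_DIS Efuse read disablemask = 3 R/W (0x3)
"""

# A fuse line starts with an upper-case name and ends with "(0x<hex>)".
LINE = re.compile(r"^(?P<name>[A-Z][A-Z0-9_]*)\s.*\(0x(?P<hex>[0-9a-fA-F]+)\)\s*$")

def parse_summary(text):
    """Return {fuse name: integer value}; headers and key blocks are skipped."""
    fuses = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            fuses[m["name"]] = int(m["hex"], 16)
    return fuses

def posture(fuses):
    """Derive the security posture; a fuse missing from the dump counts as 0."""
    get = lambda name: fuses.get(name, 0)
    return {
        # Flash encryption is active when an odd number of counter bits is set.
        "flash_encryption": bin(get("FLASH_CRYPT_CNT")).count("1") % 2 == 1,
        "secure_boot": bool(get("ABS_DONE_0")),
        "jtag_disabled": bool(get("JTAG_DISABLE")),
        "uart_dl_can_encrypt": not get("DISABLE_DL_ENCRYPT"),
        "uart_dl_can_decrypt": not get("DISABLE_DL_DECRYPT"),
        # RD_DIS bits 0 and 1: BLK1 and BLK2 cannot be read by software.
        "keys_read_protected": get("RD_DIS") & 0x3 == 0x3,
        # WR_DIS bits 7 and 8: BLK1 and BLK2 cannot be rewritten.
        "keys_write_protected": get("WR_DIS") & 0x180 == 0x180,
    }

def needs_preencrypted_image(p):
    """True when flash is decrypted on read but the UART loader stores data as-is."""
    return p["flash_encryption"] and not p["uart_dl_can_encrypt"]

if __name__ == "__main__":
    state = posture(parse_summary(SAMPLE))
    for key, value in state.items():
        print(f"{key:22} {value}")
    print("needs_preencrypted_image", needs_preencrypted_image(state))
```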

@dargaj,

If the units have been produced without the ability to run signed firmware then they will never be able to run it. You need to get your hands on a new unit.

Regards

Matt

Hi,

If the units have been produced without the ability to run signed firmware then they will never be able to run it.

If the units don’t support signed firmware, why can I not run firmware without the signing check?
The ROM bootloader works in secure boot mode and should check the firmware signing. Or am I not right?

The firmware has 9 segments

Image version: 1
Entry point: 40080eb0
9 segments
Segment 1: len 0x1ac30 load 0x3f400020 file_offs 0x00000018
Segment 2: len 0x03d38 load 0x3ffbdb60 file_offs 0x0001ac50
Segment 3: len 0x00000 load 0x3ffc1898 file_offs 0x0001e990
Segment 4: len 0x00400 load 0x40080000 file_offs 0x0001e998
Segment 5: len 0x01268 load 0x40080400 file_offs 0x0001eda0
Segment 6: len 0xf64c4 load 0x400d0018 file_offs 0x00020010
Segment 7: len 0x14c6c load 0x40081668 file_offs 0x001164dc
Segment 8: len 0x00064 load 0x400c0000 file_offs 0x0012b150
Segment 9: len 0x00000 load 0x50000000 file_offs 0x0012b1bc
Checksum: 14 (valid)
Validation Hash: 7a99827d8e294701f209cc2a3a7060f03e9061b1d2432f009ea7f675da82829a (valid)

Segment 9 contains the signing digest but has zero length; is that correct?

@dargaj,

I am not going to get into the internals of the unit and trying to hack it. My statement stands, you need to get some new hardware.

Regards

Matt