-
Notifications
You must be signed in to change notification settings - Fork 402
Firmware m0900
Target
Purpose
Versions
Structure
Boot process
OS and Libraries
Flashing
Interfaces
The firmware programs radio communication protocol (Lightbridge) main controller. Location of this chip:
- in P3X and P3S, Lightbridge MCU is STM32F103 micro-controller; it is on P3X OFDM Receiver board
- in P3C and P3XW, the module is included even though Lightbridge is not supported; maybe it programs chip of different function
- in WM330, Lightbridge MCU is STM32F103 micro-controller; it is on WM330 Receiver Main Processor 3-in-1 board
- in other products, the location is unknown
The module contains programming which controls Lightbridge. It configures and drives both the FPGA array and WiMAX RF transceiver used for Lightbridge states encoding and transmission. The chip controls external components via SPI.
With the shift to OcuSync, the communication system stopped having a separate control system, radio system and encoder. One chip became responsible for all those functions. See m0907 or m0901 for details on that.
There are multiple versions, always unencrypted.
| Marking | Packages | Timestamp | Overview |
|---|---|---|---|
| 00.00.0001 | HG300_FW_V01.01.00.01 | 2016-04-29 | |
| 00.00.0002 | HG300_FW_V01.01.00.02 | 2016-05-06 | |
| 00.00.0004 | HG300_FW_V01.01.00.04 | 2016-05-19 | |
| 00.00.0005 | HG300_FW_V01.01.00.05 HG300_FW_V01.01.00.06_PC HG300_FW_V01.01.00.07_PC | 2016-05-30 ... 2016-06-16 | |
| 00.00.0006 | HG300_FW_V01.01.00.08_PC HG300_FW_V01.01.00.11_PC HG300_FW_V01.01.00.12_PC | 2016-06-23 ... 2016-07-05 | |
| 00.00.0007 | HG300_FW_V01.01.00.13_PC | 2016-07-11 | |
| 00.00.0008 | HG300_FW_V01.01.00.14_PC | 2016-07-18 | |
| 00.00.0009 | HG300_FW_V01.01.00.15_PC | 2016-07-21 | |
| 00.00.0062 | OSMO_FW_V01.00.01.19 | 2015-10-15 | |
| 00.00.0073 | OSMO_FW_V01.04.01.80 | 2015-12-26 | |
| 00.00.0075 | OSMO_FC550_FW_V01.01.00.02 | 2016-01-19 | |
| 00.00.0076 | OSMO_FW_V01.05.01.88 OSMO_FW_V01.05.01.89 | 2016-01-31 ... 2016-02-05 | |
| 00.00.0077 | OSMO_FC550_FW_V01.01.00.03 OSMO_FC550_FW_V01.01.00.04 OSMO_FW_V01.05.01.92 | 2016-02-24 ... 2016-02-25 | |
| 00.00.0078 | OSMO_FC550_FW_V01.01.00.05 OSMO_FC550_FW_V01.01.00.07 OSMO_FW_V01.05.01.93 OSMO_FW_V01.05.01.94 OSMO_FW_V01.05.01.95 OSMO_FW_V01.05.01.96 OSMO_FW_V01.05.01.97 OSMO_FW_V01.05.02.00 | 2016-02-26 ... 2016-03-16 | |
| 00.00.0081 | OSMO_FC550_FW_V01.01.00.08 OSMO_FW_V01.06.02.10 | 2016-03-24 ... 2016-03-25 | |
| 00.00.0082 | OSMO_FC550_FW_V01.01.00.09 OSMO_FC550_FW_V01.01.00.11 | 2016-04-01 ... 2016-04-07 | |
| 00.00.0084 | OSMO_FC550R_FW_V01.01.00.01 | 2016-04-12 | |
| 00.00.0085 | OSMO_FC550_FW_V01.01.00.13 | 2016-04-14 | |
| 00.00.0088 | OSMO_FC550R_FW_V01.01.00.03 OSMO_FC550R_FW_V01.01.00.04 OSMO_FC550R_FW_V01.01.00.10 OSMO_FC550R_FW_V01.02.00.11 | 2016-04-21 ... 2016-05-09 | |
| 00.00.0089 | HG300_FW_V01.01.00.06 HG300_FW_V01.01.00.07 HG300_FW_V01.01.00.08 HG300_FW_V01.01.00.11 HG300_FW_V01.01.00.12 HG300_FW_V01.01.00.13 HG300_FW_V01.01.00.14 HG300_FW_V01.01.00.15 HG300_FW_V01.01.00.16 HG300_FW_V01.01.00.17 HG300_FW_V01.01.00.18 HG300_FW_V01.01.00.19 HG300_FW_V01.01.00.21 HG300_FW_V01.01.00.22 HG300_FW_V01.01.00.23 HG300_FW_V01.01.00.24 HG300_FW_V01.01.00.30 HG300_FW_V01.01.00.30_1 HG300_FW_V01.02.00.31 HG300_FW_V01.02.00.33 HG300_FW_V01.02.00.34 HG300_FW_V01.02.00.40 HG300_FW_V01.03.00.41 HG300_FW_V01.03.00.42 HG300_FW_V01.03.00.44 HG300_FW_V01.03.00.45 HG300_FW_V01.03.00.45_new HG300_FW_V01.03.00.46 HG300_FW_V01.03.00.50 OSMO_FC350Z_FW_V01.00.00.03 OSMO_FC350Z_FW_V01.00.00.05 OSMO_FC350Z_FW_V01.00.00.06 OSMO_FC350Z_FW_V01.00.00.07 OSMO_FC350Z_FW_V01.00.00.08 OSMO_FC350Z_FW_V01.00.00.09 OSMO_FC350Z_FW_V01.00.00.11 OSMO_FC350Z_FW_V01.00.00.12 OSMO_FC350Z_FW_V01.00.00.13 OSMO_FC350Z_FW_V01.00.00.14 OSMO_FC550R_FW_V01.03.00.30 OSMO_FC550_FW_V01.03.00.30 OSMO_FW_V01.08.02.30 | 2016-05-25 ... 2016-11-22 | |
| 00.00.0090 | OSMO_FC350Z_FW_V01.00.00.15 OSMO_FC350Z_FW_V01.00.00.16 OSMO_FC350Z_FW_V01.00.00.17 OSMO_FC350Z_FW_V01.00.00.20 OSMO_FC350Z_FW_V01.01.00.21 OSMO_FC350Z_FW_V01.01.00.30 OSMO_FC350Z_FW_V01.02.00.32 OSMO_FC350Z_FW_V01.02.00.33 OSMO_FC350Z_FW_V01.02.00.38 OSMO_FC350Z_FW_V01.02.00.40 OSMO_FC350Z_FW_V01.03.00.50 OSMO_FC550R_FW_V01.03.00.40 OSMO_FC550_FW_V01.03.00.40 OSMO_FW_V01.08.02.35 OSMO_FW_V01.08.02.36 OSMO_FW_V01.08.02.40 | 2016-08-15 ... 2016-11-14 | |
| 00.00.0093 | HG300_FW_V01.03.00.43 | 2016-11-11 | |
| 00.00.0094 | HG300_FW_V01.03.00.43_3 HG300_FW_V01.04.00.51 | 2016-11-11 ... 2016-12-02 | |
| 00.00.0096 | HG300_FW_V01.04.00.52 HG300_FW_V01.04.00.53 HG300_FW_V01.04.00.54 | 2016-12-14 ... 2016-12-21 | |
| 00.00.0097 | HG300_FW_V01.04.00.55 | 2016-12-22 | |
| 00.00.0098 | HG300_FW_V01.04.00.56 | 2016-12-27 | |
| 00.00.0099 | HG300_FW_V01.04.00.60 | 2017-01-09 | |
| 00.00.0256 | HG300_FW_V01.04.00.60-4 | 2017-01-09 | |
| 00.01.0002 | P3C_FW_V01.00.0014_Beta | 2015-07-21 | |
| 00.01.0004 | P3C_FW_V01.00.0017_Beta P3C_FW_V01.00.0020 | 2015-07-30 ... 2015-08-12 | |
| 00.01.0008 | P3C_FW_V01.01.0030 | 2015-09-02 | |
| 00.01.0009 | P3C_FW_V01.02.0040 | 2015-11-23 | |
| 00.01.0011 | P3XW_FW_V01.01.0000 | 2015-12-15 | |
| 00.01.0012 | P3XW_FW_V01.02.0010 P3XW_FW_V01.03.0020 P3XW_FW_V01.04.0030 P3XW_FW_V01.04.0036 P3XW_FW_V01.05.0040 | 2016-01-22 ... 2016-05-09 | |
| 00.01.0256 | P3C_FW_V01.03.0050 P3C_FW_V01.04.0060 P3C_FW_V01.04.0060 P3C_FW_V01.05.0070 P3C_FW_V01.05.0074 P3C_FW_V01.06.0080 P3C_FW_V01.06.0083 P3C_FW_V01.07.0082 P3C_FW_V01.07.0084 P3C_FW_V01.07.0086 P3C_FW_V01.07.0090 | 2015-12-21 ... 2016-11-08 | |
| 00.01.0258 | P3C_FW_V01.06.0086 | 2016-09-27 | |
| 01.00.1040 | MG1S_FW_V01.00.00.02 | 2016-11-29 | |
| 01.06.0004 | P3X_FW_V01.01.1003 | 2015-04-30 | |
| 01.07.0001 | P3X_FW_V01.01.0006 | 2015-05-01 | |
| 01.07.0003 | P3S_FW_V01.01.0008 P3S_FW_V01.01.0009 P3S_FW_V01.02.0007 P3S_FW_V01.02.0008 P3S_FW_V01.03.0020 P3S_FW_V01.04.0010 P3X_FW_V01.01.0008 P3X_FW_V01.01.0009 P3X_FW_V01.01.1007 P3X_FW_V01.02.0006 P3X_FW_V01.03.0020 P3X_FW_V01.04.0005 P3X_FW_V01.04.0010 | 2015-05-06 ... 2015-09-02 | |
| 01.08.0000 | MATRICE100_FW_V01.02.00.80 | 2016-04-01 | |
| 02.00.0003 | LBTX_FW_V01.01.00 LBTX_FW_V01.01.0010 | 2016-03-28 ... 2016-04-05 | |
| 02.01.0002 | LBTX_FW_V01.01.0030 | 2016-05-25 | |
| 02.02.0000 | LBTX_FW_V01.01.0031 LBTX_FW_V01.01.0040 LBTX_FW_V01.01.0041 | 2016-06-27 ... 2016-08-18 | |
| 02.13.0000 | P3S_FW_V01.05.0030 P3S_FW_V01.06.0040 P3S_FW_V01.07.0060 P3X_FW_V01.05.0030 P3X_FW_V01.06.0040 P3X_FW_V01.07.0043_beta P3X_FW_V01.07.0060 | 2015-11-23 ... 2016-03-13 | |
| 03.00.0004 | MATRICE100_FW_V01.02.00.90 MATRICE100_FW_V01.03.01.00_pc MATRICE100_FW_V01.03.02.55_pc WM610_FC350Z_FW_V01.09.01.40 WM610_FC550_FW_V01.08.00.92 WM610_FW_V01.08.00.92 | 2016-03-24 ... 2016-11-09 | |
| 03.00.0010 | P3S_FW_V01.08.0080 P3S_FW_V01.09.0060 P3S_FW_V01.10.0090 P3X_FW_V01.08.0080 P3X_FW_V01.09.0060 P3X_FW_V01.10.0090 | 2016-04-05 ... 2016-11-07 |
The module is always unencrypted.
The firmware is a memory image of ARM binary. During startup, it is being loaded into memory at constant address and executed by a loader. Such memory images are usually prepared by first linking the file with all libraries, and then using objcopy -O binary to get the final file without ELF header. The ELF header can be re-created if the address and boundaries of sections are known.
No analysis of the booting procedure were performed.
TODO
Since this firmware is used on various products, some of the flashing may not apply to a specific platform.
This method requires a working communication between the camera module and OFDM Receiver. Ambarella FW within camera and bootloader of the target micro-controller must be in working order.
See Flashing firmware via SD-card by official package in camera for details.
This method requires a working communication between the camera module and OFDM Receiver. Ambarella FW within camera and bootloader of the target micro-controller must be in working order. The firmware module file needs to be unencrypted - flashing an encrypted firmware this way will cause the updated device to crash during startup, and the only way to bring it back to life will be to hook to it directly and flash it using a hardware programmer stick.
See Flashing firmware via SD-card by firmware module in camera for details.
The most independent and direct way of flashing is to connect STM STLink USB Programmer to proper pins of the Receiver board (SWDIO, SWCLK, RES, GND, POWER), and do the flashing from PC using ST-LINK utility.
The module communicates to Flight Controller m0306 through ribbon cable connected to P3X ESC center board or WM330 Flight Controller board. The communication uses one of UART interfaces of the micro-controller (either USART1, USART2 or USART3).
Transmission configuration is 256000 8N1. It uses 3.3V logic. The packets sent through the link are in DUPC binary format. They can be captured by comm_serial2pcap, and then viewed in Wireshark with use of DUPC dissectors.
The module uses SPI to talk with radio transceiver. It can support both AD9363 and AR8003, as those two chips have identical interfaces (with only minimal difference in some register addresses). The transmission parameters are in conformance with AD9363 specification.
The module can communicate to FPGA part of the radio channel (Altera Cyclone or AR8001 equivalent), by means unknown.
This page is created by drone enthusiasts for drone enthusiasts.
If you see a mistake, or you know more about specific subject, or you see an area for improvement for the wiki - create an issue in this project and attach your patch (or describe the change you propose).