Firmware m0305

Table of Contents

Target
Purpose
Versions
Structure
Boot process
OS and Libraries
Flashing
Interfaces

Target

The firmware programs loader part of a micro-controller. MCU model depends on device generation - see application part target info for details on the model and location of the target chip.

Purpose

Loader is responsible of verifying and starting the application part of the Flight Controller firmware. It loads the application into correct address in RAM, and starts its execution. It also contains emergency reflashing procedures, in case the application part seem invalid.

Versions

There are multiple versions, but all encrypted.

Marking	Packages	Timestamp	Overview
34.01.0005	WM610_FC350Z_FW_V01.09.01.40 WM610_FC550_FW_V01.08.00.92 WM610_FW_V01.08.00.92	2016-03-24 ... 2016-11-09
34.01.0010	MATRICE100_FW_V01.02.00.60 MATRICE100_FW_V01.02.00.70 MATRICE100_FW_V01.02.00.80 MATRICE100_FW_V01.02.00.90 MATRICE100_FW_V01.03.01.00_pc MATRICE100_FW_V01.03.02.55_pc	2016-02-18 ... 2016-06-30
34.02.0008	P3S_FW_V01.01.0008 P3S_FW_V01.01.0009 P3X_FW_V01.01.0006 P3X_FW_V01.01.0008 P3X_FW_V01.01.0009 P3X_FW_V01.01.1003	2015-04-30 ... 2015-05-12
34.02.0009	P3C_FW_V01.00.0014_Beta P3C_FW_V01.00.0017_Beta P3C_FW_V01.00.0020 P3C_FW_V01.01.0030 P3C_FW_V01.02.0040 P3C_FW_V01.03.0050 P3C_FW_V01.04.0060 P3C_FW_V01.04.0060 P3C_FW_V01.05.0070 P3C_FW_V01.05.0074 P3C_FW_V01.06.0083 P3C_FW_V01.06.0086 P3C_FW_V01.07.0082 P3C_FW_V01.07.0084 P3C_FW_V01.07.0086 P3C_FW_V01.07.0090 P3S_FW_V01.02.0007 P3S_FW_V01.02.0008 P3S_FW_V01.03.0020 P3S_FW_V01.04.0010 P3S_FW_V01.05.0030 P3S_FW_V01.06.0040 P3S_FW_V01.07.0060 P3S_FW_V01.08.0080 P3S_FW_V01.09.0060 P3S_FW_V01.10.0090 P3XW_FW_V01.01.0000 P3XW_FW_V01.02.0010 P3XW_FW_V01.03.0020 P3XW_FW_V01.04.0030 P3XW_FW_V01.04.0036 P3XW_FW_V01.05.0040 P3X_FW_V01.01.1007 P3X_FW_V01.02.0006 P3X_FW_V01.03.0020 P3X_FW_V01.04.0005 P3X_FW_V01.04.0010 P3X_FW_V01.05.0030 P3X_FW_V01.06.0040 P3X_FW_V01.07.0043_beta P3X_FW_V01.07.0060 P3X_FW_V01.08.0080 P3X_FW_V01.09.0060 P3X_FW_V01.10.0090	2015-06-13 ... 2016-11-08
34.07.0018	A3_FW_V01.01.01.00 A3_FW_V01.01.02.00 A3_FW_V01.02.00.00 A3_FW_V01.03.00.00 A3_FW_V01.04.00.00 A3_FW_V01.05.00.00 A3_FW_V01.06.00.00 A3_FW_V01.06.00.01 AI900_AGR_FW_V01.00.00.29 AI900_AGR_FW_V01.00.00.80 AI900_AGR_FW_V01.00.00.81 AI900_AGR_FW_V01.00.00.83 AM603_FW_V01.00.00.43 AM603_FW_V01.00.00.43(ESC) AM603_FW_V01.00.00.47 AM603_FW_V01.00.00.51 AM603_FW_V01.00.00.70 AM603_FW_V01.00.00.80 AM603_FW_V01.00.01.01 MATRICE600PRO_FW_V01.00.00.01 MATRICE600PRO_FW_V01.00.00.51 MATRICE600PRO_FW_V01.00.00.53 MATRICE600PRO_FW_V01.00.00.54 MATRICE600PRO_FW_V01.00.00.55 MATRICE600PRO_FW_V01.00.00.60 MATRICE600PRO_FW_V01.00.00.61 MATRICE600PRO_FW_V01.00.00.62 MATRICE600PRO_FW_V01.00.00.63 MATRICE600PRO_FW_V01.00.00.64 MATRICE600PRO_FW_V01.00.00.80 MATRICE600_FW_V01.00.00.27 MATRICE600_FW_V01.00.00.27_nw MATRICE600_FW_V01.00.00.28 MATRICE600_FW_V01.00.00.39 MATRICE600_FW_V01.00.00.39_nw MATRICE600_FW_V01.00.00.42 MATRICE600_FW_V01.00.00.43 MATRICE600_FW_V01.00.00.44 MATRICE600_FW_V01.00.00.51 MATRICE600_FW_V01.00.00.53 MATRICE600_FW_V01.00.00.54 MATRICE600_FW_V01.00.00.56 MATRICE600_FW_V01.00.00.60 MATRICE600_FW_V01.00.00.80 MATRICE600_FW_V01.00.0090 MATRICE600_FW_V02.00.00.21 MATRICE600_FW_V02.00.00.95(polar) N3_FW_V01.00.01.01 N3_FW_V01.01.01.00	2016-04-18 ... 2017-01-05
34.07.0021	A3_FW_V02.00.00.01	2016-07-08

Structure

All the known firmwares are encrypted, using the standard Dji Container encryption method.

The unencrypted firmware is a memory image of ARM binary. During startup, it is being loaded into memory at address 0x20000000 and executed by bootrom. Such memory images are usually prepared by first linking the file with all libraries, and then using objcopy -O binary to get the final file without ELF header. The ELF header can be re-created if the address and boundaries of sections are known.

The binary was most likely generated using IAR Embedded Workbench.

Boot process

No analysis of the booting procedure were performed.

OS and Libraries

TODO

Flashing

TODO

Interfaces

TODO