-
Notifications
You must be signed in to change notification settings - Fork 428
Firmware m0802
Target
Purpose
Versions
Structure
Boot process
OS and Libraries
Flashing
Interfaces
The firmware programs Vision Processing Unit which handles video analysis required for collision avoidance and intelligent functions (within Tello, it does everything the drone can do). Location of this chip:
- in WM220, Movidius MA2100A VPU; is on WM220 Core Board A
- in WM004, Movidius MA2155 VPU; is on WM004 Main Processing Core Board
- in other products, the location is unknown
When used for collision avoidance and intelligent flight, the chip has several cameras connected and uses them to assess distance to surrounding obstacles, with amount of cameras and their direction dependent on specific product.
Within WM004 the focus of this chip is different, as there it is used for flight control. That solution utilizes PWM outputs of the chip to control brushed motors, and the chip also acts as CMOS sensor driver.
TODO
The firmware comes in a Myriad 2 specific container, with magic FourCC identifier MA2x. Within other Myriad 2 firmware packages, such files typically have mvcmd extension. They are generated using moviConvert tool from Myriad Development Kit.
Typically mvcmd files are plaintext code and data, generated from ELF file compiled with the Myriad toolchain, with RSA signature. But there is possibility to also encrypt the data with AES when running moviConvert. DJI firmwares have the content encrypted and signed. Keys to be used are provided to moviConvert as parameters; the same tool also has capability to generate new keys.
On rising edge of the reset signal, boot pins (BOOT_CONTROL, WAKEUP and BOOT0..BOOT4) are sampled. Then, after reset signal pulls to zero, control is given to embedded bootrom. The bootrom is made by Movidius. It contains code to read MA2x application image, verify its signature and decrypt it if needed. Keys used for that are not a part of bootrom. The bootrom acts accordingly to the previously stored boot pins configuration.
| BOOT0..BOOT4 | Boot mode |
|---|---|
| 01000 | USBD - USB Device Boot |
| 01100 | DEBUG_HALT - Doesn’t boot from any interface |
| 11100 | SPIME_24b - Onboard flash memory in fast boot mode |
| 00110 | SPIM_24b - Onboard flash memory in slower boot config |
| 10110 | SPIS - Boot from external Applications Processor connected to the SPI Slave interface |
DJI devices are configured for SPI flash memory boot, so application image is acquired from the serial flash chip and decrypted to memory. The flash chip stores MA2x image directly. After all sections of the image are loaded and verified, bootrom jumps with execution to the application.
No further analysis of the booting procedure were performed.
The DJI firmware does not seem to use any of high level frameworks prepared by Movidius. It goes with bare metal programming instead, being compiled and linked using tools available in Myriad Development Kit. These contain both clang-based compiler (moviCompile) and gcc-based cross-compile toolchain; it is unsure which one was used by DJI.
Since the chip uses bootrom provided by Movidius, their flashing methods apply.
The firmware is stored on serial flash, so the flash chip can also be reflashed without involvement of Myriad 2 chip.
It's also possible to run custom firmware without flashing it, by uploading the MA2x file with moviUsbBoot tool from Myriad Development Kit.
Using USB Device Boot requires proper pulling of BOOT0..BOOT4 service pads.
TODO
The Tello drone has a bootloader which is capable of accepting firmware update through WiFi. To boot the drone into this bootloader:
- Without the battery, press and hold the power switch,
- Connect the USB charging cable,
- Insert the battery,
- When the green LED turn off, release the power switch,
- The LED will turn into a pulsing red light, indicating bootloader mode.
The drone may also enter bootloader mode by itself, if application firmware fails verification during boot.
Note that only some old versions of the Tello mobile app can talk to the bootloader. Prepare a phone with such old version, like 1.1.1.
TODO
This page is created by drone enthusiasts for drone enthusiasts.
If you see a mistake, or you know more about specific subject, or you see an area for improvement for the wiki - create an issue in this project and attach your patch (or describe the change you propose).