Work on Pine Time

I have received a Pine Time dev-kit this week and I would like to provide some information to fellow hobbyist developers on how I got some things done.

The hard part is starting your development environment. I have worked on another embedded project but we already had a bootloader present on the SOC which implemented a Bluetooth DFU.

This time instead my developer environment has to grow to include some physical stuff. Namely a Jlink programmer/debugger and some more wiring.

On the Pine Time wiki page there is the pinout for the SWD pins but not much more information on how to get things done. This is my take.

I will be using OpenOCD and this is my configuration to talk to the dev-kit.

source [find interface/jlink.cfg]    
transport select swd    
adapter_khz 250    
source [find target/nrf52.cfg]    
init

The physical connection should not be much trouble but then you may get some interesting warnings from openocd.

Open On-Chip Debugger 0.10.0
Licensed under GNU GPL v2
For bug reports, read
	http://openocd.org/doc/doxygen/bugs.html
adapter speed: 250 kHz
adapter speed: 10000 kHz
cortex_m reset_config sysresetreq
Info : No device selected, using first device.
Info : J-Link ARM-OB STM32 compiled Jun 30 2009 11:14:15
Info : Hardware version: 7.00
Info : VTarget = 3.300 V
Info : clock speed 10000 kHz
Info : SWD DPIDR 0x2ba01477
Error: Could not find MEM-AP to control the core

What does this mean? What is a MEM-AP? Should I send the damn thing back?

This is perfectly normal in embedded development, you are required to read the damn manual and figure out where the information is. Most likely in a 400 page PDF. Love the PDF, you may not now but you will.

But what if you are a student trying to take over the world with your new smartwatch firmware and only have the weekends to sleep and do embedded development? Then you are in the right place!

SWD is a protocol to read and write data from/to the SOC so you could actually read the whole firmware and reverse it along with most likely proprietary parts such as the Nordic soft device or some other drivers that only ships in binary blobs. To prevent your users to tamper with the firmware you can set up a protection system directly in the silicon and the SOC will refuse to let the user read whatever it wants.

We can check if the firmware is protected by poking the register APPROTECTSTATUS (0x0C) and reading the value in there. If it’s a zero then the whole chip will deny tampering.

Turns out that you can turn this off if you are willing to have the SOC erase both the FLASH and the RAM. Good enough for us.

# read the APPROTECTSTATUS register and returns the value
# at index 1. 0x00 means it is protected
# 0x0C : APPROTECTSTATUS register
dap apreg 1 0x0C
# to unprotect the firmware you need to write 0x01 at
# register ERASEALL, this will erase FLASH and RAM
# 0x04 : ERASEALL register
dap apreg 1 0x04 0x01

So create a new configuration file and now you can poke at anti tampering and even reset the whole watch to go on with your project of taking over the world.

A happy openocd ready to do stuff.

Open On-Chip Debugger 0.10.0
Licensed under GNU GPL v2
For bug reports, read
	http://openocd.org/doc/doxygen/bugs.html
adapter speed: 250 kHz
adapter speed: 10000 kHz
cortex_m reset_config sysresetreq
Info : No device selected, using first device.
Info : J-Link ARM-OB STM32 compiled Jun 30 2009 11:14:15
Info : Hardware version: 7.00
Info : VTarget = 3.300 V
Info : clock speed 10000 kHz
Info : SWD DPIDR 0x2ba01477
Info : nrf52.cpu: hardware has 6 breakpoints, 4 watchpoints
Error: nrf52.cpu -- clearing lockup after double fault
target halted due to debug-request, current mode: Handler HardFault
xPSR: 0x01000003 pc: 0xfffffffe msp: 0xffffffd8
Polling target nrf52.cpu failed, trying to reexamine
Info : nrf52.cpu: hardware has 6 breakpoints, 4 watchpoints

and the companion of a happy GDB complaining that there is no firmware on the SOC anymore!

GNU gdb (Debian 8.3.1-1) 8.3.1
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word".
(gdb) target remote localhost:3333
Remote debugging using localhost:3333
warning: Architecture rejected target-supplied description
warning: No executable has been specified and target does not support
determining executable automatically.  Try using the "file" command.
Truncated register 16 in remote 'g' packet
(gdb)