Professional Documents
Culture Documents
TL48 Bootloader
TL48 Bootloader
which is used to update the firmware. The hardware reset vector (the instruction at
0000h) points to the bootloader. On each boot the bootloader inspects various state
(TBD) and determines whether it should execute itself to allow firmware updates or
jump into the main firmware.
- 1 USB Protocol
- 1.1 Reset
- 1.2 Report
- 1.3 Erase
- 1.4 Write Block
## USB Protocol
The bootloader and the stock firmware communicate with the host via a simple custom
USB protocol. It uses three bidirectional bulk endpoints on Interface 0. Endpoint 1
Out is used to send commands and Endpoint 1 In is used to read status responses.
For commands that transfer large amounts of data the payload is split evenly
between Endpoint 2 and Endpoint 3, presumably to increase transfer speed.
When sending a command, the first 8 bytes are always the command header and are
written to Endpoint 1. The behavior for the payload — the data, if any, to be sent
after the command header — depends on its size. If the payload plus the 8-byte
header fit in a single 64-byte packet, the payload is sent in the same packet as
the header on Endpoint 1. If the payload is exactly 64 bytes, it's sent in a single
packet on Endpoint 2. Otherwise, the payload is split between Endpoint 2 and
Endpoint 3. If the total size of the payload is less than 128 bytes, each endpoint
gets exactly half, with Endpoint 2 first. Otherwise, the data is split into 64-byte
blocks. The first half of the blocks are sent to Endpoint 2 and the other half to
Endpoint 3. If there are an odd number of whole blocks Endpoint 3 gets the extra
one. If the final block is partial, it is always sent to Endpoint 3.
### Reset
The reset command asks the device to reboot. When used from the stock firmware the
device resets into the bootloader, and when used from the bootloader the device
resets to the stock firmware.
When resetting from the stock firmware, another command is transmitted first. This
may be some kind of key required to permit reset. If this command isn't sent first,
the reset command appears to succeed but the device reboots to the stock firmware,
not the bootloader.
### Report
The report command requests that the firmware identify itself.
In versions of the TL866 A/CS firmware 03.2.82 and earlier, the bStatus field was
used to indicate whether the device was currently running the stock firmware (value
01) or the bootloader (value 02). A/CS firmware 03.2.85 and the TL866II-Plus appear
to always return 01. The only difference in the report output between the stock
firmware and the bootloader on the TL866II-Plus is the version number, for which
the bootloader always returns 1.0.
### Erase
The erase command erases the firmware area of the internal flash (i.e. everything
but the bootloader).
The write block command receives an encrypted data block, decrypts it, and writes
the cleartext to the flash. As with all commands, it has an 8-byte header. The
encrypted data is sent after the command header.
The device does not send a response to the write block command. Instead, another
command is sent to retrieve the status.
The device responds with a 32-byte packet. The unknown parts of the structure have
only ever been observed to be all zeroes.