OpenGround – Part 2 – FS-i6s DFU Bootloader access

Disclosure: This post may contain affiliate links, meaning I get a commission if you decide to make a purchase through my links, at no cost to you.

By | September 15, 2016

This is the second post of my series documenting the development of a custom firmware for the FS-i6s transmitter. See my previous post for details about the used parts and the pinout.

DFU Bootloader

The STM32F0 has a nice feature: An on-board, un-brickable DFU bootloader. This bootloader can be entered by the following sequence:

  1. remove the batteries, disconnect the USB cable
  2. short circuit R60 on the pcb
  3. plug in the battery
  4. press both power on buttons for 5s (the lcd backlight will NOT switch on when in DFU mode)
  5. plug in the USB cable

The transmitter should not identify itself as a DFU capable device. On my linux machine dmesg shows:

[802365.168024] usb 4-1: new full-speed USB device number 46 using uhci_hcd
[802365.330639] usb 4-1: New USB device found, idVendor=0483, idProduct=df11
[802365.330644] usb 4-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[802365.330646] usb 4-1: Product: STM32 BOOTLOADER
[802365.330649] usb 4-1: Manufacturer: STMicroelectronics
[802365.330652] usb 4-1: SerialNumber: FFFFFFFEFFFF

In order to access the DFU device we will need to have some software installed. If you have never used dfu-util before i recommend that you read my post about installing and using dfu-util on linux or windows.

Once you have dfu-util installed, let’s have a look if we can detect the DFU device by executing dfu-util -l:dfu-util 0.9

Copyright 2005-2009 Weston Schmidt, Harald Welte and OpenMoko Inc.
Copyright 2010-2016 Tormod Volden and Stefan Schmidt
This program is Free Software and has ABSOLUTELY NO WARRANTY
Please report bugs to http://sourceforge.net/p/dfu-util/tickets/

Found DFU: [0483:df11] ver=2200, devnum=45, cfg=1, intf=0, path="4-1", alt=1, name="@Option Bytes /0x1FFFF800/01*016 e", serial="FFFFFFFEFFFF"
Found DFU: [0483:df11] ver=2200, devnum=45, cfg=1, intf=0, path="4-1", alt=0, name="@Internal Flash /0x08000000/064*0002Kg", serial="FFFFFFFEFFFF"

Perfect, the transmitter has enumerated as DFU device and is accepting our requests. So now it’s time to make a backup of the original firmware. Therefore we will tell dfu-util to download the current firmware and save it to a local file by executing

dfu-util -a 0 -U flysky_fs_i6s.bin -s 0x08000000:131072

Once finished we now have a backup of the firmware. Copy this file to a safe location. It is the only way to get the original firmware back onto the device! The Flysky updater does not use the DFU bootloader, it uses a custom bootloader written to the flash. We are going to erase the whole flash next, this will also erase the Flysky bootloader!

 

2 thoughts on “OpenGround – Part 2 – FS-i6s DFU Bootloader access

  1. Max

    Hey, I can’t save my image :/
    Do you know, what I am doing wrong?
    The error is:
    dfu-util 0.9

    Copyright 2005-2009 Weston Schmidt, Harald Welte and OpenMoko Inc.
    Copyright 2010-2016 Tormod Volden and Stefan Schmidt
    This program is Free Software and has ABSOLUTELY NO WARRANTY
    Please report bugs to http://sourceforge.net/p/dfu-util/tickets/

    Opening DFU capable USB device…
    ID 0483:df11
    Run-time device DFU version 011a
    Claiming USB DFU Interface…
    Setting Alternate Setting #0 …
    Determining device status: state = dfuIDLE, status = 0
    dfuIDLE, continuing
    DFU mode device DFU version 011a
    Device returned transfer size 2048
    DfuSe interface name: “Internal Flash ”
    SET_ADDRESS not correctly executed

    Reply
    1. McGiverGim

      I dump without problems the version 2.0.0.49, but after update the firmware to 2.0.0.56 trying to dump it gives me the same error than you 🙁

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *