BootJacker: The Amazing AVR Bootloader Hack!
92 views
Skip to first unread message
Julian Skidmore
Jul 4, 2014, 7:17:18 PM7/4/14
to FIGnition
Hi folks,
Here's the blog on the topic of the Bootloader hack that makes Firmware 1.0.0 possible!
Happy reading:
-cheers from Julz
--
![]()
![]()
The DIY 8-bit computer from nichemachines™
The DIY 8-bit computer from nichemachines™
Romilly Cocking
Jul 5, 2014, 12:49:56 AM7/5/14
to fign...@googlegroups.com
That's a super blog post, and a very useful technique.
Thanks.
--
You received this message because you are subscribed to the Google Groups "FIGnition" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fignition+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
@rareblog http://romillys-robots.blogspot.co.uk/
Stuart Taylor
Jul 5, 2014, 4:03:45 AM7/5/14
to fign...@googlegroups.com
That is a simply brilliant and rather cheeky little hack that I've never considered, but now my head is simply spinning, I can think of quite a few places I could use the same technique.
I have to ask, how hard was it to devise the timing strategy, was it a case running a few tests and making notes?
My hat is well and truly doffed!
Stuart
Julian Skidmore
Jul 5, 2014, 5:18:42 AM7/5/14
to FIGnition
Hi Stuart and Romilly,
I didn't include it in the snippet for clarity, but here it is:
void TestTimer0Jump(void)
{
byte k;
gSpmSequenceAddr=0xff;
while((volatile byte)gFrameSyncState!=kFrameSyncBotMargin)
; // wait for bottom sync. No other interrupts will happen for about 3.5ms.
asm volatile(
"push r16\n"
"ldi r16,1\n" // timer 0 start at fClk
"out %0,r16\n" // set TCCR0B so off we go. This is 1c.
// 40c later we should get an interrupt, but when precisely?
"rjmp 1f\n"
"1:rjmp 1f\n"
"1:rjmp 1f\n"
"1:rjmp 1f\n"
"1:rjmp 1f\n"
"1:rjmp 1f\n"
"1:rjmp 1f\n"
"1:rjmp 1f\n"
"1:rjmp 1f\n"
"1:rjmp 1f\n"
"1:rjmp 1f\n"
"1:rjmp 1f\n"
"1:rjmp 1f\n"
"1:rjmp 1f\n"
"1:rjmp 1f\n" // 30c so far
"1:ldi r16,0\n" // Use r16 value to determine where interrupt takes place
"ldi r16,1\n"
"ldi r16,2\n"
"ldi r16,3\n"
"ldi r16,4\n"
"ldi r16,5\n"
"ldi r16,6\n"
"ldi r16,7\n"
"ldi r16,8\n"
"ldi r16,9\n" // 40c should have happened by now.
"ldi r16,10\n"
"ldi r16,11\n" // **************
"ldi r16,12\n"
"ldi r16,13\n"
"ldi r16,14\n" // at some point here we've returned from the interrupt.
"ldi r16,15\n"
"ldi r16,16\n"
"ldi r16,17\n"
"ldi r16,18\n"
"ldi r16,19\n"
"ldi r16,20\n" // 50c should really have happened by now!
"ldi r16,0\n"
"out %0,r16\n" // stop the clock
"pop r16\n" : : "I" (kTCCR0B));
DotQuotePgm(TestTimer0JumpMsg);
DotHex((volatile ushort)gSpmSequenceAddr);
k=Key();
}
ISR(__vector_15) // OCR0B
{
asm volatile(
"sts %0,r16\n"
"ldi r16,0\n"
"out %0,r16\n" // stop timer 0
: : "g" (gSpmSequenceAddr));
}
I used SetupTimer0B(40) to set it up called TestTimer0Jump and at the end, gSpmSequenceAddr contains the last value of r16 loaded. So, then you know exactly how many execution cycles after Timer0 started corresponded to OCR0B=40. It turned out it was 42 execution cycles (comment marked *************).
That was the answer.
As if I should have been surprised ;-)
Ironically, the actual code itself ended up with a timer setting of 40 - an amazing guess huh?
-cheers from Julz
Julian Skidmore
Jul 5, 2014, 7:09:51 AM7/5/14
to FIGnition
Small correction:
"out %0,r16\n" // set TCCR0B so off we go. This is 1c.
Should be:
"out %0,r16\n" // set TCCR0B so off we go. This is 0c.
What I meant by the original comment was that the out instruction takes one cycle. But since the timer register is only set at the end, then I shouldn't count it.
-cheers from Julz
Stuart Taylor
Jul 5, 2014, 7:14:20 AM7/5/14
to fign...@googlegroups.com
Off by one errors ;-)
Julian Skidmore
Jul 6, 2014, 2:01:09 AM7/6/14
to FIGnition
Hi guys,
Yay! I submitted it to Hackaday & it's been featured :-)
-cheers julz
Romilly Cocking
Jul 6, 2014, 2:08:17 AM7/6/14
to fign...@googlegroups.com
carl
Jul 6, 2014, 3:43:01 PM7/6/14
to fign...@googlegroups.com
Well done Julz. I wonder how many times in life we just take it that 'it can't be done' - the FIGnition has taught us that this is not always true. Its brilliant that you have constructively challenge convention and discover something new. There really is room for karma between 0's and 1's :-)
Si Brindley
Jul 6, 2014, 5:08:13 PM7/6/14
to fign...@googlegroups.com
Some nice comments already on that Lackaday article.
I'm sure you'd have been very useful at NASA in the days of the early Apollo missions!
0 new messages