Vault 7: Projects
This publication series is about specific projects related to the Vault 7 main publication.
#define ProgramMemStart 0x00002400
2. Next find the #ifdef section that applies to the device that you are working with. This section will contain definitions used
by the boot loader to determine what memory it should erase and re-write.
#if defined(__PIC24FJ256GB110__) || defined(__PIC24FJ256GB108__) || \
    defined(__PIC24FJ256GB106__)
    #define BeginPageToErase 5 //Bootloader and vectors occupy first six 1024 word (1536 bytes due to 25% unimplemented bytes) pages
    #define MaxPageToEraseNoConfigs 169 //Last full page of flash on the PIC24FJ256GB110, which does not contain the flash configuration words.
    #define MaxPageToEraseWithConfigs 170 //Page 170 contains the flash configuration words on the PIC24FJ256GB110. Page 170 is also smaller than the rest of the (1536 byte) pages.
    #define ProgramMemStopNoConfigs 0x0002A800 //Must be instruction word aligned address. This address does not get updated, but the one just below it does:
                                               //IE: If AddressToStopPopulating = 0x200, 0x1FF is the last programmed address (0x200 not programmed)
    #define ProgramMemStopWithConfigs 0x0002ABF8 //Must be instruction word aligned address. This address does not get updated, but the one just below it does:
                                                 //IE: If AddressToStopPopulating = 0x200, 0x1FF is the last programmed address (0x200 not programmed)
    #define ConfigWordsStartAddress 0x0002ABF8 //0x2ABFA is start of CW3 on PIC24FJ256GB110 Family devices
    #define ConfigWordsStopAddress 0x0002AC00
3. Modify BeginPageToErase to indicate the first page the boot loader should erase. This will be
ProgramMemStart / Page Size. In this case we are starting at 0x2400 and each page is 0x400, so this should now be 9.
#define BeginPageToErase 9
4. Locate the start of the main() function. In the first few lines of code there is a check to determine if the code should stay
in the boot loader or jump to the application code. Change the address in the "goto" statement to match the new end of
the boot loader and start of the application.
__asm__("goto 0x2400");
This should be all of the changes required in order to change the size of the HID boot loader.
Please note that since the boot loader and the application code are developed as two separate applications, they do not
need to use the same optimization settings.
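As an added example (not code from the MLA boot loader project), the following host-side C program derives BeginPageToErase from ProgramMemStart exactly as step 3 does and cross-checks the other defines from step 2 and the goto target from step 4 against each other, so that a resize can be sanity-checked before the boot loader is built. The boot_map_t struct, the check_boot_map function and the treatment of an "instruction word aligned" address as an even address (PIC24 program addresses advance by two per instruction word) are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Erase page size in program-address units, as used in step 3 (0x2400 / 0x400 = 9). */
#define PAGE_SIZE_ADDR 0x400u

/* One candidate memory map for the boot loader (struct and field names are this example's own). */
typedef struct {
    uint32_t program_mem_start;      /* ProgramMemStart: first application address */
    unsigned begin_page_to_erase;    /* BeginPageToErase */
    unsigned max_page_no_configs;    /* MaxPageToEraseNoConfigs */
    unsigned max_page_with_configs;  /* MaxPageToEraseWithConfigs */
    uint32_t stop_no_configs;        /* ProgramMemStopNoConfigs (exclusive) */
    uint32_t stop_with_configs;      /* ProgramMemStopWithConfigs (exclusive) */
    uint32_t config_words_start;     /* ConfigWordsStartAddress */
    uint32_t config_words_stop;      /* ConfigWordsStopAddress */
    uint32_t goto_target;            /* address in the __asm__("goto ...") at the top of main() */
} boot_map_t;

/* Erase page that contains a program address. */
unsigned page_of(uint32_t addr) { return (unsigned)(addr / PAGE_SIZE_ADDR); }

/* Step 3: BeginPageToErase = ProgramMemStart / page size. */
unsigned begin_page_to_erase(uint32_t program_mem_start) { return page_of(program_mem_start); }

/* Assumption: PIC24 program addresses advance by 2 per instruction word,
 * so an instruction-word aligned address is an even address. */
int is_instruction_word_aligned(uint32_t addr) { return (addr & 1u) == 0u; }

/* The values quoted on the page after the resize, with the goto target from step 4. */
boot_map_t resized_map(void) {
    boot_map_t m = {
        .program_mem_start = 0x00002400u, .begin_page_to_erase = 9u,
        .max_page_no_configs = 169u,      .max_page_with_configs = 170u,
        .stop_no_configs = 0x0002A800u,   .stop_with_configs = 0x0002ABF8u,
        .config_words_start = 0x0002ABF8u, .config_words_stop = 0x0002AC00u,
        .goto_target = 0x00002400u,
    };
    return m;
}

/* Returns the number of inconsistencies found; 0 means the map is self-consistent. */
int check_boot_map(const boot_map_t *m) {
    int problems = 0;
    /* The boot loader must end on a page boundary, or the first erase takes part of it with it. */
    if (m->program_mem_start % PAGE_SIZE_ADDR != 0u) {
        printf("ProgramMemStart 0x%lX is not page aligned\n", (unsigned long)m->program_mem_start);
        problems++;
    }
    /* A stale BeginPageToErase below ProgramMemStart/PageSize means the loader erases its own pages. */
    if (m->begin_page_to_erase != begin_page_to_erase(m->program_mem_start)) {
        printf("BeginPageToErase is %u, expected %u\n", m->begin_page_to_erase,
               begin_page_to_erase(m->program_mem_start));
        problems++;
    }
    if (m->begin_page_to_erase > m->max_page_no_configs) {
        puts("BeginPageToErase lies beyond MaxPageToEraseNoConfigs");
        problems++;
    }
    /* Stop addresses are exclusive: the page holding (stop - 1) must be the last page erased. */
    if (!is_instruction_word_aligned(m->stop_no_configs) ||
        page_of(m->stop_no_configs - 1u) != m->max_page_no_configs) {
        puts("ProgramMemStopNoConfigs does not match MaxPageToEraseNoConfigs");
        problems++;
    }
    if (!is_instruction_word_aligned(m->stop_with_configs) ||
        page_of(m->stop_with_configs - 1u) != m->max_page_with_configs) {
        puts("ProgramMemStopWithConfigs does not match MaxPageToEraseWithConfigs");
        problems++;
    }
    /* The configuration words must sit on the last page erased in the "with configs" case. */
    if (page_of(m->config_words_start) != m->max_page_with_configs ||
        m->config_words_stop != (m->max_page_with_configs + 1u) * PAGE_SIZE_ADDR) {
        puts("ConfigWords range is not on MaxPageToEraseWithConfigs");
        problems++;
    }
    /* Step 4: the goto at the top of main() must land exactly where the application begins. */
    if (m->goto_target != m->program_mem_start) {
        puts("goto target differs from ProgramMemStart");
        problems++;
    }
    return problems;
}

int main(void) {
    boot_map_t ok = resized_map();
    boot_map_t stale = resized_map();
    stale.begin_page_to_erase = 5u;   /* step 3 forgotten: stock value left in place */
    printf("resized map: %d problem(s)\n", check_boot_map(&ok));
    printf("stale BeginPageToErase: %d problem(s)\n", check_boot_map(&stale));
    return 0;
}
```

The stale case is the one worth catching: with ProgramMemStart moved to 0x2400 but BeginPageToErase still 5, the first erase would wipe pages 5 through 8, which now belong to the boot loader itself.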
1.6.3.2.4 Flash Signature
Discusses what a flash signature is, why it is important, and how it is used.
Description
The flash signature feature is a robustness/recoverability feature, which is particularly useful for applications that are not
using an I/O pin for entry into the bootloader mode, and instead rely on entry into the bootloader only by software from the
application firmware image.
Consider the following situation:
1. User boots up microcontroller and begins running application image.
2. User runs special PC application (or something similar) that sends command to the application image, to switch into the
bootloader mode.
3. Firmware executes a goto 0x001C jump straight into the bootloader mode (via software entry).
4. User starts an erase/program/verify sequence using the PC GUI program for bootloading new application firmware
images.
5. The firmware erases some or all of the application flash contents.
6. Before the flash has been reprogrammed with the new values, the user unplugs the USB cable and/or AC power is lost to
the entire system.
At this point, the application would normally be permanently “bricked” (unless the user plugs in a conventional ICSP
programmer like the MPLAB ICD3), since the application image would be corrupt or missing, and that may have been the
only method for receiving the command to jump into bootloader mode.
The above scenario can however be made recoverable, through the use of a “flash signature” process.
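The recovery idea the text introduces, simulated in host-side C as an added example (not the MLA boot loader's own code): the boot loader stays resident whenever the signature word is missing, the erase step clears that word before anything else, and the program step writes it last, only after the new image has verified. The toy flash layout, the SIG_ADDR location and the SIG_VALID value are this example's assumptions, and the power-loss scenario from the list above is replayed with a simulated cut after a chosen number of words.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy flash of 32 16-bit words; this layout stands in for, and is not, the PIC24 map. */
#define FLASH_WORDS 32u
#define APP_START   8u                  /* words 0..7 play the boot loader and are never erased here */
#define SIG_ADDR    (FLASH_WORDS - 1u)  /* assumption: signature word at the end of the application region */
#define SIG_VALID   0xA5C3u             /* assumption: value that marks a complete, verified image */
#define ERASED_WORD 0xFFFFu             /* erased flash reads back as all ones */
#define IMAGE_WORDS (SIG_ADDR - APP_START)

typedef struct { uint16_t word[FLASH_WORDS]; } flash_t;
typedef enum { STAY_IN_BOOTLOADER = 0, RUN_APPLICATION = 1 } boot_choice_t;

void flash_init(flash_t *f) {
    for (size_t a = 0; a < FLASH_WORDS; a++) f->word[a] = ERASED_WORD;
}

/* Reset-time decision: jump to the application only if its signature is intact. */
boot_choice_t boot_decision(const flash_t *f) {
    return f->word[SIG_ADDR] == SIG_VALID ? RUN_APPLICATION : STAY_IN_BOOTLOADER;
}

/* Erase step: clear the signature first, so any later interruption leaves a device
 * that comes up in the boot loader instead of a half-erased application. */
void erase_application(flash_t *f) {
    f->word[SIG_ADDR] = ERASED_WORD;
    for (size_t a = APP_START; a < SIG_ADDR; a++) f->word[a] = ERASED_WORD;
}

/* Program/verify step. power_fail_after = how many words land before power is lost
 * (-1 = no failure). The signature is written last, and only after the image verifies. */
bool program_application(flash_t *f, const uint16_t image[IMAGE_WORDS], int power_fail_after) {
    for (size_t i = 0; i < IMAGE_WORDS; i++) {
        if (power_fail_after >= 0 && i >= (size_t)power_fail_after) return false; /* simulated power loss */
        f->word[APP_START + i] = image[i];
    }
    if (memcmp(&f->word[APP_START], image, IMAGE_WORDS * sizeof image[0]) != 0) return false;
    f->word[SIG_ADDR] = SIG_VALID;   /* commit: the image is complete and verified */
    return true;
}

/* Steps 4 to 6 of the scenario: start from a working device, re-flash it, lose power after
 * power_fail_after words, then report what the next reset does. */
boot_choice_t reflash_then_reset(int power_fail_after) {
    flash_t f;
    uint16_t old_image[IMAGE_WORDS], new_image[IMAGE_WORDS];
    for (size_t i = 0; i < IMAGE_WORDS; i++) {
        old_image[i] = (uint16_t)(0x1000u + i);   /* constructed image contents */
        new_image[i] = (uint16_t)(0x2000u + i);
    }
    flash_init(&f);
    program_application(&f, old_image, -1);     /* device ships with a valid application */
    erase_application(&f);                      /* user starts erase/program/verify */
    program_application(&f, new_image, power_fail_after);
    return boot_decision(&f);
}

int main(void) {
    const char *name[] = { "boot loader", "application" };
    printf("complete update -> %s\n", name[reflash_then_reset(-1)]);
    printf("power lost right after erase -> %s\n", name[reflash_then_reset(0)]);
    printf("power lost mid-program -> %s\n", name[reflash_then_reset(5)]);
    return 0;
}
```

The ordering is the whole point: because the signature is the first word erased and the last word written, there is no moment during the update at which a reset would find a valid signature next to an incomplete image, so the software-only entry path from the scenario is never the only way back into the boot loader.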
1.6 Demos MLA - USB Library Help Device - Boot Loader - HID
267
Protego_Release_01_05-Related-OEM-Documentation-MLA_v2013_12_20-help_mla_usb.pdf