More actions
This article is a stub. You can help Repair Wiki grow by expanding it
Steam Deck - dump/modify controller board firmware | |
---|---|
Device | Steam Deck |
Affects part(s) | Controller board revision B; R7FA4E10B2CFM; R7FA4E10D2CFM |
Needs equipment | |
Difficulty | ◉◌◌◌ Easy |
Type | Software |
Necessary Software:
All tools can be found in SteamOS under
/usr/share/jupiter_controller_fw_updater
They can also be found in the online repository:
https://gitlab.com/evlaV/jupiter-hw-support/-/tree/master/usr/share/jupiter_controller_fw_updater/
RFP-CLI
To dump the controller board firmware, the Renesas Flash Programmer CLI is used in this guide.
It can be used to read/write to the MCU via USB.
It can be found under
/usr/share/jupiter_controller_fw_updater/RA_bootloader_updater/linux_host_tools/rfp-linux-x64
The documentation for the rfp-cli program contains is a list with useful commands. Unfortunately, you have to download and install the Renesas flash programmer to read it.
https://www.renesas.com/en/software-tool/renesas-flash-programmer-programming-gui#downloads
The documentation "rfp-cli.md" can be found in the "docs" folder in the install directory.
Examples of Processing from Command Lines with the Use of rfp-cli
Examples are listed in the guide below (starting with page 14)
https://www.renesas.com/en/document/apn/renesas-flash-programmer-usage-command-line
Further tools
Firmware files:
- Bootloader file: boot_ra_Release.srec
- Controller Application: RA_APP_REL_6670771D.bin
Battery Control
Under /usr/share/jupiter_controller_fw_updater/RA_bootloader_updater/linux_host_tools
you will find the BatCtrl program. It can be used to power cycle the controller.
sudo ./linux_host_tools/BatCtrl SetCBPower 0
turns the USB Power off for the controller board
sudo ./linux_host_tools/BatCtrl SetCBPower 1
turns USB Power on
Commands to make the programs executable
chmod u+x "linux_host_tools/BatCtrl" chmod u+x "linux_host_tools/rfp-linux-x64/rfp-cli"
Dumping the controller firmware
Using/modifying the flashing script.
I re-wrote chunks of the script under
/usr/share/jupiter_controller_fw_updater/RA_bootloader_updater/rfp_cli_linux.sh
to run my own commands.
Dumping the firmware:
Set the controller board to USB boot mode as described here: Steam Deck - Flash MCU on controller board R rev. B
Connecting the MD pin to ground is a easy way to do it.
To dump the firmware, you can simply use the following command:
sudo ./rfp-cli -d RA -port /dev/serial/by-id/usb-Renesas_RA_USB_Boot-if00 -read dump.srec
The firmware will be dumped in the Motorola SREC format.
Modifying the firmware
Motorola SREC format
Read this: https://en.wikipedia.org/wiki/SREC_%28file_format%29
The chart on the top right of the wikipedia page should explain the format it sufficiently.
Open the SREC File (in Notepad++)
Set the language to Motorola SREC
The relevant part (see Figure 1): The blue numbers are the Hex-address, the code is written to.
The numbers in the middle are the Code, that is to be written.
The last two numbers are the checksum. It has to be correct, in order to be written by the CLI tool
Notepad++ is useful for this. It tells you, if the checksum is wrong
Trim the firmware file
You can use Notepad++ to cut out irrelevant parts. In the "search/replace" mode switch to "regular expressions".
Delete the first line and the last line. It is just a comment.
In the replace function type (.{2})$
to replace the last two characters.
Type ^.{12}(.*)
into „search for“ and \1
into „replace with“ to cut the first 12 characters.
The result should look like Figure 4.
Edit the firmware
Paste the trimmed firmware into a hex editor like HxD (Figure 5)
At the beginning, there is the bootloader area (see boot_ra_Release.srec).
Between 0x00008000 and 0x00040000 sits the application data (see RA_APP_REL_6670771D.bin).
Between 0x08000000 and 0x08002000 there is provisioning and calibration data.
There is also some other data. I have not figured out what is what.