Firmware Updates

From Pebbledev.org

Firmware information is downloaded as JSON from http://pebblefw.s3.amazonaws.com/pebble/%1/%2/latest.json.

Parameter %1 is one of:

  • unknown
  • ev1
  • ev2
  • ev2_3
  • ev2_4
  • bigboard
  • v1_5
  • v2_0 (Steel)

Note that only ev2_4, bigboard, v1_5 and v2_0 seem to work currently. EV 2.4 is the version shipped to Kickstarter and early backers (along with the hacker special version). Bigboard is the original large test version. v1_5 is the currently shipping version.

Parameter %2 is one of:

  • nightly
  • beta
  • release
  • release-v2

ev2_4 and v1_5 have nightly as well as release, and bigboard only has release.

JSON format

The JSON for each firmware has two entries: one for recovery and one for normal. An example for the release firmware for ev2_4 is shown below:

{
   "recovery": {
       "url": "https://pebblefw.s3.amazonaws.com/pebble/ev2_4/release/pbz/recovery_ev2_4_v1.5.2.pbz",
       "timestamp": 1356919500,
       "notes": "Official Recovery Firmware",
       "friendlyVersion": "v1.5.2",
       "sha-256": "1ca285d65d80b48b90bab85c5f9e54c907414adffa6f1168beec8aac5d6f32a2"
   },
   "normal": {
       "url": "https://pebblefw.s3.amazonaws.com/pebble/ev2_4/release/pbz/normal_ev2_4_v1.7.1.pbz",
       "timestamp": 1358897692,
       "notes": "Pebble OS v1.7.1",
       "friendlyVersion": "v1.7.1",
       "sha-256": "8cd22fbb9a5f2e3637c44c6de44ab2e0c470b431d00536a3ac284e5e4fc3a0d7"
   }
}

Known Firmware Versions

These are firmware versions posted to the nightly channel at various times. The URL that is being checked is: http://pebblefw.s3.amazonaws.com/pebble/ev2_4/nightly/latest.json

PBZ updates

Each pbz file is simply a zip file containing zero or one system_resources.pbpack, a manifest.json and tintin_fw.bin. The tintin_fw.bin is a raw binary that the pebble runs directly (placed at 0x0 on the flash memory).

The system_resources.pbpack is a proprietary file format specifically for the pebble. At this point, I'm unsure whether the app reads it or the pebble reads it. The file contains a number of images and fonts used by the pebble, such as watchface icons or the first-run screen.

I haven't quite nailed down the format yet, but what I have is here (all offsets are inclusive):

Address Description
0x0 Number of resources
0x4-0x7 CRC of 0x101C-EOF (all resource data without header)
0x8-0xB Timestamp - unknown purpose
0xC-0x1B Version string (see below)
0x1C-0x101B Resource entries (see below)
0x101C Data

The resource entries start at 0x1C, and each entry consists of the following four fields (offsets are from the start of each entry):

Address Description
0x0 Index of resource
0x4 Offset of resource
0x8 Size of resource
0xC CRC of resource

The file contains three different types of data:

You can now extract resources using pebble-firmware-utils.

Note that in newer firmware versions (from 2.0-BETA1) the format is slightly changed: there is no longer a version string, so all the remaining parts are shifted by 16 bytes. To unpack such files you may use the updated utility from the repository fork.
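The header and entry layout above, as an added Python example that is not from this page or from pebble-firmware-utils: it reads both the original and the 2.0-BETA1+ layout and rejects resource counts and offsets that fall outside the file. Little-endian fields, offsets relative to the data area, a NUL-padded version string, and the names parse_pbpack and build_sample are assumptions; the CRC algorithm is not given here, so CRC fields are read but not checked.

```python
import struct

ENTRY_SIZE = 16       # index, offset, size, crc: four 32-bit fields
TABLE_SIZE = 0x1000   # 0x1C-0x101B on the page, i.e. room for 256 entries

def parse_pbpack(blob, has_version=True):
    """Parse a pbpack image; has_version=False selects the 2.0-BETA1+ layout."""
    table_start = 0x1C if has_version else 0x0C  # newer layout is shifted by 16 bytes
    data_start = table_start + TABLE_SIZE        # 0x101C, or 0x100C without version
    if len(blob) < data_start:
        raise ValueError("file shorter than header plus resource table")
    # Assumption: all integers are little-endian, as on the STM32 target.
    count, crc, timestamp = struct.unpack_from("<III", blob, 0)
    if count > TABLE_SIZE // ENTRY_SIZE:
        raise ValueError("resource count %d exceeds table capacity" % count)
    version = None
    if has_version:  # assumption: NUL-padded ASCII in 0xC-0x1B
        version = blob[0x0C:0x1C].split(b"\0")[0].decode("ascii", "replace")
    resources = []
    for i in range(count):
        index, offset, size, res_crc = struct.unpack_from(
            "<IIII", blob, table_start + i * ENTRY_SIZE)
        start = data_start + offset  # assumption: offset is relative to the data area
        if start + size > len(blob):
            raise ValueError("resource %d runs past end of file" % index)
        resources.append({"index": index, "crc": res_crc,
                          "data": blob[start:start + size]})
    return {"count": count, "crc": crc, "timestamp": timestamp,
            "version": version, "resources": resources}

def build_sample(has_version=True):
    """Constructed sample file (not a real Pebble resource pack); CRCs left as 0."""
    payloads = [b"ICON", b"FONTDATA"]
    header = struct.pack("<III", len(payloads), 0, 1234567890)
    if has_version:
        header += b"v1.7.1".ljust(16, b"\0")
    table, data = b"", b""
    for i, p in enumerate(payloads, start=1):
        table += struct.pack("<IIII", i, len(data), len(p), 0)
        data += p
    return header + table.ljust(TABLE_SIZE, b"\0") + data

if __name__ == "__main__":
    for flag in (True, False):
        pack = parse_pbpack(build_sample(flag), has_version=flag)
        print(pack["version"], [(r["index"], r["data"]) for r in pack["resources"]])
```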

Tintin firmware file

The tintin_fw.bin is a 'raw' binary for the STM32F205 CPU in a fairly standard Cortex-M3 format. It should be noted that there is a custom bootloader at the primary entry point of the CPU. At present, we do not have a dump of this bootloader, but we know that it loads the tintin_fw.bin at the address 0x8010000, after which the reset vector table is pointed at this address, the stack pointer is set up and the PC register is loaded with the entry point.

In practice this means it has a structure similar to the following (each element is one unsigned integer, i.e. 4 bytes):

Offset Description
0x0 Address of stack top
0x4 Entry point of binary (memory/flash address)
0x8-0x180 Interrupt handlers
0x198-end Code & resources etc

Disassembling the file

Some minor notes on disassembling.

  • Binary needs to be set to load at 0x8010000
  • CPU should be set to thumb/thumb2-only, with the ARMv7-M architecture.
  • The code starts at the entry point as described above.
  • In the 1.8 firmware, the code explicitly loads the SP address into the SP register.
  • If loaded like this in a suitable disassembler, string references are correct and code disassembles nicely.
  • Once loaded, it can be beneficial to look for accesses to specific memory-mapped registers (UART, I2C, SPI etc.)


Device Connections to STM32F205 CPU

The accelerometer appears to be connected to I2C1.