#ARM SWD (Single Wire Debug) Probe

Modern microcontrollers have support for the two wire debug interface SWD, which makes wiring a lot simpler.
When reverse engineering, finding these two pins is a los easier than with JTAG, where you had to wire up twice or more pins. However, finding the two pins is still a bit of work, which gets simplified even more with this application.

This application tries to detect a valid SWD response on the wires you have picked and beeps when you have found the correct pins, showing the detected ID register and, more important, the SWD pinout. It doesn't matter which two pins you choose, just pick any two from the GPIOs on the breakout header.

To achieve this, the application sends packets and scans the response on all pins and elaborates the pins within a few retries. Using some kind of bisect pattern reduces this number to a hand full of tries, yielding in a seemingly instant detection.

For the user it is as simple as a continuity tester - wire up your two test needles (or accupuncture needles), connect the obvious GND pin and probe all test pads.
Now it depends on your bisect capabilities finding all pad combinations, how long it will take this time.

Github: http://www.github.com/g3gg0/flipper-swd_probe/
https://cdn.discordapp.com/attachments/954430078882816021/1071603366741938176/20230205_022641.mp4
https://cdn.discordapp.com/attachments/1071712925171056690/1072306469057347594/qFlipper_2023-02-07_01-01-24.mp4

Tried with:

0x6BA02477 (0xBC rev 6) Flipper itself
0x0BC11477 (0xBC rev 0) B-L072Z-LRWAN1 STM32L0 Discovery kit LoRa, Sigfox, low-power wireless
0x1BA01477 (0xBA rev 1) STM32WB5MM-DK Discovery kit with STM32WB5MMG MCU
0x0BB11477 (0xBB rev 0) Bluetooth gyroball - firmware suggests PanChip PAN1020
0x2BA01477 (0xBA rev 2) STM32F401 Devboard
0x0BB11477 (0xBB rev 0) iFlight 50A ESC with seemingly F405 clones
0x0BC11477 (0xBC rev 0) DA14531-based custom PCB

Scripting support, files need to be placed in /sd/swd/ folder and named <file>.swd

# <comment>
message <delay_ms> <string to show>
beep [<id>]           # 0=success, 1=fail
apscan                # force an AP scan
apselect <ap_id>      # select a specific AP
max_tries <retries>   # on read error retry that many times, 100ms delay
swd_clock_delay <us>  # set a lower SWD clock speed
block_size <size>     # change dump block size (4-4096) HINT: some targets only support 4, else mem_dump writes zeroes only
abort                 # do a SWD abort
mem_dump <file> <start> <length> [<flags>]   # dump memory into file, flags&1: skip failed blocks, flags&2: successfully finish even when block failed
mem_ldmst <address> <data> <mask>            # read from <address>, write (old_data & <mask>) | <data>
mem_write <address> <data>                   # write <data> to <address>

example script:

apselect 0
max_tries 50
block_size 1024
mem_dump /ext/swd/flash.bin 0x08000000 0x100000 2
beep 0
message 5 "Reading sucessful"

Here a video showing the plugin:

• detect a target
• view its memory
• set a "detected"-script to be executed on the next detection
• execute the script that dumps memory
• intentional cable disconnect, dumping will try to recover for 5 seconds as configured
  Button input is sometimes laggy when the qFlipper app is connected. Thus the seemingly hanging UI sometimes.
  https://cdn.discordapp.com/attachments/1071712925171056690/1073180155285094470/qFlipper_2023-02-09_10-50-49.mp4

Wow, this is an amazing project! And very suitable in spirit to the Flipper.

hey thanks, great to hear you like it 🙂

please test if the .fap works for you and just give me feedback if it starts, crashes or works as expected 🙂

added scripting support

such scripts can now be selected and upon detection, it gets executed and (in this script) e.g. dumps memory content to a bin file

there is still something odd with events etc, so it sometimes hangs when selecting a file or going back from file selector

i am trying to build app for myself, but unable to on stock dev firmware, i think something is missing in repo as you were showing a successful build

Oh. Will check tonight

Thanks

should be fixed, can you check?

new API

yes, built with regular fbt, works perfectly

unable to build on ufbt, maybe something is off

also there are no scripts by default, had to add them manually

also i think you should add a wiring help page, like cmcis/dap link and spi dumper apps

aside from that - thank you so much, it's awesome tool that might be worth commiting into official firmware

absolutely love it

thanks 🙂 yeah polishing has not happened yet

also the script language will get updates

e.g. support for empty lines or calls and conditions

wiring: connect GND with GND and place two of the pin header anywhere to check if those are SWD/SWC 🙂

yeah, but it took me a while to realise which pins to connect to flipper itself, please check the pages in listed apps as sometimes i (and many other different tinkerers) tend to forget wiring for different apps or devices

yeah, need to tell that "it doesn't matter" and "just pick two IO pins"

small UI updates (added hints) and scripts can now call other scripts

didnt know it yet. can you explain what's wrong?

fun with sine and cosine

thats fun

any github pulls?

i prefer building from scratch

just pushed

thank you for work

oh, just appeared

i knew you were going to ask, so i pushed before you asked 😉

need to add some "write DP register" etc functions

could not pause or single step a cpu and have to dig deeper, which is better done using scripts

someone around with a second flipper or some other ARM device who can contribute here a bit?

especially making scripts for dumping flashes etc or whatever might be useful

also sketching use cases that should work

This is actually something I was thinking of implementing, so thank you so much for starting the project! When I have some time I will try to test it/make it work with some swd enabled devices (game and watch, some gamepad and a stm-nucleo board)

also the coresight stuff and ROM tables is still not very clear to me

well, the general concept is, but questions like "how can i detect the chip type?" or "can i still use fixed addresses for single step etc?" are open to me

well, i have seen reading the CPUID register is done via fixed 0xE000xxxx addresses, but ARM does recommend to use the ROM tables

not sure if there is a chance to get some detection implemented that says: "hey, i've detected a STM device, seems a STM32F407, rev a"

and how hierarchically i should start this.

checking lauterbach debugger files, even STM32F4x looks like a sheer neverending list of devices

finding the common properties of those devices to detect something halfway reliable looks impossible

Another example, here a ARTERY AT32F403ACGT7 based USB (PD) tester

STM32 and also this clone seem to have 0xE0042000 as DEBUG_IDCODE register

STM32WB55 has 0x20016495

this is the ARTERYs idcode list

(I’m sorry I still didn’t have time to do the tests) but this writeup goes over some steps to identify a chip over swd, which might be helpful: https://wrongbaud.github.io/posts/stm-xbox-jtag/

ah, thanks. need to go through mem tables

ok, pushed some basic parsing

that helped me definitely. great link, thanks. guess, i'll leave it like that. adi.c contains the "known" devices

if you have more resources with device ids and such, just post it here. sources i know so far
https://github.com/openocd-org/openocd/blob/master/src/target/arm_adi_v5.c
https://github.com/ARMmbed/DAPLink/
https://github.com/ataradov/edbg

I think that targets in https://github.com/blackmagic-debug/blackmagic can help

thanks for this resource

reading this explains why i had so much trouble just halting a cpu

seeing this video again, i have the urgent pressure to do exactly that using flipper....
https://www.youtube.com/watch?v=_E0PWQvW-14

https://blog.zapb.de/stm32f1-exceptional-failure/

https://www.aisec.fraunhofer.de/en/FirmwareProtection.html

https://github.com/bp0/armids/blob/master/arm.ids

hey guys, any idea if the swd probe can be used to install bipropellant on a hoverboard's stm32? https://github.com/bipropellant/bipropellant-hoverboard-firmware the docs indicate a four-pin connection but the flipper's swd app docs says it's two-wire. would the dap-link prove more useful?

Two signal wires. The other two are power and ground

And the title of this thread is wrong, it's Serial Wire Debug, not Single Wire Debug

so i use 4 pins but for the two unspecified just make sure ground goes to GND and power goes to 5V?

what sort of file do i need to generate/download and put on my flipper in order to use the flipper to flash the stm32?

There is no unspecified pins. Check what's marked on the schematic or whatever documentation you're referencing, don't just guess

There's probably a .bin file or something you can program. Again, follow whatever documentation you're using

This may be a dumb question, but I'm trying to detect a board which has swd pins, so i connected the gnd and swd terminals. The problem is that the app only detects the board randomly when unplugging and replugging the wires, and then seems to instantly disconnect, starting the 3 second timer. If it helps at all, the power indicator light on the board flashes while the wires are connected to the flipper, and then turns off for the 3 seconds in which the connected screen is displayed in the app. I have no experience with SWD, so is there anything I can try to start a proper connection with the board?

Application is awesome!

It helps to quickly check the serviceability of soldered microcontrollers

haha great! happy that it even fulfills practical use 🙂

hey, @deep acorn thx for this app ! i love your work. I would like to use it in order to program new firmware updates to devices in the field. Any help on how i could/should write an .swd script for that? I tried some things but it does not seem to work for me. Its an STM32L4 target, so just writing a bin file to 0x08000000 should do to it.

hi. great that you like it. to program flash, there is much more needed than just writing to some RAM location. you have to program a flash state machine which isn't too complex but still some work

Hi I tried to replicate what you did show with the flipper with official firmware and nothing happen with 2 different flipper using latest firmware. Do you have any tip on how to investigate the issue ? Thanks

Flash official firmware and try.
I can see you're on cfw.

I did on official too latest dev build first and then stable, I have the same issue

Not sure what I did wrong at that point

I used a compiled version from flipc

hi do you have any suggestin on what I should test to make sure the .fap is working as expected ?

Hello @deep acorn ! Is it possible to add a mem_fill script macro to program a target from a .bin file ?
I've taken a look at the source code (and added a leds and delay macro, pull request coming soon™!), but I don't really understand how you manage to make the SWD communication work without a reset wire 🤔

Technically possible, but it's highly uC-dependent and probably not feasible in a script.

PR welcome 🙂

You rock @deep acorn . I just used your Flipper app to dump firmware for the first time outside of training

was able to easily reverse it in radare after