Author Topic: EEVblog #411 - MiniPro TL866 Universal Programmer Review  (Read 983116 times)


Offline radioman

  • Regular Contributor
  • *
  • Posts: 167
  • Country: ro
Re: EEVblog #411 - MiniPro TL866 Universal Programmer Review
« Reply #1825 on: April 16, 2020, 11:33:54 am »
I explained this strange data block here: https://www.eevblog.com/forum/blog/eevblog-411-minipro-tl866-universal-programmer-review/msg2309859/#msg2309859
This is the decrypted device serial code block stored (in an encrypted format) at offset 0x1FD00.

Your serial code was correct so it must be a CS genuine device converted to A.
Here I explained the serial code 'encryption': https://www.eevblog.com/forum/blog/eevblog-411-minipro-tl866-universal-programmer-review/msg1878068/#msg1878068


   
 
The following users thanked this post: Shock, sathex, grizewald

Offline grizewald

  • Frequent Contributor
  • **
  • Posts: 515
  • Country: se
Re: EEVblog #411 - MiniPro TL866 Universal Programmer Review
« Reply #1826 on: April 16, 2020, 12:47:20 pm »
Thanks for the info!

My search-fu wasn't good enough to find those messages. It's a shame that this wealth of information has grown organically on top of Dave's review thread. This thread is really crying out to be split into a separate thread where you have the first post in the thread. That would let you condense all this wonderful information into the first post and make it so much easier for people to find the nuggets of gold hidden in this thread.

Maybe Dave or Simon could make this happen?

  Lord of Sealand
 

Offline hamidsaffari

  • Newbie
  • Posts: 1
  • Country: ir
Re: EEVblog #411 - MiniPro TL866 Universal Programmer Review
« Reply #1827 on: April 19, 2020, 01:48:11 pm »
Hi, everybody.
I've been trying to program some 29F800 chips, both raw and programmed, with the special TSOP48 adapter board but have got faults.
I can read from this chip but can't program it, although even for reading I have to uncheck the "Check ID".
I think there is no problem with the adapter board because I did program some other chips like S29GL064N90TFI03 without problem.
I also have the same writing problem with AM29LV160DT and 29F400 chips.
I attach the problem image.
I saw someone report that too: https://www.eevblog.com/forum/blog/eevblog-411-minipro-tl866-universal-programmer-review/msg343080/#msg343080
I have also tested that with TL866II as well as TL866A, but the result is the same.
Can someone check and report it?
Thanks.
« Last Edit: April 19, 2020, 01:56:50 pm by hamidsaffari »
 

Online Shock

  • Super Contributor
  • ***
  • Posts: 3357
  • Country: au
Re: EEVblog #411 - MiniPro TL866 Universal Programmer Review
« Reply #1828 on: April 22, 2020, 12:13:10 am »
I found this online and thought it might be useful for forum members.

Code:
 * Firmware   Official   Release        Firmware
 * Version    Program    Date           Version
 * String     Version                   ID
 *
 * 3.2.86     6.85       Oct 19, 2018   0x0256
 * 3.2.85     6.82       Jul 14, 2018   0x0255
 * 3.2.82     6.71       Apr 17, 2018   0x0252
 * 3.2.81     6.70       Mar  7, 2018   0x0251
 * 3.2.80     6.60       May  9, 2017   0x0250
 * 3.2.72     6.50       Dec 25, 2015   0x0248
 * 3.2.69     6.17       Jul 11, 2015   0x0245
 * 3.2.68     6.16       Jun 12, 2015   0x0244
 * 3.2.66     6.13       Jun  9, 2015   0x0242
 * 3.2.63     6.10       Jul 16, 2014   0x023f
 * 3.2.62     6.00       Jan  7, 2014   0x023e
 * 3.2.61     5.91       Mar  9, 2013   0x023d
 * 3.2.60     5.90       Mar  4, 2013   0x023c
 * 3.2.59     5.80       Nov  1, 2012   0x023b
 * 3.2.58     5.71       Aug 31, 2012   0x023a
 * 3.2.57     5.70       Aug 27, 2012   0x0239
 * 3.2.56     5.60       Jun 12, 2012   0x0238
 * 3.2.51     4.95       Mar 31, 2012   0x0233
 *            1.00       Jun 18, 2010

Soldering/Rework: Pace ADS200, Pace MBT350
Multimeters: Fluke 87V, 117, 27/FM       >>> WANTED STUFF <<<
Oszilloskopen: Lecroy 9314, Phillips PM3065, Tektronix 2215a, 314
 
The following users thanked this post: oPossum, philipz, sathex, grizewald

Online Shock

  • Super Contributor
  • ***
  • Posts: 3357
  • Country: au
Re: EEVblog #411 - MiniPro TL866 Universal Programmer Review
« Reply #1829 on: April 22, 2020, 02:28:00 am »
Radioman,

So it's update day today. I was on 3.2.69 with a confirmed hardware genuine TL866A. Clean installed 3.2.82 (6.71) software, did the firmware update and everything is seemingly ok. Uninstalled both driver and software.

Clean installed 3.2.86 (6.85) did the firmware update and...
"This is a changed programmer from TL866CS"

Launched the TL866 updater 2.52 in Windows (I hope this is the current version). Said I had a bad/invalid checksum. So after a bit of investigation trying to write myself a new serial in the firmware menu then reflashing (flashed but no serial change) I went into the firmware dumper and did a reflash which allowed the advanced menu to be used.

From there I wrote a new bootloader, wrote a new generated device id and serial and changed the code protection bit to unchecked (which may have been a mistake). I then did a reflash and subsequently a reset but I don't think it changed into bootloader mode. My bad/invalid checksum message has gone. I have confirmed it's still the original device id and serial even though I was flashing a new random one.

So I go into Minipro and it looks all happy, passes test and no errors or warnings. However I seemingly cannot reflash with TL866 firmware updater 2.52 anymore. When I do reflash I get reset error, same thing when I reset. I assume this means I cannot get into boot mode. I've tried this on the current and older firmware cannot reflash either of them (been selecting the update.dat of course).

Your direction please, do I need to perform the resistor trick? What order should I do things in? I'm thinking just to make sure everything is correct once I can get into boot mode and flash again (if that is my problem) then I start over again so I can rewrite the firmware at will. I should get your proper instructions this time. Thanks for your help.
« Last Edit: April 22, 2020, 03:42:24 am by Shock »
 

Offline radioman

  • Regular Contributor
  • *
  • Posts: 167
  • Country: ro
Re: EEVblog #411 - MiniPro TL866 Universal Programmer Review
« Reply #1830 on: April 22, 2020, 10:23:42 am »
Yes, you need that resistor trick to force the boot mode. Leaving the CP bit unchecked was a bad move. That's why you cannot enter boot mode anymore.
Not a big deal, just force the bootloader mode again with that resistor (don't solder anything, just keep the resistor leads still in the indicated points and plug the USB cable and remove it after) and flash the dumper.
Then from the advanced window check the CP bit and click the write button next to it. Flash the normal firmware back and you're set.
That's all.
 
The following users thanked this post: BravoV, Shock, tsmith35, sathex

Online Shock

  • Super Contributor
  • ***
  • Posts: 3357
  • Country: au
Re: EEVblog #411 - MiniPro TL866 Universal Programmer Review
« Reply #1831 on: April 22, 2020, 10:25:13 pm »
Had to give up on holding a resistor in place after the 4th attempt. So soldered it in with a little dip switch so I could easily toggle it. All back to normal now from what I can tell, thanks heaps.
 

Offline radioman

  • Regular Contributor
  • *
  • Posts: 167
  • Country: ro
Re: EEVblog #411 - MiniPro TL866 Universal Programmer Review
« Reply #1832 on: April 23, 2020, 12:51:13 am »
This is funny  :-DD I can't imagine you after the 4th attempt but I'm glad you finally succeeded.
 

Online Shock

  • Super Contributor
  • ***
  • Posts: 3357
  • Country: au
Re: EEVblog #411 - MiniPro TL866 Universal Programmer Review
« Reply #1833 on: April 23, 2020, 03:24:12 pm »
Heh, I have skills ;). I was holding it on fine but the resistor was a bit oxidized so wasn't making proper contact. Rather than messing around I just soldered it on with the switch to make it easy if I needed to do it multiple times.

Any idea why the Minipro detected it as the CS version? I'm using genuine hardware with the same device id and serial correct boot loader the whole time. What did the updater end up changing?
 

Offline firewalker

  • Super Contributor
  • ***
  • Posts: 2350
  • Country: gr
Re: EEVblog #411 - MiniPro TL866 Universal Programmer Review
« Reply #1834 on: April 23, 2020, 03:32:40 pm »
My also genuine A programmer was detected as a CS converted unit and was intentionally bricked by the software a while ago. The answer from my supplier was that Autoelectric wants to push everyone to the newer Plus model.

Alexander.
Become a realist, stay a dreamer.

 

Online Shock

  • Super Contributor
  • ***
  • Posts: 3357
  • Country: au
Re: EEVblog #411 - MiniPro TL866 Universal Programmer Review
« Reply #1835 on: April 23, 2020, 05:10:24 pm »
Mine wasn't bricked, at least as far as I could tell (I locked myself out of the boot loader by mistake). Though I didn't check if flashing and ICSP was working, perhaps I should have.

It was just coming up with the converted TL866CS nag in Minipro and Radioman's updater was saying bad/invalid checksum. Was wondering what actually fixed it.

I'm going to try jumping back and update it again to see if I can get the nag back.

Edit:

Nope, still works fine and no nag this time, so it would seem originally I had either a bootloader that the 3.2.86 (6.85) didn't like or some other data (other than the device id and serial) that Radioman's updater corrected.
« Last Edit: April 23, 2020, 05:29:22 pm by Shock »
 

Online ebastler

  • Super Contributor
  • ***
  • Posts: 3657
  • Country: de
Re: EEVblog #411 - MiniPro TL866 Universal Programmer Review
« Reply #1836 on: April 23, 2020, 05:34:10 pm »
My also genuine A programmer was detected as a CS converted unit and was intentionally bricked by the software a while ago. The answer from my supplier was that Autoelectric wants to push everyone to the newer Plus model.

Or maybe the supplier wasn't "genuine"?  ;)
 

Offline firewalker

  • Super Contributor
  • ***
  • Posts: 2350
  • Country: gr
Re: EEVblog #411 - MiniPro TL866 Universal Programmer Review
« Reply #1837 on: April 23, 2020, 05:51:39 pm »
My also genuine A programmer was detected as a CS converted unit and was intentionally bricked by the software a while ago. The answer from my supplier was that Autoelectric wants to push everyone to the newer Plus model.

Or maybe the supplier wasn't "genuine"?  ;)

According to Autoelectric it was genuine. I sent photos to them and they said it might be a fluke.

From the supplier I had bought two programmers. Only one got bricked.

Alexander.
Become a realist, stay a dreamer.

 

Offline radioman

  • Regular Contributor
  • *
  • Posts: 167
  • Country: ro
Re: EEVblog #411 - MiniPro TL866 Universal Programmer Review
« Reply #1838 on: April 24, 2020, 08:40:42 pm »
Any idea why the Minipro detected it as the CS version? I'm using genuine hardware with the same device id and serial correct boot loader the whole time. What did the updater end up changing?
Because the device ID and serial code are not stored in clear text. Let me explain some insides because I see a lot of confusion here.

The central unit of this programmer is obviously a Microchip PIC18F87J50 processor. This processor has an internal flash of 128 KB which is divided like this:
- the first 6 KB is reserved for the bootloader; this code region is identical in the two versions (A/CS).
- the next 121 KB is the actual firmware (I name it the normal firmware). This is the upgradable area. We have two firmware versions: the A version and the CS version. The CS version is a castrated A version with disabled ICSP functions. This area is updated by the bootloader; nothing special here.

Now we reach the last Kbyte of flash where some magical things exist! So we have 1 Kbyte of flash between the addresses 0x1FC00-0x1FFFF.
The last 8 bytes (1FFF8-1FFFF) are reserved for configuration bytes.

This region is divided like this:
- 1FC00-1FCFF = 256 bytes; here is a randomly generated table. Just pure random numbers. This table is used internally by the bootloader as a "key" for the decryption process. There is a table for the A version and one for the CS version.

- 1FD00-1FD4F = 80 bytes. Here in this data block the device ID and serial code are stored. This block is encrypted and is unique for each device. I will explain later about this block.

- 1FD50-1FF4F = 512 bytes; here is a precomputed CRC16 lookup table used internally by some CRC16 routines; this table is identical in the two versions.

The rest, from 1FF50 to 1FFF7, is a free region (FF) followed by the configuration bytes.

But let's go back to that encrypted 80-byte data block where the device ID and serial code are stored. This block is decrypted by the firmware (either bootloader or the normal firmware) using that randomly generated table from 1FC00-1FCFF. The encryption/decryption process uses some byte swapping/shifting and XORing each value of this block against that random table. Nothing special here but a weak encryption algorithm.

After decryption we have a clear text data block (80 bytes). Something like this:
0-7 = 8 characters device ID (00000000 for example); only decimal digits.

8-31 = 24 characters serial number; only hex numbers (0-9; A-F). Four digits from this field are the computed CRC16 of the device ID. See this post

32-77 = 46 bytes; filled with random rubbish data.
78 and 79 = 2 bytes; computed CRC16 of the first 78 bytes; if you screw this CRC the firmware will refuse any transaction.

But wait! At the offset 34 we have an 8-bit checksum computed from all bytes from offset 5 to 33. Go figure! Something like byte34 = SUM(5 to 33). This is where my first version of the firmware updater screwed up. I was not aware of this checksum and also the embedded CRC from the serial code.
Also in my first updater version there was no advanced window to tweak the serial and other things 'on the fly'. Only the firmware generator which generates a hex file and then with the help of an external programmer (like PICKIT) the new firmware was flashed.

The algorithm to generate that 80-byte data block was something like that:
- generate or copy the existing device ID and serial to offset 0-31;
- fill the rest of bytes from offset 32 to 78 with random numbers;
- compute a 16-bit CRC of the above 78 bytes and store it at the offset 78 and 79;
- encrypt this block.

Later this block is inserted at the offset 1FD00 in the generated firmware. So this block is unique.
In time my updater evolved and the firmware dumper was developed (a custom firmware to dump/manipulate the data in the last kilobyte) but the routine which generates that encrypted data block remained the same.

This was in 2013/2014 if I remember correctly. A lot of people converted their programmers from CS to A for the ICSP capabilities. Also many sellers converted their CS stock and sold them like A (for extra money of course). Those programmers were genuine, produced by Autoelectric.

After 4 years Autoelectric suddenly didn't like this anymore. And the evil Minipro V6.80 was pushed out. Flood of bricked and locked devices!
https://www.eevblog.com/forum/blog/eevblog-411-minipro-tl866-universal-programmer-review/msg1688264/#msg1688264 here is where the fun begins.

Also some counterfeit hardware appeared on the market. Those programmers were loaded with the same generated hex file by my earlier version of firmware updater. So the same device ID and same serial code!
Autoelectric discovered this, and if someone with this kind of device tried to update the firmware and the firmware update routine found such a device during the update process, then the bootloader is wiped out, thus bricking the device.

This check was introduced in the Minipro 6.50 and is still present in the last known version (6.85).
But the check routine has one big flaw.
For example, if you want to detect a particular device ID and serial code you just compare two strings, like this:

Code:
//Pseudo code
if(deviceID == "00000000" and serialcode == "blabla") then brick_this_device

but instead the developer used something like that:

Code:
//pseudo code
if(CRC32(deviceID) + CRC32(serialcode) == 0xC8C2F013) then brick_this_device

which is very evil. That 0xC8C2F013 CRC can be computed from many pairs of device ID and serial code. This is called a CRC collision and this is why so many genuine devices were bricked. This is a Russian roulette.

So if your device ID and serial code collide and you try to update your device, then the bootloader will be wiped out.

Another detection introduced in the Minipro 6.8x was the block checksum (that byte at the offset 34), serial code and code protect bit check.

If the CP0 is found unset then the bootloader will be locked. So a semi brick; you can't update your device anymore (you can force the bootloader mode with the resistor trick). This was the case of my generated hex files which had the CP0 bit unset.

If the checksum at the byte 34 is wrong, but the device ID and serial code are good, then you'll get that nag screen "converted from CS" and your device will work.
This was the case of many devices either converted by the seller or the final user. Rewriting the serial code in the advanced window corrected this checksum.

The last case is a randomly generated serial code with my earlier firmware updater. Those devices are detected as "pirated/piracy" and my last firmware updater will show "bad serial" in the info field.
For those devices a new serial must be generated to work, otherwise when you read something you will get gibberish data instead of real data.

Hope this cleared some confusions about this subject.

Heh, I have skills ;).
I have no doubt about this, but it's still funny.
« Last Edit: April 25, 2020, 09:37:18 am by radioman »
 
The following users thanked this post: oPossum, BravoV, Shock, tsmith35, ebastler, grizewald
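
Added example, not part of radioman's post and not Autoelectric's code: it puts the CRC32-sum denylist check described above next to an exact string comparison and searches for an unrelated device ID and serial code that the sum check flags anyway. Assumptions: the standard zlib CRC-32, 32-bit wrap-around on the addition, and a constructed denylist pair and constructed sample serials in place of real ones.

```python
import hashlib
import zlib

MASK32 = 0xFFFFFFFF


def crc32(text):
    return zlib.crc32(text.encode("ascii")) & MASK32


def digest_sum(device_id, serial):
    # Fingerprint in the style of the pseudo code: two CRC32 values added.
    # Assumption: standard CRC-32 and wrap-around at 32 bits.
    return (crc32(device_id) + crc32(serial)) & MASK32


# Constructed denylist entry (not a real device). Layout as in the post:
# 8 decimal digits of device ID, 24 hex characters of serial code.
BLOCKED_ID = "00000000"
BLOCKED_SERIAL = "0123456789ABCDEF01234567"
BLOCKED_SUM = digest_sum(BLOCKED_ID, BLOCKED_SERIAL)


def flagged_by_sum(device_id, serial):
    # Matches on a 32-bit value that a huge number of pairs share.
    return digest_sum(device_id, serial) == BLOCKED_SUM


def flagged_exact(device_id, serial):
    # Matches only the one pair that was meant to be detected.
    return (device_id, serial) == (BLOCKED_ID, BLOCKED_SERIAL)


def sample_serial(n):
    # Repeatable stand-in for some other unit's serial: 24 hex characters.
    return hashlib.sha256(str(n).encode()).hexdigest()[:24].upper()


def find_false_positive(id_count=200_000, max_serials=5_000_000):
    """Return (device_id, serial, serials_tried) for an unrelated pair that
    the sum check flags, or None if none turned up within the limits."""
    by_crc = {}
    for n in range(1, id_count + 1):      # starts at 1: skips the blocked ID
        dev = f"{n:08d}"
        by_crc.setdefault(crc32(dev), dev)
    for n in range(max_serials):
        serial = sample_serial(n)
        # Which CRC32(device ID) would make the sum land on the blocked value?
        dev = by_crc.get((BLOCKED_SUM - crc32(serial)) & MASK32)
        if dev is not None and serial != BLOCKED_SERIAL:
            return dev, serial, n + 1
    return None


if __name__ == "__main__":
    hit = find_false_positive()
    if hit:
        dev, serial, tried = hit
        print(f"unrelated pair {dev} / {serial} found after {tried} serials")
        print("sum check flags it:  ", flagged_by_sum(dev, serial))
        print("exact check flags it:", flagged_exact(dev, serial))
```

With 8 decimal digits and 24 hex characters there are far more possible ID and serial pairs than 32-bit sums, so every sum value is shared by a very large number of pairs; the exact comparison has no such false positives.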

Online ebastler

  • Super Contributor
  • ***
  • Posts: 3657
  • Country: de
Re: EEVblog #411 - MiniPro TL866 Universal Programmer Review
« Reply #1839 on: May 06, 2020, 05:07:17 am »
Forwarding a message from new user Dany, who hasn't quite figured out the forum and sent this to me as a personal message unintentionally. I will send him a reply directing him to this thread.

I have a problem with the TL866II-Plus programmer, that is, while I was updating the firmware, the system gave me an error and now it no longer connects to the USB port, the orange LED flashes and does not want to know how to connect.
I sent an email to the manufacturer, but he didn't even answer me, before throwing it away I ask this forum if anyone has the firmware to reinstall and possibly the recovery procedure
Thanks
Dany
 

Offline radioman

  • Regular Contributor
  • *
  • Posts: 167
  • Country: ro
Re: EEVblog #411 - MiniPro TL866 Universal Programmer Review
« Reply #1840 on: May 06, 2020, 05:16:29 pm »
@Dany, the post that @ebastler forwarded here is also yours. You are just asking yourself!  :)

To answer your question: there's no firmware released yet, so if your programmer is bricked then you have no chance to restore it.

Normally when you do an upgrade two operations are made:
an erase followed by a reflash. Depending on where the problem appeared (perhaps a USB communication error or a driver issue) you might end up with an incomplete firmware upgrade.

But in this case the bootloader will keep the programmer in boot mode until a successful reflash is made.
Can you remember at which point that error appeared?
Also this kind of issue can appear when switching between normal and boot mode.
 

Offline Dany

  • Contributor
  • Posts: 35
  • Country: sm
Re: EEVblog #411 - MiniPro TL866 Universal Programmer Review
« Reply #1841 on: May 07, 2020, 09:27:24 pm »
Hi,
I tried to reflash the firmware via ICSP (serial) with the "updateII.bin" file but now the programmer is dead.
I can write it and read it, but the program does not start.
I think there is a boot protection code at 0x02ABFE 0x02ABFC 02ABFA
Do you have any idea?
I remind you that it uses a 16-bit processor of the Microchip type 24FJ256GB110
Hi
Dany
 

Offline Dany

  • Contributor
  • Posts: 35
  • Country: sm
Re: EEVblog #411 - MiniPro TL866 Universal Programmer Review
« Reply #1842 on: May 07, 2020, 09:33:19 pm »
Of course the question is about the TL866ii plus programmer
Hi
Dany
 

Offline radioman

  • Regular Contributor
  • *
  • Posts: 167
  • Country: ro
Re: EEVblog #411 - MiniPro TL866 Universal Programmer Review
« Reply #1843 on: May 07, 2020, 10:01:18 pm »
Where did you get that updateII.bin file?  :palm:  You just destroyed your programmer.
 

Offline Dany

  • Contributor
  • Posts: 35
  • Country: sm
Re: EEVblog #411 - MiniPro TL866 Universal Programmer Review
« Reply #1844 on: May 07, 2020, 11:34:38 pm »
simple, it is in the program folder
 

Offline Dany

  • Contributor
  • Posts: 35
  • Country: sm
Re: EEVblog #411 - MiniPro TL866 Universal Programmer Review
« Reply #1845 on: May 07, 2020, 11:45:07 pm »
destroyed is a big word, only with a hammer you can no longer recover it.
Via ICSP you can reprogram, you must have another programmer, I have one and it's called UPP628 and it also has the serial connection (ICSP).
there is probably a password or key to start the prg.
The first one that finds it, we put it in the back (not to say a dirty word) to the Chinese, they have already infected us with the covid virus 19
 

Offline radioman

  • Regular Contributor
  • *
  • Posts: 167
  • Country: ro
Re: EEVblog #411 - MiniPro TL866 Universal Programmer Review
« Reply #1846 on: May 07, 2020, 11:58:29 pm »
simple, it is in the program folder
Yeah, I know this. But we have a BIG problem here: That file is encrypted and you just flashed your programmer with garbage data. So, ciao bambina!  :-+
 

Offline Dany

  • Contributor
  • Posts: 35
  • Country: sm
Re: EEVblog #411 - MiniPro TL866 Universal Programmer Review
« Reply #1847 on: May 08, 2020, 08:53:16 am »
so if things are as you say, that the file is encrypted, if you are good you should extract the file during the update from the program.
You would buy many points
 

Offline Dany

  • Contributor
  • Posts: 35
  • Country: sm
Re: EEVblog #411 - MiniPro TL866 Universal Programmer Review
« Reply #1848 on: May 08, 2020, 11:38:31 am »
try to understand if with the attached file you can decrypt the firmware and if you tell me how you did it or you are running
 

Offline Dany

  • Contributor
  • Posts: 35
  • Country: sm
Re: EEVblog #411 - MiniPro TL866 Universal Programmer Review
« Reply #1849 on: May 09, 2020, 11:12:15 pm »
Hello,
where can I find the link to download this program?
See Attachment.
Thanks to those who answer me

Dany
 

