Firmware Patch Guide – LM506
Table of Contents
The LM506-0518 features at its core a Broadcom BCM20702 Bluetooth 4.0 HCI USB IC.
The BCM20702 is shipped from the factory with a generic firmware that will allow for communication between the IC and the host via HCI commands, however, this firmware does not include design-specific RF optimisations, the latest bug fixes or additional functionality. It’s therefore important for the sake of RF testing and production that the host load on to the module a ‘PatchRAM’ firmware file.
- It’s important to note that this patch is applied in volatile RAM memory and as such, must be re-applied each time the device is power-cycled. Needless to say the below routine should be integrated into the host solution that is to be deployed on the end-product.
This guide assumes that the user knows how and has the capability to issue a HCI command and to read a HCI event on their platform.
Overview
- Open HCI command socket over USB or otherwise.
- Issue the HCI reset command (OGF 0x03, OCF 0x003 or 0x0C03 together), wait for the command complete event and check that the return status code is zero.
- Issue the vendor specific HCI command ‘Download_Minidriver’ (OGF 0x3F, OCF 0x02E or 0xFC2E together) and wait for the command complete event.
- Wait for 50ms for the device to enter Download Mode.
- Parse each HCI command from the HCD firmware file and send it over the HCI command socket, checking that each command is run successfully.
- Wait 250ms for flashing to complete.
Issuing commands & command complete event
In all cases, the user should wait for the corresponding Command_Complete event when issuing a command and check the command’s return status parameter for errors.
On some platforms, there may be a convenience function which waits for the Command_Complete event, as a wait is often required with most HCI commands.
HCD file format
The HCD file consists of a set of HCI commands in the following format:
| Opcode | Unsigned 16-bit integer in little endian byte order | Bluetooth HCI command identifier |
| Parameter length | Unsigned 8-bit integer | Length of the parameter data for this command in bytes |
| Parameter data | Byte array | Zero or more bytes as specified by parameter length |
All the data is tightly packed, so each field begins directly after another as does each command.
HCD file
References
BlueZ; the Bluetooth stack used by the Linux kernel contains a working example of the patchram procedure:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/drivers/bluetooth/btusb.c
There is also a patch ram utility for Linux/Android which can be found at the following link:
https://code.google.com/p/broadcom-bluetooth/source/browse/
Leave a Reply
Want to join the discussion?Feel free to contribute!