
Airoha AB1520H: Official Tools for Reading and Writing Firmware via UART

User question

Which software can I use to read and write the Airoha AB1520H chip?

Artificial Intelligence Response

Direct answer to the question

• The only fully-featured, vendor-supported utility for reading and writing an Airoha AB1520H Bluetooth-audio SoC is Airoha’s “AB152x Mass-Production / Flash Tool” (often shipped as AB152x_MPTool.exe).
• For parameter editing (Bluetooth name, key mapping, EQ tables, etc.) you additionally use Airoha PSTool / MMI-Tool, which tweaks a firmware image that you later download with the MP-Tool.
• Both programmes are distributed only under NDA through Airoha (MediaTek) or the OEM of the end product; no public, legal download exists.

Key points
– Windows-only GUI; works over a 3.3 V UART boot-ROM interface (typically 921 600 baud)
– Requires forcing the SoC into boot-loader mode by holding BOOT/DBG low during power-up
– Alternative methods (external SPI programmers or community scripts) are partial, risky and frequently blocked by security fuses

Detailed problem analysis

  1. Architectural background
    • AB1520H is an ARM Cortex-M0 based Bluetooth audio SoC with on-chip ROM and an external SPI-NOR flash that stores the application firmware and parameter blocks.
    • At reset the boot-ROM checks BOOT/DBG; if asserted low it exposes a proprietary UART protocol that the MP-Tool speaks.

  2. Official tool chain
    a) AB152x Mass-Production / Flash Tool
    – Read-back (full binary dump), erase, blank check, program, verify
    – Supports single-device or multi-fixture production modes
    – Accepts .bin/.dfu images generated by the SDK or PSTool

    b) PSTool (Parameter-Setting Tool, sometimes called MMI-Tool)
    – Opens a firmware file, presents editable fields (BT address, device name, tone tables, ANC presets, etc.)
    – Saves a patched image that you subsequently flash with the MP-Tool

    c) SDK / ICE driver
    – Commercial license only; includes linker scripts, DSP tool-chain and optional SWD debug plug-in for Segger J-Link.

  3. Typical hardware connection
    • 3- or 4-wire UART: TX, RX, GND (+ Vcc if external 3 V3 supply)
    • BOOT/DBG pad pulled low via fixture or test-point during power-up
    • Recommended to use level-shifting USB-UART adapters (e.g. CP2102, FT232H) or the dedicated Airoha IB-RT programmer to guarantee timing/level compliance.

  4. Procedure outline

    1. Install drivers and run AB152x_MPTool.exe (Win10 or Win11)
    2. Select COM-port, chip family = AB152x, baud = 921 600
    3. Force boot-loader mode, click “Read” first → keep *.bin as golden backup
    4. (Optional) open backup in PSTool, change parameters, save new image
    5. Return to MP-Tool, “Erase → Program → Verify” the new file
    6. Power-cycle with BOOT/DBG released; device should boot the flashed code.

Current information and trends

• After MediaTek’s acquisition of Airoha (2020), the SDK and MP-Tool are distributed through MediaTek’s “Airoha Audio” portal; access still requires registration and a project code.
• Since 2023 the tool supports Windows 11 and adds SHA-256 image-signing for newer secure boot devices (AB156x/AB158x). AB1520H remains unsigned by default, but some OEMs enable read-out protection—these units cannot be dumped even with the MP-Tool.
• Open-source efforts (e.g. airoha-dl-flash.py on GitHub, last updated 2022) can sometimes read unprotected parts but still lack full protocol coverage (erase-write-verify commands, security challenge/response).

Supporting explanations and details

• Why generic SWD/J-Link cannot flash the part: the internal flash is ROM; application lives in external SPI-NOR controlled by a proprietary controller. SWD gives MCU-core debug but no access to the external flash controller without vendor extensions.
• Why OTA update apps are insufficient: they only push delta-packages via Bluetooth, signed by the OEM, and never expose raw read-back or full-chip erase.

Ethical and legal aspects

• Tools and documentation are protected by copyright and trade-secret law; unauthorised redistribution violates the Airoha NDA.
• Flashing third-party firmware may infringe OEM IP and radio-type approval; ensure the end product maintains FCC/CE compliance.
• Devices returned from consumers (RMA) often contain user data (paired BT addresses, voice prompts); handle dumped firmware in accordance with privacy regulations (GDPR, CCPA).

Practical guidelines

• ALWAYS create a full backup before writing—even if the device is “dead”.
• Use an ESD-safe workbench; the 0.4 mm-pitch pads are easy to lift.
• If the board houses a discrete SPI-NOR (e.g. GD25Q32), you can desolder and program it off-board with a CH341A + clip. This bypasses UART security but risks pad damage and voids warranty.
• If the MP-Tool cannot handshake:
  – check cross-TX/RX wiring
  – verify 3 V3 logic (not 5 V)
  – confirm BOOT/DBG is low at POR and released afterwards
  – try slower baud (115 200) on marginal lines.

Possible disclaimers or additional notes

• Some OEMs blow the “Read-Disable” eFuse inside the SPI-controller; even the MP-Tool will then report “secured – read prohibited”.
• If you only need to change the Bluetooth name or prompts, avoid full reflashes; PSTool can patch the parameter block in place (incremental write) with lower risk.

Suggestions for further research

• Monitor MediaTek’s audio SDK release notes for upcoming “Smart-Config over BLE” which might introduce an authenticated, DFU-like field-update method that could supersede UART flashing for AB15xx series.
• Investigate open-source decoding of the UART protocol—current community efforts are missing CRC/key-exchange stages; contributions welcome.
• Evaluate secure-element add-ons (e.g., NXP EdgeLock) for next-gen TWS designs to avoid plain-text parameter storage.

Brief summary

The only comprehensive, safe, and legally-obtained way to read or write the Airoha AB1520H is to use the Airoha AB152x Mass-Production / Flash Tool (with PSTool for parameter edits), accessed through a 3.3 V UART while the chip is in boot-loader mode. Alternative public scripts or generic flashers offer limited or no write capability and risk device or legal damage. Obtain the toolset directly from Airoha/MediaTek or the product OEM, make a full backup first, and follow proper ESD and regulatory practices.

Disclaimer: The responses provided by artificial intelligence (language model) may be inaccurate and misleading. Elektroda is not responsible for the accuracy, reliability, or completeness of the presented information. All responses should be verified by the user.
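
Added example, not part of the original answer and not code from Airoha or any tool named above: a sanity check for the "golden backup" step, run on two independent read-backs before anything is erased, plus a post-program comparison. It assumes a full dump has a power-of-two size (as SPI-NOR parts do) and that unwritten flash reads 0xFF; the function names and the sample data are constructed for illustration.

```python
import hashlib

ERASED = 0xFF  # SPI-NOR cells read back as 0xFF after an erase

def first_mismatch(a, b):
    """Offset of the first differing byte, or -1 if the buffers are identical."""
    if a == b:
        return -1
    n = min(len(a), len(b))
    return next((i for i in range(n) if a[i] != b[i]), n)

def check_backup(read1, read2):
    """Judge two independent read-backs of the same chip: (ok, sha256-or-reason)."""
    size = len(read1)
    if size == 0 or size & (size - 1):
        return False, "size is not a power of two (truncated transfer?)"
    if read1.count(read1[0]) == size:
        return False, "dump is one repeated byte (blank chip or failed read)"
    off = first_mismatch(read1, read2)
    if off != -1:
        return False, f"reads differ at offset 0x{off:06x} (marginal UART link?)"
    return True, hashlib.sha256(read1).hexdigest()

def verify_readback(image, readback):
    """After Erase/Program: the image must match and the rest must still be erased."""
    tail = readback[len(image):]
    return readback[:len(image)] == image and tail.count(ERASED) == len(tail)

if __name__ == "__main__":
    # Constructed 4 KiB stand-in for a dump; a real GD25Q32 image would be 4 MiB.
    golden = bytes(range(256)) * 16
    flipped = bytearray(golden)
    flipped[0x123] ^= 0x01  # simulate a single corrupted byte on the second read
    print(check_backup(golden, golden))
    print(check_backup(golden, bytes(flipped)))
    print(verify_readback(golden[:1000], golden[:1000] + b"\xff" * 3096))
```

Record the SHA-256 of the accepted dump alongside the file so a later restore can be checked against the same value.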