Some time ago, while browsing aliexpress for the next thing to throw into the corner the day after receiving the parcel, I came across JDY-40 radio modules. Price $ 0.60, similar to NRF24L01 +.
What is it? I decided to dig a little deeper. BK2461 - Radio SOC with the C51. OK, "biere", for 60 cents I won't be picky. PDF skimpy after censorship, I'll see what comes out of it.
(I will emphasize right away that I will not describe how the module works with the original FW. I was interested in uploading my own.)
The radio is similar to other NRF24L01 + clones, only the registers are slightly rearranged. Procek has 8kB OTP. Hmmmm, you never know with the Chinese. Maybe it's flash?
Several times I encountered systems with ROM which turned out to be a flash. Maybe this time it will be lucky. Also, the pdf mentions loading the program from an external flash. No details. There is only a pinout.
In the meantime, while waiting for the modules, I decided to blindly design a PCB.
I decided to use the CH552 / 4 microcontroller for communication with the computer. The 25Q40 memory is used to store the program. Half a megabyte, a bit large, but I had such, I will not order smaller ones.
On 74xx244 I made a Flash disconnect buffer from BK2461. I disconnected the power supply with a stabilizer. VPP ~ 1.2V generated by a decrease in the zenith.
For this a pair of buttons. One for FW programmer upgrade, the other for BK2461 power on. LED to control what is happening.
I ordered a PCB.
After a month of waiting, the modules and boards arrived. Will it work? I will cut paths? Will I curse?
I soldered the whole thing and started soft. I wrote a simple DFU bootloader for flash programming. I wrote a simple soft test waving a pin. I loaded it into flash, it uploaded. At least that's how it works
Nothing on the BK2461 pin. I connected the analyzer to check the BK2461 flash communication. Looks ok here. I took a risk and somehow it worked. Procek reads memory, but in a loop. Hmmmm, some header required or what? Maybe CRC?
I generated a BIN with one crc, 2nd, 3rd ... 87th
Doopa.In the end, I decided to check CRC32, which I excluded at the beginning because of the speed at which the proc reads flash.
It seemed to me that C51 is not able to calculate it so quickly. Well, you can see CRC is counted by hardware because soft was read from flash only once
SUCCESSOf course, nothing appeared on the pin, it would be too easy
A few more tweaks and I have a blinking LED haha.24h later - radio communication fired.
But is it possible to upload FW to the BK2461 itself?
I connected 6.5V VPP, silence. No communication asleep with flash. Hmmmm.
Maybe you need a programmer? I hooked up another microcontroller and started generating random spi sequences. Finally, BK2461 spoke up.
Quote:0x12, 0x1F, 0xF4-0xFF, response
It looks like 0x12 is a read and the range 0x1FF4-0x1FFF can be read.
This is as much as I have found out so far.
Oh well. That's good and that's it. At least you can fire soft from the outside.
If anyone knows more, I would like to know how to program the internal BK2461 memory.
Cool? Ranking DIY
