DFU Packet Analysis


In this lesson, we’ll look at the packets being exchanged between the DFU controller and the DFU target during a DFU operation over BLE. To accomplish this, I’ll be capturing the BLE traffic using an Ellisys Bluetooth Tracker. The capture file is available for download at the bottom of the page.

Going through this exercise helps us better understand the different commands and BLE packets involved with the DFU process, and is very useful in the case of a bug or failure in the process.

NOTE: Capture files were recorded using the Ellisys Bluetooth Tracker. You do NOT need to own an Ellisys analyzer in order to view the capture files. Simply contact Ellisys at [email protected] and request the link to download the “Ellisys Bluetooth Analyzer” PC Software – and mention that you are a member of Novel Bits’ Bluetooth Developer Academy. Once you’ve downloaded the software, you can open and view the .BTT file(s) and look at all the packets in detail.

If you recall from the nRF DFU Introduction lesson, the nRF DFU over BLE process involves the following steps:

  1. The init packet gets transferred to the DFU target.
  2. The target validates the init packet.
  3. If the init packet is successfully validated, the DFU controller then transfers the binary data.
  4. The target then post-validates the binary data.
  5. If the target validates the binary successfully, it then resets.
  6. After reset, the bootloader activates the new firmware image.

Transfer of Init Packet to DFU Target (Steps #1 & #2)

Referring to Nordic’s documentation on the BLE DFU process, we look at the following sequence diagram:

[Sequence diagram: transfer of the Init Packet, taken from Nordic's documentation]

Let’s list the commands and packets that are involved with this process from a clean start (taken from the above sequence diagram):

  1. Select command: [06 01]
    (DFU Controller —> DFU Target)
  2. Response Select Success: [60 06 01 (max_size) (offset) (CRC32)]
    (DFU Target —> DFU Controller)
  3. Create command: [01 01 (size)]
    (DFU Controller —> DFU Target)
  4. Response Create Success: [60 01 01]
    (DFU Target —> DFU Controller)
  5. Transfer Init Packet: (potentially in multiple BLE packets)
    (DFU Controller —> DFU Target)
  6. Response PRN Success: [60 03 01 (offset) (CRC32)]
    (DFU Target —> DFU Controller)
  7. Continue Transfer of Init Packet (if needed): (potentially in multiple BLE packets)
    (DFU Controller —> DFU Target)
  8. Response PRN Success (if previous step occurs): [60 03 01 (offset) (CRC32)]
    (DFU Target —> DFU Controller)
  9. Continue until all chunks of Init Packet have been transferred…
    (DFU Controller —> DFU Target)
  10. Calculate CRC command: [03]
    (DFU Controller —> DFU Target)
  11. Response Calculate CRC Success: [60 03 01 (offset) (CRC32)]
    (DFU Target —> DFU Controller)
  12. Execute Command: [04]
    (DFU Controller —> DFU Target)
  13. Response Execute Success: [60 04 01]
    (DFU Target —> DFU Controller)


Notice that all the packets (commands and responses) involve the DFU Control Point Characteristic (0x8EC90001-F315-4F60-9FB8-838830DAEA50) except for the transfer of the actual Init Packet data which involves the DFU Packet Characteristic (0x8EC90002-F315-4F60-9FB8-838830DAEA50).

Once the Init Packet transfer-validation stage is completed, the DFU Controller can now transfer the actual firmware image. The steps are documented in the following sequence diagram (taken from Nordic’s documentation):

[Sequence diagram: transfer of the firmware image, taken from Nordic's documentation]

The commands and packets involved with this process are identical to the ones in the Init Packet transfer stage, with the exception of the following commands:

  • Select command: [06 02] (instead of [06 01])
  • Create command: [01 02 (size)] (instead of [01 01 (size)])

As with the Init Packet transfer process, all the packets (commands and responses) involve the DFU Control Point Characteristic (0x8EC90001-F315-4F60-9FB8-838830DAEA50) except for the transfer of the actual firmware image data, which involves the DFU Packet Characteristic (0x8EC90002-F315-4F60-9FB8-838830DAEA50).
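To make the two command/response sequences above concrete (the Init Packet stage with object type 01 and the firmware image stage with object type 02), here is an added Python example that encodes the Control Point commands listed above, decodes the responses, and cross-checks every PRN / Calculate CRC response against the bytes the controller has actually written to the DFU Packet characteristic. This is illustrative code written for this lesson, not Nordic's or Novel Bits' code. It assumes the usual Secure DFU encoding (uint32 little-endian fields, CRC32 as computed by `binascii.crc32`, PRN set to 1 so the target notifies after every chunk), and the two sample payloads are constructed stand-ins, not a real init packet or firmware image. Set PRN (opcode 02) is included in the opcode table only so that it decodes if it appears in a capture.

```python
import binascii
import struct

# Opcodes carried on the DFU Control Point characteristic (Nordic Secure DFU over BLE).
OP_CREATE, OP_SET_PRN, OP_CALC_CRC, OP_EXECUTE, OP_SELECT, OP_RESPONSE = 0x01, 0x02, 0x03, 0x04, 0x06, 0x60
OBJ_COMMAND, OBJ_DATA = 0x01, 0x02        # object type: 01 = command (init packet), 02 = data (firmware image)
RESULT_SUCCESS = 0x01
OP_NAMES = {OP_CREATE: "Create", OP_SET_PRN: "Set PRN", OP_CALC_CRC: "Calculate CRC",
            OP_EXECUTE: "Execute", OP_SELECT: "Select"}
OBJ_NAMES = {OBJ_COMMAND: "command (init packet)", OBJ_DATA: "data (firmware image)"}


def select_cmd(obj_type):
    """Select command: [06 type]."""
    return bytes([OP_SELECT, obj_type])


def create_cmd(obj_type, size):
    """Create command: [01 type size], size as uint32 little-endian."""
    return bytes([OP_CREATE, obj_type]) + struct.pack("<I", size)


CALC_CRC_CMD = bytes([OP_CALC_CRC])   # [03]
EXECUTE_CMD = bytes([OP_EXECUTE])     # [04]


def decode(pdu):
    """Decode one Control Point PDU: a write (controller -> target) or a notification (target -> controller)."""
    op = pdu[0]
    if op == OP_RESPONSE:
        req, result, payload = pdu[1], pdu[2], pdu[3:]
        d = {"direction": "target->controller", "response_to": OP_NAMES.get(req, hex(req)),
             "success": result == RESULT_SUCCESS}
        if d["success"] and req == OP_SELECT:       # [60 06 01 max_size offset crc32]
            d["max_size"], d["offset"], d["crc32"] = struct.unpack("<III", payload)
        elif d["success"] and req == OP_CALC_CRC:   # [60 03 01 offset crc32] (also used for PRN notifications)
            d["offset"], d["crc32"] = struct.unpack("<II", payload)
        return d
    d = {"direction": "controller->target", "command": OP_NAMES.get(op, hex(op))}
    if op in (OP_SELECT, OP_CREATE):
        d["object"] = OBJ_NAMES.get(pdu[1], hex(pdu[1]))
    if op == OP_CREATE:
        d["size"] = struct.unpack("<I", pdu[2:6])[0]
    return d


def crc_matches(sent, response):
    """Cross-check a PRN / Calculate CRC response against the bytes actually written to the
    DFU Packet characteristic so far: reported offset == bytes sent and CRC32 == crc32(sent)."""
    return response.get("offset") == len(sent) and response.get("crc32") == binascii.crc32(sent)


def transfer_exchange(obj_type, payload, chunk=20):
    """Model both sides of one object transfer from a clean start (PRN = 1, so the modelled target
    notifies a CRC after every chunk). Returns (decoded control-point log, all offset/CRC checks passed)."""
    log, sent, ok = [], b"", True

    def response(req, extra=b""):              # modelled target reply: [60 req 01 ...]
        return bytes([OP_RESPONSE, req, RESULT_SUCCESS]) + extra

    def crc_payload():                         # modelled target state: offset and CRC32 of what it received
        return struct.pack("<II", len(sent), binascii.crc32(sent))

    log.append(decode(select_cmd(obj_type)))
    log.append(decode(response(OP_SELECT, struct.pack("<III", 4096, 0, 0))))   # clean start: offset 0, CRC 0
    log.append(decode(create_cmd(obj_type, len(payload))))
    log.append(decode(response(OP_CREATE)))
    for i in range(0, len(payload), chunk):
        sent += payload[i:i + chunk]           # write-without-response on the DFU Packet characteristic
        r = decode(response(OP_CALC_CRC, crc_payload()))
        ok = ok and crc_matches(sent, r)
        log.append(r)
    log.append(decode(CALC_CRC_CMD))
    r = decode(response(OP_CALC_CRC, crc_payload()))
    ok = ok and crc_matches(sent, r)
    log.append(r)
    log.append(decode(EXECUTE_CMD))
    log.append(decode(response(OP_EXECUTE)))
    return log, ok


# Constructed sample payloads (stand-ins for a real init packet and firmware image, not real DFU data).
SAMPLE_INIT_PACKET = bytes(range(30))
SAMPLE_IMAGE = bytes(i % 251 for i in range(100))

if __name__ == "__main__":
    for obj, data in ((OBJ_COMMAND, SAMPLE_INIT_PACKET), (OBJ_DATA, SAMPLE_IMAGE)):
        log, ok = transfer_exchange(obj, data)
        for entry in log:
            print(entry)
        print("all offset/CRC checks passed:", ok)
```

Running the script prints the decoded exchange for both stages; the only differences between them are the object type byte in the Select and Create commands, exactly as the lesson states. When debugging a failed update from a real capture, `decode` can be applied to each Control Point write and notification in turn, and `crc_matches` to each CRC response together with the concatenated DFU Packet writes seen up to that point, which quickly shows whether the target lost or reordered a chunk.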

Downloads for this lesson