Fixing a bricked Cosmo Moto device

arturfog
Aug 29, 2021

Some time ago I was asked to help with a Cosmo Moto device that turned off unexpectedly (probably due to low battery) during a firmware update. Unfortunately, the device got bricked during that process and the owner claimed that it stopped working.

Cosmo Moto (source: cosmoconnected.com)

After confirming that the device was indeed not working at all, I decided to open it and investigate. I fully charged the battery using a lab PSU, but the device still was not reacting to any commands.

Inside I found an NRF51822 chip, and on the other side of the board there are four pins grouped together that allow us to connect using ST-LINK.

Cosmo Moto board (source: https://www.bennetts.co.uk)

To be able to proceed I needed to get a firmware binary that I could flash to the device. I didn’t find any download links on the manufacturer’s website, so I decided to investigate the Android version of the app and its .apk file.

Inside I found a bunch of references to https://cosmo-api.cosmoconnected.com/api/ URLs.

After investigating a little I found out that I need to log in using one of the API calls to be able to execute any of the API commands.

I created an account on https://cosmoconnected.com/en/user/login and then used my credentials to log in using the following call:

curl -X POST -v -k -d '{"userName":"XXXXXXX", "password":"XXXXXXX", "loginType":"EMAIL"}' -H "Content-Type: application/json" https://cosmo-api.cosmoconnected.com/open/login

In response I received a token that is needed for any API calls to succeed.

For example, to download the latest firmware for COSMO Moto, the following command needs to be executed:

curl -X GET -k -v -H 'X-Auth-Token: XXXXXXXXX' "https://cosmo-api.cosmoconnected.com/api/device/firmware/downloadFile/MOTO/1.5.0"

In response I received a .zip file which contained the file I needed to fix the device.

The next step was to prepare the board for flashing. To do so I connected it to the ST-LINK and used the nrfsec tool to check if the board was responding and if it was possible to read its current flash content.

Unfortunately the NRF51822 was locked and there was no possibility to read its content with nrfsec or OpenOCD. There was nothing left to do but to fully erase the flash to unlock it.

Of course at this moment I was left with an empty flash and I wasn’t sure if I could make the device work again. I didn’t know the NRF51822 chip, so I tried to simply flash the firmware file. But after flashing nothing changed; the device still didn’t work.

After spending some time with the chip documentation I found that I need a ‘softdevice’ file that, in short, acts somewhat like a bootloader for our firmware. It sets up the chip and peripherals to be used by apps.

After some tests I found the correct file on the Nordic Semiconductor website (the manufacturer of the chip). Before it can be flashed to the device, it needs to be converted to binary format using the following command:

arm-none-eabi-objcopy -I ihex -O binary s130_nrf51_2.0.1_softdevice.hex

It’s important to note that for each softdevice there is a location where an app needs to be located in flash. This location can be found on the Nordic website.

In the case of the above file it’s 0x0001B000, and I found it here:

https://infocenter.nordicsemi.com/pdf/S130_SDS_v2.0.pdf

After flashing the softdevice at offset 0x00000000 and the COSMO firmware at 0x0001B000, the device started to work again.

For flashing, OpenOCD was used:

openocd -f interface/stlink.cfg -f target/nrf51.cfg -c init -c 'reset halt'
telnet 127.0.0.1 4444
nrf51 mass_erase
flash write_image s130_nrf51_2.0.1_softdevice.hex 0x00000000
flash write_image cosmo.hex 0x0001B000
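
A layout check that can be run before writing two images to a freshly erased chip, as an added example that is not part of the original post: it parses Intel HEX records, validates their checksums, and confirms that the SoftDevice ends at or below 0x0001B000 and the application begins exactly there. The helper names and the sample records are constructed for illustration.

```python
APP_START = 0x0001B000  # application start for S130 v2.0.1, as given in the post
def record(rtype, offset, data=b""):
    """Build one Intel HEX record; used only to construct the samples below."""
    body = bytes([len(data)]) + offset.to_bytes(2, "big") + bytes([rtype]) + data
    return ":" + (body + bytes([-sum(body) & 0xFF])).hex().upper()

def hex_extent(text):
    """Return (lowest, highest + 1) absolute address covered by data records."""
    base, lo, hi = 0, None, None
    for n, line in enumerate(text.split(), 1):
        if not line.startswith(":"):
            raise ValueError(f"line {n}: missing ':' start code")
        rec = bytes.fromhex(line[1:])
        if len(rec) < 5 or len(rec) != rec[0] + 5:
            raise ValueError(f"line {n}: length field mismatch")
        if sum(rec) & 0xFF:
            raise ValueError(f"line {n}: bad checksum")
        offset, rtype, data = int.from_bytes(rec[1:3], "big"), rec[3], rec[4:-1]
        if rtype == 0x00 and data:      # data record
            start = base + offset
            lo = start if lo is None else min(lo, start)
            hi = max(hi or 0, start + len(data))
        elif rtype == 0x02:             # extended segment address
            base = int.from_bytes(data, "big") << 4
        elif rtype == 0x04:             # extended linear address
            base = int.from_bytes(data, "big") << 16
        elif rtype == 0x01:             # end of file
            break
    if lo is None:
        raise ValueError("no data records")
    return lo, hi

def check_layout(softdevice_hex, app_hex, app_start=APP_START):
    """Return a list of problems; an empty list means the two images fit."""
    _, sd_end = hex_extent(softdevice_hex)
    app_lo, _ = hex_extent(app_hex)
    problems = []
    if sd_end > app_start:
        problems.append(f"SoftDevice ends at {sd_end:#x}, past {app_start:#x}")
    if app_lo != app_start:
        problems.append(f"application starts at {app_lo:#x}, not {app_start:#x}")
    return problems

# Constructed samples: the last 16 bytes below 0x1B000 and the first 16 bytes at it.
UPPER = record(0x04, 0, b"\x00\x01")
SD = "\n".join([UPPER, record(0x00, 0xAFF0, bytes(16)), record(0x01, 0)])
APP = "\n".join([UPPER, record(0x00, 0xB000, bytes(16)), record(0x01, 0)])
if __name__ == "__main__":
    print(check_layout(SD, APP) or "layout OK")
```

The check only applies to images still in Intel HEX form; a raw binary produced by objcopy carries no addresses to compare.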

A few weeks later the device still works without issues, it connects to the manufacturer’s iPhone app, and the owner is happy with it.
