Uploading firmware

The Grandstream devices are based on Texas Instruments' TMS320VC5402 DSP. These processors support at least two ways of uploading firmware without accessing the flash memory directly. Going through the processor is interesting because it stands a better chance of eventually being possible without hardware modifications.

On-chip bootloader

The default version of the 5402 comes with a bootloader baked into ROM. This bootloader may be password-protected, though.

To activate it, the MP/_MC pin must be low during hardware reset. TODO: Is this the case? Once in the bootloader, communication is possible through one of the buffered serial ports. Note that port 1 is available on JP1, and this is the one operating in 8-bit mode. The pins are BDR1/BDX1 for receive/transmit and BDCLKX1/BFSX1 for clock/frame sync. It is also possible to connect an SPI EEPROM to this port, from which the bootloader can then boot.

The bootloader application note from TI describes many things the bootloader can do, but the only interesting options on Grandstream devices seem to be:

In other words: after a reset, you should either activate INT3 or send the proper startup word to BSP1; otherwise the usual code will become active.

EEPROM bootstrapping

The rules are as follows:

See JP1 for details.

JTAG

The alternative is going through JTAG, provided it has not been disabled for security reasons. This works by driving the external pins of the processor in such a way that they in turn drive the attached flash chip, which makes it possible to dump its contents or write new contents to it.

Read about the JP1 connectors for more information.

Grandstream bootloader?

The first part of Grandstream's firmware is what they call a bootloader. This might also make it possible to upload other code, either by sending a new bootloader or by sending a new application image. Chances of this working are slim though -- this is the stage where the devices refuse to downgrade firmware, a common complaint about these devices.