The Grandstream devices are based on Texas Instruments' TMS320VC5402 DSP. This processor supports at least two ways of loading code without touching the flash chip directly: the on-chip ROM bootloader and JTAG. Going through the processor is interesting because it stands a better chance of eventually working without hardware modifications.
The standard 5402 comes with a bootloader in on-chip ROM. This bootloader may be password-protected, though.
To activate it, the MP/_MC pin must be low during hardware reset. TODO: Is this the case? Once in the bootloader, communication is possible through one of the multi-channel buffered serial ports (McBSPs). McBSP1 is brought out on JP1, and it is the port the bootloader uses in 8-bit mode. The pins are BDR1/BDX1 for receive/transmit and BCLKX1/BFSX1 for clock/frame sync. It is also possible to connect an SPI EEPROM to this port, from which the bootloader can then load a boot table.
TI's bootloader application note describes many boot modes, but the only options that look usable on the Grandstream devices are:
If INT3 is active: boot from serial EEPROM
    If INT3 is found active, the bootloader assumes that the boot table is located in an 8-bit serial EEPROM connected to McBSP1. It reads the value stored at address 0 of the EEPROM; if that value is a valid keyword for the beginning of a boot table, it loads the remainder of the boot table from the EEPROM.
If the proper keyword arrives on McBSP1: serial boot in 8-bit mode
    The bootloader receives the boot table from McBSP1 operating in standard mode and loads the code according to the information in the boot table. McBSP1 supports 8-bit serial receive mode.
If a valid entry point was loaded: branch to it
Otherwise: repeat the serial port booting attempts
In other words: after a reset you must either assert INT3 or feed the proper keyword to McBSP1, or else the device boots its usual code.
The rules are as follows:
INT3 must be active (it is active low) within 30 cycles after reset.
Connect as follows:
DSP          | EEPROM
-------------+-------
BCLKX1       | SCK
BFSX1        | _CS
BDR1         | SO
BDX1 & _INT3 | SI
See JP1 for details.
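What actually has to sit in the EEPROM (or be clocked into McBSP1) is a boot table that starts with the keyword the bootloader checks for. The following script builds such an image and re-parses it the way the bootloader would, rejecting a wrong keyword or a truncated table. It is an added example by the editor, not code from this page, Grandstream or TI. The keyword values (0x08AA for 8-bit, 0x10AA for 16-bit), the most-significant-byte-first ordering in 8-bit mode, and the table layout (keyword, SWWSR, BSCR, entry point XPC and address, then sections of length/XPC/address/data closed by a zero length) are taken from TI's application note SPRA618 as the editor recalls it and must be checked against the note before use; the register values and payload words are constructed placeholders.

```python
"""Build and check a TMS320VC5402 boot table for serial EEPROM / 8-bit serial boot.

Added example, not code from the page, Grandstream or TI. Layout assumed from
TI SPRA618 (verify before use): keyword, SWWSR value, BSCR value, entry point
(XPC, address), then sections of (length, XPC, address, data...), closed by a
zero length word. In 8-bit mode each 16-bit word goes out as two bytes, most
significant byte first (assumption).
"""

KEYWORD_8BIT = 0x08AA   # assumed keyword for 8-bit serial / EEPROM boot
KEYWORD_16BIT = 0x10AA  # assumed keyword for 16-bit serial boot
WORD_MASK = 0xFFFF


def build_boot_table(sections, entry, swwsr=0x7FFF, bscr=0x8006, eight_bit=True):
    """Return the byte image to burn into the EEPROM (or clock into McBSP1).

    sections: iterable of (xpc, addr, words) tuples; entry: (xpc, addr).
    The SWWSR/BSCR defaults are placeholders, not values for any real board.
    """
    words = [KEYWORD_8BIT if eight_bit else KEYWORD_16BIT, swwsr, bscr, entry[0], entry[1]]
    for xpc, addr, data in sections:
        if not 0 < len(data) <= WORD_MASK:
            raise ValueError("section length must be 1..65535 words")
        words += [len(data), xpc, addr, *data]
    words.append(0)  # a zero length word terminates the table
    for w in words:
        if not 0 <= w <= WORD_MASK:
            raise ValueError("boot table entries are 16-bit words: %r" % (w,))
    return b"".join(w.to_bytes(2, "big") for w in words)


def parse_boot_table(blob):
    """Mirror the bootloader's checks: keyword at address 0, then walk the sections.

    Raises ValueError where the ROM bootloader would ignore or mis-read the table.
    """
    if len(blob) % 2:
        raise ValueError("odd byte count: 8-bit mode sends two bytes per word")
    words = [int.from_bytes(blob[i:i + 2], "big") for i in range(0, len(blob), 2)]
    if not words or words[0] not in (KEYWORD_8BIT, KEYWORD_16BIT):
        raise ValueError("no valid keyword at address 0; bootloader would not use this table")
    if len(words) < 6:
        raise ValueError("truncated header")
    mode = 8 if words[0] == KEYWORD_8BIT else 16
    swwsr, bscr, entry_xpc, entry_addr = words[1:5]
    sections, i = [], 5
    while True:
        if i >= len(words):
            raise ValueError("missing zero length terminator")
        length = words[i]
        if length == 0:
            break
        if i + 3 + length > len(words):
            raise ValueError("section runs past end of table")
        sections.append((words[i + 1], words[i + 2], words[i + 3:i + 3 + length]))
        i += 3 + length
    return {"mode": mode, "swwsr": swwsr, "bscr": bscr,
            "entry": (entry_xpc, entry_addr), "sections": sections}


# Constructed sample: four placeholder words loaded at XPC 0, address 0x1000,
# with the entry point at the start of that block.
SAMPLE_SECTIONS = [(0x0000, 0x1000, [0xF495, 0xF495, 0xF495, 0xF495])]
SAMPLE_IMAGE = build_boot_table(SAMPLE_SECTIONS, entry=(0x0000, 0x1000))

if __name__ == "__main__":
    print(SAMPLE_IMAGE.hex())
    print(parse_boot_table(SAMPLE_IMAGE))
```

The same byte stream serves both boot paths on the page: written to the SPI EEPROM at address 0 for the INT3 path, or shifted into McBSP1 MSB first for the 8-bit serial path, where the first two bytes are the "proper word" the bootloader waits for. Run parse_boot_table over a dumped EEPROM before trusting it; a wrong keyword at address 0 means the bootloader silently falls through to the next boot option.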
The alternative is JTAG, if it has not been disabled for security reasons. Through boundary scan the DSP's external pins are driven from the JTAG port, so the address, data and control lines of the attached flash chip can be toggled directly; that way the flash contents can be dumped or replaced, without the DSP core running any code.
Read about the JP1 connectors for more information.
Grandstream's own firmware begins with a component they call a bootloader. This might also make it possible to upload other code, either by sending it a new bootloader or a new application image. The chances of this working are slim, though: this is the stage that refuses to downgrade firmware, a common complaint about these devices.