
Writing to PROGMEM (!)

Surprise! You can write to AVR flash memory (PROGMEM) from your own program code, in a controlled, purposeful way.

:warning: *WARNING: SUPERDUPEREXPERTS ONLY*
As in: even though I have all kinds of ideas here, I’m extremely skeptical of my own ability to bend this technique to my will without ‘bricking’ my Arduino… repeatedly. And I deal with these quasi-ROP tricks for a living.

The technique presented here is brilliant, and the developer has “made the theoretical practical”… clearly a kindred spirit. The genie he’s summoned is very very powerful and cares nothing for your project or your time. That said, I had to share this.

Background is: the SPM instruction (which is the only way to write to PROGMEM flash on AVR) cannot execute outside of the bootloader. It can only execute when it’s inside the bootloader code itself – not your application code. So… you just find an SPM in the bootloader code, and use it where it sits!

  1. Find SPM opcode in bootloader. You’re going to jump to it, but not yet. You’d just keep executing more bootloader code, which would be Bad.

  2. Load the registers as you wish, to write the right thing to the right place, in preparation for executing SPM.

  3. Set an interrupt timer to go off in just a couple of exactly timed clock cycles – just after the SPM instruction you’ve found completes but before the next instruction in the bootloader executes.

  4. Jump to the SPM you found in the bootloader. It executes as you wish, writing into PROGMEM flash. Then, just before the next bootloader instruction can execute, the interrupt fires, and control returns to your code.

p0w! You just wrote to PROGMEM flash from your own code!

On the one hand, this rocks and is sort of absolutely fantastic. One could, in theory, write code to load a new HEX file from SD, or use PROGMEM as storage, or persistent data, or you could write a JIT for an LED language,… or, you know, anything.

On the other hand, when I think about what it would take to get there, I see a huge, sad pile of twitching, half-mangled, half-dead AVR chips, mauled in the process of debugging this monstrosity. I mean: they’re not dead DEAD dead; you just need to use an external programmer to revive them. And I suspect you’d be doing that a lot during the development process. Which seems like a giant pain in the bootloader.

And yet…
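Step 1 above (finding the SPM in the bootloader) is the part that can be done on the bench before a single chip is at risk, and it has its own trap: a word in the image that equals the `spm` opcode may be the address operand of a `jmp`, `call`, `lds` or `sts`, not an instruction. The program below is an added example and is not code from the original post, from the developer it refers to, or from any bootloader. It walks an AVR boot-section image word by word (AVR flash words are stored little-endian), steps over the second word of two-word instructions so operands are not matched, and reports both the flash byte address and the word address that `jmp`/`ijmp` (and the Z register) actually take. Everything in it is assumed for the demo: the function names, the constructed six-instruction `sample_image` with its decoy `jmp 0x95E8` operand, and the `0x7E00` base, which is what a 512-byte boot section on a 32 KiB AVR would start at. For a real bootloader, convert the hex to a raw binary (for example `avr-objcopy -I ihex -O binary optiboot_atmega328.hex boot.bin`) and pass the boot section's base address on the command line; the sweep assumes the image begins on an instruction boundary and contains no inline data tables, so check any hit against a disassembly.

```c
/* spmfind.c (added example): locate the SPM opcode in an AVR bootloader image.
 * Build: cc -std=c99 -Wall -o spmfind spmfind.c
 * Usage: ./spmfind                  scans the constructed sample image
 *        ./spmfind boot.bin 0x7E00  raw binary plus boot-section base address */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define AVR_OP_SPM      0x95E8u  /* spm     1001 0101 1110 1000 */
#define AVR_OP_SPM_ZINC 0x95F8u  /* spm Z+  1001 0101 1111 1000 */

/* Flash words are stored low byte first in the image. */
static uint16_t word_at(const uint8_t *img, size_t i)
{
    return (uint16_t)(img[2 * i] | ((uint16_t)img[2 * i + 1] << 8));
}

/* First word of a 32-bit instruction; the word after it is an operand. */
static int is_two_word_opcode(uint16_t w)
{
    return (w & 0xFE0Eu) == 0x940Cu   /* jmp  k    */
        || (w & 0xFE0Eu) == 0x940Eu   /* call k    */
        || (w & 0xFE0Fu) == 0x9000u   /* lds  Rd,k */
        || (w & 0xFE0Fu) == 0x9200u;  /* sts  k,Rr */
}

/* Naive scan: every word-aligned 0x95E8/0x95F8, operands included. */
size_t find_spm_naive(const uint8_t *img, size_t len, uint32_t base,
                      uint32_t *out, size_t max_out)
{
    size_t found = 0;
    for (size_t i = 0; i < len / 2; i++) {
        uint16_t w = word_at(img, i);
        if (w == AVR_OP_SPM || w == AVR_OP_SPM_ZINC) {
            if (found < max_out) out[found] = base + 2 * (uint32_t)i;
            found++;
        }
    }
    return found;
}

/* Linear sweep from the boot base that skips two-word operands, so only
 * real instruction slots are tested. Assumes code starts at word 0 and
 * that the image holds no inline data tables (which would desync it). */
size_t find_spm(const uint8_t *img, size_t len, uint32_t base,
                uint32_t *out, size_t max_out)
{
    size_t found = 0, i = 0, nwords = len / 2;
    while (i < nwords) {
        uint16_t w = word_at(img, i);
        if (w == AVR_OP_SPM || w == AVR_OP_SPM_ZINC) {
            if (found < max_out) out[found] = base + 2 * (uint32_t)i;
            found++;
            i += 1;
        } else {
            i += is_two_word_opcode(w) ? 2 : 1;
        }
    }
    return found;
}

/* The AVR program counter counts words: jmp/ijmp (and Z for ijmp) take
 * byte_address / 2, not the byte address printed by most hex tools. */
uint32_t word_address(uint32_t byte_address)
{
    return byte_address >> 1;
}

/* Constructed sample, not a real bootloader: the ldi/out/spm pair mimics
 * how a bootloader arms SPMCSR (I/O 0x37 on the ATmega328P) and fires spm;
 * the jmp's operand is a decoy that merely looks like spm. */
const uint8_t sample_image[] = {
    0x81, 0xE0,   /* ldi r24, 0x01                         */
    0x87, 0xBF,   /* out 0x37, r24        (SPMCSR)         */
    0xE8, 0x95,   /* spm                  <- the real one  */
    0x0C, 0x94,   /* jmp ...                               */
    0xE8, 0x95,   /*   ... operand 0x95E8: decoy, skipped  */
    0x08, 0x95,   /* ret                                   */
};
const size_t   sample_len  = sizeof sample_image;
const uint32_t sample_base = 0x7E00u;  /* assumed 512-byte boot section */

int main(int argc, char **argv)
{
    const uint8_t *img = sample_image;
    size_t len = sample_len;
    uint32_t base = sample_base, hits[16];
    uint8_t *filebuf = NULL;

    if (argc == 3) {                    /* raw binary + base address */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        filebuf = malloc(1 << 16);
        len = filebuf ? fread(filebuf, 1, 1 << 16, f) : 0;
        fclose(f);
        img = filebuf;
        base = (uint32_t)strtoul(argv[2], NULL, 0);
    }
    printf("naive word scan: %zu candidate(s)\n",
           find_spm_naive(img, len, base, hits, 16));
    size_t real = find_spm(img, len, base, hits, 16);
    printf("linear sweep:    %zu spm instruction(s)\n", real);
    for (size_t k = 0; k < real && k < 16; k++)
        printf("  byte address 0x%04X -> word address 0x%04X\n",
               (unsigned)hits[k], (unsigned)word_address(hits[k]));
    free(filebuf);
    return real == 1 ? 0 : 1;
}
```

On the sample the naive scan reports two candidates and the sweep one, at byte 0x7E04 (word 0x3F02). Two points the four steps leave implicit, worth keeping in mind before trying this on hardware: the timer interrupt in step 4 pushes the address of the bootloader instruction after `spm`, so the handler has to discard or overwrite that return address instead of plainly `reti`-ing back into the bootloader; and the chip's boot lock bits and SPMCSR sequence still apply, so what Z, R1:R0 and SPMCSR hold at the moment of the jump is what decides which page gets written.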

Thanks for that. Agree that it’s for higher level users at this stage, but they are also the same who are likely to have multiple ext. programmer options, from another arduino running say MegaISP, through BusPirate, to actual “real” programmers… there’s about 100 ways to HV program AVRs as long as you have one working one :slight_smile:

So I think the “smoking pile of AVRs” is maybe overstating it a smidgen; it is definitely not at this stage for the faint hearted…

Cheers again for the pointer

OT: Got the LeoStick yet?

Yep! Got the LeoStick and I really do like the form factor! Thanks!

I can see some very big holes to fall into in the dark with this at the finger tips of the less experienced (shall we say). There is a very good reason why the SPM command is so difficult to use…

Yeah, I’m with Adam on this one. While possible, I do see the potential for some serious problems and people bricking their AVRs. Not that it’s permanently damaged, but for the uninitiated, it can be a daunting task trying to recover a dead board.

Oh well, clearly I’m giving too much credit to your average arduino hacker who has progressed past ‘blink’. I never once considered having to use an ISP a daunting task, as bootloaders that act as a sys programming interface in microcontroller land are mostly a luxury of the modern era … and it’s not like ISPs are unavailable (through alibaba for $5) or makeable in a moment (MegaISP Sketch on any 'duino)…

I guess you guys just err far more to the “Lowest Common Denominator” side of things, whereas I’m clearly a cowboy who is happy to assume people know the basics and there should be no ‘dramas’ in treading well documented, highly utilized methods (programming using ISP…) :slight_smile: :slight_smile: Life’s already too full of ‘oh noes, don’t do that!’ warnings about well established practices that have existed for eons so I do tend to brush past them :slight_smile:

I think mostly I put the big scary warnings to persuade the less-experienced folk to master the basics of things like switch statements before tackling self-modifying machine code.

But believe me, I love teaching the fancy stuff too!

That I definitely concur with :slight_smile:

There are certain things that expert developers ‘know’ about but are not discussed. Particularly if it goes wrong and things and people might die. Mains electricity is one, giving people access beyond the normal IDE is another.

If you’re good enough to work these sorts of things out from the datasheets and read deeper than the manuals, you probably have the skills to fix it again.

Example: A person contacted me about an Arduino Mega they had purchased, wanting to know how you connected the mouse, keyboard, monitor and hard drive, and then how to load Windows onto it, as it didn’t appear to ‘do anything’. Life does have its little chuckles…

And believe you me, over the years in electronics and computing I have seen better examples of why people should NOT be allowed to touch things. Like bypassing the mains transformer on an Atari 800 to make it go faster. Well it did. It compressed its entire life into a few microseconds!

I never considered stepping outside the arduino IDE could risk someone’s life, given that IDE is nothing but an abstracted layer anyway… Clearly I’m wrong.

And anyone that uses Eclipse as an IDE to write code for the AVRs must be constantly living under threat :wink: (All I was ever pointing out was that context is important. If any mention of anything must always be preceded by throwing some FUD in the mix… then we aren’t exactly going to encourage innovation :slight_smile: Given the scenario here is entirely non-destructive, life threatening, or otherwise and at most an inconvenience, I would have thought this was entirely low-risk in the grand scheme of things… But we’ve established I’m obviously a cowboy not just a realist)

We’re all cowboys (and cowgirls) here-- some of us have just been riding the range for longer than others.

There are some pretty experienced folks here. They know how to interpret these warnings, as they may or may not apply to them.

/me rides slowly off into the 0xE02000 subset.