HID firmware on HC-06 Bluetooth modules

371412603_147

TL;DR – HC-05/06 shares the same MCU used in the RN-42HID and RN-41HID. You can dump the firmware from these HID modules and transfer it onto the HC-05/06 modules. Doing so may infringe Roving Network’s intellectual property so it’s best if you don’t distribute their firmware. I post this because I found it interesting.

For educational purposes, I’ve been playing with these HC-05, HC-06 Bluetooth modules. They are cheap, widely available and their firmware can be changed. But the best thing about these modules is the microcontroller BC417 that is used to handle all their logic, the CSR Bluecore4-Ext, which shall be referred to from now as BC4-Ext.

CSR BC4 is available in different flavours, so far I’ve heard of BC4-Ext and BC4-ROM. The ‘Ext’ uses an external ROM to store some data, what, I can’t remember. These guys are the core of many Bluetooth modules, including the ones from Bluegiga and Roving Networks.

I have been learning to program these modules to handle UART communication to send HID key codes but it was difficult. The resources on this is quite limited and since Bluetooth 2.0 was so 2004, CSR Support website wasn’t of much help.

I wrote a custom firmware for the HM-10 CC2540/1 but it requires Bluetooth 4.0. For a keyboard and mouse, what good would Bluetooth 4.0 do. Bluetooth 2.0 is much more suitable as it is compatible with almost all Bluetooth devices that has been around for the last 10 years. In slight frustration, I gave in and bought a BlueSmirf RN-42-HID from Sparkfun. After reading the datasheet, however, it turns out they also use CSR BC4-Ext! This is great news.

The BlueSmirf arrived yesterday. After searching for the pinout of the RN-42, I soldered some jumper cables to its SPI pins and used a USB SPI programmer that is CSR-compatible and dump the firmware with BlueFlash. After flashing this firmware onto a HC-06 module, voilà, I now have an exact copy of a RN-42-HID in firmware.

There is still the issue of conflicting Bluetooth addresses, but may that be resolved by changing the PSR settings. Byron’s blogpost gives some steps on how this can be done. And of course, the firmware of the RN-42-HID will not be shared.

Advertisements

10 thoughts on “HID firmware on HC-06 Bluetooth modules

  1. Hi there, very interesting. We are trying to do something similar and need help with CSR chips and firmare. Would you be interested to chat?

      1. Ok, but if you are ready to share some of your experience with firmware in a short call that will really help.

  2. Hi,
    nice work. I have a basic idea of making my own android gamepad over bluetooth, and therefore the gamepad should be recognized as a HID.
    My understanding so far, is that neither the HC-05/6 nor the HM-10 support a HID functionality from scratch. This raises the following questions regarding to your work.

    -To be able to use the HID functionality, I need to flash alternative firmware which provides he needed software stack?
    -Did you modify this firmware?
    -To detect and send the keyboard buttons you use an Launchpad connected over UART?

    In any case i don’t want to use closed software, so the IAR would be a major disadvantage. Or can you briefly explain what the IAR is needed for? Can i program the 8051 on the cc254x in case i use the IAR?

    Thanks for your time.

    1. -To be able to use the HID functionality, I need to flash alternative firmware which provides he needed software stack?
      Yes you do.
      -Did you modify this firmware?
      I wrote the HID firmware for the HM-10, the firmware for the HC-05/06 was not modified.
      -To detect and send the keyboard buttons you use an Launchpad connected over UART?
      I use a uart-to-USB adapter to talk to the modules. As long as it supports 3.3V, it’s fine.
      -What the IAR is needed for?
      IAR is the default and the only officially supported IDE from TI that can use their BLE stack. There are alternatives but they are all closed. Bluetooth is a hard topic to get free software. Go to the TI wiki on CC254x and get more info there

  3. Thanks for your reply.

    So the HC-05/6 is HD compatible? I thought they only support SPP or recommending.

    Do you have any link how to start modifying the firmware for the HM-10 and what steps to take? I assume you needed to implement the Bee Stack, or did you use the one from TI?

    thanks for your time
    eimer

    1. With the appropriate firmware, they can support HID.

      You have to use TI stack. It’s the only stack there is akaik. Try TI wiki on the CC254x series.

  4. I just wonder: does the pinning change when programming a RN-42 software on a HC-06 module?
    From what I can say, I successfully dumped a RN-42 HID software (611), stored the bluetooth address etc. of the HC-06, reprogrammed the HID software into the HC-06 module and restored the bluetooth address, frequency and trim.
    Now I can see that the current increased every second or so, so I guess the module is running correctly with RN-42 firmware. Yet I can’t communicate with it over TX/RX and also the LED is not blinking anymore. So my first guess would be the pinning of the HC06 module changed due to the firmware update, but I can’t find any hint in this direction. Any clues?

    1. The Tx/Rx pins of the Bluecore4 chip is the same so that shouldn’t be a problem. I’ve found that some HC-05/06 modules do not breakout all the PIO pins as listed in eBay schematics, which could be a primary reason to why some of the LEDs don’t blink when they’re supposed to. For example, one of my HC-06 modules do not have a PIO pin for the CONNECT LED. It’s supposed to but it’s just not there. It took me a while to realize that my module wasn’t broken out properly.

      What you could do for further testing is to make a breakout board for the HC-06 with same PIOx pins connecting to various LEDs and buttons as Sparkfun’s RN-42HID breakout board and see what’s missing.

      Hope that helps.

  5. I could solve my issues yesterday, so in case someone else stumbled over the same issues: yes the pinning is a bit different, but nothing to worry about
    1) Status and connect LEDs. On RN-42, there are two LED outputs: Status on PIO5 and Connect on PIO2.
    On my HC-06 breakout board, only PIO2 is connected to an LED which seems to be a status LED.
    -> when flashing RN-42 software into a HC-06 module, the status LED becomes the connect LED, which explains that it’s initially off while with the HC-06 software, the LED is slowly blinking.
    -> OK, you just have to know.

    2) On my RN-42 module (makeyBT), there is a pullup on PIO7 which is missing in my HC-06 module (internal weak pulldown -> low). A high level on PIO7 selects 9600baud in the RN-42 software, while the default baudrate is 115200baud.
    -> The same software defaults to 115200 baud instead of 9600baud.

    3) As an additional note, there is a 10k pulldown placed on my HC-06 board on PIO11 which seems to be a relic of the HC-05 population where PIO11 is used to read in the key. According to the RN-42 HID manual, the level of PIO11 is used to override to HID mode even if configured as SPP if PIO11 is high during reset and Bit9 of the “HID Flag Register Bits” is set. So I guess in a HC-05 you could actually use the key as HID override in SPP mode.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s