Chip

nrf24lu1+

  • 24LU1P is F32 (32k)
  • LU1P16 is F16 (16k)

For the F32:

Infopage

5a 5a ff ff ff ff ff ff ff ff ff aa bb cc dd ee
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
...

Where aa bb cc dd ee is the CHIPID (see § 17.3.2)

Resources

Nordic’s bootloader is located at 0x7800 (0x3800 on the F16 chip flavor). Logitech’s is at 0x7400.

SHA2-256(boot24lu1p_0x3800_or_0x7800.bin)= fe1b146b769b059a35915156fe42a777a134adc43dfe47caacd5e9233c010b16
SHA2-256(crazy_radio_f16.bin)= a82d58318c686565d63dc0e1b657d5273650e94d00b3507ef7f70279c8e6cfa6
SHA2-256(crazy_radio_f32.bin)= 67604a09591eb86071dd35499e99d485dff859d5bfe5761073fd15126aebf8de
SHA2-256(crazy_radio_pa_f16.bin)= 3c39e7b5a71f12b7e6a997e8f78a00ff549377e982812d5b01049551f7fd4c9c
SHA2-256(crazy_radio_pa_f32.bin)= 559dfa3a0e9d709ed1c22c7186114c352e73c12a2b7d49d7781d8ebc2b1be7ee
SHA2-256(nrf-research-firmware_f16.bin)= 028e8f7ee8fe5be024209ebeecf0b8631d49fe2256625e02a76e43552212472a
SHA2-256(nrf-research-firmware_f32.bin)= df006d454109b1899e741a4f411eea57f811a5b330c2144699c7188be290379f
SHA2-256(RQR12.11_B0032.bin)= e7db69331e8a09165b377889de561f12f309976d36c86caf11ad68cbc9f87f8f
SHA2-256(RQR12_bootloader_02B0015_0x7400.bin)= c7bc2c7e293034547e11dda1e8e6a05572b07455304194ad1cd7076bc8c82489

kiflashrom

See: https://github.com/gentilkiwi/kiflashrom

Unbrick

To unbrick an F32 dongle through the PROG pin by writing the default Nordic bootloader (add /f16 for an F16, and /infopage to erase the InfoPage too). DFU will be available afterwards:

> kiflashrom /nrf24lu1p /prog /unbrick
...

** NRF24LU1P specifics **
| Using PIN #4 for PROG signal
Status: 0x00
FPCR  : 0x7f
> NRF24LU1P_Unbrick
| Product   : F32
| Bootloader: 0x7800
| Write enable for MainBlock
| Erase All
| Write NRF24LU1P_USB_BOOTLOADER #1
| Write NRF24LU1P_USB_BOOTLOADER #2
| Write NRF24LU1P_USB_BOOTSTRAP
< NRF24LU1P_Unbrick

Compared read @ 0x0 for 32768 byte(s) - 5 iteration(s)
├ Read: 32768 byte(s) - 46 ms - SHA2-256(data)= 0a2b66595e274a38a47539abe3ca85cc819a6218efd312fc4a885abb0bd5d77e
├ Read: 32768 byte(s) - 54 ms - SHA2-256(data)= 0a2b66595e274a38a47539abe3ca85cc819a6218efd312fc4a885abb0bd5d77e
├ Read: 32768 byte(s) - 43 ms - SHA2-256(data)= 0a2b66595e274a38a47539abe3ca85cc819a6218efd312fc4a885abb0bd5d77e
├ Read: 32768 byte(s) - 55 ms - SHA2-256(data)= 0a2b66595e274a38a47539abe3ca85cc819a6218efd312fc4a885abb0bd5d77e
├ Read: 32768 byte(s) - 49 ms - SHA2-256(data)= 0a2b66595e274a38a47539abe3ca85cc819a6218efd312fc4a885abb0bd5d77e
└ Data: 02 78 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ..

Writing a firmware

To flash the Bastille Research firmware onto an AliExpress F16 dongle:

> kiflashrom /nrf24lu1p /prog /f16 /write /file:nrf-research-firmware_f16.bin
...

** NRF24LU1P specifics **
| Using PIN #4 for PROG signal
Status: 0x00
FPCR  : 0x7f
> File: 'nrf-research-firmware_f16.bin' is 5895 byte(s)
> Target size is: 5895
> Target hash: 028e8f7ee8fe5be024209ebeecf0b8631d49fe2256625e02a76e43552212472a
> Writing 0x1707 (5895) bytes @ 0x0 (with ERASE_PAGE before)...
> Reading back...
> Readed hash: 028e8f7ee8fe5be024209ebeecf0b8631d49fe2256625e02a76e43552212472a
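
The /write transcript above can be checked mechanically. The following is an added example, not part of kiflashrom or of the original page: it confirms that the file hash matches the reference list, that the read-back hash matches the target hash, and that the image ends before the Nordic bootloader. The function names are hypothetical, and it assumes the write starts at 0x0 and that the bootloader is meant to survive.

```python
import re

# Nordic bootloader start per chip flavor, as stated on this page.
BOOTLOADER_START = {"f16": 0x3800, "f32": 0x7800}

# Reference digests copied from this page's SHA2-256 list.
REFERENCE = {
    "nrf-research-firmware_f16.bin":
        "028e8f7ee8fe5be024209ebeecf0b8631d49fe2256625e02a76e43552212472a",
    "nrf-research-firmware_f32.bin":
        "df006d454109b1899e741a4f411eea57f811a5b330c2144699c7188be290379f",
}

# /write transcript copied from this page.
SAMPLE_LOG = """\
> File: 'nrf-research-firmware_f16.bin' is 5895 byte(s)
> Target size is: 5895
> Target hash: 028e8f7ee8fe5be024209ebeecf0b8631d49fe2256625e02a76e43552212472a
> Writing 0x1707 (5895) bytes @ 0x0 (with ERASE_PAGE before)...
> Reading back...
> Readed hash: 028e8f7ee8fe5be024209ebeecf0b8631d49fe2256625e02a76e43552212472a
"""

def _grab(pattern, log):
    """Return the first capture group of pattern in log, or None."""
    m = re.search(pattern, log)
    return m.group(1) if m else None

def check_write_log(log, flavor, reference=REFERENCE):
    """Return a list of problems found in a /write transcript (empty = OK)."""
    name = _grab(r"File: '([^']+)'", log)
    size = _grab(r"Target size is: (\d+)", log)
    target = _grab(r"Target hash: ([0-9a-f]{64})", log)
    readback = _grab(r"Readed hash: ([0-9a-f]{64})", log)
    if None in (name, size, target, readback):
        return ["incomplete transcript"]
    problems = []
    if reference.get(name) != target:
        problems.append("file hash is not the reference hash for " + name)
    if readback != target:
        problems.append("read-back hash differs from target hash")
    # Assumption: the write starts at 0x0, as in the page's transcript.
    if int(size) > BOOTLOADER_START[flavor]:
        problems.append("image extends into the bootloader region")
    return problems

if __name__ == "__main__":
    print(check_write_log(SAMPLE_LOG, "f16") or "transcript OK")
```
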

Connectors

CrazyRadio programming connector

                SCK  MOSI MISO
          PROG _    |  |  |    _ CS
                \---|--|--|---/
 USB <]        | 2  4  6  8  10|        (>  SMA /
               | 1  3  5  7  9 |        (>  ANTENNA
               _/---|--|--x---\_
           +5V      |  |         GND
                RESET  +3V3

‘Aliexpress’ dongle programming connector

          [1]  (2)  (3)  (4)  (5)  (6)  (7)
 USB <]    |    |    |    |    |    |    |   (>  ANTENNA
          +5V  PROG SCK  MOSI MISO CS   GND

FT232H side

  • AD0: SCK
  • AD1: MOSI
  • AD2: MISO
  • AD3: CS
  • AD4: PROG (optional if managed manually)

References