esp8266 bootloader protocol on uart

lorenzo.raschi
Posts: 1
Joined: Mon Feb 26, 2018 10:16 pm

esp8266 bootloader protocol on uart

Postby lorenzo.raschi » Tue Feb 27, 2018 2:11 am

Hello,

I'm trying to flash an ESP12S module, which has 32 Mbit flash, connected to a custom embedded device that I designed myself.
I removed the metal shield and connected a logic analyzer to the SPI bus between the ESP8266 chip and the SPI flash.
I used the code snippet written in "ESP8266 Application Note Firmware Download Protocol" v1.1.
There is no match between the UART commands and the SPI commands. Obviously the ESP8266 app cannot start.

I'm trying to upload the 512+512 user1.bin AT file (its size is 407796 bytes) found in SDK v2.2.0 to address 0x1000.
The buffer I send via UART is the "flash download start" command:
C0 00 02 10 00 20 00 00 00 00 50 05 00 8F 01 00 00 00 04 00 00 00 10 00 00 C0
The module replies:
C0 01 02 02 00 07 07 12 20 00 00 C0 (is it OK?)
After that, I start uploading data chunks of 1024 bytes:
First chunk:
C0 00 03 10 04 9A 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 EA 04 01 04 00 10 ... C0
The module replies:
C0 01 03 02 00 07 07 12 20 01 07 C0 (is it OK?)

Second chunk:
C0 00 03 10 04 B3 00 00 00 00 04 00 00 01 00 00 00 00 00 00 00 00 00 00 00 4D 01 85 C1 00 68... C0
The module replies:
C0 01 03 02 00 07 07 12 20 01 07 C0

After the last chunk I send the "flash download stop" command:
C0 00 04 04 00 EE 00 00 00 01 00 00 00 C0
The module replies:
C0 01 04 02 00 07 07 12 20 01 06 C0

On the SPI side, I logged:
The first erase: 20 06 20 00; it should be 20 00 10 00 (offset 1000h).
After it:
20 06 30 00
20 06 40 00
After the SPI erase commands (20h), there are some SPI write data commands (02h):
02 00 10 00 77 FF B1 72 FF 32 9D 00 C2 4B 00 01...
The address is right (001000h), but the data is not from the beginning of the user1.bin file as it should be, but from offset 10C00 of user1.bin.

Why did the ESP erase sectors at the end only?
Why was the data before offset 10C00 discarded?
Why does the ESP write data to address 0001000h, which is not blank?

In order to have something to compare to, I connected a SparkFun module in which I replaced the stock flash with the 32 Mbit flash used in the ESP12S. I flashed it with the "ESP8266 flash download tool". I sniffed the data on UART and on SPI too.
In my opinion the comparison is a bit different, because I noticed that this software seems to upload a software bootloader which behaves differently from the one in ROM. With this setup, the UART commands and SPI commands match OK, for instance:

Flash erase command:
c0:00:02:10:00:00:00:00:00:f4:38:06:00:19:00:00:00:00:40:00:00:00:10:00:00:c0
the module replies:
c0:01:02:00:00:00:00:00:00:00:00:c0

Flash download data:
c0:00:03:10:40:84:00:00:00:00:40:00:00:00:00:00:00:00:00:00:00:00:00:00:00:ea:04:00:01:04:00......
the module replies:
c0:01:03:00:00:00:00:00:00:00:00:c0

On the SPI side:
20 00 10 00
....
02 00 10 00 EA 04 01 04 00 10 ...

Has anyone worked with the ROM bootloader protocol, please?

Thank you!

Lorenzo
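The frames quoted in the post can be taken apart mechanically. The following is an added example for this thread (not the poster's code and not an Espressif tool): a small encoder/decoder for the ESP8266 ROM serial-bootloader protocol as implemented by esptool.py, covering SLIP framing (C0 delimiters, DB DC / DB DD escapes), the request header (0x00, opcode, 16-bit body length, 32-bit checksum), the reply header (0x01, opcode, length, 32-bit value, then the two trailing bytes [status, error]), the 0xEF-seeded XOR checksum the ROM verifies on every FLASH_DATA body, and the erase-size formula esptool uses to work around the ROM's sector miscount. The `CAPTURE` table holds the complete frames copied from the post (the data frames cut short with "..." are left out); the error strings are esptool's ROM_ERRORS table; the image used to exercise `flash_frames` is constructed. Running it decodes each captured reply's status and error bytes and the FLASH_BEGIN fields of both sessions.

```python
"""ESP8266 ROM serial-bootloader frames: build, SLIP-encode, decode.

Added example for this thread; it is neither the poster's code nor an
Espressif tool.  Opcodes, header layout, checksum seed, erase-size formula
and error table follow the ROM loader protocol as implemented by esptool.py.
The CAPTURE frames are copied from the post (truncated '...' frames left out).
"""
import struct

SLIP_END, SLIP_ESC, SLIP_ESC_END, SLIP_ESC_ESC = 0xC0, 0xDB, 0xDC, 0xDD
FLASH_BEGIN, FLASH_DATA, FLASH_END = 0x02, 0x03, 0x04
CHECKSUM_MAGIC = 0xEF   # seed of the XOR checksum the ROM expects over FLASH_DATA payloads
SECTOR_SIZE = 4096
ROM_ERRORS = {0x05: "Received message is invalid", 0x06: "Failed to act on received message",
              0x07: "Invalid CRC in message", 0x08: "Flash write error", 0x09: "Flash read error",
              0x0A: "Flash read length error", 0x0B: "Deflate error"}

# Complete frames copied from the post: ROM loader session, then the flash download tool session.
CAPTURE = {
    "rom_flash_begin": "C0 00 02 10 00 20 00 00 00 00 50 05 00 8F 01 00 00 00 04 00 00 00 10 00 00 C0",
    "rom_begin_reply": "C0 01 02 02 00 07 07 12 20 00 00 C0",
    "rom_data_reply":  "C0 01 03 02 00 07 07 12 20 01 07 C0",
    "rom_flash_end":   "C0 00 04 04 00 EE 00 00 00 01 00 00 00 C0",
    "rom_end_reply":   "C0 01 04 02 00 07 07 12 20 01 06 C0",
    "tool_flash_begin": "c0:00:02:10:00:00:00:00:00:f4:38:06:00:19:00:00:00:00:40:00:00:00:10:00:00:c0",
    "tool_begin_reply": "c0:01:02:00:00:00:00:00:00:00:00:c0",
}


def slip_encode(pkt):
    """C0 <escaped packet> C0; inside the packet C0 -> DB DC and DB -> DB DD."""
    esc = pkt.replace(b"\xdb", b"\xdb\xdd").replace(b"\xc0", b"\xdb\xdc")
    return bytes([SLIP_END]) + esc + bytes([SLIP_END])


def slip_decode(frame):
    """Strip the C0 delimiters and undo the escapes; reject malformed frames."""
    if len(frame) < 2 or frame[0] != SLIP_END or frame[-1] != SLIP_END:
        raise ValueError("frame is not delimited by C0")
    out, it = bytearray(), iter(frame[1:-1])
    for b in it:
        if b != SLIP_ESC:
            out.append(b)
            continue
        nxt = next(it, None)
        if nxt not in (SLIP_ESC_END, SLIP_ESC_ESC):
            raise ValueError("bad SLIP escape")
        out.append(SLIP_END if nxt == SLIP_ESC_END else SLIP_ESC)
    return bytes(out)


def checksum(data, seed=CHECKSUM_MAGIC):
    """XOR of all payload bytes, seeded with 0xEF; goes in the request header."""
    for b in data:
        seed ^= b
    return seed


def erase_size(offset, size):
    """Erase length for FLASH_BEGIN on the ESP8266 ROM loader.  The ROM miscounts
    sectors in the first 64 KiB block, so esptool passes this corrected value."""
    num_sectors = (size + SECTOR_SIZE - 1) // SECTOR_SIZE
    head = min(16 - (offset // SECTOR_SIZE) % 16, num_sectors)
    if num_sectors < 2 * head:
        return (num_sectors + 1) // 2 * SECTOR_SIZE
    return (num_sectors - head) * SECTOR_SIZE


def command(op, body, chk=0):
    """Request: direction 0x00, opcode, body length (LE16), checksum (LE32), body."""
    return slip_encode(struct.pack("<BBHI", 0x00, op, len(body), chk) + body)


def flash_frames(image, offset, block_size=1024):
    """FLASH_BEGIN, one FLASH_DATA per block (last one 0xFF-padded), FLASH_END (1 = stay in loader)."""
    n = (len(image) + block_size - 1) // block_size
    frames = [command(FLASH_BEGIN, struct.pack("<IIII", erase_size(offset, len(image)), n, block_size, offset))]
    for seq in range(n):
        block = image[seq * block_size:(seq + 1) * block_size].ljust(block_size, b"\xff")
        frames.append(command(FLASH_DATA, struct.pack("<IIII", len(block), seq, 0, 0) + block, checksum(block)))
    frames.append(command(FLASH_END, struct.pack("<I", 1)))
    return frames


def parse(frame):
    """Decode a frame of either direction into a dict of its fields."""
    pkt = slip_decode(frame)
    direction, op, size, val = struct.unpack("<BBHI", pkt[:8])
    body = pkt[8:]
    f = {"dir": direction, "op": op, "size": size, "val": val, "size_matches": size == len(body)}
    if direction == 0x01:                       # reply: [status, error] are the last two body bytes
        if len(body) < 2:
            raise ValueError("reply without status bytes")
        f["status"], f["error"] = body[-2], body[-1]
        f["error_text"] = ROM_ERRORS.get(f["error"], "OK" if f["status"] == 0 else "unknown")
    elif op == FLASH_BEGIN:
        f.update(zip(("erase_size", "num_blocks", "block_size", "offset"), struct.unpack("<IIII", body[:16])))
    elif op == FLASH_DATA:
        f["data_len"], f["seq"] = struct.unpack("<II", body[:8])
        f["data"] = body[16:]
        f["checksum_ok"] = checksum(f["data"]) == val   # in a request, val is the checksum field
    elif op == FLASH_END:
        f["stay_in_loader"] = struct.unpack("<I", body[:4])[0] == 1
    return f


def decode_capture():
    """Parse every frame quoted in the post."""
    return {name: parse(bytes.fromhex(s.replace(":", " "))) for name, s in CAPTURE.items()}


if __name__ == "__main__":
    for name, f in decode_capture().items():
        print(name, {k: v for k, v in f.items() if k != "data"})
```

Two things worth checking on any capture of this protocol: the second-to-last byte of a reply is the status (0 = success, 1 = failure) and the last byte is the ROM error code, so a reply ending `01 07` is a rejected command, not an acknowledgement; and the 32-bit field in a FLASH_DATA request header must equal the 0xEF-seeded XOR of the 1024 (or 16384) data bytes that follow the 16-byte body header, which `checksum_ok` recomputes. The `size_matches` flag catches replies whose length field disagrees with the bytes actually present, which the flash download tool's stub loader does in the post's second capture.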
