The image upload process is not exactly XModem, but may be similar in some ways.
The process can be generally divided into a few steps:
- Establish contact and change communication speed
- Send flashloader binary
- Re-establish contact and change communication speed
- Send
km0_boot_all.binkm4_boot_all.binkm0_km4_image2.bin
Establish Contact and change communication speed
- BW16 sends 0x15 (NAK) repeatedly at 115200 baud rate while in image download mode
- Image tool replies with 0x05 (ENQ) followed by a byte that indicates a higher UART speed
- E.g. 0x18 for 1500000, 0x17 for 1444400
- BW16 replies with 0x06 (ACK) to agree to change speed
- both sides change UART speed
- Image tool tests new UART speed with 0x07, BW16 replies with 0x06
Send binary
- The flashloader binary needs to be sent first, as this contains code that enables BW16 to receive UART firmware binary and write it to flash
- binary data is send in blocks of 1024 bytes
- each block contains these fields:
- one byte header 0x02
- one byte block number starting with 0x01
- one byte bit-inverse of block number
- four byte flash address of following binary data
- 1024 bytes of binary data
- one byte checksum
- BW16 replies with 0x06 for each correctly received block
After sending the flashloader, BW16 reboots into the flashloader code. Communication is re-established and the three firmware binaries are sent in the same method. You may choose to only send one of the three firmware binaries, and it will only update that part.
There are a few other minor details that I may have missed out, but the overall flow is still there.
I suggest you look at this code. It can be used to upload images, and will also provide detailed information on what it is sending and receiving. Comparing the source code with logic analyzer captures should give you a better idea of what the upload process is doing.