2 # GoodFET Client Library
4 # (C) 2009 Travis Goodspeed <travis at radiantmachines.com>
6 # This code is being rewritten and refactored. You've been warned!
11 from GoodFET import GoodFET;
12 from intelhex import IntelHex;
14 import xml.dom.minidom, time;
16 class GoodFETCC(GoodFET):
17 """A GoodFET variant for use with Chipcon 8051 Zigbee SoC."""
20 smartrfpath="/opt/smartrf7";
21 def loadsymbols(self):
22 try: self.SRF_loadsymbols();
24 if self.verbose>0: print "SmartRF not found at %s." % self.smartrfpath;
25 def SRF_chipdom(self,chip="cc1110", doc="register_definition.xml"):
26 """Loads the chip XML definitions from SmartRF7."""
27 fn="%s/config/xml/%s/%s" % (self.smartrfpath,chip,doc);
28 #print "Opening %s" % fn;
29 return xml.dom.minidom.parse(fn)
31 def CMDrs(self,args=[]):
32 """Chip command to grab the radio state."""
34 self.SRF_radiostate();
36 # print "Error printing radio state.";
37 # print "SmartRF not found at %s." % self.smartrfpath;
38 def SRF_bitfieldstr(self,bf):
45 for e in bf.childNodes:
46 if e.localName=="Name" and e.childNodes: name= e.childNodes[0].nodeValue;
47 elif e.localName=="Start": start=e.childNodes[0].nodeValue;
48 elif e.localName=="Stop": stop=e.childNodes[0].nodeValue;
49 return " [%s:%s] %30s " % (start,stop,name);
51 def SRF_radiostate(self):
53 chip=self.CCversions.get(ident&0xFF00);
54 dom=self.SRF_chipdom(chip,"register_definition.xml");
55 for e in dom.getElementsByTagName("registerdefinition"):
56 for f in e.childNodes:
57 if f.localName=="DeviceName":
58 print "// %s RadioState" % (f.childNodes[0].nodeValue);
59 elif f.localName=="Register":
64 for g in f.childNodes:
65 if g.localName=="Name":
66 name=g.childNodes[0].nodeValue;
67 elif g.localName=="Address":
68 address=g.childNodes[0].nodeValue;
69 elif g.localName=="Description":
71 description=g.childNodes[0].nodeValue;
72 elif g.localName=="Bitfield":
73 bitfields+="%17s/* %-50s */\n" % ("",self.SRF_bitfieldstr(g));
74 #print "SFRX(%10s, %s); /* %50s */" % (name,address, description);
75 print "%-10s=0x%02x; /* %-50s */" % (
76 name,self.CCpeekdatabyte(eval(address)), description);
77 if bitfields!="": print bitfields.rstrip();
79 def SRF_radiostate_select(self,args=[]):
82 chip=self.CCversions.get(ident&0xFF00);
83 dom=self.SRF_chipdom(chip,"register_definition.xml");
85 if reg.lower() == "help":
88 lreg.append(reg.lower())
89 for e in dom.getElementsByTagName("registerdefinition"):
90 for f in e.childNodes:
91 if f.localName=="DeviceName":
92 print "// %s RadioState" % (f.childNodes[0].nodeValue);
93 elif f.localName=="Register":
98 for g in f.childNodes:
99 if g.localName=="Name":
100 name=g.childNodes[0].nodeValue;
101 elif g.localName=="Address":
102 address=g.childNodes[0].nodeValue;
103 elif g.localName=="Description":
105 description=g.childNodes[0].nodeValue;
106 elif g.localName=="Bitfield":
107 bitfields+="%17s/* %-50s */\n" % ("",self.SRF_bitfieldstr(g));
108 #print "SFRX(%10s, %s); /* %50s */" % (name,address, description);
110 print "%-10s /* %-50s */" % (name, description);
111 elif name.lower() in lreg:
112 print "%-10s=0x%02x; /* %-50s */" % (
113 name,self.CCpeekdatabyte(eval(address)), description);
114 if bitfields!="": print bitfields.rstrip();
116 def RF_setfreq(self,frequency):
117 """Set the frequency in Hz."""
118 #FIXME CC1110 specific
119 #Some frequencies fail, probably and FSCAL thing.
122 freq=int(hz/396.728515625);
125 freq1=(freq&0xFF00)>>8;
126 freq2=(freq&0xFF0000)>>16;
128 self.pokebysym("FREQ2",freq2);
129 self.pokebysym("FREQ1",freq1);
130 self.pokebysym("FREQ0",freq0);
132 self.pokebysym("TEST1",0x31);
133 self.pokebysym("TEST0",0x09);
136 #self.pokebysym("FSCAL2" , 0x2A); #above mid
137 self.pokebysym("FSCAL2" , 0x0A); #beneath mid
139 #self.CC_RFST_CAL(); #SCAL
143 def RF_getfreq(self):
144 """Get the frequency in Hz."""
145 #FIXME CC1110 specific
147 #return (2400+self.peek(0x05))*10**6
148 #self.poke(0x05,chan);
150 #freq2=self.CCpeekdatabyte(0xdf09);
151 #freq1=self.CCpeekdatabyte(0xdf0a);
152 #freq0=self.CCpeekdatabyte(0xdf0b);
155 freq2=self.peekbysym("FREQ2");
156 freq1=self.peekbysym("FREQ1");
157 freq0=self.peekbysym("FREQ0");
158 freq=(freq2<<16)+(freq1<<8)+freq0;
162 hz=freq*396.728515625;
166 def RF_getchannel(self):
167 """Get the hex channel."""
168 #FIXME CC1110 specific
171 freq2=self.peekbysym("FREQ2");
172 freq1=self.peekbysym("FREQ1");
173 freq0=self.peekbysym("FREQ0");
174 freq=(freq2<<16)+(freq1<<8)+freq0;
181 lastshellcode="none";
182 def shellcodefile(self,filename,wait=1, alwaysreload=0):
183 """Run a fragment of shellcode by name."""
184 #FIXME: should identify chip model number, use shellcode for that chip.
186 if self.lastshellcode!=filename or alwaysreload>0:
187 self.lastshellcode=filename;
189 file=file.replace("GoodFETCC.pyc","GoodFETCC.py");
190 #TODO make this generic
191 path=file.replace("GoodFETCC.py","shellcode/chipcon/cc1110/");
192 filename=path+filename;
195 h=IntelHex(filename);
196 for i in h._buf.keys():
197 self.CCpokedatabyte(i,h[i]);
200 self.CCdebuginstr([0x02, 0xf0, 0x00]); #ljmp 0xF000
202 while wait>0 and (0==self.CCstatus()&0x20):
205 #print "Waiting for shell code to return.";
208 return self.CCstatus()&0x20;
209 def shellcode(self,code,wait=1):
210 """Copy a block of code into RAM and execute it."""
214 self.pokebyte(0xF000+i,byte);
216 #print "Code loaded, executing."
217 self.CCdebuginstr([0x02, 0xf0, 0x00]); #ljmp 0xF000
219 while wait>0 and (0==self.CCstatus()&0x20):
222 #print "Waiting for shell code to return.";
224 def CC1110_crystal(self):
225 """Start the main crystal of the CC1110 oscillating, needed for radio use."""
226 code=[0x53, 0xBE, 0xFB, #anl SLEEP, #0xFB
228 0xE5, 0xBE, #mov a,SLEEP
229 0x30, 0xE6, 0xFB, #jnb acc.6, back
230 0x53, 0xc6, 0xB8, #anl CLKCON, #0xB8
232 0xE5, 0xC6, #mov a,CLKCON
233 0x20, 0xE6, 0xFB, #jb acc.6, two
234 0x43, 0xBE, 0x04, #orl SLEEP, #0x04
237 self.shellcode(code);
239 #Slower to load, but produced from C.
240 #self.shellcodefile("crystal.ihx");
243 """Move the radio to its idle state."""
247 #Chipcon RF strobes. CC1110 specific
252 def CC_RFST_IDLE(self):
253 """Switch the radio to idle mode, clearing overflows and errors."""
254 self.CC_RFST(self.RFST_IDLE);
255 def CC_RFST_TX(self):
256 """Switch the radio to TX mode."""
257 self.CC_RFST(self.RFST_TX);
258 def CC_RFST_RX(self):
259 """Switch the radio to RX mode."""
260 self.CC_RFST(self.RFST_RX);
261 def CC_RFST_CAL(self):
262 """Calibrate strobe the radio."""
263 self.CC_RFST(self.RFST_CAL);
264 def CC_RFST(self,state=RFST_IDLE):
266 self.pokebyte(RFST,state); #Return to idle state.
268 def config_dash7(self,band="lf"):
269 #These settings came from the OpenTag project's GIT repo on 18 Dec, 2010.
270 #Waiting for official confirmation of the accuracy.
272 self.pokebysym("FSCTRL1" , 0x08) # Frequency synthesizer control.
273 self.pokebysym("FSCTRL0" , 0x00) # Frequency synthesizer control.
275 #Don't change these while the radio is active.
276 self.pokebysym("FSCAL3" , 0xEA) # Frequency synthesizer calibration.
277 self.pokebysym("FSCAL2" , 0x2A) # Frequency synthesizer calibration.
278 self.pokebysym("FSCAL1" , 0x00) # Frequency synthesizer calibration.
279 self.pokebysym("FSCAL0" , 0x1F) # Frequency synthesizer calibration.
281 if band=="ismeu" or band=="eu":
282 print "There is no official eu band for dash7."
283 self.pokebysym("FREQ2" , 0x21) # Frequency control word, high byte.
284 self.pokebysym("FREQ1" , 0x71) # Frequency control word, middle byte.
285 self.pokebysym("FREQ0" , 0x7a) # Frequency control word, low byte.
286 elif band=="ismus" or band=="us":
287 print "There is no official us band for dash7."
288 self.pokebysym("FREQ2" , 0x22) # Frequency control word, high byte.
289 self.pokebysym("FREQ1" , 0xB1) # Frequency control word, middle byte.
290 self.pokebysym("FREQ0" , 0x3B) # Frequency control word, low byte.
291 elif band=="ismlf" or band=="lf":
292 # 433.9198 MHz, same as Simpliciti.
293 self.pokebysym("FREQ2" , 0x10) # Frequency control word, high byte.
294 self.pokebysym("FREQ1" , 0xB0) # Frequency control word, middle byte.
295 self.pokebysym("FREQ0" , 0x71) # Frequency control word, low byte.
299 #Got a frequency, not a band.
300 self.RF_setfreq(eval(band));
301 self.pokebysym("MDMCFG4" , 0x8B) # 62.5 kbps w/ 200 kHz filter
302 self.pokebysym("MDMCFG3" , 0x3B)
303 self.pokebysym("MDMCFG2" , 0x11)
304 self.pokebysym("MDMCFG1" , 0x02)
305 self.pokebysym("MDMCFG0" , 0x53)
306 self.pokebysym("CHANNR" , 0x00) # Channel zero.
307 self.pokebysym("DEVIATN" , 0x50) # 50 kHz deviation
309 self.pokebysym("FREND1" , 0xB6) # Front end RX configuration.
310 self.pokebysym("FREND0" , 0x10) # Front end RX configuration.
311 self.pokebysym("MCSM2" , 0x1E)
312 self.pokebysym("MCSM1" , 0x3F)
313 self.pokebysym("MCSM0" , 0x30)
314 self.pokebysym("FOCCFG" , 0x1D) # Frequency Offset Compensation Configuration.
315 self.pokebysym("BSCFG" , 0x1E) # 6.25% data error rate
317 self.pokebysym("AGCCTRL2" , 0xC7) # AGC control.
318 self.pokebysym("AGCCTRL1" , 0x00) # AGC control.
319 self.pokebysym("AGCCTRL0" , 0xB2) # AGC control.
321 self.pokebysym("TEST2" , 0x81) # Various test settings.
322 self.pokebysym("TEST1" , 0x35) # Various test settings.
323 self.pokebysym("TEST0" , 0x09) # Various test settings.
324 self.pokebysym("PA_TABLE0", 0xc0) # Max output power.
325 self.pokebysym("PKTCTRL1" , 0x04) # Packet automation control, w/ lqi
326 #self.pokebysym("PKTCTRL1" , 0x00) # Packet automation control. w/o lqi
327 self.pokebysym("PKTCTRL0" , 0x05) # Packet automation control, w/ checksum.
328 #self.pokebysym("PKTCTRL0" , 0x00) # Packet automation control, w/o checksum, fixed length
329 self.pokebysym("ADDR" , 0x01) # Device address.
330 self.pokebysym("PKTLEN" , 0xFF) # Packet length.
333 self.pokebysym("SYNC1",0x83);
334 self.pokebysym("SYNC0",0xFE);
336 def config_iclicker(self,band="lf"):
337 #Mike Ossmann figured most of this out, with help from neighbors.
339 self.pokebysym("FSCTRL1" , 0x06) # Frequency synthesizer control.
340 self.pokebysym("FSCTRL0" , 0x00) # Frequency synthesizer control.
342 #Don't change these while the radio is active.
343 self.pokebysym("FSCAL3" , 0xE9)
344 self.pokebysym("FSCAL2" , 0x2A)
345 self.pokebysym("FSCAL1" , 0x00)
346 self.pokebysym("FSCAL0" , 0x1F)
348 if band=="ismeu" or band=="eu":
349 print "The EU band is unknown.";
350 elif band=="ismus" or band=="us":
352 self.pokebysym("FREQ2" , 0x22) # Frequency control word, high byte.
353 self.pokebysym("FREQ1" , 0xD3) # Frequency control word, middle byte.
354 self.pokebysym("FREQ0" , 0xAC) # Frequency control word, low byte.
355 elif band=="ismlf" or band=="lf":
356 print "There is no LF version of the iclicker."
360 #Got a frequency, not a band.
361 self.RF_setfreq(eval(band));
362 # 812.5kHz bandwidth, 152.34 kbaud
363 self.pokebysym("MDMCFG4" , 0x1C)
364 self.pokebysym("MDMCFG3" , 0x80)
365 # no FEC, 2 byte preamble, 250kHz chan spacing
368 #self.pokebysym("MDMCFG2" , 0x01)
370 self.pokebysym("MDMCFG2" , 0x02)
372 self.pokebysym("MDMCFG1" , 0x03)
373 self.pokebysym("MDMCFG0" , 0x3b)
375 self.pokebysym("CHANNR" , 0x2e) # Channel zero.
377 #self.pokebysym("DEVIATN" , 0x71) # 118.5
378 self.pokebysym("DEVIATN" , 0x72) # 253.9 kHz deviation
380 self.pokebysym("FREND1" , 0x56) # Front end RX configuration.
381 self.pokebysym("FREND0" , 0x10) # Front end RX configuration.
382 self.pokebysym("MCSM2" , 0x07)
383 self.pokebysym("MCSM1" , 0x30) #Auto freq. cal.
384 self.pokebysym("MCSM0" , 0x14)
386 self.pokebysym("TEST2" , 0x88) #
387 self.pokebysym("TEST1" , 0x31) #
388 self.pokebysym("TEST0" , 0x09) # High VCO (Upper band.)
389 self.pokebysym("PA_TABLE0", 0xC0) # Max output power.
390 self.pokebysym("PKTCTRL1" , 0x45) # Preamble qualidy 2*4=6, adr check, status
391 self.pokebysym("PKTCTRL0" , 0x00) # No whitening, CR, fixed len.
393 self.pokebysym("PKTLEN" , 0x09) # Packet length.
395 self.pokebysym("SYNC1",0xB0);
396 self.pokebysym("SYNC0",0xB0);
397 self.pokebysym("ADDR", 0xB0);
399 def config_ook(self,band="none"):
400 self.pokebysym("FSCTRL1" , 0x0C) #08 # Frequency synthesizer control.
401 self.pokebysym("FSCTRL0" , 0x00) # Frequency synthesizer control.
403 #Don't change these while the radio is active.
404 self.pokebysym("FSCAL3" , 0xEA) # Frequency synthesizer calibration.
405 self.pokebysym("FSCAL2" , 0x2A) # Frequency synthesizer calibration.
406 self.pokebysym("FSCAL1" , 0x00) # Frequency synthesizer calibration.
407 self.pokebysym("FSCAL0" , 0x1F) # Frequency synthesizer calibration.
409 if band=="ismeu" or band=="eu":
410 self.pokebysym("FREQ2" , 0x21) # Frequency control word, high byte.
411 self.pokebysym("FREQ1" , 0x71) # Frequency control word, middle byte.
412 self.pokebysym("FREQ0" , 0x7a) # Frequency control word, low byte.
413 elif band=="ismus" or band=="us":
414 self.pokebysym("FREQ2" , 0x22) # Frequency control word, high byte.
415 self.pokebysym("FREQ1" , 0xB1) # Frequency control word, middle byte.
416 self.pokebysym("FREQ0" , 0x3B) # Frequency control word, low byte.
417 elif band=="ismlf" or band=="lf":
418 self.pokebysym("FREQ2" , 0x0C) # Frequency control word, high byte.
419 self.pokebysym("FREQ1" , 0x1D) # Frequency control word, middle byte.
420 self.pokebysym("FREQ0" , 0x89) # Frequency control word, low byte.
424 #Got a frequency, not a band.
425 self.RF_setfreq(eval(band));
429 #self.pokebysym("MDMCFG4" , 0x85)
430 #self.pokebysym("MDMCFG3" , 0x83)
432 #self.pokebysym("MDMCFG4" , 0xf4)
433 #self.pokebysym("MDMCFG3" , 0x43)
435 #self.pokebysym("MDMCFG4" , 0xf6)
436 #self.pokebysym("MDMCFG3" , 0x83)
439 #print "Warning: Default to 4.8kbaud.";
440 #self.pokebysym("MDMCFG4" , 0xf7)
441 #self.pokebysym("MDMCFG3" , 0x83)
443 #print "Warning: Default to 9.6kbaud.";
446 self.pokebysym("MDMCFG4" , 0xf8)
447 self.pokebysym("MDMCFG3" , 0x83)
448 self.pokebysym("MDMCFG2" , 0x34) # OOK, carrier-sense, no-manchester
450 #Kind aright for keeloq
451 print "Warning: Guessing baud rate.";
452 #self.pokebysym("MDMCFG4" , 0xf6)
453 #self.pokebysym("MDMCFG3" , 0x93)
454 #self.pokebysym("MDMCFG2" , 0x3C) # OOK, carrier-sense, manchester
456 self.pokebysym("MDMCFG1" , 0x00) # Modem configuration.
457 self.pokebysym("MDMCFG0" , 0xF8) # Modem configuration.
458 self.pokebysym("CHANNR" , 0x00) # Channel number.
460 self.pokebysym("FREND1" , 0x56) # Front end RX configuration.
461 self.pokebysym("FREND0" , 0x11) # Front end RX configuration.
462 self.pokebysym("MCSM0" , 0x18) # Main Radio Control State Machine configuration.
463 #self.pokebysym("FOCCFG" , 0x1D) # Frequency Offset Compensation Configuration.
464 #self.pokebysym("BSCFG" , 0x1C) # Bit synchronization Configuration.
466 #self.pokebysym("AGCCTRL2" , 0xC7) # AGC control.
467 #self.pokebysym("AGCCTRL1" , 0x00) # AGC control.
468 #self.pokebysym("AGCCTRL0" , 0xB2) # AGC control.
470 self.pokebysym("TEST2" , 0x81) # Various test settings.
471 self.pokebysym("TEST1" , 0x35) # Various test settings.
472 self.pokebysym("TEST0" , 0x0B) # Various test settings.
473 self.pokebysym("PA_TABLE0", 0xc2) # Max output power.
474 self.pokebysym("PKTCTRL1" , 0x04) # Packet automation control, w/ lqi
475 #self.pokebysym("PKTCTRL1" , 0x00) # Packet automation control. w/o lqi
476 #self.pokebysym("PKTCTRL0" , 0x05) # Packet automation control, w/ checksum.
477 self.pokebysym("PKTCTRL0" , 0x00) # Packet automation control, w/o checksum, fixed length
478 self.pokebysym("ADDR" , 0x01) # Device address.
479 self.pokebysym("PKTLEN" , 0xFF) # Packet length.
481 self.pokebysym("SYNC1",0xD3);
482 self.pokebysym("SYNC0",0x91);
484 def config_simpliciti(self,band="none"):
485 self.pokebysym("FSCTRL1" , 0x0C) #08 # Frequency synthesizer control.
486 self.pokebysym("FSCTRL0" , 0x00) # Frequency synthesizer control.
488 #Don't change these while the radio is active.
489 self.pokebysym("FSCAL3" , 0xEA) # Frequency synthesizer calibration.
490 self.pokebysym("FSCAL2" , 0x2A) # Frequency synthesizer calibration.
491 self.pokebysym("FSCAL1" , 0x00) # Frequency synthesizer calibration.
492 self.pokebysym("FSCAL0" , 0x1F) # Frequency synthesizer calibration.
494 if band=="ismeu" or band=="eu":
495 self.pokebysym("FREQ2" , 0x21) # Frequency control word, high byte.
496 self.pokebysym("FREQ1" , 0x71) # Frequency control word, middle byte.
497 self.pokebysym("FREQ0" , 0x7a) # Frequency control word, low byte.
498 elif band=="ismus" or band=="us":
499 self.pokebysym("FREQ2" , 0x22) # Frequency control word, high byte.
500 self.pokebysym("FREQ1" , 0xB1) # Frequency control word, middle byte.
501 self.pokebysym("FREQ0" , 0x3B) # Frequency control word, low byte.
502 elif band=="ismlf" or band=="lf":
503 self.pokebysym("FREQ2" , 0x10) # Frequency control word, high byte.
504 self.pokebysym("FREQ1" , 0xB0) # Frequency control word, middle byte.
505 self.pokebysym("FREQ0" , 0x71) # Frequency control word, low byte.
509 #Got a frequency, not a band.
510 self.RF_setfreq(eval(band));
511 self.pokebysym("MDMCFG4" , 0x7B) # Modem configuration.
512 self.pokebysym("MDMCFG3" , 0x83) # Modem configuration.
513 self.pokebysym("MDMCFG2" , 0x13) # Modem configuration.
514 self.pokebysym("MDMCFG1" , 0x22) # Modem configuration.
515 self.pokebysym("MDMCFG0" , 0xF8) # Modem configuration.
516 if band=="ismus" or band=="us":
517 self.pokebysym("CHANNR" , 20) # Channel number.
519 self.pokebysym("CHANNR" , 0x00) # Channel number.
520 self.pokebysym("DEVIATN" , 0x42) # Modem deviation setting (when FSK modulation is enabled).
522 self.pokebysym("FREND1" , 0xB6) # Front end RX configuration.
523 self.pokebysym("FREND0" , 0x10) # Front end RX configuration.
524 self.pokebysym("MCSM0" , 0x18) # Main Radio Control State Machine configuration.
525 self.pokebysym("FOCCFG" , 0x1D) # Frequency Offset Compensation Configuration.
526 self.pokebysym("BSCFG" , 0x1C) # Bit synchronization Configuration.
528 self.pokebysym("AGCCTRL2" , 0xC7) # AGC control.
529 self.pokebysym("AGCCTRL1" , 0x00) # AGC control.
530 self.pokebysym("AGCCTRL0" , 0xB2) # AGC control.
532 self.pokebysym("TEST2" , 0x81) # Various test settings.
533 self.pokebysym("TEST1" , 0x35) # Various test settings.
534 self.pokebysym("TEST0" , 0x09) # Various test settings.
535 self.pokebysym("PA_TABLE0", 0xc0) # Max output power.
536 self.pokebysym("PKTCTRL1" , 0x04) # Packet automation control, w/ lqi
537 #self.pokebysym("PKTCTRL1" , 0x00) # Packet automation control. w/o lqi
538 self.pokebysym("PKTCTRL0" , 0x05) # Packet automation control, w/ checksum.
539 #self.pokebysym("PKTCTRL0" , 0x00) # Packet automation control, w/o checksum, fixed length
540 self.pokebysym("ADDR" , 0x01) # Device address.
541 self.pokebysym("PKTLEN" , 0xFF) # Packet length.
543 self.pokebysym("SYNC1",0xD3);
544 self.pokebysym("SYNC0",0x91);
546 def RF_carrier(self):
547 """Hold a carrier wave on the present frequency."""
549 self.CC1110_crystal(); #FIXME, '1110 specific.
555 self.config_simpliciti();
557 #Don't change these while the radio is active.
558 #self.pokebysym("FSCAL3" , 0xA9) # Frequency synthesizer calibration.
559 #self.pokebysym("FSCAL2" , 0x0A) # Frequency synthesizer calibration.
560 #self.pokebysym("FSCAL1" , 0x00) # Frequency synthesizer calibration.
561 #self.pokebysym("FSCAL0" , 0x11) # Frequency synthesizer calibration.
564 #self.pokebysym("PA_TABLE0", 0xFF) # PA output power setting.
566 #This is what drops to OOK.
567 #Comment to keep GFSK, might be better at jamming.
568 self.pokebysym("MDMCFG4" , 0x86) # Modem configuration.
569 self.pokebysym("MDMCFG3" , 0x83) # Modem configuration.
570 self.pokebysym("MDMCFG2" , 0x30) # Modem configuration.
571 self.pokebysym("MDMCFG1" , 0x22) # Modem configuration.
572 self.pokebysym("MDMCFG0" , 0xF8) # Modem configuration.
574 self.pokebysym("SYNC1",0xAA);
575 self.pokebysym("SYNC0",0xAA);
577 #while ((MARCSTATE & MARCSTATE_MARC_STATE) != MARC_STATE_TX);
580 while((state!=0x13)):
581 self.pokebyte(RFST,0x03); #RFST=RFST_STX
583 state=self.peekbysym("MARCSTATE")&0x1F;
584 #print "state=%02x" % state;
585 print "Holding a carrier on %f MHz." % (self.RF_getfreq()/10**6);
589 def RF_getsmac(self):
590 """Return the source MAC address."""
592 #Register 0A is RX_ADDR_P0, five bytes.
593 mac=self.peekbysym("ADDR");
595 def RF_setsmac(self,mac):
596 """Set the source MAC address."""
597 self.pokebysym("ADDR",mac);
599 def RF_gettmac(self):
600 """Return the target MAC address."""
602 def RF_settmac(self,mac):
603 """Set the target MAC address."""
605 def RF_rxpacket(self):
606 """Get a packet from the radio. Returns None if none is waiting."""
607 self.shellcodefile("rxpacket.ihx");
608 len=self.peek8(0xFE00,"xdata");
609 return self.peekblock(0xFE00,len+3,"data");
610 def RF_txpacket(self,packet):
611 """Transmit a packet. Untested."""
613 self.pokeblock(0xFE00,packet,"data");
614 self.shellcodefile("txpacket.ihx");
616 def RF_txrxpacket(self,packet):
617 """Transmit a packet. Untested."""
619 self.pokeblock(0xFE00,packet,"data");
620 self.shellcodefile("txrxpacket.ihx");
621 len=self.peek8(0xFE00,"xdata");
622 return self.peekblock(0xFE00,len+3,"data");
624 def RF_getrssi(self):
625 """Returns the received signal strenght, with a weird offset."""
627 rssireg=self.symbols.get("RSSI");
628 return self.CCpeekdatabyte(rssireg)^0x80;
630 if self.verbose>0: print "RSSI reg doesn't exist.";
632 #RSSI doesn't exist on some 2.4GHz devices. Maybe RSSIL and RSSIH?
633 rssilreg=self.symbols.get("RSSIL");
634 rssil=self.CCpeekdatabyte(rssilreg);
635 rssihreg=self.symbols.get("RSSIL");
636 rssih=self.CCpeekdatabyte(rssihreg);
637 return (rssih<<8)|rssil;
639 if self.verbose>0: print "RSSIL/RSSIH regs don't exist.";
643 def SRF_loadsymbols(self):
644 ident=self.CCident();
645 chip=self.CCversions.get(ident&0xFF00);
646 dom=self.SRF_chipdom(chip,"register_definition.xml");
647 for e in dom.getElementsByTagName("registerdefinition"):
648 for f in e.childNodes:
649 if f.localName=="Register":
654 for g in f.childNodes:
655 if g.localName=="Name":
656 name=g.childNodes[0].nodeValue;
657 elif g.localName=="Address":
658 address=g.childNodes[0].nodeValue;
659 elif g.localName=="Description":
661 description=g.childNodes[0].nodeValue;
662 elif g.localName=="Bitfield":
663 bitfields+="%17s/* %-50s */\n" % ("",self.SRF_bitfieldstr(g));
664 #print "SFRX(%10s, %s); /* %50s */" % (name,address, description);
665 self.symbols.define(eval(address),name,description,"data");
671 self.writecmd(self.APP,0x86,0,self.data);
674 def CCreleasecpu(self):
675 """Resume the CPU."""
676 self.writecmd(self.APP,0x87,0,self.data);
680 #print "Status: %s" % self.CCstatusstr();
682 #Grab ident three times, should be equal.
683 ident1=self.CCident();
684 ident2=self.CCident();
685 ident3=self.CCident();
686 if(ident1!=ident2 or ident2!=ident3):
687 print "Error, repeated ident attempts unequal."
688 print "%04x, %04x, %04x" % (ident1, ident2, ident3);
690 #Single step, printing PC.
691 print "Tracing execution at startup."
692 for i in range(1,15):
694 byte=self.CCpeekcodebyte(i);
695 #print "PC=%04x, %02x" % (pc, byte);
698 print "Verifying that debugging a NOP doesn't affect the PC."
699 for i in range(1,15):
701 self.CCdebuginstr([0x00]);
702 if(pc!=self.CCgetPC()):
703 print "ERROR: PC changed during CCdebuginstr([NOP])!";
705 print "Checking pokes to XRAM."
706 for i in range(0xf000,0xf020):
707 self.CCpokedatabyte(i,0xde);
708 if(self.CCpeekdatabyte(i)!=0xde):
709 print "Error in XDATA at 0x%04x" % i;
711 #print "Status: %s." % self.CCstatusstr();
717 """Move the FET into the CC2430/CC2530 application."""
718 #print "Initializing Chipcon.";
719 self.writecmd(self.APP,0x10,0,self.data);
720 def CCrd_config(self):
721 """Read the config register of a Chipcon."""
722 self.writecmd(self.APP,0x82,0,self.data);
723 return ord(self.data[0]);
724 def CCwr_config(self,config):
725 """Write the config register of a Chipcon."""
726 self.writecmd(self.APP,0x81,1,[config&0xFF]);
727 def CClockchip(self):
728 """Set the flash lock bit in info mem."""
729 self.writecmd(self.APP, 0x9A, 0, None);
731 """Set the flash lock bit in info mem."""
735 CCversions={0x0100:"cc1110",
741 0xA500:"cc2530", #page 57 of SWRU191B
746 CCpagesizes={0x01: 1024, #"CC1110",
747 0x11: 1024, #"CC1111",
748 0x85: 2048, #"CC2430",
749 0x89: 2048, #"CC2431",
750 0x81: 1024, #"CC2510",
751 0x91: 1024, #"CC2511",
752 0xA5: 2048, #"CC2530", #page 57 of SWRU191B
753 0xB5: 2048, #"CC2531",
754 0x95: 2048, #"CC2533",
755 0x8D: 2048, #"CC2540",
756 0xFF: 0 } #"CCmissing"};
757 def infostring(self):
758 return self.CCidentstr();
759 def CCidentstr(self):
760 ident=self.CCident();
761 chip=self.CCversions.get(ident&0xFF00);
762 pagesize=self.CCpagesizes.get(ident>0xFF);
764 return "%s/r%0.4x/ps0x%0.4x" % (chip, ident, pagesize);
766 return "%04x" % ident;
768 """Get a chipcon's ID."""
769 self.writecmd(self.APP,0x8B,0,None);
770 chip=ord(self.data[0]);
771 rev=ord(self.data[1]);
772 return (chip<<8)+rev;
773 def CCpagesize(self):
774 """Get a chipcon's ID."""
775 self.writecmd(self.APP,0x8B,0,None);
776 chip=ord(self.data[0]);
777 size=self.CCpagesizes.get(chip);
779 print "ERROR: Pagesize undefined.";
780 print "chip=%0.4x" %chip;
785 return self.CCgetPC();
787 """Get a chipcon's PC."""
788 self.writecmd(self.APP,0x83,0,None);
789 hi=ord(self.data[0]);
790 lo=ord(self.data[1]);
792 def CCcmd(self,phrase):
793 self.writecmd(self.APP,0x00,len(phrase),phrase);
794 val=ord(self.data[0]);
795 print "Got %02x" % val;
797 def CCdebuginstr(self,instr):
798 self.writecmd(self.APP,0x88,len(instr),instr);
799 return ord(self.data[0]);
800 #def peekblock(self,adr,length,memory="vn"):
801 # """Return a block of data, broken"""
802 # data=[adr&0xff, (adr&0xff00)>>8,
803 # length&0xFF,(length&0xFF00)>>8];
804 # self.writecmd(self.APP,0x91,4,data);
805 # return [ord(x) for x in self.data]
806 def peek8(self,address, memory="code"):
807 if(memory=="code" or memory=="flash" or memory=="vn"):
808 return self.CCpeekcodebyte(address);
809 elif(memory=="data" or memory=="xdata" or memory=="ram"):
810 return self.CCpeekdatabyte(address);
811 elif(memory=="idata" or memory=="iram"):
812 return self.CCpeekirambyte(address);
813 print "%s is an unknown memory." % memory;
815 def CCpeekcodebyte(self,adr):
816 """Read the contents of code memory at an address."""
817 self.data=[adr&0xff, (adr&0xff00)>>8];
818 self.writecmd(self.APP,0x90,2,self.data);
819 return ord(self.data[0]);
820 def CCpeekdatabyte(self,adr):
821 """Read the contents of data memory at an address."""
822 self.data=[adr&0xff, (adr&0xff00)>>8];
823 self.writecmd(self.APP,0x91, 2, self.data);
824 return ord(self.data[0]);
825 def CCpeekirambyte(self,adr):
826 """Read the contents of IRAM at an address."""
827 self.data=[adr&0xff];
828 self.writecmd(self.APP,0x02, 1, self.data);
829 return ord(self.data[0]);
830 def CCpeekiramword(self,adr):
831 """Read the little-endian contents of IRAM at an address."""
832 return self.CCpeekirambyte(adr)+(
833 self.CCpeekirambyte(adr+1)<<8);
834 def CCpokeiramword(self,adr,val):
835 self.CCpokeirambyte(adr,val&0xff);
836 self.CCpokeirambyte(adr+1,(val>>8)&0xff);
837 def CCpokeirambyte(self,adr,val):
838 """Write the contents of IRAM at an address."""
839 self.data=[adr&0xff, val&0xff];
840 self.writecmd(self.APP,0x02, 2, self.data);
841 return ord(self.data[0]);
842 def pokebyte(self,adr,val,mem="xdata"):
843 self.CCpokedatabyte(adr,val);
844 def CCpokedatabyte(self,adr,val):
845 """Write a byte to data memory."""
846 self.data=[adr&0xff, (adr&0xff00)>>8, val];
847 self.writecmd(self.APP, 0x92, 3, self.data);
848 return ord(self.data[0]);
849 def CCchiperase(self):
850 """Erase all of the target's memory."""
851 self.writecmd(self.APP,0x80,0,None);
853 """Erase all of the target's memory."""
858 """Check the status."""
859 self.writecmd(self.APP,0x84,0,None);
860 return ord(self.data[0])
862 CCstatusbits={0x80 : "erase_busy",
866 0x08 : "halt_status",
871 CCconfigbits={0x20 : "soft_power_mode", #new for CC2530
874 0x02 : "timer_suspend",
875 0x01 : "sel_flash_info_page" #stricken from CC2530
879 """Check the status as a string."""
880 status=self.CCstatus();
885 str="%s %s" %(self.CCstatusbits[i],str);
889 """Start debugging."""
891 self.writecmd(self.APP,0x20,0,self.data);
892 ident=self.CCident();
893 if ident==0xFFFF or ident==0x0000:
894 self.writecmd(self.APP,0x20,0,self.data);
895 ident=self.CCident();
898 #print "Target identifies as %s." % ident;
899 #print "Status: %s." % self.status();
902 #Get SmartRF Studio regs if they exist.
906 """Stop debugging."""
907 self.writecmd(self.APP,0x21,0,self.data);
908 def CCstep_instr(self):
909 """Step one instruction."""
910 self.writecmd(self.APP,0x89,0,self.data);
911 def CCeraseflashbuffer(self):
912 """Erase the 2kB flash buffer"""
913 self.writecmd(self.APP,0x99);
914 def CCflashpage(self,adr):
915 """Flash 2kB a page of flash from 0xF000 in XDATA"""
920 print "Flashing buffer to 0x%06x" % adr;
921 self.writecmd(self.APP,0x95,4,data);
923 def setsecret(self,value):
924 """Set a secret word for later retreival. Used by glitcher."""
926 pagelen = self.CCpagesize(); #Varies by chip.
927 print "page=%04x, pagelen=%04x" % (page,pagelen);
929 self.CCeraseflashbuffer();
930 print "Setting secret to %x" % value;
931 self.CCpokedatabyte(0xF000,value);
932 self.CCpokedatabyte(0xF800,value);
933 print "Setting secret to %x==%x" % (value,
934 self.CCpeekdatabyte(0xf000));
936 print "code[0]=%x" % self.CCpeekcodebyte(0);
938 """Get a secret word. Used by glitcher."""
939 secret=self.CCpeekcodebyte(0);
940 #print "Got secret %02x" % secret;
1060 def getSPR(self,args=[]):
1061 """Get special function registers."""
1062 print "Special Function Registers:"
1065 print " %-8s : 0x%0.2x"%(e,self.CCpeekcodebyte(self.CCspecfuncregs[e]))
1067 for e in self.CCspecfuncregs.keys():
1068 print " %-8s : 0x%0.2x"%(e,self.CCpeekcodebyte(self.CCspecfuncregs[e]))
1070 def dump(self,file,start=0,stop=0xffff):
1071 """Dump an intel hex file from code memory."""
1072 print "Dumping code from %04x to %04x as %s." % (start,stop,file);
1076 h[i]=self.CCpeekcodebyte(i);
1078 print "Dumped %04x."%i;
1079 h.write_hex_file(file); #buffer to disk.
1081 h.write_hex_file(file);
1083 def flash(self,file):
1084 """Flash an intel hex file to code memory."""
1085 print "Flashing %s" % file;
1089 pagelen = self.CCpagesize(); #Varies by chip.
1091 #print "page=%04x, pagelen=%04x" % (page,pagelen);
1095 #Wipe the RAM buffer for the next flash page.
1096 self.CCeraseflashbuffer();
1097 for i in h._buf.keys():
1098 while(i>=page+pagelen):
1100 self.CCflashpage(page);
1101 #client.CCeraseflashbuffer();
1103 print "Flashed page at %06x" % page
1106 #Place byte into buffer.
1107 self.CCpokedatabyte(0xF000+i-page,
1111 print "Buffering %04x toward %06x" % (i,page);
1113 self.CCflashpage(page);
1114 print "Flashed final page at %06x" % page;
projects / goodfet / blob