2 # GoodFET Client Library
4 # (C) 2009 Travis Goodspeed <travis at radiantmachines.com>
6 # This code is being rewritten and refactored. You've been warned!
11 from GoodFET import GoodFET;
12 from intelhex import IntelHex;
14 import xml.dom.minidom, time;
16 class GoodFETCC(GoodFET):
17 """A GoodFET variant for use with Chipcon 8051 Zigbee SoC."""
23 smartrfpath="/opt/smartrf7";
24 def loadsymbols(self):
25 try: self.SRF_loadsymbols();
27 if self.verbose>0: print "SmartRF not found at %s." % self.smartrfpath;
28 def SRF_chipdom(self,chip="cc1110", doc="register_definition.xml"):
29 fn="%s/config/xml/%s/%s" % (self.smartrfpath,chip,doc);
30 #print "Opening %s" % fn;
31 return xml.dom.minidom.parse(fn)
33 def CMDrs(self,args=[]):
34 """Chip command to grab the radio state."""
36 self.SRF_radiostate();
38 print "Error printing radio state.";
39 print "SmartRF not found at %s." % self.smartrfpath;
40 def SRF_bitfieldstr(self,bf):
47 for e in bf.childNodes:
48 if e.localName=="Name" and e.childNodes: name= e.childNodes[0].nodeValue;
49 elif e.localName=="Start": start=e.childNodes[0].nodeValue;
50 elif e.localName=="Stop": stop=e.childNodes[0].nodeValue;
51 return " [%s:%s] %30s " % (start,stop,name);
52 def SRF_radiostate(self):
54 chip=self.CCversions.get(ident&0xFF00);
55 dom=self.SRF_chipdom(chip,"register_definition.xml");
56 for e in dom.getElementsByTagName("registerdefinition"):
57 for f in e.childNodes:
58 if f.localName=="DeviceName":
59 print "// %s RadioState" % (f.childNodes[0].nodeValue);
60 elif f.localName=="Register":
65 for g in f.childNodes:
66 if g.localName=="Name":
67 name=g.childNodes[0].nodeValue;
68 elif g.localName=="Address":
69 address=g.childNodes[0].nodeValue;
70 elif g.localName=="Description":
72 description=g.childNodes[0].nodeValue;
73 elif g.localName=="Bitfield":
74 bitfields+="%17s/* %-50s */\n" % ("",self.SRF_bitfieldstr(g));
75 #print "SFRX(%10s, %s); /* %50s */" % (name,address, description);
76 print "%-10s=0x%02x; /* %-50s */" % (
77 name,self.CCpeekdatabyte(eval(address)), description);
78 if bitfields!="": print bitfields.rstrip();
79 def RF_setfreq(self,frequency):
80 """Set the frequency in Hz."""
81 #FIXME CC1110 specific
82 #Some frequencies fail, probably and FSCAL thing.
85 freq=int(hz/396.728515625);
88 freq1=(freq&0xFF00)>>8;
89 freq2=(freq&0xFF0000)>>16;
91 self.pokebysym("FREQ2",freq2);
92 self.pokebysym("FREQ1",freq1);
93 self.pokebysym("FREQ0",freq0);
95 self.pokebysym("TEST1",0x31);
96 self.pokebysym("TEST0",0x09);
99 #self.pokebysym("FSCAL2" , 0x2A); #above mid
100 self.pokebysym("FSCAL2" , 0x0A); #beneath mid
102 #self.CC_RFST_CAL(); #SCAL
106 def RF_getfreq(self):
107 """Get the frequency in Hz."""
108 #FIXME CC1110 specific
110 #return (2400+self.peek(0x05))*10**6
111 #self.poke(0x05,chan);
113 #freq2=self.CCpeekdatabyte(0xdf09);
114 #freq1=self.CCpeekdatabyte(0xdf0a);
115 #freq0=self.CCpeekdatabyte(0xdf0b);
118 freq2=self.peekbysym("FREQ2");
119 freq1=self.peekbysym("FREQ1");
120 freq0=self.peekbysym("FREQ0");
121 freq=(freq2<<16)+(freq1<<8)+freq0;
125 hz=freq*396.728515625;
128 lastshellcode="none";
129 def shellcodefile(self,filename,wait=1):
130 """Run a fragment of shellcode by name."""
131 #FIXME: should identify chip model number, use shellcode for that chip.
133 if self.lastshellcode!=filename:
134 self.lastshellcode=filename;
136 file=file.replace("GoodFETCC.pyc","GoodFETCC.py");
137 path=file.replace("GoodFETCC.py","shellcode/chipcon/cc1110/");
138 filename=path+filename;
141 h=IntelHex(filename);
142 for i in h._buf.keys():
143 self.CCpokedatabyte(i,h[i]);
146 self.CCdebuginstr([0x02, 0xf0, 0x00]); #ljmp 0xF000
148 while wait>0 and (0==self.CCstatus()&0x20):
151 #print "Waiting for shell code to return.";
154 return self.CCstatus()&0x20;
155 def shellcode(self,code,wait=1):
156 """Copy a block of code into RAM and execute it."""
160 self.pokebyte(0xF000+i,byte);
162 #print "Code loaded, executing."
163 self.CCdebuginstr([0x02, 0xf0, 0x00]); #ljmp 0xF000
165 while wait>0 and (0==self.CCstatus()&0x20):
168 #print "Waiting for shell code to return.";
170 def CC1110_crystal(self):
171 """Start the main crystal of the CC1110 oscillating, needed for radio use."""
172 code=[0x53, 0xBE, 0xFB, #anl SLEEP, #0xFB
174 0xE5, 0xBE, #mov a,SLEEP
175 0x30, 0xE6, 0xFB, #jnb acc.6, back
176 0x53, 0xc6, 0xB8, #anl CLKCON, #0xB8
178 0xE5, 0xC6, #mov a,CLKCON
179 0x20, 0xE6, 0xFB, #jb acc.6, two
180 0x43, 0xBE, 0x04, #orl SLEEP, #0x04
183 self.shellcode(code);
185 #Slower to load, but produced from C.
186 #self.shellcodefile("crystal.ihx");
189 """Move the radio to its idle state."""
193 #Chipcon RF strobes. CC1110 specific
198 def CC_RFST_IDLE(self):
199 """Switch the radio to idle mode, clearing overflows and errors."""
200 self.CC_RFST(self.RFST_IDLE);
201 def CC_RFST_TX(self):
202 """Switch the radio to TX mode."""
203 self.CC_RFST(self.RFST_TX);
204 def CC_RFST_RX(self):
205 """Switch the radio to RX mode."""
206 self.CC_RFST(self.RFST_RX);
207 def CC_RFST_CAL(self):
208 """Calibrate strobe the radio."""
209 self.CC_RFST(self.RFST_CAL);
210 def CC_RFST(self,state=RFST_IDLE):
212 self.pokebyte(RFST,state); #Return to idle state.
214 def config_dash7(self,band="lf"):
215 #These settings came from the OpenTag project's GIT repo on 18 Dec, 2010.
216 #Waiting for official confirmation of the accuracy.
218 self.pokebysym("FSCTRL1" , 0x08) # Frequency synthesizer control.
219 self.pokebysym("FSCTRL0" , 0x00) # Frequency synthesizer control.
221 #Don't change these while the radio is active.
222 self.pokebysym("FSCAL3" , 0xEA) # Frequency synthesizer calibration.
223 self.pokebysym("FSCAL2" , 0x2A) # Frequency synthesizer calibration.
224 self.pokebysym("FSCAL1" , 0x00) # Frequency synthesizer calibration.
225 self.pokebysym("FSCAL0" , 0x1F) # Frequency synthesizer calibration.
227 if band=="ismeu" or band=="eu":
228 print "There is no official eu band for dash7."
229 self.pokebysym("FREQ2" , 0x21) # Frequency control word, high byte.
230 self.pokebysym("FREQ1" , 0x71) # Frequency control word, middle byte.
231 self.pokebysym("FREQ0" , 0x7a) # Frequency control word, low byte.
232 elif band=="ismus" or band=="us":
233 print "There is no official us band for dash7."
234 self.pokebysym("FREQ2" , 0x22) # Frequency control word, high byte.
235 self.pokebysym("FREQ1" , 0xB1) # Frequency control word, middle byte.
236 self.pokebysym("FREQ0" , 0x3B) # Frequency control word, low byte.
237 elif band=="ismlf" or band=="lf":
238 # 433.9198 MHz, same as Simpliciti.
239 self.pokebysym("FREQ2" , 0x10) # Frequency control word, high byte.
240 self.pokebysym("FREQ1" , 0xB0) # Frequency control word, middle byte.
241 self.pokebysym("FREQ0" , 0x71) # Frequency control word, low byte.
245 #Got a frequency, not a band.
246 self.RF_setfreq(eval(band));
247 self.pokebysym("MDMCFG4" , 0x8B) # 62.5 kbps w/ 200 kHz filter
248 self.pokebysym("MDMCFG3" , 0x3B)
249 self.pokebysym("MDMCFG2" , 0x11)
250 self.pokebysym("MDMCFG1" , 0x02)
251 self.pokebysym("MDMCFG0" , 0x53)
252 self.pokebysym("CHANNR" , 0x00) # Channel zero.
253 self.pokebysym("DEVIATN" , 0x50) # 50 kHz deviation
255 self.pokebysym("FREND1" , 0xB6) # Front end RX configuration.
256 self.pokebysym("FREND0" , 0x10) # Front end RX configuration.
257 self.pokebysym("MCSM2" , 0x1E)
258 self.pokebysym("MCSM1" , 0x3F)
259 self.pokebysym("MCSM0" , 0x30)
260 self.pokebysym("FOCCFG" , 0x1D) # Frequency Offset Compensation Configuration.
261 self.pokebysym("BSCFG" , 0x1E) # 6.25% data error rate
263 self.pokebysym("AGCCTRL2" , 0xC7) # AGC control.
264 self.pokebysym("AGCCTRL1" , 0x00) # AGC control.
265 self.pokebysym("AGCCTRL0" , 0xB2) # AGC control.
267 self.pokebysym("TEST2" , 0x81) # Various test settings.
268 self.pokebysym("TEST1" , 0x35) # Various test settings.
269 self.pokebysym("TEST0" , 0x09) # Various test settings.
270 self.pokebysym("PA_TABLE0", 0xc0) # Max output power.
271 self.pokebysym("PKTCTRL1" , 0x04) # Packet automation control, w/ lqi
272 #self.pokebysym("PKTCTRL1" , 0x00) # Packet automation control. w/o lqi
273 self.pokebysym("PKTCTRL0" , 0x05) # Packet automation control, w/ checksum.
274 #self.pokebysym("PKTCTRL0" , 0x00) # Packet automation control, w/o checksum, fixed length
275 self.pokebysym("ADDR" , 0x01) # Device address.
276 self.pokebysym("PKTLEN" , 0xFF) # Packet length.
279 self.pokebysym("SYNC1",0x83);
280 self.pokebysym("SYNC0",0xFE);
282 def config_iclicker(self,band="lf"):
283 #Mike Ossmann figured most of this out, with help from neighbors.
285 self.pokebysym("FSCTRL1" , 0x06) # Frequency synthesizer control.
286 self.pokebysym("FSCTRL0" , 0x00) # Frequency synthesizer control.
288 #Don't change these while the radio is active.
289 self.pokebysym("FSCAL3" , 0xE9)
290 self.pokebysym("FSCAL2" , 0x2A)
291 self.pokebysym("FSCAL1" , 0x00)
292 self.pokebysym("FSCAL0" , 0x1F)
294 if band=="ismeu" or band=="eu":
295 print "The EU band is unknown.";
296 elif band=="ismus" or band=="us":
298 self.pokebysym("FREQ2" , 0x22) # Frequency control word, high byte.
299 self.pokebysym("FREQ1" , 0xD3) # Frequency control word, middle byte.
300 self.pokebysym("FREQ0" , 0xAC) # Frequency control word, low byte.
301 elif band=="ismlf" or band=="lf":
302 print "There is no LF version of the iclicker."
306 #Got a frequency, not a band.
307 self.RF_setfreq(eval(band));
308 # 812.5kHz bandwidth, 152.34 kbaud
309 self.pokebysym("MDMCFG4" , 0x1C)
310 self.pokebysym("MDMCFG3" , 0x80)
311 # no FEC, 2 byte preamble, 250kHz chan spacing
314 #self.pokebysym("MDMCFG2" , 0x01)
316 self.pokebysym("MDMCFG2" , 0x02)
318 self.pokebysym("MDMCFG1" , 0x03)
319 self.pokebysym("MDMCFG0" , 0x3b)
321 self.pokebysym("CHANNR" , 0x2e) # Channel zero.
323 #self.pokebysym("DEVIATN" , 0x71) # 118.5
324 self.pokebysym("DEVIATN" , 0x72) # 253.9 kHz deviation
326 self.pokebysym("FREND1" , 0x56) # Front end RX configuration.
327 self.pokebysym("FREND0" , 0x10) # Front end RX configuration.
328 self.pokebysym("MCSM2" , 0x07)
329 self.pokebysym("MCSM1" , 0x30) #Auto freq. cal.
330 self.pokebysym("MCSM0" , 0x14)
332 self.pokebysym("TEST2" , 0x88) #
333 self.pokebysym("TEST1" , 0x31) #
334 self.pokebysym("TEST0" , 0x09) # High VCO (Upper band.)
335 self.pokebysym("PA_TABLE0", 0xC0) # Max output power.
336 self.pokebysym("PKTCTRL1" , 0x45) # Preamble qualidy 2*4=6, adr check, status
337 self.pokebysym("PKTCTRL0" , 0x00) # No whitening, CR, fixed len.
339 self.pokebysym("PKTLEN" , 0x09) # Packet length.
341 self.pokebysym("SYNC1",0xB0);
342 self.pokebysym("SYNC0",0xB0);
343 self.pokebysym("ADDR", 0xB0);
345 def config_ook(self,band="none"):
346 self.pokebysym("FSCTRL1" , 0x0C) #08 # Frequency synthesizer control.
347 self.pokebysym("FSCTRL0" , 0x00) # Frequency synthesizer control.
349 #Don't change these while the radio is active.
350 self.pokebysym("FSCAL3" , 0xEA) # Frequency synthesizer calibration.
351 self.pokebysym("FSCAL2" , 0x2A) # Frequency synthesizer calibration.
352 self.pokebysym("FSCAL1" , 0x00) # Frequency synthesizer calibration.
353 self.pokebysym("FSCAL0" , 0x1F) # Frequency synthesizer calibration.
355 if band=="ismeu" or band=="eu":
356 self.pokebysym("FREQ2" , 0x21) # Frequency control word, high byte.
357 self.pokebysym("FREQ1" , 0x71) # Frequency control word, middle byte.
358 self.pokebysym("FREQ0" , 0x7a) # Frequency control word, low byte.
359 elif band=="ismus" or band=="us":
360 self.pokebysym("FREQ2" , 0x22) # Frequency control word, high byte.
361 self.pokebysym("FREQ1" , 0xB1) # Frequency control word, middle byte.
362 self.pokebysym("FREQ0" , 0x3B) # Frequency control word, low byte.
363 elif band=="ismlf" or band=="lf":
364 self.pokebysym("FREQ2" , 0x0C) # Frequency control word, high byte.
365 self.pokebysym("FREQ1" , 0x1D) # Frequency control word, middle byte.
366 self.pokebysym("FREQ0" , 0x89) # Frequency control word, low byte.
370 #Got a frequency, not a band.
371 self.RF_setfreq(eval(band));
375 #self.pokebysym("MDMCFG4" , 0x85)
376 #self.pokebysym("MDMCFG3" , 0x83)
378 #self.pokebysym("MDMCFG4" , 0xf4)
379 #self.pokebysym("MDMCFG3" , 0x43)
381 #self.pokebysym("MDMCFG4" , 0xf6)
382 #self.pokebysym("MDMCFG3" , 0x83)
385 #print "Warning: Default to 4.8kbaud.";
386 #self.pokebysym("MDMCFG4" , 0xf7)
387 #self.pokebysym("MDMCFG3" , 0x83)
389 #print "Warning: Default to 9.6kbaud.";
392 self.pokebysym("MDMCFG4" , 0xf8)
393 self.pokebysym("MDMCFG3" , 0x83)
394 self.pokebysym("MDMCFG2" , 0x34) # OOK, carrier-sense, no-manchester
396 #Kind aright for keeloq
397 print "Warning: Guessing baud rate.";
398 #self.pokebysym("MDMCFG4" , 0xf6)
399 #self.pokebysym("MDMCFG3" , 0x93)
400 #self.pokebysym("MDMCFG2" , 0x3C) # OOK, carrier-sense, manchester
402 self.pokebysym("MDMCFG1" , 0x00) # Modem configuration.
403 self.pokebysym("MDMCFG0" , 0xF8) # Modem configuration.
404 self.pokebysym("CHANNR" , 0x00) # Channel number.
406 self.pokebysym("FREND1" , 0x56) # Front end RX configuration.
407 self.pokebysym("FREND0" , 0x11) # Front end RX configuration.
408 self.pokebysym("MCSM0" , 0x18) # Main Radio Control State Machine configuration.
409 #self.pokebysym("FOCCFG" , 0x1D) # Frequency Offset Compensation Configuration.
410 #self.pokebysym("BSCFG" , 0x1C) # Bit synchronization Configuration.
412 #self.pokebysym("AGCCTRL2" , 0xC7) # AGC control.
413 #self.pokebysym("AGCCTRL1" , 0x00) # AGC control.
414 #self.pokebysym("AGCCTRL0" , 0xB2) # AGC control.
416 self.pokebysym("TEST2" , 0x81) # Various test settings.
417 self.pokebysym("TEST1" , 0x35) # Various test settings.
418 self.pokebysym("TEST0" , 0x0B) # Various test settings.
419 self.pokebysym("PA_TABLE0", 0xc2) # Max output power.
420 self.pokebysym("PKTCTRL1" , 0x04) # Packet automation control, w/ lqi
421 #self.pokebysym("PKTCTRL1" , 0x00) # Packet automation control. w/o lqi
422 #self.pokebysym("PKTCTRL0" , 0x05) # Packet automation control, w/ checksum.
423 self.pokebysym("PKTCTRL0" , 0x00) # Packet automation control, w/o checksum, fixed length
424 self.pokebysym("ADDR" , 0x01) # Device address.
425 self.pokebysym("PKTLEN" , 0xFF) # Packet length.
427 self.pokebysym("SYNC1",0xD3);
428 self.pokebysym("SYNC0",0x91);
430 def config_simpliciti(self,band="none"):
431 self.pokebysym("FSCTRL1" , 0x0C) #08 # Frequency synthesizer control.
432 self.pokebysym("FSCTRL0" , 0x00) # Frequency synthesizer control.
434 #Don't change these while the radio is active.
435 self.pokebysym("FSCAL3" , 0xEA) # Frequency synthesizer calibration.
436 self.pokebysym("FSCAL2" , 0x2A) # Frequency synthesizer calibration.
437 self.pokebysym("FSCAL1" , 0x00) # Frequency synthesizer calibration.
438 self.pokebysym("FSCAL0" , 0x1F) # Frequency synthesizer calibration.
440 if band=="ismeu" or band=="eu":
441 self.pokebysym("FREQ2" , 0x21) # Frequency control word, high byte.
442 self.pokebysym("FREQ1" , 0x71) # Frequency control word, middle byte.
443 self.pokebysym("FREQ0" , 0x7a) # Frequency control word, low byte.
444 elif band=="ismus" or band=="us":
445 self.pokebysym("FREQ2" , 0x22) # Frequency control word, high byte.
446 self.pokebysym("FREQ1" , 0xB1) # Frequency control word, middle byte.
447 self.pokebysym("FREQ0" , 0x3B) # Frequency control word, low byte.
448 elif band=="ismlf" or band=="lf":
449 self.pokebysym("FREQ2" , 0x10) # Frequency control word, high byte.
450 self.pokebysym("FREQ1" , 0xB0) # Frequency control word, middle byte.
451 self.pokebysym("FREQ0" , 0x71) # Frequency control word, low byte.
455 #Got a frequency, not a band.
456 self.RF_setfreq(eval(band));
457 self.pokebysym("MDMCFG4" , 0x7B) # Modem configuration.
458 self.pokebysym("MDMCFG3" , 0x83) # Modem configuration.
459 self.pokebysym("MDMCFG2" , 0x13) # Modem configuration.
460 self.pokebysym("MDMCFG1" , 0x22) # Modem configuration.
461 self.pokebysym("MDMCFG0" , 0xF8) # Modem configuration.
462 if band=="ismus" or band=="us":
463 self.pokebysym("CHANNR" , 20) # Channel number.
465 self.pokebysym("CHANNR" , 0x00) # Channel number.
466 self.pokebysym("DEVIATN" , 0x42) # Modem deviation setting (when FSK modulation is enabled).
468 self.pokebysym("FREND1" , 0xB6) # Front end RX configuration.
469 self.pokebysym("FREND0" , 0x10) # Front end RX configuration.
470 self.pokebysym("MCSM0" , 0x18) # Main Radio Control State Machine configuration.
471 self.pokebysym("FOCCFG" , 0x1D) # Frequency Offset Compensation Configuration.
472 self.pokebysym("BSCFG" , 0x1C) # Bit synchronization Configuration.
474 self.pokebysym("AGCCTRL2" , 0xC7) # AGC control.
475 self.pokebysym("AGCCTRL1" , 0x00) # AGC control.
476 self.pokebysym("AGCCTRL0" , 0xB2) # AGC control.
478 self.pokebysym("TEST2" , 0x81) # Various test settings.
479 self.pokebysym("TEST1" , 0x35) # Various test settings.
480 self.pokebysym("TEST0" , 0x09) # Various test settings.
481 self.pokebysym("PA_TABLE0", 0xc0) # Max output power.
482 self.pokebysym("PKTCTRL1" , 0x04) # Packet automation control, w/ lqi
483 #self.pokebysym("PKTCTRL1" , 0x00) # Packet automation control. w/o lqi
484 self.pokebysym("PKTCTRL0" , 0x05) # Packet automation control, w/ checksum.
485 #self.pokebysym("PKTCTRL0" , 0x00) # Packet automation control, w/o checksum, fixed length
486 self.pokebysym("ADDR" , 0x01) # Device address.
487 self.pokebysym("PKTLEN" , 0xFF) # Packet length.
489 self.pokebysym("SYNC1",0xD3);
490 self.pokebysym("SYNC0",0x91);
492 def RF_carrier(self):
493 """Hold a carrier wave on the present frequency."""
495 self.CC1110_crystal(); #FIXME, '1110 specific.
501 self.config_simpliciti();
503 #Don't change these while the radio is active.
504 #self.pokebysym("FSCAL3" , 0xA9) # Frequency synthesizer calibration.
505 #self.pokebysym("FSCAL2" , 0x0A) # Frequency synthesizer calibration.
506 #self.pokebysym("FSCAL1" , 0x00) # Frequency synthesizer calibration.
507 #self.pokebysym("FSCAL0" , 0x11) # Frequency synthesizer calibration.
510 #self.pokebysym("PA_TABLE0", 0xFF) # PA output power setting.
512 #This is what drops to OOK.
513 #Comment to keep GFSK, might be better at jamming.
514 self.pokebysym("MDMCFG4" , 0x86) # Modem configuration.
515 self.pokebysym("MDMCFG3" , 0x83) # Modem configuration.
516 self.pokebysym("MDMCFG2" , 0x30) # Modem configuration.
517 self.pokebysym("MDMCFG1" , 0x22) # Modem configuration.
518 self.pokebysym("MDMCFG0" , 0xF8) # Modem configuration.
521 self.pokebysym("SYNC1",0xAA);
522 self.pokebysym("SYNC0",0xAA);
526 #while ((MARCSTATE & MARCSTATE_MARC_STATE) != MARC_STATE_TX);
529 while((state!=0x13)):
530 self.pokebyte(RFST,0x03); #RFST=RFST_STX
532 state=self.peekbysym("MARCSTATE")&0x1F;
533 #print "state=%02x" % state;
534 print "Holding a carrier on %f MHz." % (self.RF_getfreq()/10**6);
538 def RF_getsmac(self):
539 """Return the source MAC address."""
541 #Register 0A is RX_ADDR_P0, five bytes.
542 mac=self.peekbysym("ADDR");
544 def RF_setsmac(self,mac):
545 """Set the source MAC address."""
546 self.pokebysym("ADDR",mac);
548 def RF_gettmac(self):
549 """Return the target MAC address."""
551 def RF_settmac(self,mac):
552 """Set the target MAC address."""
554 def RF_rxpacket(self):
555 """Get a packet from the radio. Returns None if none is waiting."""
556 self.shellcodefile("rxpacket.ihx");
557 len=self.peek8(0xFE00,"xdata");
558 return self.peekblock(0xFE00,len+3,"data");
559 def RF_txpacket(self,packet):
560 """Transmit a packet. Untested."""
562 self.pokeblock(0xFE00,packet,"data");
563 self.shellcodefile("txpacket.ihx");
565 def RF_txrxpacket(self,packet):
566 """Transmit a packet. Untested."""
568 self.pokeblock(0xFE00,packet,"data");
569 self.shellcodefile("txrxpacket.ihx");
570 len=self.peek8(0xFE00,"xdata");
571 return self.peekblock(0xFE00,len+3,"data");
573 def RF_getrssi(self):
574 """Returns the received signal strenght, with a weird offset."""
576 rssireg=self.symbols.get("RSSI");
577 return self.CCpeekdatabyte(rssireg)^0x80;
579 if self.verbose>0: print "RSSI reg doesn't exist.";
581 #RSSI doesn't exist on 2.4GHz devices. Maybe RSSIL and RSSIH?
582 rssilreg=self.symbols.get("RSSIL");
583 rssil=self.CCpeekdatabyte(rssilreg);
584 rssihreg=self.symbols.get("RSSIL");
585 rssih=self.CCpeekdatabyte(rssihreg);
586 return (rssih<<8)|rssil;
588 if self.verbose>0: print "RSSIL/RSSIH regs don't exist.";
594 def SRF_loadsymbols(self):
595 ident=self.CCident();
596 chip=self.CCversions.get(ident&0xFF00);
597 dom=self.SRF_chipdom(chip,"register_definition.xml");
598 for e in dom.getElementsByTagName("registerdefinition"):
599 for f in e.childNodes:
600 if f.localName=="Register":
605 for g in f.childNodes:
606 if g.localName=="Name":
607 name=g.childNodes[0].nodeValue;
608 elif g.localName=="Address":
609 address=g.childNodes[0].nodeValue;
610 elif g.localName=="Description":
612 description=g.childNodes[0].nodeValue;
613 elif g.localName=="Bitfield":
614 bitfields+="%17s/* %-50s */\n" % ("",self.SRF_bitfieldstr(g));
615 #print "SFRX(%10s, %s); /* %50s */" % (name,address, description);
616 self.symbols.define(eval(address),name,description,"data");
622 self.writecmd(self.APP,0x86,0,self.data);
625 def CCreleasecpu(self):
626 """Resume the CPU."""
627 self.writecmd(self.APP,0x87,0,self.data);
631 #print "Status: %s" % self.CCstatusstr();
633 #Grab ident three times, should be equal.
634 ident1=self.CCident();
635 ident2=self.CCident();
636 ident3=self.CCident();
637 if(ident1!=ident2 or ident2!=ident3):
638 print "Error, repeated ident attempts unequal."
639 print "%04x, %04x, %04x" % (ident1, ident2, ident3);
641 #Single step, printing PC.
642 print "Tracing execution at startup."
643 for i in range(1,15):
645 byte=self.CCpeekcodebyte(i);
646 #print "PC=%04x, %02x" % (pc, byte);
649 print "Verifying that debugging a NOP doesn't affect the PC."
650 for i in range(1,15):
652 self.CCdebuginstr([0x00]);
653 if(pc!=self.CCgetPC()):
654 print "ERROR: PC changed during CCdebuginstr([NOP])!";
656 print "Checking pokes to XRAM."
657 for i in range(0xf000,0xf020):
658 self.CCpokedatabyte(i,0xde);
659 if(self.CCpeekdatabyte(i)!=0xde):
660 print "Error in XDATA at 0x%04x" % i;
662 #print "Status: %s." % self.CCstatusstr();
668 """Move the FET into the CC2430/CC2530 application."""
669 #print "Initializing Chipcon.";
670 self.writecmd(self.APP,0x10,0,self.data);
671 def CCrd_config(self):
672 """Read the config register of a Chipcon."""
673 self.writecmd(self.APP,0x82,0,self.data);
674 return ord(self.data[0]);
675 def CCwr_config(self,config):
676 """Write the config register of a Chipcon."""
677 self.writecmd(self.APP,0x81,1,[config&0xFF]);
678 def CClockchip(self):
679 """Set the flash lock bit in info mem."""
680 self.writecmd(self.APP, 0x9A, 0, None);
682 """Set the flash lock bit in info mem."""
686 CCversions={0x0100:"cc1110",
692 0xA500:"cc2530", #page 52 of SWRU191
695 CCpagesizes={0x01: 1024, #"CC1110",
696 0x11: 1024, #"CC1111",
697 0x85: 2048, #"CC2430",
698 0x89: 2048, #"CC2431",
699 0x81: 1024, #"CC2510",
700 0x91: 1024, #"CC2511",
701 0xA5: 2048, #"CC2530", #page 52 of SWRU191
702 0xB5: 2048, #"CC2531",
703 0xFF: 0 } #"CCmissing"};
704 def infostring(self):
705 return self.CCidentstr();
706 def CCidentstr(self):
707 ident=self.CCident();
708 chip=self.CCversions.get(ident&0xFF00);
709 pagesize=self.CCpagesizes.get(ident>0xFF);
711 return "%s/r%0.4x/ps0x%0.4x" % (chip, ident, pagesize);
713 return "%04x" % ident;
715 """Get a chipcon's ID."""
716 self.writecmd(self.APP,0x8B,0,None);
717 chip=ord(self.data[0]);
718 rev=ord(self.data[1]);
719 return (chip<<8)+rev;
720 def CCpagesize(self):
721 """Get a chipcon's ID."""
722 self.writecmd(self.APP,0x8B,0,None);
723 chip=ord(self.data[0]);
724 size=self.CCpagesizes.get(chip);
726 print "ERROR: Pagesize undefined.";
727 print "chip=%0.4x" %chip;
732 return self.CCgetPC();
734 """Get a chipcon's PC."""
735 self.writecmd(self.APP,0x83,0,None);
736 hi=ord(self.data[0]);
737 lo=ord(self.data[1]);
739 def CCcmd(self,phrase):
740 self.writecmd(self.APP,0x00,len(phrase),phrase);
741 val=ord(self.data[0]);
742 print "Got %02x" % val;
744 def CCdebuginstr(self,instr):
745 self.writecmd(self.APP,0x88,len(instr),instr);
746 return ord(self.data[0]);
747 #def peekblock(self,adr,length,memory="vn"):
748 # """Return a block of data, broken"""
749 # data=[adr&0xff, (adr&0xff00)>>8,
750 # length&0xFF,(length&0xFF00)>>8];
751 # self.writecmd(self.APP,0x91,4,data);
752 # return [ord(x) for x in self.data]
753 def peek8(self,address, memory="code"):
754 if(memory=="code" or memory=="flash" or memory=="vn"):
755 return self.CCpeekcodebyte(address);
756 elif(memory=="data" or memory=="xdata" or memory=="ram"):
757 return self.CCpeekdatabyte(address);
758 elif(memory=="idata" or memory=="iram"):
759 return self.CCpeekirambyte(address);
760 print "%s is an unknown memory." % memory;
762 def CCpeekcodebyte(self,adr):
763 """Read the contents of code memory at an address."""
764 self.data=[adr&0xff, (adr&0xff00)>>8];
765 self.writecmd(self.APP,0x90,2,self.data);
766 return ord(self.data[0]);
767 def CCpeekdatabyte(self,adr):
768 """Read the contents of data memory at an address."""
769 self.data=[adr&0xff, (adr&0xff00)>>8];
770 self.writecmd(self.APP,0x91, 2, self.data);
771 return ord(self.data[0]);
772 def CCpeekirambyte(self,adr):
773 """Read the contents of IRAM at an address."""
774 self.data=[adr&0xff];
775 self.writecmd(self.APP,0x02, 1, self.data);
776 return ord(self.data[0]);
777 def CCpeekiramword(self,adr):
778 """Read the little-endian contents of IRAM at an address."""
779 return self.CCpeekirambyte(adr)+(
780 self.CCpeekirambyte(adr+1)<<8);
781 def CCpokeiramword(self,adr,val):
782 self.CCpokeirambyte(adr,val&0xff);
783 self.CCpokeirambyte(adr+1,(val>>8)&0xff);
784 def CCpokeirambyte(self,adr,val):
785 """Write the contents of IRAM at an address."""
786 self.data=[adr&0xff, val&0xff];
787 self.writecmd(self.APP,0x02, 2, self.data);
788 return ord(self.data[0]);
789 def pokebyte(self,adr,val,mem="xdata"):
790 self.CCpokedatabyte(adr,val);
791 def CCpokedatabyte(self,adr,val):
792 """Write a byte to data memory."""
793 self.data=[adr&0xff, (adr&0xff00)>>8, val];
794 self.writecmd(self.APP, 0x92, 3, self.data);
795 return ord(self.data[0]);
796 def CCchiperase(self):
797 """Erase all of the target's memory."""
798 self.writecmd(self.APP,0x80,0,None);
800 """Erase all of the target's memory."""
805 """Check the status."""
806 self.writecmd(self.APP,0x84,0,None);
807 return ord(self.data[0])
809 CCstatusbits={0x80 : "erase_busy",
813 0x08 : "halt_status",
818 CCconfigbits={0x20 : "soft_power_mode", #new for CC2530
821 0x02 : "timer_suspend",
822 0x01 : "sel_flash_info_page" #stricken from CC2530
826 """Check the status as a string."""
827 status=self.CCstatus();
832 str="%s %s" %(self.CCstatusbits[i],str);
836 """Start debugging."""
838 self.writecmd(self.APP,0x20,0,self.data);
839 ident=self.CCident();
840 if ident==0xFFFF or ident==0x0000:
841 self.writecmd(self.APP,0x20,0,self.data);
842 ident=self.CCident();
845 #print "Target identifies as %s." % ident;
846 #print "Status: %s." % self.status();
849 #Get SmartRF Studio regs if they exist.
853 """Stop debugging."""
854 self.writecmd(self.APP,0x21,0,self.data);
855 def CCstep_instr(self):
856 """Step one instruction."""
857 self.writecmd(self.APP,0x89,0,self.data);
858 def CCeraseflashbuffer(self):
859 """Erase the 2kB flash buffer"""
860 self.writecmd(self.APP,0x99);
861 def CCflashpage(self,adr):
862 """Flash 2kB a page of flash from 0xF000 in XDATA"""
867 print "Flashing buffer to 0x%06x" % adr;
868 self.writecmd(self.APP,0x95,4,data);
870 def setsecret(self,value):
871 """Set a secret word for later retreival. Used by glitcher."""
873 pagelen = self.CCpagesize(); #Varies by chip.
874 print "page=%04x, pagelen=%04x" % (page,pagelen);
876 self.CCeraseflashbuffer();
877 print "Setting secret to %x" % value;
878 self.CCpokedatabyte(0xF000,value);
879 self.CCpokedatabyte(0xF800,value);
880 print "Setting secret to %x==%x" % (value,
881 self.CCpeekdatabyte(0xf000));
883 print "code[0]=%x" % self.CCpeekcodebyte(0);
885 """Get a secret word. Used by glitcher."""
886 secret=self.CCpeekcodebyte(0);
887 #print "Got secret %02x" % secret;
890 def dump(self,file,start=0,stop=0xffff):
891 """Dump an intel hex file from code memory."""
892 print "Dumping code from %04x to %04x as %s." % (start,stop,file);
896 h[i]=self.CCpeekcodebyte(i);
898 print "Dumped %04x."%i;
899 h.write_hex_file(file); #buffer to disk.
901 h.write_hex_file(file);
903 def flash(self,file):
904 """Flash an intel hex file to code memory."""
905 print "Flashing %s" % file;
909 pagelen = self.CCpagesize(); #Varies by chip.
911 #print "page=%04x, pagelen=%04x" % (page,pagelen);
915 #Wipe the RAM buffer for the next flash page.
916 self.CCeraseflashbuffer();
917 for i in h._buf.keys():
918 while(i>=page+pagelen):
920 self.CCflashpage(page);
921 #client.CCeraseflashbuffer();
923 print "Flashed page at %06x" % page
926 #Place byte into buffer.
927 self.CCpokedatabyte(0xF000+i-page,
931 print "Buffering %04x toward %06x" % (i,page);
933 self.CCflashpage(page);
934 print "Flashed final page at %06x" % page;
projects / goodfet / blob