2 # GoodFET Chipcon Example
4 # (C) 2009 Travis Goodspeed <travis at radiantmachines.com>
6 # This code is being rewritten and refactored. You've been warned!
11 from GoodFETCC import GoodFETCC;
12 from GoodFETConsole import GoodFETConsole;
13 from intelhex import IntelHex;
# Print helper for a received packet. Only the signature and the formatting
# step are visible in this excerpt: each value `foo` is appended to the
# running string `s` as a space followed by two lowercase hex digits.
# NOTE(review): the loop header and the initial value of `s` are not shown;
# presumably `foo` iterates over `packet` -- confirm against the full file.
16 def printpacket(packet):
21 s="%s %02x" % (s,foo);
# Handle one received SimpliciTI frame: count it, print button/x/y/z values
# for data frames, and transmit a fixed reply to link and join requests.
# Much of the body is elided in this excerpt, so the notes below cover only
# the visible lines.
25 def handlesimplicitipacket(packet):
# Module-level running count of frames; it is the first column of the data
# line printed further down.
28 global simplepacketcount;
29 simplepacketcount=simplepacketcount+1;
45 #payload begins at byte 10.
# `&` binds tighter than `==` in Python, so this tests (byte & 0x80) == 0.
# NOTE(review): `len` must be a local assigned on a line not shown (it
# shadows the builtin inside this function). Bit 7 of that trailing byte is
# presumably the radio's CRC-OK flag -- confirm. Frames that fail the test
# are reported and not processed further.
47 if packet[len+2]&0x80==0:
48 print "# Dropped broken packet.";
# Columns: frame count, button, x, y, z (extracted on lines not shown).
56 print "%09i %03i %4i %4i %4i" % (simplepacketcount,button,x,y,z);
59 #Link request. Gotta send a proper reply to get data.
61 #14 ff ff ff ff 3c b7 e3 98
# The visible reply fields are: the requester's 4-byte source address echoed
# back, this script's own address, a reply marker with the request's
# transaction id, and a link token. Address and token are constants
# hard-coded in this script.
66 src[0], src[1], src[2], src[3],
67 0x78,0x56,0x34,0x10, #my address.
69 0x81, tid, #reply, tid
71 0x20,0x00,0xad,0xde, #link token
# The same reply is transmitted 49 times back to back (range(1,50)); the
# FIXME in the message marks this as a stopgap for reply timing.
74 print "#FIXME FAST: repeatedly broadcasting ACK to catch LINK on the next attempt.";
75 for foo in range(1,50):
76 client.RF_txpacket(reply);
80 #print "Join request.";
83 print "Not a join request. WTF?";
# Join reply: same layout as the link reply, with a different fixed token.
# NOTE(review): the leading 0x12 is presumably the frame length byte, per
# the "one byte shorter" remark -- confirm.
86 reply=[0x12, #reply is one byte shorter
87 src[0], src[1], src[2], src[3],
88 0x78,0x56,0x34,0x10, #my address.
90 0x81, tid, #reply, tid
92 0xef,0xbe,0xad,0xde, #Join token
# Again sent 49 times in a row, for the same reason as the link reply.
95 print "#FIXME FAST: repeatedly broadcasting ACK to catch JOIN on the next attempt.";
97 for foo in range(1,50):
98 client.RF_txpacket(reply);
# The remaining ports are only reported by name; no reply is visible for
# them in this excerpt.
102 print "Security request.";
104 print "Frequency request.";
106 print "Management request.";
108 print "Unknown Port %02x" %port;
# With no verb on the command line, print the list of supported verbs.
# The first group reads or writes the target chip over the debug interface
# (erase, flash, dump*, peek*, poke*, verify). The last group drives the
# radio: per the help text, carrier and reflex transmit, while rssi and the
# sniff* verbs receive.
# NOTE(review): whatever follows the usage text (for example an exit) is
# not shown in this excerpt.
110 if(len(sys.argv)==1):
111 print "Usage: %s verb [objects]\n" % sys.argv[0];
112 print "%s erase" % sys.argv[0];
113 print "%s flash $foo.hex" % sys.argv[0];
114 print "%s test" % sys.argv[0];
115 print "%s term" % sys.argv[0];
116 print "%s info" % sys.argv[0];
117 print "%s infotest" % sys.argv[0];
118 print "%s halt" % sys.argv[0];
119 print "%s regs" % sys.argv[0];
120 print "%s dumpcode $foo.hex [0x$start 0x$stop]" % sys.argv[0];
121 print "%s dumpdata $foo.hex [0x$start 0x$stop]" % sys.argv[0];
122 print "%s writedata $foo.hex [0x$start 0x$stop]" % sys.argv[0];
123 print "%s verify $foo.hex [0x$start 0x$stop]" % sys.argv[0];
124 print "%s peekdata 0x$start [0x$stop]" % sys.argv[0];
125 print "%s pokedata 0x$adr 0x$val" % sys.argv[0];
126 print "%s peek 0x$iram" % sys.argv[0];
127 print "%s poke 0x$iram 0x$val" % sys.argv[0];
128 print "%s peekcode 0x$start [0x$stop]" % sys.argv[0];
130 print "%s rssi [freq]\n\tGraphs signal strength on [freq] Hz." % sys.argv[0];
131 print "%s carrier [freq]\n\tHolds a carrier on [freq] Hz." % sys.argv[0];
132 print "%s reflex [freq]\n\tJams on [freq] Hz." % sys.argv[0];
133 print "%s sniffsimpliciti [us|eu|lf]\n\tSniffs SimpliciTI packets." % sys.argv[0];
134 print "%s sniffdash7 [lf]\n\tSniffs Dash7. (untested)" % sys.argv[0];
135 print "%s snifficlicker [us]\n\tSniffs iClicker." % sys.argv[0];
140 #Initialize FET and set baud rate
141 #client=GoodFET.GoodFETCC.GoodFETCC();
# carrier: tune the radio to the frequency given as the second argument.
# NOTE(review): eval() runs that argument as a Python expression, so whatever
# is typed there executes with this process's privileges. The peek/poke verbs
# in this file parse their arguments with int(x,16); float(sys.argv[2]) or
# int(sys.argv[2],0) would accept a plain frequency without evaluating code.
# That matters as soon as the script is wrapped by another tool that passes
# arguments through.
151 if(sys.argv[1]=="carrier"):
153 client.RF_setfreq(eval(sys.argv[2]));
# reflex: configure the radio, write the RSSI threshold to xdata 0xFE00,
# load reflex.ihx onto the target, then poll until the target halts and read
# the byte at 0xFE00 back as the RSSI that triggered.
# NOTE(review): `threshold` is assigned on a line not shown. "reflex.ihx" is
# a relative name; where it is looked up depends on shellcodefile() --
# confirm it cannot resolve to a file in an untrusted working directory.
158 if(sys.argv[1]=="reflex"):
159 client.CC1110_crystal();
162 client.config_simpliciti();
# Same eval() on a command-line argument as in the carrier verb above.
166 client.RF_setfreq(eval(sys.argv[2]));
# NOTE(review): this is Python 2 (print statement), so if RF_getfreq()
# returns an int, /10**6 truncates and %f shows whole MHz only; the rssi
# verb divides by 10.0**6 instead.
167 print "Listening on %f MHz." % (client.RF_getfreq()/10**6);
168 print "Jamming if RSSI>=%i" % threshold;
170 client.pokebyte(0xFE00,threshold,"xdata"); #Write threshold to shellcode.
171 client.shellcodefile("reflex.ihx");
# Loop while the target reports not halted; the loop body is not shown.
174 while(0==client.ishalted()):
176 rssi=client.peek8(0xFE00,"xdata");
177 print "Activated jamming with RSSI of %i, going again for another packet." % rssi;
178 #client.CCdebuginstr([0x02, 0xf0, 0x00]); #ljmp 0xF000
# rssi: configure the radio, tune to the requested frequency, then print a
# text bar graph of the received signal strength.
182 if(sys.argv[1]=="rssi"):
183 client.CC1110_crystal();
186 client.config_simpliciti();
# NOTE(review): eval() executes the argument as Python code; a numeric parse
# such as float(sys.argv[2]) would take a frequency without that side effect.
189 client.RF_setfreq(eval(sys.argv[2]));
190 print "Listening on %f MHz." % (client.RF_getfreq()/10.0**6);
# The radio is strobed around each reading (CAL before, IDLE after); the
# lines between these calls are not shown in this excerpt.
194 client.CC_RFST_CAL();
199 rssi=client.RF_getrssi();
200 client.CC_RFST_IDLE(); #idle
# One dot per four RSSI units (rssi>>2), appended to `string`, whose initial
# value is set on a line not shown.
203 for foo in range(0,rssi>>2):
204 string=("%s."%string);
# Output columns: RSSI in hex, RSSI in decimal, then the dot bar.
205 print "%02x %04i %s" % (rssi,rssi, string);
# The five verbs below share one sequence: start the crystal oscillator,
# apply a protocol configuration, print the local address and frequency,
# then receive packets. `region` and the receive-loop headers are set on
# lines not shown in this excerpt.
#
# sniff: the config_simpliciti(region) call is commented out, so this verb
# listens with whatever radio configuration is already in effect.
207 if(sys.argv[1]=="sniff"):
208 client.CC1110_crystal();
211 #client.config_simpliciti(region);
213 print "Listening as %x on %f MHz" % (client.RF_getsmac(),
214 client.RF_getfreq()/10.0**6);
215 #Now we're ready to get packets.
219 packet=client.RF_rxpacket();
# sniffsimpliciti: receive with the SimpliciTI configuration for `region`.
223 if(sys.argv[1]=="sniffsimpliciti"):
228 client.CC1110_crystal();
231 client.config_simpliciti(region);
233 print "Listening as %x on %f MHz" % (client.RF_getsmac(),
234 client.RF_getfreq()/10.0**6);
235 #Now we're ready to get packets.
239 packet=client.RF_rxpacket();
# sniffdash7: receive with the Dash7 configuration (marked untested in the
# usage text).
242 if(sys.argv[1]=="sniffdash7"):
247 client.CC1110_crystal();
250 client.config_dash7(region);
252 print "Listening as %x on %f MHz" % (client.RF_getsmac(),
253 client.RF_getfreq()/10.0**6);
254 #Now we're ready to get packets.
258 packet=client.RF_rxpacket();
# snifficlicker: receive with the iClicker configuration.
261 if(sys.argv[1]=="snifficlicker"):
266 client.CC1110_crystal();
269 client.config_iclicker(region);
271 print "Listening as %x on %f MHz" % (client.RF_getsmac(),
272 client.RF_getfreq()/10.0**6);
273 #Now we're ready to get packets.
277 packet=client.RF_rxpacket();
# simpliciti: unlike the sniff* verbs, every received packet is passed to
# handlesimplicitipacket(), which calls client.RF_txpacket() to answer link
# and join requests -- this verb transmits, it is not a passive receiver.
281 if(sys.argv[1]=="simpliciti"):
286 client.CC1110_crystal();
289 client.config_simpliciti(region);
291 print "# Listening as %x on %f MHz" % (client.RF_getsmac(),
292 client.RF_getfreq()/10.0**6);
293 #Now we're ready to get packets.
297 packet=client.RF_rxpacket();
298 handlesimplicitipacket(packet);
# term: hand the connected client to the interactive GoodFET console.
303 if(sys.argv[1]=="term"):
304 GoodFETConsole(client).run();
# test: body not shown in this excerpt.
305 if(sys.argv[1]=="test"):
# deadtest: print the chip identification string nine times (range(1,10)).
307 if(sys.argv[1]=="deadtest"):
308 for i in range(1,10):
309 print "IDENT as %s" % client.CCidentstr();
# dumpcode: read code memory one byte at a time into `h` and report
# progress. The optional start/stop arguments are parsed as hexadecimal.
# NOTE(review): `f`, `h` and the loop header are set on lines not shown;
# presumably `f` is the output file name and `h` an IntelHex object.
310 if(sys.argv[1]=="dumpcode"):
315 start=int(sys.argv[3],16);
317 stop=int(sys.argv[4],16);
319 print "Dumping code from %04x to %04x as %s." % (start,stop,f);
323 h[i]=client.CCpeekcodebyte(i);
325 print "Dumped %04x."%i;
# dumpdata: same flow as dumpcode, reading through CCpeekdatabyte instead.
328 if(sys.argv[1]=="dumpdata"):
333 start=int(sys.argv[3],16);
335 stop=int(sys.argv[4],16);
337 print "Dumping data from %04x to %04x as %s." % (start,stop,f);
341 h[i]=client.CCpeekdatabyte(i);
343 print "Dumped %04x."%i;
# status: print the debug status reported by the client.
346 if(sys.argv[1]=="status"):
347 print "Status: %s" %client.status();
# halt: body not shown in this excerpt.
348 if(sys.argv[1]=="halt"):
352 if(sys.argv[1]=="infotest"):
355 print "Ident %s" % client.CCidentstr();
# info: print the chip identity, then frequency and RSSI. The "unknown"
# message is a fallback whose triggering condition is not shown.
356 if(sys.argv[1]=="info"):
357 print "Ident %s" % client.CCidentstr();
# NOTE(review): under Python 2, /10**6 truncates if RF_getfreq() returns an
# int, so the %10.3f field would always show .000 -- confirm the return type.
360 print "Freq %10.3f MHz" % (client.RF_getfreq()/10**6);
361 print "RSSI %02x" % client.RF_getrssi();
363 print "Freq, RSSI, etc unknown. Install SmartRF7.";
364 #print "Rate %10i kbps" % (client.RF_getrate()/1000);
365 #print "PacketLen %02i bytes" % client.RF_getpacketlen();
366 #print "SMAC 0x%010x" % client.RF_getsmac();
367 #print "TMAC 0x%010x" % client.RF_gettmac();
# regs: body not shown in this excerpt.
369 if(sys.argv[1]=="regs"):
# erase: print the status, issue a chip erase, print the status again.
# The erase is issued as soon as the verb matches; no confirmation step
# appears between the test and the CCchiperase() call.
372 if(sys.argv[1]=="erase"):
373 print "Status: %s" % client.status();
374 client.CCchiperase();
375 print "Status: %s" %client.status();
# peekinfo: write 1 to the debug config (announced as selecting info flash),
# echo the config back, then read bytes through the code-memory peek.
# NOTE(review): whether the config is restored afterwards is not visible in
# this excerpt -- confirm, since later code reads would otherwise still see
# the info page.
377 if(sys.argv[1]=="peekinfo"):
378 print "Select info flash."
379 client.CCwr_config(1);
380 print "Config is %02x" % client.CCrd_config();
384 start=int(sys.argv[2],16);
387 stop=int(sys.argv[3],16);
388 print "Peeking from %04x to %04x." % (start,stop);
390 print "%04x: %02x" % (start,client.CCpeekcodebyte(start));
# poke: write one byte to internal RAM; address and value are parsed as hex
# and passed straight to the client with no range check at this level.
392 if(sys.argv[1]=="poke"):
393 client.CCpokeirambyte(int(sys.argv[2],16),
394 int(sys.argv[3],16));
# randtest: set RNDH and ADCCON1 (the same pair of writes appears twice),
# then read RNDH nine times, writing ADCCON1=0x04 after each read, release
# the CPU, and print the byte at 0xDF61 (chip ID per the inline comment).
395 if(sys.argv[1]=="randtest"):
397 client.CCpokeirambyte(0xBD,0x01); #RNDH=0x01
398 client.CCpokeirambyte(0xB4,0x04); #ADCCON1=0x04
399 client.CCpokeirambyte(0xBD,0x01); #RNDH=0x01
400 client.CCpokeirambyte(0xB4,0x04); #ADCCON1=0x04
403 for foo in range(1,10):
404 print "%02x" % client.CCpeekirambyte(0xBD); #RNDH
405 client.CCpokeirambyte(0xB4,0x04); #ADCCON1=0x04
406 client.CCreleasecpu();
408 print "%02x" % client.CCpeekdatabyte(0xDF61); #CHIP ID
# adctest: print the two data bytes at 0xDF3A and 0xDF3B as one hex word.
409 if(sys.argv[1]=="adctest"):
410 # ADCTest 0xDF3A 0xDF3B
411 print "ADC TEST %02x%02x" % (
412 client.CCpeekdatabyte(0xDF3A),
413 client.CCpeekdatabyte(0xDF3B));
# config: print the current debug config byte.
414 if(sys.argv[1]=="config"):
415 print "Config is %02x" % client.CCrd_config();
# flash: optional start/stop bounds parsed as hex; the programming call
# itself is on lines not shown.
417 if(sys.argv[1]=="flash"):
422 start=int(sys.argv[3],16);
424 stop=int(sys.argv[4],16);
# lock: status is printed before and after; the locking call between the
# two prints is not shown in this excerpt.
427 if(sys.argv[1]=="lock"):
428 print "Status: %s" %client.status();
430 print "Status: %s" %client.status();
# flashpage: write one flash page at the hex address in argv[2]; the message
# says the page contents come from 0xF000 in XDATA.
431 if(sys.argv[1]=="flashpage"):
434 target=int(sys.argv[2],16);
435 print "Writing a page of flash from 0xF000 in XDATA"
436 client.CCflashpage(target);
# erasebuffer: clear the flash buffer on the target.
437 if(sys.argv[1]=="erasebuffer"):
438 print "Erasing flash buffer.";
439 client.CCeraseflashbuffer();
# writedata: write each byte of the loaded hex image whose address lies in
# [start, stop] (stop inclusive) to data memory.
# NOTE(review): h._buf is a private attribute of the hex object; if `h` is
# an intelhex.IntelHex, h.addresses() is the public way to list addresses.
# The verify verb below uses an exclusive upper bound (i<stop), so a byte
# written at `stop` here is never checked there.
441 if(sys.argv[1]=="writedata"):
446 start=int(sys.argv[3],16);
448 stop=int(sys.argv[4],16);
452 for i in h._buf.keys():
453 if(i>=start and i<=stop):
454 client.CCpokedatabyte(i,h[i]);
457 #if(sys.argv[1]=="flashtest"):
458 # client.CCflashtest();
# peekdata: print data-memory bytes from start to stop (hex arguments); the
# loop header is not shown.
459 if(sys.argv[1]=="peekdata"):
462 start=int(sys.argv[2],16);
465 stop=int(sys.argv[3],16);
466 print "Peeking from %04x to %04x." % (start,stop);
468 print "%04x: %02x" % (start,client.CCpeekdatabyte(start));
# peek: same as peekdata, but reads internal RAM.
470 if(sys.argv[1]=="peek"):
473 start=int(sys.argv[2],16);
476 stop=int(sys.argv[3],16);
477 print "Peeking from %04x to %04x." % (start,stop);
479 print "%04x: %02x" % (start,client.CCpeekirambyte(start));
# verify: compare code memory against the loaded hex image for addresses in
# [start, stop) and report each mismatch.
# NOTE(review): the upper bound is exclusive here but inclusive in
# writedata; pick one convention. The comparison line is not shown.
481 if(sys.argv[1]=="verify"):
486 start=int(sys.argv[3],16);
488 stop=int(sys.argv[4],16);
491 for i in h._buf.keys():
492 if(i>=start and i<stop):
493 peek=client.CCpeekcodebyte(i)
495 print "ERROR at %04x, found %02x not %02x"%(i,peek,h[i]);
# peekcode: same as peekdata, but reads code memory.
498 if(sys.argv[1]=="peekcode"):
501 start=int(sys.argv[2],16);
504 stop=int(sys.argv[3],16);
505 print "Peeking from %04x to %04x." % (start,stop);
507 print "%04x: %02x" % (start,client.CCpeekcodebyte(start));
# pokedata: write one byte to data memory; address and value are parsed as
# hex and announced before the write.
509 if(sys.argv[1]=="pokedata"):
513 start=int(sys.argv[2],16);
515 val=int(sys.argv[3],16);
516 print "Poking %04x to become %02x." % (start,val);
517 client.CCpokedatabyte(start,val);