//This could be more accurate.
//Does it ever need to be?
#define CCSPEED 3
-#define CCDELAY(x) delay(x)
+//#define CCDELAY(x) delay(x)
+#define CCDELAY(x)
#define SETMOSI P5OUT|=MOSI
#define CLRMOSI P5OUT&=~MOSI
void ccsetup(){
P5OUT|=MOSI+SCK+RST;
P5DIR|=MOSI+SCK+RST;
- //P5DIR&=~MISO; //MOSI is MISO
+ //P5REN=0xFF;
}
//! Initialize the debugger
void ccdebuginit(){
+ //Port output BUT NOT DIRECTION is set at start.
+ P5OUT|=MOSI+SCK+RST;
+
+ delay(30); //So the beginning is ready for glitching.
+
//Two positive debug clock pulses while !RST is low.
//Take RST low, pulse twice, then high.
P5OUT&=~SCK;
P5OUT&=~RST;
- //pulse twice
- CCDELAY(CCSPEED);
- P5OUT|=SCK; //up
- CCDELAY(CCSPEED);
- P5OUT&=~SCK; //down
- CCDELAY(CCSPEED);
- P5OUT|=SCK; //up
- CCDELAY(CCSPEED);
- P5OUT&=~SCK; //down
+ //Two rising edges.
+ P5OUT^=SCK; //up
+ P5OUT^=SCK; //down
+ P5OUT^=SCK; //up
+ P5OUT^=SCK; //Unnecessary.
+
//Raise !RST.
P5OUT|=RST;
if(cmddata[0]&0x4)
ccread(1);
txdata(app,verb,1);
-
break;
case WRITE: //Write a command with no reply.
cccmd(len);
txdata(app,verb,0);
break;
case START://enter debugger
- ccsetup();
+ //ccsetup(); //interferes with glitching
ccdebuginit();
txdata(app,verb,0);
break;
txdata(app,NOK,0);//TODO add me
break;
case CC_GET_CHIP_ID:
- cc_get_chip_id();
+ cmddataword[0]=cc_get_chip_id();
txdata(app,verb,2);
break;
void cc_lockchip(){
register int i;
- debugstr("Locking chip.");
+ //debugstr("Locking chip.");
cc_wr_config(1);//Select Info Flash
if(!(cc_rd_config()&1))
debugstr("Config forgotten!");
//! Read the CHIP ID bytes.
unsigned short cc_get_chip_id(){
- unsigned short toret;
cmddata[0]=CCCMD_GET_CHIP_ID; //0x68
cccmd(1);
ccread(2);
+
+
+ //Find the flash word size.
+ switch(cmddata[0]){
+ case 0x01://CC1110
+ case 0x81://CC2510
+ case 0x91://CC2511
+ flash_word_size=0x02;
+ //debugstr("2 bytes/flash word");
+ break;
+ default:
+ debugstr("Warning: Guessing flash word size.");
+ case 0x85://CC2430
+ case 0x89://CC2431
+ //debugstr("4 bytes/flash word");
+ flash_word_size=0x04;
+ break;
+ }
//Return the word.
- toret=cmddata[1];
- toret=(toret<<8)+cmddata[1];
- return toret;
+ return cmddataword[0];
}
//! Populates flash buffer in xdata.
//32-bit words, 2KB pages
+//0x20 0x00 for CC2430, CC1110
#define HIBYTE_WORDS_PER_FLASH_PAGE 0x02
#define LOBYTE_WORDS_PER_FLASH_PAGE 0x00
-#define FLASHPAGE_SIZE 0x800
-//32 bit words
-#define FLASH_WORD_SIZE 0x4
+/** Ugh, this varies by chip.
+ 0x800 for CC2430
+ 0x400 for CC1110
+*/
+//#define FLASHPAGE_SIZE 0x400
+#define MAXFLASHPAGE_SIZE 0x800
+#define MINFLASHPAGE_SIZE 0x400
+
+
+//32 bit words on CC2430
+//16 bit words on CC1110
+//#define FLASH_WORD_SIZE 0x2
+u8 flash_word_size = 0; //0x02;
+
+
+/* Flash Write Timing
+ MHZ | FWT (0xAB)
+ 12 | 0x10
+ 13 | 0x11
+ 16 | 0x15
+ 24 | 0x20
+ 26 | 0x23 (IM ME)
+ 32 | 0x2A (Modula.si)
+*/
+//#define FWT 0x23
const u8 flash_routine[] = {
+ //0:
//MOV FADDRH, #imm;
0x75, 0xAD,
0x00,//#imm=((address >> 8) / FLASH_WORD_SIZE) & 0x7E,
+ //0x75, 0xAB, 0x23, //Set FWT per clock
0x75, 0xAC, 0x00, // MOV FADDRL, #00;
/* Erase page. */
0x75, 0xAE, 0x01, // MOV FLC, #01H; // ERASE
// ; Wait for flash erase to complete
0xE5, 0xAE, // eraseWaitLoop: MOV A, FLC;
0x20, 0xE7, 0xFB, // JB ACC_BUSY, eraseWaitLoop;
+
/* End erase page. */
// ; Initialize the data pointer
0x90, 0xF0, 0x00, // MOV DPTR, #0F000H;
0x7E, LOBYTE_WORDS_PER_FLASH_PAGE, // MOV R6, #imm;
0x75, 0xAE, 0x02, // MOV FLC, #02H; // WRITE
// ; Inner loops
- 0x7D, FLASH_WORD_SIZE, // writeLoop: MOV R5, #imm;
+ //24:
+ 0x7D, 0xde /*FLASH_WORD_SIZE*/, // writeLoop: MOV R5, #imm;
0xE0, // writeWordLoop: MOVX A, @DPTR;
0xA3, // INC DPTR;
0xF5, 0xAF, // MOV FWDATA, A;
0xDF, 0xEF, // DJNZ R7, writeLoop;
// ; Done, fake a breakpoint
0xA5 // DB 0xA5;
-};
+};
//! Copies flash buffer to flash.
//Assumes that page has already been written to XDATA 0xF000
//debugstr("Flashing 2kb at 0xF000 to given adr.");
- if(adr&(FLASHPAGE_SIZE-1)){
- debugstr("Flash page address is not on a multiple of 2kB. Aborting.");
+ if(adr&(MINFLASHPAGE_SIZE-1)){
+ debugstr("Flash page address is not on a page boundary. Aborting.");
return;
}
+ if(flash_word_size==0){
+ debugstr("Flash word size is wrong.");
+ while(1);
+ }
+
//Routine comes next
//WRITE_XDATA_MEMORY(IN: 0xF000 + FLASH_PAGE_SIZE, sizeof(routine), routine);
- cc_write_xdata(0xF000+FLASHPAGE_SIZE,
+ cc_write_xdata(0xF000+MAXFLASHPAGE_SIZE,
(u8*) flash_routine, sizeof(flash_routine));
//Patch routine's third byte with
//((address >> 8) / FLASH_WORD_SIZE) & 0x7E
- cc_pokedatabyte(0xF000+FLASHPAGE_SIZE+2,
- ((adr>>8)/FLASH_WORD_SIZE)&0x7E);
+ cc_pokedatabyte(0xF000+MAXFLASHPAGE_SIZE+2,
+ ((adr>>8)/flash_word_size)&0x7E);
+ //Patch routine to define FLASH_WORD_SIZE
+ if(flash_routine[25]!=0xde)
+ debugstr("Ugly patching code failing in chipcon.c");
+ cc_pokedatabyte(0xF000+MAXFLASHPAGE_SIZE+25,
+ flash_word_size);
+
//debugstr("Wrote flash routine.");
cmddata[1]=0xc7;
cmddata[2]=0x51;
cc_debug_instr(3);
- debugstr("Loaded bank info.");
+ //debugstr("Loaded bank info.");
- cc_set_pc(0xf000+FLASHPAGE_SIZE);//execute code fragment
+ cc_set_pc(0xf000+MAXFLASHPAGE_SIZE);//execute code fragment
cc_resume();
- debugstr("Executing.");
+ //debugstr("Executing.");
while(!(cc_read_status()&CC_STATUS_CPUHALTED)){
}
- debugstr("Done flashing.");
+ //debugstr("Done flashing.");
P1OUT&=~1;//clear LED
}