//This could be more accurate.
//Does it ever need to be?
#define CCSPEED 3
-#define CCDELAY(x) delay(x)
+//#define CCDELAY(x) delay(x)
+#define CCDELAY(x)
#define SETMOSI P5OUT|=MOSI
#define CLRMOSI P5OUT&=~MOSI
void ccsetup(){
P5OUT|=MOSI+SCK+RST;
P5DIR|=MOSI+SCK+RST;
- //P5DIR&=~MISO; //MOSI is MISO
+ //P5REN=0xFF;
}
+
+/* 33 cycle critical region
+0000000e <ccdebuginit>:
+ e: f2 d0 0d 00 bis.b #13, &0x0031 ;5 cycles
+ 12: 31 00
+ 14: f2 c2 31 00 bic.b #8, &0x0031 ;4 cycles
+ 18: d2 c3 31 00 bic.b #1, &0x0031 ;4
+ 1c: f2 e2 31 00 xor.b #8, &0x0031 ;4
+ 20: f2 e2 31 00 xor.b #8, &0x0031 ;4
+ 24: f2 e2 31 00 xor.b #8, &0x0031 ;4
+ 28: f2 e2 31 00 xor.b #8, &0x0031 ;4
+ 2c: d2 d3 31 00 bis.b #1, &0x0031 ;4
+ 30: 30 41 ret
+*/
+
+
//! Initialize the debugger
void ccdebuginit(){
+ //Port output BUT NOT DIRECTION is set at start.
+ P5OUT|=MOSI+SCK+RST;
+
+ //delay(30); //So the beginning is ready for glitching.
+
//Two positive debug clock pulses while !RST is low.
//Take RST low, pulse twice, then high.
P5OUT&=~SCK;
P5OUT&=~RST;
- //pulse twice
- CCDELAY(CCSPEED);
- P5OUT|=SCK; //up
- CCDELAY(CCSPEED);
- P5OUT&=~SCK; //down
- CCDELAY(CCSPEED);
- P5OUT|=SCK; //up
- CCDELAY(CCSPEED);
- P5OUT&=~SCK; //down
+ //Two rising edges.
+ P5OUT^=SCK; //up
+ P5OUT^=SCK; //down
+ P5OUT^=SCK; //up
+ P5OUT^=SCK; //Unnecessary.
+
//Raise !RST.
P5OUT|=RST;
break;
case READ: //Write a command and return 1-byte reply.
cccmd(len);
- ccread(1);
+ if(cmddata[0]&0x4)
+ ccread(1);
txdata(app,verb,1);
break;
case WRITE: //Write a command with no reply.
txdata(app,NOK,0);//TODO add me
break;
case CC_GET_CHIP_ID:
- cc_get_chip_id();
+ cmddataword[0]=cc_get_chip_id();
txdata(app,verb,2);
break;
//! Locks the chip.
void cc_lockchip(){
- debugstr("Locking chip.");
+ register int i;
+
+ //debugstr("Locking chip.");
cc_wr_config(1);//Select Info Flash
if(!(cc_rd_config()&1))
debugstr("Config forgotten!");
//Clear config page.
- cc_pokedatabyte(0xf000,0);
+ for(i=0;i<2048;i++)
+ cc_pokedatabyte(0xf000+i,0);
cc_write_flash_page(0);
if(cc_peekcodebyte(0))
debugstr("Failed to clear info flash byte.");
//! Read the CHIP ID bytes.
unsigned short cc_get_chip_id(){
- unsigned short toret;
cmddata[0]=CCCMD_GET_CHIP_ID; //0x68
cccmd(1);
ccread(2);
+
+
+ //Find the flash word size.
+ switch(cmddata[0]){
+ case 0x01://CC1110
+ case 0x81://CC2510
+ case 0x91://CC2511
+ flash_word_size=0x02;
+ //debugstr("2 bytes/flash word");
+ break;
+ default:
+ debugstr("Warning: Guessing flash word size.");
+ case 0x85://CC2430
+ case 0x89://CC2431
+ //debugstr("4 bytes/flash word");
+ flash_word_size=0x04;
+ break;
+ }
//Return the word.
- toret=cmddata[1];
- toret=(toret<<8)+cmddata[1];
- return toret;
+ return cmddataword[0];
}
//! Populates flash buffer in xdata.
//32-bit words, 2KB pages
+//0x20 0x00 for CC2430, CC1110
#define HIBYTE_WORDS_PER_FLASH_PAGE 0x02
#define LOBYTE_WORDS_PER_FLASH_PAGE 0x00
-#define FLASHPAGE_SIZE 0x800
-//32 bit words
-#define FLASH_WORD_SIZE 0x4
+/** Ugh, this varies by chip.
+ 0x800 for CC2430
+ 0x400 for CC1110
+*/
+//#define FLASHPAGE_SIZE 0x400
+#define MAXFLASHPAGE_SIZE 0x800
+#define MINFLASHPAGE_SIZE 0x400
+
+
+//32 bit words on CC2430
+//16 bit words on CC1110
+//#define FLASH_WORD_SIZE 0x2
+u8 flash_word_size = 0; //0x02;
+
+
+/* Flash Write Timing
+ MHZ | FWT (0xAB)
+ 12 | 0x10
+ 13 | 0x11
+ 16 | 0x15
+ 24 | 0x20
+ 26 | 0x23 (IM ME)
+ 32 | 0x2A (Modula.si)
+*/
+//#define FWT 0x23
const u8 flash_routine[] = {
+ //0:
//MOV FADDRH, #imm;
0x75, 0xAD,
0x00,//#imm=((address >> 8) / FLASH_WORD_SIZE) & 0x7E,
+ //0x75, 0xAB, 0x23, //Set FWT per clock
0x75, 0xAC, 0x00, // MOV FADDRL, #00;
/* Erase page. */
0x75, 0xAE, 0x01, // MOV FLC, #01H; // ERASE
// ; Wait for flash erase to complete
0xE5, 0xAE, // eraseWaitLoop: MOV A, FLC;
0x20, 0xE7, 0xFB, // JB ACC_BUSY, eraseWaitLoop;
+
/* End erase page. */
// ; Initialize the data pointer
0x90, 0xF0, 0x00, // MOV DPTR, #0F000H;
0x7E, LOBYTE_WORDS_PER_FLASH_PAGE, // MOV R6, #imm;
0x75, 0xAE, 0x02, // MOV FLC, #02H; // WRITE
// ; Inner loops
- 0x7D, FLASH_WORD_SIZE, // writeLoop: MOV R5, #imm;
+ //24:
+ 0x7D, 0xde /*FLASH_WORD_SIZE*/, // writeLoop: MOV R5, #imm;
0xE0, // writeWordLoop: MOVX A, @DPTR;
0xA3, // INC DPTR;
0xF5, 0xAF, // MOV FWDATA, A;
0xDF, 0xEF, // DJNZ R7, writeLoop;
// ; Done, fake a breakpoint
0xA5 // DB 0xA5;
-};
+};
//! Copies flash buffer to flash.
//Assumes that page has already been written to XDATA 0xF000
//debugstr("Flashing 2kb at 0xF000 to given adr.");
- if(adr&(FLASHPAGE_SIZE-1)){
- debugstr("Flash page address is not on a multiple of 2kB. Aborting.");
+ if(adr&(MINFLASHPAGE_SIZE-1)){
+ debugstr("Flash page address is not on a page boundary. Aborting.");
return;
}
+ if(flash_word_size==0){
+ debugstr("Flash word size is wrong.");
+ while(1);
+ }
+
//Routine comes next
//WRITE_XDATA_MEMORY(IN: 0xF000 + FLASH_PAGE_SIZE, sizeof(routine), routine);
- cc_write_xdata(0xF000+FLASHPAGE_SIZE,
+ cc_write_xdata(0xF000+MAXFLASHPAGE_SIZE,
(u8*) flash_routine, sizeof(flash_routine));
//Patch routine's third byte with
//((address >> 8) / FLASH_WORD_SIZE) & 0x7E
- cc_pokedatabyte(0xF000+FLASHPAGE_SIZE+2,
- ((adr>>8)/FLASH_WORD_SIZE)&0x7E);
+ cc_pokedatabyte(0xF000+MAXFLASHPAGE_SIZE+2,
+ ((adr>>8)/flash_word_size)&0x7E);
+ //Patch routine to define FLASH_WORD_SIZE
+ if(flash_routine[25]!=0xde)
+ debugstr("Ugly patching code failing in chipcon.c");
+ cc_pokedatabyte(0xF000+MAXFLASHPAGE_SIZE+25,
+ flash_word_size);
+
//debugstr("Wrote flash routine.");
cc_debug_instr(3);
//debugstr("Loaded bank info.");
- cc_set_pc(0xf000+FLASHPAGE_SIZE);//execute code fragment
+ cc_set_pc(0xf000+MAXFLASHPAGE_SIZE);//execute code fragment
cc_resume();
//debugstr("Executing.");
unsigned char cc_peekdatabyte(unsigned int adr){
unsigned char
hb=(adr&0xFF00)>>8,
- lb=adr&0xFF,
- toret;
+ lb=adr&0xFF;
//MOV DPTR, adr
cc_debug(3, 0x90, hb, lb);
//MOVX A, @DPTR
//Must be 2, perhaps for clocking?
- toret=cc_debug(3, 0xE0, 0, 0);
- return toret;
+ return cc_debug(3, 0xE0, 0, 0);
}
//! Fetch a byte of IRAM.
u8 cc_peekirambyte(u8 adr){
+ //CLR A
+ cc_debug(2, 0xE4, 0, 0);
//MOV A, #iram
return cc_debug(3, 0xE5, adr, 0);
}
//! Write a byte of IRAM.
u8 cc_pokeirambyte(u8 adr, u8 val){
+ //CLR A
+ cc_debug(2, 0xE4, 0, 0);
//MOV #iram, #val
return cc_debug(3, 0x75, adr, val);
+ //return cc_debug(3, 0x75, val, adr);
}