s/peekword/peek16/ in goodfet.monitor.
[goodfet] / client / GoodFETCC.py
index 01b6668..abbe115 100644 (file)
@@ -17,26 +17,24 @@ class GoodFETCC(GoodFET):
     """A GoodFET variant for use with Chipcon 8051 Zigbee SoC."""
     APP=0x30;
     
-    
-    
-    
     smartrfpath="/opt/smartrf7";
     def loadsymbols(self):
         try: self.SRF_loadsymbols();
         except:
             if self.verbose>0: print "SmartRF not found at %s." % self.smartrfpath;
     def SRF_chipdom(self,chip="cc1110", doc="register_definition.xml"):
+        """Loads the chip XML definitions from SmartRF7."""
         fn="%s/config/xml/%s/%s" % (self.smartrfpath,chip,doc);
         #print "Opening %s" % fn;
         return xml.dom.minidom.parse(fn)
         
     def CMDrs(self,args=[]):
         """Chip command to grab the radio state."""
-        try:
-            self.SRF_radiostate();
-        except:
-            print "Error printing radio state.";
-            print "SmartRF not found at %s." % self.smartrfpath;
+        #try:
+        self.SRF_radiostate();
+        #except:
+        #    print "Error printing radio state.";
+        #    print "SmartRF not found at %s." % self.smartrfpath;
     def SRF_bitfieldstr(self,bf):
         name="unused";
         start=0;
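Review bot: The commented-out `try`/`except` around `self.SRF_radiostate()` in `CMDrs` should be deleted rather than left as dead code, and if a handler is still wanted it should name the exception it expects instead of a bare `except:`. With the wrapper disabled, any failure inside `SRF_radiostate()` now propagates to whoever called `CMDrs`. That may be intended for debugging, but nothing says so; a comment such as `#Let SRF_radiostate() errors propagate so the traceback is visible.` would record it. The new `SRF_chipdom` docstring could also mention that `chip` and `doc` are interpolated into a path under `smartrfpath` without any check. `SRF_bitfieldstr` at the end of the hunk continues outside it.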
@@ -95,7 +93,6 @@ class GoodFETCC(GoodFET):
         self.pokebysym("TEST1",0x31);
         self.pokebysym("TEST0",0x09);
         
-        #self.pokebysym("PA_TABLE0" ,   0x60);  #above mid
         
         #self.pokebysym("FSCAL2" ,   0x2A);  #above mid
         self.pokebysym("FSCAL2" ,   0x0A);  #beneath mid
@@ -126,16 +123,33 @@ class GoodFETCC(GoodFET):
         hz=freq*396.728515625;
         
         return hz;
+    
+    def RF_getchannel(self):
+        """Get the hex channel."""
+        #FIXME CC1110 specific
+        freq=0;
+        try:
+            freq2=self.peekbysym("FREQ2");
+            freq1=self.peekbysym("FREQ1");
+            freq0=self.peekbysym("FREQ0");
+            freq=(freq2<<16)+(freq1<<8)+freq0;
+        except:
+            freq=0;
+            
+        return freq;
+    
+    
     lastshellcode="none";
-    def shellcodefile(self,filename,wait=1):
+    def shellcodefile(self,filename,wait=1, alwaysreload=0):
         """Run a fragment of shellcode by name."""
         #FIXME: should identify chip model number, use shellcode for that chip.
         
-        if self.lastshellcode!=filename:
+        if self.lastshellcode!=filename or alwaysreload>0:
             self.lastshellcode=filename;
             file=__file__;
             file=file.replace("GoodFETCC.pyc","GoodFETCC.py");
-            path=file.replace("client/GoodFETCC.py","shellcode/chipcon/cc1110/");
+            #TODO make this generic
+            path=file.replace("GoodFETCC.py","shellcode/chipcon/cc1110/");
             filename=path+filename;
         
             #Load the shellcode.
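Review bot: The bare `except:` in `RF_getchannel` turns every failure, including an unknown symbol or a keyboard interrupt, into a return value of 0, which a caller cannot tell apart from a frequency word that really reads as zero. Catching only the exception `peekbysym` raises for a missing register (not visible in this hunk) and returning `None` would make the failure explicit. The docstring says "hex channel", but the code returns the combined FREQ2/FREQ1/FREQ0 word rather than CHANNR. A docstring matching the code would be `"""Return the raw 24-bit FREQ2:FREQ1:FREQ0 frequency word, or 0 if it cannot be read."""`.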
@@ -212,9 +226,224 @@ class GoodFETCC(GoodFET):
         RFST=0xDFE1
         self.pokebyte(RFST,state); #Return to idle state.
         return;
+    def config_dash7(self,band="lf"):
+        #These settings came from the OpenTag project's GIT repo on 18 Dec, 2010.
+        #Waiting for official confirmation of the accuracy.
+
+        self.pokebysym("FSCTRL1"  , 0x08)   # Frequency synthesizer control.
+        self.pokebysym("FSCTRL0"  , 0x00)   # Frequency synthesizer control.
+        
+        #Don't change these while the radio is active.
+        self.pokebysym("FSCAL3"   , 0xEA)   # Frequency synthesizer calibration.
+        self.pokebysym("FSCAL2"   , 0x2A)   # Frequency synthesizer calibration.
+        self.pokebysym("FSCAL1"   , 0x00)   # Frequency synthesizer calibration.
+        self.pokebysym("FSCAL0"   , 0x1F)   # Frequency synthesizer calibration.
+        
+        if band=="ismeu" or band=="eu":
+            print "There is no official eu band for dash7."
+            self.pokebysym("FREQ2"    , 0x21)   # Frequency control word, high byte.
+            self.pokebysym("FREQ1"    , 0x71)   # Frequency control word, middle byte.
+            self.pokebysym("FREQ0"    , 0x7a)   # Frequency control word, low byte.
+        elif band=="ismus" or band=="us":
+            print "There is no official us band for dash7."
+            self.pokebysym("FREQ2"    , 0x22)   # Frequency control word, high byte.
+            self.pokebysym("FREQ1"    , 0xB1)   # Frequency control word, middle byte.
+            self.pokebysym("FREQ0"    , 0x3B)   # Frequency control word, low byte.
+        elif band=="ismlf" or band=="lf":
+            # 433.9198 MHz, same as Simpliciti.
+            self.pokebysym("FREQ2"    , 0x10)   # Frequency control word, high byte.
+            self.pokebysym("FREQ1"    , 0xB0)   # Frequency control word, middle byte.
+            self.pokebysym("FREQ0"    , 0x71)   # Frequency control word, low byte.
+        elif band=="none":
+            pass;
+        else:
+            #Got a frequency, not a band.
+            self.RF_setfreq(eval(band));
+        self.pokebysym("MDMCFG4"  , 0x8B)   # 62.5 kbps w/ 200 kHz filter
+        self.pokebysym("MDMCFG3"  , 0x3B)
+        self.pokebysym("MDMCFG2"  , 0x11)
+        self.pokebysym("MDMCFG1"  , 0x02)
+        self.pokebysym("MDMCFG0"  , 0x53)
+        self.pokebysym("CHANNR"   , 0x00)   # Channel zero.
+        self.pokebysym("DEVIATN"  , 0x50)   # 50 kHz deviation
+        
+        self.pokebysym("FREND1"   , 0xB6)   # Front end RX configuration.
+        self.pokebysym("FREND0"   , 0x10)   # Front end RX configuration.
+        self.pokebysym("MCSM2"    , 0x1E)
+        self.pokebysym("MCSM1"    , 0x3F)
+        self.pokebysym("MCSM0"    , 0x30)
+        self.pokebysym("FOCCFG"   , 0x1D)   # Frequency Offset Compensation Configuration.
+        self.pokebysym("BSCFG"    , 0x1E)   # 6.25% data error rate
+        
+        self.pokebysym("AGCCTRL2" , 0xC7)   # AGC control.
+        self.pokebysym("AGCCTRL1" , 0x00)   # AGC control.
+        self.pokebysym("AGCCTRL0" , 0xB2)   # AGC control.
+        
+        self.pokebysym("TEST2"    , 0x81)   # Various test settings.
+        self.pokebysym("TEST1"    , 0x35)   # Various test settings.
+        self.pokebysym("TEST0"    , 0x09)   # Various test settings.
+        self.pokebysym("PA_TABLE0", 0xc0)   # Max output power.
+        self.pokebysym("PKTCTRL1" , 0x04)   # Packet automation control, w/ lqi
+        #self.pokebysym("PKTCTRL1" , 0x00)   # Packet automation control. w/o lqi
+        self.pokebysym("PKTCTRL0" , 0x05)   # Packet automation control, w/ checksum.
+        #self.pokebysym("PKTCTRL0" , 0x00)   # Packet automation control, w/o checksum, fixed length
+        self.pokebysym("ADDR"     , 0x01)   # Device address.
+        self.pokebysym("PKTLEN"   , 0xFF)   # Packet length.
+        
+        #Sync word hack
+        self.pokebysym("SYNC1",0x83);
+        self.pokebysym("SYNC0",0xFE);
+        return;
+    def config_iclicker(self,band="lf"):
+        #Mike Ossmann figured most of this out, with help from neighbors.
+        
+        self.pokebysym("FSCTRL1"  , 0x06)   # Frequency synthesizer control.
+        self.pokebysym("FSCTRL0"  , 0x00)   # Frequency synthesizer control.
+        
+        #Don't change these while the radio is active.
+        self.pokebysym("FSCAL3"   , 0xE9)
+        self.pokebysym("FSCAL2"   , 0x2A)
+        self.pokebysym("FSCAL1"   , 0x00)
+        self.pokebysym("FSCAL0"   , 0x1F)
+        
+        if band=="ismeu" or band=="eu":
+            print "The EU band is unknown.";
+        elif band=="ismus" or band=="us":
+            #905.5MHz
+            self.pokebysym("FREQ2"    , 0x22)   # Frequency control word, high byte.
+            self.pokebysym("FREQ1"    , 0xD3)   # Frequency control word, middle byte.
+            self.pokebysym("FREQ0"    , 0xAC)   # Frequency control word, low byte.
+        elif band=="ismlf" or band=="lf":
+            print "There is no LF version of the iclicker."
+        elif band=="none":
+            pass;
+        else:
+            #Got a frequency, not a band.
+            self.RF_setfreq(eval(band));
+        # 812.5kHz bandwidth, 152.34 kbaud
+        self.pokebysym("MDMCFG4"  , 0x1C)   
+        self.pokebysym("MDMCFG3"  , 0x80)
+        # no FEC, 2 byte preamble, 250kHz chan spacing
+        
+        #15/16 sync
+        #self.pokebysym("MDMCFG2"  , 0x01)
+        #16/16 sync
+        self.pokebysym("MDMCFG2"  , 0x02)
+        
+        self.pokebysym("MDMCFG1"  , 0x03)
+        self.pokebysym("MDMCFG0"  , 0x3b)
+        
+        self.pokebysym("CHANNR"   , 0x2e)   # Channel zero.
+        
+        #self.pokebysym("DEVIATN"  , 0x71)  # 118.5
+        self.pokebysym("DEVIATN"  , 0x72)   # 253.9 kHz deviation
+        
+        self.pokebysym("FREND1"   , 0x56)   # Front end RX configuration.
+        self.pokebysym("FREND0"   , 0x10)   # Front end RX configuration.
+        self.pokebysym("MCSM2"    , 0x07)
+        self.pokebysym("MCSM1"    , 0x30)   #Auto freq. cal.
+        self.pokebysym("MCSM0"    , 0x14)
+        
+        self.pokebysym("TEST2"    , 0x88)   # 
+        self.pokebysym("TEST1"    , 0x31)   # 
+        self.pokebysym("TEST0"    , 0x09)   # High VCO (Upper band.)
+        self.pokebysym("PA_TABLE0", 0xC0)   # Max output power.
+        self.pokebysym("PKTCTRL1" , 0x45)   # Preamble qualidy 2*4=6, adr check, status
+        self.pokebysym("PKTCTRL0" , 0x00)   # No whitening, CR, fixed len.
+        
+        self.pokebysym("PKTLEN"   , 0x09)   # Packet length.
+        
+        self.pokebysym("SYNC1",0xB0);
+        self.pokebysym("SYNC0",0xB0);
+        self.pokebysym("ADDR", 0xB0);
+        return;
+    def config_ook(self,band="none"):
+        self.pokebysym("FSCTRL1"  , 0x0C) #08   # Frequency synthesizer control.
+        self.pokebysym("FSCTRL0"  , 0x00)   # Frequency synthesizer control.
+        
+        #Don't change these while the radio is active.
+        self.pokebysym("FSCAL3"   , 0xEA)   # Frequency synthesizer calibration.
+        self.pokebysym("FSCAL2"   , 0x2A)   # Frequency synthesizer calibration.
+        self.pokebysym("FSCAL1"   , 0x00)   # Frequency synthesizer calibration.
+        self.pokebysym("FSCAL0"   , 0x1F)   # Frequency synthesizer calibration.
+        
+        if band=="ismeu" or band=="eu":
+            self.pokebysym("FREQ2"    , 0x21)   # Frequency control word, high byte.
+            self.pokebysym("FREQ1"    , 0x71)   # Frequency control word, middle byte.
+            self.pokebysym("FREQ0"    , 0x7a)   # Frequency control word, low byte.
+        elif band=="ismus" or band=="us":
+            self.pokebysym("FREQ2"    , 0x22)   # Frequency control word, high byte.
+            self.pokebysym("FREQ1"    , 0xB1)   # Frequency control word, middle byte.
+            self.pokebysym("FREQ0"    , 0x3B)   # Frequency control word, low byte.
+        elif band=="ismlf" or band=="lf":
+            self.pokebysym("FREQ2"    , 0x0C)   # Frequency control word, high byte.
+            self.pokebysym("FREQ1"    , 0x1D)   # Frequency control word, middle byte.
+            self.pokebysym("FREQ0"    , 0x89)   # Frequency control word, low byte.
+        elif band=="none":
+            pass;
+        else:
+            #Got a frequency, not a band.
+            self.RF_setfreq(eval(band));
+        
+        #data rate
+        #~1
+        #self.pokebysym("MDMCFG4"  , 0x85)
+        #self.pokebysym("MDMCFG3"  , 0x83)
+        #0.5
+        #self.pokebysym("MDMCFG4"  , 0xf4)
+        #self.pokebysym("MDMCFG3"  , 0x43)
+        #2.4
+        #self.pokebysym("MDMCFG4"  , 0xf6)
+        #self.pokebysym("MDMCFG3"  , 0x83)
+        
+        #4.8 kbaud
+        #print "Warning: Default to 4.8kbaud.";
+        #self.pokebysym("MDMCFG4"  , 0xf7)
+        #self.pokebysym("MDMCFG3"  , 0x83)
+        #9.6 kbaud
+        #print "Warning: Default to 9.6kbaud.";
+        #
+        
+        self.pokebysym("MDMCFG4"  , 0xf8)
+        self.pokebysym("MDMCFG3"  , 0x83)
+        self.pokebysym("MDMCFG2"  , 0x34)   # OOK, carrier-sense, no-manchester
+        
+        #Kind aright for keeloq
+        print "Warning: Guessing baud rate.";
+        #self.pokebysym("MDMCFG4"  , 0xf6)
+        #self.pokebysym("MDMCFG3"  , 0x93)
+        #self.pokebysym("MDMCFG2"  , 0x3C)   # OOK, carrier-sense, manchester
+        
+        self.pokebysym("MDMCFG1"  , 0x00)   # Modem configuration.
+        self.pokebysym("MDMCFG0"  , 0xF8)   # Modem configuration.
+        self.pokebysym("CHANNR"   , 0x00)   # Channel number.
+        
+        self.pokebysym("FREND1"   , 0x56)   # Front end RX configuration.
+        self.pokebysym("FREND0"   , 0x11)   # Front end RX configuration.
+        self.pokebysym("MCSM0"    , 0x18)   # Main Radio Control State Machine configuration.
+        #self.pokebysym("FOCCFG"   , 0x1D)   # Frequency Offset Compensation Configuration.
+        #self.pokebysym("BSCFG"    , 0x1C)   # Bit synchronization Configuration.
+        
+        #self.pokebysym("AGCCTRL2" , 0xC7)   # AGC control.
+        #self.pokebysym("AGCCTRL1" , 0x00)   # AGC control.
+        #self.pokebysym("AGCCTRL0" , 0xB2)   # AGC control.
+        
+        self.pokebysym("TEST2"    , 0x81)   # Various test settings.
+        self.pokebysym("TEST1"    , 0x35)   # Various test settings.
+        self.pokebysym("TEST0"    , 0x0B)   # Various test settings.
+        self.pokebysym("PA_TABLE0", 0xc2)   # Max output power.
+        self.pokebysym("PKTCTRL1" , 0x04)   # Packet automation control, w/ lqi
+        #self.pokebysym("PKTCTRL1" , 0x00)   # Packet automation control. w/o lqi
+        #self.pokebysym("PKTCTRL0" , 0x05)   # Packet automation control, w/ checksum.
+        self.pokebysym("PKTCTRL0" , 0x00)   # Packet automation control, w/o checksum, fixed length
+        self.pokebysym("ADDR"     , 0x01)   # Device address.
+        self.pokebysym("PKTLEN"   , 0xFF)   # Packet length.
+        
+        self.pokebysym("SYNC1",0xD3);
+        self.pokebysym("SYNC0",0x91);
         
     def config_simpliciti(self,band="none"):
-        self.pokebysym("FSCTRL1"  , 0x08)   # Frequency synthesizer control.
+        self.pokebysym("FSCTRL1"  , 0x0C) #08   # Frequency synthesizer control.
         self.pokebysym("FSCTRL0"  , 0x00)   # Frequency synthesizer control.
         
         #Don't change these while the radio is active.
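Review bot: `self.RF_setfreq(eval(band));` in the `else` branch of `config_dash7`, and again in `config_iclicker` and `config_ook`, evaluates the `band` string as Python code. Any caller that forwards a command-line or otherwise external value here lets that value execute in the client process. Parsing the number explicitly removes that path: `self.RF_setfreq(float(band));` (or `int(band,0)` if only integer and hex input is expected), with a `ValueError` handler that reports the unrecognised band. The three band-selection blocks have the same shape and could share one helper, so the parsing lives in one place. `config_simpliciti` at the end of the hunk continues outside it.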
@@ -264,7 +493,7 @@ class GoodFETCC(GoodFET):
         self.pokebysym("TEST2"    , 0x81)   # Various test settings.
         self.pokebysym("TEST1"    , 0x35)   # Various test settings.
         self.pokebysym("TEST0"    , 0x09)   # Various test settings.
-        self.pokebysym("PA_TABLE0", 0xC0)   # PA output power setting.
+        self.pokebysym("PA_TABLE0", 0xc0)   # Max output power.
         self.pokebysym("PKTCTRL1" , 0x04)   # Packet automation control, w/ lqi
         #self.pokebysym("PKTCTRL1" , 0x00)   # Packet automation control. w/o lqi
         self.pokebysym("PKTCTRL0" , 0x05)   # Packet automation control, w/ checksum.
@@ -341,7 +570,7 @@ class GoodFETCC(GoodFET):
         """Get a packet from the radio.  Returns None if none is waiting."""
         self.shellcodefile("rxpacket.ihx");
         len=self.peek8(0xFE00,"xdata");
-        return self.peekblock(0xFE00,len+1,"data");
+        return self.peekblock(0xFE00,len+3,"data");
     def RF_txpacket(self,packet):
         """Transmit a packet.  Untested."""
         
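Review bot: The `len+3` in `RF_rxpacket`, and the same change in the hunk at `@@ -354,7 +583,7 @@`, is an unexplained magic number. It presumably covers the length byte plus two appended status bytes, which a comment should state, e.g. `#Length byte + payload + 2 status bytes (RSSI, LQI) -- confirm against rxpacket.ihx.`. The length is read from the radio buffer and trusted as-is. The configurations on this page that set `PKTCTRL0` to 0x00 (fixed length) may not place a length byte at 0xFE00 at all, so that case is worth checking. The docstring also promises `None` when no packet is waiting, but no visible path returns `None`, and `len` shadows the builtin (`plen` would avoid that).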
@@ -354,7 +583,7 @@ class GoodFETCC(GoodFET):
         self.pokeblock(0xFE00,packet,"data");
         self.shellcodefile("txrxpacket.ihx");
         len=self.peek8(0xFE00,"xdata");
-        return self.peekblock(0xFE00,len+1,"data");
+        return self.peekblock(0xFE00,len+3,"data");
 
     def RF_getrssi(self):
         """Returns the received signal strenght, with a weird offset."""
@@ -364,7 +593,7 @@ class GoodFETCC(GoodFET):
         except:
             if self.verbose>0: print "RSSI reg doesn't exist.";
         try:
-            #RSSI doesn't exist on 2.4GHz devices.  Maybe RSSIL and RSSIH?
+            #RSSI doesn't exist on some 2.4GHz devices.  Maybe RSSIL and RSSIH?
             rssilreg=self.symbols.get("RSSIL");
             rssil=self.CCpeekdatabyte(rssilreg);
             rssihreg=self.symbols.get("RSSIL");
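Review bot: `rssihreg=self.symbols.get("RSSIL");` looks up the low register a second time, so this fallback path never reads RSSIH, which the comment edited just above names as the other half of the pair. The line should read `rssihreg=self.symbols.get("RSSIH");`. The surrounding `try` block starts and ends outside the hunk, so how the two bytes are combined is not visible here.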
@@ -475,8 +704,10 @@ class GoodFETCC(GoodFET):
                 0x8900:"cc2431",
                 0x8100:"cc2510",
                 0x9100:"cc2511",
-                0xA500:"cc2530", #page 52 of SWRU191
+                0xA500:"cc2530", #page 57 of SWRU191B
                 0xB500:"cc2531",
+                0x9500:"CC2533",
+                0x8D00:"CC2540",
                 0xFF00:"CCmissing"};
     CCpagesizes={0x01: 1024, #"CC1110",
                  0x11: 1024, #"CC1111",
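Review bot: The new entries `0x9500:"CC2533"` and `0x8D00:"CC2540"` are upper-case while every other real chip name visible in the table is lower-case (`"cc2530"`, `"cc2531"`). If the identifier string is later used as the `chip` directory name for the SmartRF XML lookup, the mismatch would miss on a case-sensitive filesystem; that use is an inference from `SRF_chipdom` and is not shown in this hunk. Writing `0x9500:"cc2533",` and `0x8D00:"cc2540",` keeps the table consistent. The dictionary begins outside the hunk.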
@@ -484,8 +715,10 @@ class GoodFETCC(GoodFET):
                  0x89: 2048, #"CC2431",
                  0x81: 1024, #"CC2510",
                  0x91: 1024, #"CC2511",
-                 0xA5: 2048, #"CC2530", #page 52 of SWRU191
+                 0xA5: 2048, #"CC2530", #page 57 of SWRU191B
                  0xB5: 2048, #"CC2531",
+                 0x95: 2048, #"CC2533",
+                 0x8D: 2048, #"CC2540",
                  0xFF: 0    } #"CCmissing"};
     def infostring(self):
         return self.CCidentstr();
@@ -622,7 +855,12 @@ class GoodFETCC(GoodFET):
         """Start debugging."""
         self.setup();
         self.writecmd(self.APP,0x20,0,self.data);
-        ident=self.CCidentstr();
+        ident=self.CCident();
+        if ident==0xFFFF or ident==0x0000:
+            self.writecmd(self.APP,0x20,0,self.data);
+            ident=self.CCident();
+        
+        
         #print "Target identifies as %s." % ident;
         #print "Status: %s." % self.status();
         self.CCreleasecpu();
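Review bot: After the single retry, `ident` is not checked again, so a target that still answers 0xFFFF or 0x0000 goes on to `self.CCreleasecpu()` with no indication that debug entry failed. A check after the retry would surface that, e.g. `if ident==0xFFFF or ident==0x0000: print "Warning: target did not identify after retry.";`. `ident` is otherwise unused in the visible lines now that the print is commented out, and the two added blank lines can go. The method starts and continues outside the hunk.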