X-Git-Url: http://git.rot13.org/?p=goodfet;a=blobdiff_plain;f=client%2FGoodFETCC.py;h=2427e03d9e5466a8cc3d54ec7ce9384d22149d5c;hp=3be0ca45a1d98db813ae08b397e51db0d6c64bd7;hb=24af045d93c9c835757e96147a37db9383f7b6c4;hpb=1f2a8a4593c69edd03f774a2df080103814faeae
diff --git a/client/GoodFETCC.py b/client/GoodFETCC.py
index 3be0ca4..2427e03 100644
--- a/client/GoodFETCC.py
+++ b/client/GoodFETCC.py
@@ -11,32 +11,43 @@ import binascii;
 from GoodFET import GoodFET;
 from intelhex import IntelHex;
-import xml.dom.minidom, time;
+import xml.dom.minidom, time, os;
 class GoodFETCC(GoodFET):
 """A GoodFET variant for use with Chipcon 8051 Zigbee SoC."""
 APP=0x30;
-
-
-
-
- smartrfpath="/opt/smartrf7";
+ smartrfpath=None;
+ def __init__(self,filename=None):
+ """GoodFETCC constructor.
+ Mostly concerned with finding SmartRF7."""
+ if self.smartrfpath==None:
+ self.smartrfpath=os.environ.get("SMARTRF");
+ if self.smartrfpath==None and os.name=='nt':
+ pf=os.environ['PROGRAMFILES'];
+ self.smartrfpath="%s\\\\Texas Instruments\\\\SmartRF Tools\\\\SmartRF Studio 7" % pf;
+
+ if self.smartrfpath==None:
+ self.smartrfpath="/opt/smartrf7";
+
+
 def loadsymbols(self):
 try:
 self.SRF_loadsymbols();
 except:
- if self.verbose>0: print "SmartRF not found at %s." % self.smartrfpath;
+ print "SmartRF not found at %s." % self.smartrfpath;
 def SRF_chipdom(self,chip="cc1110", doc="register_definition.xml"):
+ """Loads the chip XML definitions from SmartRF7."""
 fn="%s/config/xml/%s/%s" % (self.smartrfpath,chip,doc);
 #print "Opening %s" % fn;
 return xml.dom.minidom.parse(fn)
 def CMDrs(self,args=[]):
 """Chip command to grab the radio state."""
- try:
- self.SRF_radiostate();
- except:
- print "Error printing radio state.";
- print "SmartRF not found at %s." % self.smartrfpath;
+ #try:
+ self.SRF_radiostate();
+ #except:
+ # print "Error printing radio state.";
+ # print "SmartRF not found at %s." % self.smartrfpath;
 def SRF_bitfieldstr(self,bf):
 name="unused";
 start=0;
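Review bot: The new `__init__` replaces GoodFET's constructor without calling it, and the `filename` it accepts is never used, so whatever the base class does with it (opening the device, presumably) is skipped unless GoodFET.__init__ is a no-op; add `GoodFET.__init__(self,filename);` at the end of the method. In `CMDrs` the try/except is commented out rather than narrowed, so a missing SmartRF install now raises out of the command with no mention of `smartrfpath`, whereas `loadsymbols` still prints the hint; catching only `IOError` and keeping the path message would preserve that. The Windows branch writes `\\\\` inside a normal string literal, which yields two backslashes per separator at runtime; `os.path.join(pf,"Texas Instruments","SmartRF Tools","SmartRF Studio 7")` sidesteps the escaping question.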
@@ -49,6 +60,7 @@ class GoodFETCC(GoodFET):
 elif e.localName=="Start": start=e.childNodes[0].nodeValue;
 elif e.localName=="Stop": stop=e.childNodes[0].nodeValue;
 return " [%s:%s] %30s " % (start,stop,name);
+
 def SRF_radiostate(self):
 ident=self.CCident();
 chip=self.CCversions.get(ident&0xFF00);
@@ -76,6 +88,44 @@ class GoodFETCC(GoodFET):
 print "%-10s=0x%02x; /* %-50s */" % (
 name,self.CCpeekdatabyte(eval(address)), description);
 if bitfields!="": print bitfields.rstrip();
+
+ def SRF_radiostate_select(self,args=[]):
+ lreg = []
+ ident=self.CCident();
+ chip=self.CCversions.get(ident&0xFF00);
+ dom=self.SRF_chipdom(chip,"register_definition.xml");
+ for reg in args:
+ if reg.lower() == "help":
+ lreg = "help"
+ break
+ lreg.append(reg.lower())
+ for e in dom.getElementsByTagName("registerdefinition"):
+ for f in e.childNodes:
+ if f.localName=="DeviceName":
+ print "// %s RadioState" % (f.childNodes[0].nodeValue);
+ elif f.localName=="Register":
+ name="unknownreg";
+ address="0xdead";
+ description="";
+ bitfields="";
+ for g in f.childNodes:
+ if g.localName=="Name":
+ name=g.childNodes[0].nodeValue;
+ elif g.localName=="Address":
+ address=g.childNodes[0].nodeValue;
+ elif g.localName=="Description":
+ if g.childNodes:
+ description=g.childNodes[0].nodeValue;
+ elif g.localName=="Bitfield":
+ bitfields+="%17s/* %-50s */\n" % ("",self.SRF_bitfieldstr(g));
+ #print "SFRX(%10s, %s); /* %50s */" % (name,address, description);
+ if lreg == "help":
+ print "%-10s /* %-50s */" % (name, description);
+ elif name.lower() in lreg:
+ print "%-10s=0x%02x; /* %-50s */" % (
+ name,self.CCpeekdatabyte(eval(address)), description);
+ if bitfields!="": print bitfields.rstrip();
+
 def RF_setfreq(self,frequency):
 """Set the frequency in Hz."""
 #FIXME CC1110 specific
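Review bot: `SRF_radiostate_select` duplicates the body of `SRF_radiostate` almost line for line; the only differences are the `lreg` filter and the help branch, so the filter could be an optional parameter of `SRF_radiostate` (e.g. `def SRF_radiostate(self,lreg=None):`) instead of a second copy that has to be kept in sync. `lreg` starts as a list and is then reassigned to the string `"help"`, and `args=[]` is a mutable default; initialising both to `None` and testing `lreg is None` keeps the types straight. The address read from the SmartRF XML is still passed through `eval(address)` before `CCpeekdatabyte`; `int(address,0)` parses the `0x` form without executing the file's contents as Python, and the same applies to the existing `SRF_radiostate` line at the top of the hunk.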
@@ -125,16 +175,33 @@ class GoodFETCC(GoodFET):
 hz=freq*396.728515625;
 return hz;
+
+ def RF_getchannel(self):
+ """Get the hex channel."""
+ #FIXME CC1110 specific
+ freq=0;
+ try:
+ freq2=self.peekbysym("FREQ2");
+ freq1=self.peekbysym("FREQ1");
+ freq0=self.peekbysym("FREQ0");
+ freq=(freq2<<16)+(freq1<<8)+freq0;
+ except:
+ freq=0;
+
+ return freq;
+
+
 lastshellcode="none";
- def shellcodefile(self,filename,wait=1):
+ def shellcodefile(self,filename,wait=1, alwaysreload=0):
 """Run a fragment of shellcode by name."""
 #FIXME: should identify chip model number, use shellcode for that chip.
- if self.lastshellcode!=filename:
+ if self.lastshellcode!=filename or alwaysreload>0:
 self.lastshellcode=filename;
 file=__file__;
 file=file.replace("GoodFETCC.pyc","GoodFETCC.py");
- path=file.replace("client/GoodFETCC.py","shellcode/chipcon/cc1110/");
+ #TODO make this generic
+ path=file.replace("GoodFETCC.py","shellcode/chipcon/cc1110/");
 filename=path+filename;
 #Load the shellcode.
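Review bot: `RF_getchannel`'s bare `except:` turns any failure inside `peekbysym` — a lost link, a missing symbol table, even KeyboardInterrupt — into a silent return of 0, which a caller cannot tell from a genuine zero FREQ word; catch the specific exception `peekbysym` raises for an unknown symbol, or at least print what failed. The docstring says "Get the hex channel", but what is returned is `(FREQ2<<16)+(FREQ1<<8)+FREQ0`, the same 24-bit word `RF_getfreq` scales just above; `"""Return the raw 24-bit FREQ2:FREQ1:FREQ0 word, or 0 if the symbols cannot be read."""` describes it. In `shellcodefile`, replacing `"GoodFETCC.py"` rather than `"client/GoodFETCC.py"` makes the path resolve to `<dir of GoodFETCC.py>/shellcode/chipcon/cc1110/` instead of the repository-level `shellcode/` directory the old replacement targeted, so it is worth confirming the shellcode tree actually lives next to the client module; `os.path.join(os.path.dirname(file),...)` would state that intent directly. `shellcodefile` continues past the end of the hunk.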
@@ -275,12 +342,158 @@ class GoodFETCC(GoodFET):
 self.pokebysym("ADDR" , 0x01) # Device address.
 self.pokebysym("PKTLEN" , 0xFF) # Packet length.
+ #Sync word hack
+ self.pokebysym("SYNC1",0x83);
+ self.pokebysym("SYNC0",0xFE);
+ return;
+ def config_iclicker(self,band="lf"):
+ #Mike Ossmann figured most of this out, with help from neighbors.
+
+ self.pokebysym("FSCTRL1" , 0x06) # Frequency synthesizer control.
+ self.pokebysym("FSCTRL0" , 0x00) # Frequency synthesizer control.
+ #Don't change these while the radio is active.
+ self.pokebysym("FSCAL3" , 0xE9)
+ self.pokebysym("FSCAL2" , 0x2A)
+ self.pokebysym("FSCAL1" , 0x00)
+ self.pokebysym("FSCAL0" , 0x1F)
+ if band=="ismeu" or band=="eu":
+ print "The EU band is unknown.";
+ elif band=="ismus" or band=="us":
+ #905.5MHz
+ self.pokebysym("FREQ2" , 0x22) # Frequency control word, high byte.
+ self.pokebysym("FREQ1" , 0xD3) # Frequency control word, middle byte.
+ self.pokebysym("FREQ0" , 0xAC) # Frequency control word, low byte.
+ elif band=="ismlf" or band=="lf":
+ print "There is no LF version of the iclicker."
+ elif band=="none":
+ pass;
+ else:
+ #Got a frequency, not a band.
+ self.RF_setfreq(eval(band));
+ # 812.5kHz bandwidth, 152.34 kbaud
+ self.pokebysym("MDMCFG4" , 0x1C)
+ self.pokebysym("MDMCFG3" , 0x80)
+ # no FEC, 2 byte preamble, 250kHz chan spacing
+
+ #15/16 sync
+ #self.pokebysym("MDMCFG2" , 0x01)
+ #16/16 sync
+ self.pokebysym("MDMCFG2" , 0x02)
+
+ self.pokebysym("MDMCFG1" , 0x03)
+ self.pokebysym("MDMCFG0" , 0x3b)
+
+ self.pokebysym("CHANNR" , 0x2e) # Channel zero.
+
+ #self.pokebysym("DEVIATN" , 0x71) # 118.5
+ self.pokebysym("DEVIATN" , 0x72) # 253.9 kHz deviation
+
+ self.pokebysym("FREND1" , 0x56) # Front end RX configuration.
+ self.pokebysym("FREND0" , 0x10) # Front end RX configuration.
+ self.pokebysym("MCSM2" , 0x07)
+ self.pokebysym("MCSM1" , 0x30) #Auto freq. cal.
+ self.pokebysym("MCSM0" , 0x14)
+
+ self.pokebysym("TEST2" , 0x88) #
+ self.pokebysym("TEST1" , 0x31) #
+ self.pokebysym("TEST0" , 0x09) # High VCO (Upper band.)
+ self.pokebysym("PA_TABLE0", 0xC0) # Max output power.
+ self.pokebysym("PKTCTRL1" , 0x45) # Preamble qualidy 2*4=6, adr check, status
+ self.pokebysym("PKTCTRL0" , 0x00) # No whitening, CR, fixed len.
+
+ self.pokebysym("PKTLEN" , 0x09) # Packet length.
+
+ self.pokebysym("SYNC1",0xB0);
+ self.pokebysym("SYNC0",0xB0);
+ self.pokebysym("ADDR", 0xB0);
+ return;
+ def config_ook(self,band="none"):
+ self.pokebysym("FSCTRL1" , 0x0C) #08 # Frequency synthesizer control.
+ self.pokebysym("FSCTRL0" , 0x00) # Frequency synthesizer control.
+
+ #Don't change these while the radio is active.
+ self.pokebysym("FSCAL3" , 0xEA) # Frequency synthesizer calibration.
+ self.pokebysym("FSCAL2" , 0x2A) # Frequency synthesizer calibration.
+ self.pokebysym("FSCAL1" , 0x00) # Frequency synthesizer calibration.
+ self.pokebysym("FSCAL0" , 0x1F) # Frequency synthesizer calibration.
+
+ if band=="ismeu" or band=="eu":
+ self.pokebysym("FREQ2" , 0x21) # Frequency control word, high byte.
+ self.pokebysym("FREQ1" , 0x71) # Frequency control word, middle byte.
+ self.pokebysym("FREQ0" , 0x7a) # Frequency control word, low byte.
+ elif band=="ismus" or band=="us":
+ self.pokebysym("FREQ2" , 0x22) # Frequency control word, high byte.
+ self.pokebysym("FREQ1" , 0xB1) # Frequency control word, middle byte.
+ self.pokebysym("FREQ0" , 0x3B) # Frequency control word, low byte.
+ elif band=="ismlf" or band=="lf":
+ self.pokebysym("FREQ2" , 0x0C) # Frequency control word, high byte.
+ self.pokebysym("FREQ1" , 0x1D) # Frequency control word, middle byte.
+ self.pokebysym("FREQ0" , 0x89) # Frequency control word, low byte.
+ elif band=="none":
+ pass;
+ else:
+ #Got a frequency, not a band.
+ self.RF_setfreq(eval(band));
+
+ #data rate
+ #~1
+ #self.pokebysym("MDMCFG4" , 0x85)
+ #self.pokebysym("MDMCFG3" , 0x83)
+ #0.5
+ #self.pokebysym("MDMCFG4" , 0xf4)
+ #self.pokebysym("MDMCFG3" , 0x43)
+ #2.4
+ #self.pokebysym("MDMCFG4" , 0xf6)
+ #self.pokebysym("MDMCFG3" , 0x83)
+
+ #4.8 kbaud
+ #print "Warning: Default to 4.8kbaud.";
+ #self.pokebysym("MDMCFG4" , 0xf7)
+ #self.pokebysym("MDMCFG3" , 0x83)
+ #9.6 kbaud
+ #print "Warning: Default to 9.6kbaud.";
+ #
+
+ self.pokebysym("MDMCFG4" , 0xf8)
+ self.pokebysym("MDMCFG3" , 0x83)
+ self.pokebysym("MDMCFG2" , 0x34) # OOK, carrier-sense, no-manchester
+
+ #Kind aright for keeloq
+ print "Warning: Guessing baud rate.";
+ #self.pokebysym("MDMCFG4" , 0xf6)
+ #self.pokebysym("MDMCFG3" , 0x93)
+ #self.pokebysym("MDMCFG2" , 0x3C) # OOK, carrier-sense, manchester
+
+ self.pokebysym("MDMCFG1" , 0x00) # Modem configuration.
+ self.pokebysym("MDMCFG0" , 0xF8) # Modem configuration.
+ self.pokebysym("CHANNR" , 0x00) # Channel number.
+
+ self.pokebysym("FREND1" , 0x56) # Front end RX configuration.
+ self.pokebysym("FREND0" , 0x11) # Front end RX configuration.
+ self.pokebysym("MCSM0" , 0x18) # Main Radio Control State Machine configuration.
+ #self.pokebysym("FOCCFG" , 0x1D) # Frequency Offset Compensation Configuration.
+ #self.pokebysym("BSCFG" , 0x1C) # Bit synchronization Configuration.
+
+ #self.pokebysym("AGCCTRL2" , 0xC7) # AGC control.
+ #self.pokebysym("AGCCTRL1" , 0x00) # AGC control.
+ #self.pokebysym("AGCCTRL0" , 0xB2) # AGC control.
+
+ self.pokebysym("TEST2" , 0x81) # Various test settings.
+ self.pokebysym("TEST1" , 0x35) # Various test settings.
+ self.pokebysym("TEST0" , 0x0B) # Various test settings.
+ self.pokebysym("PA_TABLE0", 0xc2) # Max output power.
+ self.pokebysym("PKTCTRL1" , 0x04) # Packet automation control, w/ lqi
+ #self.pokebysym("PKTCTRL1" , 0x00) # Packet automation control. w/o lqi
+ #self.pokebysym("PKTCTRL0" , 0x05) # Packet automation control, w/ checksum.
+ self.pokebysym("PKTCTRL0" , 0x00) # Packet automation control, w/o checksum, fixed length
+ self.pokebysym("ADDR" , 0x01) # Device address.
+ self.pokebysym("PKTLEN" , 0xFF) # Packet length.
 self.pokebysym("SYNC1",0xD3);
 self.pokebysym("SYNC0",0x91);
- return;
+
 def config_simpliciti(self,band="none"):
 self.pokebysym("FSCTRL1" , 0x0C) #08 # Frequency synthesizer control.
 self.pokebysym("FSCTRL0" , 0x00) # Frequency synthesizer control.
@@ -371,12 +584,9 @@ class GoodFETCC(GoodFET):
 self.pokebysym("MDMCFG1" , 0x22) # Modem configuration.
 self.pokebysym("MDMCFG0" , 0xF8) # Modem configuration.
- self.pokebysym("SYNC1",0xAA);
 self.pokebysym("SYNC0",0xAA);
-
-
 #while ((MARCSTATE & MARCSTATE_MARC_STATE) != MARC_STATE_TX);
 state=0;
@@ -432,7 +642,7 @@ class GoodFETCC(GoodFET):
 except:
 if self.verbose>0: print "RSSI reg doesn't exist.";
 try:
- #RSSI doesn't exist on 2.4GHz devices. Maybe RSSIL and RSSIH?
+ #RSSI doesn't exist on some 2.4GHz devices. Maybe RSSIL and RSSIH?
 rssilreg=self.symbols.get("RSSIL");
 rssil=self.CCpeekdatabyte(rssilreg);
 rssihreg=self.symbols.get("RSSIL");
@@ -443,8 +653,6 @@ class GoodFETCC(GoodFET):
 return 0;
-
-
 def SRF_loadsymbols(self):
 ident=self.CCident();
 chip=self.CCversions.get(ident&0xFF00);
@@ -543,8 +751,10 @@ class GoodFETCC(GoodFET):
 0x8900:"cc2431",
 0x8100:"cc2510",
 0x9100:"cc2511",
- 0xA500:"cc2530", #page 52 of SWRU191
+ 0xA500:"cc2530", #page 57 of SWRU191B
 0xB500:"cc2531",
+ 0x9500:"CC2533",
+ 0x8D00:"CC2540",
 0xFF00:"CCmissing"};
 CCpagesizes={0x01: 1024, #"CC1110",
 0x11: 1024, #"CC1111",
@@ -552,8 +762,10 @@ class GoodFETCC(GoodFET):
 0x89: 2048, #"CC2431",
 0x81: 1024, #"CC2510",
 0x91: 1024, #"CC2511",
- 0xA5: 2048, #"CC2530", #page 52 of SWRU191
+ 0xA5: 2048, #"CC2530", #page 57 of SWRU191B
 0xB5: 2048, #"CC2531",
+ 0x95: 2048, #"CC2533",
+ 0x8D: 2048, #"CC2540",
 0xFF: 0 } #"CCmissing"};
 def infostring(self):
 return self.CCidentstr();
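Review bot: Both new `config_iclicker` and `config_ook` fall through to `self.RF_setfreq(eval(band))` whenever `band` is not one of the known names, so any string that reaches them from the shell is executed as Python; `self.RF_setfreq(float(band))` (or `int(band,0)` if only integer Hz is meant) parses a literal frequency without that. `config_iclicker`'s default `band="lf"` selects the branch that only prints "There is no LF version of the iclicker." and leaves FREQ2..FREQ0 untouched, so a bare call programs the modem against whatever frequency was last set; defaulting to `"us"` (the one band actually configured) or to `"none"` as `config_ook` does would be less surprising. Neither function has a docstring; `"""Configure the radio for iClicker packets (905.5MHz US band)."""` and `"""Configure the radio for OOK; band names an ISM band or a literal frequency in Hz."""` would match the file's other methods.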
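Review bot: The comment is corrected but the lookup three lines below it still reads `rssihreg=self.symbols.get("RSSIL");`, so the value read as the high byte is the low register a second time; it should be `rssihreg=self.symbols.get("RSSIH");`. The enclosing function begins and ends outside the hunk.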
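Review bot: The new `CCversions` entries `0x9500:"CC2533"` and `0x8D00:"CC2540"` are upper-case while every other entry is lower-case (`"cc2530"`, `"cc2531"`); `SRF_chipdom` builds `"%s/config/xml/%s/%s"` from this name, so on a case-sensitive filesystem the SmartRF register lookup for these two parts will look in a different directory than for the rest. Use `"cc2533"` and `"cc2540"` unless SmartRF really ships those directories capitalised. The matching `CCpagesizes` entries in the next hunk carry the same spelling only in comments, so they are cosmetic.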
@@ -690,7 +902,12 @@ class GoodFETCC(GoodFET):
 """Start debugging."""
 self.setup();
 self.writecmd(self.APP,0x20,0,self.data);
- ident=self.CCidentstr();
+ ident=self.CCident();
+ if ident==0xFFFF or ident==0x0000:
+ self.writecmd(self.APP,0x20,0,self.data);
+ ident=self.CCident();
+
+
 #print "Target identifies as %s." % ident;
 #print "Status: %s." % self.status();
 self.CCreleasecpu();
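Review bot: The retry repeats the start command exactly once and then continues regardless, so a target that still answers 0xFFFF or 0x0000 goes on into `CCreleasecpu()` with a bogus ident and nothing is reported; after the second `CCident()` add `if ident==0xFFFF or ident==0x0000: print "Warning: target did not identify (0x%04x)." % ident;`, or bound a small retry loop. A one-line comment on why those two values are treated as "no answer" would help too, e.g. `#0xFFFF/0x0000 presumably mean the debug port did not respond; retry once.`. The enclosing method starts before the hunk.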
@@ -736,6 +953,135 @@ class GoodFETCC(GoodFET):
 #print "Got secret %02x" % secret;
 return secret;
+ #FIXME: This is CC1110-specific and duplicates functionality of
+ # SmartRF7 integration.
+ CCspecfuncregs={
+ 'P0':0x80,
+ 'SP':0x81,
+ 'DPL0':0x82,
+ 'DPH0':0x83,
+ 'DPL1':0x84,
+ 'DPH1':0x85,
+ 'U0CSR':0x86,
+ 'PCON':0x87,
+ 'TCON':0x88,
+ 'P0IFG':0x89,
+ 'P1IFG':0x8A,
+ 'P2IFG':0x8B,
+ 'PICTL':0x8C,
+ 'P1IEN':0x8D,
+ 'P0INP':0x8F,
+ 'P1':0x90,
+ 'RFIM':0x91,
+ 'DPS':0x92,
+ 'MPAGE':0x93,
+ 'ENDIAN':0x95,
+ 'S0CON':0x98,
+ 'IEN2':0x9A,
+ 'S1CON':0x9B,
+ 'T2CT':0x9C,
+ 'T2PR':0x9D,
+ 'T2CTL':0x9E,
+ 'P2':0xA0,
+ 'WORIRQ':0xA1,
+ 'WORCTRL':0xA2,
+ 'WOREVT0':0xA3,
+ 'WOREVT1':0xA4,
+ 'WORTIME0':0xA5,
+ 'WORTIME1':0xA6,
+ 'IEN0':0xA8,
+ 'IP0':0xA9,
+ 'FWT':0xAB,
+ 'FADDRL':0xAC,
+ 'FADDRH':0xAD,
+ 'FCTL':0xAE,
+ 'FWDATA':0xAF,
+ 'ENCDI':0xB1,
+ 'ENCDO':0xB2,
+ 'ENCCS':0xB3,
+ 'ADCCON1':0xB4,
+ 'ADCCON2':0xB5,
+ 'ADCCON3':0xB6,
+ 'IEN1':0xB8,
+ 'IP1':0xB9,
+ 'ADCL':0xBA,
+ 'ADCH':0xBB,
+ 'RNDL':0xBC,
+ 'RNDH':0xBD,
+ 'SLEEP':0xBE,
+ 'IRCON':0xC0,
+ 'U0DBUF':0xC1,
+ 'U0BAUD':0xC2,
+ 'U0UCR':0xC4,
+ 'U0GCR':0xC5,
+ 'CLKCON':0xC6,
+ 'MEMCTR':0xC7,
+ 'WDCTL':0xC9,
+ 'T3CNT':0xCA,
+ 'T3CTL':0xCB,
+ 'T3CCTL0':0xCC,
+ 'T3CC0':0xCD,
+ 'T3CCTL1':0xCE,
+ 'T3CC1':0xCF,
+ 'PSW':0xD0,
+ 'DMAIRQ':0xD1,
+ 'DMA1CFGL':0xD2,
+ 'DMA1CFGH':0xD3,
+ 'DMA0CFGL':0xD4,
+ 'DMA0CFGH':0xD5,
+ 'DMAARM':0xD6,
+ 'DMAREQ':0xD7,
+ 'TIMIF':0xD8,
+ 'RFD':0xD9,
+ 'T1CC0L':0xDA,
+ 'T1CC0H':0xDB,
+ 'T1CC1L':0xDC,
+ 'T1CC1H':0xDD,
+ 'T1CC2L':0xDE,
+ 'T1CC2H':0xDF,
+ 'ACC':0xE0,
+ 'RFST':0xE1,
+ 'T1CNTL':0xE2,
+ 'T1CNTH':0xE3,
+ 'T1CTL':0xE4,
+ 'T1CCTL0':0xE5,
+ 'T1CCTL1':0xE6,
+ 'T1CCTL2':0xE7,
+ 'IRCON2':0xE8,
+ 'RFIF':0xE9,
+ 'T4CNT':0xEA,
+ 'T4CTL':0xEB,
+ 'T4CCTL0':0xEC,
+ 'T4CC0':0xED,
+ 'T4CCTL1':0xEE,
+ 'T4CC1':0xEF,
+ 'B':0xF0,
+ 'PERCFG':0xF1,
+ 'ADCCFG':0xF2,
+ 'P0SEL':0xF3,
+ 'P1SEL':0xF4,
+ 'P2SEL':0xF5,
+ 'P1INP':0xF6,
+ 'P2INP':0xF7,
+ 'U1CSR':0xF8,
+ 'U1DBUF':0xF9,
+ 'U1BAUD':0xFA,
+ 'U1UCR':0xFB,
+ 'U1GCR':0xFC,
+ 'P0DIR':0xFD,
+ 'P1DIR':0xFE,
+ 'P2DIR':0xFF
+ }
+ def getSPR(self,args=[]):
+ """Get special function registers."""
+ print "Special Function Registers:"
+ if len(args):
+ for e in args:
+ print " %-8s : 0x%0.2x"%(e,self.CCpeekcodebyte(self.CCspecfuncregs[e]))
+ else:
+ for e in self.CCspecfuncregs.keys():
+ print " %-8s : 0x%0.2x"%(e,self.CCpeekcodebyte(self.CCspecfuncregs[e]))
+
 def dump(self,file,start=0,stop=0xffff):
 """Dump an intel hex file from code memory."""
 print "Dumping code from %04x to %04x as %s." % (start,stop,file);
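Review bot: `getSPR` reads every register with `self.CCpeekcodebyte(...)`, whereas the other register reads visible in this file (`SRF_radiostate`, the RSSI code) go through `CCpeekdatabyte`; the addresses in `CCspecfuncregs` are all 0x80–0xFF, and if `CCpeekcodebyte` reads code/flash memory as its name suggests, both print lines show flash bytes rather than SFR contents — `self.CCpeekcodebyte(self.CCspecfuncregs[e])` should presumably be `self.CCpeekdatabyte(self.CCspecfuncregs[e])` in both branches. An unknown name in `args` raises a bare `KeyError`, and `args=[]` is a mutable default; `self.CCspecfuncregs.get(e)` with a "no such register" message and `args=None` would be friendlier. Iterating `sorted(self.CCspecfuncregs.items(),key=lambda kv:kv[1])` instead of `.keys()` would give the all-registers listing a stable address order rather than Python 2 dict order.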