Add more dumps and new STC15 protocol info

Grigori Goronzy 2015-11-22 18:23:38 +01:00
parent 7a858f3334
commit aae3d946f6
6 changed files with 609 additions and 133 deletions

116
doc/iap15f2k61s2.txt Normal file

@ -0,0 +1,116 @@
2015-11-22 07:09:10.387121: PC
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F
2015-11-22 07:09:14.705892: MCU
46 B9 68 00 2B 50 87 D3 75 9C F5 3B 17 FF FF FF
FF FF 09 81 00 00 71 53 00 F4 49 04 06 58 9C 02
0E 14 17 19 19 00 F4 F4 04 D2 10 44 16
2015-11-22 07:09:14.834040: PC
46 B9 6A 00 20 00 0B 00 C0 80 C0 FF C0 00 80 80
80 FF 80 00 40 80 40 FF 40 00 00 80 00 00 00 0A
12 16 FE FE FE FE FE FE FE FE FE FE FE
2015-11-22 07:09:15.033876: MCU
46 B9 68 00 20 00 0B 03 37 04 9A 06 02 06 6B 09
27 0B E8 0D 0A 12 5A 17 9B 14 8F 1C 96 00 00 05
91 16
2015-11-22 07:09:15.076930: PC
46 B9 6A 00 20 00 0C 75 80 76 80 77 80 78 80 79
80 7A 80 74 40 75 40 76 40 77 40 78 40 79 40 0A
AA 16 FE FE FE FE FE FE FE FE FE FE FE FE
2015-11-22 07:09:15.283813: MCU
46 B9 68 00 20 00 0C 09 04 09 09 09 0E 09 0E 09
18 09 1D 12 00 12 0F 12 19 12 23 12 2D 12 37 02
43 16
2015-11-22 07:09:15.326972: PC
46 B9 6A 00 20 00 0C 70 80 71 80 72 80 73 80 74
80 75 80 74 40 75 40 76 40 77 40 78 40 79 40 0A
8C 16 FE FE FE FE FE FE FE FE FE FE FE FE
2015-11-22 07:09:15.533848: MCU
46 B9 68 00 20 00 0C 08 E1 08 EB 08 F5 08 FA 08
FF 09 04 12 00 12 0A 12 19 12 23 12 2D 12 37 06
99 16
2015-11-22 07:09:15.602052: PC
46 B9 6A 00 0E 01 74 40 FD C0 80 72 81 04 5D 16
2015-11-22 07:09:15.625739: MCU
46 B9 68 00 07 01 00 70 16
2015-11-22 07:09:15.663175: PC
46 B9 6A 00 07 05 00 76 16
2015-11-22 07:09:15.677251: MCU
46 B9 68 00 07 05 00 74 16
2015-11-22 07:09:15.706149: PC
46 B9 6A 00 08 03 00 00 75 16
2015-11-22 07:09:19.156240: MCU
46 B9 68 00 0E 03 0D 00 00 21 02 26 32 01 01 16
2015-11-22 07:09:19.194154: PC
46 B9 6A 00 89 22 00 00 02 00 08 12 00 3F 80 FE
75 81 07 12 00 4C E5 82 60 03 02 00 03 E4 78 FF
F6 D8 FD 02 00 03 AE 82 AF 83 8E 04 8F 05 1E BE
FF 01 1F EC 4D 60 0F 7C 90 7D 01 1C BC FF 01 1D
EC 4D 70 F7 80 E4 22 90 03 E8 12 00 1E E5 80 F4
F5 80 80 F3 75 82 00 22 FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF 51 E8 16
2015-11-22 07:09:19.366679: MCU
46 B9 68 00 08 02 54 00 C6 16
2015-11-22 07:09:19.383521: PC
46 B9 6A 00 89 02 00 80 FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF 80 F5 16
2015-11-22 07:09:19.566903: MCU
46 B9 68 00 08 02 54 00 C6 16
2015-11-22 07:09:19.583260: PC
46 B9 6A 00 89 02 01 00 FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF 80 76 16
2015-11-22 07:09:19.776710: MCU
46 B9 68 00 08 02 54 00 C6 16
2015-11-22 07:09:19.793705: PC
46 B9 6A 00 89 02 01 80 FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF 80 F6 16
2015-11-22 07:09:19.972466: MCU
46 B9 68 00 08 02 54 00 C6 16
2015-11-22 07:09:20.007204: PC
46 B9 6A 00 49 04 00 00 FF FF FF 00 FF FF 00 FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 00
FF A8 FF AD FF 40 FF FD 03 FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF 74 BF F7 BB 9F 38 9E 16
2015-11-22 07:09:20.132323: MCU
46 B9 68 00 08 04 54 00 C8 16
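
Review bot: The flash write packets in this capture (types 0x22 and 0x02, length 0x0089) step the address by 0x80 (00 00, 00 80, 01 00, 01 80) and carry 128 data bytes padded with FF, which differs from the 64-byte block size described in doc/stc15a-protocol.txt, and nothing in the file says so. Suggest a short header naming the MCU, clock source, baud rate and block size so the dump can be read without the protocol notes open.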


@ -1,81 +1,82 @@
Model-specific configuration registers
Placement of configuration values
STC15 series MCS bytes
======================
"~" means the bit is a negated boolean. Sometimes values overlap,
depending on MCU model.
MCS3 is like early STC15 MCS1.
MCS2 is like early STC15 MCS2.
MCS4 is like early STC15 MCS0 but with additions.
MCSX is like early STC15 MCS12.
In STC15 series, the first 13 MCS bytes have active values. Generally,
unused bits should be set to 1.
baseline
B5 FF F7 BB 9F
MCS0
----
long por disabled
B6 FF F7 BB 1F
--> MCS4 bit 7 controls POR delay. low => short, high => long
MSB 7 6 5 4 3 2 1 0 LSB
RSPEN
reset pin as io disabled
B8 FF F7 BB 8F
--> MCS4 bit 4 controls reset pin. low => reset is normal, high => reset is io
RSPEN := RESET pin enable
low voltage reset disabled
B6 FF F7 FB 9F
--> MCS3 bit 6 controls low voltage reset. low => lv reset enabled, high => disabled
lvd threshold 2.61v
B8 FF F7 BA 9F
lvd threshold 2.82v
B5 FF F7 B9 9F
lvd threshold 3.08v
B6 FF F7 B8 9F
--> MCS3 bits 0-2 control LVD threshold setting. exact mapping not yet clear.
eeprom lv inhibit disabled
B7 FF F7 3B 9F
--> MCS3 bit 7 controls eeprom lv inhibit. high => eeprom lv inhibit enabled, low => disabled
watchdog after reset enabled
B6 FF D7 BB 9F
--> MCS2 bit 5 controls watchdog after reset. high => disabled, low => enabled
watchdog prescaler 128
B4 FF F6 BB 9F
watchdog prescaler 64
B5 FF F5 BB 9F
watchdog prescaler 32
B5 FF F4 BB 9F
watchdog prescaler 2
B6 FF F0 BB 9F
--> MCS2 bits 0-2 control watchdog prescaler. mapping is similar to early STC15.
wdt stop in idle disabled
B7 FF FF BB 9F
erase eeprom next programming
B4 FF F7 BB 9F
--> it's somewhere else! it's bit 1 of the extra MCSX byte that is typically 0xfd. low => erase eeprom disabled, high => erase eeprom enabled
MCS1
----
p3.3 por state enabled
B9 FF F7 BB 97
--> MCS4 bit 3 controls the p3.3 state. high => p3.3 high, low => p3.3 low
MSB 7 6 5 4 3 2 1 0 LSB
EEIH LVRS LVD2 LVD1 LVD0
p3.1 passthrough from p3.0 enabled
B5 FF F7 BB DF
--> MCS4 bit 2 controls the p3.1 passthrough. low => passthrough disabled, high => passthrough enabled
EEIH := inhibit EEPROM writes in low-voltage conditions enable
LVRS := low-voltage reset enable
LVD2...LVD0 := low voltage detection threshold
p3.1 push pull enabled
B5 FF F7 BB BF
--> MCS4 bit 1 controls p3.1 push pull. low => quasi-bidi, high => push-pull
LVD2 LVD1 LVD0 value
0 0 0 setting 0 (e.g. 3.14V)
0 0 1 setting 1 (e.g. 3.28V)
0 1 0 setting 2 (e.g. 3.43V)
0 1 1 setting 3 (e.g. 3.61V)
1 0 0 setting 4 (e.g. 3.82V)
1 0 1 setting 5 (e.g. 4.05V)
1 1 0 unknown
1 1 1 unknown
The exact voltages depend on MCU model.
bsl pindetect enabled
B5 FF F7 BB BF
--> somewhere else, MCSX bit 0. low => pindetect enabled, high => pindetect disabled.
MCS2
----
external oscillator enabled (IAP15F2K61S2)
9C 7F F7 BB 9E
--> MCS4 bit 0 controls external oscillator. low => use external crystal, high => use RC.
MSB 7 6 5 4 3 2 1 0 LSB
~WDEN ~WDSTP WDPS2 WDPS1 WDPS0
~WDEN := watchdog enable after power-on-reset
~WDSTP := stop watchdog counter in idle mode
WDPS2...WDPS0 := watchdog counter prescaler
WDPS2 WDPS1 WDPS0 divisior
0 0 0 2
0 0 1 4
0 1 0 8
0 1 1 16
1 0 0 32
1 0 1 64
1 1 0 128
1 1 1 256
This is completely similar to STC12.
MCS3...MCS11
------------
All bytes set to 0xff.
MCS12
-----
MSB 7 6 5 4 3 2 1 0 LSB
~EREE ~BSLD
~EREE := enable eeprom erase next time MCU is programmed
~BSLD := enable BSL pin detect; i.e. BSL is only enabled if P1.0/P1.1
(or others, depends on MCU model) are held low on POR.
This is like MCS3 of STC12.
external oscillator enabled + clock gain low (IAP15F2K61S2)
9C 7F F7 BB 9C
--> MCS 4 bit controls clock gain. high => high clock gain, low => low clock gain.
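
Review bot: In the MCS4 notes, the bit numbers given for the two P3.1 options do not match the bytes shown. Against the baseline 9F, "p3.1 passthrough" changes the byte to DF (bit 6) and "p3.1 push pull" changes it to BF (bit 5), yet the notes say bit 2 and bit 1; the other MCS4 entries (1F bit 7, 8F bit 4, 97 bit 3, 9E bit 0) are consistent with LSB-0 numbering. The last note, "MCS 4 bit controls clock gain", gives no bit number at all (9E to 9C is bit 1). Also, "bsl pindetect enabled" lists the same bytes as "p3.1 push pull enabled" (B5 FF F7 BB BF), which looks like a copy-paste; its note places the bit in MCSX, which these five bytes do not show, so the sample should include the MCSX byte.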


@ -1,92 +1,161 @@
STC15 reverse engineering
STC15 protocol
==============
Note: so far only based on STC15F104E!
high level
----------
-> pulse
<- info packet
-> freq challenges round 1
<- freq responses
-> freq challenges round 2
<- freq responses
-> baud switch
<- ack
-> prepare
<- ack
-> erase
<- ack + uid
-> write first block
<- ack
-> write block 2
<- ack
...
-> write block n
<- ack
-> option packet
<- ack
Basic differences between STC12 and STC15
info packet
-----------
* Initial MCU response is an ack (0x80) packet. Host needs to respond
with the same ack and pulse 0x7f again, then MCU sends the info
packet.
6 MHz:
46 B9 68 00 2B 50 66 3C 93 BA F7 BB 9F 00 5B 68 00 FD 00 00 00 00 71 51 03 F2 D4 04 06 58 BA 02 2A 31 32 38 30 80 14 10 04 D9 0D 02 16
* Frequency timings sent with info packet are different; the calculation
is the same but only four timings are sent, followed by two other
unknown timings and two zero words.
12 MHz:
46 B9 68 00 2B 50 66 3C 93 BA F7 BB 9F 00 B6 F5 80 FD 00 00 00 00 71 51 03 F2 D4 04 06 58 BA 02 2A 31 32 38 30 80 14 10 04 D9 0E 6A 16
* A new handshake is used to tune the RC oscillator for a given
frequency.
33 MHz:
46 B9 68 00 2B 50 66 3C 93 BA F7 B9 9F 01 F7 C2 80 FD 00 00 00 00 71 51 03 F2 D4 04 06 58 BA 02 2A 31 32 38 30 80 14 10 04 D9 0E 77 16
* The baudrate isn't changed with a complicated handshake, it is just
switched to with a 0x8e type packet.
This may be different on other MCUs that have a hardware UART.
30 MHz:
46 B9 68 00 2B 50 66 3C 93 BA F7 B9 9F 01 C9 9E 00 FD 7F FF FD FF 71 51 03 F2 D4 04 06 58 BA 02 2A 31 32 38 30 80 14 10 04 D9 11 1F 16
^^^^^ ^^^^^^^^^^^
timer freq freq big endian
value in hz 32 bit value
^^^^^^^^ ^^
MCS2-4 MCSX
^^
factory calibration adjust for 24 MHz (range 0x40)?
IAP15F2K61S2:
external osc:
46 B9 68 00 2B 50 87 D3 75 9C F7 BB 9E 01 77 70 80 FD 06 57 00 00 71 53 00 F4 49 04 06 58 9C 02 0E 14 17 19 19 00 F4 F4 04 D2 0E 8A 16
^^^^^
frequency count for external (1)
* Transfers use 64 bytes block size.
Possibly that's because the 15F104E only has 128 bytes RAM. It
might use bigger blocks on MCUs with more RAM.
(1) if external clock is active, frequency can be calculated like:
CLOCK = BAUD * COUNT
internal 11.052 MHz:
46 B9 68 00 2B 50 87 D3 75 9C F7 BB 9F 00 A8 AD 40 FD 09 FE 00 00 71 53 00 F4 49 04 06 58 9C 02 0E 14 17 19 19 00 F4 F4 04 D2 0F 62 16
* Position of many option bits has changed, and more bits are used.
i.e. operating frequency is not sampled from host pulses! it's actually much more
convenient, it is simply returned as an integer value in hz. same for the wakeup
timer.
baud switch packet
------------------
46 B9 6A 00 0E 01 8C 40 F6 FD F2 7C 83 05 29 16
^^^^^ ^^^^^ ^^
(1) (2) (3)
^^^^^
prog calib. values
(1) baud value (65535 - clk / baud) (SW UART)
(65535 - clk / baud / 4) (HW UART)
(2) some timer value (65535 - (clk / baud) * 1.5)
(3) constant? IAP delay?
The RC oscillator calibration
trim challenge packet
---------------------
Theory of operation:
* Host sends a sequence of challenges. These are values to be
programmed into an internal RC oscillator calibration register.
* Host sends 0x7f pulses
* MCU sends back responses, which are the runtime of the baudrate
timing counter (similar to the info packet)
* Host repeats this with finer trimmed challenge values.
* Host determines calibration value with the lowest error.
* Host sends baudrate switch packet
* Host sends option packet to program frequency after flash programming
two challenges are sent, UART seems to be used as clock reference
The STC software uses a fixed set of coarse grained trim values to
try. These are:
33.1 MHz @ 9600 bps:
-> 46 B9 6A 00 20 00 0B 00 C0 80 C0 FF C0 00 80 80 80 FF 80 00 40 80 40 FF 40 00 00 80 00 00 00 0A 12 16 92 92 92 92
sequence clock (MHz)
0x1800 0x1880 0x1880 0x18ff [4, 7.5]
0x1880 0x18ff 0x5800 0x5880 (7.5, 10]
0x5800 0x5880 0x5880 0x58ff (10, 15]
0x5880 0x58ff 0x9800 0x9880 (15, 21]
0x9800 0x9880 0x9880 0x98ff (21, 31]
0xd800 0xd880 0xd880 0xd8b4 (31, 40]
4 MHz @ 9600 bps:
-> 46 B9 6A 00 20 00 0B 00 C0 80 C0 FF C0 00 80 80 80 FF 80 00 40 80 40 FF 40 00 00 80 00 00 00 0A 12 16 92 92 92 92
In addition it sends a sequence for the programming speed:
0x5800 0x5880 for normal speed and 0x9800 0x9880 for high
speed programming.
6 MHz @ 9600 bps:
-> 46 B9 6A 00 20 00 0B 00 C0 80 C0 FF C0 00 80 80 80 FF 80 00 40 80 40 FF 40 00 00 80 00 00 00 0A 12 16 92 92 92 92
<- 46 B9 68 00 20 00 0B 03 05 04 4F 05 9E 06 20 08 B9 0B 57 0C 60 11 6A 16 5B 13 5E 1A D4 00 00 05 91 16
Then, by linear interpolation, it choses a suitable range of
fine-tuning trim values to try according to the counter values sent
by the MCU.
-> 46 B9 6A 00 20 00 0C B4 C0 B5 C0 B6 C0 B7 C0 B8 C0 B9 C0 8C 40 8D 40 8E 40 8F 40 90 40 91 40 0E 34 16 92 92 92 92
<- 46 B9 68 00 20 00 0C 04 DB 04 DB 04 DB 04 E0 04 E5 04 E5 11 EC 11 F6 12 05 12 05 12 0F 12 14 08 60 16
The programming speed trim value is only determined by linear
interpolation of the two trim challenges sent in the first round of
calibration. This seems to be good enough.
12 MHz @ 9600 bps:
-> 46 B9 6A 00 20 00 0B 00 C0 80 C0 FF C0 00 80 80 80 FF 80 00 40 80 40 FF 40 00 00 80 00 00 00 0A 12 16 92 92 92 92
<- 46 B9 68 00 20 00 0B 03 05 04 4F 05 99 06 20 08 B4 0B 52 0C 65 11 6F 16 56 13 5E 1A D4 00 00 05 87 16
-> 46 B9 6A 00 20 00 0C B0 80 B1 80 B2 80 B3 80 B4 80 B5 80 8B 40 8C 40 8D 40 8E 40 8F 40 90 40 0C 96 16 92 92 92 92
<- 46 B9 68 00 20 00 0C 09 B8 09 BD 09 C2 09 C7 09 C7 09 D1 11 DD 11 EC 11 FB 12 00 12 0A 12 0F 08 A6 16
^^^^^
number of challenges used (here: 12)
looks like two byte calibration values are used; second byte is the rough value, first byte is fine adjust
first round selects a rough range
second round refines inside that range and another (for programming speed)
(CLOCK / (BAUD/2)) = COUNTER
=> CLOCK = COUNTER * (BAUD/2)
the first packet always uses a fixed set of challenges.
first calibration byte of chosen frequency is stored in options. the second calibration byte is stored added together
with the value 0x3f in the next option byte.
a factory frequency value (24 MHz) is available in the info packet.
the calibration value for the programming frequency (always range 0x40) is transmitted with the baud change packet.
New packets host2mcu
--------------------
option packet
-------------
1. RC calibration challenge
46 B9 6A 00 49 04 00 00 FF FF FF 00 FF FF 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 FF 5B FF 68 FF 00
^^^^^^^^^^^^^^^^^^^^
frequency in hz, with FF bytes inbetween
Payload: 0x65, T0, .., T6, 0xff, 0xff, 0x06, CNT,
TR00, TR01, 0x02, 0x00,
TR10, TR11, 0x02, 0x00,
...
FF FD FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF B5 FF F7 BB 9F 3A 48 16
^ ^^^^^^^^^^^^^^
MCSX MCS0-4
T0...T6 := trim constants, from info packet
CNT := number of calibration challenges (max 11)
TRxx := calibration challenge trim values
MCS bytes
---------
2. Baudrate switch
### MCS0
Payload: 0x8e, TR0, TR1, BDIV, 0xa1, 0x64, FC,
0x00, IAP, 0x20, 0xff, 0x00
RC calibration adjust
TR0, TR1 := trim value for programming frequency
(normal = 11.0592 MHz, highspeed = 22.1184 MHz)
BDIV := baud rate divider (normal: baud = 115200 / BDIV, highspeed: baud = 230400 / BDIV)
FC := some frequency constant, normal: 0xdc, highspeed: 0xb8
IAP := IAP delay, normal: 0x83, highspeed: 0x81
### MCS1
0x3f + RC calibration range (0x00, 0x40, 0x80, 0xc0)
### MCS2 - MCS4 and MCSX
See stc15-options.txt
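
Review bot: The two clock formulas in this file differ by a factor of two with no explanation: footnote (1) under the IAP15F2K61S2 info packet gives CLOCK = BAUD * COUNT, while the trim challenge section gives CLOCK = COUNTER * (BAUD/2). If these are different counters, say so next to each formula and state which baud rate applies; the 12 MHz second-round response 09 B8 at 9600 bps fits the BAUD/2 form (2488 * 4800 = 11,942,400). Style: the "### MCS0" headings use a different convention from the underlined headings in the rest of the file.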

81
doc/stc15a-options.txt Normal file

@ -0,0 +1,81 @@
Model-specific configuration registers
Placement of configuration values
"~" means the bit is a negated boolean. Sometimes values overlap,
depending on MCU model.
In STC15 series, the first 13 MCS bytes have active values. Generally,
unused bits should be set to 1.
MCS0
----
MSB 7 6 5 4 3 2 1 0 LSB
RSPEN
RSPEN := RESET pin enable
MCS1
----
MSB 7 6 5 4 3 2 1 0 LSB
EEIH LVRS LVD2 LVD1 LVD0
EEIH := inhibit EEPROM writes in low-voltage conditions enable
LVRS := low-voltage reset enable
LVD2...LVD0 := low voltage detection threshold
LVD2 LVD1 LVD0 value
0 0 0 setting 0 (e.g. 3.14V)
0 0 1 setting 1 (e.g. 3.28V)
0 1 0 setting 2 (e.g. 3.43V)
0 1 1 setting 3 (e.g. 3.61V)
1 0 0 setting 4 (e.g. 3.82V)
1 0 1 setting 5 (e.g. 4.05V)
1 1 0 unknown
1 1 1 unknown
The exact voltages depend on MCU model.
MCS2
----
MSB 7 6 5 4 3 2 1 0 LSB
~WDEN ~WDSTP WDPS2 WDPS1 WDPS0
~WDEN := watchdog enable after power-on-reset
~WDSTP := stop watchdog counter in idle mode
WDPS2...WDPS0 := watchdog counter prescaler
WDPS2 WDPS1 WDPS0 divisior
0 0 0 2
0 0 1 4
0 1 0 8
0 1 1 16
1 0 0 32
1 0 1 64
1 1 0 128
1 1 1 256
This is completely similar to STC12.
MCS3...MCS11
------------
All bytes set to 0xff.
MCS12
-----
MSB 7 6 5 4 3 2 1 0 LSB
~EREE ~BSLD
~EREE := enable eeprom erase next time MCU is programmed
~BSLD := enable BSL pin detect; i.e. BSL is only enabled if P1.0/P1.1
(or others, depends on MCU model) are held low on POR.
This is like MCS3 of STC12.
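
Review bot: Nothing in this new file identifies it as the STC15A variant; the text still reads "In STC15 series, the first 13 MCS bytes have active values" and there is no title, so it is easy to confuse with the rewritten STC15 options file. Suggest a title line naming STC15A. Typo in the watchdog prescaler table header: "divisior" should be "divisor".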

91
doc/stc15a-protocol.txt Normal file

@ -0,0 +1,91 @@
STC15 reverse engineering
Note: so far only based on STC15F104E! This protocol has been renamed ot STC15A.
Basic differences between STC12 and STC15
* Initial MCU response is an ack (0x80) packet. Host needs to respond
with the same ack and pulse 0x7f again, then MCU sends the info
packet.
* Frequency timings sent with info packet are different; the calculation
is the same but only four timings are sent, followed by two other
unknown timings and two zero words.
* A new handshake is used to tune the RC oscillator for a given
frequency.
* The baudrate isn't changed with a complicated handshake, it is just
switched to with a 0x8e type packet.
This may be different on other MCUs that have a hardware UART.
* Transfers use 64 bytes block size.
Possibly that's because the 15F104E only has 128 bytes RAM. It
might use bigger blocks on MCUs with more RAM.
* Position of many option bits has changed, and more bits are used.
The RC oscillator calibration
Theory of operation:
* Host sends a sequence of challenges. These are values to be
programmed into an internal RC oscillator calibration register.
* Host sends 0x7f pulses
* MCU sends back responses, which are the runtime of the baudrate
timing counter (similar to the info packet)
* Host repeats this with finer trimmed challenge values.
* Host determines calibration value with the lowest error.
* Host sends baudrate switch packet
* Host sends option packet to program frequency after flash programming
The STC software uses a fixed set of coarse grained trim values to
try. These are:
sequence clock (MHz)
0x1800 0x1880 0x1880 0x18ff [4, 7.5]
0x1880 0x18ff 0x5800 0x5880 (7.5, 10]
0x5800 0x5880 0x5880 0x58ff (10, 15]
0x5880 0x58ff 0x9800 0x9880 (15, 21]
0x9800 0x9880 0x9880 0x98ff (21, 31]
0xd800 0xd880 0xd880 0xd8b4 (31, 40]
In addition it sends a sequence for the programming speed:
0x5800 0x5880 for normal speed and 0x9800 0x9880 for high
speed programming.
Then, by linear interpolation, it choses a suitable range of
fine-tuning trim values to try according to the counter values sent
by the MCU.
The programming speed trim value is only determined by linear
interpolation of the two trim challenges sent in the first round of
calibration. This seems to be good enough.
New packets host2mcu
--------------------
1. RC calibration challenge
Payload: 0x65, T0, .., T6, 0xff, 0xff, 0x06, CNT,
TR00, TR01, 0x02, 0x00,
TR10, TR11, 0x02, 0x00,
...
T0...T6 := trim constants, from info packet
CNT := number of calibration challenges (max 11)
TRxx := calibration challenge trim values
2. Baudrate switch
Payload: 0x8e, TR0, TR1, BDIV, 0xa1, 0x64, FC,
0x00, IAP, 0x20, 0xff, 0x00
TR0, TR1 := trim value for programming frequency
(normal = 11.0592 MHz, highspeed = 22.1184 MHz)
BDIV := baud rate divider (normal: baud = 115200 / BDIV, highspeed: baud = 230400 / BDIV)
FC := some frequency constant, normal: 0xdc, highspeed: 0xb8
IAP := IAP delay, normal: 0x83, highspeed: 0x81
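
Review bot: The headings still read "STC15 reverse engineering" and "Basic differences between STC12 and STC15", while the note on the second line says the protocol has been renamed to STC15A; rename the headings so the file matches its new name. Typos: "renamed ot STC15A" should be "renamed to STC15A", and "choses" should be "chooses".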

118
doc/stc15l104w.txt Normal file

@ -0,0 +1,118 @@
2015-11-20 01:39:38.554555: PC
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
2015-11-20 01:39:41.744739: MCU
46 B9 68 00 2B 50 66 3C 93 BA F7 BB 9F 00 5B 68
00 FD 00 00 00 00 71 51 03 F2 D4 04 06 58 BA 02
2A 31 32 38 30 80 14 10 04 D9 0D 02 16
2015-11-20 01:39:41.839211: PC
46 B9 6A 00 20 00 0B 00 C0 80 C0 FF C0 00 80 80
80 FF 80 00 40 80 40 FF 40 00 00 80 00 00 00 0A
12 16 92 92 92 92
2015-11-20 01:39:41.932603: MCU
46 B9 68 00 20 00 0B 03 0A 04 4F 05 9E 06 20 08
B9 0B 5C 0C 6A 11 7E 16 79 13 77 1A B1 00 00 05
CD 16
2015-11-20 01:39:41.975503: PC
46 B9 6A 00 20 00 0C B4 C0 B5 C0 B6 C0 B7 C0 B8
C0 B9 C0 89 40 8A 40 8B 40 8C 40 8D 40 8E 40 0E
22 16 92 92 92 92
2015-11-20 01:39:42.058079: MCU
46 B9 68 00 20 00 0C 04 D6 04 DB 04 E0 04 E0 04
E0 04 E5 11 E2 11 F1 11 FB 12 05 12 0A 12 19 09
41 16
2015-11-20 01:39:42.106052: PC
46 B9 6A 00 0E 01 8C 40 F6 FD F2 7C 83 05 29 16
2015-11-20 01:39:42.130699: MCU
46 B9 68 00 07 01 00 70 16
2015-11-20 01:39:42.355652: PC
46 B9 6A 00 07 05 00 76 16
2015-11-20 01:39:42.369748: MCU
46 B9 68 00 07 05 00 74 16
2015-11-20 01:39:42.385566: PC
46 B9 6A 00 08 03 00 00 75 16
2015-11-20 01:39:42.762099: MCU
46 B9 68 00 0E 03 0C 00 00 17 01 A0 E0 02 1D 16
2015-11-20 01:39:42.793627: PC
46 B9 6A 00 49 22 00 00 02 00 08 12 00 3F 80 FE
75 81 07 12 00 4C E5 82 60 03 02 00 03 E4 78 FF
F6 D8 FD 02 00 03 AE 82 AF 83 8E 04 8F 05 1E BE
FF 01 1F EC 4D 60 0F 7C 90 7D 01 1C BC FF 01 1D
EC 4D 70 F7 80 E4 22 90 1A 63 16
2015-11-20 01:39:42.898503: MCU
46 B9 68 00 08 02 54 00 C6 16
2015-11-20 01:39:42.915747: PC
46 B9 6A 00 49 02 00 40 03 E8 12 00 1E E5 80 F4
F5 80 80 F3 75 82 00 22 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 08 6A 16
2015-11-20 01:39:43.020455: MCU
46 B9 68 00 08 02 54 00 C6 16
2015-11-20 01:39:43.036976: PC
46 B9 6A 00 49 02 00 80 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 01 35 16
2015-11-20 01:39:43.142916: MCU
46 B9 68 00 08 02 54 00 C6 16
2015-11-20 01:39:43.159889: PC
46 B9 6A 00 49 02 00 C0 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 01 75 16
2015-11-20 01:39:43.249802: MCU
46 B9 68 00 08 02 54 00 C6 16
2015-11-20 01:39:43.266503: PC
46 B9 6A 00 49 02 01 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 B6 16
2015-11-20 01:39:43.366446: MCU
46 B9 68 00 08 02 54 00 C6 16
2015-11-20 01:39:43.383638: PC
46 B9 6A 00 49 02 01 40 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 F6 16
2015-11-20 01:39:43.477298: MCU
46 B9 68 00 08 02 54 00 C6 16
2015-11-20 01:39:43.494433: PC
46 B9 6A 00 49 02 01 80 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 01 36 16
2015-11-20 01:39:43.600474: MCU
46 B9 68 00 08 02 54 00 C6 16
2015-11-20 01:39:43.617482: PC
46 B9 6A 00 49 02 01 C0 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 01 76 16
2015-11-20 01:39:43.721087: MCU
46 B9 68 00 08 02 54 00 C6 16
2015-11-20 01:39:43.746765: PC
46 B9 6A 00 49 04 00 00 FF FF FF 00 FF FF 00 FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00
FF 5B FF 68 FF 00 FF FD FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF B6 FF F7 BB 9F 3A 49 16
2015-11-20 01:39:43.863822: MCU
46 B9 68 00 08 04 54 00 C8 16
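
Review bot: The two trim challenge packets in this capture end with 92 92 92 92 after the 0x16 end byte, and nothing explains these trailing bytes; the IAP15F2K61S2 capture has FE bytes in the same position. If they are the host's timing pulses for the calibration counter, note that in the protocol document, and add a header line here naming the clock setting and baud rate used for the capture.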