From aae3d946f6797d656d9ae82ae0647eee7b10b688 Mon Sep 17 00:00:00 2001 From: Grigori Goronzy Date: Sun, 22 Nov 2015 18:23:38 +0100 Subject: [PATCH] Add more dumps and new STC15 protocol info --- doc/iap15f2k61s2.txt | 116 +++++++++++++++++++++++ doc/stc15-options.txt | 137 +++++++++++++-------------- doc/stc15-protocol.txt | 199 +++++++++++++++++++++++++++------------- doc/stc15a-options.txt | 81 ++++++++++++++++ doc/stc15a-protocol.txt | 91 ++++++++++++++++++ doc/stc15l104w.txt | 118 ++++++++++++++++++++++++ 6 files changed, 609 insertions(+), 133 deletions(-) create mode 100644 doc/iap15f2k61s2.txt create mode 100644 doc/stc15a-options.txt create mode 100644 doc/stc15a-protocol.txt create mode 100644 doc/stc15l104w.txt diff --git a/doc/iap15f2k61s2.txt b/doc/iap15f2k61s2.txt new file mode 100644 index 0000000..2461ed5 --- /dev/null +++ b/doc/iap15f2k61s2.txt 
@@ -0,0 +1,116 @@ +2015-11-22 07:09:10.387121: PC +7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F +7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F +7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F +7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F +7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F +7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F +7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F +7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F +7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F +7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F +7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F +7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F +7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F +7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F +7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F +7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F +7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F +7F 7F 7F 7F 7F 7F +2015-11-22 07:09:14.705892: MCU +46 B9 68 00 2B 50 87 D3 75 9C F5 3B 17 FF FF FF +FF FF 09 81 00 00 71 53 00 F4 49 04 06 58 9C 02 +0E 14 17 19 19 00 F4 F4 04 D2 10 44 16 +2015-11-22 07:09:14.834040: PC +46 B9 6A 00 20 00 0B 00 C0 80 C0 FF C0 00 80 80 +80 FF 80 00 40 80 40 FF 40 00 00 80 00 00 00 0A +12 16 FE FE FE FE FE FE FE FE FE FE FE +2015-11-22 07:09:15.033876: MCU +46 B9 68 00 20 00 0B 03 37 04 9A 06 02 06 6B 09 +27 0B E8 0D 0A 12 5A 17 9B 14 8F 1C 96 00 00 05 +91 16 +2015-11-22 07:09:15.076930: PC +46 B9 6A 00 20 00 0C 75 80 76 80 77 80 78 80 79 +80 7A 80 74 40 75 40 76 40 77 40 78 40 79 40 0A +AA 16 FE FE FE FE FE FE FE FE FE FE FE FE +2015-11-22 07:09:15.283813: MCU +46 B9 68 00 20 00 0C 09 04 09 09 09 0E 09 0E 09 +18 09 1D 12 00 12 0F 12 19 12 23 12 2D 12 37 02 +43 16 +2015-11-22 07:09:15.326972: PC +46 B9 6A 00 20 00 0C 70 80 71 80 72 80 73 80 74 +80 75 80 74 40 75 40 76 40 77 40 78 40 79 40 0A +8C 16 FE FE FE FE FE FE FE FE FE FE FE FE +2015-11-22 07:09:15.533848: MCU +46 B9 68 00 20 00 0C 08 E1 08 EB 08 F5 08 FA 08 +FF 09 04 12 00 12 0A 12 19 12 23 12 2D 12 37 06 +99 
16 +2015-11-22 07:09:15.602052: PC +46 B9 6A 00 0E 01 74 40 FD C0 80 72 81 04 5D 16 +2015-11-22 07:09:15.625739: MCU +46 B9 68 00 07 01 00 70 16 +2015-11-22 07:09:15.663175: PC +46 B9 6A 00 07 05 00 76 16 +2015-11-22 07:09:15.677251: MCU +46 B9 68 00 07 05 00 74 16 +2015-11-22 07:09:15.706149: PC +46 B9 6A 00 08 03 00 00 75 16 +2015-11-22 07:09:19.156240: MCU +46 B9 68 00 0E 03 0D 00 00 21 02 26 32 01 01 16 +2015-11-22 07:09:19.194154: PC +46 B9 6A 00 89 22 00 00 02 00 08 12 00 3F 80 FE +75 81 07 12 00 4C E5 82 60 03 02 00 03 E4 78 FF +F6 D8 FD 02 00 03 AE 82 AF 83 8E 04 8F 05 1E BE +FF 01 1F EC 4D 60 0F 7C 90 7D 01 1C BC FF 01 1D +EC 4D 70 F7 80 E4 22 90 03 E8 12 00 1E E5 80 F4 +F5 80 80 F3 75 82 00 22 FF FF FF FF FF FF FF FF +FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF +FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF +FF FF FF FF FF FF FF FF 51 E8 16 +2015-11-22 07:09:19.366679: MCU +46 B9 68 00 08 02 54 00 C6 16 +2015-11-22 07:09:19.383521: PC +46 B9 6A 00 89 02 00 80 FF FF FF FF FF FF FF FF +FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF +FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF +FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF +FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF +FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF +FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF +FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF +FF FF FF FF FF FF FF FF 80 F5 16 +2015-11-22 07:09:19.566903: MCU +46 B9 68 00 08 02 54 00 C6 16 +2015-11-22 07:09:19.583260: PC +46 B9 6A 00 89 02 01 00 FF FF FF FF FF FF FF FF +FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF +FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF +FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF +FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF +FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF +FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF +FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF +FF FF FF FF FF FF FF FF 80 76 16 +2015-11-22 07:09:19.776710: MCU +46 B9 68 00 08 02 54 00 C6 16 +2015-11-22 
07:09:19.793705: PC +46 B9 6A 00 89 02 01 80 FF FF FF FF FF FF FF FF +FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF +FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF +FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF +FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF +FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF +FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF +FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF +FF FF FF FF FF FF FF FF 80 F6 16 +2015-11-22 07:09:19.972466: MCU +46 B9 68 00 08 02 54 00 C6 16 +2015-11-22 07:09:20.007204: PC +46 B9 6A 00 49 04 00 00 FF FF FF 00 FF FF 00 FF +FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 00 +FF A8 FF AD FF 40 FF FD 03 FF FF FF FF FF FF FF +FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF +FF FF FF 74 BF F7 BB 9F 38 9E 16 +2015-11-22 07:09:20.132323: MCU +46 B9 68 00 08 04 54 00 C8 16 + diff --git a/doc/stc15-options.txt b/doc/stc15-options.txt index d0ee3ef..91a5eee 100644 --- a/doc/stc15-options.txt +++ b/doc/stc15-options.txt 
@@ -1,81 +1,82 @@ -Model-specific configuration registers -Placement of configuration values +STC15 series MCS bytes +====================== -"~" means the bit is a negated boolean. Sometimes values overlap, -depending on MCU model. +MCS3 is like early STC15 MCS1. +MCS2 is like early STC15 MCS2. +MCS4 is like early STC15 MCS0 but with additions. +MCSX is like early STC15 MCS12. -In STC15 series, the first 13 MCS bytes have active values. Generally, -unused bits should be set to 1. +baseline +B5 FF F7 BB 9F -MCS0 ----- +long por disabled +B6 FF F7 BB 1F +--> MCS4 bit 7 controls POR delay. low => short, high => long -MSB 7 6 5 4 3 2 1 0 LSB - RSPEN +reset pin as io disabled +B8 FF F7 BB 8F +--> MCS4 bit 4 controls reset pin. low => reset is normal, high => reset is io -RSPEN := RESET pin enable +low voltage reset disabled +B6 FF F7 FB 9F +--> MCS3 bit 6 controls low voltage reset. low => lv reset enabled, high => disabled + +lvd threshold 2.61v +B8 FF F7 BA 9F +lvd threshold 2.82v +B5 FF F7 B9 9F +lvd threshold 3.08v +B6 FF F7 B8 9F + +--> MCS3 bits 0-2 control LVD threshold setting. exact mapping not yet clear. + +eeprom lv inhibit disabled +B7 FF F7 3B 9F +--> MCS3 bit 7 controls eeprom lv inhibit. high => eeprom lv inhibit enabled, low => disabled + +watchdog after reset enabled +B6 FF D7 BB 9F +--> MCS2 bit 5 controls watchdog after reset. high => disabled, low => enabled + +watchdog prescaler 128 +B4 FF F6 BB 9F +watchdog prescaler 64 +B5 FF F5 BB 9F +watchdog prescaler 32 +B5 FF F4 BB 9F +watchdog prescaler 2 +B6 FF F0 BB 9F +--> MCS2 bits 0-2 control watchdog prescaler. mapping is similar to early STC15. + +wdt stop in idle disabled +B7 FF FF BB 9F + +erase eeprom next programming +B4 FF F7 BB 9F +--> it's somewhere else! it's bit 1 of the extra MCSX byte that is typically 0xfd. low => erase eeprom disabled, high => erase eeprom enabled -MCS1 ----- +p3.3 por state enabled +B9 FF F7 BB 97 +--> MCS4 bit 3 controls the p3.3 state. 
high => p3.3 high, low => p3.3 low -MSB 7 6 5 4 3 2 1 0 LSB - EEIH LVRS LVD2 LVD1 LVD0 +p3.1 passthrough from p3.0 enabled +B5 FF F7 BB DF +--> MCS4 bit 2 controls the p3.1 passthrough. low => passthrough disabled, high => passthrough enabled -EEIH := inhibit EEPROM writes in low-voltage conditions enable -LVRS := low-voltage reset enable -LVD2...LVD0 := low voltage detection threshold +p3.1 push pull enabled +B5 FF F7 BB BF +--> MCS4 bit 1 controls p3.1 push pull. low => quasi-bidi, high => push-pull -LVD2 LVD1 LVD0 value -0 0 0 setting 0 (e.g. 3.14V) -0 0 1 setting 1 (e.g. 3.28V) -0 1 0 setting 2 (e.g. 3.43V) -0 1 1 setting 3 (e.g. 3.61V) -1 0 0 setting 4 (e.g. 3.82V) -1 0 1 setting 5 (e.g. 4.05V) -1 1 0 unknown -1 1 1 unknown - -The exact voltages depend on MCU model. +bsl pindetect enabled +B5 FF F7 BB BF +--> somewhere else, MCSX bit 0. low => pindetect enabled, high => pindetect disabled. -MCS2 ----- +external oscillator enabled (IAP15F2K61S2) +9C 7F F7 BB 9E +--> MCS4 bit 0 controls external oscillator. low => use external crystal, high => use RC. -MSB 7 6 5 4 3 2 1 0 LSB - ~WDEN ~WDSTP WDPS2 WDPS1 WDPS0 - -~WDEN := watchdog enable after power-on-reset -~WDSTP := stop watchdog counter in idle mode -WDPS2...WDPS0 := watchdog counter prescaler - -WDPS2 WDPS1 WDPS0 divisior -0 0 0 2 -0 0 1 4 -0 1 0 8 -0 1 1 16 -1 0 0 32 -1 0 1 64 -1 1 0 128 -1 1 1 256 - -This is completely similar to STC12. - - -MCS3...MCS11 ------------- - -All bytes set to 0xff. - - -MCS12 ------ - -MSB 7 6 5 4 3 2 1 0 LSB - ~EREE ~BSLD - -~EREE := enable eeprom erase next time MCU is programmed -~BSLD := enable BSL pin detect; i.e. BSL is only enabled if P1.0/P1.1 - (or others, depends on MCU model) are held low on POR. - -This is like MCS3 of STC12. +external oscillator enabled + clock gain low (IAP15F2K61S2) +9C 7F F7 BB 9C +--> MCS 4 bit controls clock gain. high => high clock gain, low => low clock gain. 
diff --git a/doc/stc15-protocol.txt b/doc/stc15-protocol.txt index 742f334..85c44e8 100644 --- a/doc/stc15-protocol.txt +++ b/doc/stc15-protocol.txt 
@@ -1,92 +1,161 @@ -STC15 reverse engineering +STC15 protocol +============== -Note: so far only based on STC15F104E! +high level +---------- + +-> pulse +<- info packet + +-> freq challenges round 1 +<- freq responses + +-> freq challenges round 2 +<- freq responses + +-> baud switch +<- ack + +-> prepare +<- ack + +-> erase +<- ack + uid + +-> write first block +<- ack + +-> write block 2 +<- ack + +... + +-> write block n +<- ack + +-> option packet +<- ack -Basic differences between STC12 and STC15 +info packet +----------- -* Initial MCU response is an ack (0x80) packet. Host needs to respond - with the same ack and pulse 0x7f again, then MCU sends the info - packet. +6 MHz: +46 B9 68 00 2B 50 66 3C 93 BA F7 BB 9F 00 5B 68 00 FD 00 00 00 00 71 51 03 F2 D4 04 06 58 BA 02 2A 31 32 38 30 80 14 10 04 D9 0D 02 16 -* Frequency timings sent with info packet are different; the calculation - is the same but only four timings are sent, followed by two other - unknown timings and two zero words. +12 MHz: +46 B9 68 00 2B 50 66 3C 93 BA F7 BB 9F 00 B6 F5 80 FD 00 00 00 00 71 51 03 F2 D4 04 06 58 BA 02 2A 31 32 38 30 80 14 10 04 D9 0E 6A 16 -* A new handshake is used to tune the RC oscillator for a given - frequency. +33 MHz: +46 B9 68 00 2B 50 66 3C 93 BA F7 B9 9F 01 F7 C2 80 FD 00 00 00 00 71 51 03 F2 D4 04 06 58 BA 02 2A 31 32 38 30 80 14 10 04 D9 0E 77 16 -* The baudrate isn't changed with a complicated handshake, it is just - switched to with a 0x8e type packet. - This may be different on other MCUs that have a hardware UART. +30 MHz: +46 B9 68 00 2B 50 66 3C 93 BA F7 B9 9F 01 C9 9E 00 FD 7F FF FD FF 71 51 03 F2 D4 04 06 58 BA 02 2A 31 32 38 30 80 14 10 04 D9 11 1F 16 + ^^^^^ ^^^^^^^^^^^ + timer freq freq big endian + value in hz 32 bit value + ^^^^^^^^ ^^ + MCS2-4 MCSX + ^^ + factory calibration adjust for 24 MHz (range 0x40)? 
+ +IAP15F2K61S2: +external osc: +46 B9 68 00 2B 50 87 D3 75 9C F7 BB 9E 01 77 70 80 FD 06 57 00 00 71 53 00 F4 49 04 06 58 9C 02 0E 14 17 19 19 00 F4 F4 04 D2 0E 8A 16 + ^^^^^ + frequency count for external (1) -* Transfers use 64 bytes block size. - Possibly that's because the 15F104E only has 128 bytes RAM. It - might use bigger blocks on MCUs with more RAM. +(1) if external clock is active, frequency can be calculated like: +CLOCK = BAUD * COUNT + +internal 11.052 MHz: +46 B9 68 00 2B 50 87 D3 75 9C F7 BB 9F 00 A8 AD 40 FD 09 FE 00 00 71 53 00 F4 49 04 06 58 9C 02 0E 14 17 19 19 00 F4 F4 04 D2 0F 62 16 -* Position of many option bits has changed, and more bits are used. + +i.e. operating frequency is not sampled from host pulses! it's actually much more +convenient, it is simply returned as an integer value in hz. same for the wakeup +timer. + +baud switch packet +------------------ + +46 B9 6A 00 0E 01 8C 40 F6 FD F2 7C 83 05 29 16 + ^^^^^ ^^^^^ ^^ + (1) (2) (3) + ^^^^^ + prog calib. values +(1) baud value (65535 - clk / baud) (SW UART) + (65535 - clk / baud / 4) (HW UART) +(2) some timer value (65535 - (clk / baud) * 1.5) +(3) constant? IAP delay? -The RC oscillator calibration +trim challenge packet +--------------------- -Theory of operation: -* Host sends a sequence of challenges. These are values to be - programmed into an internal RC oscillator calibration register. -* Host sends 0x7f pulses -* MCU sends back responses, which are the runtime of the baudrate - timing counter (similar to the info packet) -* Host repeats this with finer trimmed challenge values. -* Host determines calibration value with the lowest error. -* Host sends baudrate switch packet -* Host sends option packet to program frequency after flash programming +two challenges are sent, UART seems to be used as clock reference -The STC software uses a fixed set of coarse grained trim values to -try. 
These are: +33.1 MHz @ 9600 bps: +-> 46 B9 6A 00 20 00 0B 00 C0 80 C0 FF C0 00 80 80 80 FF 80 00 40 80 40 FF 40 00 00 80 00 00 00 0A 12 16 92 92 92 92 -sequence clock (MHz) -0x1800 0x1880 0x1880 0x18ff [4, 7.5] -0x1880 0x18ff 0x5800 0x5880 (7.5, 10] -0x5800 0x5880 0x5880 0x58ff (10, 15] -0x5880 0x58ff 0x9800 0x9880 (15, 21] -0x9800 0x9880 0x9880 0x98ff (21, 31] -0xd800 0xd880 0xd880 0xd8b4 (31, 40] +4 MHz @ 9600 bps: +-> 46 B9 6A 00 20 00 0B 00 C0 80 C0 FF C0 00 80 80 80 FF 80 00 40 80 40 FF 40 00 00 80 00 00 00 0A 12 16 92 92 92 92 -In addition it sends a sequence for the programming speed: -0x5800 0x5880 for normal speed and 0x9800 0x9880 for high -speed programming. +6 MHz @ 9600 bps: +-> 46 B9 6A 00 20 00 0B 00 C0 80 C0 FF C0 00 80 80 80 FF 80 00 40 80 40 FF 40 00 00 80 00 00 00 0A 12 16 92 92 92 92 +<- 46 B9 68 00 20 00 0B 03 05 04 4F 05 9E 06 20 08 B9 0B 57 0C 60 11 6A 16 5B 13 5E 1A D4 00 00 05 91 16 -Then, by linear interpolation, it choses a suitable range of -fine-tuning trim values to try according to the counter values sent -by the MCU. +-> 46 B9 6A 00 20 00 0C B4 C0 B5 C0 B6 C0 B7 C0 B8 C0 B9 C0 8C 40 8D 40 8E 40 8F 40 90 40 91 40 0E 34 16 92 92 92 92 +<- 46 B9 68 00 20 00 0C 04 DB 04 DB 04 DB 04 E0 04 E5 04 E5 11 EC 11 F6 12 05 12 05 12 0F 12 14 08 60 16 -The programming speed trim value is only determined by linear -interpolation of the two trim challenges sent in the first round of -calibration. This seems to be good enough. 
+12 MHz @ 9600 bps: +-> 46 B9 6A 00 20 00 0B 00 C0 80 C0 FF C0 00 80 80 80 FF 80 00 40 80 40 FF 40 00 00 80 00 00 00 0A 12 16 92 92 92 92 +<- 46 B9 68 00 20 00 0B 03 05 04 4F 05 99 06 20 08 B4 0B 52 0C 65 11 6F 16 56 13 5E 1A D4 00 00 05 87 16 + +-> 46 B9 6A 00 20 00 0C B0 80 B1 80 B2 80 B3 80 B4 80 B5 80 8B 40 8C 40 8D 40 8E 40 8F 40 90 40 0C 96 16 92 92 92 92 +<- 46 B9 68 00 20 00 0C 09 B8 09 BD 09 C2 09 C7 09 C7 09 D1 11 DD 11 EC 11 FB 12 00 12 0A 12 0F 08 A6 16 + ^^^^^ + number of challenges used (here: 12) + +looks like two byte calibration values are used; second byte is the rough value, first byte is fine adjust +first round selects a rough range +second round refines inside that range and another (for programming speed) + +(CLOCK / (BAUD/2)) = COUNTER +=> CLOCK = COUNTER * (BAUD/2) + +the first packet always uses a fixed set of challenges. +first calibration byte of chosen frequency is stored in options. the second calibration byte is stored added together +with the value 0x3f in the next option byte. +a factory frequency value (24 MHz) is available in the info packet. +the calibration value for the programming frequency (always range 0x40) is transmitted with the baud change packet. -New packets host2mcu --------------------- +option packet +------------- -1. RC calibration challenge +46 B9 6A 00 49 04 00 00 FF FF FF 00 FF FF 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 FF 5B FF 68 FF 00 + ^^^^^^^^^^^^^^^^^^^^ + frequency in hz, with FF bytes inbetween -Payload: 0x65, T0, .., T6, 0xff, 0xff, 0x06, CNT, - TR00, TR01, 0x02, 0x00, - TR10, TR11, 0x02, 0x00, - ... +FF FD FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF B5 FF F7 BB 9F 3A 48 16 + ^ ^^^^^^^^^^^^^^ + MCSX MCS0-4 + -T0...T6 := trim constants, from info packet -CNT := number of calibration challenges (max 11) -TRxx := calibration challenge trim values +MCS bytes +--------- -2. 
Baudrate switch +### MCS0 -Payload: 0x8e, TR0, TR1, BDIV, 0xa1, 0x64, FC, - 0x00, IAP, 0x20, 0xff, 0x00 +RC calibration adjust -TR0, TR1 := trim value for programming frequency - (normal = 11.0592 MHz, highspeed = 22.1184 MHz) -BDIV := baud rate divider (normal: baud = 115200 / BDIV, highspeed: baud = 230400 / BDIV) -FC := some frequency constant, normal: 0xdc, highspeed: 0xb8 -IAP := IAP delay, normal: 0x83, highspeed: 0x81 +### MCS1 + +0x3f + RC calibration range (0x00, 0x40, 0x80, 0xc0) + +### MCS2 - MCS4 and MCSX + +See stc15-options.txt diff --git a/doc/stc15a-options.txt b/doc/stc15a-options.txt new file mode 100644 index 0000000..d0ee3ef --- /dev/null +++ b/doc/stc15a-options.txt 
@@ -0,0 +1,81 @@ +Model-specific configuration registers +Placement of configuration values + +"~" means the bit is a negated boolean. Sometimes values overlap, +depending on MCU model. + +In STC15 series, the first 13 MCS bytes have active values. Generally, +unused bits should be set to 1. + +MCS0 +---- + +MSB 7 6 5 4 3 2 1 0 LSB + RSPEN + +RSPEN := RESET pin enable + + +MCS1 +---- + +MSB 7 6 5 4 3 2 1 0 LSB + EEIH LVRS LVD2 LVD1 LVD0 + +EEIH := inhibit EEPROM writes in low-voltage conditions enable +LVRS := low-voltage reset enable +LVD2...LVD0 := low voltage detection threshold + +LVD2 LVD1 LVD0 value +0 0 0 setting 0 (e.g. 3.14V) +0 0 1 setting 1 (e.g. 3.28V) +0 1 0 setting 2 (e.g. 3.43V) +0 1 1 setting 3 (e.g. 3.61V) +1 0 0 setting 4 (e.g. 3.82V) +1 0 1 setting 5 (e.g. 4.05V) +1 1 0 unknown +1 1 1 unknown + +The exact voltages depend on MCU model. + + +MCS2 +---- + +MSB 7 6 5 4 3 2 1 0 LSB + ~WDEN ~WDSTP WDPS2 WDPS1 WDPS0 + +~WDEN := watchdog enable after power-on-reset +~WDSTP := stop watchdog counter in idle mode +WDPS2...WDPS0 := watchdog counter prescaler + +WDPS2 WDPS1 WDPS0 divisior +0 0 0 2 +0 0 1 4 +0 1 0 8 +0 1 1 16 +1 0 0 32 +1 0 1 64 +1 1 0 128 +1 1 1 256 + +This is completely similar to STC12. + + +MCS3...MCS11 +------------ + +All bytes set to 0xff. + + +MCS12 +----- + +MSB 7 6 5 4 3 2 1 0 LSB + ~EREE ~BSLD + +~EREE := enable eeprom erase next time MCU is programmed +~BSLD := enable BSL pin detect; i.e. BSL is only enabled if P1.0/P1.1 + (or others, depends on MCU model) are held low on POR. + +This is like MCS3 of STC12. diff --git a/doc/stc15a-protocol.txt b/doc/stc15a-protocol.txt new file mode 100644 index 0000000..53c97aa --- /dev/null +++ b/doc/stc15a-protocol.txt 
@@ -0,0 +1,91 @@ +STC15 reverse engineering + +Note: so far only based on STC15F104E! This protocol has been renamed ot STC15A. + +Basic differences between STC12 and STC15 + +* Initial MCU response is an ack (0x80) packet. Host needs to respond + with the same ack and pulse 0x7f again, then MCU sends the info + packet. + +* Frequency timings sent with info packet are different; the calculation + is the same but only four timings are sent, followed by two other + unknown timings and two zero words. + +* A new handshake is used to tune the RC oscillator for a given + frequency. + +* The baudrate isn't changed with a complicated handshake, it is just + switched to with a 0x8e type packet. + This may be different on other MCUs that have a hardware UART. + +* Transfers use 64 bytes block size. + Possibly that's because the 15F104E only has 128 bytes RAM. It + might use bigger blocks on MCUs with more RAM. + +* Position of many option bits has changed, and more bits are used. + + +The RC oscillator calibration + +Theory of operation: +* Host sends a sequence of challenges. These are values to be + programmed into an internal RC oscillator calibration register. +* Host sends 0x7f pulses +* MCU sends back responses, which are the runtime of the baudrate + timing counter (similar to the info packet) +* Host repeats this with finer trimmed challenge values. +* Host determines calibration value with the lowest error. +* Host sends baudrate switch packet +* Host sends option packet to program frequency after flash programming + +The STC software uses a fixed set of coarse grained trim values to +try. 
These are: + +sequence clock (MHz) +0x1800 0x1880 0x1880 0x18ff [4, 7.5] +0x1880 0x18ff 0x5800 0x5880 (7.5, 10] +0x5800 0x5880 0x5880 0x58ff (10, 15] +0x5880 0x58ff 0x9800 0x9880 (15, 21] +0x9800 0x9880 0x9880 0x98ff (21, 31] +0xd800 0xd880 0xd880 0xd8b4 (31, 40] + +In addition it sends a sequence for the programming speed: +0x5800 0x5880 for normal speed and 0x9800 0x9880 for high +speed programming. + +Then, by linear interpolation, it choses a suitable range of +fine-tuning trim values to try according to the counter values sent +by the MCU. + +The programming speed trim value is only determined by linear +interpolation of the two trim challenges sent in the first round of +calibration. This seems to be good enough. + + +New packets host2mcu +-------------------- + +1. RC calibration challenge + +Payload: 0x65, T0, .., T6, 0xff, 0xff, 0x06, CNT, + TR00, TR01, 0x02, 0x00, + TR10, TR11, 0x02, 0x00, + ... + +T0...T6 := trim constants, from info packet +CNT := number of calibration challenges (max 11) +TRxx := calibration challenge trim values + +2. Baudrate switch + +Payload: 0x8e, TR0, TR1, BDIV, 0xa1, 0x64, FC, + 0x00, IAP, 0x20, 0xff, 0x00 + +TR0, TR1 := trim value for programming frequency + (normal = 11.0592 MHz, highspeed = 22.1184 MHz) +BDIV := baud rate divider (normal: baud = 115200 / BDIV, highspeed: baud = 230400 / BDIV) +FC := some frequency constant, normal: 0xdc, highspeed: 0xb8 +IAP := IAP delay, normal: 0x83, highspeed: 0x81 + + diff --git a/doc/stc15l104w.txt b/doc/stc15l104w.txt new file mode 100644 index 0000000..3e945c4 --- /dev/null +++ b/doc/stc15l104w.txt 
@@ -0,0 +1,118 @@ +2015-11-20 01:39:38.554555: PC +7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F +7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F +7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F +7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F +7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F +7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F +7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F +7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F +7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F +7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F +7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F +7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F +7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F +2015-11-20 01:39:41.744739: MCU +46 B9 68 00 2B 50 66 3C 93 BA F7 BB 9F 00 5B 68 +00 FD 00 00 00 00 71 51 03 F2 D4 04 06 58 BA 02 +2A 31 32 38 30 80 14 10 04 D9 0D 02 16 +2015-11-20 01:39:41.839211: PC +46 B9 6A 00 20 00 0B 00 C0 80 C0 FF C0 00 80 80 +80 FF 80 00 40 80 40 FF 40 00 00 80 00 00 00 0A +12 16 92 92 92 92 +2015-11-20 01:39:41.932603: MCU +46 B9 68 00 20 00 0B 03 0A 04 4F 05 9E 06 20 08 +B9 0B 5C 0C 6A 11 7E 16 79 13 77 1A B1 00 00 05 +CD 16 +2015-11-20 01:39:41.975503: PC +46 B9 6A 00 20 00 0C B4 C0 B5 C0 B6 C0 B7 C0 B8 +C0 B9 C0 89 40 8A 40 8B 40 8C 40 8D 40 8E 40 0E +22 16 92 92 92 92 +2015-11-20 01:39:42.058079: MCU +46 B9 68 00 20 00 0C 04 D6 04 DB 04 E0 04 E0 04 +E0 04 E5 11 E2 11 F1 11 FB 12 05 12 0A 12 19 09 +41 16 +2015-11-20 01:39:42.106052: PC +46 B9 6A 00 0E 01 8C 40 F6 FD F2 7C 83 05 29 16 +2015-11-20 01:39:42.130699: MCU +46 B9 68 00 07 01 00 70 16 +2015-11-20 01:39:42.355652: PC +46 B9 6A 00 07 05 00 76 16 +2015-11-20 01:39:42.369748: MCU +46 B9 68 00 07 05 00 74 16 +2015-11-20 01:39:42.385566: PC +46 B9 6A 00 08 03 00 00 75 16 +2015-11-20 01:39:42.762099: MCU +46 B9 68 00 0E 03 0C 00 00 17 01 A0 E0 02 1D 16 +2015-11-20 01:39:42.793627: PC +46 B9 6A 00 49 22 00 00 02 00 08 12 00 3F 80 FE +75 81 07 12 00 4C E5 82 60 03 02 00 03 E4 78 FF +F6 D8 FD 02 00 03 AE 82 AF 83 8E 
04 8F 05 1E BE +FF 01 1F EC 4D 60 0F 7C 90 7D 01 1C BC FF 01 1D +EC 4D 70 F7 80 E4 22 90 1A 63 16 +2015-11-20 01:39:42.898503: MCU +46 B9 68 00 08 02 54 00 C6 16 +2015-11-20 01:39:42.915747: PC +46 B9 6A 00 49 02 00 40 03 E8 12 00 1E E5 80 F4 +F5 80 80 F3 75 82 00 22 00 00 00 00 00 00 00 00 +00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +00 00 00 00 00 00 00 00 08 6A 16 +2015-11-20 01:39:43.020455: MCU +46 B9 68 00 08 02 54 00 C6 16 +2015-11-20 01:39:43.036976: PC +46 B9 6A 00 49 02 00 80 00 00 00 00 00 00 00 00 +00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +00 00 00 00 00 00 00 00 01 35 16 +2015-11-20 01:39:43.142916: MCU +46 B9 68 00 08 02 54 00 C6 16 +2015-11-20 01:39:43.159889: PC +46 B9 6A 00 49 02 00 C0 00 00 00 00 00 00 00 00 +00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +00 00 00 00 00 00 00 00 01 75 16 +2015-11-20 01:39:43.249802: MCU +46 B9 68 00 08 02 54 00 C6 16 +2015-11-20 01:39:43.266503: PC +46 B9 6A 00 49 02 01 00 00 00 00 00 00 00 00 00 +00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +00 00 00 00 00 00 00 00 00 B6 16 +2015-11-20 01:39:43.366446: MCU +46 B9 68 00 08 02 54 00 C6 16 +2015-11-20 01:39:43.383638: PC +46 B9 6A 00 49 02 01 40 00 00 00 00 00 00 00 00 +00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +00 00 00 00 00 00 00 00 00 F6 16 +2015-11-20 01:39:43.477298: MCU +46 B9 68 00 08 02 54 00 C6 16 +2015-11-20 01:39:43.494433: PC +46 B9 6A 00 49 02 01 80 00 00 00 00 00 00 00 00 +00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 +00 00 00 00 00 00 00 00 01 36 16 +2015-11-20 01:39:43.600474: MCU +46 B9 68 00 08 02 54 00 C6 16 +2015-11-20 01:39:43.617482: PC +46 B9 6A 00 49 02 01 C0 00 00 00 00 00 00 00 00 +00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +00 00 00 00 00 00 00 00 01 76 16 +2015-11-20 01:39:43.721087: MCU +46 B9 68 00 08 02 54 00 C6 16 +2015-11-20 01:39:43.746765: PC +46 B9 6A 00 49 04 00 00 FF FF FF 00 FF FF 00 FF +FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 +FF 5B FF 68 FF 00 FF FD FF FF FF FF FF FF FF FF +FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF +FF FF FF B6 FF F7 BB 9F 3A 49 16 +2015-11-20 01:39:43.863822: MCU +46 B9 68 00 08 04 54 00 C8 16 \ No newline at end of file
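Review bot: in the stc15-options.txt hunk, the bit numbers annotated for the two p3.1 settings do not match the dumped bytes. Against the baseline MCS4 value 9F, "p3.1 passthrough from p3.0 enabled" dumps DF (bit 6 set) but the comment says "MCS4 bit 2 controls the p3.1 passthrough", and "p3.1 push pull enabled" dumps BF (bit 5 set) but the comment says "MCS4 bit 1 controls p3.1 push pull"; the other annotations (bit 7 POR delay, bit 4 reset pin, bit 3 p3.3 state, bit 0 external oscillator) agree with the bytes, so please recheck these two. In the same hunk, "bsl pindetect enabled" repeats the push-pull row (B5 FF F7 BB BF) while the comment places the bit in MCSX, and "erase eeprom next programming" likewise points to MCSX, yet no row includes the MCSX byte; dumping MCSX alongside MCS0-4 would make both claims verifiable from the file. Finally, "MCS 4 bit controls clock gain" is missing the bit number (9E versus 9C is bit 1), and the three LVD rows already fix part of the "exact mapping not yet clear" question: bits 0-2 = 010 gives 2.61 V, 001 gives 2.82 V, 000 gives 3.08 V.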
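Review bot: in the stc15-protocol.txt hunk the two clock formulas differ by a factor of two and the text should say which applies where: under the IAP15F2K61S2 info packet it reads "CLOCK = BAUD * COUNT", under the trim challenge responses it reads "CLOCK = COUNTER * (BAUD/2)". The trim formula checks out against the dumps (12 MHz round two: 09 B8 = 2488, times 4800 is about 11.94 MHz; 6 MHz: 04 DB = 1243, about 5.97 MHz), so if the info packet count really uses a different scale, say so explicitly. The baud switch formula "(2) some timer value (65535 - (clk / baud) * 1.5)" fits the STC15L104W packet (F6 FD gives 2306 for (1), F2 7C gives 3459 for (2), close to 1.5 times that) but not the IAP15F2K61S2 baud switch packet in the new dump, where the same field is 80 72 (65535 - 0x8072 = 32653) while (1) is FD C0 = 575; mark (2) as SW UART only or leave it open the way (3) is. The "33.1 MHz @ 9600 bps" and "4 MHz @ 9600 bps" entries list only the first challenge packet with no response and no second round, unlike the 6 and 12 MHz entries; either complete them or drop them. Two smaller points: "(3) constant? IAP delay?" can cite stc15a-protocol.txt, whose baud switch description already names that byte as the IAP delay with 0x83 normal and 0x81 highspeed, and the two new dumps show exactly those values (83 for the STC15L104W, 81 for the IAP15F2K61S2); and the "### MCS0" headings use markdown style where the rest of the file uses underlined headings.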
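Review bot: the stc15a-options.txt hunk adds a byte-for-byte copy of the previous stc15-options.txt (both carry blob d0ee3ef, as the index lines show), so this is a rename rather than new content; doing it as git mv stc15-options.txt stc15a-options.txt and then editing the rewritten stc15-options.txt keeps the history of the original notes attached to the file that preserves them, and the same applies to stc15a-protocol.txt. The copied text still opens with "In STC15 series, the first 13 MCS bytes have active values", which after the split should say STC15A so it is not read as describing the new STC15 layout, and "divisior" in the prescaler table should be "divisor".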
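Review bot: typo in the stc15a-protocol.txt hunk: "This protocol has been renamed ot STC15A." should read "renamed to STC15A". The file also ends with two empty added lines after the IAP delay line; trim them.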
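Review bot: the stc15l104w.txt hunk ends with "\ No newline at end of file"; add the trailing newline so the dump matches the other doc files and later diffs against it stay clean.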