Restructure documentation

Move all extra documentation files into doc/ and move reverse
engineering related notes to a separate directory, to keep things tidy.
Grigori Goronzy
2018-09-04 00:31:43 +02:00
parent 71d7257422
commit ccd4b1e26b
29 changed files with 4 additions and 4 deletions


@ -0,0 +1,40 @@
#!/usr/bin/env python3
# This curious script dumps all model info from STC-ISP.
# Data is directly read from the binary.
# Offsets are for stc-isp-15xx-v6.86O.exe, sha1sum f70e317d758ef8c942613a8b0540147d7170589b
MCU_TABLE_OFFSET = 0x0006ac80
MCU_TABLE_SIZE = 984
MCU_RECORD_SIZE = 32
MCU_NAMES_OFFSET = 0x00087810
MCU_NAMES_PTR_OFFSET = 0x00487810
import struct
import sys
inp = open(sys.argv[1], "rb")
for i in range(MCU_TABLE_SIZE):
mcu_record_offset = MCU_TABLE_OFFSET + MCU_RECORD_SIZE * i
inp.seek(mcu_record_offset)
mcu_record = inp.read(MCU_RECORD_SIZE)
flags, name_ptr, mcu_id, code_size, ee_size, _, total_size, _ = struct.unpack("<8I", mcu_record)
mcu_id &= 0xffff
mcu_name_offset = MCU_NAMES_OFFSET + (name_ptr - MCU_NAMES_PTR_OFFSET)
inp.seek(mcu_name_offset)
name_str = inp.read(16).split(b'\00')[0].decode("ascii")
# TODO: With some MCUs, the amount of available EEPROM depends on the BSL version.
# Generally, newer BSLs free up a KB of additional EEPROM. Currently, always the
# maximum amount (with newer BSL) is reported.
# STC12x54xx always have 12 KB eeprom
if name_str.startswith("STC12C54") or name_str.startswith("STC12LE54"):
ee_size = 12 * 1024
print("MCUModel(name='%s', magic=0x%02x%02x, total=%d, code=%d, eeprom=%d)," %
(name_str, mcu_id >> 8, mcu_id & 0xff, total_size, code_size, ee_size))
inp.close()
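Review bot: the sha1sum in the header comment is never checked, so running this script against any other STC-ISP build silently applies the 6.86O offsets to the wrong bytes and prints plausible-looking `MCUModel(...)` lines (or dies inside `struct.unpack` / `.decode("ascii")`). Hash the input with `hashlib.sha1` before the loop and abort on mismatch, and check that `name_ptr - MCU_NAMES_PTR_OFFSET` is non-negative and inside the file before seeking, since a stale pointer otherwise reads a name from an arbitrary offset. `MCU_TABLE_SIZE = 984` is as version-specific as the offsets and belongs in the same header comment. Minor: `with open(sys.argv[1], "rb") as inp:` closes the handle on the error paths too, and a usage message for a missing `sys.argv[1]` is cheaper than the traceback.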

Binary file not shown.


@ -0,0 +1,116 @@
2015-11-22 07:09:10.387121: PC
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F
2015-11-22 07:09:14.705892: MCU
46 B9 68 00 2B 50 87 D3 75 9C F5 3B 17 FF FF FF
FF FF 09 81 00 00 71 53 00 F4 49 04 06 58 9C 02
0E 14 17 19 19 00 F4 F4 04 D2 10 44 16
2015-11-22 07:09:14.834040: PC
46 B9 6A 00 20 00 0B 00 C0 80 C0 FF C0 00 80 80
80 FF 80 00 40 80 40 FF 40 00 00 80 00 00 00 0A
12 16 FE FE FE FE FE FE FE FE FE FE FE
2015-11-22 07:09:15.033876: MCU
46 B9 68 00 20 00 0B 03 37 04 9A 06 02 06 6B 09
27 0B E8 0D 0A 12 5A 17 9B 14 8F 1C 96 00 00 05
91 16
2015-11-22 07:09:15.076930: PC
46 B9 6A 00 20 00 0C 75 80 76 80 77 80 78 80 79
80 7A 80 74 40 75 40 76 40 77 40 78 40 79 40 0A
AA 16 FE FE FE FE FE FE FE FE FE FE FE FE
2015-11-22 07:09:15.283813: MCU
46 B9 68 00 20 00 0C 09 04 09 09 09 0E 09 0E 09
18 09 1D 12 00 12 0F 12 19 12 23 12 2D 12 37 02
43 16
2015-11-22 07:09:15.326972: PC
46 B9 6A 00 20 00 0C 70 80 71 80 72 80 73 80 74
80 75 80 74 40 75 40 76 40 77 40 78 40 79 40 0A
8C 16 FE FE FE FE FE FE FE FE FE FE FE FE
2015-11-22 07:09:15.533848: MCU
46 B9 68 00 20 00 0C 08 E1 08 EB 08 F5 08 FA 08
FF 09 04 12 00 12 0A 12 19 12 23 12 2D 12 37 06
99 16
2015-11-22 07:09:15.602052: PC
46 B9 6A 00 0E 01 74 40 FD C0 80 72 81 04 5D 16
2015-11-22 07:09:15.625739: MCU
46 B9 68 00 07 01 00 70 16
2015-11-22 07:09:15.663175: PC
46 B9 6A 00 07 05 00 76 16
2015-11-22 07:09:15.677251: MCU
46 B9 68 00 07 05 00 74 16
2015-11-22 07:09:15.706149: PC
46 B9 6A 00 08 03 00 00 75 16
2015-11-22 07:09:19.156240: MCU
46 B9 68 00 0E 03 0D 00 00 21 02 26 32 01 01 16
2015-11-22 07:09:19.194154: PC
46 B9 6A 00 89 22 00 00 02 00 08 12 00 3F 80 FE
75 81 07 12 00 4C E5 82 60 03 02 00 03 E4 78 FF
F6 D8 FD 02 00 03 AE 82 AF 83 8E 04 8F 05 1E BE
FF 01 1F EC 4D 60 0F 7C 90 7D 01 1C BC FF 01 1D
EC 4D 70 F7 80 E4 22 90 03 E8 12 00 1E E5 80 F4
F5 80 80 F3 75 82 00 22 FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF 51 E8 16
2015-11-22 07:09:19.366679: MCU
46 B9 68 00 08 02 54 00 C6 16
2015-11-22 07:09:19.383521: PC
46 B9 6A 00 89 02 00 80 FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF 80 F5 16
2015-11-22 07:09:19.566903: MCU
46 B9 68 00 08 02 54 00 C6 16
2015-11-22 07:09:19.583260: PC
46 B9 6A 00 89 02 01 00 FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF 80 76 16
2015-11-22 07:09:19.776710: MCU
46 B9 68 00 08 02 54 00 C6 16
2015-11-22 07:09:19.793705: PC
46 B9 6A 00 89 02 01 80 FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF 80 F6 16
2015-11-22 07:09:19.972466: MCU
46 B9 68 00 08 02 54 00 C6 16
2015-11-22 07:09:20.007204: PC
46 B9 6A 00 49 04 00 00 FF FF FF 00 FF FF 00 FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 00
FF A8 FF AD FF 40 FF FD 03 FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF 74 BF F7 BB 9F 38 9E 16
2015-11-22 07:09:20.132323: MCU
46 B9 68 00 08 04 54 00 C8 16
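Review bot: this capture has no header, unlike the 2014 traces in the same directory, which start with `MCU:`, `Data:`, `Handshake:`, `Transfer:` and `Clock:` lines; without one the reader cannot tell which STC15 part answered or at what rate. A header plus two lines of commentary would make the file self-explanatory: the type 0x01 frame is the baud switch, the `46 B9 6A 00 07 05 00 76 16` frame before the type 0x03 erase is the password check that the STC15 MCS notes describe, the erase reply `0E 03 0D 00 00 21 02 26 32 01 01` carries the UID, and the first write block uses type 0x22 while the following ones use 0x02. Also worth recording: the option frame here is `49 04 00 00 FF FF FF 00 ...`, while the one quoted in the STC15 MCS notes is `4B 04 00 00 5A A5 FF FF FF 00 ...` (two bytes longer, with `5A A5` after the header), so the two captures come from different BSL or STC-ISP versions and the file should say which.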


@ -0,0 +1,82 @@
Analysis of STC-ISP 6.63 for MCU database
The executable obviously contains a table with MCU data.
It can be easily found because we already know some MCU IDs.
I assume the BSL is actually stored in a (protected) area of the flash memory.
That is why STC MCUs have these odd user accessible memory sizes. With BSL 6.x,
it looks like the uppermost 3 KB are reserved on regular controllers, and 2 KB
on IAP controllers.
D364 (STC11F08XE)
00050990 c1 48 00 00 4c 3f 46 00 64 d3 00 00 00 20 00 00 |.H..L?F.d.... ..|
^ ^ MCU ID ^ code flash size (32 bit le)
^ pointer to name string
^ feature flags?
NOTE: the upper word of the mcu id actually contains something else for STC12C54xx
series, and the eeprom size is broken.
000509a0 00 d8 00 00 00 00 00 00 00 00 01 00 00 00 00 00 |................|
^ total flash size (incl. reserved space)
(32 bit le)
^ eeprom size (32 bit le)
doesn't really add up with datasheet, but
it *does* add up with the amount of total flash minus bsl!
parts without eeprom have zero here
apparently we need to subtract 1 KB
D3E4 (STC11L08XE)
00051090 c0 48 00 00 ac 3c 46 00 e4 d3 00 00 00 20 00 00 |.H...<F...... ..|
000510a0 00 d8 00 00 00 00 00 00 00 00 01 00 00 00 00 00 |................|
D344 (STC11F08X)
00050ab0 c1 48 00 00 e0 3e 46 00 44 d3 00 00 00 20 00 00 |.H...>F.D.... ..|
00050ac0 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 |................|
D17E (STC12C5A60S2)
0004ec30 81 08 00 00 e8 4b 46 00 7e d1 00 00 00 f0 00 00 |.....KF.~.......|
0004ec40 00 08 00 00 00 00 00 00 00 00 01 00 00 00 00 00 |................|
E202 (STC11F02)
00050510 c1 68 00 00 fc 40 46 00 02 e2 00 00 00 08 00 00 |.h...@F.........|
00050520 00 00 00 00 00 00 00 00 00 20 00 00 00 00 00 00 |......... ......|
E222 (STC11F02E)
00050470 c1 68 00 00 38 41 46 00 22 e2 00 00 00 08 00 00 |.h..8AF.".......|
00050480 00 10 00 00 00 00 00 00 00 20 00 00 00 00 00 00 |......... ......|
F110 (STC89C516RD+)
00053350 01 cc 00 00 c8 2d 46 00 10 f1 00 00 00 f8 00 00 |.....-F.........|
00053360 00 00 00 00 00 f8 00 00 00 00 01 00 00 00 00 00 |................|
^ the old STC89 controllers use this field,
which is empty for the others.
always seems to be equal to code flash size.
F401 (STC15F2K08S2)
0004e270 d1 05 03 00 68 4f 46 00 01 f4 00 00 00 20 00 00 |....hOF...... ..|
0004e280 00 d4 00 00 00 00 00 00 00 00 01 00 07 00 00 00 |................|
^ some new 15 series
extra data, not sure
what it is
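Review bot: the title pins these addresses to STC-ISP 6.63, but dump-mcu-info.py in the same directory hardcodes the table for 6.86O (record table at 0x0006ac80, names at 0x00087810), and nothing in either file says that the record layout is shared while the addresses are not; a reader who pastes 0x00050990 into the script gets nothing useful. The caret annotations under the hex dumps also no longer line up in plain text (three carets on one line under the D364 record), so give the field offsets numerically instead: they are exactly the eight little-endian dwords the script unpacks, offset 0 flags, 4 name pointer, 8 MCU id, 12 code flash size, 16 eeprom size, 20 the STC89-only size field, 24 total flash size and 28 the STC15 extra word. Two cross-references would save the next reader re-deriving things: the NOTE about the upper word of the MCU id on STC12C54xx is why the script does `mcu_id &= 0xffff`, and the "subtract 1 KB" remark is what the script's TODO about BSL-dependent EEPROM size refers to.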


@ -0,0 +1,100 @@
MCU: STC11F08XE
Data: hello.bin
Handshake: 9600
Transfer: 9600
Clock: 20 MHz
2014-01-06 17:13:42.017505: host2mcu
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F
2014-01-06 17:13:42.315631: mcu2host
46 B9 68 00 39 50 04 BC 04 BD 04 BD 04 BC 04 BC
04 BD 04 BC 04 BC 65 4C 00 D3 64 8C BF 7F F7 FF
FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 6B 0B D3 00 6A 82 80 11 4F 16
2014-01-06 17:13:42.455472: host2mcu
46 B9 6A 00 0D 50 00 00 36 01 D3 64 02 35 16
2014-01-06 17:13:42.479849: mcu2host
46 B9 68 00 07 8F 00 FE 16
2014-01-06 17:13:42.504527: host2mcu
46 B9 6A 00 0D 8F C0 7E 3F FE A0 83 04 A4 16
2014-01-06 17:13:42.768346: mcu2host
46 B9 68 00 0E 8F C0 7E 3F FE A0 83 04 04 A7 16
2014-01-06 17:13:42.987584: host2mcu
46 B9 6A 00 0C 8E C0 7E 3F FE A0 04 1F 16
2014-01-06 17:13:43.244111: mcu2host
46 B9 68 00 0D 84 C0 7E 3F FE A0 04 04 18 16
2014-01-06 17:13:43.286557: host2mcu
46 B9 6A 00 8C 84 00 00 02 00 00 20 00 00 00 00
00 00 00 00 00 00 00 00 80 7F 7E 7D 7C 7B 7A 79
78 77 76 75 74 73 72 71 70 6F 6E 6D 6C 6B 6A 69
68 67 66 65 64 63 62 61 60 5F 5E 5D 5C 5B 5A 59
58 57 56 55 54 53 52 51 50 4F 4E 4D 4C 4B 4A 49
48 47 46 45 44 43 42 41 40 3F 3E 3D 3C 3B 3A 39
38 37 36 35 34 33 32 31 30 2F 2E 2D 2C 2B 2A 29
28 27 26 25 24 23 22 21 20 1F 1E 1D 1C 1B 1A 19
18 17 16 15 14 13 12 11 10 0F 0E 21 81 16
2014-01-06 17:13:43.718954: mcu2host
46 B9 68 00 0E 00 00 08 00 8E 00 A8 2E 01 E2 16
2014-01-06 17:13:43.758507: host2mcu
46 B9 6A 00 8D 00 00 00 00 00 00 80 02 00 08 12
00 3F 80 FE 75 81 07 12 00 4C E5 82 60 03 02 00
03 E4 78 FF F6 D8 FD 02 00 03 AE 82 AF 83 8E 04
8F 05 1E BE FF 01 1F EC 4D 60 0F 7C 90 7D 01 1C
BC FF 01 1D EC 4D 70 F7 80 E4 22 90 03 E8 12 00
1E E5 80 F4 F5 80 80 F3 75 82 00 22 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 22 7A 16
2014-01-06 17:13:44.050030: mcu2host
46 B9 68 00 08 00 03 00 73 16
2014-01-06 17:13:44.063502: host2mcu
46 B9 6A 00 8D 00 00 00 00 80 00 80 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 01 F7 16
2014-01-06 17:13:44.261910: mcu2host
46 B9 68 00 08 00 00 00 70 16
2014-01-06 17:13:44.279527: host2mcu
46 B9 6A 00 8D 00 00 00 01 00 00 80 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 01 78 16
2014-01-06 17:13:44.486933: mcu2host
46 B9 68 00 08 00 00 00 70 16
2014-01-06 17:13:44.503472: host2mcu
46 B9 6A 00 8D 00 00 00 01 80 00 80 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 01 F8 16
2014-01-06 17:13:44.698788: mcu2host
46 B9 68 00 08 00 00 00 70 16
2014-01-06 17:13:44.716462: host2mcu
46 B9 6A 00 0D 69 00 00 36 01 D3 64 02 4E 16
2014-01-06 17:13:44.755837: mcu2host
46 B9 68 00 07 8D 00 FC 16
2014-01-06 17:13:44.786562: host2mcu
46 B9 6A 00 1B 8D BF 7F F7 FF FF FF FF FF FF FF
FF FF FF FF FF FF 01 30 9A 92 11 97 16
2014-01-06 17:13:44.843366: mcu2host
46 B9 68 00 24 50 BF 7F F7 FF FF 03 FF 65 4C BF
7F F7 FF FF FF FF 01 00 6B 0B D3 00 6A 82 80 00
00 00 00 0F A9 16
2014-01-06 17:13:44.968518: host2mcu
46 B9 6A 00 07 82 00 F3 16
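Review bot: a few lines of commentary under the header would let this trace be read without the protocol notes open beside it, because it is the concrete instance of them: the info frame carries `65 4C 00 D3 64 8C`, i.e. BSL version 6.5L and MCU id D364 (the STC11F08XE entry in the MCU database notes); the erase reply `46 B9 68 00 0E 00 00 08 00 8E 00 A8 2E 01 E2 16` is the `0x00` plus 7-byte UID form of the erase acknowledge; the erase request asks for `blks` = 2 and `size` = 0x20 (32 blocks of 256 bytes = 8 KB, the code size recorded for D364) and is followed by exactly the four 128-byte write blocks the protocol notes mention; and the trailing `01 30 9A 92` of the 0x8D options frame is 0x01309A92 = 19962514 Hz, which is the measured clock matching the `Clock: 20 MHz` header.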


@ -0,0 +1,70 @@
Model-specific configuration registers
Placement of configuration values
"~" means the bit is a negated boolean. Sometimes values overlap,
depending on MCU model.
In STC10/11/12 series, the first 4 MCS bytes have active
values. Generally, unused bits should be set to 1.
MCS0
----
MSB 7 6 5 4 3 2 1 0 LSB
~RS2LV OSC1 OSC0 RSPEN
~LVD
RSPEN := RESET pin enable
~RS2LV := RESET2 pin low voltage detect enable
~LVD := low voltage detect enable
OSC0, OSC1 := oscillator stabilization delay
OSC1 OSC0 delay
0 0 4096
0 1 8192
1 0 16384
1 1 32768
MCS1
----
MSB 7 6 5 4 3 2 1 0 LSB
~PORD OSCG CLKSRC
~PORD := power-on-reset (POR) delay (0 = long, 1 = short)
OSCG := high oscillator gain
CLKSRC := clock source (0 = internal RC, 1 = external crystal)
MCS2
----
MSB 7 6 5 4 3 2 1 0 LSB
~WDEN ~WDSTP WDPS2 WDPS1 WDPS0
~WDEN := watchdog enable after power-on-reset
~WDSTP := stop watchdog counter in idle mode
WDPS2...WDPS0 := watchdog counter prescaler
WDPS2 WDPS1 WDPS0 divisior
0 0 0 2
0 0 1 4
0 1 0 8
0 1 1 16
1 0 0 32
1 0 1 64
1 1 0 128
1 1 1 256
MCS3
----
MSB 7 6 5 4 3 2 1 0 LSB
~EREE ~BSLD
~EREE := enable eeprom erase next time MCU is programmed
~BSLD := enable BSL pin detect; i.e. BSL is only enabled if P1.0/P1.1
(or others, depends on MCU model) are held low on POR.
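Review bot: the bit-position tables do not survive as plain text. Under `MSB 7 6 5 4 3 2 1 0 LSB` the row `~RS2LV OSC1 OSC0 RSPEN` with `~LVD` on the next line gives no way to tell which of bits 7..0 each field occupies, and the same applies to MCS1, MCS2 and MCS3. List the fields as `bit N: NAME` (or a fixed-width table with one column per bit) so the layout does not depend on whitespace alignment. Typo in the prescaler table header: `divisior` should be `divisor`.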


@ -0,0 +1,186 @@
STC10/11/12 reverse engineering
Initialisation/Synchronisation
------------------------------
Send a constant stream of 0x7f bytes, and wait for an initial response
by the MCU.
Basic frame format
------------------
M0 M1 DR L0 L1 D0 ... Dn C0 C1 ME
M0 := 0x46
M1 := 0xb9
DR := 0x6a if host2mcu else 0x68
L := 16 bit big endian packet length, counted from DR to ME
C := 16 big endian modular sum from DR to Dn
ME := 0x16
D0..Dn is the packet payload
In most cases, the first byte of the payload marks the type of packet
or type of command. Responses by the MCU often use this type to tell
the programmer software which kind of command should follow. For
instance, after the baudrate handshake, the MCU replies with a
type 0x84 packet, and 0x84 is used for "erase" command packets from
the host.
Fun fact: The start marker (0x46, 0xb9) interpreted as UTF-16 is the
Unicode character U+46B9, which is an unusual CJK ideograph (䚹)
which translates as "to prepare" or "all ready" into English. How
fitting! This might not be a coincidence.
Packets host2mcu
----------------
1. Initiate baudrate handshake
Payload: 0x50, 0x07, 0x00, 0x36, 0x01, ID0, ID1
^ is 0x00 with current STC software and 11F08XE, what gives?
ID0 = MCU ID, byte 1
ID1 = MCU ID, byte 2
2. Test baudrate setting
Payload: 0x8f, 0xc0, brt, 0x3f, brt_csum, delay, iap
brt := MCU baudrate timer compare
brt_csum := (2 * (256 - brt)) & 0xff
delay := delay after baudrate change (0x40 seems to be fine),
STC software always seems to use 0xa0
iap := MCU IAP wait state register value
3. Switch to baudrate setting
Payload: 0x8e, 0xc0, brt, 0x3f, brt_csum, delay, iap
^ current STC software *omits* this here!
Almost the same as the test packet.
4. Erase flash memory
Payload: 0x84, 0xff, 0x00, blks, 0x00, 0x00, size,
^ no idea what that is for, current STC software uses 0x00
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00,
0x80, ..., 0x0e
blks := 256 byte blocks to clear
size := total number of 256 byte blocks (size of flash memory)
The 0x80..0x0e sequence seems to be some kind of magic code
to stop flaky connections and the like from erasing the flash
by accident.
"size" specifies the number of flash memory blocks. if blks > size,
eeprom will be erased.
Note that while erase size is specified in 256 byte blocks, the IAP
memory actually has 512 bytes physical erase block size, and the BSL
expects 512 byte aligned erase commands!
5. Program flash memory
Payload: 0x00, 0x00, 0x00, addr0, addr1, size0, size1, D0, ..., Dn
addr0, addr1 := big-endian 16 bit address
size0, size1 := big-endian 16 bit block size, always 128
D0...Dn := block data
Current STC software always seems to write at least 4 128 byte blocks
for some reason. Data is zero-padded.
Current STC software always writes a sequential set of memory. Since
flash and eeprom are essentially the same, any free space between
flash to be written and eeprom to be written is padded with zeros,
and then the whole batch is sent at once.
6. Finish flash programming
Payload: 0x69, 0x00, 0x00, 0x36, 0x01, ID0, ID1
^ kSTC-ISP uses 0x07
This should be sent after all flash programming is done. I am not
entirely sure why, though. Programming also works without it.
7. Set options
Payload: 0x8d, MS0, ..., MS15, CLK0, CLK1, CLK2, CLK3
MS0...MS15 := configuration registers specific to MCU model,
not documented here.
CLK0...CLK3 := 32 bit big endian measured clock, in Hz
8. Reset MCU
Payload: 0x82
Packets mcu2host
----------------
1. Info packet
Payload: 0x50, SYNC00, SYNC01, ..., SYNC70, SYNC71,
V1, V2, 0x00, ID0, ID1, 0x8c,
MS0, ..., MS7,
UID0, ..., UID6,
unknown bytes follow
SYNC* := sequence of 8 16-bit big-endian counter values, recorded
from the initial 0x7f sync sequence. this can be used to
determine the MCU clock frequency.
V1 := version number, two digits packed BCD.
V2 := stepping, one ASCII character.
ID0 := MCU model ID, byte 1
ID1 := MCU model ID, byte 2
UID0...UID6 := 7 bytes of unique id
UID is only sent by some BSL versions, others send zero bytes.
2. Acknowledge baudrate handshake start
Payload: 0x8f
This means the programming software should erase the flash memory as
the next step.
3. Acknowledge baudrate test
Payload: request packet payload with some pad byte appended to payload
4. Acknowledge baudrate switch
Payload: request packet payload with some pad byte appended to payload, and
first payload byte changed to 0x84
5. Acknowledge erase
Payload: 0x00, [UID0, ..., UID6]
The UID is optional, not sent by all BSL versions.
6. Acknowledge block write
Payload: 0x00, csum
csum := 8 bit modular sum of flash block data
7. Acknowledge finish flash writing
Payload: 0x8d
This means the programming software should set options as the next
step.
8. Acknowledge set options
Payload: 0x50, MS0, ..., MS4, 0x03, 0xff, V1, V2, MS0, ..., MS7,
UID0, ..., UID6,
unknown bytes follow
Some of the model-specific bytes are repeated twice (MS0-MS4).
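Review bot: the mcu2host section contradicts the packet order given earlier in the same file. Under "2. Acknowledge baudrate handshake start" the `0x8f` reply is said to mean the host "should erase the flash memory as the next step", but the frame-format section says it is the `0x84` reply that precedes erase, and both the STC11F08XE and STC12C5A60S2 traces confirm it: after `46 B9 68 00 07 8F 00 FE 16` the host sends the `0x8f` baudrate test, then `0x8e`, and the erase goes out only after the MCU's `0x84` reply. That sentence should say the host sends the baudrate test next. Two smaller points in the frame section: `C := 16 big endian modular sum` is missing "bit" (the definition itself checks out against the traces, `68 00 07 8F` sums to 0x00FE and `6A 00 07 82` to 0x00F3), and the `brt_csum` formula yields 0x04 for `brt` = 0x7e, yet every captured baudrate-test frame carries 0xfe in that position (`8F C0 7E 3F FE A0 83`, and again 0xfe for `brt` = 0x79 in the STC12A capture), so either the formula or the field order needs rechecking.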


@ -0,0 +1,61 @@
Model-specific configuration registers
Placement of configuration values
"~" means the bit is a negated boolean. Sometimes values overlap,
depending on MCU model.
In STC12A series, the first 7 MCS bytes have active
values. Generally, unused bits should be set to 1.
MCS0
----
MSB 7 6 5 4 3 2 1 0 LSB
CLKSRC
CLKSRC := clock source (0 = internal RC, 1 = external crystal)
MCS1
----
MSB 7 6 5 4 3 2 1 0 LSB
~WDEN ~WDSTP WDPS2 WDPS1 WDPS0
~WDEN := watchdog enable after power-on-reset
~WDSTP := stop watchdog counter in idle mode
WDPS2 WDPS1 WDPS0 divisior
0 0 0 2
0 0 1 4
0 1 0 8
0 1 1 16
1 0 0 32
1 0 1 64
1 1 0 128
1 1 1 256
MCS2
----
MSB 7 6 5 4 3 2 1 0 LSB
~EERE ~BSLD
~EREE := enable eeprom erase next time MCU is programmed
~BSLD := enable BSL pin detect; i.e. BSL is only enabled if P1.0/P1.1
(or others, depends on MCU model) are held low on POR.
MCS3 (at index 6!)
------------------
MSB 7 6 5 4 3 2 1 0 LSB
LVD
LVD := low voltage detection threshold
LVD threshold
0 3.7V
1 3.3V
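Review bot: the MCS2 bit row labels the field `~EERE` while the definition on the next line and the STC10/11/12 file both call it `~EREE`, so the row is the typo. Same `divisior` typo as in the other MCS file, and the same unrecoverable bit alignment: `CLKSRC` alone on a line under `MSB 7 6 5 4 3 2 1 0 LSB` does not say which bit it is; `bit N: NAME` per field would fix that. The `MCS3 (at index 6!)` heading is the one place where the position is explicit and is the convention the rest of the file needs.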


@ -0,0 +1,24 @@
STC12A
This is an early STC12 protocol variant; It seems to be used on STC12Cx052 and
possibly other models. It is a mix of STC89 and STC12 protocol versions.
Differences to STC12:
* Uses NONE parity instead of EVEN parity.
* Checksum calculations are different: only a single-byte modular sum is used.
* Baudrate handshake isn't initiated with a type 0x50 packet; this is simply
skipped.
* After the handshake a special ping-pong sequence of 0x80 type packets needs
to be sent.
This doesn't appear to serve any purpose - possibly this is just done to
verify that the connection works reliably. STC12 doesn't require it anymore
because parity and the improved checksum ensure correct operation.
* Erase is acknowledged with type 0x80 packet instead of type 0x00
* After flash programming, there is no finish packet, type 0x69, sent; this
is simply skipped.
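Review bot: the difference list misses something the STC12A trace in this directory shows: after the 0x8D options frame the host sends an empty type 0x50 frame (`46 B9 6A 00 06 50 C0 16`) before the 0x82 reset, which has no counterpart in the STC12 sequence, where 0x50 is the handshake start; it should be listed here even if only as "purpose unknown". The single-byte checksum bullet is confirmed by the capture (0x6A + 0x00 + 0x06 + 0x50 = 0xC0 for that frame, 0x68 + 0x00 + 0x06 + 0x80 = 0xEE for the 0x80 ping replies) and should add that the length field is unchanged and still counts DR through ME, which is why a one-byte payload gives 0x06. The captured sync stream also starts `FF 7F 7F ...`; if the leading 0xFF is deliberate it belongs in the list, otherwise note that it is a line artefact.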


@ -0,0 +1,118 @@
host2mcu:
FF 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
2014-01-28 22:49:54.086500:
46 B9 6A 00 0C 8F C0 79 3F FE 28 85 28 16
2014-01-28 22:49:54.662532:
46 B9 6A 00 0B 8E C0 79 3F FE 28 A1 16
2014-01-28 22:49:55.051469:
46 B9 6A 00 0C 80 00 00 36 01 F2 12 31 16
2014-01-28 22:49:55.144473:
46 B9 6A 00 0C 80 00 00 36 01 F2 12 31 16
2014-01-28 22:49:55.250473:
46 B9 6A 00 0C 80 00 00 36 01 F2 12 31 16
2014-01-28 22:49:55.357505:
46 B9 6A 00 0C 80 00 00 36 01 F2 12 31 16
2014-01-28 22:49:55.463497:
46 B9 6A 00 0C 80 00 00 36 01 F2 12 31 16
2014-01-28 22:49:55.585442:
46 B9 6A 00 8B 84 00 00 02 00 00 08 00 00 00 00
00 00 00 00 00 00 00 00 80 7F 7E 7D 7C 7B 7A 79
78 77 76 75 74 73 72 71 70 6F 6E 6D 6C 6B 6A 69
68 67 66 65 64 63 62 61 60 5F 5E 5D 5C 5B 5A 59
58 57 56 55 54 53 52 51 50 4F 4E 4D 4C 4B 4A 49
48 47 46 45 44 43 42 41 40 3F 3E 3D 3C 3B 3A 39
38 37 36 35 34 33 32 31 30 2F 2E 2D 2C 2B 2A 29
28 27 26 25 24 23 22 21 20 1F 1E 1D 1C 1B 1A 19
18 17 16 15 14 13 12 11 10 0F 0E 68 16
2014-01-28 22:49:56.680538:
46 B9 6A 00 8C 00 00 00 00 00 00 80 02 00 08 12
00 3F 80 FE 75 81 07 12 00 4C E5 82 60 03 02 00
03 E4 78 FF F6 D8 FD 02 00 03 AE 82 AF 83 8E 04
8F 05 1E BE FF 01 1F EC 4D 60 0F 7C 90 7D 01 1C
BC FF 01 1D EC 4D 70 F7 80 E4 22 90 03 E8 12 00
1E E5 80 F4 F5 80 80 F3 75 82 00 22 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 79 16
2014-01-28 22:49:57.362467:
46
2014-01-28 22:49:57.384798:
B9 6A 00 8C 00 00 00 00 80 00 80 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 F6 16
2014-01-28 22:49:58.078540:
46 B9 6A 00 8C 00 00 00 01 00 00 80 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 77 16
2014-01-28 22:49:58.770492:
46 B9 6A 00 8C 00 00 00 01 80 00 80 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 F7 16
2014-01-28 22:49:59.539453:
46 B9 6A 00 26 8D FD F7 F7 FF BF 00 4F 2A 12 BF
FF FD F7 FF FF FF FF F7 FF FF FF FF FF FF FF 00
4F 2A 12 FF FF FF 77 16
2014-01-28 22:49:59.833427:
46 B9 6A 00 06 50 C0 16
2014-01-28 22:50:00.066242:
46 B9 6A 00 06 82 F2 16
mcu2host:
2014-01-28 22:53:43.948052:
46 B9 68 00 28 00 04 EC 04 EC 04 EC 04 EC 04 EC
04 EC 04 EB 04 EB 58 44 00 F2 12 83 FD F7 F7 FF
FF FF BF FF FD F7 F7 FF C1 16
2014-01-28 22:53:44.501730:
46 B9 68 00 0C 8F C0 79 3F FE 28 85 26 16
2014-01-28 22:53:45.072735:
46 B9 68 00 0B 8E C0 79 3F FE 28 9F 16
2014-01-28 22:53:45.217069:
46 B9 68 00 06 80 EE 16
2014-01-28 22:53:45.323215:
46 B9 68 00 06 80 EE 16
2014-01-28 22:53:45.429706:
46 B9 68 00 06 80 EE 16
2014-01-28 22:53:45.536344:
46 B9 68 00 06 80 EE 16
2014-01-28 22:53:45.642186:
46 B9 68 00 06 80 EE 16
2014-01-28 22:53:46.704094:
46 B9 68 00 06 80 EE 16
2014-01-28 22:53:47.393661:
46 B9 68 00 07 80 03 F2 16
2014-01-28 22:53:48.101694:
46 B9 68 00 07 80 00 EF 16
2014-01-28 22:53:48.816598:
46 B9 68 00 07 80 00 EF 16
2014-01-28 22:53:49.485851:
46 B9 68 00 07 80 00 EF 16
2014-01-28 22:53:49.784437:
46 B9 68 00 06 80 EE 16
2014-01-28 22:53:49.881792:
46 B9 68 00 1B 10 C0 16 F7 FF BF 03 FF 58 44 FD
F7 F7 FF FF FF BF FF FD F7 F7 FF 4C 16
2014-01-28 22:53:50.119724:
46 B9 68 00 06 80 EE 16
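Review bot: the two halves of this capture were taken almost four minutes apart (`host2mcu` at 22:49, `mcu2host` at 22:53), so the MCU replies cannot be paired with the host frames above them, and the `mcu2host` info frame `46 B9 68 00 28 00 04 EC ...` answers a sync sequence that is not in the file. Say so in a header line, or re-capture both directions in one session. The frame split across two timestamps (`46` at 22:49:57.362, `B9 6A 00 8C ...` at 22:49:57.384) is a read-boundary artefact of the logger, not a protocol feature, and deserves a remark so nobody documents a one-byte packet.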


@ -0,0 +1,100 @@
MCU: STC12C5A60S2
Data: hello.bin
Handshake: 9600
Transfer: 9600
Clock: 20 MHz
2014-01-06 17:19:52.426530: host2mcu
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F
2014-01-06 17:19:52.722646: mcu2host
46 B9 68 00 31 50 04 BD 04 BC 04 BC 04 BD 04 BC
04 BC 04 BC 04 BC 62 49 00 D1 7E 8C FF 7F F7 FF
FF FF 00 00 00 03 00 B0 02 2E 6B 00 CD 80 00 00
11 7E 16
2014-01-06 17:19:52.846519: host2mcu
46 B9 6A 00 0D 50 00 00 36 01 D1 7E 02 4D 16
2014-01-06 17:19:52.893712: mcu2host
46 B9 68 00 07 8F 00 FE 16
2014-01-06 17:19:52.928824: host2mcu
46 B9 6A 00 0D 8F C0 7E 3F FE A0 83 04 A4 16
2014-01-06 17:19:53.209386: mcu2host
46 B9 68 00 0E 8F C0 7E 3F FE A0 83 04 04 A7 16
2014-01-06 17:19:53.424544: host2mcu
46 B9 6A 00 0C 8E C0 7E 3F FE A0 04 1F 16
2014-01-06 17:19:53.679264: mcu2host
46 B9 68 00 0D 84 C0 7E 3F FE A0 04 04 18 16
2014-01-06 17:19:53.724472: host2mcu
46 B9 6A 00 8C 84 00 00 02 00 00 F0 00 00 00 00
00 00 00 00 00 00 00 00 80 7F 7E 7D 7C 7B 7A 79
78 77 76 75 74 73 72 71 70 6F 6E 6D 6C 6B 6A 69
68 67 66 65 64 63 62 61 60 5F 5E 5D 5C 5B 5A 59
58 57 56 55 54 53 52 51 50 4F 4E 4D 4C 4B 4A 49
48 47 46 45 44 43 42 41 40 3F 3E 3D 3C 3B 3A 39
38 37 36 35 34 33 32 31 30 2F 2E 2D 2C 2B 2A 29
28 27 26 25 24 23 22 21 20 1F 1E 1D 1C 1B 1A 19
18 17 16 15 14 13 12 11 10 0F 0E 22 51 16
2014-01-06 17:19:55.505307: mcu2host
46 B9 68 00 07 00 00 6F 16
2014-01-06 17:19:55.537548: host2mcu
46 B9 6A 00 8D 00 00 00 00 00 00 80 02 00 08 12
00 3F 80 FE 75 81 07 12 00 4C E5 82 60 03 02 00
03 E4 78 FF F6 D8 FD 02 00 03 AE 82 AF 83 8E 04
8F 05 1E BE FF 01 1F EC 4D 60 0F 7C 90 7D 01 1C
BC FF 01 1D EC 4D 70 F7 80 E4 22 90 03 E8 12 00
1E E5 80 F4 F5 80 80 F3 75 82 00 22 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 22 7A 16
2014-01-06 17:19:55.968298: mcu2host
46 B9 68 00 08 00 03 00 73 16
2014-01-06 17:19:55.986526: host2mcu
46 B9 6A 00 8D 00 00 00 00 80 00 80 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 01 F7 16
2014-01-06 17:19:56.412372: mcu2host
46 B9 68 00 08 00 00 00 70 16
2014-01-06 17:19:56.430530: host2mcu
46 B9 6A 00 8D 00 00 00 01 00 00 80 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 01 78 16
2014-01-06 17:19:56.865930: mcu2host
46 B9 68 00 08 00 00 00 70 16
2014-01-06 17:19:56.884481: host2mcu
46 B9 6A 00 8D 00 00 00 01 80 00 80 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 01 F8 16
2014-01-06 17:19:57.288219: mcu2host
46 B9 68 00 08 00 00 00 70 16
2014-01-06 17:19:57.306515: host2mcu
46 B9 6A 00 0D 69 00 00 36 01 D1 7E 02 66 16
2014-01-06 17:19:57.369302: mcu2host
46 B9 68 00 07 8D 00 FC 16
2014-01-06 17:19:57.412492: host2mcu
46 B9 6A 00 1B 8D FF 7F F7 FF FF FF FF FF FF FF
FF FF FF FF FF FF 01 30 5A 49 11 4E 16
2014-01-06 17:19:57.511742: mcu2host
46 B9 68 00 24 50 FF 7F F7 FF FF 03 FF 62 49 FF
7F F7 FF FF FF FF 01 00 03 00 B0 02 2E 6B 00 CD
80 00 00 10 09 16
2014-01-06 17:19:57.672474: host2mcu
46 B9 6A 00 07 82 00 F3 16
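Review bot: this trace and the STC11F08XE one are the evidence behind the "UID is only sent by some BSL versions" sentence in the protocol notes, and a header line naming the BSL version in each would make that explicit: here the info frame reports `62 49` (6.2I) and the erase is acknowledged with the bare `46 B9 68 00 07 00 00 6F 16`, while the 11F08XE (6.5L) reply carries the 7-byte UID. The erase parameters also check out against the MCU database notes and are worth a comment: `size` = 0xF0 is 240 blocks of 256 bytes = 61440 bytes, the code flash size recorded for D17E.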


@ -0,0 +1,141 @@
STC15 series MCS bytes
======================
MCS3 is like early STC15 MCS1.
MCS2 is like early STC15 MCS2.
MCS4 is like early STC15 MCS0 but with additions.
MCSX is like early STC15 MCS12.
MCSY is new in STC15W4 series
baseline
B5 FF F7 BB 9F
long por disabled
B6 FF F7 BB 1F
--> MCS4 bit 7 controls POR delay. low => short, high => long
reset pin as io disabled
B8 FF F7 BB 8F
--> MCS4 bit 4 controls reset pin. low => reset is normal, high => reset is io
low voltage reset disabled
B6 FF F7 FB 9F
--> MCS3 bit 6 controls low voltage reset. low => lv reset enabled, high => disabled
lvd threshold 2.61v
B8 FF F7 BA 9F
lvd threshold 2.82v
B5 FF F7 B9 9F
lvd threshold 3.08v
B6 FF F7 B8 9F
--> MCS3 bits 0-2 control LVD threshold setting. exact mapping not yet clear.
eeprom lv inhibit disabled
B7 FF F7 3B 9F
--> MCS3 bit 7 controls eeprom lv inhibit. high => eeprom lv inhibit enabled, low => disabled
watchdog after reset enabled
B6 FF D7 BB 9F
--> MCS2 bit 5 controls watchdog after reset. high => disabled, low => enabled
watchdog prescaler 128
B4 FF F6 BB 9F
watchdog prescaler 64
B5 FF F5 BB 9F
watchdog prescaler 32
B5 FF F4 BB 9F
watchdog prescaler 2
B6 FF F0 BB 9F
--> MCS2 bits 0-2 control watchdog prescaler. mapping is similar to early STC15.
wdt stop in idle disabled
B7 FF FF BB 9F
erase eeprom next programming
B4 FF F7 BB 9F
--> it's somewhere else! it's bit 1 of the extra MCSX byte that is typically 0xfd. low => erase eeprom disabled, high => erase eeprom enabled
p3.3 por state enabled
B9 FF F7 BB 97
--> MCS4 bit 3 controls the p3.3 state. high => p3.3 high, low => p3.3 low
p3.1 passthrough from p3.0 enabled
B5 FF F7 BB DF
--> MCS4 bit 2 controls the p3.1 passthrough. low => passthrough disabled, high => passthrough enabled
p3.1 push pull enabled
B5 FF F7 BB BF
--> MCS4 bit 1 controls p3.1 push pull. low => quasi-bidi, high => push-pull
bsl pindetect enabled
B5 FF F7 BB BF
--> somewhere else, MCSX bit 0. low => pindetect enabled, high => pindetect disabled.
external oscillator enabled (IAP15F2K61S2)
9C 7F F7 BB 9E
--> MCS4 bit 0 controls external oscillator. low => use external crystal, high => use RC.
external oscillator enabled + clock gain low (IAP15F2K61S2)
9C 7F F7 BB 9C
--> MCS 4 bit controls clock gain. high => high clock gain, low => low clock gain.
cpu core supply level (MCSY)
in status packet:
2.68v
46 B9 68 00 34 50 8D FF 73 96 F7 BC 9F 00 5B 7A C0 FD 27 ED 00 00 73 54 00 F5 28 04 06 70 96 02 15 19 1C 1E 23 00 EC E0 04 D7 EA 92 FF FF FF 15 09 25 60 14 BD 16
3.33v
46 B9 68 00 34 50 8D FF 73 96 F7 BC 9F 00 5B 92 30 FD 25 EA 00 FC 73 54 00 F5 28 04 06 70 96 02 15 19 1C 1E 23 00 EC E0 04 D7 F7 92 FF FF FF 15 09 25 60 15 49 16
3.63v
46 B9 68 00 34 50 8D FF 73 96 F7 BC 9F 00 5B 7A C0 FD 25 EF 00 00 73 54 00 F5 28 04 06 70 96 02 15 19 1C 1E 23 00 EC E0 04 D7 FD 92 FF FF FF 15 09 25 60 14 D0 16
3.73v
46 B9 68 00 34 50 8D FF 73 96 F7 BC 9F 00 5B 92 30 FD 25 EA 00 00 73 54 00 F5 28 04 06 70 96 02 15 19 1C 1E 23 00 EC E0 04 D7 FF 92 FF FF FF 15 09 25 60 14 55 16
^^
MCSY
voltage: ff -> 3.73v
fd -> 3.63v
f7 -> 3.33v
ea -> 2.68v
in set options packet:
46 B9 6A 00 4B 04 00 00 5A A5 FF FF FF 00 FF FF
00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
00 00 FF A8 FF EE FF E0 FF FD 03 FF FF FF FF FF
^^
MCSP
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FD FF FF FF 75 BF F7 BC 9F 3A 80 16
^^
MCSY
password setting
the password is sent with packet type 0x07 and checked before erase with packet type 0x05. setting the password uses two fields.
index 22 of the option block encodes the password length in bytes (MCSP, see above). bit 3 in MCS3 decides whether the password
will be checked. if the bit is set, no password check occurs. if it is reset, a password check occurs.
quick dump from USB-ISP packets:
set: foobar
0000 ff ff ff 00 ff ff 00 05 ff ff ff ff ff ff ff 07 ................
0010 ff ff ff ff ff ff ff 07 ff 06 01 ff 6e ff 36 58 ............n.6X
0020 ff 00 ff f5 03 ff ff 0c ff ff ff ff ff ff ff 07 ................
0030 ff ff ff ff ff ff ff 07 ff ff ff ff ff ff ec 1a ................
0040 ff ff ff 99 7f f7 bc 38 9f 61 .......8.a
reset:
0000 ff ff ff 00 ff ff 00 05 ff ff ff ff ff ff ff 07 ................
0010 ff ff ff ff ff ff ff 07 ff 00 01 ff 6e ff 36 5e ............n.6^
0020 ff 00 ff fd 03 ff ff 04 ff ff ff ff ff ff ff 07 ................
0030 ff ff ff ff ff ff ff 07 ff ff ff ff ff ff ec 1a ................
0040 ff ff ff 99 7f f7 bc 38 9f 61 .......8.a
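
Review bot: the bit numbers given for the two p3.1 options do not match their own samples: against the 9F last byte seen in every other MCS4 sample here, "p3.1 passthrough from p3.0 enabled" shows DF (bit 6 set) and "p3.1 push pull enabled" shows BF (bit 5 set), not bit 2 and bit 1 as the notes say; either the notes or the pasted bytes need correcting. Related: the "bsl pindetect enabled" line reuses the push-pull bytes "B5 FF F7 BB BF" unchanged, and its flag sits in MCSX, which these five bytes do not include, so that sample shows nothing and should be replaced by one that contains the MCSX byte; and "MCS 4 bit controls clock gain" is missing the bit number, which from 9E vs 9C in the two IAP15F2K61S2 samples is bit 1. Lastly, "index 22 of the option block" is the index after the interleaved USB check bytes are removed: in the raw dump the length 0x06 sits at offset 0x19 ("ff 06 01 ff 6e") with three check bytes before it, which is worth saying next to the dump.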


@ -0,0 +1,167 @@
STC15 protocol
==============
high level
----------
-> pulse
<- info packet
-> freq challenges round 1
<- freq responses
-> freq challenges round 2
<- freq responses
-> baud switch
<- ack
-> prepare
<- ack
-> erase
<- ack + uid
-> write first block
<- ack
-> write block 2
<- ack
...
-> write block n
<- ack
-> option packet
<- ack
info packet
-----------
6 MHz:
46 B9 68 00 2B 50 66 3C 93 BA F7 BB 9F 00 5B 68 00 FD 00 00 00 00 71 51 03 F2 D4 04 06 58 BA 02 2A 31 32 38 30 80 14 10 04 D9 0D 02 16
12 MHz:
46 B9 68 00 2B 50 66 3C 93 BA F7 BB 9F 00 B6 F5 80 FD 00 00 00 00 71 51 03 F2 D4 04 06 58 BA 02 2A 31 32 38 30 80 14 10 04 D9 0E 6A 16
33 MHz:
46 B9 68 00 2B 50 66 3C 93 BA F7 B9 9F 01 F7 C2 80 FD 00 00 00 00 71 51 03 F2 D4 04 06 58 BA 02 2A 31 32 38 30 80 14 10 04 D9 0E 77 16
30 MHz:
46 B9 68 00 2B 50 66 3C 93 BA F7 B9 9F 01 C9 9E 00 FD 7F FF FD FF 71 51 03 F2 D4 04 06 58 BA 02 2A 31 32 38 30 80 14 10 04 D9 11 1F 16
^^^^^ ^^^^^^^^^^^
timer freq freq big endian
value in hz 32 bit value
^^^^^^^^ ^^
MCS2-4 MCSX
^^
factory calibration adjust for 24 MHz (range 0x40)?
STC15W4K56S4:
46 B9 68 00 34 50 8D FF 73 96 F7 BC 9F 00 5B 7A C0 FD 27 ED 00 00 73 54 00 F5 28 04 06 70 96 02 15 19 1C 1E 23 00 EC E0 04 D7 EA 92 FF FF FF 15 09 25 60 14 BD 16
^^
core voltage (MCSY)
IAP15F2K61S2:
external osc:
46 B9 68 00 2B 50 87 D3 75 9C F7 BB 9E 01 77 70 80 FD 06 57 00 00 71 53 00 F4 49 04 06 58 9C 02 0E 14 17 19 19 00 F4 F4 04 D2 0E 8A 16
^^^^^
frequency count for external (1)
(1) if external clock is active, frequency can be calculated like:
CLOCK = BAUD * COUNT
internal 11.052 MHz:
46 B9 68 00 2B 50 87 D3 75 9C F7 BB 9F 00 A8 AD 40 FD 09 FE 00 00 71 53 00 F4 49 04 06 58 9C 02 0E 14 17 19 19 00 F4 F4 04 D2 0F 62 16
i.e. operating frequency is not sampled from host pulses! it's actually much more
convenient, it is simply returned as an integer value in hz. same for the wakeup
timer.
baud switch packet
------------------
46 B9 6A 00 0E 01 8C 40 F6 FD F2 7C 83 05 29 16
^^^^^ ^^^^^ ^^
(1) (2) (3)
^^^^^
prog calib. values
(1) baud value (65535 - clk / baud) (SW UART)
(65535 - clk / baud / 4) (HW UART)
(2) some timer value (65535 - (clk / baud) * 1.5)
(3) constant? IAP delay?
trim challenge packet
---------------------
two challenges are sent, UART seems to be used as clock reference
33.1 MHz @ 9600 bps:
-> 46 B9 6A 00 20 00 0B 00 C0 80 C0 FF C0 00 80 80 80 FF 80 00 40 80 40 FF 40 00 00 80 00 00 00 0A 12 16 92 92 92 92
4 MHz @ 9600 bps:
-> 46 B9 6A 00 20 00 0B 00 C0 80 C0 FF C0 00 80 80 80 FF 80 00 40 80 40 FF 40 00 00 80 00 00 00 0A 12 16 92 92 92 92
6 MHz @ 9600 bps:
-> 46 B9 6A 00 20 00 0B 00 C0 80 C0 FF C0 00 80 80 80 FF 80 00 40 80 40 FF 40 00 00 80 00 00 00 0A 12 16 92 92 92 92
<- 46 B9 68 00 20 00 0B 03 05 04 4F 05 9E 06 20 08 B9 0B 57 0C 60 11 6A 16 5B 13 5E 1A D4 00 00 05 91 16
-> 46 B9 6A 00 20 00 0C B4 C0 B5 C0 B6 C0 B7 C0 B8 C0 B9 C0 8C 40 8D 40 8E 40 8F 40 90 40 91 40 0E 34 16 92 92 92 92
<- 46 B9 68 00 20 00 0C 04 DB 04 DB 04 DB 04 E0 04 E5 04 E5 11 EC 11 F6 12 05 12 05 12 0F 12 14 08 60 16
12 MHz @ 9600 bps:
-> 46 B9 6A 00 20 00 0B 00 C0 80 C0 FF C0 00 80 80 80 FF 80 00 40 80 40 FF 40 00 00 80 00 00 00 0A 12 16 92 92 92 92
<- 46 B9 68 00 20 00 0B 03 05 04 4F 05 99 06 20 08 B4 0B 52 0C 65 11 6F 16 56 13 5E 1A D4 00 00 05 87 16
-> 46 B9 6A 00 20 00 0C B0 80 B1 80 B2 80 B3 80 B4 80 B5 80 8B 40 8C 40 8D 40 8E 40 8F 40 90 40 0C 96 16 92 92 92 92
<- 46 B9 68 00 20 00 0C 09 B8 09 BD 09 C2 09 C7 09 C7 09 D1 11 DD 11 EC 11 FB 12 00 12 0A 12 0F 08 A6 16
^^^^^
number of challenges used (here: 12)
looks like two byte calibration values are used; second byte is the rough value, first byte is fine adjust
first round selects a rough range
second round refines inside that range and another (for programming speed)
(CLOCK / (BAUD/2)) = COUNTER
=> CLOCK = COUNTER * (BAUD/2)
the first packet always uses a fixed set of challenges.
first calibration byte of chosen frequency is stored in options. the second calibration byte is stored added together
with the value 0x3f in the next option byte.
a factory frequency value (24 MHz) is available in the info packet.
the calibration value for the programming frequency (always range 0x40) is transmitted with the baud change packet.
option packet
-------------
46 B9 6A 00 49 04 00 00 FF FF FF 00 FF FF 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 FF 5B FF 68 FF 00
^^^^^^^^^^^^^^^^^^^^
frequency in hz, with FF bytes inbetween
FF FD FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF B5 FF F7 BB 9F 3A 48 16
^ ^^^^^^^^^^^^^^
MCSX ^^ MCS0-4
MCSY
(STC15W4)
MCS bytes
---------
### MCS0
RC calibration adjust
### MCS1
0x3f + RC calibration range (0x00, 0x40, 0x80, 0xc0)
### MCS2 - MCS4, MCSX and MCSY
See stc15-options.txt
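
Review bot: the two count formulas in this file disagree by a factor of two: the external-oscillator note says "CLOCK = BAUD * COUNT" while the trim section says "CLOCK = COUNTER * (BAUD/2)". The trim responses fit the second form: at 6 MHz @ 9600 bps the round-two reply for challenge B4 C0 is 04 DB = 1243, and 1243 * 4800 = 5.97 MHz; at 12 MHz the reply for B0 80 is 09 B8 = 2488, giving 11.94 MHz. Either say that the external count is taken over a different interval or correct one of the formulas. It would also help to show that the baud switch sample satisfies the formulas given for it: F6 FD = 63229 gives clk/baud = 2306, i.e. 22.1184 MHz at 9600 bps, and F2 7C = 62076 gives 3459 = 1.5 * 2306, which identifies the "prog calib." word 8C 40 as the high-speed programming clock named in the STC15A notes.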


@ -0,0 +1,46 @@
STC15 series USB ISP protocol
=============================
General principle
-----------------
- host does OUT and IN control transfers for write and read
- IN transfer with wLength = 132, wValue = 0, wIndex = 0, bRequest = 0 are used for all reads
- OUT transfers with with specific bRequest, wValue, wIndex are used for writes
Packet coding
-------------
- packets from MCU
always start with 0x46 0xb9, similar to serial protocols
third byte is packet length, followed by data bytes
checksum at the end: 8 bit modular sum
- packets from host
no header bytes
bRequest sets packet type
wValue, wIndex interpretation according to packet type
8 bit modular checksum for every 7 bytes, interleaved
- packet types derived from the serial protocol
Specific packet information
---------------------------
- flash data
wIndex specifies write address
wValue is 0xa55a
bRequest is 0x22 for first packet, 0x02 for the following ones
unusually encoded: a total of 128 bytes per packet,
with every 7 byte checksummed in some way,
for a total of 18x7 byte segments and a final 2 byte segment
checksum: 8 bit modular sum
- option packet
generally same as with serial protocol, some header stuff omitted
wIndex is 0
wValue is 0xa55a
bRequest is 4
seems to use the same checksumming scheme as flash writes
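
Review bot: "8 bit modular sum" leaves the polarity open, and the USB dump in the options notes shows it is the negated sum, so that each 7-byte group plus its check byte sums to zero mod 256: "ff 00 ff f5 03 ff ff" is followed by 0c (sum 0xf4, and 0x100 - 0xf4 = 0x0c), "ff 00 ff fd 03 ff ff" by 04, and the first row "ff ff ff 00 ff ff 00" by 05; a plain sum would give f4, fc and fb. Say so in both the packet coding and flash data bullets. Also "a final 2 byte segment" is ambiguous: 128 data bytes leave 2 data bytes after 18x7, and the tail of the options dump ("9f 61", one data byte followed by its check byte) suggests the last segment carries its own check byte as well, so state whether "2 byte" counts the check byte.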


@ -0,0 +1,81 @@
Model-specific configuration registers
Placement of configuration values
"~" means the bit is a negated boolean. Sometimes values overlap,
depending on MCU model.
In STC15 series, the first 13 MCS bytes have active values. Generally,
unused bits should be set to 1.
MCS0
----
MSB 7 6 5 4 3 2 1 0 LSB
RSPEN
RSPEN := RESET pin enable
MCS1
----
MSB 7 6 5 4 3 2 1 0 LSB
EEIH LVRS LVD2 LVD1 LVD0
EEIH := inhibit EEPROM writes in low-voltage conditions enable
LVRS := low-voltage reset enable
LVD2...LVD0 := low voltage detection threshold
LVD2 LVD1 LVD0 value
0 0 0 setting 0 (e.g. 3.14V)
0 0 1 setting 1 (e.g. 3.28V)
0 1 0 setting 2 (e.g. 3.43V)
0 1 1 setting 3 (e.g. 3.61V)
1 0 0 setting 4 (e.g. 3.82V)
1 0 1 setting 5 (e.g. 4.05V)
1 1 0 unknown
1 1 1 unknown
The exact voltages depend on MCU model.
MCS2
----
MSB 7 6 5 4 3 2 1 0 LSB
~WDEN ~WDSTP WDPS2 WDPS1 WDPS0
~WDEN := watchdog enable after power-on-reset
~WDSTP := stop watchdog counter in idle mode
WDPS2...WDPS0 := watchdog counter prescaler
WDPS2 WDPS1 WDPS0 divisior
0 0 0 2
0 0 1 4
0 1 0 8
0 1 1 16
1 0 0 32
1 0 1 64
1 1 0 128
1 1 1 256
This is completely similar to STC12.
MCS3...MCS11
------------
All bytes set to 0xff.
MCS12
-----
MSB 7 6 5 4 3 2 1 0 LSB
~EREE ~BSLD
~EREE := enable eeprom erase next time MCU is programmed
~BSLD := enable BSL pin detect; i.e. BSL is only enabled if P1.0/P1.1
(or others, depends on MCU model) are held low on POR.
This is like MCS3 of STC12.
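
Review bot: the bit positions in the MCS0, MCS1 and MCS12 rows are carried only by column alignment under the "MSB 7 6 5 4 3 2 1 0 LSB" header, which does not survive reflow (it is already lost in this rendering), so add the bit number to each definition, e.g. "~EREE (bit 1)" and "~BSLD (bit 0)". The options notes in this commit place erase-eeprom in "bit 1 of the extra MCSX byte" and pindetect in "MCSX bit 0", and the later "MCS bytes" notes list "bit 0: ? ~BSLD" and "bit 1: erase eeprom enabled" for their MCS0, so it is worth stating whether MCS12 here is that same byte. Minor: "divisior" in the prescaler table, and "This is completely similar to STC12" reads better as "This matches STC12".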


@ -0,0 +1,313 @@
STC15 reverse engineering
Note: so far only based on STC15F104E! This protocol has been renamed ot STC15A.
Basic differences between STC12 and STC15
* Initial MCU response is an ack (0x80) packet. Host needs to respond
with the same ack and pulse 0x7f again, then MCU sends the info
packet.
* Frequency timings sent with info packet are different; the calculation
is the same but only four timings are sent, followed by two other
unknown timings and two zero words.
* A new handshake is used to tune the RC oscillator for a given
frequency.
* The baudrate isn't changed with a complicated handshake, it is just
switched to with a 0x8e type packet.
This may be different on other MCUs that have a hardware UART.
* Transfers use 64 bytes block size.
Possibly that's because the 15F104E only has 128 bytes RAM. It
might use bigger blocks on MCUs with more RAM.
* Position of many option bits has changed, and more bits are used.
The RC oscillator calibration
Theory of operation:
* Host sends a sequence of challenges. These are values to be
programmed into an internal RC oscillator calibration register.
* Host sends 0x7f pulses
* MCU sends back responses, which are the runtime of the baudrate
timing counter (similar to the info packet)
* Host repeats this with finer trimmed challenge values.
* Host determines calibration value with the lowest error.
* Host sends baudrate switch packet
* Host sends option packet to program frequency after flash programming
The STC software uses a fixed set of coarse grained trim values to
try. These are:
sequence clock (MHz)
0x1800 0x1880 0x1880 0x18ff [4, 7.5]
0x1880 0x18ff 0x5800 0x5880 (7.5, 10]
0x5800 0x5880 0x5880 0x58ff (10, 15]
0x5880 0x58ff 0x9800 0x9880 (15, 21]
0x9800 0x9880 0x9880 0x98ff (21, 31]
0xd800 0xd880 0xd880 0xd8b4 (31, 40]
In addition it sends a sequence for the programming speed:
0x5800 0x5880 for normal speed and 0x9800 0x9880 for high
speed programming.
Then, by linear interpolation, it choses a suitable range of
fine-tuning trim values to try according to the counter values sent
by the MCU.
The programming speed trim value is only determined by linear
interpolation of the two trim challenges sent in the first round of
calibration. This seems to be good enough.
New packets host2mcu
--------------------
1. RC calibration challenge
Payload: 0x65, T0, .., T6, 0xff, 0xff, 0x06, CNT,
TR00, TR01, 0x02, 0x00,
TR10, TR11, 0x02, 0x00,
...
T0...T6 := trim constants, from info packet
CNT := number of calibration challenges (max 11)
TRxx := calibration challenge trim values
2. Baudrate switch
Payload: 0x8e, TR0, TR1, BDIV, 0xa1, 0x64, FC,
0x00, IAP, 0x20, 0xff, 0x00
TR0, TR1 := trim value for programming frequency
(normal = 11.0592 MHz, highspeed = 22.1184 MHz)
BDIV := baud rate divider (normal: baud = 115200 / BDIV, highspeed: baud = 230400 / BDIV)
FC := some frequency constant, normal: 0xdc, highspeed: 0xb8
IAP := IAP delay, normal: 0x83, highspeed: 0x81
Communication dump with notes
-----------------------------
Firmware version: 6.7Q
Magic: F294
UID: 0A00002802C4EB
This seems to work differently from what we've seen on STC10/11/12 series with
firmware 6.2/6.5.
Get status packet
-----------------
mcu2host:
2014-01-09 11:35:17.917063:
46 B9 68 00 07 80 00 EF 16
2014-01-09 11:35:18.056583:
46 B9 68 00 40 50 02 B0 02 B0 02 AF 02 B0 02 E6
02 E7 00 00 00 00 67 51 FF F2 94 8C EF 3B F5 58
34 FF FF FF FF FF FF FF FF FF FF FF 00 00 00 00
FF FF FF FF FF FF FF FF 58 50 0C 94 21 FF 29 21
82 16
host2mcu:
2014-01-09 11:37:13.000352:
7F 7F 7F 7F 46 B9 6A 00 07 80 00 F1 16 7F 7F 7F
7F
2014-01-09 11:37:13.298358:
46 B9 6A 00 07 82 00 F3 16
* MCU first sends an ACK packet (0x80),
which needs to be replied to with the same ACK (0x80) by the host.
after that host needs to pulse (send 0x7f until reply) again
* STC software then adjust the frequency of the RC, after that the handshake
is done.
Program hello.bin
-----------------
host2mcu:
FF 7F 7F 7F 7F 46 B9 6A 00 07 80 00 F1 16 7F 7F
7F 7F 7F 7F
2014-01-09 11:46:06.334342:
46 B9 6A 00 0D 50 00 00 36 01 F2 94 02 84 16
^ Initiate baudrate handshake, like STC12
46
B9 6A 00 2A 65 58 50 0C 95 21 FF 2B FF FF 06 06
58 00 02 00 58 80 02 00 58 80 02 00 58 FF 02 00
58 00 02 00 58 80 02 00 0A 32 16
^ This is a new type of packet (0x65), presumably
for frequency adjustment
7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F
46 B9 6A 00 3E 65 58 50 0C
95 21 FF 2B FF FF 06 0B 58 24 02 00 58 25 02 00
58 26 02 00 58 27 02 00 58 28 02 00 58 29 02 00
58 2A 02 00 58 2B 02 00 58 2C 02 00 58 2D 02 00
58 2E 02 00 0B 51 16
^ Same new packet again!
7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 46 B9 6A 00 12 8E 58 29 0C A1
64 DC 12 83 20 FF 00 05 2C 16
^ Straight jumps to setting the new baudrate,
instead of testing it like in earlier firmware.
2014-01-09 11:46:07.466357:
46 B9 6A 00 3B 84 FF 00 02 00 00 10 00 00 00 00
00 00 00 00 00 00 00 00 80 7F 7E 7D 7C 7B 7A 79
78 77 76 75 74 73 72 71 70 6F 6E 6D 6C 6B 6A 69
68 67 66 65 64 63 62 61 60 5F 11 09 16
^ erase flash
2014-01-09 11:46:08.322346:
46 B9 6A 00 4D 00 00 00 00 00 00 40 02 00 08 12
00 3F 80 FE 75 81 07 12 00 4C E5 82 60 03 02 00
03 E4 78 FF F6 D8 FD 02 00 03 AE 82 AF 83 8E 04
8F 05 1E BE FF 01 1F EC 4D 60 0F 7C 90 7D 01 1C
BC FF 01 1D EC 4D 70 F7 80 E4 22 90 1A 85 16
46
B9 6A 00 4D 00 00 00 00 40 00 40 03 E8 12 00 1E
E5 80 F4 F5 80 80 F3 75 82 00 22 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 08 AC 16
46 B9
6A 00 4D 00 00 00 00 80 00 40 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 01 77 16
46 B9 6A
00 4D 00 00 00 00 C0 00 40 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 01 B7 16
46 B9 6A 00
4D 00 00 00 01 00 00 40 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 F8 16
46 B9 6A 00 4D
00 00 00 01 40 00 40 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 01 38 16
46 B9 6A 00 4D 00
00 00 01 80 00 40 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 01 78 16
46 B9 6A 00 4D 00 00
00 01 C0 00 40 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 01 B8 16
^ flash write packets. curiously they use
a smaller block size, 64 bytes.
46 B9 6A 00 0D 69 00 00
36 01 F2 94 02 9D 16
^ finish packet
2014-01-09 11:46:09.571449:
46 B9 6A 00 1A 8D EF FC F7 58 29 FF FF FF FF FF
FF FF FF FF FF FF FF FF FF 12 66 16
^ set options packet
2014-01-09 11:46:09.774383:
46 B9 6A 00 07 82 00 F3 16
^ reset packet
mcu2host:
2014-01-09 11:49:50.004984:
46 B9 68 00 07 80 00 EF 16
^ ACK
2014-01-09 11:49:50.166675:
46 B9 68 00 40 50 02 9C 02 9C 02 9C 02 9C 02 E6
02 E7 00 00 00 00 67 51 FF F2 94 8C EF FC F7 58
29 FF FF FF FF FF FF FF FF FF FF FF 00 00 00 00
FF FF FF 12 FF FF FF FF 58 50 0C 95 21 FF 2B 21
01 16
^ status packet
46 B9 68 00 07 8F 00 FE 16
^ acknowledge handshake
2014-01-09 11:49:50.566935:
46 B9 68 00 2A 65 58 50 0C 95 21 FF 2B FF FF 06
06 58 00 02 4A 58 80 03 45 58 80 03 46 58 FF 04
3D 58 00 02 4A 58 80 03 45 0B D6 16
^ reply to first new 0x65 packet
2014-01-09 11:49:50.941928:
46 B9 68 00 3E 65 58 50 0C 95 21 FF 2B FF FF 06
0B 58 24 02 92 58 25 02 94 58 26 02 97 58 27 02
9A 58 28 02 9A 58 29 02 9C 58 2A 02 9F 58 2B 02
A2 58 2C 02 A1 58 2D 02 A4 58 2E 02 A8 12 0A 16
^ reply to second 0x65 packet
2014-01-09 11:49:51.391860:
46 B9 68 00 13 84 58 29 0C A1 64 DC 12 83 20 FF
^ new packet type (0x84)
00 05 05 26 16
2014-01-09 11:49:52.253370:
46 B9 68 00 0E 00 0A 00 00 28 02 C4 EB 02 59 16
^ acknowledge erase
2014-01-09 11:49:52.393369:
46 B9 68 00 08 00 8E 00 FE 16
2014-01-09 11:49:52.518566:
46 B9 68 00 08 00 75 00 E5 16
2014-01-09 11:49:52.643749:
46 B9 68 00 08 00 00 00 70 16
2014-01-09 11:49:52.772755:
46 B9 68 00 08 00 00 00 70 16
2014-01-09 11:49:52.905131:
46 B9 68 00 08 00 00 00 70 16
2014-01-09 11:49:53.047673:
46 B9 68 00 08 00 00 00 70 16
2014-01-09 11:49:53.170668:
46 B9 68 00 08 00 00 00 70 16
2014-01-09 11:49:53.299131:
46 B9 68 00 08 00 00 00 70 16
^ acknowlegde flash writes
2014-01-09 11:49:53.460551:
46 B9 68 00 07 8D 00 FC 16
^ acknowledge finish flash programming
| last three bytes of UID
46 B9 68 00 2F 50 02
C4 EB 58 29 03 FF 67 51 EF FC F7 58 29 FF FF FF
FF FF FF FF FF FF FF FF FF FF FF 12 FF FF FF FF
00 00 00 00 00 00 00 1A 36 16
^ acknowledge set options
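
Review bot: the baudrate switch payload template does not match the captured packet: it lists "0x8e, TR0, TR1, BDIV, 0xa1, 0x64, FC, 0x00, IAP, 0x20, 0xff, 0x00", but the dump shows "8E 58 29 0C A1 64 DC 12 83 20 FF 00", and the MCU's 0x84 reply echoes "DC 12 83" as well, so the byte between FC and IAP is 0x12 here, not 0x00; correct the template or note what 0x12 is. The RC calibration challenge section also describes only the request, while the reply format is visible in the dump and worth adding: the MCU returns the same packet with the "0x02, 0x00" placeholder after each trim word replaced by the measured 16-bit counter ("58 00 02 00" comes back as "58 00 02 4A", "58 24 02 00" as "58 24 02 92"). Typo: "renamed ot STC15A".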


@ -0,0 +1,118 @@
2015-11-20 01:39:38.554555: PC
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
2015-11-20 01:39:41.744739: MCU
46 B9 68 00 2B 50 66 3C 93 BA F7 BB 9F 00 5B 68
00 FD 00 00 00 00 71 51 03 F2 D4 04 06 58 BA 02
2A 31 32 38 30 80 14 10 04 D9 0D 02 16
2015-11-20 01:39:41.839211: PC
46 B9 6A 00 20 00 0B 00 C0 80 C0 FF C0 00 80 80
80 FF 80 00 40 80 40 FF 40 00 00 80 00 00 00 0A
12 16 92 92 92 92
2015-11-20 01:39:41.932603: MCU
46 B9 68 00 20 00 0B 03 0A 04 4F 05 9E 06 20 08
B9 0B 5C 0C 6A 11 7E 16 79 13 77 1A B1 00 00 05
CD 16
2015-11-20 01:39:41.975503: PC
46 B9 6A 00 20 00 0C B4 C0 B5 C0 B6 C0 B7 C0 B8
C0 B9 C0 89 40 8A 40 8B 40 8C 40 8D 40 8E 40 0E
22 16 92 92 92 92
2015-11-20 01:39:42.058079: MCU
46 B9 68 00 20 00 0C 04 D6 04 DB 04 E0 04 E0 04
E0 04 E5 11 E2 11 F1 11 FB 12 05 12 0A 12 19 09
41 16
2015-11-20 01:39:42.106052: PC
46 B9 6A 00 0E 01 8C 40 F6 FD F2 7C 83 05 29 16
2015-11-20 01:39:42.130699: MCU
46 B9 68 00 07 01 00 70 16
2015-11-20 01:39:42.355652: PC
46 B9 6A 00 07 05 00 76 16
2015-11-20 01:39:42.369748: MCU
46 B9 68 00 07 05 00 74 16
2015-11-20 01:39:42.385566: PC
46 B9 6A 00 08 03 00 00 75 16
2015-11-20 01:39:42.762099: MCU
46 B9 68 00 0E 03 0C 00 00 17 01 A0 E0 02 1D 16
2015-11-20 01:39:42.793627: PC
46 B9 6A 00 49 22 00 00 02 00 08 12 00 3F 80 FE
75 81 07 12 00 4C E5 82 60 03 02 00 03 E4 78 FF
F6 D8 FD 02 00 03 AE 82 AF 83 8E 04 8F 05 1E BE
FF 01 1F EC 4D 60 0F 7C 90 7D 01 1C BC FF 01 1D
EC 4D 70 F7 80 E4 22 90 1A 63 16
2015-11-20 01:39:42.898503: MCU
46 B9 68 00 08 02 54 00 C6 16
2015-11-20 01:39:42.915747: PC
46 B9 6A 00 49 02 00 40 03 E8 12 00 1E E5 80 F4
F5 80 80 F3 75 82 00 22 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 08 6A 16
2015-11-20 01:39:43.020455: MCU
46 B9 68 00 08 02 54 00 C6 16
2015-11-20 01:39:43.036976: PC
46 B9 6A 00 49 02 00 80 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 01 35 16
2015-11-20 01:39:43.142916: MCU
46 B9 68 00 08 02 54 00 C6 16
2015-11-20 01:39:43.159889: PC
46 B9 6A 00 49 02 00 C0 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 01 75 16
2015-11-20 01:39:43.249802: MCU
46 B9 68 00 08 02 54 00 C6 16
2015-11-20 01:39:43.266503: PC
46 B9 6A 00 49 02 01 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 B6 16
2015-11-20 01:39:43.366446: MCU
46 B9 68 00 08 02 54 00 C6 16
2015-11-20 01:39:43.383638: PC
46 B9 6A 00 49 02 01 40 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 F6 16
2015-11-20 01:39:43.477298: MCU
46 B9 68 00 08 02 54 00 C6 16
2015-11-20 01:39:43.494433: PC
46 B9 6A 00 49 02 01 80 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 01 36 16
2015-11-20 01:39:43.600474: MCU
46 B9 68 00 08 02 54 00 C6 16
2015-11-20 01:39:43.617482: PC
46 B9 6A 00 49 02 01 C0 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 01 76 16
2015-11-20 01:39:43.721087: MCU
46 B9 68 00 08 02 54 00 C6 16
2015-11-20 01:39:43.746765: PC
46 B9 6A 00 49 04 00 00 FF FF FF 00 FF FF 00 FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00
FF 5B FF 68 FF 00 FF FD FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF B6 FF F7 BB 9F 3A 49 16
2015-11-20 01:39:43.863822: MCU
46 B9 68 00 08 04 54 00 C8 16
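
Review bot: this capture has no header saying which MCU and which STC-ISP settings it comes from, unlike the annotated dumps in the STC15A notes; add one line with model, firmware and target clock. From the content it is the 6 MHz session quoted in the STC15 protocol notes (the info packet "46 B9 68 00 2B 50 66 3C 93 BA F7 BB 9F 00 5B 68 00 FD ..." is identical, and the option packet carries 00 5B 68 00 = 5 990 400 Hz), and the flash writes use 64-byte blocks (length 0x49 packets at 00 00, 00 40, 00 80, ...), which is a useful data point for the "might use bigger blocks on MCUs with more RAM" remark in the STC15A notes.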


@ -0,0 +1,128 @@
2015-12-10 23:47:44.198341: PC
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
2015-12-10 23:47:48.400692: MCU
46 B9 68
2015-12-10 23:47:48.411946: PC
7F
2015-12-10 23:47:48.414811: MCU
00 34 50
2015-12-10 23:47:48.427644: PC
7F
2015-12-10 23:47:48.428894: MCU
8D FF 73 96 F5 7B 9F FF FF FF FF FF 27 ED 00 00
73 54 00 F5 28 04 06 70 96 02 15 19 1C 1E 23 00
EC E0 04 D7 F8 73 BF FF FF 15 09 25 60 16 92 16
2015-12-10 23:47:48.725370: PC
46 B9 6A 00 20 00 0B 00 C0 80 C0 FF C0 00 80 80
80 FF 80 00 40 80 40 FF 40 00 00 80 00 00 00 0A
12 16 FE FE FE FE FE FE FE FE FE FE FE FE FE
2015-12-10 23:47:49.088353: MCU
46 B9 68
2015-12-10 23:47:49.099586: PC
FE
2015-12-10 23:47:49.102589: MCU
00 20 00
2015-12-10 23:47:49.115089: PC
FE
2015-12-10 23:47:49.116479: MCU
0B 0D 21 12 BC 18 3E 1A 05 24 FA 2F B3 34 D1 4A
52 5E C0 52 DB 73 1A 00 00 08 7D 16
2015-12-10 23:47:49.266317: PC
46 B9 6A 00 20 00 0C 71 80 72 80 73 80 74 80 75
80 76 80 6F 40 70 40 71 40 72 40 73 40 74 40 0A
74 16 FE FE FE FE FE FE FE FE FE FE FE FE FE FE
2015-12-10 23:47:49.650397: MCU
46 B9 68
2015-12-10 23:47:49.661888: PC
FE
2015-12-10 23:47:49.664523: MCU
00 20 00
2015-12-10 23:47:49.677636: PC
FE
2015-12-10 23:47:49.678633: MCU
0C 23 BF 23 D3 23 E7 23 F6 24 0F 24 23 47 73 47
B9 47 E1 48 09 48 36 48 59 09 5B 16
2015-12-10 23:47:49.944529: PC
46 B9 6A 00 0E 01 72 40 F6 FF 80 73 81 04 94 16
2015-12-10 23:47:50.045100: MCU
46 B9 68 00 07 01 00 70 16
2015-12-10 23:47:50.116096: PC
46 B9 6A 00 0B 05 00 00 5A A5 01 79 16
2015-12-10 23:47:50.190036: MCU
46 B9 68 00 07 05 00 74 16
2015-12-10 23:47:50.255407: PC
46 B9 6A 00 0B 03 00 00 5A A5 01 77 16
2015-12-10 23:47:53.130695: MCU
46 B9 68 00 0E 03 F5 28 00 A5 03 27 49 02 AE 16
2015-12-10 23:47:53.210814: PC
46 B9 6A 00 8B 22 00 00 5A A5 01 04 01 36 75 81
07 12 00 6A E5 82 60 03 02 00 02 E4 78 FF F6 D8
FD 01 02 AF 82 8F 06 1F EE 60 0F 7D 90 7E 01 1D
BD FF 01 1E ED 4E 70 F7 80 EB 22 AF 82 DF FE 22
E5 B0 F4 F5 B0 75 82 05 11 31 75 82 D0 11 19 E5
B0 F4 F5 B0 75 82 64 11 19 E5 B0 F4 F5 B0 75 82
64 11 19 E5 B0 F4 F5 B0 75 82 64 11 19 E5 B0 F4
F5 B0 80 D6 75 82 00 22 FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF 49 E8 16
2015-12-10 23:47:54.003906: MCU
46 B9 68 00 08 02 54 00 C6 16
2015-12-10 23:47:54.068777: PC
46 B9 6A 00 8B 02 00 80 5A A5 FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF 81 F6 16
2015-12-10 23:47:54.867956: MCU
46 B9 68 00 08 02 54 00 C6 16
2015-12-10 23:47:54.932281: PC
46 B9 6A 00 8B 02 01 00 5A A5 FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF 81 77 16
2015-12-10 23:47:55.732519: MCU
46 B9 68 00 08 02 54 00 C6 16
2015-12-10 23:47:55.796791: PC
46 B9 6A 00 8B 02 01 80 5A A5 FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF 81 F7 16
2015-12-10 23:47:56.536325: MCU
46 B9 68 00 08 02 54 00 C6 16
2015-12-10 23:47:56.616743: PC
46 B9 6A 00 4B 04 00 00 5A A5 FF FF FF 00 FF FF
00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
00 00 FF A8 FF 91 FF 20 FF FD 03 FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF EC FF FF FF 74 BF F7 BC 9F 39 51 16
2015-12-10 23:47:57.070169: MCU
46 B9 68 00 08 04 54 00 C8 16
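
Review bot: this capture shows several protocol details that the STC15 protocol notes do not mention, and they deserve a sentence there or a header line here: the flash write packets are 128 bytes per block (length 0x8B, addresses 00 00, 00 80, 01 00, 01 80) with a "5A A5" word between the address and the data; erase and prepare are sent as "05 00 00 5A A5" and "03 00 00 5A A5" where the 6 MHz capture sends a bare "05" and "03 00"; the option packet is length 0x4B with the same 5A A5 after "04 00 00"; and after each challenge the host pulses with 0xFE rather than the 0x92 seen in the 6 MHz capture, keeping single FE bytes going while the MCU's reply is still arriving ("46 B9 68", FE, "00 20 00", FE, ...). Also name the MCU in a header: the info packet here shares "73 54 00 F5 28 04" with the STC15W4K56S4 status packet quoted in the options notes.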


@ -0,0 +1,71 @@
MCS bytes
=========
46 b9 6a 00 33 04 00 00 5a a5 ff ff ff 00 ff ff
00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
00 ff 01 31 20 80 34 00 01 ff ff ff ff ff 8b bf
^^^^^^^^^^^ ^^ ^^ ^^ ^^
frequency clkdiv 5) 1) 3)
^^^^^
trim?
f7 fe 1f cc 16
^^ ^^
4) 2)
1) not stricty related to some register
aka MCS1
bit 0: ? always 1
bit 1: oscillator high gain
bit 2: EPWM push-pull enabled
bit 3: p2.0 state after boot
bit 4: TXD signal source from RXD
bit 5: p3.7 push-pull enabled
bit 6: UART1 remap enabled
bit 7: long power-on reset delay
2) not strictly related to some register
aka MCS4
eeprom size / code space upper limit (in pages)
only seems to apply to devices with max. flash size
e.g. fe -> 63.5K, e0 -> 56K
3) like RSTCFG? inverted?
aka MCS2
bit 0: LVD0
bit 1: LVD1
bit 2: ? always 1
bit 3: ? always 1
bit 4: ~reset pin enabled
bit 5: ? always 1
bit 6: ~enable lvd reset
bit 7: ? always 1
LVD:
2.20V -> 0xbf
2.40V -> 0xbe
2.70V -> 0xbd
3.00V -> 0xbc
4) like WDT_CONTR
aka MCS3
bit 0: WDPS0
bit 1: WDPS1
bit 2: WDPS2
bit 3: ~stop wdt in idle
bit 4: ? always 1
bit 5: ~enable wdt on por
bit 6: ? always 1
bit 7: ? always 1
WDPS like in datasheet
5)
aka MCS0
bit 0: ? ~BSLD / bootloader enabled
bit 1: erase eeprom enabled
bit 2: ?
bit 3: ?
bit 4: ?
bit 5: ?
bit 6: ?
bit 7: ?
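
Review bot: the LVD table under 3) is encoded the other way round from the STC15 LVD table in this commit (where 000 is the lowest threshold): here 0xbf, i.e. LVD1:LVD0 = 11, is 2.20 V and 0xbc = 00 is 3.00 V, so both bits are negated in the convention this file already uses for bits 4 and 6; label them ~LVD0/~LVD1 so the "inverted?" question on the 3) line is answered by the table itself. Under 2), "in pages" should say 256-byte pages, which is what the examples imply (0xfe * 256 = 65024 = 63.5K, 0xe0 * 256 = 57344 = 56K). Typo: "stricty".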


@ -0,0 +1,138 @@
Overview of changes
-------------------
The following changes have been observed compared to STC15:
- Many differences in the status packet
- At least some differences in MCS
- Different challenge
- no separate program speed
- clock division was introduced; calibration always in the ~20-30 MHz range, lower clocks
use division
- the meaning of the calibration ranges and trim has changed
The good:
- Erase, Program, etc. operations are apparently unchanged. :)
Status packet
-------------
46 B9 68 00 30 50 00 54 62 58 5D 00 04 FF FD 8B BF FF 27 4A F7 FE 73 55 00 F6 28 09 85 E3 5F 80 07 20 20 20 01 00 00 FE 05 3A 17 05 25 91 FF 10 AE 16
^^^^^ wakeup clock ^^^^^ reference voltage
^^^^^^^^ mfg. date
Clock set to 20 MHz by STC-ISP (encoding is different compared to STC15):
46 B9 68 00 30 50 01 31 2E 90 38 01 01 FF FD 8B BF FF 27 35 F7 FE 73 55 00 F6 28 09 85 E3 5F 80 07 20 20 20 01 00 00 FE 05 3A 17 05 25 91 FF 10 54 16
46 B9 68 00 30 50 01 31 2E 90 38 01 01 FF FD 8B BF FF 27 3B F7 FE 73 55 00 F6 28 09 85 E3 5F 80 07 20 20 20 01 00 00 FE 05 3A 17 05 25 91 FF 10 5A 16
^^^^^ some 24 MHz reference or other clk measurement?
^^^^^ trim/adjust?
^^ clkdiv
^^^^^^^^^^^ clk
MCS bytes
46 B9 68 00 30 50 01 31 2E 90 38 01 01 FF FD 8B BF FF 27 35 F7 FE 73 55 00 F6 28 09 85 E3 5F 80 07 20 20 20 01 00 00 FE 05 3A 17 05 25 91 FF 10 54 16
^^^^^^^^ ^^^^^
Disconnect
----------
Uses FF command byte.
Basic challenge operation
-------------------------
Host sends a challenge of some kind, followed by 0xfe pulsing
46 B9 6A 00 0C 00 02 00 00 80 00 00 F8 16
Much simpler than in STC15
MCU sends back some response:
46 B9 68 00 0C 00 02 36 AD 4E 83 02 2A 16
Host now sends some longer challenge, followed by more pulses:
46 B9 6A 00 20 00 0C 7C 00 7C 01 7C 02 7C 03 7D 00 7D 01 7D 02 7D 03 7E 00 7E 01 7E 02 7E 03 06 84 16
MCU sends back some response:
46 B9 68 00 20 00 0C 4D C6 4D DB 4D E7 4D F3 4D F6 4E 0E 4E 11 4E 26 4E 26 4E 32 4E 41 4E 56 09 DC 16
Host now seems to initiate a baud switch or something like that
46 B9 6A 00 0E 01 00 00 FF CC 01 7C 80 03 41 16
MCU acknowlegdes it:
46 B9 68 00 07 01 00 70 16
Now the MCU switches to the new baud rate.
Challenges observed
-------------------
6 MHz:
46B96A0020000C 1400 1401 1402 1403 1500 1501 1502 1503 1600 1601 1602 1603 01A416
5.5 MHz:
46B96A0020000C 5C00 5C01 5C02 5C03 5D00 5D01 5D02 5D03 5E00 5E01 5E02 5E03 050416
11 MHz:
46B96A0020000C 5B00 5B01 5B02 5B03 5C00 5C01 5C02 5C03 5D00 5D01 5D02 5D03 04F816
20 MHz:
46B96A0020000C 3600 3601 3602 3603 3700 3701 3702 3703 3800 3801 3802 3803 033C16
24 MHz:
46B96A0020000C 7C00 7C01 7C02 7C03 7D00 7D01 7D02 7D03 7E00 7E01 7E02 7E03 068416
27 MHz:
46B96A0020000C B000 B001 B002 B003 B100 B101 B102 B103 B200 B201 B202 B203 08F416
Ranges vs trim value
--------------------
46 B9 6A 00 20 00 0C 00 00 80 00 FF 00 00 01 80 01 FF 01 00 02 80 02 FF 02 00 03 80 03 FF 03 06 A4 16
46 B9 68 00 20 00 0C 36 9B 4E 92 65 E4 36 CB 4E 7D 66 29 36 D1 4E 83 66 05 36 CB 4E C2 66 47 0A EA 16
first byte determines general trim value... range of ~16 to ~30 MHz, the second byte (00..03) is a fine adjustment.
Clock division?
---------------
5.5 MHz vs 11 Mhz: challenge is about the same. it's likely some kind of clock divider is used!
5.5 Mhz switch: 01 00 00 FF CC 01 5C 80 clkdiv = 4?
11 MHz switch: 01 00 00 FF CC 01 5B 80 clkdiv = 2?
22 MHz switch: 01 00 00 FF CC 01 5C 80 clkdiv = 1?
22 Mhz option packet: 0400005AA5FFFFFF00FFFF00FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00FF01516D405D0201FFFDFFFFFF8BBFF7FE
11 MHz option packet: 0400005AA5FFFFFF00FFFF00FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00FF00A8AF985D0102FFFDFFFFFF8BBFF7FE
5.5 MHz option packet: 0400005AA5FFFFFF00FFFF00FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00FF005462585D0004FFFDFFFFFF8BBFF7FE
^^ clkdiv?
^^^^^^^^ clkspeed
Always 24 MHz for programming
-----------------------------
Calibration for anything but 24 Mhz (and around that) fails when switching baud. Another observation is that there is no
programming speed being calibrated anymore. This may suggest that a fixed speed is used for programming.
Adjusting BRT calculation to 24 MHz in the switch packet seems to work. So it is really using 24 MHz by default;
probably some pre-calibrated value.
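Review bot: "acknowlegdes" in "MCU acknowlegdes it:" should be "acknowledges", and the unit is written inconsistently in this file ("11 Mhz", "5.5 Mhz switch", "22 Mhz option packet", "24 Mhz" against "MHz" everywhere else); worth normalising while the file is being moved into the new notes directory. The "Clock division?" section also reasons from a 22 MHz switch packet, but "Challenges observed" lists only 6, 5.5, 11, 20, 24 and 27 MHz captures, so the reader cannot compare the 22 MHz challenge bytes with the 5.5 MHz and 11 MHz ones that the clock-divider hypothesis rests on; adding that capture (or stating that it is identical to one already listed) would make the argument checkable.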

@ -0,0 +1,22 @@
Model-specific configuration registers
Placement of configuration values
"~" means the bit is a negated boolean. Sometimes values overlap,
depending on MCU model.
In STC89 series, there is only a single MCS byte.
MCS0
----
MSB 7 6 5 4 3 2 1 0 LSB
~WDEN XRAM ALE OSCG ~EERE ~BSLD 0 ~CPU6T
~WDEN := watchdog enable after power-on-reset
XRAM := enable access to internal XRAM
ALE := enable ALE pin function (otherwise, it's just regular GPIO)
OSCG := high oscillator gain
~EREE := enable eeprom erase next time MCU is programmed
~BSLD := enable BSL pin detect; i.e. BSL is only enabled if P1.0/P1.1
(or others, depends on MCU model) are held low on POR.
~CPU6T := enable double speed (6T cycles instead of 12T cycles) mode
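Review bot: bit 3 is named "~EERE" in the MCS0 bit table but "~EREE" in the description list directly below it; use one spelling so the field can be searched for. Since "~" is declared at the top to mean a negated boolean, it would also help to state once that a description such as "~WDEN := watchdog enable after power-on-reset" gives the meaning of the bit being clear (0), i.e. a set bit disables the feature; as written, a reader skimming the list can easily take "enable ..." as the meaning of a set bit.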

@ -0,0 +1,40 @@
STC89
This is the first generation protocol of STC MCUs.
Differences to STC12:
* Uses NONE parity instead of EVEN parity.
* Status packet is sent without frame start magic.
* Checksum calculations are different: a single-byte modular sum is used.
* Baudrate handshake isn't initiated with a type 0x50 packet; this is simply
skipped.
* After the handshake a special ping-pong sequence of 0x80 type packets needs
to be sent.
This doesn't appear to serve any purpose - possibly this is just done to
verify that the connection works reliably. STC12 doesn't require it anymore
because parity and the improved checksum ensure correct operation.
* Erase is acknowledged with type 0x80 packet instead of type 0x00
* After flash programming, there is no finish packet, type 0x69, sent; this
is simply skipped.
* Baudrate handshake
- Uses normal speed (/32) UART timing in 12T mode and double speed (/16)
in 6T mode
- IAP delay has some differences (see datasheet)
* Erase procedure
- A different magic sequence is used
(6 bytes with value 0x33)
- Only a single size is supplied
- response code has type 0x80
* Options
- Only a single option byte exists
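Review bot: the erase acknowledgement is documented twice, once as "Erase is acknowledged with type 0x80 packet instead of type 0x00" and again under "Erase procedure" as "response code has type 0x80"; keep a single statement (the first one is also the only bullet without a trailing period). "IAP delay has some differences (see datasheet)" is too vague to act on; either name the differing value or the datasheet section. Finally, the STC89 capture added in this same commit ends with a "46 B9 6A 00 06 50 C0 16" packet after the 0x8D options packet, so "Baudrate handshake isn't initiated with a type 0x50 packet; this is simply skipped" should say what the type 0x50 packet is used for on STC89 instead, otherwise the reader will assume it never appears at all.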

@ -0,0 +1,130 @@
status packet:
2014-01-23 14:23:03.132734:
68 00 3B 00 25 E6 25 E6 25 E6 25 E6 25 E6 25 E6
25 E2 25 E6 43 43 FC F0 02 82 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 ED 16
- no frame start?
programming hello.bin @ 2400 bps
host2mcu:
2014-01-23 14:28:02.284628:
7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
2014-01-23 14:28:02.723598:
46 B9 6A 00 0C 8F FD F8 02 10 28 81 B5 16
^reload
^SMOD
^SMOD checksum
^reload checksum
^delay
^IAP delay
2014-01-23 14:28:03.301552:
46 B9 6A 00 0B 8E FD F8 02 10 28 32 16
2014-01-23 14:28:03.675670:
46 B9 6A 00 0C 80 00 00 36 01 F0 02 1F 16
2014-01-23 14:28:03.781613:
46 B9 6A 00 0C 80 00 00 36 01 F0 02 1F 16
2014-01-23 14:28:03.887556:
46 B9 6A 00 0C 80 00 00 36 01 F0 02 1F 16
2014-01-23 14:28:03.994608:
46 B9 6A 00 0C 80 00 00 36 01 F0 02 1F 16
2014-01-23 14:28:04.101595:
46 B9 6A 00 0C 80 00 00 36 01 F0 02 1F 16
2014-01-23 14:28:04.223628:
46 B9 6A 00 0D 84 01 33 33 33 33 33 33 2E 16
2014-01-23 14:28:04.568604:
46 B9 6A 00 8C 00 00 00 00 00 00 80 02 00 08 12
00 3F 80 FE 75 81 07 12 00 4C E5 82 60 03 02 00
03 E4 78 FF F6 D8 FD 02 00 03 AE 82 AF 83 8E 04
8F 05 1E BE FF 01 1F EC 4D 60 0F 7C 90 7D 01 1C
BC FF 01 1D EC 4D 70 F7 80 E4 22 90 03 E8 12 00
1E E5 80 F4 F5 80 80 F3 75 82 00 22 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 79 16
2014-01-23 14:28:05.255560:
46 B9 6A 00 8C 00 00 00 00 80 00 80 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 F6 16
2014-01-23 14:28:05.929634:
46 B9 6A 00 8C 00 00 00 01 00 00 80 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 77 16
2014-01-23 14:28:06.615585:
46 B9 6A 00 8C 00 00 00 01 80 00 80 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 F7 16
2014-01-23 14:28:07.348584:
46 B9 6A 00 0A 8D FC FF F6 FF F1 16
2014-01-23 14:28:07.488602:
46 B9 6A 00 06 50 C0 16
2014-01-23 14:28:07.675520:
46 B9 6A
2014-01-23 14:28:07.716596:
00 06 82 F2 16
mcu2host:
2014-01-23 14:29:19.694735:
68 00 3B 00 25 E6 25 E6 25 E6 25 E6 25 E6 25 E6
25 E6 25 E6 43 43 FC F0 02 82 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 F1 16
^ 6 clk vs 12 clk?
2014-01-23 14:29:20.314923:
46 B9 68 00 0C 8F FD F8 02 10 28 81 B3 16
2014-01-23 14:29:20.884524:
46 B9 68 00 0B 8E FD F8 02 10 28 30 16
2014-01-23 14:29:21.045797:
46 B9 68 00 06 80 EE 16
2014-01-23 14:29:21.151802:
46 B9 68 00 06 80 EE 16
2014-01-23 14:29:21.261384:
46 B9 68 00 06 80 EE 16
2014-01-23 14:29:21.368230:
46 B9 68 00 06 80 EE 16
2014-01-23 14:29:21.474767:
46 B9 68 00 06 80 EE 16
2014-01-23 14:29:21.807191:
46 B9 68 00 06 80 EE 16
2014-01-23 14:29:22.533512:
46 B9 68 00 07 80 03 F2 16
2014-01-23 14:29:23.239793:
46 B9 68 00 07 80 00 EF 16
2014-01-23 14:29:23.914122:
46 B9 68 00 07 80 00 EF 16
2014-01-23 14:29:24.595625:
46 B9 68 00 07 80 00 EF 16
2014-01-23 14:29:24.725387:
46 B9 68 00 0A 8D FC FF F6 FF EF 16
2014-01-23 14:29:24.845962:
46 B9 68 00 10 10 C0 16 F6 FF F1 03 FF 43 43 FC
C8 16
2014-01-23 14:29:25.064892:
46 B9 68 00 06 80 EE 16
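Review bot: the "^reload", "^SMOD", "^SMOD checksum", "^reload checksum", "^delay" and "^IAP delay" markers under "46 B9 6A 00 0C 8F FD F8 02 10 28 81 B5 16" have all collapsed to the start of the line, so they no longer indicate which byte they annotate; the same holds for "^ 6 clk vs 12 clk?" under the mcu2host status packet. Either restore the column alignment or replace the markers with byte offsets ("byte 5: reload", ...). The capture does confirm the single-byte modular sum described in the STC89 notes, which is worth stating here so the trace is self-explanatory: for "46 B9 6A 00 06 50 C0 16", 0x6A + 0x00 + 0x06 + 0x50 = 0xC0, and for "46 B9 68 00 06 80 EE 16", 0x68 + 0x00 + 0x06 + 0x80 = 0xEE, i.e. the sum runs from the direction byte up to the byte before the checksum and excludes the 46 B9 frame start and the 16 trailer.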

@ -0,0 +1,35 @@
STC15 series USB ISP protocol
=============================
- host does OUT and IN control transfers for write and read
- IN transfer with wLength = 132, wValue = 0, wIndex = 0, bRequest = 0 are used for all reads
- OUT transfers with arbitrary size are used for writes
- packets from MCU
always start with 0x46 0xb9, similar to serial protocols
third byte is packet length
followed by data bytes
8 bit checksum at the end, looks like 8 bit modular subtraction
- packet types
most likely derived from the serial protocol, at least partially
info packet
- same as with serial protocol
option packet
- generally same as with serial protocol, some header stuff omitted
- flash data
wIndex specifies write address
wValue is 0xa55a
bRequest is 0x22 for first packet, 0x02 for the following ones
unusually encoded: a total of 128 bytes per packet, with every 7 byte checksummed in some way, for a total of 18x7 byte segments and a final 2 byte segment
checksum: 8 bit inverted modular sum
- option packet
wIndex is 0
wValue is 0xa55a
bRequest is 4
seems to use the same checksumming scheme
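Review bot: the flash data description leaves the framing ambiguous: "a total of 128 bytes per packet, with every 7 byte checksummed in some way, for a total of 18x7 byte segments and a final 2 byte segment" only adds up to 128 if the per-segment checksum is counted inside each 7-byte segment, so state explicitly how many payload bytes and how many checksum bytes each segment carries and what the final 2-byte segment holds. "option packet" is also listed twice, once under "packet types" and once as its own bullet with wIndex/wValue/bRequest; merging them would avoid the reader wondering whether these are two different packets, and "seems to use the same checksumming scheme" should name which scheme is meant, the per-packet "modular subtraction" described for MCU packets or the "inverted modular sum" of the flash segments. Minor grammar: "IN transfer ... are used" should be "IN transfers ... are used", and "every 7 byte" should be "every 7 bytes".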