7u83/stcgal
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Restructure documentation

Browse Source 
Move all extra documentation files into doc/ and move reverse
engineering related notes to a separate directory, to keep things tidy.
This commit is contained in:
Grigori Goronzy
2018-09-04 00:31:43 +02:00
parent 71d7257422
commit ccd4b1e26b
29 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

167
doc/reverse-engineering/stc15-protocol.txt Normal file
View File

@ -0,0 +1,167 @@
STC15 protocol
==============
high level
----------
-> pulse
<- info packet
-> freq challenges round 1
<- freq responses
-> freq challenges round 2
<- freq responses
-> baud switch
<- ack
-> prepare
<- ack
-> erase
<- ack + uid
-> write first block
<- ack
-> write block 2
<- ack
...
-> write block n
<- ack
-> option packet
<- ack
info packet
-----------
6 MHz:
46 B9 68 00 2B 50 66 3C 93 BA F7 BB 9F 00 5B 68 00 FD 00 00 00 00 71 51 03 F2 D4 04 06 58 BA 02 2A 31 32 38 30 80 14 10 04 D9 0D 02 16
12 MHz:
46 B9 68 00 2B 50 66 3C 93 BA F7 BB 9F 00 B6 F5 80 FD 00 00 00 00 71 51 03 F2 D4 04 06 58 BA 02 2A 31 32 38 30 80 14 10 04 D9 0E 6A 16
33 MHz:
46 B9 68 00 2B 50 66 3C 93 BA F7 B9 9F 01 F7 C2 80 FD 00 00 00 00 71 51 03 F2 D4 04 06 58 BA 02 2A 31 32 38 30 80 14 10 04 D9 0E 77 16
30 MHz:
46 B9 68 00 2B 50 66 3C 93 BA F7 B9 9F 01 C9 9E 00 FD 7F FF FD FF 71 51 03 F2 D4 04 06 58 BA 02 2A 31 32 38 30 80 14 10 04 D9 11 1F 16
^^^^^ ^^^^^^^^^^^
timer freq freq big endian
value in hz 32 bit value
^^^^^^^^ ^^
MCS2-4 MCSX
^^
factory calibration adjust for 24 MHz (range 0x40)?
STC15W4K56S4:
46 B9 68 00 34 50 8D FF 73 96 F7 BC 9F 00 5B 7A C0 FD 27 ED 00 00 73 54 00 F5 28 04 06 70 96 02 15 19 1C 1E 23 00 EC E0 04 D7 EA 92 FF FF FF 15 09 25 60 14 BD 16
^^
core voltage (MCSY)
IAP15F2K61S2:
external osc:
46 B9 68 00 2B 50 87 D3 75 9C F7 BB 9E 01 77 70 80 FD 06 57 00 00 71 53 00 F4 49 04 06 58 9C 02 0E 14 17 19 19 00 F4 F4 04 D2 0E 8A 16
^^^^^
frequency count for external (1)
(1) if external clock is active, frequency can be calculated like:
CLOCK = BAUD * COUNT
internal 11.052 MHz:
46 B9 68 00 2B 50 87 D3 75 9C F7 BB 9F 00 A8 AD 40 FD 09 FE 00 00 71 53 00 F4 49 04 06 58 9C 02 0E 14 17 19 19 00 F4 F4 04 D2 0F 62 16
i.e. operating frequency is not sampled from host pulses! it's actually much more
convenient, it is simply returned as an integer value in hz. same for the wakeup
timer.
baud switch packet
------------------
46 B9 6A 00 0E 01 8C 40 F6 FD F2 7C 83 05 29 16
^^^^^ ^^^^^ ^^
(1) (2) (3)
^^^^^
prog calib. values
(1) baud value (65535 - clk / baud) (SW UART)
(65535 - clk / baud / 4) (HW UART)
(2) some timer value (65535 - (clk / baud) * 1.5)
(3) constant? IAP delay?
trim challenge packet
---------------------
two challenges are sent, UART seems to be used as clock reference
33.1 MHz @ 9600 bps:
-> 46 B9 6A 00 20 00 0B 00 C0 80 C0 FF C0 00 80 80 80 FF 80 00 40 80 40 FF 40 00 00 80 00 00 00 0A 12 16 92 92 92 92
4 MHz @ 9600 bps:
-> 46 B9 6A 00 20 00 0B 00 C0 80 C0 FF C0 00 80 80 80 FF 80 00 40 80 40 FF 40 00 00 80 00 00 00 0A 12 16 92 92 92 92
6 MHz @ 9600 bps:
-> 46 B9 6A 00 20 00 0B 00 C0 80 C0 FF C0 00 80 80 80 FF 80 00 40 80 40 FF 40 00 00 80 00 00 00 0A 12 16 92 92 92 92
<- 46 B9 68 00 20 00 0B 03 05 04 4F 05 9E 06 20 08 B9 0B 57 0C 60 11 6A 16 5B 13 5E 1A D4 00 00 05 91 16
-> 46 B9 6A 00 20 00 0C B4 C0 B5 C0 B6 C0 B7 C0 B8 C0 B9 C0 8C 40 8D 40 8E 40 8F 40 90 40 91 40 0E 34 16 92 92 92 92
<- 46 B9 68 00 20 00 0C 04 DB 04 DB 04 DB 04 E0 04 E5 04 E5 11 EC 11 F6 12 05 12 05 12 0F 12 14 08 60 16
12 MHz @ 9600 bps:
-> 46 B9 6A 00 20 00 0B 00 C0 80 C0 FF C0 00 80 80 80 FF 80 00 40 80 40 FF 40 00 00 80 00 00 00 0A 12 16 92 92 92 92
<- 46 B9 68 00 20 00 0B 03 05 04 4F 05 99 06 20 08 B4 0B 52 0C 65 11 6F 16 56 13 5E 1A D4 00 00 05 87 16
-> 46 B9 6A 00 20 00 0C B0 80 B1 80 B2 80 B3 80 B4 80 B5 80 8B 40 8C 40 8D 40 8E 40 8F 40 90 40 0C 96 16 92 92 92 92
<- 46 B9 68 00 20 00 0C 09 B8 09 BD 09 C2 09 C7 09 C7 09 D1 11 DD 11 EC 11 FB 12 00 12 0A 12 0F 08 A6 16
^^^^^
number of challenges used (here: 12)
looks like two byte calibration values are used; second byte is the rough value, first byte is fine adjust
first round selects a rough range
second round refines inside that range and another (for programming speed)
(CLOCK / (BAUD/2)) = COUNTER
=> CLOCK = COUNTER * (BAUD/2)
the first packet always uses a fixed set of challenges.
first calibration byte of chosen frequency is stored in options. the second calibration byte is stored added together
with the value 0x3f in the next option byte.
a factory frequency value (24 MHz) is available in the info packet.
the calibration value for the programming frequency (always range 0x40) is transmitted with the baud change packet.
option packet
-------------
46 B9 6A 00 49 04 00 00 FF FF FF 00 FF FF 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 FF 5B FF 68 FF 00
^^^^^^^^^^^^^^^^^^^^
frequency in hz, with FF bytes inbetween
FF FD FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF B5 FF F7 BB 9F 3A 48 16
^ ^^^^^^^^^^^^^^
MCSX ^^ MCS0-4
MCSY
(STC15W4)
MCS bytes
---------
### MCS0
RC calibration adjust
### MCS1
0x3f + RC calibration range (0x00, 0x40, 0x80, 0xc0)
### MCS2 - MCS4, MCSX and MCSY
See stc15-options.txt