Add additional reverse-engineering notes

2021-01-03 14:09:50 +01:00 · 2021-01-03 14:09:50 +01:00 · d0597578de
commit d0597578de
parent eaeab65044
4 changed files with 232 additions and 0 deletions
--- a/doc/reverse-engineering/mcudb_flags.txt
+++ b/doc/reverse-engineering/mcudb_flags.txt
@ -0,0 +1,57 @@
+STC15F103
+00064F50   63 C3 08 00  2C FC 47 00  9B F2 00 00  00 0C 00 00  c...,.G.........
+00064F60   00 08 00 00  00 00 00 00  00 20 00 00  07 03 00 00  ......... ......
+
+STC15L103
+00065110   61 C3 08 00  90 FB 47 00  DB F2 00 00  00 0C 00 00  a.....G.........
+00065120   00 08 00 00  00 00 00 00  00 20 00 00  07 03 00 00  ......... ......
+
+STC15F104E
+00065190   E3 02 08 00  AC B1 47 00  94 F2 00 00  00 10 00 00  ......G.........
+000651A0   00 04 00 00  00 00 00 00  00 20 00 00  07 00 00 00  ......... ......
+
+STC15L104W
+            X  Y  Z
+00065050   E1 C3 08 00  B8 B1 47 00  D4 F2 00 00  00 10 00 00  ......G.........
+00065060   00 04 00 00  00 00 00 00  00 20 00 00  07 03 00 00  ......... ......
+
+STC15L104E
+000651B0   E1 02 08 00  94 B1 47 00  D4 F2 00 00  00 10 00 00  ......G.........
+000651C0   00 04 00 00  00 00 00 00  00 20 00 00  07 00 00 00  ......... ......
+
+
+byte X bit 1: F vs L? low => L part, high => F part
+byte Z: protocol/model generation number?
+
+IAP15F2K61S2
+00063750   AF 0B 09 00  08 06 48 00  49 F4 00 00  00 F4 00 00  ......H.I.......
+00063760   00 00 00 00  00 00 00 00  00 00 01 00  07 00 00 00  ................
+
+STC15F2K08S2
+00063650   A3 0B 09 00  78 06 48 00  01 F4 00 00  00 20 00 00  ....x.H...... ..
+00063660   00 D4 00 00  00 00 00 00  00 00 01 00  07 00 00 00  ................
+
+STC15F2K32S2
+000636B0   A3 0B 09 00  48 06 48 00  04 F4 00 00  00 80 00 00  ....H.H.........
+000636C0   00 74 00 00  00 00 00 00  00 00 01 00  07 00 00 00  .t..............
+
+STC15F2K60S2
+00063730   A3 0B 09 00  64 B2 47 00  08 F4 00 00  00 F0 00 00  ....d.G.........
+00063740   00 04 00 00  00 00 00 00  00 00 01 00  07 00 00 00  ................
+
+IRC15F2K63S2
+00063770   BF 0C 09 00  F8 05 48 00  4A F4 00 00  00 FE 00 00  ......H.J.......
+00063780   00 00 00 00  00 00 00 00  00 00 01 00  07 00 00 00  ................
+
+IRC15F1K63S
+00064470   BE 8C 09 00  20 00 48 00  20 F4 00 00  00 FE 00 00  .... .H. .......
+00064480   00 00 00 00  00 00 00 00  00 00 01 00  07 00 00 00  ................
+
+IRC15W207S
+000648B0   B7 CC 0A 00  AC FE 47 00  56 F5 00 00  00 1E 00 00  ......G.V.......
+000648C0   00 00 00 00  00 00 00 00  00 20 00 00  07 00 00 00  ......... ......
+
+STC15H4K56S4
+00063610   AF 8B 0E 00  98 06 48 00  07 F6 00 00  00 E0 00 00  ......H.........
+00063620   00 00 00 00  00 00 00 00  00 00 01 00  07 00 00 00  ................
+
--- a/doc/reverse-engineering/stc15w4.txt
+++ b/doc/reverse-engineering/stc15w4.txt
@ -0,0 +1,108 @@
+fresh chip, RC frequency untuned, caught with stcgal
+
+2015-12-10 23:39:46.886233: PC
+7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
+7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
+7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
+7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
+7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
+7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
+7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
+7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
+7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
+7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
+7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
+7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
+7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
+7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
+7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
+7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
+7F 7F 7F 7F 7F 7F 7F 7F 7F 7F 7F
+2015-12-10 23:39:50.989044: MCU
+46 B9 68 00 34 50 8D FF 73 96 F5 7B 9F FF FF FF
+FF FF 25 EF 00 00 73 54 00 F5 28 04 06 70 96 02
+15 19 1C 1E 23 00 EC E0 04 D7 F8 73 BF FF FF 15
+09 25 60 16 92 16
+2015-12-10 23:39:51.231028: PC
+46 B9 6A 00 07 82 00 F3 16
+
+Checking target MCU ... 
+  MCU type: STC15W4K56S4
+  F/W version: 7.3.4T
+
+Current H/W Option:
+  . Current system clock source is internal IRC oscillator
+  . IRC is unadjusted
+  . Oscillator gain is HIGH
+  . Wakeup Timer frequency: 36.351KHz
+  . Do not detect the level of P3.2 and P3.3 next download
+  . Power-on reset, use the extra power-on delay
+  . RESET pin behaves as I/O pin
+  . Interrupt while detect a Low-Voltage
+  . Thresh voltage level of the built-in LVD : 2.78 V
+  . Permit EEPROM operation under Low-Voltag
+  . CPU-Core supply level : 3.38 V
+  . Hardware do not enable Watch-Dog-Timer
+  . Watch-Dog-Timer pre-scalar : 64
+  . Watch-Dog-Timer stop count in idle mode
+  . Program can modify the Watch-Dog-Timer scalar
+  . Erase user EEPROM area at next download
+  . Do not control 485 at next download
+  . Do not check user password next download
+  . TXD is independent IO
+  . TXD pin as quasi-bidirectional mode after reset
+  . P2.0 output HIGH level after reset
+
+  . MCU type: STC15W4K56S4
+  F/W version: 7.3.4T
+
+  Complete !
+
+Waiting for MCU, please cycle power: done
+Target model:
+  Name: STC15W4K56S4
+  Magic: F528
+  Code flash: 56.0 KB
+  EEPROM flash: 3.0 KB
+Target frequency: 0.000 MHz
+Target BSL version: 7.3.4T
+Target wakeup frequency: 36.351 KHz
+Target options:
+  reset_pin_enabled=False
+  clock_source=internal
+  clock_gain=high
+  watchdog_por_enabled=False
+  watchdog_stop_idle=True
+  watchdog_prescale=64
+  low_voltage_reset=False
+  low_voltage_threshold=3
+  eeprom_lvd_inhibit=False
+  eeprom_erase_enabled=True
+  bsl_pindetect_enabled=False
+  por_reset_delay=long
+  rstout_por_state=high
+  uart2_passthrough=False
+  uart2_pin_mode=normal
+Disconnected!
+
+
+cpu core supply level
+
+2.68v
+46 B9 68 00 34 50 8D FF 73 96 F7 BC 9F 00 5B 7A C0 FD 27 ED 00 00 73 54 00 F5 28 04 06 70 96 02 15 19 1C 1E 23 00 EC E0 04 D7 EA 92 FF FF FF 15 09 25 60 14 BD 16
+
+3.33v
+46 B9 68 00 34 50 8D FF 73 96 F7 BC 9F 00 5B 92 30 FD 25 EA 00 FC 73 54 00 F5 28 04 06 70 96 02 15 19 1C 1E 23 00 EC E0 04 D7 F7 92 FF FF FF 15 09 25 60 15 49 16
+
+3.63v
+46 B9 68 00 34 50 8D FF 73 96 F7 BC 9F 00 5B 7A C0 FD 25 EF 00 00 73 54 00 F5 28 04 06 70 96 02 15 19 1C 1E 23 00 EC E0 04 D7 FD 92 FF FF FF 15 09 25 60 14 D0 16
+
+3.73v
+46 B9 68 00 34 50 8D FF 73 96 F7 BC 9F 00 5B 92 30 FD 25 EA 00 00 73 54 00 F5 28 04 06 70 96 02 15 19 1C 1E 23 00 EC E0 04 D7 FF 92 FF FF FF 15 09 25 60 14 55 16
+                                                                                                                              ^^
+                                                                                                                              core voltage
+voltage: ff -> 3.73v
+         fd -> 3.63v
+         f7 -> 3.33v
+         ea -> 2.68v                                                                                               
+
--- a/doc/reverse-engineering/stc8-new.txt
+++ b/doc/reverse-engineering/stc8-new.txt
@ -0,0 +1,32 @@
+Cycling power: done
+Waiting for MCU: <- Packet data: 46 B9 68 00 30 50 FF FF FF FF 8F 00 04 FF FF 8B FD FF 27 3E F5 73 73 55 00 F6 41 0A 88 86 6F 8F 08 20 20 20 01 00 00 20 05 3C 18 05 22 32 FF 12 18 16
+-> Packet data: 46 B9 6A 00 07 FF 01 70 16
+done
+Target model:
+  Name: STC8F2K08S2
+  Magic: F641
+  Code flash: 8.0 KB
+  EEPROM flash: 56.0 KB
+Target frequency: 0.000 MHz
+Target BSL version: 7.3.10U
+Target wakeup frequency: 34.950 KHz
+Target ref. voltage: 1340 mV
+Target mfg. date: 2018-05-22
+Target options:
+  reset_pin_enabled=False
+  clock_gain=high
+  watchdog_por_enabled=False
+  watchdog_stop_idle=True
+  watchdog_prescale=64
+  low_voltage_reset=False
+  low_voltage_threshold=2
+  eeprom_erase_enabled=True
+  bsl_pindetect_enabled=False
+  por_reset_delay=long
+  rstout_por_state=high
+  uart1_remap=False
+  uart2_passthrough=False
+  uart2_pin_mode=normal
+  epwm_open_drain=False
+  program_eeprom_split=29440
+Disconnected!
--- a/doc/reverse-engineering/untrimmed.txt
+++ b/doc/reverse-engineering/untrimmed.txt
@ -0,0 +1,35 @@
+Cycling power: done
+Waiting for MCU: done
+Protocol detected: stc8
+Target model:
+  Name: STC8F2K08S2
+  Magic: F641
+  Code flash: 8.0 KB
+  EEPROM flash: 56.0 KB
+Target frequency: 0.000 MHz
+Target BSL version: 7.3.10U
+Target wakeup frequency: 34.950 KHz
+Target ref. voltage: 1340 mV
+Target mfg. date: 2018-05-22
+Target options:
+  reset_pin_enabled=False
+  clock_gain=high
+  watchdog_por_enabled=False
+  watchdog_stop_idle=True
+  watchdog_prescale=64
+  low_voltage_reset=False
+  low_voltage_threshold=2
+  eeprom_erase_enabled=True
+  bsl_pindetect_enabled=False
+  por_reset_delay=long
+  rstout_por_state=high
+  uart1_remap=False
+  uart2_passthrough=False
+  uart2_pin_mode=normal
+  epwm_open_drain=False
+  program_eeprom_split=29440
+Loading flash: 80 bytes (Intel HEX)
+<- Packet data: 46 B9 68 00 30 50 FF FF FF FF 8F 00 04 FF FF 8B FD FF 27 38 F5 73 73 55 00 F6 41 0A 88 86 6F 8F 08 20 20 20 01 00 00 20 05 3C 18 05 22 32 FF 12 12 16
+Protocol error: uncalibrated, please provide a trim value
+-> Packet data: 46 B9 6A 00 07 FF 01 70 16
+Disconnected!