F2: BB-dbgport reader framework + dead-end documentation (DEVOURER_RX_DUMP_CSI)#92
Merged
Conversation
…_DUMP_CSI)
Ships the *framework* for per-subcarrier IQ capture via the BB debug port,
but NOT the capture itself — the per-subcarrier selector is missing from
the vendored sources. Documents the dead-end and the path that would
unblock it.
What works:
src/BbDbgportReader.{h,cpp} wraps the canonical dbgport pattern that
the only in-tree user (hal/rtl8814a/rtl8814a_phycfg.c:460-545,
phy_ADC_CLK_8814A on A-cut 8814A) follows:
save = rtw_read32(0x8FC)
rtw_write32(0x8FC, selector)
value = rtw_read32(0xFA0)
rtw_write32(0x8FC, save)
if !is_chip_alive(): wedge
is_chip_alive() reads REG_SYS_CFG and bails if the chip is poisoned.
Once wedged, the reader refuses further writes — loud failure rather
than silently corrupting samples. RtlJaguarDevice exposes
read_bb_dbgport(selector) and bb_dbgport_wedged().
DEVOURER_RX_DUMP_CSI=hex,hex,... drives a selector sweep on the first
8 canonical-SA RX frames in demo/main.cpp; output:
<devourer-csi>hit=N selector=0x.... value=0x........
<devourer-csi-wedged>after selector=0x....
tools/precoder/csi_dump.py parses the log and classifies each
selector as STATIC / SINGLE-BIT (flag) / PARTIAL (counter) / DYNAMIC
(wide-bit bus — IQ candidate).
What doesn't work, and why:
The selector that routes post-FFT per-subcarrier IQ to 0xFA0 is in
Realtek's phydm source (phydm_dbgport_sel and friends), which is NOT
vendored in this tree — hal/phydm/ carries only BB/AGC/RF init tables.
Without the selector catalogue, sweeping random selectors gives raw
BB internals (status flags, clock-domain bits, MAC_Active markers)
but not the IQ samples the precoder README "Tier 4" wants.
The 0x95C ADC-DMA path (rDMA_trigger_Jaguar2) stays on the to-do
list — it gives raw ADC samples but needs an FW-mailbox dance and
DMA-buffer readout that's also not in-tree.
Hardware verification:
TX = RTL8812AU, RX = TP-Link RTL8821AU, channel 6.
DEVOURER_RX_DUMP_CSI=0x0,0x1,0x10,0x40,0xa0 produced 40
<devourer-csi> lines across 8 canonical-SA frames * 5 selectors.
No wedge events; the chip received 300 additional RX frames after
the sweep completed (save/restore on 0x8FC kept the RX path intact).
csi_dump.py classified all 5 selectors as STATIC or SINGLE-BIT —
no wide-bit IQ bus among them, exactly the framework-in-tree-but-
IQ-out-of-reach state the plan called the "acceptable case".
What would unblock real capture (separate, future work):
1. Vendoring (or rediscovering) Realtek's phydm dbgport selector
catalogue — typically dumped via rtwpriv on a reference platform.
2. Or: implementing the 0x95C ADC-DMA path. Raw ADC samples at full
bandwidth + off-chip 64-point FFT recovers per-subcarrier IQ.
Until one of those lands, this tier stays "framework in tree, capture
out of reach." Both BbDbgportReader.h and tools/precoder/README.md
carry the same warning.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Ships the framework for per-subcarrier IQ capture via the BB debug port — but not the capture itself, because the per-subcarrier selector is missing from the vendored sources. Documents the dead-end and the path that would unblock it.
This is the "acceptable case" the plan called out for F2:
What works
src/BbDbgportReader.{h,cpp}wraps the canonical dbgport pattern from the only in-tree user (hal/rtl8814a/rtl8814a_phycfg.c:460-545,phy_ADC_CLK_8814Aon A-cut 8814A):is_chip_alive()readsREG_SYS_CFGand bails if poisoned. Once wedged, the reader refuses further writes — loud failure rather than silently corrupting samples.DEVOURER_RX_DUMP_CSI=hex,hex,...drives a selector sweep on the first 8 canonical-SA RX frames indemo/main.cpp:tools/precoder/csi_dump.pyparses the log and classifies each selector as STATIC / SINGLE-BIT (flag) / PARTIAL (counter) / DYNAMIC (wide-bit bus — IQ candidate).What doesn't work, and why
The selector that routes post-FFT per-subcarrier IQ to
0xFA0is in Realtek's phydm source (phydm_dbgport_seland friends), which is NOT vendored in this tree —hal/phydm/carries only BB/AGC/RF init tables.Without the selector catalogue, sweeping random selectors gives raw BB internals (status flags, clock-domain bits, MAC_Active markers) but not IQ samples.
Hardware verification (chip survives, framework live, no IQ found)
TX = RTL8812AU (0bda:8812), RX = TP-Link RTL8821AU (2357:0120), channel 6.
DEVOURER_RX_DUMP_CSI=0x0,0x1,0x10,0x40,0xa0.csi_dump.pyclassification:All 5 selectors return values dominated by a static
0x7c008000pattern with just one bit toggling — classic status-flag signal. No wide-bit bus among them. Exactly the framework-in-tree-but-IQ-out-of-reach state the plan called the "acceptable case".What would unblock real capture (separate, future work)
rtwprivon a reference platform.0x95CADC-DMA path (rDMA_trigger_Jaguar2). Raw ADC samples at full bandwidth + off-chip 64-point FFT recovers per-subcarrier IQ. Bigger scope (FW mailbox + DMA buffer readout), separate PR.Until one of those lands, this tier stays framework in tree, capture out of reach. Both
BbDbgportReader.hand the newtools/precoder/README.md"Tier 4 — current status" section carry the same warning.What ships
src/BbDbgportReader.{h,cpp}— save/restore wrapper + chip-alive check + self-wedging.src/RtlJaguarDevice.{h,cpp}—read_bb_dbgport(selector)+bb_dbgport_wedged()accessors.demo/main.cpp—DEVOURER_RX_DUMP_CSI=hex,hex,...selector-sweep on first 8 canonical-SA frames.tools/precoder/csi_dump.py— log parser + classifier.tools/precoder/README.md— "Tier 4 — current status" section documenting the dead-end and the unblocking paths.CMakeLists.txt—WiFiDriverincludesBbDbgportReader.cpp.Brick-risk caveats (in PR description for visibility)
0x8FCwhile RX is live can stall demod state machines (cf.MAC_Activebusy-wait atrtl8814a_phycfg.c:475-479). The save/restore wrapper is the safest pattern but not a guarantee. On hardware, the 8821AU survived a 5-selector sweep cleanly — but treat new chips/selectors as destructive until proven otherwise.DEVOURER_RX_DUMP_CSIis unset.libusb_reset_device→usbreset→ power-cycle.Test plan
cmake --build build -jclean across all 5 demo binaries<devourer-csi>lines, 0 wedge events, 300 follow-up RX frames (chip survived)csi_dump.pyreports the captured selectors honestly as STATIC / SINGLE-BIT (no IQ candidate among them, confirming the dead-end)🤖 Generated with Claude Code