HydraFW Binary SPI mode guide

Benjamin Vernoux edited this page May 21, 2018 · 19 revisions
Clone this wiki locally

HydraFW binary SPI mode guide

This guide is updated towards firmware release HydraFW v0.7 Beta: HydraFW (HydraBus) v0.7-beta-20

Commands

Once the SPI mode has been selected, the following commands are available :

  • 0b00000000 Return to main mode. Returns BBIO1
  • 0b00000010 Puts the CS pin low. Returns 0x01
  • 0b00000011 Puts the CS pin high. Returns 0x01
  • 0b00000100 Write-then-read (see below)
  • 0b00000101 Write-then-read with no chip select (see below)
  • 0b00001101 Sniff all SPI trafic (see below)
  • 0b00001110 Sniff SPI data when CS is low
  • 0b00001111 Sniff SPI data when CS is high
  • 0b0001xxxx Bulk SPI transfer
  • 0b01000000 configure peripherals
  • 0b01100xxx Set SPI speed
  • 0b10000xyz Configure SPI port

Since 9c9bd6d1f6923133470917bde1e2337d5cbaf45b, the following commands were added :

  • 0b00000001 Displays mode string. Responds with "SPI1"
  • 0b00000110 AVR commands

Since 2f3aecbca7e619e4b20d13694c992d8c5f2dc64f, the following commands were added :

  • 0b0100000x Configure SPI peripheral

Command details

Write-then-read operation (0b00000100 - 0b00000101)

This command is used to send at most 4096 bytes and will read at most 4096 bytes of data. Format :

Byte 1           2          3          4          5         6        ...
|----------|----------|----------|----------|----------|----------|------...
 [command]    [Bytes to write]      [Bytes to read]       [Data to write

The bytes to read/write are in big-endian format. All data will be buffered before being sent to the SPI bus. Read data will also be buffered on the Hydrabus before being sent back to the user. In normal mode (0b00000100), CS is pulled low before sending the data. In no CS mode (0b00000101), the CS pin is not driven at all.

More information can be found here : http://dangerousprototypes.com/docs/SPI_(binary)#00000100_-_Write_then_read

SPI sniffer (0b00001101 - 0b00001110 - 0b00001111)

To be done

Bulk SPI transfer (0b0001xxxx)

In this mode, the last 4 bits of the command define the number of bytes to write (from 1 to 16) (Command 0b00010000 will send 1 byte). The same number of bytes will be read and sent back to the user. Hydrabus will wait for the defined number of bytes, send a 0x01 (acknowledge) then the read bytes.

Since 9c9bd6d1f6923133470917bde1e2337d5cbaf45b, the ACK byte will be sent before accepting data.

Set SPI speed (0b01100xxx)

This command sets the SPI device bitrate. The three last bits will select the speed (int bits/sec) within the following list :

  • 0b000 => 320kHz SPI1 / 160kHz SPI2
  • 0b001 => 650kHz SPI1 / 320kHz SPI2
  • 0b010 => 1.31MHz SPI1 / 650kHz SPI2
  • 0b011 => 2.62MHz SPI1 / 1.31MHz SPI2
  • 0b100 => 5.25MHz SPI1 / 2.62MHz SPI2
  • 0b101 => 10.5MHz SPI1 / 5.25MHz SPI2
  • 0b110 => 21MHz SPI1 / 10.5MHz SPI2
  • 0b111 => 42MHz SPI1 / 21MHz SPI2

This commands returns 0x01 if successful, 0x00 in case of error.

Configure SPI port (0b10000xyz)

This allows to set the following parameters :

  • x sets the polarity value
  • y sets the clock phase
  • z sets the SPI device (0=SPI2 or 1=SPI1)

Since 2f3aecbca7e619e4b20d13694c992d8c5f2dc64f, the order has changed. It is now (0=SPI2 or 1=SPI1)

See https://github.com/bvernoux/hydrafw/wiki/HydraFW-SPI-guide for explanation.

This command returns 0x01 if successful, 0x00 in case of error.

Configure SPI peripheral (0b0100000x)

This commands allows to select or unselect the SPI slave. (0=unselect, 1=select)

AVR commands (0b00000110)

Hydrabus can be used as an AVR ISP programmer with the help of AVRDude. Once this command has been issued, Hydrabus will send a 0x01 then wait for a subcommand.

The following subcommands are available :

NULL operation (0b00000000)

Returns 0x01

SPI AVR protocol version (0b00000001)

Returns 0x01 0x00 0x01 (Protocol version 1)

AVR read from flash

This command is a wrapper around the ISP "Read from flash" commands. After sending this command, Hydrabus will wait for :

  • 2 bytes representing the address to read
  • 2 bytes for the number of bytes to read from this address.

Once these additional bytes were sent, Hydrabus will respond with the read bytes.

Example scripts

  1. Example AVRDude ISP programming for Arduino/AVR MCU

avrdude -c buspirate -P <hydrabus comm port> -p <chipname> ...

See http://dangerousprototypes.com/docs/Bus_Pirate_AVR_Programming for more details as this mode if fully compatible with Bus Pirate AVR Programming and tested with success with ATMEGA328P/Nano board

  1. Example bbio_hydranfc_init.py for HydraNFC init using Console mode + switch to bbIO mode for SPI2 Init & communication with TRF7970A (HydraNFC shield)

  2. The following python script can be used to read 4096 bytes from a SPI EEPROM :

import hexdump
import serial
import struct

#Open serial port
ser = serial.Serial('/dev/ttyACM0', 115200)

#Open binary mode
for i in xrange(20):
    ser.write("\x00")
if "BBIO1" not in ser.read(5):
    print "Could not get into binary mode"
    quit()

# Switching to SPI mode
ser.write('\x01')
if "SPI1" not in  ser.read(4):
    print "Cannot set SPI mode"
    quit()

# Reading information
while (addr < 4096*size):
#Write-then-read. 4 bytes to write, 4096 bytes to read 
ser.write('\x04\x00\x04\x10\x00')
#Read command(\x03) and starting address (\x00\x00\x00)
ser.write('\x03\x00\x00\x00')
#Hydrabus will send \x01 in case of success...
ser.read(1)
#...followed by 4096 read bytes
buff += ser.read(4096)

print hexdump.hexdump(buff)

#Return to main binary mode
ser.write('\x00')
#reset to console mode
ser.write('\x0F\n')