-
Notifications
You must be signed in to change notification settings - Fork 3
Feature report 0xF1
Note: This information applies only to the old CECH-ZCM1 models, not the newer CECH-ZCM2 models.
Using this USB/BT feature report, you can read and write certain parts of the MCU's flash memory. Among other things, the current host's Bluetooth device address and the Move's calibration data are stored in this section. Unlike the SRAM, the flash memory keeps the stored data even if the controller is reset or powered down.
What this report actually does is reading and writing inside a range of 1024 bytes inside the MCU's SRAM. This range starts at address 0x20000A40. At startup, this location is copied from a range starting at address 0x0801F800 in flash memory. Writing new values to the SRAM automatically triggers the flash memory to also be updated. So, these portions of SRAM and flash memory are always kept in sync.
Warning: Tinkering with this can break your controller. Make sure you have a backup of the firmware and know how to restore it.
In the descriptions below, note that the first byte (HID Report ID) is only present in the Bluetooth report. Leave it out if you are using USB.
Retrieving data from SRAM/flash memory requires two steps: sending report 0xF1 with the desired read configuration, and then reading report 0xF1 to get the actual data.
| Byte offset | Length (in bytes) | Description |
|---|---|---|
| 0x00 | 1 | HID Report ID (always 0xF1) |
| 0x01 | 2 | Mode selector (stored as little-endian) |
| 0x03 | 2 | Offset (stored as little-endian) |
| 0x05 | 1 | Length |
| 0x06 | 43 | Data |
Setting the Mode selector = 0x0B56 sets up a read operation of 16 bytes starting at address 0x20000A40 + Offset in the MCU's SRAM. The Length and Data fields are ignored in this mode.
| Byte offset | Length (in bytes) | Description |
|---|---|---|
| 0x00 | 1 | HID Report ID (always 0xF1) |
| 0x01 | 2 | Mode selector (stored as little-endian) |
| 0x03 | 2 | Offset (stored as little-endian) |
| 0x05 | 1 | unused |
| 0x06 | 16 | Data |
| 0x16 | 1 | Checksum (sum of all data bytes MOD 256) |
The Mode selector and Offset fields will contain the values specified in the previous sending of this report. Starting at offset 0x06 is the actual data retrieved from SRAM.
Writing data to SRAM/flash memory works by simply sending report 0xF1:
| Byte offset | Length (in bytes) | Description |
|---|---|---|
| 0x00 | 1 | HID Report ID (always 0xF1) |
| 0x01 | 2 | Mode selector (stored as little-endian) |
| 0x03 | 2 | Offset (stored as little-endian) |
| 0x05 | 1 | Length |
| 0x06 | 43 | Data |
Setting the Mode selector = 0x0A56 sets up a write operation of Length bytes of data to the memory range starting at address 0x20000A40 + Offset in SRAM.
Since only a fixed range of 1024 bytes is accessible in SRAM, the sum Length + Offset must never exceed 1024. No write operation is performed otherwise.