kavaler writes:
> I found that newer versions of the usb protocol have 4 extra bytes embedded
> in the receive (reply) packets. Basically if the type is set to 0xFF then
> there is an extra short (status of some sort) followed by a reiteration of
> the command followed by the actual type. Here is some code that I use to
> parse that piece:
>
> type = buf[n++];
> if(type == 0xFF) {
>     u->replyStatus = extractShort(&buf[n]);
>     n += 2;
>     if(buf[n++] != command) {
>         return u->errNo;
>     }
>     if(crc16(0xFFFF, buf+6, nBuf-4) != 0xf0b8) {
>         return u->errNo;
>     }
>     type = buf[n++];
> } else {
>     if(crc16(0xFFFF, buf+2, nBuf) != 0xf0b8) {
>         return u->errNo;
>     }
> }
I noticed this too. I've partially disassembled the 20401004 firmware
and there's a function that's called twice before echoing the reply to
several commands:
send_2d_param:
2ad4: 4e 4c MOV.B R12, R14
2ad6: c2 93 48 1a TST.B &2d_param
2ada: 0b 24 JZ send_2d_param.exit
2adc: 5c 42 48 1a MOV.B &2d_param, R12
2ae0: b0 12 2a 2d CALL #send_char
2ae4: 4c 4e MOV.B R14, R12
2ae6: b0 12 2a 2d CALL #send_char
2aea: 7e 93 CMP.B #0xff, R14
2aec: 02 20 JNZ send_2d_param.exit
2aee: c2 43 48 1a CLR.B &2d_param
send_2d_param.exit:
2af2: 30 41 RET
This is responsible for the 4 extra bytes:
xx 00 xx FF
Where xx is the parameter originally sent to the 0x2d command. I'm not
sure what the purpose is, but I have a suspicion that it's used to
detect/recover after crashes during lengthy operations.
For example, it's called before and after handling the reset command,
which involves calling a function pointer which may not be initialized.
On a related note, I think the lengthy init messages I mentioned
earlier might have something to do with this.
I've attached my (partial) symbol table for this firmware. It's probably
not a good idea to post the actual firmware binary, but you can extract
it from the FET using:
mspdebug -u /dev/ttyUSB0 "hexout 0x2500 0xdb00 20401004.hex"
> Also, some chips (the msp430f5437A for example) require a different
> configuration either JTAG or spy-bi-wire. You have to select configuration
> 8, 2. It seems to be a version of JTAG that requires the TEST pin of the
> JTAG to be connected to the TEST pin of the chip.
Excellent, thanks for the info!
- Daniel
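An added example, not code from either post and not part of mspdebug or the FET firmware, modelling the reply framing discussed above. It shows why the quoted code compares crc16() against the constant 0xf0b8 (with the RFC 1662 FCS-16, running the same CRC over payload plus the appended, complemented FCS leaves the fixed residue 0xF0B8), and it parses the "type == 0xFF" extended layout (16-bit status, echo of the command, then the real type) with the FCS verified first and every field bounds-checked. It assumes kavaler's crc16() is that FCS-16 and that extractShort() reads little-endian like the MSP430; the command number 0x2D and every frame in it are constructed for the demo.

```python
"""
Model of the FET reply framing described in the thread (added example).

Assumptions, not stated on the page: crc16() in the quoted code is the
RFC 1662 FCS-16 (reflected poly 0x1021, init 0xFFFF, FCS sent complemented,
low byte first) and extractShort() is little-endian.  All frames below are
constructed for demonstration.
"""
from typing import Optional
import struct

GOOD_FCS = 0xF0B8   # residue the quoted code tests for
EXTENDED = 0xFF     # type byte announcing the 4 extra bytes
FCS_LEN = 2


def fcs16(data: bytes, init: int = 0xFFFF) -> int:
    """RFC 1662 FCS-16, bit-serial form of the table algorithm."""
    fcs = init
    for b in data:
        fcs ^= b
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs


def seal(payload: bytes) -> bytes:
    """Append the complemented FCS; fcs16(seal(p)) == GOOD_FCS for any p."""
    return payload + struct.pack("<H", fcs16(payload) ^ 0xFFFF)


def frame_ok(frame: bytes) -> bool:
    """Integrity check the way the quoted code does it: residue must be 0xF0B8."""
    return len(frame) >= FCS_LEN and fcs16(frame) == GOOD_FCS


class ReplyError(ValueError):
    """Raised for a frame that must not be trusted."""


def parse_reply(region: bytes, command: int) -> dict:
    """
    Parse the CRC-covered region of a reply, i.e. the bytes kavaler's code
    hands to crc16().
      plain:    [type] payload... [fcs lo][fcs hi]
      extended: [0xFF][status lo][status hi][command echo][type] payload... [fcs]
    The FCS is verified before any field is interpreted and every field is
    bounds-checked, so a short or corrupted reply is rejected instead of
    being read past the end of the buffer.
    """
    if not frame_ok(region):
        raise ReplyError("FCS residue is not 0xF0B8")
    body = region[:-FCS_LEN]
    if len(body) < 1:
        raise ReplyError("no type byte")
    n = 0
    rtype = body[n]
    n += 1
    status: Optional[int] = None
    if rtype == EXTENDED:
        if len(body) < n + 4:
            raise ReplyError("truncated extended header")
        status = struct.unpack_from("<H", body, n)[0]
        n += 2
        if body[n] != command:
            raise ReplyError(f"command echo {body[n]:#04x} != {command:#04x}")
        n += 1
        rtype = body[n]
        n += 1
    return {"type": rtype, "status": status, "payload": bytes(body[n:])}


def build_reply(command: int, rtype: int, payload: bytes,
                status: Optional[int] = None) -> bytes:
    """Constructed encoder mirroring parse_reply (demo input only)."""
    if status is None:
        head = bytes([rtype])
    else:
        head = bytes([EXTENDED]) + struct.pack("<H", status) + bytes([command, rtype])
    return seal(head + payload)


def rejects(region: bytes, command: int) -> bool:
    """True if parse_reply refuses the frame."""
    try:
        parse_reply(region, command)
    except ReplyError:
        return True
    return False


if __name__ == "__main__":
    cmd = 0x2D  # constructed command number for the demo
    old = build_reply(cmd, 0x01, b"\x10\x20")
    new = build_reply(cmd, 0x01, b"\x10\x20", status=0x0000)
    print("plain   ", old.hex(), parse_reply(old, cmd))
    print("extended", new.hex(), parse_reply(new, cmd))
    flipped = bytearray(new)
    flipped[5] ^= 0x01            # corrupt one payload byte
    print("corrupted rejected:", rejects(bytes(flipped), cmd))
    print("wrong command echo rejected:", rejects(new, cmd + 1))
```

One deliberate difference from the quoted code: the FCS is checked before the command echo is compared, so nothing in the frame is interpreted until its integrity has been established.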
0000 t IE1
0001 t IE2
0002 t IFG1
0003 t IFG2
0004 t ME1
0005 t ME2
0019 t P3OUT
001a t P3DIR
001b t P3SEL
001d t P4OUT
001e t P4DIR
001f t P4SEL
0021 t P1OUT
0022 t P1DIR
0026 t P1SEL
0029 t P2OUT
002a t P2DIR
002e t P2SEL
0031 t P5OUT
0032 t P5DIR
0033 t P5SEL
0035 t P6OUT
0036 t P6DIR
0037 t P6SEL
0056 t DCOCTL
0057 t BCSCTL1
0058 t BCSCTL2
0070 t U0CTL
0071 t U0TCTL
0072 t U0RCTL
0073 t U0MCTL
0074 t U0BR0
0075 t U0BR1
0076 t U0RXBUF
0077 t U0TXBUF
0078 t U1CTL
0079 t U1TCTL
007b t U1MCTL
007c t U1BR0
007d t U1BR1
0080 t ADC12MCTL0
0120 t WDTCTL
0122 t DMACTL0
0124 t DMACTL1
0140 t ADC12MEM0
0160 t TACTL
0166 t TACCTL2
0170 t TAR
0172 t TACCR0
0174 t TACCR1
0176 t TACCR2
0180 t TBCTL
01a0 t ADC12CTL0
01a2 t ADC12CTL1
01a4 t ADC12IFG
01c0 t DAC12_0CTL
01c8 t DAC12_0DAT
01e0 t DMA0CTL
01e2 t DMA0SA
01e8 t DMA1CTL
01ea t DMA1SA
01ec t DMA1DA
01ee t DMA1SZ
01f0 t DMA2CTL
01f2 t DMA2SA
01f4 t DMA2DA
01f6 t DMA2SZ
12d4 t msg_start_indices
12d6 t msg_lengths
12e4 t rx_char_count
140a t last_error
141a t reg_values
141c t reg_values.plus2
15da t msg_cmd
15db t msg_flags
15de t param_count
15e0 t param_array
15f8 t exdata_len
15fe t reply_cmd
15ff t reply_type
1600 t reply_state
1601 t reply_error
1622 t data_xbuf
1832 t reply_buffer
183a t exdata_buf
1a42 t data_xbuf_head
1a44 t msg_index_tail
1a45 t msg_index_head
1a46 t last_char_was_escape
1a47 t rx_msg_count
1a48 t 2d_param
2500 t _text_start
2a7c t calc_checksum
2a8c t calc_checksum.loop
2aac t calc_checksum.loop_end
2abc t rx_state_reset
2ad4 t send_2d_param
2af2 t send_2d_param.exit
2af4 t handle_received_char
2b00 t handle_received_char.is_delimeter
2b06 t handle_received_char.process_buffer
2b46 t handle_received_char.is_escape
2b4c t handle_received_char.is_regular_char
2b5a t handle_received_char.is_data
2b62 t handle_received_char.exit
2b64 t fetch_message
2bb6 t fetch_message.crc_ok
2bda t fetch_message.copy_params
2bee t fetch_message.copy_params_loop
2c0a t fetch_message.copy_params_loopend
2c10 t fetch_message.no_params
2c1e t fetch_message.copy_data
2c3e t fetch_message.dec_count
2c46 t fetch_message.exit0
2c48 t fetch_message.exit
2c4e t send_reply
2d16 t send_reply.reply_loop
2d20 t send_reply.reply_loopend
2d2a t send_char
2d36 t usart0_rx
2f20 t get_1302
5b62 t disable_wdt
7abc t configure_many_things
7bbc t configure_many_things.exit
7bec t do_configure
7bfc t do_configure.case_table
7c14 t do_configure.case_00
7c18 t do_configure.case_04
7c18 t do_configure.case_06
7c22 t do_configure.case_01
7c40 t do_configure.case_02
7c46 t do_configure.case_03
7c4c t do_configure.case_05
7c52 t do_configure.case_08
7c86 t do_configure.case_09
7ca4 t do_configure.case_0a
7caa t do_configure.case_0b
7cb0 t do_configure.case_07
7cb0 t do_configure.is_invalid
7cbc t set_voltage
7cf4 t set_voltage.exit
835a t copy_regs
8360 t copy_regs.copy_to_buf
837a t copy_regs.loop_end
837c t copy_regs.loop_start
838e t copy_regs.copy_from_buf
83ac t copy_regs.exit
9bc2 t get_last_error
c846 t save_restore_pin_state
c958 t fet_reset.continue
cbe6 t fet_reset
cd38 t init_io_pins
cd7c t init_tdi_capture
cdee t adc_reset
ce92 t delay_loop
cef0 t dispatch_message
cf06 t dispatch_message.is_not_2e
cf1a t dispatch_message.is_under_2e
cf20 t dispatch_message.case_table
cf7c t dispatch_message.handle_01
cfae t dispatch_message.handle_02
cfd0 t dispatch_message.handle_25
cfe2 t dispatch_message.handle_03
cff2 t dispatch_message.handle_05
d012 t dispatch_message.handle_06
d02a t dispatch_message.handle_07
d060 t dispatch_message.handle_08
d08a t dispatch_message.handle_09
d0ac t dispatch_message.handle_0a
d0ac t dispatch_message.handle_0b
d0be t dispatch_message.handle_0c
d0f4 t dispatch_message.handle_0d
d174 t dispatch_message.handle_0e
d19e t dispatch_message.handle_10
d1be t dispatch_message.handle_11
d1de t dispatch_message.handle_12
d204 t dispatch_message.handle_13
d214 t dispatch_message.handle_14
d24a t dispatch_message.handle_17
d25a t dispatch_message.handle_18
d28a t dispatch_message.handle_19
d2b8 t dispatch_message.handle_1a
d2d8 t dispatch_message.handle_1b
d2e6 t dispatch_message.handle_0f
d362 t dispatch_message.handle_1d
d378 t dispatch_message.handle_1e
d39a t dispatch_message.handle_1f
d3aa t dispatch_message.handle_20
d3c8 t dispatch_message.handle_21
d3d6 t dispatch_message.handle_23
d402 t dispatch_message.handle_22
d43c t dispatch_message.handle_24
d44c t dispatch_message.handle_26
d544 t dispatch_message.handle_27
d572 t dispatch_message.handle_28
d5ee t dispatch_message.handle_29
d650 t dispatch_message.handle_2b
d68c t dispatch_message.handle_2c
d6c8 t dispatch_message.handle_2d
d6d8 t dispatch_message.handle_00
d6d8 t dispatch_message.handle_15
d6d8 t dispatch_message.handle_16
d6d8 t dispatch_message.handle_1c
d6d8 t dispatch_message.handle_2a
d6d8 t dispatch_message.handle_over_2e
d6e4 t dispatch_message.finish
d6e4 t dispatch_message.handle_04
d704 t dispatch_message.handle_2e
d710 t gen_checksum
d718 t gen_checksum.loop
d734 t gen_checksum.loop_end
d742 t get_xbuf_head
d74c t add_data_to_buffer
d768 t set_reply_char
d778 t get_buffer_char
d782 t copy_message
d78a t copy_message.loop
d79a t copy_message.loop_end
d7a0 t write_reply_data
d7ae t write_reply_data.loop
d7bc t write_reply_data.loop_end
d902 t calc_checksum.return
dd8c t shift_by_4
dd9e t memcpy
f3c8 t crc_table
f7f2 t usart0_rx_funcptr
fb3a t start
fb8e t usart0_tx_vector
fb92 t usart0_rx_vector
fba6 t nmi_vector
fda0 t reset_vector
fdae t reset_vector.halt