-
Notifications
You must be signed in to change notification settings - Fork 92
HydraFW Binary SPI mode guide
This guide is updated towards firmware release HydraFW v0.9 Beta
Once the SPI mode has been selected, the following commands are available :
-
0b00000000
Return to main mode. ReturnsBBIO1
-
0b00000010
Mode identification. ReturnsSPI1
-
0b00000010
Puts the CS pin low. Returns0x01
-
0b00000011
Puts the CS pin high. Returns0x01
-
0b00000100
Write-then-read (see below) -
0b00000101
Write-then-read with no chip select (see below) -
0b00001101
Sniff all SPI trafic (see below) -
0b00001110
Sniff SPI data when CS is low -
0b00001111
Sniff SPI data when CS is high -
0b0001xxxx
Bulk SPI transfer -
0b01000000
configure peripherals -
0b01100xxx
Set SPI speed -
0b10000xyz
Configure SPI port -
0b00000001
Displays mode string. Responds with "SPI1" -
0b00000110
AVR commands -
0b0100000x
Configure SPI peripheral
This command is used to send at most 4096 bytes and will read at most 4096 bytes of data. Format :
Byte 1 2 3 4 5 6 ...
|----------|----------|----------|----------|----------|----------|------...
[command] [Bytes to write] [Bytes to read] [Data to write
The bytes to read/write are in big-endian format.
All data will be buffered before being sent to the SPI bus. Read data will also be buffered on the Hydrabus before being sent back to the user.
In normal mode (0b00000100
), CS is pulled low before sending the data. In no CS mode (0b00000101
), the CS pin is not driven at all.
More information can be found here : http://dangerousprototypes.com/docs/SPI_(binary)#00000100_-_Write_then_read
To be done
In this mode, the last 4 bits of the command define the number of bytes to write (from 1 to 16) (Command 0b00010000
will send 1 byte). The same number of bytes will be read and sent back to the user.
Hydrabus will wait for the defined number of bytes, send a 0x01
(acknowledge) then the read bytes.
Since 9c9bd6d1f6923133470917bde1e2337d5cbaf45b, the ACK byte will be sent before accepting data.
This command sets the SPI device bitrate. The three last bits will select the speed (int bits/sec) within the following list :
-
0b000
=> 320kHz SPI1 / 160kHz SPI2 -
0b001
=> 650kHz SPI1 / 320kHz SPI2 -
0b010
=> 1.31MHz SPI1 / 650kHz SPI2 -
0b011
=> 2.62MHz SPI1 / 1.31MHz SPI2 -
0b100
=> 5.25MHz SPI1 / 2.62MHz SPI2 -
0b101
=> 10.5MHz SPI1 / 5.25MHz SPI2 -
0b110
=> 21MHz SPI1 / 10.5MHz SPI2 -
0b111
=> 42MHz SPI1 / 21MHz SPI2
This commands returns 0x01
if successful, 0x00
in case of error.
This allows to set the following parameters :
-
x
sets the polarity value -
y
sets the clock phase -
z
sets the SPI device (0=SPI2 or 1=SPI1)
Since 2f3aecbca7e619e4b20d13694c992d8c5f2dc64f, the order has changed. It is now (0=SPI2 or 1=SPI1)
See https://github.com/hydrabus/hydrafw/wiki/HydraFW-SPI-guide for explanation.
This command returns 0x01
if successful, 0x00
in case of error.
This commands allows to select or unselect the SPI slave. (0=unselect, 1=select)
Hydrabus can be used as an AVR ISP programmer with the help of AVRDude.
Once this command has been issued, Hydrabus will send a 0x01
then wait for a subcommand.
The following subcommands are available :
Returns 0x01
Returns 0x01 0x00 0x01
(Protocol version 1)
This command is a wrapper around the ISP "Read from flash" commands. After sending this command, Hydrabus will wait for :
- 2 bytes representing the address to read
- 2 bytes for the number of bytes to read from this address.
Once these additional bytes were sent, Hydrabus will respond with the read bytes.
- Example AVRDude ISP programming for Arduino/AVR MCU
avrdude -c buspirate -P <hydrabus comm port> -p <chipname> ...
See http://dangerousprototypes.com/docs/Bus_Pirate_AVR_Programming for more details as this mode if fully compatible with Bus Pirate AVR Programming and tested with success with ATMEGA328P/Nano board
-
Example bbio_hydranfc_init.py for HydraNFC init using Console mode + switch to bbIO mode for SPI2 Init & communication with TRF7970A (HydraNFC shield)
-
The following python script can be used to read 4096 bytes from a SPI EEPROM :
import hexdump
import serial
import struct
#Open serial port
ser = serial.Serial('/dev/ttyACM0', 115200)
#Open binary mode
for i in xrange(20):
ser.write("\x00")
if "BBIO1" not in ser.read(5):
print "Could not get into binary mode"
quit()
# Switching to SPI mode
ser.write('\x01')
if "SPI1" not in ser.read(4):
print "Cannot set SPI mode"
quit()
# Reading information
while (addr < 4096*size):
#Write-then-read. 4 bytes to write, 4096 bytes to read
ser.write('\x04\x00\x04\x10\x00')
#Read command(\x03) and starting address (\x00\x00\x00)
ser.write('\x03\x00\x00\x00')
#Hydrabus will send \x01 in case of success...
ser.read(1)
#...followed by 4096 read bytes
buff += ser.read(4096)
print hexdump.hexdump(buff)
#Return to main binary mode
ser.write('\x00')
#reset to console mode
ser.write('\x0F\n')
- CHANGELOG
- Console commands
- Binary mode guide
-
NFC/HydraNFC v1 guide
- Read UID of an ISO/IEC_14443 Tag
- Read UID and data of a MIFARE Ultralight Tag
- Read UID of an ISO/IEC 15693 Tag
- Emul ISO14443a Tag
- Emul MIFARE Ultralight Tag
- Emul Mifare Classic Tag
- Unique NFC sniffer design
- Launch NFC sniffer from console
- Sniffer ISO14443A wireshark pcap
- Autonomous/stand-alone sniffer mode
- Sniffer ISO14443A real-time infinite trace mode
- HydraFW-HydraNFC-v1.x-TRF7970A-Tutorial