diff --git a/USB-protocol.md b/USB-protocol.md index 53a6b46..4804266 100644 --- a/USB-protocol.md +++ b/USB-protocol.md 
@@ -69,10 +69,79 @@ Note: the serial number matches the one on the sticker on the bottom of the plas ### Protocol -The device operates in two (or three, depending on how you count) operting modes: bootloader mode (and authenticated bootloader mode), and application mode. +The device operates in two (or three, depending on how you count) operting modes: bootloader mode (and authenticated bootloader mode), and application mode. By default, the device starts in 'unauthenticated' bootloader mode. In bootloader mode, you first have to send a magic number for the device (stored in the FT240X' EEPROM) to enable some functionality: when authenticated, in bootloader mode, you can access the Spartan-3AN's internal SPI flash, as well as maybe a few extra bits. You can switch to application mode (and back to bootloader mode) at any time, however, allegedly (this is the behavior of the [ScanaPLUS](https://sigrok.org/wiki/IKALOGIC_ScanaPLUS) device, which has a similar setup) capturing samples (in application mode) will not work when not authenticated in bootloader mode. (TODO: does switching to bootloader mode from application mode bring you into authenticated mode when already authenticated before switching to application mode?) -TODO: document the commands of every mode \ No newline at end of file +A log of libftd2xx function calls from ScanaStudio, in various scenarios, is available [here](https://cloud.lain.faith/s/RpcBp89MA2LDqqY). + +Commands are typically a one-byte command ID, followed by a variable amount of data bytes. 
+ +#### Mode-independent + +* **`0xfd`: Get status/mode** + * Arguments: *fixed* `0x00 0x01 0x02 0xfe` + * Response: + * Unauthenticated bootloader mode: `0x09 0x09 0x09 0x09` + * Authenticated bootloader mode: `0x01 0x01 0x01 0x01` + * Application mode: `0x22 0x22 0x22 0x22` +* **`0x93`: Reset to application mode** + * No arguments + * No response +* **`0x94`: Reset to bootloader mode** + * No arguments + * No response + +#### Bootloader mode + +* **`0xf1`: Send unlock/authentication code** + * Arguments: 3 bytes from [FT240X EEPROM](FT240X-EEPROM) word locations `0x12:0x13`, followed by a *fixed* 23 zero bytes + * No response +* **`0x90`: Spartan-3AN internal SPI flash chip select** + * Arguments: *fixed* `0x00` + * No response +* **`0x91`: Spartan-3AN internal SPI flash chip deselect** + * Arguments: *fixed* `0x00` + * No response +* **`0x92`: Spartan-3AN internal SPI flash chip data transfer** + * Arguments: single byte to send (`0xff` for SPI read operations) + * Response: single byte result of the SPI operation (garbage if the byte transferred was meant as a write) + * Yes, SPI transfers are done byte-by-byte this way. For details on how to communicate with the Spartan-3AN internal flash, see [Xilinx docs (UG333)](https://www.xilinx.com/support/documentation/user_guides/ug333.pdf). See the "Example transfers" section below. 
+ +#### Application mode + +TODO lol + +#### Example transfers + +##### Spartan-3AN internal SPI flash read ID and status + +``` +Flash ID: + Send 0x90,0x00, no read data + Send 0x92,0x9f, read 1 byte and discard it + Send 0x92,0xff, read 1 data byte + Send 0x92,0xff, read 1 data byte + Send 0x91,0x00, no read data +Status: + Send 0x90,0x00, no read data + Send 0x92,0xd7, read 1 byte and discard it + Send 0x92,0xff, read 1 data byte + Send 0x91,0x00, no read data +``` + +##### Spartan-3AN internal SPI flash dump + +``` +Send 0x90,0x00, no read data +Send 0x92,0x0b, read 1 byte and discard it +Send 0x92,0x00, read 1 byte and discard it +Send 0x92,0x00, read 1 byte and discard it +Send 0x92,0x00, read 1 byte and discard it +Send 0x92,0xff, read 1 byte and discard it +Repeat 135168 times: + Send 0x92,0xff, read 1 data byte +Send 0x91,0x00, no read data +``` \ No newline at end of file
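Review bot: In the `0xf1` entry under "Bootloader mode", the argument description "3 bytes from FT240X EEPROM word locations `0x12:0x13`" does not say which bytes are meant or in what order they are sent. If the EEPROM words are 16-bit, two word locations hold 4 bytes, so the text should state which 3 are used and their byte order on the wire. A short example transfer for the unlock, like the ones given for the flash commands, would remove the guesswork. In the "Spartan-3AN internal SPI flash dump" example the repeat count 135168 is given without explanation. Stating what it corresponds to (it equals 512 × 264) would let readers check it against the flash geometry in UG333. The rewritten opening paragraph also still carries the "operting" typo, and the new file again ends without a trailing newline.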