[E3-hacking] PBL response (wade through the junk, good news at end)
Matt Evans
e3-hacking@earth.li
Mon, 14 Mar 2005 23:33:33 +0000
Hello Ralph,
Thanks for your updated exp! I've just tried it out:
1110839334.812694 o 1b
1110839334.817746 o 1b
1110839334.822813 o 1b
1110839334.824815 i 06
1110839334.825299 e received ack
1110839334.825719 e transitioning to state 1, CS_STOPPED_TX_ESC
1110839334.826307 o 02 00 00 02 00 00 02 02 00 00 02 00 02 04
1110839334.826756 i 06
1110839334.827292 i 06
1110839334.827960 i 06
1110839334.828841 i 06
1110839334.829829 i 06
1110839334.831813 i 06
1110839334.832834 i 06
1110839334.833835 i 06
1110839334.834831 i 06
1110839334.835828 i 06
1110839334.836829 i 06
1110839334.837831 i 06
1110839334.838829 i 06
1110839334.839828 i 06
So it sends the packet... but nothing back.
However it hasn't finished receiving the acks and the E2 is
busy-waiting on the TX queue at this point (it's not the
interrupt-driven "print string" routine IIRC, it's just a spinloop) so
I altered exp to count the acks and move on only when it sees 16 of
them: (which incidentally it didn't always get, sometimes 15..
loss..)
1110839701.916260 o 1b
1110839701.921314 o 1b
1110839701.926360 o 1b
1110839701.931406 o 1b
1110839701.949244 o 1b
1110839701.950278 i 06(14 acks left) 06(13 acks left) 06(12 acks left) 06(11 acks left) 06(10 acks left) 06(9 acks left) 06(8 acks left) 06(7 acks left) 06(6 acks left) 06(5 acks left) 06(4 acks left) 06(3 acks left)
1110839701.951045 i 06(2 acks left)
1110839701.951959 i 06(1 acks left)
1110839701.952959 i 06(0 acks left)
1110839701.953517 e transitioning to state 2, CS_HAVE_ACK
1110839705.954042 e transitioning to state 1, CS_TX_REQUEST_ONESHOT
1110839705.955233 o 02 00 00 02 00 00 02 02 00 00 02 00 00 02 02 00 00 02 00 00 02 02 00 00 02 00 02 04 02 00 00 02 00 02 04 02 00 00 02 00 02 04
.... Nada.
'Voice' and 'email' LEDs at top alternate rapidly (with every ESC
received?). Certainly boots much slower; it watches ESCs for a while
then replies with the 06s. After it receives the 2nd transmission it sits
in a loop alternating the LEDs at about 2Hz.
***** Scratch that - I've bodged your code wrongly. <quick re-bodge>
RIGHT! It replied! I pruned out the "send the NOP packet 3 times then
the INFO packet(2) 3 times" stuff down to only sending one packet.
Also your description of the protocol quite accurately says the opcode
is the first byte in the payload, whereas exp.c had it reversed (i.e. 02
00 not 00 02); I also found the length field was being sent
reversed. See below; I altered the endianness of the length field,
and also that of the opcode field, so that the LSB was sent first. I
got an acknowledgement!!
...
1110841583.893639 i 06(3 acks left)
1110841583.894640 i 06(2 acks left)
1110841583.895639 i 06(1 acks left)
1110841583.896637 i 06(0 acks left)
1110841583.897060 e transitioning to state 2, CS_HAVE_ACK
1110841587.897492 e transitioning to state 1, CS_TX_REQUEST_ONESHOT
1110841587.898645 o 02 00 02 00 02 00 04
1110841587.907837 i 02
1110841587.908858 i 00
1110841587.909852 i 0e
1110841587.910849 i 00
1110841587.911845 i 82
1110841587.912846 i 00
1110841587.913844 i 72
1110841587.914842 i 00
1110841587.915845 i 03
1110841587.916845 i 01
1110841587.917846 i fd
1110841587.918844 i 04
1110841587.919843 i 10
1110841587.921825 i 20
1110841587.922844 i fe
1110841587.923844 i 7b
1110841587.924842 i 0e
1110841587.925844 i b0
1110841587.926844 i 6e
^C1110841635.489371 e received signal 2, exiting.
:D
I was just getting ready to give up (or at least see which loop it was
spinning in via JTAG).. I'm pretty damn impressed, I have to say, with
the accuracy of your reverse-engineering for the reply! (Especially
because I hit the disassembly again tonight trying to work out if there
was something else necessary before it'd listen - and got nowhere.)
So: 02 00 0e 00 [ 82 00 72 00 03 01 fd 04 10 20 fe 7b 0e b0 ] 63
03 01: Matches, I've v3.1
fd 04: as you predicted, of course, 1277
... etc. as per your packet format spec.
Some notes:
o Once it's in this idle state it still flashes LEDs at 2Hz as above..
a healthy sign I think?
o Duff packets are NOT acknowledged
o I tried hacking exp to just send a ton of escape chars without a
timeout - this didn't result in a reply! So the gap between them is
good. It seems to watch for a number of these (I see 20 being
bandied about around 0x324 in the code) and any number pauses boot for
a bit. Stated differently, it boots quicker if you don't send
anything, whereas sending ESCs delays it for a bit even if it doesn't
reply with 06060606.. for a few seconds.
Time to call it a night. But looks like there's potential for a play
with some of the other commands of the protocol! (First step = get
some code into DRAM..) Looks like all your hard work has been pretty
much spot on, so congratulations :) Have you managed to recreate
getting the stream of ACKs back with your setup? I should find a
source of cheap MobilePhone data cables somewhere, for ease of modding
into E2 EXP cables.
Best regards,
Matt
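A frame builder and parser for the exchange in the mail above, as an added example that is not part of the original message or of exp.c. The frame layout is inferred from the captured bytes only: STX 02, a byte that is 00 in every capture (meaning unknown), a 16-bit little-endian length, the payload with its 16-bit little-endian opcode first, and a trailing byte that in both the working request (04) and the byte-by-byte reply (6e) equals the 8-bit sum of everything after the STX. That checksum rule, the constant names, and the field names in decode_info_reply are my assumptions; only the version 3.1 and the value 1277 are confirmed in the mail, and the log excerpt used by count_acks is constructed in exp's line format rather than copied from a full capture.

```python
"""E3 EXP serial frames, reconstructed from the capture in the mail.

Layout (inferred from the hex dumps, not documented on the page):
  02 | 00 | len LSB, len MSB | payload (opcode LSB, opcode MSB, data...) | sum
where sum is the 8-bit sum of every byte after the leading 02 (assumption).
"""

STX = 0x02
ESC = 0x1B          # sent repeatedly, with a gap, to get the unit's attention
ACK = 0x06          # the unit answers the ESC burst with 16 of these
ACKS_REQUIRED = 16  # count the mail waits for before sending the request

# Byte strings transcribed from the hex dumps in the mail.
REQUEST_INFO = bytes.fromhex("02 00 02 00 02 00 04")
REPLY_INFO = bytes.fromhex(
    "02 00 0e 00 82 00 72 00 03 01 fd 04 10 20 fe 7b 0e b0 6e")
# The first, unanswered attempt: length and opcode sent MSB first.
REQUEST_INFO_BIG_ENDIAN = bytes.fromhex("02 00 00 02 00 02 04")


def checksum(body: bytes) -> int:
    """8-bit sum of the bytes after STX (assumption: matches every capture)."""
    return sum(body) & 0xFF


def build_frame(opcode: int, data: bytes = b"") -> bytes:
    """Build a frame with LSB-first length and opcode, as in the working request."""
    payload = opcode.to_bytes(2, "little") + data
    body = b"\x00" + len(payload).to_bytes(2, "little") + payload
    return bytes([STX]) + body + bytes([checksum(body)])


def parse_frame(frame: bytes) -> dict:
    """Validate a frame and split it into opcode and data; raise on anything duff."""
    if len(frame) < 6 or frame[0] != STX:
        raise ValueError("missing STX or frame too short")
    if frame[1] != 0x00:
        raise ValueError("unexpected byte after STX")
    length = int.from_bytes(frame[2:4], "little")
    payload = frame[4:4 + length]
    if len(payload) != length or len(frame) != 4 + length + 1:
        raise ValueError(f"declared length {length} does not fit {len(frame)} bytes")
    if len(payload) < 2:
        raise ValueError("payload too short to carry an opcode")
    if checksum(frame[1:-1]) != frame[-1]:
        raise ValueError(f"bad checksum {frame[-1]:02x}")
    return {"opcode": int.from_bytes(payload[:2], "little"), "data": payload[2:]}


def is_valid_frame(frame: bytes) -> bool:
    """True if parse_frame accepts the frame; mirrors 'duff packets are NOT acked'."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


def decode_info_reply(frame: bytes) -> dict:
    """Pick out the two fields the mail confirms; everything else is kept raw."""
    f = parse_frame(frame)
    d = f["data"]  # 72 00 | 03 01 | fd 04 | 10 20 fe 7b 0e b0
    return {
        "opcode": f["opcode"],                      # 0x0082 in reply to 0x0002
        "word0": int.from_bytes(d[0:2], "little"),  # 0x0072, meaning unknown
        "version": f"{d[2]}.{d[3]}",                # 03 01 -> "3.1"
        "value": int.from_bytes(d[4:6], "little"),  # fd 04 -> 1277
        "rest": d[6:],                              # undecoded
    }


def count_acks(log_lines) -> int:
    """Count 0x06 bytes in exp's 'TIMESTAMP i XX ...' log lines."""
    n = 0
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "i":
            # tokens may carry annotations like '06(14' from the ack-counting bodge
            n += sum(1 for tok in parts[2:] if tok[:2].lower() == "06")
    return n


# Constructed log excerpt in exp's format (not a full capture).
SAMPLE_LOG = [
    "1110839334.822813 o 1b",
    "1110839334.824815 i 06",
    "1110839701.950278 i 06(14 acks left) 06(13 acks left)",
]


if __name__ == "__main__":
    print("request matches capture:", build_frame(0x0002) == REQUEST_INFO)
    print(decode_info_reply(REPLY_INFO))
    print("big-endian attempt valid:", is_valid_frame(REQUEST_INFO_BIG_ENDIAN))
    print("acks seen:", count_acks(SAMPLE_LOG), "of", ACKS_REQUIRED)
```

Because the trailer is an order-independent sum, the big-endian first attempt carries a correct checksum and is rejected only by its declared length (0x0200 bytes in a 7-byte frame), which is consistent with the unit staying silent rather than sending a 06 for it.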