dopabreak.blogg.se

Change byte offset db address step 7 siemens

# Reverse Engineering Firmware (in Mice)

- reverse engineered the encryption used in the sensor (ADNS-9800) by staring at it really hard
- reverse engineered parts of the sensor firmware

Before that, I also reverse engineered parts of the USB controller firmware of the mouse.

When looking into the ADNS-9800 datasheet, one is presented with the possibility of reading 30x30 greyscale images from the device, so I decided to just do that.

## Hello World!

As far as I know, the pre-existing USB controller firmware does not have any built-in function to read the frames, which is not really surprising. When patching binaries, I find doing so in assembly is often advantageous over C (or PL/M-51, which is never advantageous) because it allows modifying existing functions or jumping into the middle of a function. I'm also quite used to 8051 assembly, so writing it poses no problem.

To not risk breaking existing USB functionality:

- I copied the existing routines for the recovery USB mode to a separate location.
- I made minimal modifications to the rest of the firmware (basically replacing one jump address) to invoke it.

If the new mode is invoked, all interrupts are disabled and it sits in a busy-wait loop waiting for USB packets.

First, of course, I wrote a simple hello world function that returns the string Hello, World!\n on a GET_REPORT:

```asm
MOV DPTR, #USB_OUT       ; init dptr with USB buf address
MOV A, #03               ; report id, start of get_report
MOV R0, #08              ; number of bytes in buffer left
MOV R1, #(HELLO-PC_VA1)  ; offset to "hello world" string
MOV R2, #00              ; FFh at second batch of 8 bytes
```

This works without problem, and one gets to test both the firmware code and the host code for invoking the special mode.

Knowing that the hello world works, I could now go on to read frames from the sensor. Communication involves registers, which can be read or written by sending the address over SPI and then reading/writing the byte. The ADNS-9800 communicates over SPI, but the USB controller doesn't have any native SPI ports, so it has to bit-bang the frames. A peculiarity of the USB controller is that, in order to set some I/O lines high or low, other bits have to be set or unset. Getting the frame involves writing some values to a register and then reading 900 bytes from another register, all over SPI. I'm not sure what exactly that register write does, but reading does not work when skipping it. On the first try, I implemented it on the USB controller by storing the frame inside an XRAM buffer and reading that into the USB buffer. The host side was made using a PyQt application that sends the GET_REPORT requests and displays the frame inside a GUI.

# Siemens S7-1200/1500 (Ethernet: ISO over TCP/IP) Addressing

Note: Timers and Counters are System Blocks that are not addressable.

Note: Data Blocks must have "Optimized Block Access" DISABLED in the SIMATIC STEP 7 software.

Use the Offset column of the Data Block as the byte address for C-more. Even though the DB variable is defined as "Int", the offset is still a byte offset, not a word offset.

Data Block addressing syntax differs somewhat between what is seen in the TIA Portal (SIMATIC STEP7) and in C-more.

To view the status of the variables in the PLC, once you are online with the PLC, add or open an existing Watch Table from the Devices tree of the TIA Portal (SIMATIC STEP7).

To view a Data Block, double-click the specific Data Block you wish to view. When a Data Block is selected, a window like the one shown below will open.

- MOTOR_RPM is addressed at byte 0 and is a 16-bit Integer.
- SETPOINT_RPM is addressed at byte 2 and is also a 16-bit Integer.
- START is addressed at byte 4, bit 0 and is a Boolean.
- STOP is addressed at byte 4, bit 1 and is a Boolean.

If the "Offset" column is not displayed, right-click any column header to Show / Hide Columns.

These four variables would be addressed as follows in C-more:

- MOTOR_RPM = Memory Type: DB.DBW, Address: 2.0
- SETPOINT_RPM = Memory Type: DB.DBW, Address: 2.2
- START = Memory Type: DB.DBX, Address: 2.4, Bit: 0
- STOP = Memory Type: DB.DBX, Address: 2.4, Bit: 1

Note: there is a space (shown in red on the Address sample) in all Siemens addresses, between the area and the byte offset (DB2.DBW 0).

Note: The information provided above for C-more addressing is used for the C-more PLC Address fields shown below.

Using Variable #3 as a sample, the Tag Name window from C-more would look as follows:

If you view these variables in the Watch Table of the TIA Portal (SIMATIC STEP7), they look more like the C-more syntax. From the Devices tree, add a new watch table or open an existing one. The Watch and Force Tables window shown below will open. From this window you can monitor the variables shown.
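As an added, worked illustration of the mapping above (not part of the C-more documentation or of any Siemens tool), the following Python computes where each variable of a standard-access DB lands and renders both the TIA Portal absolute address (DB2.DBW 0, DB2.DBX 4.0) and the C-more Memory Type / Address / Bit fields (DB.DBW 2.0, DB.DBX 2.4 bit 0). It goes beyond the page's single example by assigning the byte offsets itself, using the classic S7 alignment rules for non-optimized blocks (Bools packed bit by bit into one byte, anything wider than a byte starting on an even byte); those rules, and the C-more memory types DB.DBB and DB.DBD for 1- and 4-byte values, are my assumptions, since the page itself only shows DB.DBW and DB.DBX. Optimized blocks have no absolute offsets at all, which is why the function refuses them.

```python
# Added example, not the C-more or Siemens vendor code. Maps variables of a
# standard-access (non-optimized) S7 data block to Siemens absolute syntax
# and to C-more's Memory Type / Address / Bit fields. Offsets are BYTE
# offsets even for Int, as the documentation above stresses.
from dataclasses import dataclass

# Size in bytes of the elementary types handled here; Bool is bit-sized.
SIZES = {"Bool": 0, "Byte": 1, "Int": 2, "Word": 2, "DInt": 4, "Real": 4}
# Siemens area suffix per width. DBW/DBX are on the page; DBB/DBD are
# assumed for the 1- and 4-byte cases (they are real Siemens notation).
WIDTH = {1: "DBB", 2: "DBW", 4: "DBD"}


@dataclass
class DbVar:
    name: str
    dtype: str
    byte: int        # byte offset inside the DB (the "Offset" column)
    bit: int = 0     # only meaningful for Bool


def layout(declared, optimized=False):
    """Assign byte/bit offsets the way a standard-access DB does.

    Assumed S7 rules: consecutive Bools share a byte, one bit each; any
    type wider than one byte starts on an even (word) boundary. A DB with
    Optimized Block Access enabled has no fixed offsets, so it is rejected.
    """
    if optimized:
        raise ValueError("disable 'Optimized Block Access' to use absolute addresses")
    out, byte, bit = [], 0, 0
    for name, dtype in declared:
        size = SIZES[dtype]
        if dtype == "Bool":
            out.append(DbVar(name, dtype, byte, bit))
            bit += 1
            if bit == 8:                 # byte full, move to the next one
                byte, bit = byte + 1, 0
            continue
        if bit:                          # close a partially used bit byte
            byte, bit = byte + 1, 0
        if size > 1 and byte % 2:        # word alignment for Int/Word/DInt/Real
            byte += 1
        out.append(DbVar(name, dtype, byte))
        byte += size
    return out


def siemens_address(db, v):
    """Absolute address as a TIA Portal watch table shows it, e.g. 'DB2.DBW 0'.
    Note the space between the area (DBW) and the byte offset."""
    if v.dtype == "Bool":
        return f"DB{db}.DBX {v.byte}.{v.bit}"
    return f"DB{db}.{WIDTH[SIZES[v.dtype]]} {v.byte}"


def cmore_address(db, v):
    """C-more fields as (Memory Type, Address 'db.byte', Bit or None)."""
    if v.dtype == "Bool":
        return ("DB.DBX", f"{db}.{v.byte}", v.bit)
    return (f"DB.{WIDTH[SIZES[v.dtype]]}", f"{db}.{v.byte}", None)


def address_table(db, declared):
    """Rows of (name, Siemens address, C-more memory type, address, bit)."""
    rows = []
    for v in layout(declared):
        mem, addr, bit = cmore_address(db, v)
        rows.append((v.name, siemens_address(db, v), mem, addr, bit))
    return rows


if __name__ == "__main__":
    # The four variables of DB2 from the documentation above.
    DB2 = [("MOTOR_RPM", "Int"), ("SETPOINT_RPM", "Int"),
           ("START", "Bool"), ("STOP", "Bool")]
    for name, s7, mem, addr, bit in address_table(2, DB2):
        suffix = f" bit {bit}" if bit is not None else ""
        print(f"{name:<13} {s7:<12} C-more: {mem} {addr}{suffix}")
```

Run as a script it reproduces the page's table (MOTOR_RPM at DB2.DBW 0 / DB.DBW 2.0 through STOP at DB2.DBX 4.1 / DB.DBX 2.4 bit 1). Feeding it a declaration such as a Bool followed by an Int shows the alignment gap (the Int lands on byte 2, not 1), which is the usual cause of a C-more tag reading the wrong word when offsets are typed by hand instead of taken from the Offset column.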
