Daniel Beer Atom | RSS | About

FET protocol

This page documents some aspects of the newer FET protocol (>= 20300000) which are not well understood.

Disassembling the FET firmware

A symbol table containing some symbols for FET firmware version 20401004 is available here. Unfortunately, the firmware itself is not freely distributable. You may be able to extract it from Texas Instruments software, or from the FET itself.

The USB FET contains an MSP430F1612. The firmware for a FET device can be extracted using MSPDebug:

mspdebug uif-bsl -d /dev/ttyUSBx "hexout 0x2500 0xdb00 fet-firmware.hex"

After extraction, the firmware can be inspected and disassembled without hardware using MSPDebug’s simulation mode. Use sym import to import a symbol table (type help sym for more information on editing, manipulating and exporting symbol tables):

dlbeer@soma:~/work/mspdebug.git$ ./mspdebug sim
MSPDebug version 0.8 - debugging tool for MSP430 MCUs
Copyright (C) 2009, 2010 Daniel Beer <daniel@tortek.co.nz>
This is free software; see the source for copying conditions.  There is NO

Simulation started, 0x10000 bytes of RAM

Available commands:
    =        erase    hexout   mw       read     run      sym
    cgraph   gdb      isearch  opt      regs     set
    dis      help     md       prog     reset    step

Available options:

Type "help <topic>" for more information.
Press Ctrl+D to quit.

(mspdebug) prog ../fet-fw/20401004.hex
Writing 128 bytes to 2500...
Writing 128 bytes to 2580...
Writing 128 bytes to 2600...
... snip ...
Writing  80 bytes to fd60...
Writing  32 bytes to ffe0...
(mspdebug) sym import ../fet-fw/20401004.map

A command which may be useful for disassembly is cgraph, used to find callers and callees of a function. For example:

(mspdebug) cgraph 0x2500 0xdb00 write_reply_data
0xd7a0 write_reply_data:


Another useful command is isearch. One application of this command is to identify the places where data is manipulated or referenced:

(mspdebug) isearch 0x2500 0xdb00 dst tick_counter
    5b52: 82 43 8e 13         CLR     &tick_counter
    5b74: 92 53 8e 13         INC     &tick_counter
    5b78: b2 90 2c 00 8e 13   CMP     #0x2c,           &tick_counter
    5b8e: b2 90 2d 00 8e 13   CMP     #0x2d,           &tick_counter

Message 0x28

This message is sent with no arguments or payload. The FET returns a payload containing a structure which can be used to identify the chip under test. Little is known about the format of this message, except that the first two bytes are the Chip ID quoted in the device datasheet. This alone can not be used to identify the chip, however.

Message 0x29

This message is sent to the firmware and contains parameters specific to the debugged chip. Here’s what’s known so far about the format of this message’s payload:

Offset Length Description
0x00 2 Start of code mem
0x02 4 End of code mem
0x06 2 Start of info mem
0x08 2 End of info mem
0x0a 2 Info mem segment size?
0x0c 2 Start of RAM
0x0e 2 End of RAM
0x10 2 Start of RAM2
0x12 2 End of RAM2
0x14 2 Number of breakpoints
0x16 2 Emulation level
0x18 2 Clock control level
0x1a 2 MCLK_CONTROL param (?)
0x1c 2 Start of LCD
0x1e 2 End of LCD
0x20 2 VCC min (mV)
0x22 2 VCC max (mV)
0x24 2
0x26 2
0x28 2
0x2a 2 Has TEST/VPP
0x2c 2 Not used in 20401004
0x2e 2
0x30 2
0x32 2
0x34 2
0x36 2
0x38 2 Used by firmware timer IRQ
0x3a 2
0x3c 2
0x3e 2
0x40 2
0x42 2
0x44 6 Some kind of byte array

There are three numeric arguments to this message, which appear to be bytes, and are chip specific.

Message 0x2b

This message is sent to the firmware and contains parameters specific to the debugged chip. It is not implemented by all versions of the firmware.

The payload format is as follows:

Offset Length Description
0x00 2 Start of boot mem
0x02 2 End of boot mem
0x04 2
0x06 2
0x08 2
0x0a 2
0x0c 0x3e Some kind of byte array

No numeric arguments are sent with this message.