FET protocol
This page documents some aspects of the newer FET protocol (>= 20300000) which are not well understood.
Disassembling the FET firmware
A symbol table containing some symbols for FET firmware version 20401004 is available here. Unfortunately, the firmware itself is not freely distributable. You may be able to extract it from Texas Instruments software, or from the FET itself.
The USB FET contains an MSP430F1612. The firmware for a FET device can be extracted using MSPDebug:
mspdebug uif-bsl -d /dev/ttyUSBx "hexout 0x2500 0xdb00 fet-firmware.hex"
After extraction, the firmware can be inspected and disassembled without hardware using MSPDebug’s simulation mode. Use sym import to import a symbol table (type help sym for more information on editing, manipulating and exporting symbol tables):
dlbeer@soma:~/work/mspdebug.git$ ./mspdebug sim
MSPDebug version 0.8 - debugging tool for MSP430 MCUs
Copyright (C) 2009, 2010 Daniel Beer <daniel@tortek.co.nz>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Simulation started, 0x10000 bytes of RAM
Available commands:
= erase hexout mw read run sym
cgraph gdb isearch opt regs set
dis help md prog reset step
Available options:
color
Type "help <topic>" for more information.
Press Ctrl+D to quit.
(mspdebug) prog ../fet-fw/20401004.hex
Erasing...
Writing 128 bytes to 2500...
Writing 128 bytes to 2580...
Writing 128 bytes to 2600...
... snip ...
Writing 80 bytes to fd60...
Writing 32 bytes to ffe0...
(mspdebug) sym import ../fet-fw/20401004.map
A command which may be useful for disassembly is cgraph, used to find callers and callees of a function. For example:
(mspdebug) cgraph 0x2500 0xdb00 write_reply_data
0xd7a0 write_reply_data:
Callees:
set_reply_char
Callers:
send_reply
fet_reset.continue
Another useful command is isearch. One application of this command is to identify the places where data is manipulated or referenced:
(mspdebug) isearch 0x2500 0xdb00 dst tick_counter
start_wdt_timer+0x4:
5b52: 82 43 8e 13 CLR &tick_counter
wdt_irq_handler+0x2:
5b74: 92 53 8e 13 INC &tick_counter
wdt_irq_handler+0x6:
5b78: b2 90 2c 00 8e 13 CMP #0x2c, &tick_counter
wdt_irq_handler+0x1c:
5b8e: b2 90 2d 00 8e 13 CMP #0x2d, &tick_counter
Message 0x28
This message is sent with no arguments or payload. The FET returns a payload containing a structure which can be used to identify the chip under test. Little is known about the format of this message, except that the first two bytes are the Chip ID quoted in the device datasheet. The Chip ID alone cannot be used to identify the chip, however.
Message 0x29
This message is sent to the firmware and contains parameters specific to the debugged chip. Here’s what’s known so far about the format of this message’s payload:
Offset | Length | Description |
---|---|---|
0x00 | 2 | Start of code mem |
0x02 | 4 | End of code mem |
0x06 | 2 | Start of info mem |
0x08 | 2 | End of info mem |
0x0a | 2 | Info mem segment size? |
0x0c | 2 | Start of RAM |
0x0e | 2 | End of RAM |
0x10 | 2 | Start of RAM2 |
0x12 | 2 | End of RAM2 |
0x14 | 2 | Number of breakpoints |
0x16 | 2 | Emulation level |
0x18 | 2 | Clock control level |
0x1a | 2 | MCLK_CONTROL param (?) |
0x1c | 2 | Start of LCD |
0x1e | 2 | End of LCD |
0x20 | 2 | VCC min (mV) |
0x22 | 2 | VCC max (mV) |
0x24 | 2 | |
0x26 | 2 | |
0x28 | 2 | |
0x2a | 2 | Has TEST/VPP |
0x2c | 2 | Not used in 20401004 |
0x2e | 2 | |
0x30 | 2 | |
0x32 | 2 | |
0x34 | 2 | |
0x36 | 2 | |
0x38 | 2 | Used by firmware timer IRQ |
0x3a | 2 | |
0x3c | 2 | |
0x3e | 2 | |
0x40 | 2 | |
0x42 | 2 | |
0x44 | 6 | Some kind of byte array |
There are three numeric arguments to this message, which appear to be bytes, and are chip specific.
Message 0x2b
This message is sent to the firmware and contains parameters specific to the debugged chip. It is not implemented by all versions of the firmware.
The payload format is as follows:
Offset | Length | Description |
---|---|---|
0x00 | 2 | Start of boot mem |
0x02 | 2 | End of boot mem |
0x04 | 2 | |
0x06 | 2 | |
0x08 | 2 | |
0x0a | 2 | |
0x0c | 0x3e | Some kind of byte array |
No numeric arguments are sent with this message.
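The payload tables for messages 0x29 and 0x2b can be turned into a table-driven decoder that rejects truncated payloads before reading any field. This is an added example, not code from MSPDebug or the FET firmware. Assumptions: multi-byte fields are little-endian, the field names are invented here from the table descriptions, and the sample payload is constructed rather than captured.

```python
import struct

# Offsets and descriptions come from the tables above; the identifiers are
# this example's own. Slots with no description are named unk_<offset>.
MSG_29_NAMES = {
    0x00: "code_start", 0x02: "code_end", 0x06: "info_start", 0x08: "info_end",
    0x0a: "info_seg_size", 0x0c: "ram_start", 0x0e: "ram_end",
    0x10: "ram2_start", 0x12: "ram2_end", 0x14: "num_breakpoints",
    0x16: "emulation_level", 0x18: "clock_control", 0x1a: "mclk_control",
    0x1c: "lcd_start", 0x1e: "lcd_end", 0x20: "vcc_min_mv", 0x22: "vcc_max_mv",
    0x2a: "has_test_vpp", 0x2c: "unused_20401004", 0x38: "timer_irq_param",
}
MSG_2B_NAMES = {0x00: "boot_start", 0x02: "boot_end"}

def build_layout(names, tail_off, tail_len, wide=()):
    """Return contiguous (offset, length, name) rows ending in the byte array."""
    rows, off = [], 0
    while off < tail_off:
        length = 4 if off in wide else 2      # only "End of code mem" is 4 bytes
        rows.append((off, length, names.get(off, "unk_%02x" % off)))
        off += length
    if off != tail_off:
        raise ValueError("fields overrun the byte array at 0x%02x" % tail_off)
    rows.append((tail_off, tail_len, "byte_array"))
    return rows

LAYOUT_29 = build_layout(MSG_29_NAMES, 0x44, 6, wide={0x02})
LAYOUT_2B = build_layout(MSG_2B_NAMES, 0x0c, 0x3e)

def decode(payload, rows):
    """Decode a payload; integers are read little-endian (an assumption)."""
    need = rows[-1][0] + rows[-1][1]
    if len(payload) < need:                   # never slice past a short buffer
        raise ValueError("payload is %d bytes, layout needs %d" % (len(payload), need))
    out = {name: int.from_bytes(payload[off:off + length], "little")
           for off, length, name in rows[:-1]}
    off, length, name = rows[-1]
    out[name] = bytes(payload[off:off + length])
    return out

def sample_29():
    """Constructed 0x29 payload (not captured from a real FET or chip)."""
    buf = bytearray(0x4a)
    struct.pack_into("<HI", buf, 0x00, 0xc000, 0xffff)   # code memory range
    struct.pack_into("<HH", buf, 0x0c, 0x0200, 0x09ff)   # RAM range
    struct.pack_into("<HH", buf, 0x20, 1800, 3600)       # VCC min/max in mV
    return bytes(buf)
```

Both documented layouts end at offset 0x4a, so the same length check applies to either message.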