Saturday, January 2, 2010

im-me hacking

I came across this blog describing hacking the im-me, a small wireless console. It looked interesting, so I went ahead and bought a couple.  For £8 you get a console and a USB radio dongle. It turns out that they are a bargain for what they contain, provided you can discover how to "re-purpose" the hardware.

I became much more interested when I discovered Travis Goodspeed's blog describing how to implement the debug port on a related processor.

The console

The console is really simple but powerful, containing:
  • A CC1110F32 radio/processor: 32k flash, 4k ram, 900MHz transceiver, with a debug port exposed.
  • An 8x24 LCD display, with backlight. The LCD has an SPI interface.
  • A full qwerty keyboard.
  • A piezoelectric sounder.
  • A voltage regulator, and a small number of sundry SMD parts - transistors, Rs, and Cs.
The Wireless USB Dongle

The dongle contains:
  • A CC1110 radio/processor identical to that in the console.
  • A CY7C63803 processor with USB interface.
The FCC ID is Grantee code: PIY, product code: L7281D1

The Console Debug Port

The debug port on the CC1110 is conveniently wired out to some test pads that are accessible via holes in the bottom of the battery tray. Connections are (from left to right):
  • (square pad) RESET_N
  • P2_1 = debug data
  • P2_2 = debug clock
  • +2.5 volts
  • Gnd
Here's a photo showing the wires I've soldered to the test pads that connect to the Arduino via a breadboard.  (I don't use the 2.5v connection as I supply power via the battery compartment, and rely on the on-board regulator to generate 2.5v.)


I wanted to drive this port via an Arduino, but couldn't drive it directly since the CC1110 runs off 2.5v as compared to the Arduino's +5volts.  The CC1110 is also intolerant of voltages more than 0.3v above VDD.  The solution was simple - the outputs from the Arduino are fed into voltage dividers (The DATA pin on the CC1110 is both an input and output so I decided to use relatively high value 3.3K resistors to present minimal load when it is an output).  To read the data line back into the Arduino, I wired the debug data pin to the Arduino's positive comparator input too, and set the comparator's negative input to about 1.7 volts.


(A word of warning - keep the lead lengths short - I had variable results when I initially just used test leads to connect everything.)

I wrote some Arduino interfacing code, using Travis's blog, the official documentation for the debug port, and CCFlasher (another implementation) for inspiration.  By executing the "READ_STATUS" command it became evident that the "DEBUG_LOCKED" bit is set.  This bit prevents the firmware from being read out, so it's not surprising that it is set.  However, a "CHIP_ERASE" can be executed, which erases the entire flash memory, and enables the full debug port capability, which is what I've done on one of my consoles.  I'm now able to download data to the chip and to execute programs in RAM or in flash.  The full hardware capabilities of the console are now at my disposal.

The Arduino code is still very much work in progress, but provides some basic facilities to allow me to experiment via the Serial Monitor interface of the Arduino IDE.  I'm now working on some facilities to allow me to download and flash programs more easily.  More later...

Console CC1110 Processor Development

Software development for the processor can be carried via this tool: http://supp.iar.com/Download/SW/?item=EW8051-KS4 This "kickstart" free version of the commercial tool can have its code size limits increased if you follow the guidelines in Section 9.1 of http://focus.ti.com/lit/ug/swru236a/swru236a.pdf.


The IDE can be configured to generate it's output in the simple Intel format, which is ideal for me to download to the processor with via the Arduino.


Console Keyboard


The 40 odd keyboard buttons are wired as a matrix, but the designers use some tricks to minimise the number of i/o pins.  The i/o pins used are:

  • "row" pins: P0_1, P1_2, P1_3, P1_4, P1_5, P1_6, P1_7 - input and output.  Normally high, regular very short pulses to 0v.
  • P0_6, P0_7 - input only.
The key connections are shown in the table below.

One keyboard sensing algorithm would be:
  • Set all keyboard i/o pins to inputs, with pullups to Vcc.  Read all inputs, and if any pin is zero, it is because one of the keys connected to Gnd is pressed.  For instance, if P1_2 is zero, it means the "O" key is pressed.
  • Set P0_1 as an output, and 0v.  Read all inputs (except P0_1 of course), and if any any pin is zero, it is because one of the keys on the "P0_1" row is pressed.  For instance, if P0_6 is zero, it means the "Menu" key is pressed.  Return the P0_1 to an input.
  • In a similar manner, take each of P1_2, P1_3, P1_4, P1_6, P1_7 low in turn, checking each time for a key press.
  • Add bebounce logic - e.g. repeatedly go through the steps above, and only report a key-press if the same key is pressed on 2 consecutive loops. 

Console Radio

Some information about the radio can be gathered from the FFC submission.  FCC submission details are found by searching for PIY/L7281H1 on the FCC site. There are internal photos, radio frequency details, and transmission spectra.

The standard unit transmits/receives on up to 16 different frequencies between 908.45MHz and 920.6MHz.

I've been using my trusty Tektronix 7L14 Spectrum Analyser to see how the units currently communicate.  On startup the console polls on all 16 channels to make contact with the wireless USB dongle.

Once communication has been established on one of the channels, the console and dongle continue to use just that channel thereafter.  The console polls the dongle about every 0.2 seconds.  Here's a typical sequence:


The console polls the dongle, and the dongle responds about 10 milliseconds later (the dongle is physically further away from the SA input and sothe signal is weaker).  The dongle then sends a message (a poll?) about 3 milliseconds later.  Finally the console replies to the poll after about 10 milliseconds.  This sequence repeats every 0.2 seconds, but the total transmission time for the console is 4 milliseconds, so the portion of time spent transmitting (and therefore consuming battery power) is just 2%.

If each poll/ack message is about minimal length, it corresponds to around 96 bits by the time you take into account the preamble, sync, length, address, data, and CRC.  96 bits transmitted in 2 ms is 50kbps.  So the minimum radio tx/rx data rate is 50 kbps, but could easily be higher.

The photo above also gives us a clue to the type of modulation being used.  The fact that the signal strength remains the same during the transmission period indicates that the amplitude modulation options supported by the CC1110 - On-Off Keying (OOK) and Amplitude Shift Keying (ASK) - aren't being used.

A plot of the transmission spectrum shows that transmission is on two frequencies 300kHz apart:


Zooming x10 into the twin peaks reveals this spectrum:




The smaller peaks at 50kHz intervals between the two main peaks are likely the result of the data rate setting, and gives further evidence that the data rate is 50kbps.  The very narrow peaks also hint that there is no modulation smoothing, which rules out the chip's Minimum Shift Keying (MSK) and the Gaussian filtering option available with  Frequency Shirt Keying (FSK).  This leaves just the 2-FSK modulation option, with the deviation set at +/- 150kHz.

LCD Interface

The LCD is connected via a 20 way ribbon cable.  The connector is on the left ofn the photo below:



The connections (from the top of the connector to the bottom) are, using ST7565S terminology:
  • P0_4 - /CS -- hold low while transferring data (SSN in SPI terminology).
  • P1_1 - /RESET (I think) -- Pulse low at power up, keep high all the time otherwise
  • P0_2 - A0 -- Low for a command byte, high for a data byte
  • P0_5 - SCL -- SPI clock (SCK in SPI terminology)
  • P0_3 - SI -- Serial Data (MOSI in SPI terminology)
  • +2.5v
  • Gnd
  • (the remaining 13 pins are connected via capacitors either together or to ground, and are part of a high voltage generator circuit in the LCD)
All the data connections are easily accessible via the test points between the connector and the processor.

Other Processor Connections

The only remaining i/o port connections on the processor are:
  • P0_0 - decoupled voltage divider input (to measure 2.5v to detect battery low condition?)
  • P1_0 - digital output to transducer
  • P2_0 - digital input/output to backlight circuit?
  • P2_3 - digital output to status LED (red?)
  • P2_4 - digital output to status LED (green?)


Posted by at
Labels:

33 comments:

  1. AnonymousJanuary 6, 2010 at 9:34 AM

    excelent work! congratulations

    ReplyDelete
  2. AnonymousJanuary 6, 2010 at 10:26 AM

    you should be able to make that interact with this:
    http://wiki.msp430.com/index.php/EZ430-Chronos?DCMP=Chronos&HQS=Other+OT+chronoswiki

    it seems it works on the same frequence and the USB dongle provided with it use a CC1111f32... it would be a great way to improve the watch interface :)

    ReplyDelete
  3. Travis GoodspeedJanuary 6, 2010 at 1:00 PM

    Excellent work! I've just ordered three of these, and I'll happily spend the next few weeks playing with them. Be sure to email me if you'd like a GoodFET board for debugging them.

    --Travis

    ReplyDelete
  4. Matthew CarpenterJanuary 6, 2010 at 4:28 PM

    Awesome Dave.
    Glad you indicated the freq info, as I'm looking for a toy in just this range using this exact chipset :)

    I just ordered two "collectables" through Amazon.

    Travis' GoodFET is a very powerful option for playing with this chip, I'd take him up on that offer.

    Matt

    ReplyDelete
  5. nrpJanuary 6, 2010 at 7:29 PM

    Nice. I bought one too when I saw Hunter Davis's post. Any plans on posting your Arduino code?

    ReplyDelete
  6. pelrunJanuary 6, 2010 at 9:35 PM

    Too bad I'm in Australia and so have to get the 433MHz version of the Chronos watch, it means I don't get to join in the fun :(

    ReplyDelete
  7. AnonymousJanuary 6, 2010 at 10:21 PM

    yes pelrun, the 433MHz version as diferent software AND hardware... from the wiki it seems that both 868 and 915MHz version share the same hardware and that the difference is only software, however, their USB access point is slightly different (seems there's an additional 0Ohm resistor on one of the version...)

    ReplyDelete
  8. richmsJanuary 7, 2010 at 2:32 AM

    868 should be available to Aussie? Its a valid band in NZ at least, so to be forced to go for the crowded 433 band would suck.

    ReplyDelete
  9. james wilsonJanuary 7, 2010 at 5:34 AM

    I noticed that TI uses the same micro on there new chronos watch development system that they sell for fifty bucks. It would be cool to use the wireless-terminal to display accelerometer hart rate etc info from the chronos watch. here is a link to the product web site. http://wiki.msp430.com/index.php/EZ430-Chronos?DCMP=Chronos&HQS=Other+PR+chronoswiki-pr

    cheers

    ReplyDelete
  10. AnonymousJanuary 7, 2010 at 5:36 AM

    you're a little late and you don't read other people posts, don't you? :)

    ReplyDelete
  11. AnonymousJanuary 7, 2010 at 6:35 AM

    how fo you use the FCC website? i tried the ID you provided and got a list of documents, but there's nothing to download. how do you get the information?

    ReplyDelete
  12. DaveJanuary 8, 2010 at 2:32 AM

    To get the documents from the FCC website, click on the word "Detail" in the "Display Exhibits" column. Good luck

    ReplyDelete
  13. AnonymousJanuary 8, 2010 at 12:14 PM

    woot, received my UZ430 chronos... i'll try to go through datasheets to see if it is possible to make it interact with an IM-ME... and I might invest in one...
    now i'll watch closely your progress with that :)

    ReplyDelete
  14. AnonymousJanuary 12, 2010 at 6:48 AM

    the CC1110F32 is globally the same as the CC1111F32 found in the TI chronos watch USB dongle, without the USB controller but with a bit more I/O... in fact, both theses microcontroller and the CC430fXXXX found in the watch all integrate the same RF "chip", the CC1101...

    now i'm interested and i'll prolly get one... I just hope it can be configured to use 863Mhz band (the chip can, the real question is related to the antenna)

    ReplyDelete
  15. MittensFebruary 23, 2010 at 5:48 AM

    Hey Dave, do you know if there's a mechanism for uploading new firmware into that Cypress Encore USB controller? I would like to port ccflasher to it if possible to save needing to buy an AVR board to make the programmer. I think this would make the dongle a fairly nice CC1110 development board in it's own right.

    I've read through the Cypress datasheet but it's a bit light on details. I get the impression they ship with a flashing utility in the flash which uses some serial protocol other than USB (but uses the USB pins). I don't know if there's any way of telling if that's still in there, how you would activate it if it was or whether they replaced it with something else.

    I did think of downloading the latest software update from im-me and smiffing the USB traffic to see if it might do a firmware update but I realise I've only got one shot at it if it does so I'm a bit reluctant to go ahead and try.

    Any thoughts?

    ReplyDelete
  16. FerdinandMarch 23, 2010 at 1:36 PM

    @Mittens

    It seems that for uploading firmware to the Cypress controller you have to use a special programmer. The one needed for the CY7C63803 would be the MiniProg1 (CY3217) which connects to the controller via the USB bus lines.

    Cypress also offers a tool to create a new firmware free of charge, but I don't think it's worth the effort. You could reverse engineer the communication between the CY7C63803 und the CC1110 on the stick and then just reprogram the CC1110.

    There already is a driver to speak to the usb dongle (http://sourceforge.net/projects/im-megpldrivers/) - using it together with a new firmware on the CC1110 gets you a decent development platform.

    ReplyDelete
  17. AnonymousApril 14, 2010 at 1:45 AM

    whats the possibility of using this as exactly what it's website says it can't do, which is connect to MSN? obviously there would need to be some method of connecting to msn's servers, or catching the MSN/WLM incoming messages, and a way to send them. so an application or plugin would obviously be a must on the pc-side, but I'm curious as to how hard it might be to run a custom script like this on the device itself?
    I'd personally like to have the ability to go away from my PC, in another room, or out in my yard, and be able to send/receive msn messages. this device seems to me like it would be perfect for that use, cheaper, and much less complex than getting a netbook or a PDA.

    ReplyDelete
  18. MikeApril 22, 2010 at 11:15 AM

    Hi - Any update on the Arduino code for this? I'd like to use one to hack around a few ideas...

    ReplyDelete
  19. jal2June 14, 2010 at 7:21 AM

    I've ordered four IM-ME from different vendors at Amazon U.K. and got one device with a CC1110F16 and a slightly different PCB layout marked IM-ME-HH-M1. The case is a darker pink (violet?). goodfet.cc doesn't work out of the box :-(

    See linked picture.

    ReplyDelete
  20. jal2June 14, 2010 at 7:26 AM

    a picture of the PCB of the device with CC1110F16

    ReplyDelete
  21. UnknownAugust 29, 2010 at 7:44 AM

    Have you guys tried to make two IM-ME communicate with eachother?

    ReplyDelete
  22. Joby TaffeyOctober 22, 2010 at 12:40 PM

    Inspired by this, I've been turning the IM-me dongle into a general purpose USB connected CC1110. Proof of concept working:

    http://blog.hodgepig.org/2010/10/22/im-me-usb-dongle-hacking/

    ReplyDelete
  23. AlexDecember 14, 2010 at 5:25 PM

    Great work on the reverse engineering! This is a great find.

    ReplyDelete
  24. AnonymousDecember 17, 2010 at 4:34 AM

    this sucks i ment my toy im me text mesenger

    ReplyDelete
  25. UnknownFebruary 12, 2011 at 2:06 PM

    Hi,

    First, great job! I read all about you and Travis.. You're both so crazy!
    I'm also interested by the source code of the Arduino in order to try it!

    Thanks a lot

    ReplyDelete
  26. YaBaAugust 21, 2011 at 12:39 PM

    Dave, great work.
    Will it be available the arduino code?
    I don't own a GoodFET (yet) and would like to do some tinkering ;)
    Thanks.

    ReplyDelete
  27. AndyJuly 19, 2012 at 2:52 AM

    Hi Dave,

    Any chance of posting some of your Arduino interface code? I'm stuck in a rut and don't have a GoodFET :(

    ReplyDelete
  28. PeterJuly 21, 2012 at 3:46 AM

    Hi group,
    since I found that great blog I'm desperately
    looking for a Im-me here in germany or
    elsewhere. What I found are some ebay offers in U.K. but non of them want to ship to germany.
    Anybody out there who can help?

    Thanks in advance
    Peter

    ReplyDelete
  29. AnonymousJuly 21, 2012 at 5:53 AM

    Hallo Peter,

    ich hab ein IM-ME das ich nicht mehr brauche. Original Firmware ist auch noch drauf. Einen passenden Programmieradapter auf Basis des ccflasher-Projekts liegt auch noch irgendwo rum. Meld dich wenn du Interesse hast.

    Grüße

    ReplyDelete
  30. pelrunMay 1, 2013 at 10:48 PM

    The im-me will take 3.3v on the '2.5v' line without a problem, which makes the other pins 3.3v tolerant. You *must* ensure that the batteries are removed before doing this.

    I successfully programmed mine using a raspberry pi and ccpil from https://github.com/jobytaffey/cctl - no level conversion needed, just wires direct from the debug pads to pins on the rpi gpio header, which is 3.3v.

    ReplyDelete
  31. Toby JaffeyMay 7, 2013 at 9:10 AM

    pelrun,

    Excellent, glad it worked. You may be the first other person to have tried CCPIL.

    ReplyDelete
  32. seditious deliciousAugust 11, 2013 at 4:00 PM

    https://www.youtube.com/watch?v=hxm-LO-KFa8

    ReplyDelete
  33. AnonymousJuly 2, 2018 at 5:07 AM

    Hey ! Is there any way to flash the firmware on CC1110 using raspberry pi over the debug pins of CC1110 (not uart).

    ReplyDelete

Subscribe to: Post Comments (Atom)