concerning the Girltech IM ME,
with a million thanks to Dave.
WARNING: Reflashing the CC1110 while batteries are low will permanently lock the chip. Either be damned sure to use fresh batteries or leave the batteries out and power the IMME from your GoodFET.
Howdy y'all,
This brief tutorial describes the process of reflashing the Girltech IM ME with custom firmware, so that it may be used as a development platform for the Chipcon CC1110 sub-GHz ISM System-on-Chip. I assume the reader to have an assembled GoodFET with recent firmware, but other programmers may of course be substituted.
You should also read Dave's first article on IM ME hacking, as it describes his method for reprogramming the device. All the pinouts below were taken from his articles, as well as the keyboard and LCD information that he was so neighborly as to publish.
Wiring
First, you'll need to purchase an IM ME, which can be had for $20 USD on a few toy sites while it remains in stock. You'll also need an assembled GoodFET and basic electronics tools.
The testpoints used for programming the IM ME are located behind the batteries in the rear compartment of the device. Ideally, a bed of nails should be used to clip into it, but failing that, just solder on to the Debug Data (DD), Debug Clock (DC), Reset (!RST), and GND pins. Run these to the GoodFET's 14-pin header as shown below.
From left to right on the IM ME, the pins are !RST, DD, DC, +2.5V, and Ground. Because the GoodFET is a low-voltage device, there's no need for the resistor dividers in Dave's article. Use EITHER the GoodFET OR the batteries for VCC, but not both.
| Name | Pin |
| Name |
|---|---|---|---|
| DD | 1 | 2 | Vcc |
|
| 3 | 4 | Vcc |
| RST | 5 | 6 |
|
| DC | 7 | 8 |
|
| GND | 9 | 10 |
|
|
| 11 | 12 | |
|
| 13 | 14 |
|
Flashing
Once you have the IM ME wired up, you can check its model number and status by running `goodfet.cc status'. This will tell you that the chip is locked, so making a backup of its firmware is non-trivial. If you continue from here, the IM ME will no longer function as an instant messenger.
Erase the chip by 'goodfet.cc erase' then dump an image of RAM as 'goodfet.cc dumpdata immeram.hex' to see if anything neighborly can be found inside.
You now have a blank IM ME, with the LCD most likely showing the last gasping breaths of its firmware. To flash a new firmware image, just grab its ihex file and run 'goodfet.cc flash foo.hex'.
I've placed a few example binaries in the repository of an operating system that I've started for the IM ME called GoodME. To flash Dave's LCD Test, run the following commands.
svn co https://goodfet.svn.sourceforge.net/svnroot/goodme
goodfet.cc flash goodme/bins/dave-lcdtest.hex
For a more functional demo, try bins/term-morse824mhz.hex, an ugly hack of an operating system for the IM ME with a Morse code transmitter and random number generator demo. In the Radio demo, holding any of the letter buttons broadcasts on 824MHz. The PRNG demo, shown below, demonstrates the repetition of strings withing the psuedo-random number generator and counts the number of bytes between them. This is sometimes used for key material.
Custom Development
The SDCC compiler is in the package repositories of most civilized operating systems. You might need a more recent version for the cc1110.h header, though building this compiler is a thousand times simpler than GCC. Compiling an example is as simple as sdcc foo.c; packihx <foo.ihx >foo.hex, which will produce a suitable Intel Hex file for flashing. The 8051 memory model makes specifying a chip model unnecessary, a handy deviation from those of us with a thousand MSP430 linking scripts.
Within the GoodME repository, you'll find my bastard child of an operating system at /branches/rough/. It was used to make the term-morse824mhz.hex, and its keyboard, font, and LCD drivers are ripe for organ transplants. /trunk/ ought to someday contain a proper operating system for the device, but for now, I haven't the time to complete it.
Have fun, and build something neighborly,
--Travis
21 comments:
Care to tell us where we can still get this device? I'm very interested in buying some and trying this. I'm from South Africa so they need to be able to ship internationally
I am really enjoying your postings, you are taking recyling to another level - thank you very much for sharing - looking forward to the next im-me bulletin, I have got a few which needs a real life
Maybe we could get Tetris on this thing? have to turn it sideways, I'd guess. Will the screen do bit-mapped graphics?
tvdbon: Amazon.com could probably supply one (or some) to you...
Howdy y'all,
Feel free to copy any of the hardware interface code from my IMME software in order to write your own. There's no sense re-inventing the wheel.
--Travis
See Mike Ossmann's article, A $16 Pocket Spectrum Analyzer. It is by far the useful application released for the IM ME.
Today I got my im-me and disassembled both the terminal and the usb receiver. It seems that the kind folks over at Mattel also brought out the debug connections on the usb stick. They are accessible through 5 vias - you just have to remove the clipped on cover from the stick.
I have no access to a programmer for the CC1110 right now, so I can't verify my findings. If someone is interested in trying this out please contact me.
Howdy Ferdinand,
You can find the dongle pinouts in this photo. Email me your address and I'll send some GoodFET boards your way.
--Travis
All this is pretty cool! My daughters each have an IM-ME and they love playing with them. But my house is all Macs, so whenever they want to play I have to drag out an old PC laptop just so they can chat (Yes, they are in the same house. Why do they need an IM-ME to chat? I don't know, ask them :-)
It occurs to me that these devices should be able to talk directly to each other, right?
I'm interested in 3 things:
1) Getting the units to talk to each other
2) Getting other kid-stuff running on them (simple games, homework list, etc.)
3) Getting the devices to talk to a Mac
Is there a forum or mailing list for IM-ME hacking? I'd like to have a way to discuss these sorts of things with other.
=[ I hooked up my goodfet but can't get it to erase. Maybe I'm getting my wiring mixed up.
Howdy Ali,
I just patched a bug that prevented Chipcon debugging from working on the GoodFET3x boards. GF2x was unaffected.
Run 'goodfet.bsl --fromweb' to upgrade.
--Travis
Hey Travis,
The new firmware works a treat.
Thanks.
Hi Travis... are you still providing the GoodFET boards? How do I get a couple here in Ireland?
Howdy Gerryk,
Plenty of GoodFET31 boards remain. See the GoodFET Ordering Page for boards, $5/unit for professionals and free for students.
--Travis
Has anybody done this programming with an Arduino or BusPirate? Building up a GoodFET wouldn't be a huge problem, but I've got some other programmer-capable hardware already sitting here...
I posted this to hackaday, but should have posted it here.
Travis:
So, I just read section 4.4 of P25 .pdf (Why Special Agent Johnny Still Can't Encrypt) and I thought. I have to build something like this, but how.
And it looks like I found the precious source.
What a cool use for a purple and pink kids toy. GirlTech’s design and marketing has really annoyed me throughout the years — I put up my brand about the same time they started theirs. I’ve always felt that green+pink on black and lockpicking was a better way to subvert the other girls out there into the computer and hack scene, but I am totally enamored by the hacks that ya’ll have done on this purple quote unquote girly device. And next time I am required to babysit (doesnt happen very often, muahaha.) I think it's going to be mandatory that I have one of these to bring along.
Guess I'm going to get started. . . .
(I'm emailing you about GoodFet now, cheers.)
Mad Props and Mad Love for feeding the fire!
Ivy aka GirlTech$ (The Original Gangster/Original Princess :P )
Greetings Travis and Fellow GoodFET-teers.
I am using GoodFET31 w/ IM-ME. When I run goodfet.cc status I receive the following:
Resyncing.
Resyncing.
Resyncing.
Resyncing.
SmartRF not found for this chip.
Status: erase_busy cpu_halted pm0 locked oscstable
Is this message abnormal, please advice. Thank you.
-LANimosity-
Same message was received when attempting goodfet.cc erase
#goodfet.cc erase
SmartRF not found for this chip.
Status: erase_busy cpu_halted pm0 locked oscstable
Status: cpu_halted pm0 locked oscstable
I am really enjoying your postings, you are taking recycling to another level. That's great. I am looking forward for more good post from your side. Keep posting. Cheers!
medical card scanner
Post a Comment