Saturday, October 17, 2009

CC2430 Debug Protocol, First Notes

by Travis Goodspeed <travis at>
with thanks to Peter Kuhar

CC2430 Node

The following are my notes on the debugging mechanism of the CC2430 and other chips (such as the CC2530) from Chipcon using an 8051 core. These notes do not apply to the upcoming CC430. As most of this was written before I implemented the protocol, plenty of errata are likely to exist.

These notes are intended for those who wish to understand how the device is programmed, not for those who merely want a device programmer. See CCFlasher or the GoodFET for that.

Be sure to have a copy of SWRA124, which is the official documentation for this protocol.

Concerning pins, there are three related to debugging. Debug Data (DATA) is a synchronous, bidirectional data line. Debug Clock (DCLK) is its clock, but its edges also control when commands are interpreted, and it is crucial to initializing the chip's debugging unit. The third pin, !RST, puts the chip into a reset state when pulled low, but is also used to start the chip with the debugger enabled. The clock idles low, while !RST idles high. Data is posted during the rising edge, sampled during the falling edge. As there is no equivalent of the SPI !SS pin, it is necessary to dead-reckon commands; a command of incorrect length will cause unneighborly consequences.

To initialize the debugger, pull !RST low while sending two clock pulses on DCLK. It will look something like this,
CC2430 Debug Initialization

The command byte 0x34 looks something like this,
CC2430 Data

Concerning commands, once the debugger has been initialized, the chip will accept a command byte, optionally followed by up to three additional parameter bytes. It will then reply with at least one byte, which might be discarded. Some commands reply with two bytes rather than one.

A command byte is composed of 8 bits. Bits 1 and 0--the least significant--contain the number of data bytes following the command. Bit 2 is labeled "return input byte to host", but it doesn't appear to be observed regularly by the documented examples. The remaining five bits specify the command itself.

Only twelve commands are described in the documentation, but either 16 or 32 commands are possible, depending upon whether the MSBit is variable or fixed to 0 as a sort of start bit.

These commands were chosen to be easy to implement in hardware. They include CHIP_ERASE, RD_CONFIG, WR_CONFIG, HALT, RESUME, GET_PC, and DEBUG_INSTR. There are no primitive commands for peeking or poking memory, nor for managing flash. Instead, macro commands are built up by using DEBUG_INSTR.

Concerning command execution, it is clear from the documentation that a command with no parameters begins to execute at the instant of the eighth falling debug clock edge. Multi-byte commands likely execute on multiple clock edges, each being the last falling edge of an instruction.

In any case, to debug a command, you simply send DEBUG_INSTR (0x54) summed with the length of the instruction, up to 3 bytes, then read a single byte reply. So to execute "NOP", send {0x55, 0x00}. Except for a jump, this will not affect the program counter.

Concerning memory access, there are no debugging commands to read or write memory. Instead, DEBUG_INSTR (0x54) is used to do the same. For example, to fetch from Data memory, first debug {0x90, AH, AL} to move the address into the data pointer. Then debug {0xE0, 0, 0} to MOVX from the data pointer into A. The 0's aren't part of the instruction, but they are necessary to give the device time to fetch the target of the pointer.

The is the code that fetches a byte from Data memory,

Concerning the writing of Flash, it is necessary to load a RAM buffer, then to copy that buffer into Flash by use of a short assembly script. Flash may only be erased in 2kB pages, and it may only be written as 32-bit words. The code that performs this is found on page 11 of SWRA124, and you'll find it in Data memory if you look hard enough after a programmer that doesn't cover its tracks.

You will find this code in the GoodFET source.
CC2430 Flash Routine

You will find the same code in RAM after programming.
CC2430 Flash Routine

Concerning the protection of Code memory, there is a lock bit in a hidden page of Flash memory. By setting the lowest configuration bit (by WR_CONFIG), the lowest 2kB of flash memory will be mapped to a special information region. Clearing the least significant bit of the first byte will lock the chip, causing it to refuse debugging after a full-power reset. Access to debugging instructions can only be regained after executing a CHIP_ERASE, which erases all of Flash memory.

At Black Hat USA in August of 2009, I presented a paper entitled Extracting Keys from Second Generation Zigbee Chips. The vulnerability, demonstrated in the image below, is that Data memory is not cleared along with Flash memory during a CHIP_ERASE. By booting a wireless sensor, then erasing it, then dumping RAM, the attacker can find any keys which are stored within the unit. This works even for constant keys, as 8051 compilers will copy them into RAM in order to make C pointers consistent.
CC2430 Vulnerability Test

In implementing a debugger, it's also necessary to watch out for a minor bug. Upon connecting, be sure to DEBUG_INSTR a NOP so as to have the lock bit checked. Failure to do so might cause the lock bit to be misrepresented when checking the device's status.

In conclusion, the protocol is blessedly simple and the 16 pages of documentation are quite complete when supplemented with the CC2430 datasheet. I hope that these notes might allow you to implement the protocol with less of a headache than I have.


Unknown said...

Nicely written. I have a new custom board where CC2430 is set to communicate with another CC2430 through the debug interface. The basic idea is that I will be able (hope so) to send .hex -file from PC like TI's Flash Programmer does with Chipcons(TI's) development board. I am just little worry about the coding?!? How long it took from you to code the interface?

Travis Goodspeed said...

Howdy Tinho,

I didn't take too terribly long for me to write the library, but you can grab my code and port it to your board. (BSD License, just leave the copyright statements intact and buy me a beer if we should ever meet.)


svn co

Travis Goodspeed said...

Thanks to a neighbor for pointing out that CC2530 and CC2531 extensions are in SWRU191.

andre said...
This comment has been removed by the author.
Unknown said...

Hi Travis,

Took me a little time to check this page again. Many thanks for sharing your library. At least your name is easy to remember so I'll by you a beer if we meet:)

Anonymous said...

Fantastic post! Tank you!

Travis Goodspeed said...

For a practical target of this, check out Dave's post on IM-ME Hacking. The CC1110 in the IM-ME is compatible with this protocol.


Unknown said...

Do you know whether the Data memory is still not cleared after CHIP_ERASE? TI have released several updates to the CC2430.

Angel Claudia said...

We are among the best online companies providing affordable custom research paper writing services. When you purchase custom research paper, you get the services of experts and specialists in your field.

Taylor Bara said...

Well, here is a good example of position paper. You need to read it carefully!

onlineAssignmenthelp said...

Gone are the days when relying on the tutors was the only option. With the changing times, you need to adopt the modern and necessary ways to complete your assignment. Contact The Tutors Help and avail all the assignment services at lower rates. , assignment helps Sydney Level 5,121 Castlereagh Street Sydney, NSW 2000 whatsapp +61-280-062-221 Seemore-

onlineAssignmenthelp said...

Assignment forms the base of academics. They are the task given to the student to make them self responsible as a part of the educational system. The assignments are provided to strengthen the creativeness as a student grasps more by studying practically. The assignments develop the skills that prepare the students for exams and helps them to attain impressive ideas to significant limits. Assignment Help in Sydney Level 5,121 Castlereagh Street Sydney, NSW 2000 whatsapp +61- 280-062-221 Vistes-

Unknown said...

scar removal cream in pakistan

scar removal cream in pakistan

Unknown said...

anti pimple soap

anti pimple soap

Unknown said...

Cat 3 Combinaison Type 5/6 blanche
COMBINAISON avec coutures couvertes
Housse de protection en SMS non tissé avec chevilles, visage, poignets et taille élastiqués pour ajuster la taille. Egalement avec rabat auto-adhésif pour une meilleure fermeture par l’avant.
Type 5 & 6 avec conformité totale à la classification selon EN 14325
Matériel: SMS 100% Polypropylène 50 g / m2
Couleurs disponibles: Blanche
Taille: XL-XXL
Emballage: 50 Pièces Combinaison jetable

نوال الخطيب said...

تتعرض اغلب المكيفات فى المنازل الى تراكم الاتربة والغبار عليها وذلك غالبا بسبب كثرة التشغيل او تعرض المكيف للهواء بسبب فتح النوافذ

شركه تنظيف مكيفات بخميس مشيط
ولكن تعتبر هذه الاتربة والغبار من اكثر الاشياء ضررا على المكيف حيث ان تراكم الغبار على المكيف يؤدى الى حدوث العديد من الاعطال به ومن هذه الاعطال تسريب المكيف للمياه

شركه تنظيف مكيفات بالجبيل
بسبب انسداد المبخرة بالاتربة والغبار وضعف كفاءة المكيف وعدم قدرته على التبريد واعطال اخرى كثيرة ونظرا لاهمية المكيف فى المنزل فإنه لابد من المحافظة عليه والاهتمام بتنظيفه وذلك ايضا لان تنظيف المنزل يعكس ايضا منظر جمالى على المنزل
بأكمله وقد يصعب على الافراد القيام بتنظيف المكيف بأنفسهم ولابد لهم من ان يستعينوا بشركة متخصصة فى تنظيف المكيفات الموجودة بالمنازل وتعد شركة تنظيف مكيفات بخميس مشيط اكثر شركة مناسبة للقيام بعملية التنظيف وذلك لخدماتها العديدة التى تقدمها وتميزها فى مجال تنظيف المكيفات عن باقى الشركات .

شركه تنظيف مكيفات بخميس مشيط

شركه تنظيف مكيفات بالجبيل

Unknown said...



Mobile app development company said...

Wonderful post. Thanks for sharing this amazing article. I would like to share information about appconsultio, our mobile application development company is more than just lines of code; we are the architects of innovation. Partner with us to embark on a journey where your concepts transcend limitations and become vibrant, intuitive, and indispensable mobile realities.

Jewel Galore said...

Jewelgalore presents an enchanting collection of necklace set . Explore our range of elegantly crafted pieces, each designed to add a touch of sophistication and charm to your style.


Navigate the academic landscape of osh state medical university, home to the esteemed osuimf. Aspiring medical practitioners converge in Osh to absorb the institution's wealth of knowledge and expertise.

Shalamar Hospital said...

If you're seeking the best cancer care, Shalamar Hospital stands out as a dedicated cancer hospital , providing comprehensive oncology services and support for those in need.

Georgetown Fitness said...

Georgetown, Texas offers a wide range of fitness centers that cater to the diverse needs and preferences of its residents. These fitness centers provide state-of-the-art facilities and equipment, ensuring that individuals can achieve their fitness goals in a safe and comfortable environment. Whether you are a beginner looking to kickstart your fitness journey or a seasoned athlete seeking to enhance your performance, there is a Gyms in georgetown tx that suits your needs.

The fitness centers in Georgetown boast a variety of amenities to enhance your workout experience. From spacious workout areas equipped with the latest cardio and strength training machines to dedicated spaces for group exercise classes, these gyms have it all.

Jewel Galore said...

Explore the exquisite collection of earrings online Pakistan at Jewelgalore. Find the perfect pair to adorn yourself with elegance and style, all conveniently available for purchase from the comfort of your home.