view doc/FTDI-EEPROM-tools @ 88:ea7b411aad27
cp2102-decode-ee-desc: decode interface descriptor
author | Mychaela Falconia <falcon@freecalypso.org> |
---|---|
date | Wed, 27 Sep 2023 19:39:44 +0000 |
parents | 930bd5316d56 |
Mother Mychaela has developed a set of Linux command line tools for
manipulating configuration EEPROMs that are attached to FT2232x devices and
accessed in-band via USB.  This document describes these tools.

Supported FTDI chips and EEPROMs
================================

The present tools work with 93C46, 93C56 and 93C66 EEPROMs attached behind
FT2232x dual-channel UART/FIFO/MPSSE/etc chips, both FT2232C/D and FT2232H.
We can read these EEPROMs for examination or backup, and we can program them
with new bits, either restoring a previously saved backup or creating a new
from-scratch configuration.  These EEPROM configurations (which we can save,
restore or create from scratch) set the USB VID:PID and the textual strings
naming the manufacturer, the product model and an optional serial number,
select whether each FT2232x channel will come up in the default UART mode or
one of the other EEPROM-configurable modes (245 FIFO, CPU-style FIFO or fast
opto-isolated serial), and allow a few other obscure chip settings to be
tweaked.

Some work has also been done toward the goal of being able to program the
internal EEPROM in FT232R chips (a very popular single-channel USB to UART
converter needing no external components), but this work should be considered
experimental: the tools appear to work on a UB232R module from Digi-Key
(presumably containing a genuine FT232RQ chip) and on a no-name FT232RL adapter
where the chip is uncertain, but because we have no real production use case
yet, we are not ready to truly vouch for FT232R support.

More generally:

* our fteeprom-read tool should be able to read out the EEPROM content from
  just about any FTDI chip;

* our fteeprom-prog tool should be able to program a user-supplied set of bits
  into any FTDI+EEPROM combo where the EEPROM is a separate chip, or into
  FT232R internal EEPROM - but it most likely won't work for newer FT-X chips;

* if the goal is to generate a new EEPROM config from scratch, as opposed to
  restoring a saved backup, we currently have generators only for FT2232C/D,
  for FT2232H and for FT232R, with the last one considered experimental and
  not proven.

No more libftdi dependency!
===========================

Our initial implementation of fteeprom-* tools was based on libftdi; more
specifically, one had to use an old libftdi-0.x version, as these old versions
were the only ones that allowed writing to the EEPROM directly with
ftdi_write_eeprom_location() API calls.  However, the present version has been
reimplemented to NOT use libftdi at all - instead we have our own minilibs,
maintained as part of fc-usbser-tools package, that are built on top of
libusb-0.x API.  (The version of libftdi we used previously was also built on
top of the same libusb-0.x API, hence no change in that dependency.)

The libusb-0.x API we use consists of <usb.h> include header and -lusb link
library pull-in; on "modern" systems these pieces will typically be provided by
libusb-compat-0.1 package wrapping around libusb-1.x, but in the spirit of Holy
retrocomputing, really old systems can be used with native libusb-0.1.

Selecting the device to operate on
==================================

Our fteeprom-read, fteeprom-prog and fteeprom-erase tools take a device
selector argument, selecting the device to operate on.  The design of this
device selector mechanism has been copied from libftdi; while we no longer use
libftdi, we found its device selector mechanism to be a really good design and
we have fully reimplemented it.

The device selector argument is a string in one of the following formats (some
wording copied from libftdi documentation):

    d:<devicenode> - path of bus and device-node (e.g. "003/001") within USB
    device tree as enumerated via libusb-0.x API.  Libftdi documentation said
    /proc/bus/usb, but at least on Mother's Slackware 14.2 system, the observed
    location of this device tree is /dev/bus/usb.

    i:<vendor>:<product> - first device with given vendor and product id, ids
    can be decimal, octal (preceded by "0") or hex (preceded by "0x")

    i:<vendor>:<product>:<index> - as above with index being the number of the
    device (starting with 0) if there are more than one

    s:<vendor>:<product>:<serial> - first device with given vendor id, product
    id and serial string

If you have only one FTDI device connected to your PC or laptop at the time of
your EEPROM manipulation session (generally a good idea to avoid hitting the
wrong device by mistake) and if that FTDI device has some sensible starting USB
VID:PID (either from the previous EEPROM config or the chip's sans-EEPROM
default) that doesn't clash with anything else, then the i: form will probably
be the most convenient, e.g.:

    i:0x0403:0x6001    for single-channel FT232x devices running with the default ID
    i:0x0403:0x6010    for dual-channel FT2232x devices running with the default ID
    i:0x0403:0xPPPP    for custom PIDs assigned out of FTDI's VID range
    i:0xVVVV:0xPPPP    for totally custom USB IDs

Or if the current device config is totally hosed (the EEPROM has a passing
checksum, but sets some completely bogus USB ID), then the d: form will
probably be required for recovery.

Reading the EEPROM
==================

The basic EEPROM read command is as follows:

    fteeprom-read <device-selector>

See the previous section for the device selector argument.  In this default
form the tool will read the first 64 EEPROM words, which is appropriate for
93C46 external EEPROMs or for the internal 1024-bit EEPROM in the FT232R chip.
However, if you are working with an FT2232x board with an external EEPROM and
that EEPROM is of a larger variety (93C56 or 93C66), this basic form will give
you an incomplete (truncated) read, and you will need one of the following
extended forms to read the complete EEPROM:

    fteeprom-read -b <device-selector>    -- read 128 EEPROM words (93C56)
    fteeprom-read -B <device-selector>    -- read 256 EEPROM words (93C66)

(If you use one of the extended forms on a smaller EEPROM, you will get 2 or 4
copies of the same bits.)

The output of fteeprom-read is in the same format as the input to
fteeprom-prog, thus you can redirect the output to a file and get a restorable
backup copy of your EEPROM.

Change from previous version
----------------------------

In the original libftdi-based implementation of fteeprom-read, the act of
reading the EEPROM was invasive: libftdi's open function would unbind the
kernel's ftdi_sio driver (Channel A ttyUSB device disappears) and
reset/reinitialize the SIO channel itself.  However, it turns out that these
invasive steps aren't needed if the goal is only to read the EEPROM - the
necessary USB control endpoint transactions can be done while the kernel's
ftdi_sio driver remains attached with ttyUSBx devices intact on all channels.
The current version of fteeprom-read has been fixed to be non-invasive in this
regard: you can now freely read the EEPROM of any connected FTDI device
*without* bumping off that device's ttyUSB.

Decoding EEPROM dumps
=====================

The output of fteeprom-read is a raw hex dump of the EEPROM; a few of these
dumps are included in the artifacts directory in the fc-usbser-tools
distribution.  You can study these dumps directly in hex using the knowledge
base gathered in FTDI-EEPROM-format article, but there is also a utility that
decodes the most basic EEPROM settings that are common across all known FTDI
chips.

You can run ftee-decode like this:

    ftee-decode <eeprom-image-file>

or reading from stdin:

    fteeprom-read <device-selector> | ftee-decode -

Programming the EEPROM
======================

In terms of the primitives provided over USB, writing to EEPROMs sitting behind
FTDI chips is accomplished by writing one 16-bit word at a time: the
SIO_WRITE_EEPROM_REQUEST command writes a user-supplied word at a user-supplied
EEPROM address.  However, our fteeprom-prog tool currently supports only
writing complete EEPROMs (64 or 128 or 256 16-bit words starting at address 0)
and we do not currently provide any kind of "random access write" utility; the
primary reason for this design decision is practical usefulness: FTDI's EEPROM
structure includes a checksum over the first 64 words for 1024-bit EEPROMs or
over the first 128 words for larger ones, and if this checksum fails to match,
the entire structure is deemed to be invalid - hence there is no practical use
case for selectively rewriting individual words.

The only exception may be with 93C66 EEPROMs: on these giants only the first
half would be subject to the checksum, and the second half could be used
arbitrarily.  However, we have not yet encountered any boards out in the wild
with such big EEPROMs, and we have no plans to use such in any of our own
hardware designs either, hence there is no business case at the present moment
to develop tooling support for them.

There are two primary modes of usage for our fteeprom-prog tool: restoring a
saved EEPROM backup or writing a new EEPROM config which you generate yourself.

To restore a saved EEPROM backup, run the tool as follows:

    fteeprom-prog <device-selector> <eeprom-image-file>

To program a new EEPROM config of your own, run a pipeline of this form:

    <generator-tool> | fteeprom-prog <device-selector>

fteeprom-prog reads the EEPROM image from stdin if no image file is named on
the command line; the image format is the same in both cases, and the length of
this EEPROM image tells the tool how many words need to be programmed - there
are no -b or -B options to fteeprom-prog.

Generator tools
===============

Unfortunately FTDI never documented the format of their EEPROM configuration
structure - apparently they consider it a proprietary trade secret just like
the wire protocol spoken over USB between their chips and their closed-source
proprietary drivers.  All FOSS community support for these chips is based on
reverse engineering, and that includes the EEPROM format.

The present suite of tools includes ftee-gen2232c and ftee-gen2232h EEPROM
image generators, meant for use with FT2232C/D and FT2232H chips, respectively.
These tools are based on the knowledge extracted from other (pre-existing)
community tools, primarily the EEPROM config code built into various libftdi
versions - we haven't done any FTDI RE of our own, instead the goal of this
project has been to create a set of tools that are better fit for production
use.  The knowledge base we have collected is documented in FTDI-EEPROM-format
article.

Our ftee-gen2232c and ftee-gen2232h tools are invoked as follows:

    ftee-gen2232[ch] [size-option] <config-file> [serial-num]

The output of these generator tools is meant to be piped directly into
fteeprom-prog.  The philosophy of which settings are given in the config file
vs. which ones are given on the command line reflects configuration management
and factory production line operations.
In the envisioned usage there would be a config file for each product, giving
the USB VID:PID, textual manufacturer and product ID strings and possibly other
config settings which need to be changed from the defaults, but the optional
serial number string is given on the command line because it would be different
for each individual unit being programmed.

The detailed format of ftee-gen* input language (config source files) is
documented in FTDI-EEPROM-format article.

EEPROM size selection
---------------------

In the original design of these tools the EEPROM size selection is made on the
command line, so that the same config can be programmed into a smaller EEPROM
or a bigger one.  By default our tools generate an image suitable for a 93C46
EEPROM: the generated image is 64 words long, with a checksum in word 63, and
the EEPROM type byte in FTDI's structure is set to 0x46.  Running with -b
produces an image for a 93C56 EEPROM: the EEPROM type byte is set to 0x56, and
the checksum-covered image length is extended to 128 words.  Finally, -B sets
things up for a 93C66 EEPROM: the EEPROM type byte is set to 0x66, but the
generated checksum-covered image is still 128 words long just like with -b, as
that is what FT2232x chips apparently expect.  I said "apparently" because I
don't have any FT2232x hardware with 93C66 EEPROMs and I don't plan on
acquiring or building any, hence this minimal 93C66 support is completely
untested - use at your own risk.

In the current design it is also possible to set the EEPROM size in the config
source file - if the EEPROM size is set there, the command line options for it
become redundant.  If the command line options for EEPROM size conflict with
the config source, the result is an error.  For symmetry with -b selecting
93C56 and -B selecting 93C66, there is also -s option selecting 93C46
explicitly.

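
An added example (not code from fc-usbser-tools) of the checksum layout
described above: which words are covered for each EEPROM type byte, and why a
blank or partially rewritten image is rejected.  The checksum algorithm itself
is not given in this document; the one used here is the one found in libftdi's
EEPROM code, and all function names are made up for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Checksum-covered image length in 16-bit words, keyed by the EEPROM type
 * byte values given in the text: 64 for 93C46, 128 for 93C56 and 93C66. */
size_t ftee_covered_words(uint8_t eeprom_type)
{
    switch (eeprom_type) {
    case 0x46: return 64;
    case 0x56:
    case 0x66: return 128;
    default:   return 0;               /* unknown type byte */
    }
}

/* ASSUMPTION: algorithm as in libftdi's EEPROM code, not stated in this
 * document.  Seed 0xAAAA; for every covered word except the last one:
 * XOR the word in, then rotate the 16-bit sum left by one bit. */
uint16_t ftee_checksum(const uint16_t *img, size_t covered)
{
    uint16_t sum = 0xAAAA;
    size_t i;

    for (i = 0; i + 1 < covered; i++) {
        sum ^= img[i];
        sum = (uint16_t)((sum << 1) | (sum >> 15));
    }
    return sum;
}

/* Store the checksum in the last covered word: word 63 of a 64-word image as
 * the text states; the last word of a 128-word image is assumed by analogy. */
void ftee_seal(uint16_t *img, size_t covered)
{
    img[covered - 1] = ftee_checksum(img, covered);
}

/* Validate an image of nwords words as read back from the chip.  Words past
 * the covered length (second half of a 93C66) do not affect the result. */
int ftee_image_valid(const uint16_t *img, size_t nwords, uint8_t eeprom_type)
{
    size_t covered = ftee_covered_words(eeprom_type);

    if (covered == 0 || nwords < covered)
        return 0;                      /* truncated read or unknown type */
    return img[covered - 1] == ftee_checksum(img, covered);
}
```

With this algorithm an all-ones (blank) image computes to 0xAAAA rather than
0xFFFF, so a blank EEPROM never passes validation, and changing any single
covered word without resealing always changes the expected checksum.
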
It also needs to be noted that with our current RE-based understanding of
FTDI's undocumented EEPROM structure, using a bigger EEPROM does NOT provide
more room for strings: all that happens with -b and -B options is that a gap of
64 unused EEPROM words is inserted between the end of the fixed structure and
the beginning of strings.  The exact same arrangement has been observed in all
93C56 EEPROM images found in the wild, presumably produced with FTDI's official
tools, including FTDI's own USB-COM232-PLUS2 board - thus it is not clear at
all if FT2232x chips actually support longer strings with bigger EEPROMs, and
if not, what does one need a bigger EEPROM for...

Installation directory for EEPROM config files
----------------------------------------------

If the name of the config file passed to ftee-gen* does not contain any '/'
characters, the named file is sought first in an installation directory
(/opt/freecalypso/ftdi) and then in the current directory.  To suppress this
search path and read EEPROM config files only from the current directory,
specify your config file as ./name - filenames (pathnames) containing slashes
are read as-is.

This installation directory and search mechanism have been added in order to
allow standard (usually developed at FreeCalypso HQ) FTDI EEPROM configs which
end users can then program into their boards by executing a fixed command line
given in a manual.

FT232R differences
==================

The EEPROM generator tool for FT232R is ftee-gen232r; it works on the same
principle as ftee-gen2232[ch] for FT2232x.  However, when you run fteeprom-prog
to program FT232R's internal EEPROM (whether you are restoring a backup or
programming the output of ftee-gen232r), you need to add -r option before the
device selector string.
This option tells fteeprom-prog to execute the FT232R-specific magic sequence
(documented in FT232R-notes) before proceeding to actual EEPROM writes -
without this option the EEPROM content will be garbage (bitwise AND of old and
new EEPROM images), producing the appearance of a bricked chip.

In the previous libftdi-based version of fteeprom-prog the magic sequence in
question was executed unconditionally - however, because it is needed only for
FT232R and because we could simplify our new sans-libftdi code by implementing
it in an FT232R-only manner (no support for different "index" values for
multichannel FTDI devices), we've changed it from unconditional to -r option.
Experiments show that fteeprom-prog -r option appears to be harmless (though
unnecessary) on FT2232D and FT2232H - however, Mother's recommendation is to
use it only on FT232R devices.

Erasing the EEPROM (making it blank)
====================================

If you are playing with a "generic" FT2232x breakout board that is made for
tinkering, as opposed to a more finished product, such boards are typically
shipped with their EEPROMs completely blank.  In that case restoring the EEPROM
to its "pristine" state after playing around would mean erasing it, i.e.,
bringing it into a blank (all ones) state.

FT2232x chips provide two ways to do so: one can explicitly write 0xFFFF into
each individual EEPROM word with SIO_WRITE_EEPROM_REQUEST, or one can send a
SIO_ERASE_EEPROM_REQUEST command to the chip, and the chip then erases the
entire EEPROM.  But we don't know how the latter SIO_ERASE_EEPROM_REQUEST
operation is implemented by FT2232x chips: does the FT2232x chip go through and
erase each word individually, or does it issue an "erase full chip" opcode to
the serial EEPROM?  If the latter, then according to some EEPROM datasheets
that operation may not work if the EEPROM is powered from a 3.3V rail rather
than the full USB 5V - may be an issue in FT2232H-based designs.
In any case our tools provide both ways.  To perform the "automatic full chip
erase" operation, run the following command:

    fteeprom-erase <device-selector>

To blank the EEPROM by writing 0xFFFF into each word, run one of the following
pipelines:

    ftee-mkblank | fteeprom-prog <device-selector>       -- blank a 93C46 EEPROM
    ftee-mkblank -b | fteeprom-prog <device-selector>    -- blank a 93C56 EEPROM
    ftee-mkblank -B | fteeprom-prog <device-selector>    -- blank a 93C66 EEPROM

Unbinding of ftdi_sio ttyUSBx devices
=====================================

By default, fteeprom-prog and fteeprom-erase utilities command the Linux
kernel's ftdi_sio driver to unbind from all interfaces of the target chip,
causing all associated ttyUSB devices to disappear.  These ttyUSB devices will
come back in the new configuration when you unplug and replug the USB device
after programming.

If you are a hacker and you really know what you are doing, you can suppress
this logic with -n option - however, doing so is generally not recommended:

* An unplug-replug manipulation is required for the new EEPROM programming to
  take effect.  Removal of ttyUSB devices forces the user to unplug and replug
  the USB device to get them to come back.

* In the case of FT232R, the special magic sequence it requires for EEPROM
  programming (fteeprom-prog -r) is invasive/disruptive to normal UART
  operation, hence it isn't really compatible with ttyUSB sticking around.

Please refer to Replug-after-EEPROM-write article for additional notes.
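
The device selector formats from the section "Selecting the device to operate
on", as an added strict parser (an illustration, not the parser in
fc-usbser-tools; all type and function names are made up for this example).
It assumes vendor and product IDs must fit in 16 bits and rejects signs, empty
fields and trailing junk, so that a mistyped selector fails instead of matching
an unintended device.

```c
#include <errno.h>
#include <stdlib.h>

enum sel_kind { SEL_BAD, SEL_DEVNODE, SEL_ID, SEL_ID_INDEX, SEL_SERIAL };

struct selector {
    enum sel_kind kind;
    unsigned vid, pid, index;
    const char *str;       /* devnode path or serial string (points into input) */
};

/* Parse one number ending at ':' or end of string.  Base 0 gives the three
 * notations in the text: decimal, octal (leading "0"), hex (leading "0x"). */
static int parse_num(const char **pp, unsigned long max, unsigned *out)
{
    char *end;
    unsigned long v;

    if (**pp < '0' || **pp > '9')       /* no sign, whitespace or empty field */
        return -1;
    errno = 0;
    v = strtoul(*pp, &end, 0);
    if (errno || v > max || (*end != ':' && *end != '\0'))
        return -1;
    *out = (unsigned)v;
    *pp = end;
    return 0;
}

struct selector parse_selector(const char *s)
{
    struct selector r = { SEL_BAD, 0, 0, 0, NULL };
    const char *p;

    if (!s || !s[0] || s[1] != ':' || !s[2])
        return r;
    p = s + 2;
    if (s[0] == 'd') {                  /* d:<devicenode>, e.g. "003/001" */
        r.kind = SEL_DEVNODE; r.str = p;
        return r;
    }
    if ((s[0] != 'i' && s[0] != 's') || parse_num(&p, 0xFFFF, &r.vid)
        || *p++ != ':' || parse_num(&p, 0xFFFF, &r.pid))
        return r;
    if (s[0] == 'i' && *p == '\0') {    /* i:<vendor>:<product> */
        r.kind = SEL_ID;
    } else if (s[0] == 'i') {           /* i:<vendor>:<product>:<index> */
        p++;                            /* index bound is this example's choice */
        if (parse_num(&p, 0xFFFF, &r.index) == 0 && *p == '\0')
            r.kind = SEL_ID_INDEX;
    } else if (*p == ':' && p[1]) {     /* s:<vendor>:<product>:<serial> */
        r.kind = SEL_SERIAL; r.str = p + 1;
    }
    return r;
}
```

The placeholder forms shown earlier, such as i:0x0403:0xPPPP, come back as
SEL_BAD because "0x" with no valid hex digits after it does not form a
complete number.
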