FreeCalypso > hg > freecalypso-hwlab
view doc/FTDI-EEPROM-tools @ 55:db9adb7a1529
eeproms/dumps/FT232BM-RS232-cable: another read-out specimen
author | Mychaela Falconia <falcon@freecalypso.org> |
---|---|
date | Thu, 09 May 2019 23:16:20 +0000 |
parents | 311c800268b8 |
children | 0514e3520be3 |
line wrap: on
line source
Mother Mychaela has developed a set of Linux command line tools for manipulating configuration EEPROMs that are attached to FT2232x devices and accessed in-band via USB. This document describes these tools. Supported FTDI chips and EEPROMs ================================ The present tools work with 93C46, 93C56 and 93C66 EEPROMs attached behind FT2232x dual-channel UART/FIFO/MPSSE/etc chips, both FT2232C/D and FT2232H. We can read these EEPROMs for examination or backup, and we can program them with new bits, either restoring a previously saved backup or creating a new from-scratch configuration. These EEPROM configurations (which we can save, restore or create from scratch) set the USB VID:PID and the textual strings naming the manufacturer, the product model and an optional serial number, select whether each FT2232x channel will come up in the default UART mode or one of the other EEPROM-configurable modes (245 FIFO, CPU-style FIFO or fast opto-isolated serial), and allow a few other obscure chip settings to be tweaked. Some work has also been done toward the goal of being able to program the internal EEPROM in FT232R chips (a very popular single-channel USB to UART converter needing no external components), but this work has not been finished yet, and the present tools should NOT be used to attempt an EEPROM write on that chip - the risking of bricking the chip is too high. More generally, our fteeprom-read tool should be able to read out the EEPROM content from just about any FTDI chip including FT232R, whereas our fteeprom-prog tool should be able to program a user-supplied set of bits into any FTDI+EEPROM combo where the EEPROM is a separate chip - but it is NOT safe to use on FTDI chips like FT232R or FT-X that have their EEPROM built in. Furthermore, if the goal is to generate a new EEPROM config from scratch, as opposed to restoring a saved backup, we currently have generators only for FT2232C/D and for FT2232H. (We also have a generator program for FT232R, but it is of no use for as long as fteeprom-prog is not safe to use on FT232R chips.) libftdi dependency ================== We use libftdi (which is in turn layered on libusb) to issue the special USB control pipe commands to FTDI chips which are needed to read and write their EEPROMs. We use old-style libftdi-0.x (-lftdi on the link line) as opposed to libftdi1 (-lftdi1) because the new versions took away the ability to write to the EEPROM directly with ftdi_write_eeprom_location() calls, forcing users to go through libftdi1's own EEPROM smarts, which we don't want to do - our tools are all about more direct user empowerment at the lowest level. Selecting the device to operate on ================================== Our fteeprom-read, fteeprom-prog and fteeprom-erase tools take a device selector argument, selecting the device to operate on. This required argument is the string to be passed to the ftdi_usb_open_string() function in libftdi, allowing the device to be operated on to be selected in one of several ways. Copying from libftdi documentation, the available formats are: d:<devicenode> - path of bus and device-node (e.g. "003/001") within usb device tree (usually at /proc/bus/usb/) i:<vendor>:<product> - first device with given vendor and product id, ids can be decimal, octal (preceded by "0") or hex (preceded by "0x") i:<vendor>:<product>:<index> - as above with index being the number of the device (starting with 0) if there are more than one s:<vendor>:<product>:<serial> - first device with given vendor id, product id and serial string If you have only one FTDI device connected to your PC or laptop at the time of your EEPROM manipulation session (generally a good idea to avoid hitting the wrong device by mistake) and if that FTDI device has some sensible starting USB VID:PID (either from the previous EEPROM config or the chip's sans-EEPROM default) that doesn't clash with anything else, then the i: form will probably be the most convenient, e.g.: i:0x0403:0x6001 for single-channel FT232x devices running with the default ID i:0x0403:0x6010 for dual-channel FT2232x devices running with the default ID i:0x0403:0xPPPP for custom PIDs assigned out of FTDI's VID range i:0xVVVV:0xPPPP for totally custom USB IDs Or if the current device config is totally hosed (the EEPROM has a passing checksum, but sets some completely bogus USB ID), then the d: form will probably be required for recovery. Reading the EEPROM ================== The basic EEPROM read command is as follows: fteeprom-read <device-selector> See the previous section for the device selector argument. In this default form the tool will read the first 64 EEPROM words, which is appropriate for 93C46 external EEPROMs or for the internal 1024-bit EEPROM in the FT232R chip. However, if you are working with an FT2232x board with an external EEPROM and that EEPROM is of a larger variety (93C56 or 93C66), this basic form with give you an incomplete (truncated) read, and you will need one of the following extended forms to read the complete EEPROM: fteeprom-read -b <device-selector> -- read 128 EEPROM words (93C56) fteeprom-read -B <device-selector> -- read 256 EEPROM words (93C66) (If you use one of the extended forms on a smaller EEPROM, you will get 2 or 4 copies of the same bits.) The output of fteeprom-read is in the same format as the input to fteeprom-prog, thus you can redirect the output to a file and get a restorable backup copy of your EEPROM. It also needs to be noted that if the FTDI device has the kernel's ftdi_sio driver attached to it (ttyUSB device present) when you run fteeprom-read (same for fteeprom-prog and fteeprom-erase), the act of running any of our EEPROM tools will cause it to unbind, i.e., the ttyUSB device will disappear. If the device being operated on is a dual-channel FT2232x, then only the ttyUSB device corresponding to Channel A will disappear, while the Channel B ttyUSB device will stay. Programming the EEPROM ====================== In terms of the primitives provided over USB, writing to EEPROMs sitting behind FTDI chips is accomplished by writing one 16-bit word at a time: the SIO_WRITE_EEPROM_REQUEST command writes a user-supplied word at a user-supplied EEPROM address. However, our fteeprom-prog tool currently supports only writing complete EEPROMs (64 or 128 or 256 16-bit words starting at address 0) and we do not currently provide any kind of "random access write" utility; the primary reason for this design decision is practical usefulness: FTDI's EEPROM structure includes a checksum over the first 64 words for 1024-bit EEPROMs or over the first 128 words for larger ones, and if this checksum fails to match, the entire structure is deemed to be invalid - hence there is no practical use case for selectively rewriting individual words. The only exception may be with 93C66 EEPROMs: on these giants only the first half would be subject to the checksum, and the second half could be used arbitrarily. However, we have not yet encountered any boards out in the wild with such big EEPROMs, and we have no plans to use such in any of our own hardware designs either, hence there is no business case at the present moment to develop tooling support for them. There are two primary modes of usage for our fteeprom-prog tool: restoring a saved EEPROM backup or writing a new EEPROM config which you generate yourself. To restore a saved EEPROM backup, run the tool as follows: fteeprom-prog <device-selector> <eeprom-image-file> To program a new EEPROM config of your own, run a pipeline of this form: <generator-tool> | fteeprom-prog <device-selector> fteeprom-prog reads the EEPROM image from stdin if no image file is named on the command line; the image format is the same in both cases, and the length of this EEPROM image tells the tool how many words need to be programmed - there are no -b or -B options to fteeprom-prog. Generator tools =============== Unfortunately FTDI never documented the format of their EEPROM configuration structure - apparently they consider it a proprietary trade secret just like the wire protocol spoken over USB between their chips and their closed-source proprietary drivers. All FOSS community support for these chips is based on reverse engineering, and that includes the EEPROM format. The present suite of tools includes ftee-gen2232c and ftee-gen2232h EEPROM image generators, meant for use with FT2232C/D and FT2232H chips, respectively. These tools are based on the knowledge extracted from other (pre-existing) community tools, primarily the EEPROM config code built into various libftdi versions - we haven't done any FTDI RE of our own, instead the goal of this project has been to create a set of tools that are better fit for production use. Our ftee-gen2232c and ftee-gen2232h tools are invoked as follows: ftee-gen2232[ch] [-b|-B] <config-file> [serial-num] The output of these generator tools is meant to be piped directly into fteeprom-prog. The philosophy of which settings are given in the config file vs. which ones are given on the command line reflects configuration management and factory production line operations. In the envisioned usage there would be a config file for each product, giving the USB VID:PID, textual manufacturer and product ID strings and possibly other config settings which need to be changed from the defaults, but the optional serial number string is given on the command line because it would be different for each individual unit being programmed. The EEPROM size selection is also made on the command line, so that the same config can be programmed into a smaller EEPROM or a bigger one. By default our tools generate an image suitable for a 93C46 EEPROM: the generated image is 64 words long, with a checksum in word 63, and the EEPROM type byte in FTDI's structure is set to 0x46. Running with -b produces an image for a 93C56 EEPROM: the EEPROM type byte is set to 0x56, and the checksum-covered image length is extended to 128 words. Finally, -B sets things up for a 93C66 EEPROM: the EEPROM type byte is set to 0x66, but the generated checksum-covered image is still 128 words long just like with -b, as that is what FT2232x chips apparently expect. I said "apparently" because I don't have any FT2232x hardware with 93C66 EEPROMs and I don't plan on acquiring or building any, hence this minimal 93C66 support is completely untested - use at your own risk. It also needs to be noted that with our current RE-based understanding of FTDI's undocumented EEPROM structure, using a bigger EEPROM does NOT provide more room for strings: all that happens with -b and -B options is that a gap of 64 unused EEPROM words is inserted between the end of the fixed structure and the beginning of strings. The exact same arrangement has been observed in all 93C56 EEPROM images found in the wild, presumably produced with FTDI's official tools, including FTDI's own USB-COM232-PLUS2 board - thus it is not clear at all if FT2232x chips actually support longer strings with bigger EEPROMs, and if not, what does one need a bigger EEPROM for... For the format of config files read by our ftee-gen2232[ch] tools and what settings can be tweaked, read the source code. Erasing the EEPROM (making it blank) ==================================== If you are playing with a "generic" FT2232x breakout board that is made for tinkering, as opposed to a more finished product, such boards are typically shipped with their EEPROMs completely blank. In that case restoring the EEPROM to its "pristine" state after playing around would mean erasing it, i.e., bringing it into a blank (all ones) state. FT2232x chips provide two ways to do so: one can explicitly write 0xFFFF into each individual EEPROM word with SIO_WRITE_EEPROM_REQUEST, or one can send a SIO_ERASE_EEPROM_REQUEST command to the chip, and the chip then erases the entire EEPROM. But we don't know how the latter SIO_ERASE_EEPROM_REQUEST operation is implemented by FT2232x chips: does the FT2232x chip go through and erase each word individually, or does it issue an "erase full chip" opcode to the serial EEPROM? If the latter, then according to some EEPROM datasheets that operation may not work if the EEPROM is powered from a 3.3V rail rather than the full USB 5V - may be an issue in FT2232H-based designs. In any case our tools provide both ways. To perform the "automatic full chip erase" operation, run the following command: fteeprom-erase <device-selector> To blank the EEPROM by writing 0xFFFF into each word, run one of the following pipelines: ftee-mkblank | fteeprom-prog <device-selector> -- blank a 93C46 EEPROM ftee-mkblank -b | fteeprom-prog <device-selector> -- blank a 93C56 EEPROM ftee-mkblank -B | fteeprom-prog <device-selector> -- blank a 93C66 EEPROM