Author Topic: micro-usb on radon detector (Read 32415 times)

djnebs · « **Reply #25 on:** December 06, 2023, 07:38:29 pm »

Great! I was hoping someone else would have a look at reversing it. I'm very new to this.
Attached 3 memory dumps from 0-0xffff.
First value in the filename is the long term average and second number is the short term average, as read from LCD when I took the dump.

Let us know what you find.

Added my latest ghidra archive. I never pulled in the new RAM contents, still just working off the flash dump.

ChrisE · « **Reply #26 on:** December 06, 2023, 10:46:07 pm »

This is some great work!

I managed to spend some time on one weekend poking through the dissassembly from scratch to see if I came up with similar conclusions. I got a reasonable way in (not as much useful info as has been provided here) but have hit a very busy spell and haven't had a chance to get back into it; hopefully I'll get some time over Christmas.

On the plus side, I've actually ended up working on a project with an MSP430, so hopefully I'll be getting some helpful insights from that =D

djnebs · « **Reply #27 on:** December 06, 2023, 11:00:28 pm »

I also found my past experience with MSP430 came in handy when digging into this. You really gotta know how to engineer before you can reverse engineer.

I just realized that the short term average value (0x3e4) IS in fact dumped as part of the 'm'/0x6D command.
It "should" be byte 116 out of 128 - havent actually tested it.

Here is the relevant section where it memcopies 128 bytes from 0x370 to the UART buffer (same buffer is used for tx and rx it seems):

Code: [Select]

void m_command_handler(void)

{
  if ((short)DAT_0370 < 0) {
    if (((ushort)DAT_0370 & 0x4000) == 0) {
      if (((ushort)DAT_0370 & 0x1200) == 0) {
        if (((ushort)DAT_0370 & 0x2000) != 0) {
          set_RTC_clock();
        }
        goto LAB_ddb4;
      }
      if (((ushort)DAT_0370 & 0x1000) == 0) {
        DAT_0370 = (uint16_t *)((ushort)DAT_0370 & 0x280);
      }
      else {
        DAT_0370 = (uint16_t *)((ushort)DAT_0370 & 0x1080);
      }
    }
    else if (DAT_0370 < &DAT_f000) {
      DAT_0370 = (uint16_t *)&DAT_1080;
    }
    else {
      DAT_0370 = (uint16_t *)((ushort)DAT_0370 & 0xff80);
    }
    memcopy(&bidirectional_tx_rx_buffer_02e0.adc_reading,DAT_0370,128);
  }
LAB_ddb4:
  length_bytes = crc16((byte *)&bidirectional_tx_rx_buffer_02e0,0x80);
  return;
}

cb831a · « **Reply #28 on:** December 07, 2023, 02:43:42 pm »

Thanks @djnebs

This was exactly one of the things I dissagreed on :-)

djnebs · « **Reply #29 on:** December 08, 2023, 05:06:12 am »

I'm just gonna keep dumping my daily progress here to stay motivated.

Earlier I said that the 'm' command was memcopying 128 bytes from 0x370. Turns out, 0x370 holds a pointer to the data, its not a fixed location.
Lets name 0x370 as "UART_PTR".

There's this little bit shifting interface to set the address of UART_PTR, one bit at a time using ascii characters (which @cb831a also noticed earlier):

Code: [Select]

    if (last_rx_byte == 'i') {
      UART_PTR = (uint16_t *)((short)UART_PTR * 2 + 1);
      goto LAB_d2f8;
    }
    if (last_rx_byte == 'o') {
      UART_PTR = (uint16_t *)((short)UART_PTR * 2);
      goto LAB_d2f8;
    }

'i' represents a 1
'o' represent a 0
Seems we are to take whatever address that we want to read, encode it into binary, program it in using these 'i's and 'o's and then the 'm' command should dump out 128 bytes starting from it.
I see some address sanitization which could be blacklisting certain address ranges.
Similarly, 'w' looks to be the equivalent write command which includes a crc check, but otherwise writes the to the same address.
I strongly suspect '!' and ';' are either some kind of terminator or preamble character, but so far I could not make sense of it in practice.

The 'X' command lets you execute code from certain specified addresses. First checks the crc for a magic key 0x281e, then sets a flag to the main loop.

Code: [Select]

    if (last_rx_byte == 'X') {
      if ((((uint16_t *)0xf7ff < UART_PTR) && (UART_PTR < s_bU5OYI_C_>~9_490_+_'_$[_s_z_q_fe00)) &&
         (crc_to_test == (uint16_t *)0x281e)) {
        DAT_037a = DAT_037a | 0x800;
      }
      delay2(1);
      goto LAB_d2f8;
    }

The main loop detects the flag and executes instructions from that location:

Code: [Select]

void main(void)

{
  byte bVar1;
  
  init();
  do {
    bVar1 = IE1;
    IE1 = bVar1 | 0x32;
    if ((DAT_037a & 0x800) != 0) {
      IE1 = 0;
      IE2 = 0;
      FUN_ec8e(8);
      (*(code *)((ushort)UART_PTR & 0xfffe))();
    }
    delay2(500);
  } while( true );
}

I guess it could be a bootloader.

cb831a · « **Reply #30 on:** December 08, 2023, 01:31:17 pm »

Just a quick comment: The specs for the device says

Radon specifications
Radon sampling: Passive diffusion chamber
Detection method: Alpha spectrometry
Measurement range:
0 – 500 pCi/L
0 - 9999 Bq/m³
Accuracy/precision at 5.4 pCi/L / 200 Bq/m3:
After 7 days ~ 10 %
After 2 months ~ 5%

indicating that the radon reading must be at least a 2 byte short.

djnebs · « **Reply #31 on:** December 09, 2023, 09:57:18 am »

Thankfully, I don't have enough radon in my room to fill the upper byte of that short

I got the m command (memory dumper) working.

1. Start with a ';' character to reset the pointer.
2. For example to read from address 0xff00 (flash), convert to bin: 1111111100000000. Translate 1s/0s into 'i's/'o's and send the characters
3. Send the 'm' character to execute the read command
4. It will return 128bytes from your requested 0xff00 address. plus an additional 16 bytes from a constant address 0x370

So the full string looks like:
;iiiiiiiioooooooom

I compared the output and it matches with my JTAG ram dump.

The only trouble it seems is that we cannot read from just any address. There are these range limits which restrict access. The ram addresses that hold the short term average (0x36c, 0x3e4) look to be in a restricted region.

Code: [Select]

void m_command_handler(void)

{
  if ((short)UART_PTR < 0) {
    if (((ushort)UART_PTR & 0x4000) == 0) {
      if (((ushort)UART_PTR & 0x1200) == 0) {
        if (((ushort)UART_PTR & 0x2000) != 0) {
          set_RTC_clock();
        }
        goto LAB_ddb4;
      }
      if (((ushort)UART_PTR & 0x1000) == 0) {
        UART_PTR = (uint16_t *)((ushort)UART_PTR & 0x280);
      }
      else {
        UART_PTR = (uint16_t *)((ushort)UART_PTR & 0x1080);
      }
    }
    else if (UART_PTR < &DAT_f000) {
      UART_PTR = (uint16_t *)&DAT_1080;
    }
    else {
      UART_PTR = (uint16_t *)((ushort)UART_PTR & 0xff80);
    }
    memcopy((uint16_t *)&bidirectional_tx_rx_buffer_02e0,UART_PTR,128);
  }
LAB_ddb4:
  crc = crc16(&bidirectional_tx_rx_buffer_02e0.field0_0x0,0x80);
  return;
}

cb831a · « **Reply #32 on:** December 10, 2023, 01:33:18 am »

@djnebs

Could you post some of your 128+16 bytes m-commands. I don't see the same as you but it may because my io; is different - I don't seem to get anything consistent out of changing the number.

Here are some of my readings - _____ is instead of e3 73 which seems to be some kind of filler.

Code: [Select]

Debug:  4800 8N1 <-  [86 25 65 25 2e 28 95 29 09 2b 7a 2c 56 2e b4 2f fd 30 40 32 7f 33 2c 35 bc 36 c5 37 4a 39 40 3a c6 3b ed 3c 47 3e 50 3f c2 40 ec 41 4a 43 99 44 2a 46 68 47 a6 48 fa 49 2d 4b 40 4c d3 4d 3b 4f 0b 50 5e 51 dc 52 03 54 2a 55 b6 56 00 58 41 59 17 5a 09 5b 93 5c d2 5d 9a 5e 25 60 af 61 42 63 b2 64 67 65 87 66 ac 67 d4 68 0a 6a 87 6b a8 6c ba 6d 21 6f 6d 70 ab 71 ad 72 db 73 _____ _____ 00 00 39 c1 82 0d 35 10 6d 00 00 50 00 00 80 a5 ]
Debug:  4800 8N1 <-  [63 1d 17 1e 93 20 e6 21 97 23 1b 25 ea 26 d0 27 fa 28 0f 2b 46 2c 87 2d 2b 2f 10 30 e0 31 0e 33 9a 34 c9 35 b9 36 f6 37 b3 39 c7 3a 54 3c 85 3d 84 3e ea 3f 59 41 8f 42 ec 43 1f 45 45 46 92 47 be 48 de 49 80 4b 9e 4c f1 4d 25 4f 64 50 07 52 17 53 5e 54 a2 55 cb 56 9d 57 98 58 20 5a 4a 5b 6f 5c e2 5d f6 5e 31 60 84 61 b3 62 19 64 5a 65 44 66 13 67 ec 68 25 6a 56 6b 79 6c 88 6d 0c 6f 00 00 4e af 82 0e 35 10 6d 00 00 50 00 00 80 a5 ]
Debug:  4800 8N1 <-  [30 19 40 1a 88 1c 87 1d 1d 1f 90 20 35 22 9f 23 a5 24 2e 26 69 27 35 29 45 2a ce 2b f8 2c b1 2e 04 30 5d 31 9d 32 e5 33 45 35 99 36 f0 37 80 39 4f 3a 9e 3b 14 3d 90 3e e9 3f 17 41 5d 42 3c 43 94 44 aa 45 30 47 54 48 db 49 84 4a e7 4b 97 4c 58 4e 83 4f 33 50 c5 51 3a 53 a0 54 35 56 1d 57 36 58 2f 59 ca 5a 40 5c 90 5d 4b 5e 9b 5f ca 60 f0 61 f8 62 56 64 54 65 fe 66 04 68 3d 69 67 6a 00 00 9e 73 _____ _____ _____ _____ _____ _____ ]
Debug:  4800 8N1 <-  [_____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ 00 00 d1 db 82 11 35 10 6d 00 00 54 00 00 80 a5 ]
Debug:  4800 8N1 <-  [00 00 d1 db 82 11 35 10 6d 00 00 54 00 00 80 a5 _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ 00 00 71 53 82 12 35 10 6d 00 00 50 00 00 80 a5 ]
Debug:  4800 8N1 <-  [2e 45 ba 46 28 48 18 49 31 4a 89 4b a0 4c 26 4e 71 4f 5b 50 a0 51 1c 53 81 54 d3 55 3c 56 91 57 04 59 32 5a 65 5b 7a 5c 05 5e 99 5e cd 5f 0a 61 bc 62 9f 63 02 65 54 66 1c 67 a0 68 ab 69 1a 6b 36 6c 0b 6d 47 6e 96 6f e7 70 4c 72 7b 73 _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ 00 00 f0 8c 82 14 35 10 6d 00 00 54 00 00 80 a5 ]
Debug:  4800 8N1 <-  [_____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ 00 00 d1 db 82 15 35 10 6d 00 00 54 00 00 80 a5 ]
Debug:  4800 8N1 <-  [00 00 d1 db 82 15 35 10 6d 00 00 54 00 00 80 a5 _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ 00 00 ed e5 82 17 35 10 6d 00 00 50 40 2d 86 2e ]
Debug:  4800 8N1 <-  [9d 37 04 36 f4 37 b9 3a 9e 3b 36 3d 9e 3e 23 40 86 41 fb 42 32 44 bc 45 6a 47 7c 48 b6 49 75 4b 24 4c 7d 4d 59 4f 5e 50 c3 51 c2 52 27 54 0b 55 d0 56 b3 57 f5 58 45 5a 6b 5b e6 5c 61 5e 3e 5f c2 60 a6 61 50 63 6b 64 36 65 4f 66 0d 68 1c 69 6b 6a 58 6b 70 6c f9 6d 6d 6f 43 70 26 71 de 72 _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ 00 00 32 52 82 18 35 10 6d 00 00 54 00 00 80 a5 ]
Debug:  4800 8N1 <-  [53 23 d9 22 5b 25 22 27 4f 28 e1 29 49 2b b0 2c 35 2e 90 2f 4a 31 b5 32 9d 33 00 35 9c 36 f7 37 7b 39 73 3a 82 3b 39 3d 6c 3e e8 3f 28 41 fa 41 91 43 aa 44 f7 45 77 47 93 48 b3 49 10 4b 34 4c e3 4d 52 4f 71 50 24 51 e9 52 d1 53 83 55 98 56 46 58 07 59 0a 5a 6f 5b 6d 5c _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ 00 00 48 af 82 1a 35 10 6d 00 00 54 00 00 80 a5 ]
Debug:  4800 8N1 <-  [25 69 93 6a bb 6b f0 6c 8e 6e 88 6f a4 70 b1 71 e9 72 e2 73 _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ 00 00 c3 df 82 1b 35 10 6d 00 00 54 00 00 80 a5 ]
Debug:  4800 8N1 <-  [00 00 c3 df 82 1b 35 10 6d 00 00 54 00 00 80 a5 e9 72 e2 73 _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ 00 00 80 9f 82 1d 35 10 6d 00 00 50 00 00 80 a5 ]
Debug:  4800 8N1 <-  [00 00 80 9f 82 1d 35 10 6d 43 7c 44 aa 45 3a 47 9c 48 34 4a 55 4b b6 4c 37 4e 64 4f 5e 50 c2 51 21 53 45 54 c5 55 fa 56 22 58 91 59 c0 5a 2f 5c 56 5d 80 5e c9 5f 87 61 48 62 32 63 fc 64 0f 66 35 67 40 68 95 69 a4 6a 44 6c 08 6d 2e 6e 7f 6f c1 70 31 72 7d 73 _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ 00 00 bb 82 82 1e 35 10 6d 00 00 54 00 00 80 a5 ]
Debug:  4800 8N1 <-  [40 17 54 17 79 1a f3 1b 58 1d e7 1e 32 20 6a 21 1f 23 9d 24 18 26 81 27 ac 28 35 2a 8a 2b b9 2c 22 2e 4f 2f a0 30 ee 31 4c 33 ea 34 0a 36 3b 37 d3 38 f7 39 25 3b d4 3c c1 3d 2d 3f 1d 40 53 41 c5 42 1b 44 83 45 94 46 f3 47 17 49 2d 4a 43 4b 81 4c 15 4e 3b 4f 88 50 8e 51 d5 52 e1 53 4c 55 64 56 71 57 fc 58 49 5a 62 5b 7c 5c 01 5e d6 5e 82 60 71 61 98 62 31 64 42 65 68 66 bf 67 16 69 00 00 cb 02 82 1f 35 10 6d 00 00 54 00 00 80 a5 ]
Debug:  4800 8N1 <-  [00 00 cb 02 82 1f 35 10 6d 00 00 54 00 00 80 a5 1f 23 9d 24 18 26 81 27 ac 28 35 2a 8a 2b b9 2c 22 2e 4f 2f a0 30 ee 31 4c 33 ea 34 0a 36 3b 37 d3 38 f7 39 25 3b d4 3c c1 3d 2d 3f 1d 40 53 41 c5 42 1b 44 83 45 94 46 f3 47 17 49 2d 4a 43 4b 81 4c 15 4e 3b 4f 88 50 8e 51 d5 52 e1 53 4c 55 64 56 71 57 fc 58 49 5a 62 5b 7c 5c 01 5e d6 5e 82 60 71 61 98 62 31 64 42 65 68 66 bf 67 16 69 00 00 8c a4 82 21 35 10 6d 00 00 50 00 00 80 a5 ]
Debug:  4800 8N1 <-  [00 00 8c a4 82 21 35 2b 8e 2d 1d 2f ac 30 77 32 2a 33 a9 34 6e 36 7d 37 03 39 31 3a d3 3b d5 3c e6 3d 50 3f b8 40 d8 41 ff 42 bf 44 c3 45 ec 46 39 48 9c 49 d5 4a 04 4c 40 4d 27 4f fc 4f f5 50 30 52 8f 53 e3 54 5e 56 a7 57 e7 58 e5 59 17 5b 90 5c e6 5d e2 5e 00 60 90 61 c1 62 d1 63 b5 64 c3 65 6f 67 86 68 7b 69 ed 6a 3f 6c 61 6d d7 6e fa 6f 05 71 43 72 98 73 _____ _____ _____ _____ 00 00 f6 3a 82 22 35 10 6d 00 00 54 00 00 80 a5 ]
Debug:  4800 8N1 <-  [ba 23 73 24 cf 26 81 28 29 2a 63 2b cc 2c 11 2e 6b 2f 92 31 6e 32 cf 33 2c 35 54 36 fd 37 40 39 8c 3a 9e 3b f5 3c 62 3e 08 40 09 41 d0 41 66 43 c5 44 8c 45 2b 47 74 48 db 49 62 4b 77 4c 11 4e 44 4f 1e 50 9d 51 b8 52 e7 53 25 55 5e 56 87 57 66 58 ad 59 d9 5a 30 5c c2 5d bb 5e 3c 60 8d 61 6e 62 e7 63 30 65 30 66 31 67 87 68 82 69 a0 6a 45 6c 6f 6d 73 6e c0 6f d6 70 59 72 9d 73 _____ 00 00 b8 f8 82 24 35 10 6d 00 00 50 00 00 80 a5 ]
Debug:  4800 8N1 <-  [a3 37 92 39 87 3a 55 3c 57 3d 9c 3e 74 40 69 41 a0 42 ed 43 44 45 63 46 b1 47 12 49 49 4a 60 4b bb 4c f5 4d 56 4f 9b 50 ce 51 e8 52 64 54 cb 55 ba 56 f3 57 30 59 27 5a 59 5b 0f 5d 44 5e 72 5f 7b 60 9a 61 a3 62 fc 63 56 65 2b 66 b4 67 04 69 e9 69 6b 6b 69 6c ca 6d ee 6e 31 70 0c 71 90 72 c5 73 _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ 00 00 5a 4d 82 25 35 10 6d 00 00 54 00 00 80 a5 ]
Debug:  4800 8N1 <-  [26 3a 4e 38 95 3a 77 3d b4 3e f0 3f 2d 41 94 42 66 44 88 45 2d 47 65 48 03 4a ef 4a 44 4c ce 4d 2c 4f 50 50 dd 51 f5 52 1a 54 67 55 a6 56 ed 57 67 59 80 5a e1 5b b8 5c 36 5e 6d 5f b7 60 09 62 4a 63 9f 64 a9 65 ee 66 44 68 51 69 9c 6a 3b 6c 03 6d 3d 6e 65 6f bc 70 e2 71 d0 72 _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ 00 00 65 d1 82 27 35 10 6d 00 00 50 00 00 80 a5 ]
Debug:  4800 8N1 <-  [00 00 65 d1 82 27 35 10 6d 00 00 50 00 00 80 a5 66 44 88 45 2d 47 65 48 03 4a ef 4a 44 4c ce 4d 2c 4f 50 50 dd 51 f5 52 1a 54 67 55 a6 56 ed 57 67 59 80 5a e1 5b b8 5c 36 5e 6d 5f b7 60 09 62 4a 63 9f 64 a9 65 ee 66 44 68 51 69 9c 6a 3b 6c 03 6d 3d 6e 65 6f bc 70 e2 71 d0 72 _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ 00 00 fe 3e 82 28 35 10 6d 00 00 50 00 00 80 a5 ]
Debug:  4800 8N1 <-  [f0 24 cb 24 a8 27 0c 29 80 2a dd 2b 52 2d 09 2f ff 2f 45 31 8a 32 cf 33 6b 35 3a 37 7c 38 d6 39 08 3b 6d 3c a0 3d a0 3e 57 40 96 41 81 42 ac 43 fc 44 44 46 d9 47 bc 48 11 4a 61 4b a4 4c 1c 4e 2a 4f 73 50 d7 51 1b 53 da 53 66 55 b2 56 b7 57 2f 59 3d 5a 87 5b 1c 5d dc 5d 0b 5f 6c 60 aa 61 0e 63 4a 64 6d 65 a4 66 c4 67 fe 68 02 6a 80 6b 80 6c 9d 6d 26 6f 0d 70 40 71 90 72 be 73 _____ 00 00 0c 44 82 2a 35 10 6d 00 00 40 00 00 80 a5 ]
Debug:  4800 8N1 <-  [00 00 0c 44 82 2a 35 10 6d 00 00 40 00 00 80 a5 ff 2f 45 31 8a 32 cf 33 6b 35 3a 37 7c 38 d6 39 08 3b 6d 3c a0 3d a0 3e 57 40 96 41 81 42 ac 43 fc 44 44 46 d9 47 bc 48 11 4a 61 4b a4 4c 1c 4e 2a 4f 73 50 d7 51 1b 53 da 53 66 55 b2 56 b7 57 2f 59 3d 5a 87 5b 1c 5d dc 5d 0b 5f 6c 60 aa 61 0e 63 4a 64 6d 65 a4 66 c4 67 fe 68 02 6a 80 6b 80 6c 9d 6d 26 6f 0d 70 40 71 90 72 be 73 _____ 00 00 fd 0e 82 2b 35 10 6d 00 00 50 00 00 80 a5 ]
Debug:  4800 8N1 <-  [05 2c 65 2c f3 2e 30 30 ba 31 18 33 9f 34 f7 35 98 37 e1 38 10 3a 45 3b 0d 3d 32 3e 41 3f 03 41 27 42 7b 43 8b 44 f2 45 1c 47 a7 48 6e 49 bc 4a 76 4c 29 4d 72 4e e1 4f df 50 6d 52 58 53 9b 54 50 56 55 57 02 58 da 59 05 5b 2e 5c 3d 5d 7b 5e bb 5f c7 60 00 62 0b 63 76 64 8c 65 8f 66 c2 67 09 69 37 6a e8 6b e6 6c d5 6d 18 6f 89 70 8f 71 ef 72 d6 73 _____ _____ _____ _____ _____ _____ 00 00 16 1e 82 2c 35 10 6d 00 00 54 00 00 80 a5 ]
Debug:  4800 8N1 <-  [_____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ 00 00 d1 db 82 2e 35 10 6d 00 00 54 00 00 80 a5 ]
Debug:  4800 8N1 <-  [aa 3b b8 39 60 3b 27 3e b4 3f 31 41 5a 42 19 44 31 45 fb 46 2a 48 d2 49 c2 4a 08 4c 2a 4d a0 4e ea 4f 27 51 85 52 df 53 0e 55 2a 56 3b 57 5f 58 45 5a 11 5b 69 5c bd 5d ee 5e 0c 60 9d 61 83 62 1c 64 7c 65 4d 66 bc 67 15 69 3a 6a 84 6b bf 6c 93 6d 33 6f 35 70 72 71 87 72 a4 73 _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ 00 00 90 a8 82 2f 35 10 6d 00 00 54 00 00 80 a5 ]
Debug:  4800 8N1 <-  [00 00 90 a8 82 2f 35 10 6d 00 00 54 00 00 80 a5 31 45 fb 46 2a 48 d2 49 c2 4a 08 4c 2a 4d a0 4e ea 4f 27 51 85 52 df 53 0e 55 2a 56 3b 57 5f 58 45 5a 11 5b 69 5c bd 5d ee 5e 0c 60 9d 61 83 62 1c 64 7c 65 4d 66 bc 67 15 69 3a 6a 84 6b bf 6c 93 6d 33 6f 35 70 72 71 87 72 a4 73 _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ 00 00 22 78 82 31 35 10 6d 00 00 50 00 00 80 a5 ]
Debug:  4800 8N1 <-  [00 00 22 78 82 31 35 10 6d 00 00 50 00 00 80 a5 31 45 fb 46 2a 48 d2 49 c2 4a 08 4c 2a 4d a0 4e ea 4f 27 51 85 52 df 53 0e 55 2a 56 3b 57 5f 58 45 5a 11 5b 69 5c bd 5d ee 5e 0c 60 9d 61 83 62 1c 64 7c 65 4d 66 bc 67 15 69 3a 6a 84 6b bf 6c 93 6d 33 6f 35 70 72 71 87 72 a4 73 _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ 00 00 17 b7 82 32 35 10 6d 00 00 50 00 2c 17 2d ]
Debug:  4800 8N1 <-  [cf 2e 61 2d f6 2f b7 31 42 33 c2 34 73 36 d4 37 d7 38 36 3a da 3b 31 3d 2c 3e 98 3f 1e 41 20 42 78 43 cb 44 c3 45 34 47 dd 48 53 4a 84 4b 38 4c d7 4d 26 4f 41 50 c3 51 52 53 20 54 a4 55 df 56 c8 57 4a 59 4d 5a c9 5b 3e 5d 4f 5e 6f 5f 03 61 f4 61 32 63 6d 64 b2 65 3d 66 9d 67 da 68 0e 6a 53 6b b5 6c d2 6d 7f 6f b5 70 b9 71 f3 72 cf 73 _____ _____ _____ _____ _____ _____ _____ _____ 00 00 89 3f 82 34 35 10 6d 00 00 50 00 00 80 a5 ]
Debug:  4800 8N1 <-  [90 30 11 31 76 33 f1 34 4e 36 00 38 ba 38 38 3a ec 3b 9f 3d d2 3e 2f 40 7b 41 c3 42 2d 44 43 45 d5 46 f6 47 28 49 b6 4a 8e 4b b3 4c 3a 4e a6 4f fc 50 59 52 66 53 ad 54 e9 55 0c 57 18 58 ac 59 dc 5a 2b 5c 5a 5d d3 5e 1b 60 63 61 4e 62 79 63 cb 64 cd 65 10 67 6f 68 91 69 a3 6a cd 6b f6 6c 4e 6e a6 6f 84 70 2f 72 55 73 _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ 00 00 d4 2d 82 35 35 10 6d 00 00 54 00 00 80 a5 ]
Debug:  4800 8N1 <-  [5f 0c a3 0d e2 0e 9b 10 d4 11 4c 13 6c 14 c0 15 f3 16 38 18 c0 19 1f 1b 8d 1c dc 1d 0c 1f 88 20 e1 21 47 23 ca 24 2a 26 50 27 33 28 b9 29 4c 2b 5f 2c b7 2d 16 2f 08 30 86 31 ba 32 2c 34 7b 35 d5 36 2b 38 81 39 86 3a 2d 3c 20 3d 1a 3e e5 3f 00 41 34 42 98 43 b7 44 e5 45 ed 46 69 48 e7 49 e5 4a ed 4b 58 4d b4 4e db 4f b0 50 3e 52 86 53 95 54 05 56 0e 57 53 58 6b 59 d7 5a c1 5b 1b 5d 00 00 96 2b 82 37 35 10 6d 00 00 50 00 00 80 a5 ]
Debug:  4800 8N1 <-  [00 00 96 2b 82 37 35 10 6d 00 00 50 00 00 80 a5 f3 16 38 18 c0 19 1f 1b 8d 1c dc 1d 0c 1f 88 20 e1 21 47 23 ca 24 2a 26 50 27 33 28 b9 29 4c 2b 5f 2c b7 2d 16 2f 08 30 86 31 ba 32 2c 34 7b 35 d5 36 2b 38 81 39 86 3a 2d 3c 20 3d 1a 3e e5 3f 00 41 34 42 98 43 b7 44 e5 45 ed 46 69 48 e7 49 e5 4a ed 4b 58 4d b4 4e db 4f b0 50 3e 52 86 53 95 54 05 56 0e 57 53 58 6b 59 d7 5a c1 5b 1b 5d 00 00 da b4 82 38 35 10 6d 00 00 50 00 00 80 a5 ]
Debug:  4800 8N1 <-  [ac 4d 57 4f 64 50 2c 51 be 52 17 54 2c 55 5f 56 ad 57 c5 58 00 5a 46 5b 74 5c 89 5d a6 5e 56 60 3b 61 40 62 bf 63 d8 64 15 66 13 67 38 68 30 69 7c 6a 7f 6b df 6c 68 6e 6b 6f 63 70 d5 71 0e 73 d8 73 _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ 00 00 f8 b2 82 39 35 10 6d 00 00 54 00 00 80 a5 ]
Debug:  4800 8N1 <-  [0a 33 af 34 c7 35 1c 37 67 38 cf 39 a1 3a 5b 3c 6a 3d 71 3e 66 3f 0c 41 2d 42 36 43 88 44 bd 45 e9 46 44 48 55 49 c3 4a b9 4b ed 4c fa 4d 47 4f 61 50 8c 51 ff 52 42 54 58 55 ba 56 b7 57 77 58 25 5a 78 5b d7 5c 47 5e 35 5f 80 60 7e 61 6b 62 d0 63 3e 65 0b 66 b2 67 cc 68 d2 69 fd 6a 4b 6c c2 6c 02 6f 28 70 c1 70 4e 72 4f 73 _____ _____ _____ _____ _____ _____ _____ _____ _____ _____ 00 00 46 23 82 3b 35 10 6d 00 00 54 00 00 80 a5 ]
Debug:  4800 8N1 <-  [54 23 67 23 34 26 a9 27 f6 28 8a 2a 05 2c 43 2d a8 2e db 2f 68 31 8b 32 ce 33 5e 35 6b 36 ad 37 76 39 85 3a fd 3b 76 3d 56 3e eb 3f f6 40 30 42 bd 43 d4 44 13 46 70 47 aa 48 b1 49 1e 4b 63 4c 9e 4d 10 4f 11 50 70 51 8c 52 85 53 c7 54 31 56 64 57 1f 59 02 5a 01 5b 3d 5c c4 5d e3 5e 44 60 8e 61 5d 62 d8 63 db 64 eb 65 e3 66 54 68 7b 69 af 6a 25 6c 46 6d ac 6e a7 6f 18 71 ff 71 7c 73 00 00 97 92 82 00 36 10 6d 00 00 54 00 00 80 a5 ]

djnebs · « **Reply #33 on:** December 10, 2023, 04:10:23 am »

Here's my dump from 0xff00. You'll find it matches the same contents as my hex files from before. This region is flash and it seems to be unchanging.
The 16 byte region from 0x370 is quite volatile but you should always find the first 2 bytes are equal to the address you set with the ios.
In all your dumps, 0x370 is reading as zero instead, not sure why.

Python script:

Code: [Select]

import serial
ser = serial.Serial('/dev/ttyACM2', timeout=1, baudrate=4800)

def io_address_write(addr):
    UART_PTR = 0
    addr = int('{:016b}'.format(addr)[::-1], 2) #reverse the order
    for i in range(16):
        if (addr >> i) & 1 == 1:
            ser.write(b'i')
            UART_PTR = UART_PTR * 2 + 1
        else:
            ser.write(b'o')
            UART_PTR = UART_PTR * 2
    #print(hex(UART_PTR))

ser.read(256) #flush any remanents
addr = 0xff00
ser.write(b';')
io_address_write(addr)
ser.write(b'm')

for idx, data in enumerate(ser.read(128)):
    print(hex(idx+addr), hex(data))

for idx, data in enumerate(ser.read(16)):
    print(hex(idx+0x370), hex(data))

Which returns:

Code: [Select]

0xff00 0xb
0xff01 0x1
0xff02 0x9
0xff03 0x20
0xff04 0x9
0xff05 0x1
0xff06 0x9
0xff07 0x4
0xff08 0x9
0xff09 0x40
0xff0a 0xa
0xff0b 0x4
0xff0c 0xa
0xff0d 0x1
0xff0e 0x9
0xff0f 0x10
0xff10 0x8
0xff11 0x2
0xff12 0x7
0xff13 0x10
0xff14 0x7
0xff15 0x40
0xff16 0x8
0xff17 0x4
0xff18 0x8
0xff19 0x40
0xff1a 0x8
0xff1b 0x10
0xff1c 0x8
0xff1d 0x1
0xff1e 0x6
0xff1f 0x20
0xff20 0x6
0xff21 0x1
0xff22 0x6
0xff23 0x4
0xff24 0x6
0xff25 0x40
0xff26 0x7
0xff27 0x4
0xff28 0x7
0xff29 0x1
0xff2a 0x6
0xff2b 0x10
0xff2c 0x1
0xff2d 0x40
0xff2e 0xa
0xff2f 0x20
0xff30 0x9
0xff31 0x2
0xff32 0x2
0xff33 0x40
0xff34 0x3
0xff35 0x4
0xff36 0x4
0xff37 0x4
0xff38 0x5
0xff39 0x40
0xff3a 0x8
0xff3b 0x20
0xff3c 0x7
0xff3d 0x20
0xff3e 0x6
0xff3f 0x2
0xff40 0xb
0xff41 0x20
0xff42 0x4
0xff43 0x40
0xff44 0xff
0xff45 0xff
0xff46 0xff
0xff47 0xff
0xff48 0xff
0xff49 0xff
0xff4a 0xff
0xff4b 0xff
0xff4c 0xff
0xff4d 0xff
0xff4e 0xff
0xff4f 0xff
0xff50 0xc
0xff51 0x0
0xff52 0xd
0xff53 0x10
0xff54 0xe
0xff55 0xb
0xff56 0xa
0xff57 0x1d
0xff58 0xe
0xff59 0xb
0xff5a 0x0
0xff5b 0x1d
0xff5c 0xe
0xff5d 0x5
0xff5e 0x10
0xff5f 0x11
0xff60 0xe
0xff61 0xc
0xff62 0x1e
0xff63 0x1f
0xff64 0xe
0xff65 0x10
0xff66 0x11
0xff67 0x11
0xff68 0xf
0xff69 0xf
0xff6a 0xf
0xff6b 0xf
0xff6c 0xe
0xff6d 0xe
0xff6e 0xe
0xff6f 0xe
0xff70 0xff
0xff71 0xff
0xff72 0xff
0xff73 0xff
0xff74 0xff
0xff75 0xff
0xff76 0xff
0xff77 0xff
0xff78 0xff
0xff79 0xff
0xff7a 0xff
0xff7b 0xff
0xff7c 0xff
0xff7d 0xff
0xff7e 0xff
0xff7f 0xff
0x370 0x0
0x371 0xff
0x372 0x32
0x373 0x0
0x374 0x82
0x375 0x7
0x376 0x34
0x377 0x3
0x378 0x6d
0x379 0x0
0x37a 0x0
0x37b 0x50
0x37c 0x0
0x37d 0x0
0x37e 0x80
0x37f 0xa5

By the way, the very first address check:

Code: [Select]

if ((short)UART_PTR < 0)

makes it so that we cannot read any address below 0x8000 using m command (apart from the 16 bytes from 0x370). So no RAM, only flash.

cb831a · « **Reply #34 on:** December 10, 2023, 08:24:07 pm »

Quote

* msp430_fulldump_21_28.hex (176.01 kB - downloaded 35 times.)
* msp430_fulldump_21_1.hex (176.01 kB - downloaded 32 times.)
* msp430_fulldump_21_22.hex (176.01 kB - downloaded 35 times.)
* corentium2_2023_12_07.zip (229 kB - downloaded 24 times.)

Can anyone hint me to how I get the .zip file into Ghidra. I have tried to unzip the .zip and then unzip the .gar and then try to open the .gpr file inside, but it says project not found selecting it.

I can import and analyze a hex file into a fresh Ghidra project without issues, but then I need to readd all the symbols and comments again.

cb831a · « **Reply #35 on:** December 11, 2023, 12:20:37 am »

I think I can now calculate the short term avg (1 day value) !!!

The code reads the sensor 64 times in this code storing the values in the 2e0 buffer

Code: [Select]

                             **************************************************************
                             *                          FUNCTION                          *
                             **************************************************************
                             void __stdcall FUN_df8e_ReadRadon0x40times(short param_1
             void              <VOID>         <RETURN>
             short             R12:2          param_1
             undefined2        R13:2          param_2
             undefined2        R14:2          param_3
                             FUN_df8e_ReadRadon0x40times                     XREF[4]:     FUN_d304:d324(c), 
                                                                                          FUN_d554:d57a(c), 
                                                                                          FUN_d554:d58a(c), 
                                                                                          FUN_da0a_IntPX:da26(c)  
            df8e 0a 12           PUSH.W     R10
            df90 0a 4c           MOV.W      param_1,R10
            df92 b2 d0 30        BIS.W      #0x30,&DAT_01b0_ADC10CTL0
                 00 b0 01
            df98 b2 d0 03        BIS.W      #0x3,&DAT_01b0_ADC10CTL0
                 00 b0 01
                             LAB_df9e                                        XREF[1]:     dfa2(j)  
            df9e a2 b2 b0 01     BIT.W      #4,&DAT_01b0_ADC10CTL0
            dfa2 fd 27           JEQ        LAB_df9e
            dfa4 1f 42 b4 01     MOV.W      &DAT_01b4_ADC10MEM,R15
            dfa8 3c 40 64 00     MOV.W      #0x64,param_1
            dfac b0 12 66 eb     CALL       #FUN_eb66                                        undefined FUN_eb66()
                             LAB_dfb0                                        XREF[1]:     dfb4(j)  
            dfb0 a2 b2 b0 01     BIT.W      #4,&DAT_01b0_ADC10CTL0
            dfb4 fd 27           JEQ        LAB_dfb0
            dfb6 1f 42 b4 01     MOV.W      &DAT_01b4_ADC10MEM,R15
            dfba 1a 83           DEC.W      R10
            dfbc 3d 40 e0 02     MOV.W      #0x2e0,param_2
            dfc0 3c 40 40 00     MOV.W      #0x40,param_1
                             LAB_dfc4                                        XREF[1]:     dfea(j)  
            dfc4 0e 4a           MOV.W      R10,param_3
                             LAB_dfc6                                        XREF[1]:     dfca(j)  
            dfc6 a2 b2 b0 01     BIT.W      #4,&DAT_01b0_ADC10CTL0
            dfca fd 27           JEQ        LAB_dfc6
            dfcc 1f 42 b4 01     MOV.W      &DAT_01b4_ADC10MEM,R15
            dfd0 0e 93           TST.W      param_3
            dfd2 07 24           JEQ        LAB_dfe2
                             LAB_dfd4                                        XREF[2]:     dfd8(j), dfe0(j)  
            dfd4 a2 b2 b0 01     BIT.W      #4,&DAT_01b0_ADC10CTL0
            dfd8 fd 27           JEQ        LAB_dfd4
            dfda 1f 52 b4 01     ADD.W      &DAT_01b4_ADC10MEM,R15
            dfde 1e 83           DEC.W      param_3
            dfe0 f9 23           JNE        LAB_dfd4
                             LAB_dfe2                                        XREF[1]:     dfd2(j)  
            dfe2 2d 53           INCD.W     param_2
            dfe4 8d 4f fe ff     MOV.W      R15,-0x2(param_2)=>DAT_02e0_uart_tx_byte
            dfe8 1c 83           DEC.W      param_1
            dfea ec 23           JNE        LAB_dfc4
            dfec a2 e3 b0 01     XOR.W      #2,&DAT_01b0_ADC10CTL0
            dff0 b2 f0 cf        AND.W      #0xffcf,&DAT_01b0_ADC10CTL0
                 ff b0 01
            dff6 3a 41           POP.W      R10
            dff8 30 41           RET

If I keep reading the 2e0 buffer and consider the buffer as ushorts I sometimes get lines where the calculated checksum matches the stored ditto and none of the 64 shorts is equal 0x73e3
In that case I assume the buffer is the full result of running the code above and I create the average of the 64 ushorts and divide with 200.
When I average this calculation over several reads the value stabilizes and matches my 1day reading (=88).

Here are the last lines of my test run

Code: [Select]

calc stor                                                                                                                                                                                                                                                                                                                                                                                                     line avg   full avg
csum csum samples in decimal                                                                                                                                                                                                                                                                                                                                                                                  cal   /200 cnt   avg   /200
---- ---- ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------      ---------- -----------------
1d5b 1d5b 07690 07883 08480 08919 09247 09618 10066 10396 10839 11157 11519 11980 12267 12584 12913 13313 13698 13985 14213 14634 15022 15319 15623 15904 16318 16594 16861 17201 17520 17877 18236 18545 18923 19294 19472 19849 20160 20422 20809 21024 21426 21802 22054 22418 22652 23001 23292 23668 24026 24246 24511 24835 25193 25522 25837 26194 26429 26824 27116 27477 27788 28030 28344 28654 avg 18558 92,0 00663 17608 88,00
b227 b227 00320 58000 12674 03865 00109 21504 00000 42368 10687 11073 11389 11716 12052 12362 12855 13097 13502 13857 14211 14638 14907 15282 15607 15923 16230 16635 16822 17182 17576 17891 18245 18589 18924 19131 19561 19879 20304 20534 20810 21135 21419 21718 22106 22376 22760 23017 23251 23537 23934 24269 24615 24897 25204 25634 25936 26185 26476 26845 27151 27457 27823 28030 28420 28665 avg 19580 97,0 00664 17611 88,00
3bd0 3bd0 00320 56273 01154 03866 00109 21504 00000 42368 10041 10303 10668 11019 11145 11522 11917 12145 12480 12873 13133 13477 13762 14056 14431 14703 14884 15317 15682 15961 16325 16566 16838 17133 17475 17758 18156 18442 18623 18947 19338 19603 19914 20229 20515 20818 21179 21472 21724 22109 22324 22598 22877 23270 23607 23861 24141 24527 24848 25047 25374 25685 25990 26284 26637 26852 avg 18159 90,0 00665 17612 88,00
501a 501a 06750 06750 07435 07822 08159 08531 08860 09225 09505 09972 10258 10753 11100 11381 11737 12057 12401 12694 13067 13330 13681 14007 14455 14760 15094 15362 15659 16030 16405 16689 16914 17381 17620 17919 18293 18547 18864 19253 19520 19807 20155 20438 20661 21083 21402 21732 22002 22296 22535 22930 23219 23601 23945 24220 24610 24903 25215 25468 25745 26041 26382 26753 27018 27403 avg 17309 86,0 00666 17611 88,00
f356 f356 06909 07009 07644 08041 08385 08716 09072 09381 09749 10097 10486 10874 11119 11466 11839 12131 12541 12963 13238 13534 13941 14155 14541 14904 15342 15540 15910 16189 16609 16906 17241 17476 17757 18053 18510 18740 18999 19353 19661 19975 20360 20640 21005 21364 21610 21962 22246 22530 22706 23143 23442 23803 24170 24457 24761 25082 25292 25663 25987 26212 26576 26902 27194 27606 avg 17495 87,0 00667 17611 88,00
81fc 81fc 09061 08724 09365 09927 10182 10625 11046 11360 11713 12143 12451 12797 13099 13513 13921 14260 14488 14893 15210 15642 15926 16323 16574 16856 17158 17528 17861 18221 18474 18819 19158 19466 19739 20017 20355 20579 21030 21241 21564 21915 22189 22544 22867 23209 23470 23907 24138 24434 24769 25027 25332 25707 26004 26283 26755 26958 27276 27591 27874 28188 28466 28783 29080 29447 avg 19430 97,0 00668 17614 88,00
caa8 caa8 08719 08734 09360 09892 10189 10637 10850 11222 11647 12036 12361 12710 13080 13361 13782 14118 14483 14807 15056 15396 15739 16034 16309 16643 17005 17411 17696 17980 18229 18538 18855 19177 19530 19834 20172 20477 20763 21132 21413 21711 22124 22364 22688 23018 23294 23637 23889 24143 24460 24846 25112 25467 25853 26040 26390 26800 27065 27423 27673 27975 28271 28628 28857 29155 avg 19254 96,0 00669 17616 88,00
62b7 62b7 09069 09391 09902 10275 10693 11055 11354 11785 12129 12452 12799 13112 13418 13715 14077 14445 14781 15122 15494 15787 16096 16462 16805 17064 17485 17810 18136 18434 18736 18982 19286 19629 19907 20282 20539 20884 21146 21461 21845 22103 22396 22762 23166 23448 23737 24013 24344 24673 24979 25200 25630 25849 26199 26464 26769 26979 27339 27760 27914 28297 28545 28893 29203 29597 avg 19657 98,0 00670 17619 88,00
2d2c 2d2c 08474 08617 09296 09645 10045 10364 10781 11014 11411 11847 12123 12416 12821 13141 13526 13807 14174 14549 14942 15108 15455 15821 16161 16425 16775 17089 17358 17624 17951 18429 18741 18971 19312 19675 20046 20311 20552 20962 21201 21529 21788 22114 22490 22776 23098 23329 23638 23932 24253 24654 24959 25104 25474 25773 26149 26451 26743 26990 27400 27678 27919 28219 28575 28886 avg 19013 95,0 00671 17622 88,00
80c5 80c5 04248 04674 05000 05293 05669 06085 06363 06722 07107 07407 07710 08105 08465 08842 09193 09477 09767 10113 10455 10830 11108 11301 11760 12073 12384 12819 13128 13424 13792 14053 14396 14775 15038 15411 15641 16173 16411 16678 17044 17276 17614 17909 18253 18407 18787 19350 19613 19894 20274 20404 20714 21146 21387 21700 21950 22322 22642 22983 23283 23563 23906 24167 24553 24898 avg 14780 73,0 00672 17617 88,00
10b1 10b1 00320 32965 13698 03866 00109 21504 00000 42368 07107 07407 07710 08105 08465 08842 09193 09477 09767 10113 10455 10830 11108 11301 11760 12073 12384 12819 13128 13424 13792 14053 14396 14775 15038 15411 15641 16173 16411 16678 17044 17276 17614 17909 18253 18407 18787 19350 19613 19894 20274 20404 20714 21146 21387 21700 21950 22322 22642 22983 23283 23563 23906 24167 24553 24898 avg 15886 79,0 00673 17615 88,00
da92 da92 06922 07056 07513 08030 08354 08687 09083 09502 09779 10260 10570 11024 11306 11617 11969 12280 12605 12939 13304 13627 13933 14279 14677 14893 15263 15681 15965 16265 16655 16971 17196 17568 17878 18204 18489 18778 19145 19413 19819 20219 20469 20834 21123 21405 21657 22059 22303 22609 22885 23194 23514 23881 24137 24490 24833 24999 25328 25771 26047 26320 26628 26876 27177 27466 avg 17558 87,0 00674 17615 88,00
c472 c472 08982 09335 09688 10119 10555 10920 11157 11466 11821 12124 12523 12932 13146 13562 13859 14199 14541 14844 15191 15539 15809 16146 16415 16828 17092 17413 17718 17978 18521 18777 19001 19369 19586 20052 20390 20587 20885 21335 21637 22032 22230 22532 22808 23112 23444 23756 24002 24313 24708 25016 25274 25577 25978 26419 26701 26920 27243 27579 27833 28099 28618 28821 29065 29474 avg 19431 97,0 00675 17617 88,00
afa2 afa2 08461 08861 09203 09475 09919 10108 10456 10917 11194 11467 11748 12097 12468 12796 13069 13295 13563 13991 14331 14660 14932 15149 15445 15839 16104 16487 16748 17094 17481 17670 18061 18369 18603 18969 19260 19549 19874 20279 20476 20811 21055 21365 21634 22037 22286 22574 22994 23226 23567 23899 24105 24471 24859 25098 25347 25678 25986 26192 26570 26876 27126 27443 27777 27996 avg 18428 92,0 00676 17619 88,00
3868 3868 00320 44962 03458 03867 00109 21504 00000 42368 11194 11467 11748 12097 12468 12796 13069 13295 13563 13991 14331 14660 14932 15149 15445 15839 16104 16487 16748 17094 17481 17670 18061 18369 18603 18969 19260 19549 19874 20279 20476 20811 21055 21365 21634 22037 22286 22574 22994 23226 23567 23899 24105 24471 24859 25098 25347 25678 25986 26192 26570 26876 27126 27443 27777 27996 avg 19041 95,0 00677 17621 88,00
6282 6282 06681 06835 07448 07852 08239 08673 08968 09324 09717 10098 10423 10712 11065 11471 11845 12179 12502 12821 13129 13463 13846 14085 14514 14852 15134 15418 15788 16211 16481 16797 17187 17449 17707 18091 18471 18713 19127 19383 19702 20062 20374 20691 21057 21303 21602 21984 22257 22590 22926 23256 23492 23869 24114 24456 24738 25077 25377 25749 26061 26320 26699 26960 27221 27549 avg 17471 87,0 00678 17620 88,00
bc30 bc30 07531 07458 08132 08545 08898 09225 09645 10019 10313 10845 11086 11397 11792 12132 12529 12812 13075 13509 13846 14054 14469 14827 15150 15548 15836 16197 16545 16837 17134 17525 17759 18127 18445 18753 19124 19481 19723 20134 20433 20656 21022 21414 21664 21978 22268 22577 22891 23205 23566 23943 24151 24518 24779 25087 25504 25771 26047 26392 26682 26939 27230 27528 27888 28169 avg 18136 90,0 00679 17621 88,00
fa60 fa60 09019 08898 09636 10124 10396 10782 11064 11570 11934 12212 12624 12962 13236 13612 14019 14362 14714 14955 15275 15672 16017 16350 16621 16932 17164 17641 17891 18209 18600 18851 19245 19531 19913 20214 20455 20797 21130 21429 21718 22084 22414 22692 23028 23414 23732 24057 24266 24675 24985 25288 25508 25878 26116 26459 26771 27035 27289 27723 27956 28306 28647 28868 29233 29613 avg 19559 97,0 00680 17624 88,00
388c 388c 04901 05180 05580 05939 06259 06541 06925 07291 07563 07913 08199 08481 08819 09188 09456 09787 10123 10330 10874 11107 11360 11819 12138 12475 12733 13026 13298 13622 13942 14387 14637 14903 15195 15569 15843 16169 16497 16882 17013 17351 17652 18026 18370 18646 19005 19190 19543 19811 20154 20480 20922 21176 21411 21756 22075 22384 22622 22946 23379 23618 23901 24170 24490 24845 avg 14998 74,0 00681 17620 88,00
df4d df4d 08283 08479 09048 09397 09722 10167 10444 10897 11241 11729 12027 12316 12650 13033 13322 13675 14005 14356 14744 15037 15432 15733 16021 16375 16682 16911 17394 17656 17962 18378 18622 18965 19254 19549 19922 20218 20444 20781 21204 21425 21778 22113 22376 22700 23011 23238 23534 23946 24229 24511 24840 25096 25391 25828 26090 26381 26771 26985 27306 27647 27917 28203 28541 28897 avg 18919 94,0 00682 17622 88,00

Why the divider is 200 I don't know, but I think it is a result of self calibrating and the divider is stored somewhere.
If the divider couldn't change the meter would not be able to show higher value than approx. 150 (0x73e3 reading) and it can - I have seen readings of >150 in my house long time ago.

djnebs · « **Reply #36 on:** December 12, 2023, 01:38:24 am »

To import the .gar file, you can go to File->Restore Project in the project window.

I see, so 0x2e0 is the location of the filtered ADC count? How are you reading the 0x2e0 location? I had convinced myself earlier that the m command could never read anything below 0x8000.
Are you saying that the conversion factor to go from raw adc count to bq/m3 units was just 200 in your case? I was expecting some more complicated math there. I agree that it must be applying some calibration factors found during boot.

cb831a · « **Reply #37 on:** December 12, 2023, 10:29:52 am »

Quote from: djnebs on December 12, 2023, 01:38:24 am

To import the .gar file, you can go to File->Restore Project in the project window.

Thanks

The other day everything looked plausible, but not anymore, so I may have jumped the conclusions :-(

Something weird happens the 1-day readings on the LCD on my Airthing. The numbers have dropped to a value I have never seen before (<30) and yesterday while the 1-day average was dropping the 7-day increased

At the same time my serial readings stays almost the same (~80).

It's is almost as if my extensive serial-port-reading (1 per sec) is affecting the operation of the device

Quote from: djnebs on December 12, 2023, 01:38:24 am

I see, so 0x2e0 is the location of the filtered ADC count? How are you reading the 0x2e0 location? I had convinced myself earlier that the m command could never read anything below 0x8000.

I think the serial transfer is always happening from 2e0. And if you set the value < 8000 nothing is copied to 2e0 meaning that you just read what is there which happens to be the working sampling buffer sometimes.

Quote from: djnebs on December 12, 2023, 01:38:24 am

Are you saying that the conversion factor to go from raw adc count to bq/m3 units was just 200 in your case? I was expecting some more complicated math there. I agree that it must be applying some calibration factors found during boot.

I'm not sure - I haven't found the calibration code yet, but there is a lot of mult, div and shifts going on in part of the code. The calibration must happen ongoing so when the readings suddenly rises from 50 to 300 the scale is recalibrated.

Sorry for the short reply, but I'm really pressed for time these days, but I hope I can find more time around XMas.

cb831a · « **Reply #38 on:** December 13, 2023, 01:35:44 am »

It looks like I can find the long time average 91/0x5b in 0x10ba and the 7-day average 120/0x78 in 0x1090 reading flash in 0x1080.
Repeating the command "; iioo oooo oooo oooo m" and verifying checksum and that DAT_0370 is actually 0x1080 in w-buffer I get a stable result

Code: [Select]

Stamp                  checksum    1080 1082 1084 1086 1088 108a 108c 108e 1090 1092 1094 1096 1098 109a 109c 109e 10a0 10a2 10a4 10a6 10a8 10aa 10ac 10ae 10b0 10b2 10b4 10b6 10b8 10ba 10bc 10be 10c0 10c2 10c4 10c6 10c8 10ca 10cc 10ce 10d0 10d2 10d4 10d6 10d8 10da 10dc 10de 10e0 10e2 10e4 10e6 10e8 10ea 10ec 10ee 10f0 10f2 10f4 10f6 10f8 10fa 10fc 10fe   w-buffer
2023-12-13 01:13:39: | 1ca9 1ca9 | 01c0 8bea 015d 0094 7ba4 000d 348b 0000 0078 0a29 cb02 002b 000f 0000 fa41 0000 0ae3 0000 093e 0000 09b0 0000 0964 0000 2b7d 0000 357e 0000 1031 005b 34da 0000 0007 0004 0000 0596 1302 06b5 03a8 2a39 7fce 0004 0000 0000 8796 0001 0f21 0000 173d 0000 1dd7 0000 1619 0000 7636 0000 a16b 0000 2544 000a 27ae 0000 0243 0042 | 80 10 a9 1c 82 26 25 10 6d 00 00 50 00 00 80 a5
2023-12-13 01:13:41: | 1ca9 1ca9 | 01c0 8bea 015d 0094 7ba4 000d 348b 0000 0078 0a29 cb02 002b 000f 0000 fa41 0000 0ae3 0000 093e 0000 09b0 0000 0964 0000 2b7d 0000 357e 0000 1031 005b 34da 0000 0007 0004 0000 0596 1302 06b5 03a8 2a39 7fce 0004 0000 0000 8796 0001 0f21 0000 173d 0000 1dd7 0000 1619 0000 7636 0000 a16b 0000 2544 000a 27ae 0000 0243 0042 | 80 10 a9 1c 82 27 25 10 6d 00 00 50 00 00 80 a5
2023-12-13 01:13:42: | 1ca9 1ca9 | 01c0 8bea 015d 0094 7ba4 000d 348b 0000 0078 0a29 cb02 002b 000f 0000 fa41 0000 0ae3 0000 093e 0000 09b0 0000 0964 0000 2b7d 0000 357e 0000 1031 005b 34da 0000 0007 0004 0000 0596 1302 06b5 03a8 2a39 7fce 0004 0000 0000 8796 0001 0f21 0000 173d 0000 1dd7 0000 1619 0000 7636 0000 a16b 0000 2544 000a 27ae 0000 0243 0042 | 80 10 a9 1c 82 29 25 10 6d 00 00 50 00 00 80 a5
2023-12-13 01:13:47: | 1ca9 1ca9 | 01c0 8bea 015d 0094 7ba4 000d 348b 0000 0078 0a29 cb02 002b 000f 0000 fa41 0000 0ae3 0000 093e 0000 09b0 0000 0964 0000 2b7d 0000 357e 0000 1031 005b 34da 0000 0007 0004 0000 0596 1302 06b5 03a8 2a39 7fce 0004 0000 0000 8796 0001 0f21 0000 173d 0000 1dd7 0000 1619 0000 7636 0000 a16b 0000 2544 000a 27ae 0000 0243 0042 | 80 10 a9 1c 82 2d 25 10 6d 00 00 54 00 00 80 a5
2023-12-13 01:13:51: | 1ca9 1ca9 | 01c0 8bea 015d 0094 7ba4 000d 348b 0000 0078 0a29 cb02 002b 000f 0000 fa41 0000 0ae3 0000 093e 0000 09b0 0000 0964 0000 2b7d 0000 357e 0000 1031 005b 34da 0000 0007 0004 0000 0596 1302 06b5 03a8 2a39 7fce 0004 0000 0000 8796 0001 0f21 0000 173d 0000 1dd7 0000 1619 0000 7636 0000 a16b 0000 2544 000a 27ae 0000 0243 0042 | 80 10 a9 1c 82 32 25 10 6d 00 00 50 00 00 80 a5
2023-12-13 01:13:56: | 1ca9 1ca9 | 01c0 8bea 015d 0094 7ba4 000d 348b 0000 0078 0a29 cb02 002b 000f 0000 fa41 0000 0ae3 0000 093e 0000 09b0 0000 0964 0000 2b7d 0000 357e 0000 1031 005b 34da 0000 0007 0004 0000 0596 1302 06b5 03a8 2a39 7fce 0004 0000 0000 8796 0001 0f21 0000 173d 0000 1dd7 0000 1619 0000 7636 0000 a16b 0000 2544 000a 27ae 0000 0243 0042 | 80 10 a9 1c 82 36 25 10 6d 00 00 50 00 00 80 a5
2023-12-13 01:13:59: | 1ca9 1ca9 | 01c0 8bea 015d 0094 7ba4 000d 348b 0000 0078 0a29 cb02 002b 000f 0000 fa41 0000 0ae3 0000 093e 0000 09b0 0000 0964 0000 2b7d 0000 357e 0000 1031 005b 34da 0000 0007 0004 0000 0596 1302 06b5 03a8 2a39 7fce 0004 0000 0000 8796 0001 0f21 0000 173d 0000 1dd7 0000 1619 0000 7636 0000 a16b 0000 2544 000a 27ae 0000 0243 0042 | 80 10 a9 1c 82 39 25 10 6d 00 00 54 00 00 80 a5
2023-12-13 01:14:02: | 1ca9 1ca9 | 01c0 8bea 015d 0094 7ba4 000d 348b 0000 0078 0a29 cb02 002b 000f 0000 fa41 0000 0ae3 0000 093e 0000 09b0 0000 0964 0000 2b7d 0000 357e 0000 1031 005b 34da 0000 0007 0004 0000 0596 1302 06b5 03a8 2a39 7fce 0004 0000 0000 8796 0001 0f21 0000 173d 0000 1dd7 0000 1619 0000 7636 0000 a16b 0000 2544 000a 27ae 0000 0243 0042 | 80 10 a9 1c 82 00 26 10 6d 00 00 50 00 00 80 a5
2023-12-13 01:14:03: | 1ca9 1ca9 | 01c0 8bea 015d 0094 7ba4 000d 348b 0000 0078 0a29 cb02 002b 000f 0000 fa41 0000 0ae3 0000 093e 0000 09b0 0000 0964 0000 2b7d 0000 357e 0000 1031 005b 34da 0000 0007 0004 0000 0596 1302 06b5 03a8 2a39 7fce 0004 0000 0000 8796 0001 0f21 0000 173d 0000 1dd7 0000 1619 0000 7636 0000 a16b 0000 2544 000a 27ae 0000 0243 0042 | 80 10 a9 1c 82 02 26 10 6d 00 00 50 00 00 80 a5
2023-12-13 01:14:08: | 1ca9 1ca9 | 01c0 8bea 015d 0094 7ba4 000d 348b 0000 0078 0a29 cb02 002b 000f 0000 fa41 0000 0ae3 0000 093e 0000 09b0 0000 0964 0000 2b7d 0000 357e 0000 1031 005b 34da 0000 0007 0004 0000 0596 1302 06b5 03a8 2a39 7fce 0004 0000 0000 8796 0001 0f21 0000 173d 0000 1dd7 0000 1619 0000 7636 0000 a16b 0000 2544 000a 27ae 0000 0243 0042 | 80 10 a9 1c 82 06 26 10 6d 00 00 54 00 00 80 a5
2023-12-13 01:14:14: | 1ca9 1ca9 | 01c0 8bea 015d 0094 7ba4 000d 348b 0000 0078 0a29 cb02 002b 000f 0000 fa41 0000 0ae3 0000 093e 0000 09b0 0000 0964 0000 2b7d 0000 357e 0000 1031 005b 34da 0000 0007 0004 0000 0596 1302 06b5 03a8 2a39 7fce 0004 0000 0000 8796 0001 0f21 0000 173d 0000 1dd7 0000 1619 0000 7636 0000 a16b 0000 2544 000a 27ae 0000 0243 0042 | 80 10 a9 1c 82 0c 26 10 6d 00 00 54 00 00 80 a5

djnebs · « **Reply #39 on:** December 13, 2023, 07:12:07 am »

Quote

I think the serial transfer is always happening from 2e0. And if you set the value < 8000 nothing is copied to 2e0 meaning that you just read what is there which happens to be the working sampling buffer sometimes.

You are right. I understand now. I was focusing so much on the m command which memcopies to the 0x2e0 array, that I forgot there are all these direct writes everywhere to 0x2e0 as well (most look like they come from 0x1080 infoB region)
If the m command fails an address check or if you dont provide it any address at all, it should skip the memcopy step and the contents will retain those direct writes as 0x2e0 gets dumped to UART.

Good find on those values.

Meanwhile, I took off in a side quest.
I was disappointed by the address limitation of m command, I really wanted to read the full memory range so that we can read any good addresses we find later.
I realized with the X (execute) command, there is really no excuse to be limited

I managed to...
-craft a payload to read an arbitrary memory byte to UART
-sorted out the CRC calculations
-found a suitable location in flash to write to
-uploaded it using w command
-executed it with X command

It seems to work! I can read the short term average address from earlier this way over UART.
This is a pretty roundabout way of querying the device, but now there should be no limits.
The code is here:
https://github.com/ncicek/CorentiumHome-Hacking/blob/main/CorentiumHome.py

cb831a · « **Reply #40 on:** December 13, 2023, 11:20:32 am »

Cool work @djnebs

I'm kind of allergic to Python - but I'll manage

I see quite a lot of data errors reading the device.
Also sometimes the 370 address is not set correctly when io'ing data into it.
Do you see the same ?

cb831a · « **Reply #41 on:** December 13, 2023, 02:28:57 pm »

Just tried your code - worked in third attempt

Code: [Select]

C:\workSave\Airthings> python3.8.exe .\CorentiumHome.py
writing to flash
crc: 0xe0af
rx_byte_idx: 129
tx_byte_idx: 16
flags: 0x4000
reading from flash
crc: 0xe0af
rx_byte_idx: 130
tx_byte_idx: 128
flags: 0x7000
0x370
C:\workSave\Airthings> python3.8.exe .\CorentiumHome.py
writing to flash
crc: 0x62ce
rx_byte_idx: 128
tx_byte_idx: 16
flags: 0x4400
Traceback (most recent call last):
  File ".\CorentiumHome.py", line 168, in <module>
    radon.write_to_flash(payload)
  File ".\CorentiumHome.py", line 87, in write_to_flash
    assert address == written_address
AssertionError
C:\workSave\Airthings> python3.8.exe .\CorentiumHome.py
writing to flash
crc: 0xe0af
rx_byte_idx: 129
tx_byte_idx: 16
flags: 0x4000
reading from flash
crc: 0xe0af
rx_byte_idx: 130
tx_byte_idx: 128
flags: 0x4000
0x45
C:\workSave\Airthings>

My reading is 69 decimal, so 0x45 is correct.

Maybe the code can do more tests/repeat to ensure valid value

Is your code returning last sample or avg1day ?

djnebs · « **Reply #42 on:** December 15, 2023, 09:33:02 pm »

Interesting, I'm not sure what went wrong there.
Is it just the payload loading sequence that was finicky? We only have to do that once after device reboot (the device clears this region of flash during init, so payload is not persistent across resets).
After you have the payload loaded, do you get any issues calling read_arbitrary_address_short() repeatedly? I was stressing this with some memory dumps and it was holding up okay.

Sidenote: write_to_flash function only works once, so in order to load a different payload, need to reset the device. I tried to debug this for many hours but could never figure it out.

"Is your code returning last sample or avg1day ?" The 0x3e4 address read by my script is the avg1day value, same as shown on LCD.
I'm still interested in finding the pre-averaged value.

Where should we take this project next?
Any interest in putting a ESP32 in it? Make a MQTT or ESPHome type IOT thing?
I think I just want it to update faster and then log the result to a line graph.

cb831a · « **Reply #43 on:** December 15, 2023, 10:55:13 pm »

Quote from: djnebs on December 15, 2023, 09:33:02 pm

Interesting, I'm not sure what went wrong there.
Is it just the payload loading sequence that was finicky? We only have to do that once after device reboot (the device clears this region of flash during init, so payload is not persistent across resets).
After you have the payload loaded, do you get any issues calling read_arbitrary_address_short() repeatedly? I was stressing this with some memory dumps and it was holding up okay.

No, after first read it seems stable

Code: [Select]

C:\workSave\Airthings> python.exe .\CorentiumHome.
open port
Get radon

writing to flash
crc: 0xe0af
rx_byte_idx: 129
tx_byte_idx: 16
flags: 0x6030
reading from flash
crc: 0xe0af
rx_byte_idx: 130
tx_byte_idx: 128
flags: 0x7030
0x370 0xfd80 64896
0x372 0x281e 10270
0x374 0x3381 13185
0x376 0xe00 3584
0x378 0x58 88
0x37a 0x4830 18480
0x37c 0x0 0
0x37e 0xa510 42256
0x380 0x113 275
0x382 0x1848 6216
0x384 0x221 545
0x386 0x701 1793
0x388 0x151 337
0x38a 0x2008 8200
0x38c 0x3082 12418
0x38e 0x0 0
0x3e0 0x24f 591
0x3e2 0x1 1
0x3e4 0x49 73
0x3e6 0xc27c 49788
0x3e8 0xffff 65535
0x3ea 0xffff 65535
0x3ec 0xffff 65535
0x3ee 0xe80e 59406
0x3f0 0x4 4
0x3f2 0xcade 51934
0x3f4 0xffff 65535
0x3f6 0xffff 65535
0x3f8 0xffff 65535
0x3fa 0xffff 65535
0x3fc 0xe9ea 59882
0x3fe 0xec1a 60442
0x1080 0x1c3 451
0x1082 0x8bea 35818
0x1084 0x15d 349
0x1086 0x94 148
0x1088 0x7ef1 32497
0x108a 0xd 13
0x108c 0x34a3 13475
0x108e 0x0 0
0x1090 0x49 73
0x1092 0xa2a 2602
0x1094 0xcf6a 53098
0x1096 0x2d 45
0x1098 0xf 15
0x109a 0x0 0
0x109c 0xfc2d 64557
0x109e 0x0 0
0x10a0 0xafc 2812
0x10a2 0x0 0
0x10a4 0x949 2377
0x10a6 0x0 0
0x10a8 0x9bb 2491
0x10aa 0x0 0
0x10ac 0x96a 2410
0x10ae 0x0 0
0x10b0 0x2b9a 11162
0x10b2 0x0 0
0x10b4 0x35cc 13772
0x10b6 0x0 0
0x10b8 0x1032 4146
0x10ba 0x59 89
0x10bc 0x33d6 13270
0x10be 0x0 0
0x10c0 0x7 7
0x10c2 0x4 4
0x10c4 0x0 0
0x10c6 0x596 1430
0x10c8 0x1302 4866
0x10ca 0x6b5 1717
0x10cc 0x3a8 936
0x10ce 0x2a39 10809
0x10d0 0x7fce 32718
0x10d2 0x4 4
0x10d4 0x0 0
0x10d6 0x0 0
0x10d8 0x8796 34710
0x10da 0x1 1
0x10dc 0xf21 3873
0x10de 0x0 0
0x10e0 0x173d 5949
0x10e2 0x0 0
0x10e4 0x1dd7 7639
0x10e6 0x0 0
0x10e8 0x1619 5657
0x10ea 0x0 0
0x10ec 0x7636 30262
0x10ee 0x0 0
0x10f0 0xa16b 41323
0x10f2 0x0 0
0x10f4 0x2544 9540
0x10f6 0xa 10
0x10f8 0x27ae 10158
0x10fa 0x0 0
0x10fc 0x243 579
0x10fe 0x42 66
7-day 73
longterm 89

Quote from: djnebs on December 15, 2023, 09:33:02 pm

Sidenote: write_to_flash function only works once, so in order to load a different payload, need to reset the device. I tried to debug this for many hours but could never figure it out.

That's a tricky one...

Quote from: djnebs on December 15, 2023, 09:33:02 pm

I'm still interested in finding the pre-averaged value.

Same.

To do 1-day/7-day averages, it needs to maintain one 24 item rolling average of 24h and another 7 entry rolling avarage for 7 days, but I found none of that.
Long term is just a 64bit sum and a count.

Also, browsing the entire code I find no references to 3e0..3e7, so how did you find that address. 3e8 and higher is heavily referenced ??

Lastly, I still feel that accessing the device through the serial port gives me lower 1-day averages which now also have started to affect my 7-day and longterm averages.
My device has been running 451 days (stored in 0x1080), and I have never seen lower values than 70 and my long time average is 89.
Since I started poking around with it, my 1-day is dropped as low as 18 - which is definitely wrong.

It was my impression from the code that the timer interrupt fired once every 1 sec and the raw radon value was sampled each time.
But even if our heavy serial reading affects some of the reads I'm not sure how that would jeopardize the avarage ??!

I also just noticed running the code to produce the above output made the long term average display alternate between 89 and bOE where the top line in E is removed. Maybe a weird way to write battery, because the battery-low symbol came on while writing this. I would use bAE (without E-topline) to indicate bAttery.
Running 'w' or 'm' command does not provoke the bOt display so it's related to your short-reading-method.

Quote from: djnebs on December 15, 2023, 09:33:02 pm

Where should we take this project next?
Any interest in putting a ESP32 in it? Make a MQTT or ESPHome type IOT thing?
I think I just want it to update faster and then log the result to a line graph.

Good question, I would love higher speed, but on the other hand radon changes slowly so a reading once every 10, 30 or 60 minute is probably fine for me and then this solution is fine. I don't think we can fit a ESP32 inside it.

How would you connect ESP to the device ? Using the serial, it would probably not be much faster ?
ESP also uses power. On the other hand it is wireless.

You could change your code to return e.g. 64 bytes+ checksum.
In that way we could read only once or twice to get the needed information.

cb831a · « **Reply #44 on:** December 15, 2023, 11:07:14 pm »

BTW I tried to keep an eye on the flash in 1080 and it seems to update once a day when the h-m-s in the w-package resets to 0-0-0

This is three readings

Code: [Select]

                                   upti                                                                                                          7day                               long
2023-12-13 01:39:23: | 1ca9 1ca9 | 01c0 8bea 015d 0094 7ba4 000d 348b 0000 0078 0a29 cb02 002b 000f 0000 fa41 0000 0ae3 0000 093e 0000 09b0 0000 0964 0000 2b7d 0000 357e 0000 1031 005b 34da 0000 0007 0004 0000 0596 1302 06b5 03a8 2a39 7fce 0004 0000 0000 8796 0001 0f21 0000 173d 0000 1dd7 0000 1619 0000 7636 0000 a16b 0000 2544 000a 27ae 0000 0243 0042 | 80 10 a9 1c 82 16 03 11 6d 00 00 50 00 00 80 a5
2023-12-13 14:43:57: | 6876 6876 | 01c1 8bea 015d 0094 7d1b 000d 3493 0000 006b 0a29 350d 002c 000f 0000 fae5 0000 0aed 0000 0943 0000 09b4 0000 0968 0000 2b8f 0000 3599 0000 1032 005b 34d9 0000 0007 0004 0000 0596 1302 06b5 03a8 2a39 7fce 0004 0000 0000 8796 0001 0f21 0000 173d 0000 1dd7 0000 1619 0000 7636 0000 a16b 0000 2544 000a 27ae 0000 0243 0042 | 80 10 76 68 82 38 07 06 6d
   +13h/+784m          !=   !=     +1                  +375      +8        -13       !=   +1             +164       +10      +5        +4        +4        +18        +27       +1        -1                                                                                                                                                                            
2023-12-14 09:51:10: | 1f9a 1f9a | 01c2 8bea 015d 0094 7d8e 000d 349b 0000 0053 0a29 2f49 002d 000f 0000 fb89 0000 0af2 0000 0945 0000 09b5 0000 0969 0000 2b91 0000 35aa 0000 1031 005a 33d7 0000 0007 0004 0000 0596 1302 06b5 03a8 2a39 7fce 0004 0000 0000 8796 0001 0f21 0000 173d 0000 1dd7 0000 1619 0000 7636 0000 a16b 0000 2544 000a 27ae 0000 0243 0042 | 80 10 9a 1f 82 0b 0f 01 6d 00 00 50 00 00 80 a5
   +19h/+1147m         !=   !=     +1                  +115      +8        -24       !=   +1             +164       +5       +2        +1        +1        +2         +17       +1   -1   -1                                                                                                                                                                            
2023-12-15 08:37:10: | 43a6 43a6 | 01c3 8bea 015d 0094 7ef1 000d 34a3 0000 0049 0a2a cf6a 002d 000f 0000 fc2d 0000 0afc 0000 0949 0000 09bb 0000 096a 0000 2b9a 0000 35cc 0000 1032 0059 33d6 0000 0007 0004 0000 0596 1302 06b5 03a8 2a39 7fce 0004 0000 0000 8796 0001 0f21 0000 173d 0000 1dd7 0000 1619 0000 7636 0000 a16b 0000 2544 000a 27ae 0000 0243 0042 | 80 10 a6 43 82 0d 01 00 6d 00 30 54 00 00 80 a5
   +23h/+1400m         !=   !=     +1                  +355      +8        -10       !=                  +164       +10      +4        +6        +1        +9         +34       +1   -1   -1

djnebs · « **Reply #45 on:** December 16, 2023, 06:23:07 am »

Quote

Also, browsing the entire code I find no references to 3e0..3e7, so how did you find that address. 3e8 and higher is heavily referenced ??

I found it by diffing a few ram dumps from JTAG earlier and correlating them with the screen reading values. I also do not know the instruction that writes to it. Perhaps the destination of some larger memcopy.

Quote

Lastly, I still feel that accessing the device through the serial port gives me lower 1-day averages which now also have started to affect my 7-day and longterm averages.

That's annoying - I haven't been paying attention to notice this. Maybe some timer or counter is being shared between the UART and periodic running code. Quite unfortunate if true. I'll keep an eye out for it.

Quote

I also just noticed running the code to produce the above output made the long term average display alternate between 89 and bOE where the top line in E is removed. Maybe a weird way to write battery, because the battery-low symbol came on while writing this. I would use bAE (without E-topline) to indicate bAttery.
Running 'w' or 'm' command does not provoke the bOt display so it's related to your short-reading-method.

"bOE" displays whenever you send the X (execute) command (with correct magic key). It's outside of my payload. I was speculating X command could be intended as a bootloader to deploy firmware updates (during development perhaps). bOotloadEr? I dont know.

451 days is seriously impressive!

A small ESP32 board could be fitted inside the unit, sharing the battery for power, wired to the serial port. It could wake up every 10min or so from deepsleep, say the magic words to the meter to get a reading, then connect to wifi and send it so some server for logging/graphing. Seems like the next best thing to having the usb port working.
I'm not caught up with the latest in IOT firmware world - seems ESPHome is popular for this sort of thing. Anyone have suggestions? The simpler, the better imo.

Yes, the payload could be something more clever - anything that fits inside 128 bytes of asm. Currently it uses up 80 bytes.

cb831a · « **Reply #46 on:** December 16, 2023, 10:50:22 am »

Quote from: djnebs on December 16, 2023, 06:23:07 am

That's annoying - I haven't been paying attention to notice this. Maybe some timer or counter is being shared between the UART and periodic running code. Quite unfortunate if true. I'll keep an eye out for it.

Yes, if I can't trust the readings, I can't use it. Unless the error can be limited by only reading it 1-2-4 times a day.

Quote from: djnebs on December 16, 2023, 06:23:07 am

451 days is seriously impressive!

Because of the battery change last night it is now 0 days.
It is now calibrating and I will leave it alone until I got readings to see of the values gets back to "normal" meaning that the communications do affect the measurements.

Quote from: djnebs on December 16, 2023, 06:23:07 am

A small ESP32 board could be fitted inside the unit, sharing the battery for power, wired to the serial port. It could wake up every 10min or so from deepsleep, say the magic words to the meter to get a reading, then connect to wifi and send it so some server for logging/graphing.

True, I was thinking of a prototype board, but a real appliance board doesn't take up more space than the ESP chip itself.
Se still need to bring out some leads to reprogram the esp.

Quote from: djnebs on December 16, 2023, 06:23:07 am

Seems like the next best thing to having the usb port working.

I tried a lot on that on both windows and linux and freebsd, but it seems it either does not adhere to normal USB handshake or it presents itself as an unknown generic device type. I'm 100% sure that it can be used as serial port some way.

cb831a · « **Reply #47 on:** December 16, 2023, 05:37:46 pm »

As I expected:

After reset and recalibrating 18h the 1-day avg is back in the range 80-100 where it was before all the testing.
And my post from December 11, 2023, 12:20:37 seems to be correct again.

That sucks !

As I read

Code: [Select]

                             *************************************************************
                             *                           FUNCTION                          
                             *************************************************************
                             undefined8  __stdcall  FUN_ce7c_IntRTCTick1Sec (void )
             undefined8        R15:2,R14:2,   <RETURN>
                             FUN_ce7c_IntRTCTick1Sec                         XREF[1]:     ffe0 (*)   
            ce7c 0f  12           PUSH.W     R15
            ce7e 0e  12           PUSH.W     R14
            ce80 0d  12           PUSH.W     R13
            ce82 0c  12           PUSH.W     R12
            ce84 0b  12           PUSH.W     R11
            ce86 d2  53  75  03    INC.B      &DAT_0375
            ce8a 5f  42  6f  03    MOV.B      &DAT_036f ,R15
            ce8e 0f  93           TST.W      R15
            ce90 0e  24           JEQ        LAB_ceae
            ce92 3f  80  14  00    SUB.W      #0x14 ,R15
            ce96 28  24           JEQ        LAB_cee8
            ce98 3f  80  eb  00    SUB.W      #0xeb ,R15
            ce9c 2f  24           JEQ        LAB_cefc
            ce9e d2  83  6f  03    DEC.B      &DAT_036f
            cea2 f2  90  80       CMP.B      #0x80 ,&DAT_0374_SerialReadBufferIndex     <------------------------
                 00  74  03
            cea8 65  20           JNE        LAB_cf74
            ceaa 32  d2           EINT
            ceac 27  3c           JMP        LAB_cefc
                             LAB_ceae                                        XREF[1]:     ce90 (j)   
            ceae f2  40  80       MOV.B      #0x80 ,&DAT_0374_SerialReadBufferIndex
                 00  74  03
            ceb4 b2  f0  ff       AND.W      #0xbeff ,&DAT_037a
                 be  7a  03
            ceba b0  12  52  eb    CALL       #FUN_eb52                                        undefined FUN_eb52()
            cebe f2  43  6f  03    MOV.B      #-1,&DAT_036f
            cec2 f2  90  10       CMP.B      #0x10 ,&DAT_0379
                 00  79  03
            cec8 06  28           JNC        LAB_ced6
            ceca 3c  40  0f  00    MOV.W      #0xf ,R12
            cece 5c  f2  79  03    AND.B      &DAT_0379 ,R12
            ced2 b0  12  68  e7    CALL       #FUN_e768                                        undefined FUN_e768()
                             LAB_ced6                                        XREF[1]:     cec8 (j)   
            ced6 c2  43  79  03    MOV.B      #0,&DAT_0379
            ceda 3c  40  19  00    MOV.W      #0x19 ,R12
            cede b0  12  7a  eb    CALL       #FUN_eb7a_Loop1000xVal                           void FUN_eb7a_Loop1000xVal(short
            cee2 b0  12  4c  ec    CALL       #FUN_ec4c                                        undefined FUN_ec4c()
            cee6 0a  3c           JMP        LAB_cefc
                             LAB_cee8                                        XREF[1]:     ce96 (j)   
            cee8 7c  40  80  00    MOV.B      #0x80 ,R12
            ceec b0  12  9a  ec    CALL       #FUN_ec9a                                        undefined FUN_ec9a()
            cef0 5c  43           MOV.B      #1,R12
            cef2 b0  12  9c  e6    CALL       #FUN_e69c                                        undefined FUN_e69c()
            cef6 f2  40  13       MOV.B      #0x13 ,&DAT_036f
                 00  6f  03
                             LAB_cefc                                        XREF[3]:     ce9c (j) , ceac (j) , cee6 (j)   
            cefc d2  b3  20  00    BIT.B      #1,&P1IN
            cf00 02  20           JNE        LAB_cf06
            cf02 92  d3  0e  02    BIS.W      #1,&DAT_020e
                             LAB_cf06                                        XREF[1]:     cf00 (j)   
            cf06 b0  12  94  c5    CALL       #FUN_c594                                        undefined FUN_c594()
            cf0a b2  b0  00       BIT.W      #0x400 ,&DAT_037a
                 04  7a  03
            cf10 02  24           JEQ        LAB_cf16
            cf12 b0  12  be  db    CALL       #FUN_dbbe                                        undefined FUN_dbbe()
                             LAB_cf16                                        XREF[1]:     cf10 (j)   
            cf16 b2  f0  ff       AND.W      #0xfbff ,&DAT_037a
                 fb  7a  03
            cf1c f2  90  3c       CMP.B      #0x3c ,&DAT_0375
                 00  75  03
            cf22 28  28           JNC        LAB_cf74
            cf24 f2  80  3c       SUB.B      #0x3c ,&DAT_0375
                 00  75  03
            cf2a d2  53  76  03    INC.B      &DAT_0376
            cf2e f2  90  3c       CMP.B      #0x3c ,&DAT_0376
                 00  76  03
            cf34 16  28           JNC        LAB_cf62
            cf36 32  c2           DINT
            cf38 4c  43           MOV.B      #0,R12
            cf3a b0  12  9a  ec    CALL       #FUN_ec9a                                        undefined FUN_ec9a()
            cf3e b0  12  c6  e5    CALL       #FUN_e5c6                                        undefined FUN_e5c6()
            cf42 c2  43  76  03    MOV.B      #0,&DAT_0376
            cf46 d2  53  77  03    INC.B      &DAT_0377
            cf4a b0  12  e2  e6    CALL       #FUN_e6e2_RunPerHour                             undefined FUN_e6e2_RunPerHour()
            cf4e f2  90  18       CMP.B      #0x18 ,&DAT_0377
                 00  77  03
            cf54 04  28           JNC        LAB_cf5e
            cf56 b0  12  90  c8    CALL       #FUN_c890_RunPerDay                              undefined FUN_c890_RunPerDay()
            cf5a c2  43  77  03    MOV.B      #0,&DAT_0377
                             LAB_cf5e                                        XREF[1]:     cf54 (j)   
            cf5e b0  12  4c  ec    CALL       #FUN_ec4c                                        undefined FUN_ec4c()
                             LAB_cf62                                        XREF[1]:     cf34 (j)   
            cf62 5f  42  75  03    MOV.B      &DAT_0375 ,R15
            cf66 5e  42  76  03    MOV.B      &DAT_0376 ,R14
            cf6a 0e  5f           ADD.W      R15 ,R14
            cf6c 03  20           JNE        LAB_cf74
            cf6e b1  c0  d0       BIC.W      #0xd0 ,0xa (SP)
                 00  0a  00
                             LAB_cf74                                        XREF[3]:     cea8 (j) , cf22 (j) , cf6c (j)   
            cf74 3b  41           POP.W      R11
            cf76 3c  41           POP.W      R12
            cf78 3d  41           POP.W      R13
            cf7a 3e  41           POP.W      R14
            cf7c 3f  41           POP.W      R15
            cf7e 00  13           RETI

It will simply not count on time (DAT0_375,376,377,1080) if there are pending chars in the 2e0 buffer to be transmitted.
I'm not sure how that impact the radon measurement, but stretching time will lower avg.

ChrisE · « **Reply #48 on:** December 16, 2023, 10:05:51 pm »

Just catching up on the great work going on in this thread, I might actually get some time to do some more exploration myself =D

Quote from: cb831a on December 13, 2023, 01:35:44 am

It looks like I can find the long time average 91/0x5b in 0x10ba and the 7-day average 120/0x78 in 0x1090 reading flash in 0x1080.
Repeating the command "; iioo oooo oooo oooo m" and verifying checksum and that DAT_0370 is actually 0x1080 in w-buffer I get a stable result

Probably something I've missed whilst reading this through, how does the "iioo oooo oooo oooo" get you to 0x01080? That's not quite what I would have expected to send (but I might have just missed something).

I can confirm from my observations what you're seeing in terms of the dropping average. I think I mentioned it in passing on the the first page, but didn't really draw enough attention to it. I had tried record data reasonably often to try and observe changes, and noticed that my average was slowly decreasing; I also did the same thing from startup whilst calibration was in progress, and even after waiting a few hours, I don't think the readings moved from 0.

Going to read the thread a few more times and get my had back into this =D

cb831a · « **Reply #49 on:** December 16, 2023, 10:34:07 pm »

Quote from: ChrisE on December 16, 2023, 10:05:51 pm

Probably something I've missed whilst reading this through, how does the "iioo oooo oooo oooo" get you to 0x01080? That's not quite what I would have expected to send (but I might have just missed something).

You will have to read the m_command_handler code mentioned in December 09, 2023, 09:57:18 am to understand that.
Basically we provide a value that will copy (0x8000 bit set) and 0x4000 makes i select buffer 0x1080.

Quote from: ChrisE on December 16, 2023, 10:05:51 pm

I can confirm from my observations what you're seeing in terms of the dropping average. I think I mentioned it in passing on the the first page, but didn't really draw enough attention to it. I had tried record data reasonably often to try and observe changes, and noticed that my average was slowly decreasing; I also did the same thing from startup whilst calibration was in progress, and even after waiting a few hours, I don't think the readings moved from 0.

Good, that my observations are not crazy.
Not so good, as we cannot trust the readings.
I tried since last post to only read the device once every ½h and yet my average has dropped from 90 to 61 over 3 hours - that makes no sense.
Maybe we leave some state in the device that continues to affect the operation in between our reads ?!??!


EEVblog Main Site	EEVblog on Youtube	EEVblog on Twitter	EEVblog on Facebook	EEVblog on Odysee

Author Topic: micro-usb on radon detector (Read 32415 times)

Share me