Add support for cs800d #233
Comments
As an update to the above, the cs750 also appears to use the same comms method. |
cs800d write.CSV |
The process monitor just captures calls to the Windows API; I actually need some Wireshark captures of the USB traffic to inspect the protocol used by the CPS to talk to the radio. If it is a serial-over-USB (USB-ACM) type of protocol, the chances are good that I can implement it without having the radio in my hands. However, it will still take some time to do it. An introduction can be found under https://wiki.wireshark.org/CaptureSetup/USB#windows I usually run Windows as a virtual machine and then capture the USB traffic at the Linux host. However, you should be able to capture it directly on the Windows machine. |
The initial message has Wireshark captures in a zip file. I can redo it separately if that would help. |
Oh, sorry, I haven't looked into it. However, it only contains captures of a USB mass-storage device. Does the radio appear as a USB flash drive? If not, try to select the specific device to capture in Wireshark. |
Here is a lsusb new captures for the radio |
USBMS is the protocol |
for the write the filter device is for the read the filter device is |
Oh, weird. They use the flash-drive protocol to write to and read from the device. This is kind of interesting. To this end, I may only need to read/write files on that drive. Let's see. |
Is there anything I could try on my end? I happen to have the radio and my laptop with me at work today. |
Thanks a lot, it somewhat makes sense to misuse the USB mass storage protocol. It is actually less weird than some other protocols I've seen. I.e., Radioddity uses something like a HID protocol, usually for USB keyboards and mice. I'll have a look at it. |
Thanks. If there is anything I can do to help, just let me know. |
I've had a look at it and I can see how the codeplug is written into the device; reading, however, is still a mystery. I do not see any significant data being read from the device using the USBMS proto. |
Oh, yes sorry. Looked at the wrong USBMS device. |
No problem. I did that when trying to get the message written yesterday. |
I have been messing with pyusb and the radio; haven't figured out how the message is architected. |
From my poking around, it looks like it is sending the radio something, then the radio is responding with information about the requested data. |
I've created a branch cs800d, where I document my reverse engineering. |
Wow, looks like you made a lot of progress. |
Would having remote access to a radio connected to my laptop help? We could set that up if you were interested. |
I was messing with sg_raw in terminal. If I send ff 28 00 00 00 00 00 00 00 00 00 00 00 00 47 50 I get 1024 bytes of data, all 0. |
You have to send an actual command to the device as a request payload. I do not know sg_raw, but there is likely some means to do that. E.g., send SCSI raw: ff 2a 00 00 00 00 00 00 00 00 00 00 00 00 47 50 and then send The device should then return some information about itself. Btw, I've implemented a Python script filtering and decoding the packets in the pcap files. |
sudo sg_raw -r 1k /dev/sg1 ff 2a 00 00 00 00 00 00 00 00 00 00 00 00 47 50 1 ✘ Sense Information: Error 9 occurred, no data received |
The first command does not trigger the device to send any data. You have to send the mentioned payload using the -i option. The second command then queries the result from the device. There, some data is sent back. |
sudo sg_raw -r 1k /dev/sg1 ff 2a 00 00 00 00 47 50 -i a1 00 03 00 00 00 00 a4 ✔ |
Usage: sg_raw [OPTION]* DEVICE [CDB0 CDB1 ...] Options: Between 6 and 260 command bytes (two hex digits each) can be specified |
Create a binary file containing the payload
The file should not contain the hex string but its binary form. Let's call that file request.bin. Then
The second call should receive some data. |
a1 00 03 00 00 00 00 a4
SCSI Status: Good |
Ok, then it appears to be much harder to talk to the radio. However, after extracting the codeplug from the captures, it appears like the saved archive files are just one-to-one binary dumps of what is written to the device. So I can reverse engineer the codeplug without needing the device in my hands. |
a1 00 03 00 00 00 00 a4 |
Oh, yes. You have to generate a binary file from that hex string. Try
|
request.bin.zip
SCSI Status: Good |
cs test comm.zip |
I've looked at the capture and the command payload is missing. Maybe sg_raw cannot be used to send those commands. |
Got it this morning: I have to tell it the length of the data packet, and I am telling it that the command is SCSI, not NVMe, by the -C1 filter for USB. |
On the request message: No data received, but if I add a few more bytes I get data. sg_raw -r 260 /dev/sg1 ff 28 00 00 00 00 00 00 00 00 00 00 00 00 47 50 Received 260 bytes of data: |
Same command works on the cs750: sg_raw -C1 -s 8 -i request.bin /dev/sg1 ff 2a 00 00 00 00 00 00 00 00 00 00 00 00 47 50 ~ sg_raw -r 260 /dev/sg1 ff 28 00 00 00 00 00 00 00 00 00 00 00 00 47 50 Received 260 bytes of data: |
Got it to work in a bash script. |
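The two-step exchange worked out in the comments above (send the request payload with the ff 2a command, then fetch the reply with the ff 28 command), as an added example that is not part of the original thread or the project's code. The bytes and sg_raw options are those quoted in the comments; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread. CDBs, payload and sg_raw options are
# the ones quoted in the comments; function names are hypothetical.

WRITE_CDB="ff 2a 00 00 00 00 00 00 00 00 00 00 00 00 47 50"  # carries the request
READ_CDB="ff 28 00 00 00 00 00 00 00 00 00 00 00 00 47 50"   # fetches the reply

# hex_to_bin "a1 00 03 ..." FILE: write space-separated hex bytes as raw binary,
# i.e. the binary form of the hex string, not its text.
hex_to_bin() {
    _out=$2
    printf '' > "$_out" || return 1
    for _b in $1; do
        case $_b in
            [0-9A-Fa-f][0-9A-Fa-f]) ;;
            *) echo "hex_to_bin: bad byte '$_b'" >&2; rm -f "$_out"; return 1 ;;
        esac
        # POSIX printf has no \xHH escape, so emit the byte as a 3-digit octal escape.
        printf "\\$(printf '%03o' "0x$_b")" >> "$_out"
    done
    [ -s "$_out" ]   # reject an empty payload
}

# send_request DEV HEX: step 1, send HEX as the data-out payload of WRITE_CDB.
# -C1 selects the SCSI command set, -s is the payload length, -i the payload file.
send_request() {
    _req=$(mktemp) || return 1
    hex_to_bin "$2" "$_req" || { rm -f "$_req"; return 1; }
    _len=$(wc -c < "$_req" | tr -d ' ')
    sg_raw -C1 -s "$_len" -i "$_req" "$1" $WRITE_CDB   # unquoted: one arg per byte
    _rc=$?
    rm -f "$_req"
    return "$_rc"
}

# read_response DEV [LEN]: step 2, fetch the device's answer (260 bytes by default).
read_response() {
    sg_raw -r "${2:-260}" "$1" $READ_CDB
}

# Run as: sh exchange.sh /dev/sgN  (the thread used /dev/sg1)
if [ -n "${1:-}" ]; then
    send_request "$1" "a1 00 03 00 00 00 00 a4" && read_response "$1"
fi
```

The payload length passed to -s is taken from the generated file, so the value 8 used in the thread falls out of the 8-byte request.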
Ok, this is a good sign. Now we only need to get it working using libusb. |
I found some code on GitHub. It at least seems to be a start on making this work; not sure how to modify it to do what we want, but it shows it is possible. |
I forgot to include the USB cap. |
cs750 cap 9.zip |
Looks almost good. Just the length. |
I am not sure how that is set; I have been editing the function |
To me the command response data looks the same. |
I forgot to say USB id 9 |
read first block.zip |
Another new radio issue
I am willing to learn but haven't touched C++ at all.
I attached a code plug and some Wireshark captures from a Windows VM to the radio.
cps radio read and write.zip
cs800d.rdb.zip