Add support for cs800d #233
Comments
|
as an update to above the cs750 also appears to use the same coms method. |
|
cs800d write.CSV |
|
The process monitor just captures calls to the windows API, I actually need some wireshark captures of the USB traffic to inspect the protocol used by the CPS to talk to the radio. If it is a serial over USB (USB-ACM) type of protocol, the chances are good that I can implement it without having the radio in my hands. However, it will still take some time to do it. An introduction can be found under https://wiki.wireshark.org/CaptureSetup/USB#windows I usually run windows as a virtual machine and then capture the USB traffic at the Linux host. However, you should be able to capture it directly on the windows machine. |
|
The initial message has Wireshark captures in a zip file. I can redo it separately. if that would help |
|
Oh, sorry I haven't looked into it. However, it only contains capures of a USB mass-storage device. Does the radio appear as a usb flash drive? If not, try to select the specific device to capture in wireshark. |
|
here is a lsusb new captures for the radio |
|
USBMS is the protocol |
|
for the write the filter device is for the read the filter device is |
|
|
|
Oh, weird. They use the flash-drive protocol to write to and read from the device. This is kind of interesting. To this end, I may only need to read/write files on that drive. Lets see. |
|
is there anything I could try on my end. I happen to have the radio and my laptop with me at work today. |
|
Thanks a lot, it somewhat makes sense to misuse the USB mass storage protocol. It is actually less weird then some other protocols I've seen. I.e., Radioddity uses something like a HID protocol, usually for USB keyboards and mouses. I'll have a look at it. |
|
thanks. if there is anything I can do to help just let me know. |
|
I've had a look at it and I can see how the codeplug is written into the device, reading however still is a mystery. I do not see any significant data being read from the device using the USBMS proto. |
|
|
|
Oh, yes sorry. Looked at the wrong USBMS device. |
|
No problem. I did that when trying to get the message written yesterday. |
|
I have been messing with pyusb and the radio haven't figured out how the message is arcitected. |
|
From my poking around it looks like it is sending the radio something then the radio is responding with information about the requested data |
|
I've created a branch cs800d, where I document my reverse engineering. |
|
Wow looks like you made a lot of progress |
|
would having remote access to a radio connected to my laptop help. we could set that up if you were interested. |
|
i was messing with sg_raw in terminal if i send ff 28 00 00 00 00 00 00 00 00 00 00 00 00 47 50 i get 1024 bytes of data all 0 |
|
You have to send an actual command to the device as a request payload. I do not know sg_raw, but there is likely some means to do that. E.g., send SCSI raw: ff 2a 00 00 00 00 00 00 00 00 00 00 00 00 47 50 and then send The device should then return some information about itself. Btw, I've implemented a python script filtering and decoding the packets in the pcap files. |
|
sudo sg_raw -r 1k /dev/sg1 ff 2a 00 00 00 00 00 00 00 00 00 00 00 00 47 50 1 ✘ Sense Information: Error 9 occurred, no data received |
|
The first command does not trigger the device to send any data. You have to send the mentioned payload using the -i option. The second command then queries the result from the device. There some data is send back. |
|
sudo sg_raw -r 1k /dev/sg1 ff 2a 00 00 00 00 47 50 -i a1 00 03 00 00 00 00 a4 ✔ |
|
Usage: sg_raw [OPTION]* DEVICE [CDB0 CDB1 ...] Options: Between 6 and 260 command bytes (two hex digits each) can be specified |
|
Create a binary file containing the payload The file should not contain the hex string but its binary form. Lets call that file request.bin Then The second call should receive some data. |
|
a1 00 03 00 00 00 00 a4
SCSI Status: Good |
|
Ok, then it appears to be much harder to talk to the radio. However, after extracting the codeplug from the captures, it appears like the saved archive files are just one-to-one binary dumps of what is written to the device. So I can reverse engineer the codeplug without needing the device in my hands. |
|
a1 00 03 00 00 00 00 a4 |
|
Oh, yes. You have to generate a binary file from that hex string. Try |
|
request.bin.zip
SCSI Status: Good |
|
cs test comm.zip |
|
I've looked at the capture and the command payload is missing. Maybe sg_raw cannot be used to send those commands. |
|
got it this morning have to tell it the length of the data packet. and i am telling it that the command is scsi not nvme by the -C1 filter for usb |
|
on the request message No data received but if i add a few more bytes i get data. sg_raw -r 260 /dev/sg1 ff 28 00 00 00 00 00 00 00 00 00 00 00 00 47 50 Received 260 bytes of data: |
|
same command works on the cs750 g_raw -C1 -s 8 -i request.bin /dev/sg1 ff 2a 00 00 00 00 00 00 00 00 00 00 00 00 47 50 ~ sg_raw -r 260 /dev/sg1 ff 28 00 00 00 00 00 00 00 00 00 00 00 00 47 50 Received 260 bytes of data: |
|
got it to work in a bash script. |
|
Ok, this is a good sign. Now we only need to get it working using libusb. |
|
i found some code on git-hub. it at least seams to be a start on making this work not sure how to modify it to do what we want but shows it is possible. |
|
i forgot to include the usb cap. |
|
cs750 cap 9.zip |
|
Looks almost good. Just the length. |
|
i am not sure how that is set i have been editing the function |
|
to me the command response data looks the same. |
|
I forgot to say USB id 9 |
|
read first block.zip |
another new radio issue
i am willing to learn but haven't touched c++ at all.
i attached a code plug and some wireshark captures from a windows vm to the radio.
cps radio read and write.zip
cs800d.rdb.zip
The text was updated successfully, but these errors were encountered: