-
Notifications
You must be signed in to change notification settings - Fork 30
GreenPAK Universal Dev Board 1
This page describes the USB protocol used by the GreenPAK Universal Dev Board 1, as shipped in all GreenPAK Development Kits except the GreenPAK1 one. Protocol RE is done by @whitequark with board revision v1.3.1 and firmware v2.4.
The board speaks two protocols, both of which are based on USBHID. They use interrupt URBs, always with a 64 byte payload. All numbers below are in hexadecimal.
After plugging in, the board lights up a white LED and enumerates as 0f0f:8006. In this state it is not operational, and it is necessary to send it a command to make it so. The Silego tool will proceed to chat a bit with it in a protocol that is not readily identifiable, but most of it does not appear to be necessary.
Overall payload format:
| Offset | Length | Meaning |
|---|---|---|
00 |
3c |
Unknown |
3c |
01 |
Command |
3d |
03 |
Unknown |
The command 09, with the rest of the packet being zeroed, switches the board into operational mode. All other commands are not understood.
After switching mode, the board lights up an orange LED and enumerates as 0f0f:0006.
Overall payload format:
| Offset | Length | Meaning |
|---|---|---|
00 |
01 |
Sequence number A (SEQA) |
01 |
01 |
Packet type |
02 |
01 |
Packet length |
03 |
01 |
Sequence number B (SEQB) |
The function of sequence numbers A and B is not fully understood. Under most circumstances sequence number A is 01 and sequence number B is 00.
The packet length is offset by one. I.e. it is the index of the last meaningful byte in the URB payload.
Every byte not specified in the individual packet format was always observed as 00.
"Read back command for ..." means that the returned payload for this READ command is exactly the same as what was provided for the WRITE command it refers to.
This command flashes the bitstream to the device.
With SEQA=01, SEQB=04:
| Offset | Length | Meaning |
|---|---|---|
04 |
01 |
Unknown; observed as 80
|
05 |
02 |
Unknown; observed as 0000
|
07 |
02 |
The number of SCL cycles to use (0828) |
09 |
37 |
reg<0:439> |
With SEQA=02, SEQB=03:
| Offset | Length | Meaning |
|---|---|---|
04 |
3c |
reg<440:919> |
With SEQA=03, SEQB=02:
| Offset | Length | Meaning |
|---|---|---|
04 |
3c |
reg<920:1399> |
With SEQA=04, SEQB=01:
| Offset | Length | Meaning |
|---|---|---|
04 |
3c |
reg<1400:1879> |
With SEQA=05, SEQB=00:
| Offset | Length | Meaning |
|---|---|---|
04 |
15 |
reg<1880:2047> |
This command starts transferring the bitstream out of the device.
| Offset | Length | Meaning |
|---|---|---|
04 |
03 |
Unknown; observed as c007d0
|
07 |
02 |
The total number of SCL cycles to use (0828) |
This command transfers the bitstream to the device.
With SEQA=01, SEQB=04:
| Offset | Length | Meaning |
|---|---|---|
04 |
01 |
Unknown; observed as 80 normally and 87 when trimming oscillators |
05 |
02 |
Unknown; observed as 0000
|
07 |
02 |
The number of SCL cycles to use (0828) |
09 |
37 |
reg<0:439> |
With SEQA=02, SEQB=03:
| Offset | Length | Meaning |
|---|---|---|
04 |
3c |
reg<440:919> |
With SEQA=03, SEQB=02:
| Offset | Length | Meaning |
|---|---|---|
04 |
3c |
reg<920:1399> |
With SEQA=04, SEQB=01:
| Offset | Length | Meaning |
|---|---|---|
04 |
3c |
reg<1400:1879> |
With SEQA=05, SEQB=00:
| Offset | Length | Meaning |
|---|---|---|
04 |
15 |
reg<1880:2047> |
This packet configures the I/O buffers, LEDs, and the expansion connector.
Format:
| Offset | Length | Meaning |
|---|---|---|
04 |
02 |
TP2 output configuration |
06 |
02 |
TP3 output configuration |
08 |
02 |
TP4 output configuration |
0a |
02 |
TP5 output configuration |
0c |
02 |
TP6 output configuration |
0e |
02 |
TP7 output configuration |
10 |
02 |
TP8 output configuration |
12 |
02 |
TP9 output configuration |
14 |
02 |
TP10 output configuration |
16 |
02 |
TP12 output configuration |
18 |
02 |
TP13 output configuration |
1a |
02 |
TP14 output configuration |
1c |
02 |
TP15 output configuration |
1e |
02 |
TP16 output configuration |
20 |
02 |
TP17 output configuration |
22 |
02 |
TP18 output configuration |
24 |
02 |
TP19 output configuration |
26 |
02 |
TP20 output configuration |
2f |
03 |
Expansion connector configuration |
32 |
01 |
TP3..TP6 LED configuration |
33 |
01 |
TP7..TP10 LED configuration |
34 |
01 |
TP12..TP15 LED configuration |
35 |
02 |
TP16..TP20 LED configuration |
37 |
01 |
Internal VDD configuration |
38 |
02 |
Unknown; observed as 0000
|
TPx output configuration:
| Value | Meaning |
|---|---|
0001 |
Reset |
0200 |
N/C |
0c01 |
VDD |
0c00 |
GND |
0e01 |
Pull-up |
0e00 |
Pull-down |
0001 |
Weak pull-up |
0000 |
Weak pull-down |
0c03 |
Logic generator, push-pull |
0403 |
Logic generator, open-drain + pull-up |
0603 |
Logic generator, open-drain + pull-down |
0a03 |
Logic generator, open-drain, drives HI |
0803 |
Logic generator, open-drain, drives LO |
0e03 |
Logic generator, pull-up/down |
It is necessary to issue a reset, at least, after SRAM download, or else programmable outputs and indicator LEDs won't work.
TP3..TP6, TP7..TP10 and TP12..TP15 LED configuration (a bit mask):
| Value | Meaning |
|---|---|
01 |
TP(n+0) LED enabled |
02 |
TP(n+1) LED enabled |
04 |
TP(n+2) LED enabled |
08 |
TP(n+3) LED enabled |
10 |
TP(n+0) LED inverted |
20 |
TP(n+1) LED inverted |
40 |
TP(n+2) LED inverted |
80 |
TP(n+3) LED inverted |
TP16..TP20 LED configuration (a bit mask):
| Value | Meaning |
|---|---|
0100 |
TP(n+0) LED enabled |
0200 |
TP(n+1) LED enabled |
0400 |
TP(n+2) LED enabled |
0800 |
TP(n+3) LED enabled |
1000 |
TP(n+4) LED enabled |
0001 |
TP(n+0) LED inverted |
0002 |
TP(n+1) LED inverted |
0004 |
TP(n+2) LED inverted |
0008 |
TP(n+3) LED inverted |
0010 |
TP(n+4) LED inverted |
Expansion connector configuration (a bit mask):
| Value | Meaning |
|---|---|
000100 |
VDD |
000004 |
TP2 |
000001 |
TP3 |
000010 |
TP4 |
000040 |
TP5 |
010000 |
TP6 |
040000 |
TP7 |
100000 |
TP8 |
400000 |
TP9 |
800000 |
TP10 |
200000 |
TP12 |
000008 |
TP13 |
000002 |
TP14 |
008000 |
TP15 |
000020 |
TP16 |
020000 |
TP17 |
002000 |
TP18 |
000800 |
TP19 |
080000 |
TP20 |
Internal VDD configuration:
| Value | Meaning |
|---|---|
00 |
Disabled |
01 |
Enabled |
This packet (likely) resets the board controller.
Response to WRITE 05; reset acknowledgement.
This command continues transferring the bitstream out of the device.
| Offset | Length | Meaning |
|---|---|---|
04 |
03 |
Unknown; observed as c007d0
|
07 |
02 |
The total number of SCL cycles to use (see WRITE 03) |
Response to WRITE 03; bitstream acknowledgement, more data required.
This command confgiures a signal generator.
| Offset | Length | Meaning |
|---|---|---|
04 |
01 |
Generator type; 01=logic generator, 02=signal generator |
05 |
01 |
Test point index; 01=VDD, 02=TP2, ..., 0a=TP10, 0c=TP12, ..., 14=TP20 |
06 |
01 |
Pre-start state; 00=low, 01=start point, 02=hi-Z |
07 |
01 |
Repeat count; 00=forever, 01=once, 02=twice, ... |
08 |
01 |
End state; 00=pre-start state, 01=keep last state |
09 |
02 |
Initial voltage |
11 |
02 |
Point 1: ramp delay |
13 |
02 |
Point 1: ramp voltage, integral step part |
15 |
02 |
Point 1: ramp voltage, step sign and fractional step part |
17 |
02 |
Point 2: ramp delay |
19 |
02 |
Point 2: ramp voltage, integral step part |
1b |
02 |
Point 2: ramp voltage, step sign and fractional step part |
| ... | ... | ... |
Voltages are specified with 1LSB corresponding to 1.362mV. Tolerance is ±30mV on VCC and ±7mV on all other outputs.
Delays are specified with 1LSB corresponding to 0.1ms, with 0000 corresponding to the delay of 0.1ms.
Ramping is specified as follows. Every 0.1ms, the voltage is increased by a 16.15 fixed point number comprised by the entire integral and low 15 bits of the fractional ramp voltage parts. The sign of this number is specified by bit 15 of the fractional ramp voltage part.
This command starts or stops one or more signal generators at once.
| Offset | Length | Meaning |
|---|---|---|
04 |
01 |
VDD generator command |
05 |
01 |
TP2 generator command |
06 |
01 |
TP3 generator command |
07 |
01 |
TP4 generator command |
08 |
01 |
TP5 generator command |
09 |
01 |
TP6 generator command |
0a |
01 |
TP7 generator command |
0b |
01 |
TP8 generator command |
0c |
01 |
TP9 generator command |
0d |
01 |
TP10 generator command |
0e |
01 |
TP12 generator command |
0f |
01 |
TP13 generator command |
10 |
01 |
TP14 generator command |
11 |
01 |
TP15 generator command |
12 |
01 |
TP16 generator command |
13 |
01 |
TP17 generator command |
14 |
01 |
TP18 generator command |
15 |
01 |
TP19 generator command |
16 |
01 |
TP20 generator command |
Generator command:
| Value | Meaning |
|---|---|
00 |
Pause |
01 |
Start |
02 |
Stop |
03 |
NOP |
07 |
Reset |
This command requests board status.
Response to WRITE 0a; board status.
| Offset | Length | Meaning |
|---|---|---|
04 |
03 |
Unknown; observed as 142400
|
07 |
01 |
First octet of part identifier (same as in WRITE 25) |
08 |
03 |
Unknown; together with 07 reads as ffffffff with no IC present |
0b |
01 |
01 if external supply overcurrent is detected; 00 otherwise |
0c |
01 |
01 if supply undervoltage is detected; 00 otherwise |
0d |
01 |
02 if internal supply overcurrent is detected; 00 otherwise |
0e |
02 |
Measured supply current |
10 |
02 |
Measured supply voltage #1 |
12 |
02 |
Measured supply voltage #2 |
14 |
10 |
Unknown; observed as 065e059c05d7063a00b200b100b90102
|
The supply voltage #1 is slightly lower than supply voltage #2. Their units are exactly 1/2 of units used for WRITE 08.
The units for supply current are unknown, as I can't be arsed to use a meter. The idle current for an empty SLG46620V is 0026.
Response to WRITE 02 and WRITE 07.
With SEQB=04:
| Offset | Length | Meaning |
|---|---|---|
04 |
3c |
reg<0:479> |
With SEQB=03:
| Offset | Length | Meaning |
|---|---|---|
04 |
3c |
reg<480:959> |
With SEQB=02:
| Offset | Length | Meaning |
|---|---|---|
04 |
3c |
reg<960:1439> |
With SEQB=01:
| Offset | Length | Meaning |
|---|---|---|
04 |
3c |
reg<1440:1919> |
With SEQB=00:
| Offset | Length | Meaning |
|---|---|---|
04 |
10 |
reg<1920:2047> |
Response to WRITE 03; bitstream acknowledgement, no more data required.
This command turns the STATUS LED on and off.
| Offset | Length | Meaning |
|---|---|---|
04 |
01 |
STATUS LED enabled |
Response to WRITE 21; STATUS LED change acknowledgement.
This command chooses the part that the board will interface with.
| Offset | Length | Meaning |
|---|---|---|
04 |
04 |
Part ID |
Part IDs:
| Value | Meaning |
|---|---|
11000000 |
Unknown |
14000000 |
SLG46140V |
62000000 |
SLG46620V |
72000000 |
Unknown |
Response to WRITE 25; part change acknowledgement.
This command chooses the pin that the ADC will measure. See WRITE 47.
| Offset | Length | Meaning |
|---|---|---|
04 |
01 |
Unknown; observed as 00
|
05 |
01 |
Pin selection |
06 |
01 |
Unknown; observed as 00
|
Pins are represented as follows:
| Value | Meaning |
|---|---|
01 |
TP2 |
02 |
TP3 |
03 |
TP4 |
04 |
TP5 |
05 |
TP6 |
06 |
TP7 |
07 |
TP8 |
08 |
TP9 |
09 |
TP10 |
0a |
TP12 |
0b |
TP13 |
0c |
TP14 |
0d |
TP15 |
0e |
TP16 |
0f |
TP17 |
10 |
TP18 |
11 |
TP19 |
12 |
TP20 |
This command measures the oscillator frequency.
| Offset | Length | Meaning |
|---|---|---|
04 |
01 |
Unknown; observed as 00
|
Response to WRITE 42; measured oscillator frequency.
| Offset | Length | Meaning |
|---|---|---|
04 |
02 |
Unknown; observed as 0000
|
06 |
02 |
Oscillator frequency |
This command measures the voltage at pin selected with WRITE 33.
| Offset | Length | Meaning |
|---|---|---|
04 |
01 |
Conversion time |
The conversion time field is a non-zero unsigned integer. The higher it is, the longer the conversion takes. On constant input, precision increases marginally. GP4 software uses 0a for socket testing.
Response to WRITE 47; ADC measured value.
| Offset | Length | Meaning |
|---|---|---|
04 |
03 |
Signed voltage |
Note that the voltage can and will go below zero. The full scale, with GND and VDD used as ADC rails, is 090000; values from ffff00 to 090100 are observed.
This command trims the oscillator.
| Offset | Length | Meaning |
|---|---|---|
04 |
01 |
Unknown; observed as 00
|
05 |
01 |
Trim value |
06 |
06 |
Unknown; observed as 05040a110201
|
Response to WRITE 49; oscillator trimming acknowledgement.
| Offset | Length | Meaning |
|---|---|---|
04 |
02 |
Unknown; observed as 0000
|
06 |
06 |
Unknown; observed as 05040a110201
|
To clean up logs from known commands, use regex (R|W.. .._(01|02|03|04|05|07|08|09|0a|21|25|33|42|47|49)).*$
-
32: some sort of ADC mode selection; used before47 -
39: always follows32, some sort of reset or commit -
0f: some kind of scan from00to3d, possibly ADC, but49may also be used to trim ADC
-
30: some sort of trimming-related setup; used before49 -
32and39also present;0fis not (without any used ADC at least)
-
51: performed at the end before26 -
26: scanned 16 times at the end, after setting P2=float, P8,P9=OD+PU, rest PD; looks like I2C, so detection of GP5
In a loop, searching by changing the trim value between ff to 00:
- WRITE
49 - READ
49 - WRITE
42 - READ
42
- WRITE
03SEQA=01SEQB=04 - READ
07 - WRITE
03SEQA=02SEQB=03 - READ
07 - WRITE
03SEQA=03SEQB=02 - READ
07 - WRITE
03SEQA=04SEQB=01 - READ
07 - WRITE
03SEQA=05SEQB=00 - READ
1a
- WRITE
01SEQA=01SEQB=04 - READ
07 - WRITE
01SEQA=02SEQB=03 - READ
07 - WRITE
01SEQA=03SEQB=02 - READ
07 - WRITE
01SEQA=04SEQB=01 - READ
07 - WRITE
01SEQA=05SEQB=00 - READ
11
- WRITE
02 - READ
13SEQB=04 - WRITE
07 - READ
13SEQB=03 - WRITE
07 - READ
13SEQB=02 - WRITE
07 - READ
13SEQB=01 - WRITE
07 - READ
13SEQB=00