CommandSpecification
See FrameSpecification for information on how the data to and from the FET tool is framed. All the following pieces of information do not include any of the framing header or footer.
Write Memory (DONE)
Write some data to a block of memory.
Command
0E 04 01 00
AL AH 00 00
LL LH 00 00
... DATA ...
Response
0E 00 00 00
Where:
- A[LH] is the address to write to.
- L[LH] is the length of the data to write.
- “DATA” is a block of data L long.
Read Memory (DONE)
Read a region of memory.
Command
0D 02 XX 00
AL AH 00 00
LL LH 00 00
Response
0D 03 00 00
LL LH 00 00
... DATA ...
Where:
- A[LH] is the address to read from.
- L[LH] is the number of bytes to read.
- “DATA” is a block of data L long.
- XX is either 02 (older msp430-gdbproxy/chip) or 03 (recent driver/chip), their semantics are not known.
Read Registers (DONE)
Read CPU registers.
Command
08 01
Response
08 03 00 00
40 00 00 00
[rnL rnH 00 00] * 16
Where rn[LH] is the value of register n.
Write Registers (DONE)
Write CPU registers
Command
09 04 01 00
FF FF 00 00
40 00 00 00
[rnL rnH 00 00] * 16
Response
09 00 00 00
Where rn[LH] is the value of register n.
Continue
Resume execution.
With tests on the MSP430F1611, this command has been seen to contain breakpoint information.
Command
11 02 02 00
U 00 00 00
AL AH 00 00
Response
11 00 00 00
Where:
- U has been seen with the following values:
- 0: Breakpoint information was conveyed: A[LH] was a breakpoint address (MSP430F1611).
- 2: Seen in step request (single step).
- 3: Seen in step request (step out) and at continue.
- 0: Breakpoint information was conveyed: A[LH] was a breakpoint address (MSP430F1611).
Step
Breakpoints
It appears that there are two breakpoint mechanisms, using two different command mechanisms. It is currently assumed that one is a software driven system and the other hardware.
There are two types of hardware breakpoints: memory access and register write breakpoints. Regular — memory access — breakpoints can be configured to trigger either on the Memory Address Bus (MAB) or the Memory Data Bus (MDB). A MAB breakpoint is typically used to break at a specific program address or when a specific RAM address is accessed. A MDB on the other hand can be configured e.g. to break whenever the value “7381” is accessed in RAM, or whenever a specific instruction is read.
Whether a breakpoint triggers is also influenced by a number of per-breakpoint configurable settings: a mask, an operator and an access flag. For example, a MAB breakpoint with value 0x0016, mask 0x00FF and operator == will trigger at all addresses ending with 0x16.
Register breakpoints are not yet understood and documented.
Set Breakpoint Value (DONE)
Set the breakpoint value.
Command
1A 02 02 00
XX 00 00 00
VL VH 00 00
Response
1A 00 00 00
Where:
- XX = 8*bp_no, where the breakpoint number bp_no starts at 0, e.g. 0x08 for the second breakpoint (bp_no=1).
- V[LH] is the breakpoint value.
Set Breakpoint Parameters (DONE)
Set the breakpoint type, access pattern and operator.
Command
1A 02 02 00
XX 00 00 00
FL 00 00 00
Response
1A 00 00 00
Where:
- XX = 2 + 8*bp_no, where the breakpoint number bp_no starts at 0, e.g. 0A for the second breakpoint (bp_no=1).
- FL = OP | ACCESS | BUS.
- BUS is 1 for MDB and 0 for MAB.
- OP is 0x00 for ==, 0x08 for >=, 0x10 for <= and 0x18 for !=.
- ACCESS is 0x00 for “Instruction fetch”, 0x02 for “Instruction fetch & Hold trigger”, 0x04 for “No instruction fetch” and 0x06 for “Don’t care”.
Set Breakpoint Mask (DONE)
Set the breakpoint mask.
Command
1A 02 02 00
XX 00 00 00
ML MH 00 00
Response
1A 00 00 00
Where:
- XX = 4 + 8*bp_no, where the breakpoint number bp_no starts at 0, e.g. 0C for the second breakpoint (bp_no=1).
- M[LH] is the bit inverse of the mask.
Set Breakpoint Combination (DONE)
This command controls how breakpoints are combined into more complex breakpoints. For example, you can use a combined breakpoint to detect when a specific value is written at a specific address.
Command
1A 02 02 00
XX 00 00 00
CM 00 00 00
Response
1A 00 00 00
Where:
- XX = 6 + 8*bp_no, where the breakpoint number bp_no starts at 0, e.g. 0E for the second breakpoint (bp_no=1).
- The i:th bit is set in CM to include breakpoint i in the combined trigger. E.g. 03 is a combined breakpoint of breakpoint 0 and 1. It is not yet known how register breakpoints are combined.
Toggle Breakpoints (DONE)
Set which breakpoints are enabled.
Command
1A 02 02 00
80 00 00 00
EN 00 00 00
Response
1A 00 00 00
Where:
- EN controls which breakpoints are enabled. Setting bit 0 high enables the first breakpoint, setting bit 1 high enables the second breakpoint, etc.
Open
First thing that’s sent to the FET tool.
The last 4 bytes of the response vary; they likely include information about the firmware version.
Command
01 01
Response
01 02 00 00
01 00 F8 CE
32 01
Configure
Configures whether to use spy-bi-wire or 4-wire.
Command
05 02 02 00
08 00 00 00
N 00 00 00
Response
05 00 00 00
Where:
- N is:
- 0 for 4-wire
- 1 for spy-bi-wire
- 2 for an unknown mode (observed on CC430F6137, where only N=2 appears to work).
- 0 for 4-wire
VCC (DONE)
Set VCC supply from fet tool.
Command
06 02 01 00
NL NH 00 00
Response
06 00 00 00
Where:
- N[LH] is VCC in mV
Identify
Read information about target device.
Command
03 02 02 00
50 00 00 00
U 00 00 00
Response
03 03 EE EE
50 00 00 00
55 AA TT 00
SS SS SS SS
SS SS SS SS
SS SS SS SS
SS SS SS SS
SS SS SS SS
SS SS SS SS
SS SS SS SS
SS SS SS SS
ML MH IL IH
RL RH EL EH
01 00 01 00
00 00 00 00
VL VH XL XH
01 00 00 02
00 00 00 00
PL PH QL QH
00 00 00 00
00 00 00 00
00 00 00 00
Where:
- EE EE error code 0 and FF 04 seen
- SS: Null-terminated ASCII string of part name e.g. 4D 53 50 34 33 30 46 32 32 37 34 00 = m s p 4 3 0 f 2 2 7 4. Padded with zeroes to 32 characters.
- M[LH] Main memory start address
- I[LH] Info memory start address
- P[LH] Info memory end address
- Q[LH] Main memory end address
- R[LH] Ram end
- E[LH] Ram start
- TT Chip “type” ?
- V[LH] Vmin
- X[LH] Vmax
- U has an unknown function. During initialisation, it’s 0x00. When this command is sent after halting the CPU, it’s 0x34.
Identify 2
Read information about target device. In recent versions of the driver or for recent devices, this command seems to fully or partially replace of the Identify command described above. Observed with both CCS and msp430-gdbproxy.exe (where the “06 02” command is not seen).
Command
28 02 03 00
00 00 00 00
00 00 00 00
YY 00 00 00
Response
28 03 XX XX
1A 00 00 00
SS SS 10 10
08 0A FF FF
FF FF FF FF
FF FF FF FF
00 9C 91 01
11 00 1A 00
04 05 FB 08
Where:
- XX XX is an error code. 00 00 = Success, FF 04 = Device not found or not supported.
- SS SS is (probably) the family specific model number (e.g. 61 37 for a CC430F6137 chip).
- YY varies. 00 and 01 seen.
Set Chip Parameters
Inform the FET about the attached chip’s memory mapping and other relevant parameters. In recent FET firmware, this data no longer appears to be stored in the firmware itself, but is stored in the driver and uploaded during configuration.
Command
29 04 03 00
00 00 00 00
TT 00 00 00
6F 00 00 00
4A 00 00 00
ML MH QL QH
00 00 IL IH
PL PH 80 00
RL RH EL EH
00 00 00 00
03 00 02 00
02 00 07 24
00 00 00 00
VL VH XL XH
C4 09 70 17
58 1B 01 00
03 00 00 00
00 00 00 00
01 00 01 00
01 00 00 00
00 00 00 00
00 00 00 00
FF FF FF FF
Reponse:
29 00 00 00
Where:
- TT Chip type
- M[LH] Main memory start address
- Q[LH] Main memory end address
- I[LH] Info memory start address
- P[LH] Info memory end address
- R[LH] Ram end
- E[LH] Ram start
- V[LH] Vmin, mV
- X[LH] Vmax, mV
Reset
Reset the chip.
Command
07 02 03 00
N 00 00 00
A 00 00 00
B 00 00 00
Response:
07 00 00 00
Where:
- N is the following values ORed together:
- 1: PUC
- 2: RST
- 4: VCC
- 1: PUC
- A and B seem to be set differently when some weird conditions (explosions/failures) are afoot.
In normal operations, A and B are both 0. In failure situations, they are both 1.
Erase Flash
Erase blocks of flash
Command
0C 02 03 00
TT 00 00 00
AL AH 00 00
ML MH 00 00
Response
0c 00 00 00
Where:
- TT Erase type:
- 02 All
- 01 Main
- 00 Specified address
- 02 All
- A[LH] address within block, 0xFFE0 if erasing main or all
- M[LH]
- 0x0100 when erasing info memory
- 0x0002 all other times
- 0x0100 when erasing info memory
Poll State
Polls for the state of the processor.
Command
12 02 01 00
N 00 00 00
Response
12 02 00 00
02 00 A 00
00 00 YY ZZ
FF FF
Where:
- N is either 0 or 1. N being 1 may halt the processor.
- A varies. 01, 03 and 00 (when stopped by the debugger) seen.
- YY and ZZ varies.
Stop
Initialise
This command is sent after the “open” command. No idea yet what it does.
Command
27 02 01 00
04 00 00 00
Response
27 03 00 00
04 00 00 00
55 FF 40 01
2D
This command affects the response behaviour of the next (and only the next) command. The command issued after the 2D command has the following sequence inserted prior to its size header:
XX 00
XX 10
...
XX 10
XX FF
where “XX 10” occurs 0 or more times. XX is an arbitrary value, but CCS uses the ID of the following command exclusively.
Command
2D 02 01 00
XX 00 00 00
Response
2D 00 00 00
2C
2C appears to be some kind of flash writing command. It’s been observed when using software breakpoints in CCS. The 2C command always appears in conjunction with a second transmission that is unframed, i.e. contains no frame delimiters or CRC; the response is framed with a size header and CRC, however.
Command
2C 02 04 00
01 00 00 00
00 02 00 00
00 80 00 00 // 00 80 is probably an address
00 02 00 00
Second command (unframed):
01 00 00 80
00 00 00 02
00 00 .. ..
.. DATA ..
Response
2C 00 00 00
Second response:
2C 00 00 00
Un-diagnosed
- EEM register write breakpoints.
- EEM clock control.
- EEM breakpoint sequencing.
These commands have been observed but are not understood sufficiently to use.
Command
1e 01 in the ccs init routine (yes only 2!)
2e 01
2b 03 4a 00 ccs init
14 02 04 00
0f 02 06 00 ccs close up send data
02 02 01 00 last ccs transmission - release pins?
