Reverse Engineering TODO
For the most part the Reverse Engineering subtask has served its purpose. At this point a developer should be able to continue onto firmware tasks based on previous work and datasheets. There are two reasons why the Reverse Engineering effort might be further continued at this point:
- In hopes of finding other unused or hidden features (i.e. USB communications protocol that could allow for adding custom Jingles without needing to update firmware).
- For the sake of completeness (i.e. mapping out all functions, IRQs, callbacks, etc.). Might be educational to see how all of this was implemented.
I am considering both of these to be low priority and most likely will not put much effort into further Reverse Engineering.
Below are less verbose notes on items I would like to dig into. These are a bit terse and may not be worded well. Please ask if you have any questions:
-
Jingle Sim related
- Details on CT32B0 ISR based on simulation results?
- Details on each function call
-
Clean, clean, clean
- gdbCmdFile, gdbCustomCmds, gdbOldRef
- PINT3 dump
- Cleaning other ISRs and looping paths so that they make sense when I come back after I have forgotten everything.
- Make sure all known functions have details in .h file
-
Is AD6 battery gauge/power?
- Try putting dead (or nearly dead) battery in and checking
- But maybe GPIOs, etc. need to be set differently?
- Try putting dead (or nearly dead) battery in and checking
-
Make TODOs for maybe in the future getting more details on following IRQs
- PINT0
- PINT1
- I2C0
- USART0
-
Dev Board comms with Radio Chip via UART
- Monitor PIO1_5 and (anything else we can watch?) to check for change after sending same messages?
-
Monitor GPIO1_5 when RF dongle is plugged in or not
- Scope with official FW?
-
Consider latest firmware update from Valve (new firmware to enable BLE for new Steam Link app)
- Look at what has changed?
- Will new tooling help to decompose the new firmware faster?
- Is this a distraction not worth digging into right now?
- Majority of functional behavior from vcf_wired_controller_d0g_57bf5c10.bin should remain unchanged (even if underlying assembly changes).
- Once functionality is fully understood, applying that understanding to newer firmware may be quicker than "starting over" with new firmware?
-
Understand USART/Radio communications protocol?
- Try to reverse engineer protocol to leverage comms with dongle??
-
List more details about hardware Luna_maiboard_V000456-00_rev3.md
- Add links to datasheets
- Other processors (i.e. wireless comms chip, gyro, haptics chip)
- See if we can get information on each pin (focus on LPC chip)
- What is ADC connected to (specifically Channel 6)
- This may help with understanding some of these GPIOs...
- Find out more on these GPIOs (i.e. Ohm it out, test using custom firmware)
- PIO1_10
- PIO1_7
- PIO0_19
- PIO0_2
- PIO1_28
- PIO0_7
- PIO0_22 (AD6) What does this read...?
- PIO1_28 and PIO1_4 (USART/Radio chip related?)
- PIO1_5 (USART/Radio chip related. PINT2).
- What is state of this? Changes if we send messages via UART?
- What does trace lead to (ohm it out...)
- Add Chart/Table to label how hardware peripherals are used?
- CT16B1 = driving Steam Controller LED
- CT16B0 = used as timer for a delay during init. (That it?)
- SSP0 = CS ?? = Left Haptics, CS ?? = Right Haptics
-
Decompose EEPROM dumps
- Captured from two different controllers to isolate some differences
- Change settings to isolate other differences
-
Can we (continue to) make pinkySim logging better
- More automation or second steps for cleaning .c log file?
-
Look into wireless chip
- Is same one on dongle?
- If so can I use dongle as dev board?
- If not should I order a dev board (https://www.nordicsemi.com/eng/Products/nRF51-Dongle)
- If so can I use dongle as dev board?
- Is same one on dongle?