1 /* flasher for HomeMatic-devices supporting OTA updates
3 * Copyright (c) 2014 Michael Gernoth <michael@gernoth.net>
5 * Permission is hereby granted, free of charge, to any person obtaining a copy
6 * of this software and associated documentation files (the "Software"), to
7 * deal in the Software without restriction, including without limitation the
8 * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
9 * sell copies of the Software, and to permit persons to whom the Software is
10 * furnished to do so, subject to the following conditions:
12 * The above copyright notice and this permission notice shall be included in
13 * all copies or substantial portions of the Software.
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
20 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
32 #include <sys/types.h>
36 #include <libusb-1.0/libusb.h>
60 struct hmcfgusb_dev
*hmcfgusb
;
61 struct culfw_dev
*culfw
;
71 enum message_type message_type
;
74 uint16_t hmcfgusb_version
;
/*
 * parse_hmcfgusb - receive callback for the HM-CFG-USB path. main() passes it
 * to hmcfgusb_init() together with a struct recv_data, which arrives here as
 * `data`.
 *
 * NOTE(review): this listing drops source lines that carry no identifier
 * (braces, the dispatch on the frame type, the return statements), so only
 * the visible statements are described. No comparison of buf_len against the
 * fixed offsets read below (up to buf[0x1d]) is visible here; confirm one
 * exists in the omitted lines.
 */
77 static int parse_hmcfgusb(uint8_t *buf
, int buf_len
, void *data
)
79 struct recv_data
*rdata
= data
;
/* Tail of a condition whose start is not shown: bytes 0x11..0x13 of the frame
 * must equal the three bytes of hmid, most significant first. */
87 ((buf
[0x11] == ((hmid
>> 16) & 0xff)) &&
88 (buf
[0x12] == ((hmid
>> 8) & 0xff)) &&
89 (buf
[0x13] == (hmid
& 0xff)))) {
90 memset(rdata
->message
, 0, sizeof(rdata
->message
));
/* The copy length is buf[0x0d] + 1, i.e. a byte taken from the received frame
 * itself (1..256). NOTE(review): nothing visible here limits it to
 * sizeof(rdata->message) or to buf_len - 0x0d. Frame content should be
 * treated as untrusted; clamp the length before copying unless a check exists
 * in the omitted lines. */
91 memcpy(rdata
->message
, buf
+ 0x0d, buf
[0x0d] + 1);
92 rdata
->message_type
= MESSAGE_TYPE_E
;
96 memset(rdata
->message
, 0, sizeof(rdata
->message
));
/* Same pattern one byte further in: length byte at buf[0x0e], same missing
 * bound against the destination and the input length. */
97 memcpy(rdata
->message
, buf
+ 0x0e, buf
[0x0e] + 1);
/* 16-bit status assembled from buf[5] (high byte) and buf[6] (low byte);
 * send_hm_message() tests both halves. */
98 rdata
->status
= (buf
[5] << 8) | buf
[6];
99 rdata
->message_type
= MESSAGE_TYPE_R
;
/* Speed byte reported by the adapter; switch_speed() compares it with the
 * speed it requested. */
102 rdata
->speed
= buf
[1];
/* Adapter firmware version from buf[11..12]; main() checks it against 0x3c7. */
105 rdata
->hmcfgusb_version
= (buf
[11] << 8) | buf
[12];
/* my_hmid is not a member of rdata (declared outside this function, not shown);
 * it is filled from buf[0x1b..0x1d] and later used as the source address of
 * outgoing messages. */
106 my_hmid
= (buf
[0x1b] << 16) | (buf
[0x1c] << 8) | buf
[0x1d];
/*
 * parse_culfw - receive callback for the CUL path. main() passes it to
 * culfw_init() together with a struct recv_data, which arrives here as `data`.
 * It decodes pairs of ASCII hex digits, starting at buf[1], into
 * rdata->message.
 *
 * NOTE(review): lines without identifiers (braces, the increment of pos, the
 * return statements) are missing from this listing.
 */
118 static int parse_culfw(uint8_t *buf
, int buf_len
, void *data
)
120 struct recv_data
*rdata
= data
;
/* Clears the whole receive state, not only the message buffer. */
123 memset(rdata
, 0, sizeof(struct recv_data
));
/* NOTE(review): three bounds issues are visible in this loop condition.
 *  - `pos + 1 < buf_len` is the LAST operand of the &&, so buf[pos*2 + 1] and
 *    buf[pos*2 + 2] are read before the bound is tested.
 *  - The bound is on pos + 1, while the indices read are pos*2 + 1 and
 *    pos*2 + 2, so it does not by itself keep the reads inside buf_len. In
 *    practice the loop presumably stops at the first non-hex byte; verify
 *    that the caller always terminates the buffer.
 *  - Nothing visible caps pos at the capacity of rdata->message.
 * A safer form tests `(pos * 2) + 2 < buf_len` and
 * `pos < sizeof(rdata->message)` first, then validates the nibbles. */
134 while(validate_nibble(buf
[(pos
* 2) + 1]) &&
135 validate_nibble(buf
[(pos
* 2) + 2]) &&
136 (pos
+ 1 < buf_len
)) {
137 rdata
->message
[pos
] = ascii_to_nibble(buf
[(pos
* 2) + 1]) << 4;
138 rdata
->message
[pos
] |= ascii_to_nibble(buf
[(pos
* 2) + 2]);
/* When hmid is non-zero, the decoded frame's source address is compared with
 * it; the action taken on a mismatch is not shown in this listing. */
142 if (hmid
&& (SRC(rdata
->message
) != hmid
))
145 rdata
->message_type
= MESSAGE_TYPE_E
;
/*
 * send_hm_message - transmit one message through the opened adapter and wait
 * for the adapter's answer.
 *
 * dev:   adapter handle; the case labels below select the HM-CFG-USB or the
 *        CUL transport.
 * rdata: receive state, cleared before sending and filled by the parse
 *        callbacks while polling.
 * msg:   message to send; msg[0] is used as its length minus one.
 *
 * NOTE(review): lines without identifiers (declarations of out/buf, loop
 * heads, return statements) are missing from this listing, so return values
 * and buffer sizes cannot be stated from here.
 */
150 int send_hm_message(struct ota_dev
*dev
, struct recv_data
*rdata
, uint8_t *msg
)
/* Function-static counter; its upper three bytes are written into out[1..3]
 * below. Where it is incremented is not visible here. */
152 static uint32_t id
= 1;
158 case DEVICE_TYPE_HMCFGUSB
:
159 if (gettimeofday(&tv
, NULL
) == -1) {
/* NOTE(review): the perror label is misspelled ("gettimeofay"); it is runtime
 * text and is left unchanged here. */
160 perror("gettimeofay");
164 memset(out
, 0, sizeof(out
));
167 out
[1] = (id
>> 24) & 0xff;
168 out
[2] = (id
>> 16) & 0xff;
169 out
[3] = (id
>> 8) & 0xff;
/* Microsecond part of the current time, most significant byte first, in
 * out[11..14]. */
172 out
[11] = (tv
.tv_usec
>> 24) & 0xff;
173 out
[12] = (tv
.tv_usec
>> 16) & 0xff;
174 out
[13] = (tv
.tv_usec
>> 8) & 0xff;
175 out
[14] = tv
.tv_usec
& 0xff;
/* Copies msg[0] + 1 bytes to offset 0x0f of out. NOTE(review): the size of
 * out is not visible here; confirm 0x0f + msg[0] + 1 <= sizeof(out) for every
 * caller, since the length comes from the message itself. */
177 memcpy(&out
[0x0f], msg
, msg
[0] + 1);
179 memset(rdata
, 0, sizeof(struct recv_data
));
180 hmcfgusb_send(dev
->hmcfgusb
, out
, sizeof(out
), 1);
/* Status handling for an adapter response (MESSAGE_TYPE_R): low byte 0x01 or
 * 0x02 takes the first branch (its body is not shown), high byte 0x04 is
 * reported as "Out of credits", low byte 0x08 as "Missing ACK", anything else
 * as an invalid status. */
183 if (rdata
->message_type
== MESSAGE_TYPE_R
) {
184 if (((rdata
->status
& 0xff) == 0x01) ||
185 ((rdata
->status
& 0xff) == 0x02)) {
188 if ((rdata
->status
& 0xff00) == 0x0400) {
189 fprintf(stderr
, "\nOut of credits!\n");
190 } else if ((rdata
->status
& 0xff) == 0x08) {
191 fprintf(stderr
, "\nMissing ACK!\n");
193 fprintf(stderr
, "\nInvalid status: %04x\n", rdata
->status
);
/* A poll failure is reported only when errno is set and is not ETIMEDOUT. */
199 pfd
= hmcfgusb_poll(dev
->hmcfgusb
, 1);
200 if ((pfd
< 0) && errno
) {
201 if (errno
!= ETIMEDOUT
) {
202 perror("\n\nhmcfgusb_poll");
208 case DEVICE_TYPE_CULFW
:
213 memset(buf
, 0, sizeof(buf
));
/* Hex-encode msg[0] + 1 bytes as two ASCII digits each, starting at buf[2],
 * then append CR LF. NOTE(review): this needs 2 + 2 * (msg[0] + 1) + 2 bytes
 * of buf; the declared size of buf is not visible here, so confirm it covers
 * the largest msg[0] a caller can pass. */
216 for (i
= 0; i
< msg
[0] + 1; i
++) {
217 buf
[2 + (i
* 2)] = nibble_to_ascii((msg
[i
] >> 4) & 0xf);
218 buf
[2 + (i
* 2) + 1] = nibble_to_ascii(msg
[i
] & 0xf);
220 buf
[2 + (i
* 2) ] = '\r';
221 buf
[2 + (i
* 2) + 1] = '\n';
223 memset(rdata
, 0, sizeof(struct recv_data
));
/* A return of 0 from culfw_send() is treated as failure. NOTE(review): the
 * length passed equals the index of the '\n' written above, so if the third
 * argument is a byte count (as the 4-byte "AR\r\n" call in switch_speed
 * suggests) the trailing '\n' is not transmitted; confirm this is intended. */
224 if (culfw_send(dev
->culfw
, buf
, 2 + (i
* 2) + 1) == 0) {
225 fprintf(stderr
, "culfw_send failed!\n");
/* Only when bit 0x20 of the control byte is set does the code poll for an
 * answer and report "Missing ACK!" (presumably the ACK-requested flag,
 * TODO confirm). */
229 if (msg
[CTL
] & 0x20) {
234 pfd
= culfw_poll(dev
->culfw
, 1);
235 if ((pfd
< 0) && errno
) {
236 if (errno
!= ETIMEDOUT
) {
/* NOTE(review): the label names hmcfgusb_poll although the failing call on
 * this path is culfw_poll. */
237 perror("\n\nhmcfgusb_poll");
241 if (rdata
->message_type
== MESSAGE_TYPE_E
) {
247 fprintf(stderr
, "\nMissing ACK!\n");
/*
 * switch_speed - ask the local adapter to change its radio speed.
 *
 * dev:   adapter handle; the case labels select the transport.
 * rdata: receive state; on the HM-CFG-USB path rdata->speed (set by
 *        parse_hmcfgusb) is compared with the requested speed.
 * speed: requested speed, printed as "<speed>k-mode"; callers in main pass
 *        10 or 100.
 *
 * Callers treat a zero return as failure. NOTE(review): the return statements
 * of the HM-CFG-USB path, the retry bound of its poll loop and the condition
 * choosing between the two CUL commands are not visible in this listing.
 */
259 static int switch_speed(struct ota_dev
*dev
, struct recv_data
*rdata
, uint8_t speed
)
264 printf("Entering %uk-mode\n", speed
);
267 case DEVICE_TYPE_HMCFGUSB
:
268 memset(out
, 0, sizeof(out
));
272 hmcfgusb_send(dev
->hmcfgusb
, out
, sizeof(out
), 1);
/* A poll failure is reported only when errno is set and is not ETIMEDOUT. */
276 pfd
= hmcfgusb_poll(dev
->hmcfgusb
, 1);
277 if ((pfd
< 0) && errno
) {
278 if (errno
!= ETIMEDOUT
) {
279 perror("\n\nhmcfgusb_poll");
/* The adapter echoing the requested speed is the confirmation checked here. */
283 if (rdata
->speed
== speed
)
287 case DEVICE_TYPE_CULFW
:
/* CUL path: a 4-byte command is sent, "AR\r\n" in one case and "Ar\r\n" in the
 * other, and the result of culfw_send() is returned directly. */
289 return culfw_send(dev
->culfw
, "AR\r\n", 4);
291 return culfw_send(dev
->culfw
, "Ar\r\n", 4);
/*
 * flash_ota_syntax - print the command-line usage text to stderr.
 *
 * prog: program name shown in the "Syntax:" line (main passes argv[0]).
 */
void flash_ota_syntax(char *prog)
{
	/* Header line and the two mandatory parameters. */
	fprintf(stderr,
		"Syntax: %s parameters options\n\n"
		"Mandatory parameters:\n"
		"\t-f firmware.eq3\tfirmware file to flash\n"
		"\t-s SERIAL\tserial of device to flash\n",
		prog);

	/* Optional switches; the default CUL speed is DEFAULT_CUL_BPS. */
	fprintf(stderr,
		"\nPossible options:\n"
		"\t-c device\tenable CUL-mode with CUL at path \"device\"\n"
		"\t-b bps\t\tuse CUL with speed \"bps\" (default: %u)\n"
		"\t-h\t\tthis help\n",
		DEFAULT_CUL_BPS);
}
/*
 * main - command-line entry point of the OTA flasher.
 *
 * Visible flow: parse options, read the firmware file, open either a CUL or
 * an HM-CFG-USB adapter, wait for the target device (matched by serial) to
 * announce firmware-update mode, switch both sides to 100k, send the firmware
 * block by block with retries, switch back to 10k, wait for the device to
 * reboot and close the adapter.
 *
 * NOTE(review): this listing drops every source line without an identifier
 * (braces, loop heads, exit calls, several declarations), so exit codes, loop
 * bounds and the sizes of local buffers cannot be stated from here.
 */
311 int main(int argc
, char **argv
)
313 const char twiddlie
[] = { '-', '\\', '|', '/' };
/* Six bytes copied verbatim into the payload of the speed-switch messages
 * below; presumably CC1101 register/value pairs (TODO confirm). */
314 const uint8_t cc1101_regs
[] = { 0x10, 0x5B, 0x11, 0xF8, 0x15, 0x47 };
315 char *fw_file
= NULL
;
317 char *culfw_dev
= NULL
;
318 unsigned int bps
= DEFAULT_CUL_BPS
;
320 struct recv_data rdata
;
335 printf("HomeMatic OTA flasher version " VERSION
"\n\n");
/* Options: -b, -c, -f and -s take an argument, -h takes none. */
337 while((opt
= getopt(argc
, argv
, "b:c:f:hs:")) != -1) {
355 flash_ota_syntax(argv
[0]);
/* Both the firmware file and the serial are mandatory. */
362 if (!fw_file
|| !serial
) {
363 flash_ota_syntax(argv
[0]);
/* NOTE(review): the flashing loop below trusts the length fields at
 * fw->fw[block][2..3]. What validation firmware_read_firmware() performs on
 * the file is not visible in this listing; confirm the lengths are bounded
 * there. */
367 fw
= firmware_read_firmware(fw_file
, debug
);
371 memset(&rdata
, 0, sizeof(rdata
));
372 memset(&dev
, 0, sizeof(struct ota_dev
));
/* CUL mode: parse_culfw becomes the receive callback and writes into rdata. */
375 dev
.culfw
= culfw_init(culfw_dev
, bps
, parse_culfw
, &rdata
);
377 fprintf(stderr
, "Can't initialize CUL at %s with rate %u\n", culfw_dev
, bps
);
380 dev
.type
= DEVICE_TYPE_CULFW
;
382 hmcfgusb_set_debug(debug
);
/* HM-CFG-USB mode: parse_hmcfgusb becomes the receive callback. */
384 dev
.hmcfgusb
= hmcfgusb_init(parse_hmcfgusb
, &rdata
);
386 fprintf(stderr
, "Can't initialize HM-CFG-USB\n");
389 dev
.type
= DEVICE_TYPE_HMCFGUSB
;
/* The adapter is cycled through its bootloader and back so that it restarts
 * before flashing (per the message, to avoid running out of credits). Each
 * step closes the handle and re-opens it until the expected bootloader state
 * is seen; how these loops are paced or bounded is not visible here. */
391 printf("\nRebooting HM-CFG-USB to avoid running out of credits\n\n");
393 if (!dev
.hmcfgusb
->bootloader
) {
394 printf("HM-CFG-USB not in bootloader mode, entering bootloader.\n");
395 hmcfgusb_enter_bootloader(dev
.hmcfgusb
);
396 printf("Waiting for device to reappear...\n");
400 hmcfgusb_close(dev
.hmcfgusb
);
403 } while (((dev
.hmcfgusb
= hmcfgusb_init(parse_hmcfgusb
, &rdata
)) == NULL
) || (!dev
.hmcfgusb
->bootloader
));
406 if (dev
.hmcfgusb
->bootloader
) {
407 printf("HM-CFG-USB in bootloader mode, rebooting\n");
408 hmcfgusb_leave_bootloader(dev
.hmcfgusb
);
412 hmcfgusb_close(dev
.hmcfgusb
);
415 } while (((dev
.hmcfgusb
= hmcfgusb_init(parse_hmcfgusb
, &rdata
)) == NULL
) || (dev
.hmcfgusb
->bootloader
));
418 printf("\n\nHM-CFG-USB opened\n\n");
420 memset(out
, 0, sizeof(out
));
422 hmcfgusb_send(dev
.hmcfgusb
, out
, sizeof(out
), 1);
426 pfd
= hmcfgusb_poll(dev
.hmcfgusb
, 1);
427 if ((pfd
< 0) && errno
) {
428 if (errno
!= ETIMEDOUT
) {
429 perror("\n\nhmcfgusb_poll");
/* A non-zero version means parse_hmcfgusb has seen the adapter's reply. */
433 if (rdata
.hmcfgusb_version
)
/* 0x3c7 is 967 decimal, matching the number printed in the message. */
437 if (rdata
.hmcfgusb_version
< 0x3c7) {
438 fprintf(stderr
, "HM-CFG-USB firmware too low: %u < 967\n", rdata
.hmcfgusb_version
);
442 printf("HM-CFG-USB firmware version: %u\n", rdata
.hmcfgusb_version
);
445 if (!switch_speed(&dev
, &rdata
, 10)) {
446 fprintf(stderr
, "Can't switch speed!\n");
450 printf("Waiting for device with serial %s\n", serial
);
455 case DEVICE_TYPE_CULFW
:
456 pfd
= culfw_poll(dev
.culfw
, 1);
458 case DEVICE_TYPE_HMCFGUSB
:
460 pfd
= hmcfgusb_poll(dev
.hmcfgusb
, 1);
464 if ((pfd
< 0) && errno
) {
465 if (errno
!= ETIMEDOUT
) {
/* Announcement frame the tool waits for: fixed length, message id, control
 * byte and type, broadcast destination, first payload byte 0x00. */
471 if ((rdata
.message
[LEN
] == 0x14) && /* Length */
472 (rdata
.message
[MSGID
] == 0x00) && /* Message ID */
473 (rdata
.message
[CTL
] == 0x00) && /* Control Byte */
474 (rdata
.message
[TYPE
] == 0x10) && /* Message type: Information */
475 (DST(rdata
.message
) == 0x000000) && /* Broadcast */
476 (rdata
.message
[PAYLOAD
] == 0x00)) { /* FUP? */
/* Exactly 10 bytes at message offset 0x0b are compared with the -s argument;
 * on a match the frame's source address becomes the flashing target (hmid).
 * NOTE(review): nothing visible in this listing authenticates the announcing
 * frame beyond this serial match. */
477 if (!strncmp((char*)&(rdata
.message
[0x0b]), serial
, 10)) {
478 hmid
= SRC(rdata
.message
);
484 printf("Device with serial %s (hmid: %06x) entered firmware-update-mode\n", serial
, hmid
);
/* On HM-CFG-USB the target's HMID is registered with the adapter first. */
486 if (dev
.type
== DEVICE_TYPE_HMCFGUSB
) {
487 printf("Adding HMID\n");
489 memset(out
, 0, sizeof(out
));
491 out
[1] = (hmid
>> 16) & 0xff;
492 out
[2] = (hmid
>> 8) & 0xff;
493 out
[3] = hmid
& 0xff;
495 hmcfgusb_send(dev
.hmcfgusb
, out
, sizeof(out
), 1);
500 printf("Initiating remote switch to 100k\n");
502 memset(out
, 0, sizeof(out
));
504 out
[MSGID
] = msgid
++;
507 SET_SRC(out
, my_hmid
);
/* Fixed-size copy: sizeof(cc1101_regs) is 6 bytes. */
510 memcpy(&out
[PAYLOAD
], cc1101_regs
, sizeof(cc1101_regs
));
511 SET_LEN_FROM_PAYLOADLEN(out
, sizeof(cc1101_regs
));
513 if (!send_hm_message(&dev
, &rdata
, out
)) {
517 if (!switch_speed(&dev
, &rdata
, 100)) {
518 fprintf(stderr
, "Can't switch speed!\n");
/* The same message is sent again at 100k to check that the device followed;
 * if it did not, the code drops back to 10k and retries while switchcnt
 * lasts. */
522 printf("Has the device switched?\n");
524 memset(out
, 0, sizeof(out
));
526 out
[MSGID
] = msgid
++;
529 SET_SRC(out
, my_hmid
);
532 memcpy(&out
[PAYLOAD
], cc1101_regs
, sizeof(cc1101_regs
));
533 SET_LEN_FROM_PAYLOADLEN(out
, sizeof(cc1101_regs
));
537 if (send_hm_message(&dev
, &rdata
, out
)) {
538 /* A0A02000221B9AD00000000 */
547 if (!switch_speed(&dev
, &rdata
, 10)) {
548 fprintf(stderr
, "Can't switch speed!\n");
552 } while ((!switched
) && (switchcnt
--));
555 fprintf(stderr
, "Too many errors, giving up!\n");
561 printf("Flashing %d blocks", fw
->fw_blocks
);
565 printf(": %04u/%04u %c", 0, fw
->fw_blocks
, twiddlie
[0]);
/* Per block: len is the 16-bit value at bytes 2..3 of the block (high byte
 * first) plus 2 for the length field itself, and pos starts at byte 2. */
569 for (block
= 0; block
< fw
->fw_blocks
; block
++) {
572 len
= fw
->fw
[block
][2] << 8;
573 len
|= fw
->fw
[block
][3];
575 pos
= &(fw
->fw
[block
][2]);
577 len
+= 2; /* length */
580 hexdump(pos
, len
, "F> ");
/* payloadlen is reduced to the bytes remaining in the block; its starting
 * value is set on a line not shown here. */
593 if ((len
- (pos
- &(fw
->fw
[block
][2]))) < payloadlen
)
594 payloadlen
= (len
- (pos
- &(fw
->fw
[block
][2])));
596 if (((pos
+ payloadlen
) - &(fw
->fw
[block
][2])) == len
)
599 memset(&rdata
, 0, sizeof(rdata
));
601 memset(out
, 0, sizeof(out
));
607 SET_SRC(out
, my_hmid
);
/* NOTE(review): the size of out and the maximum payloadlen are not visible
 * here; confirm PAYLOAD + payloadlen fits in out, and that it also fits the
 * buffers send_hm_message() copies the message into. */
610 memcpy(&out
[PAYLOAD
], pos
, payloadlen
);
611 SET_LEN_FROM_PAYLOADLEN(out
, payloadlen
);
613 if (send_hm_message(&dev
, &rdata
, out
)) {
/* pos is reset to the start of the block here (presumably on the failure
 * path, so the whole block is re-sent); after MAX_RETRIES attempts the tool
 * gives up. */
616 pos
= &(fw
->fw
[block
][2]);
618 if (cnt
== MAX_RETRIES
) {
619 fprintf(stderr
, "\nToo many errors, giving up!\n");
622 printf("Flashing %d blocks: %04u/%04u %c", fw
->fw_blocks
, block
+ 1, fw
->fw_blocks
, twiddlie
[msgnum
% sizeof(twiddlie
)]);
629 printf("\b\b\b\b\b\b\b\b\b\b\b%04u/%04u %c",
630 block
+ 1, fw
->fw_blocks
, twiddlie
[msgnum
% sizeof(twiddlie
)]);
633 } while((pos
- &(fw
->fw
[block
][2])) < len
);
641 if (!switch_speed(&dev
, &rdata
, 10)) {
642 fprintf(stderr
, "Can't switch speed!\n");
/* After the last block the tool polls until a MESSAGE_TYPE_E frame arrives
 * and reports that as the device having rebooted. */
646 printf("Waiting for device to reboot\n");
652 case DEVICE_TYPE_CULFW
:
653 pfd
= culfw_poll(dev
.culfw
, 1);
655 case DEVICE_TYPE_HMCFGUSB
:
657 pfd
= hmcfgusb_poll(dev
.hmcfgusb
, 1);
660 if ((pfd
< 0) && errno
) {
661 if (errno
!= ETIMEDOUT
) {
662 perror("\n\nhmcfgusb_poll");
666 if (rdata
.message_type
== MESSAGE_TYPE_E
) {
671 if (rdata
.message_type
== MESSAGE_TYPE_E
) {
672 printf("Device rebooted\n");
/* Release whichever adapter handle was opened. */
676 case DEVICE_TYPE_HMCFGUSB
:
677 hmcfgusb_close(dev
.hmcfgusb
);
679 case DEVICE_TYPE_CULFW
:
680 culfw_close(dev
.culfw
);