Difference between revisions of "Whirlybird"
(init re-direct) |
(→Firmware: REPL) |
||
| (4 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| + | [EXPERIMENTAL] | ||
Direction Finding (DF) | Direction Finding (DF) | ||
| + | |||
| + | This is an exercise that started with up-cycling some e-waste that contains 32 RGBW LEDs and an ESP32-S3-WROOM2. There is a myriad of other components presumably intended to interface with other control circuits. | ||
| + | |||
| + | The primary objective here is not to reverse engineer its previously intended purpose, rather invent a new purpose. The objective is to utilize the outer ring of 24 blinkies as a 360 degree direction indicator. The ESP32 module, which appears to never have been flashed with functioning firmware, is erased and flashed with a current Octal SPI build of Micropython. | ||
| + | |||
| + | For the most part the components on the PCB are not directly connected to the ESP32. Rather there is a number of connectors they are wired to for an alternative "main" processor. This includes the addressable RGBWs that are some variant of [https://cdn-shop.adafruit.com/product-files/2757/p2757_SK6812RGBW_REV01.pdf SK6812RGBW]. Additionally for some reason even though these are individually addressable in series of over a hundred, they are broken in to two independent chains of 24 spaced in an outer circular pattern and 8 more arranged inside that circle. | ||
| + | |||
| + | The board is likely designed as some sort of prototype of an evolution of a production product. It is unknown if it was intended to be a technical evaluation of various features, in ongoing development or a one off experiment. I have ended up with several dozen of these, there are many unknown and some number of issues. The majority of them have thus far had an issue with enabling "Boot Mode" and power on only to continually restart themselves. | ||
| + | |||
| + | == ESP32-S3-WROOM2 == | ||
| + | |||
| + | === Pin Layout === | ||
| + | |||
| + | [[File:ESP32-S3-WROOM2 Pin Layout.png]] | ||
| + | |||
| + | |||
| + | === Firmware === | ||
| + | |||
| + | When connecting to a linux machine, the following can be seen via <code>dmesg | tail</code>. | ||
| + | <pre> | ||
| + | new full-speed USB device number 99 using xhci_hcd | ||
| + | New USB device found, idVendor=303a, idProduct=1001, bcdDevice= 1.01 | ||
| + | New USB device strings: Mfr=1, Product=2, SerialNumber=3 | ||
| + | Product: USB JTAG/serial debug unit | ||
| + | Manufacturer: Espressif | ||
| + | SerialNumber: 68:B6:B3:##:##:## | ||
| + | cdc_acm 3-2:1.0: ttyACM0: USB ACM device | ||
| + | </pre> | ||
| + | |||
| + | While the device enumerates as USB and has capacity to facilitate serial communications, it is not really feasible with the constant reboot cycle. However connecting to the <code>TXD0</code> pin to the <code>Rx</code> of a USB/Serial UART converter the following can be captured. Additionally holding the ESP32 in reset and monitoring the UART you can capture the following by briefly releasing the reset and then re-enabling reset, othrewise you will get a continuous flood of the same messages at <code>115200 baud</code>. | ||
| + | <pre> | ||
| + | ESP-ROM:esp32s3-20210327 | ||
| + | Build:Mar 27 2021 | ||
| + | rst:0x1 (POWERON),boot:0x8 (SPI_FAST_FLASH_BOOT) | ||
| + | invalid header: 0xa5ff005a | ||
| + | invalid header: 0xa5ff005a | ||
| + | invalid header: 0xa5ff005a | ||
| + | invalid header: 0xa5ff005a | ||
| + | </pre> | ||
| + | |||
| + | Some of the boards do properly enter "Boot Mode" which is done by connected <code>GPIO0</code> to ground. This can easily be done by using a jumper wire from a through hole header that exposes both <code>GPIO0</code> and ground and pressing a reset button immediately below it. Alternatively this can be achieved by using a wired to pressed to the bottom right most module pin and the metal RF shield on top of the module while connecting to USB to power on. | ||
| + | |||
| + | <pre> | ||
| + | esptool.py -p /dev/ttyACM0 -b 115200 erase_flash | ||
| + | esptool.py v4.8.0 | ||
| + | Serial port /dev/ttyACM0 | ||
| + | Connecting... | ||
| + | Detecting chip type... ESP32-S3 | ||
| + | Chip is ESP32-S3 (QFN56) (revision v0.1) | ||
| + | Features: WiFi, BLE, Embedded PSRAM 8MB (AP_1v8) | ||
| + | Crystal is 40MHz | ||
| + | MAC: 68:b6:b3:3c:f4:24 | ||
| + | Uploading stub... | ||
| + | Running stub... | ||
| + | Stub running... | ||
| + | Erasing flash (this may take a while)... | ||
| + | Chip erase completed successfully in 70.8s | ||
| + | Hard resetting via RTS pin... | ||
| + | </pre> | ||
| + | |||
| + | Note in this instance RTS is not connected, however the device remains in "Boot Mode" and the following action can be performed. | ||
| + | |||
| + | <pre> | ||
| + | esptool.py -p /dev/ttyACM0 -b 1500000 write_flash -z 0 ESP32_GENERIC_S3-SPIRAM_OCT-20240920-v1.24.0-preview.335.gb08ddbba5.bin | ||
| + | esptool.py v4.8.0 | ||
| + | Serial port /dev/ttyACM0 | ||
| + | Connecting... | ||
| + | Detecting chip type... ESP32-S3 | ||
| + | Chip is ESP32-S3 (QFN56) (revision v0.1) | ||
| + | Features: WiFi, BLE, Embedded PSRAM 8MB (AP_1v8) | ||
| + | Crystal is 40MHz | ||
| + | MAC: 68:b6:b3:3c:f4:24 | ||
| + | Uploading stub... | ||
| + | Running stub... | ||
| + | Stub running... | ||
| + | Changing baud rate to 1500000 | ||
| + | Changed. | ||
| + | Configuring flash size... | ||
| + | Flash will be erased from 0x00000000 to 0x00197fff... | ||
| + | Compressed 1668096 bytes to 1089606... | ||
| + | Wrote 1668096 bytes (1089606 compressed) at 0x00000000 in 18.7 seconds (effective 714.0 kbit/s)... | ||
| + | Hash of data verified. | ||
| + | |||
| + | Leaving... | ||
| + | Hard resetting via RTS pin... | ||
| + | </pre> | ||
| + | |||
| + | Note that in this case without <code>RTS</code> the device must be manually power cycled or reset to load the new firmware. Now you should see a different enumeration via <code>dmesg</code>. | ||
| + | |||
| + | <pre> | ||
| + | new full-speed USB device number 41 using xhci_hcd | ||
| + | New USB device found, idVendor=303a, idProduct=4001, bcdDevice= 1.00 | ||
| + | New USB device strings: Mfr=1, Product=2, SerialNumber=3 | ||
| + | Product: Espressif Device | ||
| + | Manufacturer: Espressif Systems | ||
| + | SerialNumber: 123456 | ||
| + | cdc_acm 3-2:1.0: ttyACM0: USB ACM device | ||
| + | </pre> | ||
| + | |||
| + | Monitoring <code>TXD0</code> the following is received. | ||
| + | |||
| + | <pre> | ||
| + | ESP-ROM:esp32s3-20210327 | ||
| + | Build:Mar 27 2021 | ||
| + | rst:0x1 (POWERON),boot:0x2a (SPI_FAST_FLASH_BOOT) | ||
| + | SPIWP:0xee | ||
| + | Octal Flash Mode Enabled | ||
| + | For OPI Flash, Use Default Flash Boot Mode | ||
| + | mode:SLOW_RD, clock div:1 | ||
| + | load:0x3fce3820,len:0x105c | ||
| + | load:0x403c9700,len:0x4 | ||
| + | load:0x403c9704,len:0xbd8 | ||
| + | load:0x403cc700,len:0x2e34 | ||
| + | entry 0x403c989c | ||
| + | MicroPython v1.24.0-preview.335.gb08ddbba5 on 2024-09-20; Generic ESP32S3 module with Octal-SPIRAM with ESP32S3 | ||
| + | Type "help()" for more information. | ||
| + | >>> | ||
| + | </pre> | ||
| + | |||
| + | You can also now use the USB interface, with something like <code>screen /dev/ttyACM0 115200</code>. If successful you should be greeted with blank output. Pressing <code>Enter</code> should generate a Micropython prompt <code>>>></code> and pressing <code>Ctrl+D</code> generates the following. | ||
| + | |||
| + | <pre> | ||
| + | MPY: soft reboot | ||
| + | MicroPython v1.24.0-preview.335.gb08ddbba5 on 2024-09-20; Generic ESP32S3 module with Octal-SPIRAM with ESP32S3 | ||
| + | Type "help()" for more information. | ||
| + | >>> | ||
| + | </pre> | ||
| + | |||
| + | There's various ways you can now access the device, including over WiFi once configured. I highly recommend <code>rshell</code> which provides ability to copy and move files as well as directly write and debug code using REPL. If you don't pass any arguments it will automatically attempt to connect, if you have multiple devices you can also specify the connection parameters. Here the built in USB/Serial interface connected via <code>D+/D-</code> is being used. | ||
| + | |||
| + | <pre> | ||
| + | rshell -p /dev/ttyACM0 -b 115200 | ||
| + | Using buffer-size of 256 | ||
| + | Connecting to /dev/ttyACM0 (buffer-size 256)... | ||
| + | Trying to connect to REPL connected | ||
| + | Retrieving sysname ... esp32 | ||
| + | Testing if ubinascii.unhexlify exists ... Y | ||
| + | Retrieving root directories ... /boot.py/ /main.py/ | ||
| + | Setting time ... Sep 26, 2024 09:42:01 | ||
| + | Evaluating board_name ... pyboard | ||
| + | Retrieving time epoch ... Jan 01, 2000 | ||
| + | Welcome to rshell. Use Control-D (or the exit command) to exit rshell. | ||
| + | </pre> | ||
| + | |||
| + | Once launched, any running code may be halted, entering <code>repl</code> will give an interactive Micropython prompt. Entering <code>Ctrl+D</code> will do a soft reset and any code configured to automatically start such as <code>main.py</code> will then run and you will see any output such as from <code>print()</code> in the terminal. | ||
Latest revision as of 16:48, 26 September 2024
[EXPERIMENTAL] Direction Finding (DF)
This is an exercise that started with up-cycling some e-waste that contains 32 RGBW LEDs and an ESP32-S3-WROOM2. There is a myriad of other components presumably intended to interface with other control circuits.
The primary objective here is not to reverse engineer its previously intended purpose, rather invent a new purpose. The objective is to utilize the outer ring of 24 blinkies as a 360 degree direction indicator. The ESP32 module, which appears to never have been flashed with functioning firmware, is erased and flashed with a current Octal SPI build of Micropython.
For the most part the components on the PCB are not directly connected to the ESP32. Rather there is a number of connectors they are wired to for an alternative "main" processor. This includes the addressable RGBWs that are some variant of SK6812RGBW. Additionally for some reason even though these are individually addressable in series of over a hundred, they are broken in to two independent chains of 24 spaced in an outer circular pattern and 8 more arranged inside that circle.
The board is likely designed as some sort of prototype of an evolution of a production product. It is unknown if it was intended to be a technical evaluation of various features, in ongoing development or a one off experiment. I have ended up with several dozen of these, there are many unknown and some number of issues. The majority of them have thus far had an issue with enabling "Boot Mode" and power on only to continually restart themselves.
ESP32-S3-WROOM2
Pin Layout
Firmware
When connecting to a linux machine, the following can be seen via dmesg | tail.
new full-speed USB device number 99 using xhci_hcd New USB device found, idVendor=303a, idProduct=1001, bcdDevice= 1.01 New USB device strings: Mfr=1, Product=2, SerialNumber=3 Product: USB JTAG/serial debug unit Manufacturer: Espressif SerialNumber: 68:B6:B3:##:##:## cdc_acm 3-2:1.0: ttyACM0: USB ACM device
While the device enumerates as USB and has capacity to facilitate serial communications, it is not really feasible with the constant reboot cycle. However connecting to the TXD0 pin to the Rx of a USB/Serial UART converter the following can be captured. Additionally holding the ESP32 in reset and monitoring the UART you can capture the following by briefly releasing the reset and then re-enabling reset, othrewise you will get a continuous flood of the same messages at 115200 baud.
ESP-ROM:esp32s3-20210327 Build:Mar 27 2021 rst:0x1 (POWERON),boot:0x8 (SPI_FAST_FLASH_BOOT) invalid header: 0xa5ff005a invalid header: 0xa5ff005a invalid header: 0xa5ff005a invalid header: 0xa5ff005a
Some of the boards do properly enter "Boot Mode" which is done by connected GPIO0 to ground. This can easily be done by using a jumper wire from a through hole header that exposes both GPIO0 and ground and pressing a reset button immediately below it. Alternatively this can be achieved by using a wired to pressed to the bottom right most module pin and the metal RF shield on top of the module while connecting to USB to power on.
esptool.py -p /dev/ttyACM0 -b 115200 erase_flash esptool.py v4.8.0 Serial port /dev/ttyACM0 Connecting... Detecting chip type... ESP32-S3 Chip is ESP32-S3 (QFN56) (revision v0.1) Features: WiFi, BLE, Embedded PSRAM 8MB (AP_1v8) Crystal is 40MHz MAC: 68:b6:b3:3c:f4:24 Uploading stub... Running stub... Stub running... Erasing flash (this may take a while)... Chip erase completed successfully in 70.8s Hard resetting via RTS pin...
Note in this instance RTS is not connected, however the device remains in "Boot Mode" and the following action can be performed.
esptool.py -p /dev/ttyACM0 -b 1500000 write_flash -z 0 ESP32_GENERIC_S3-SPIRAM_OCT-20240920-v1.24.0-preview.335.gb08ddbba5.bin esptool.py v4.8.0 Serial port /dev/ttyACM0 Connecting... Detecting chip type... ESP32-S3 Chip is ESP32-S3 (QFN56) (revision v0.1) Features: WiFi, BLE, Embedded PSRAM 8MB (AP_1v8) Crystal is 40MHz MAC: 68:b6:b3:3c:f4:24 Uploading stub... Running stub... Stub running... Changing baud rate to 1500000 Changed. Configuring flash size... Flash will be erased from 0x00000000 to 0x00197fff... Compressed 1668096 bytes to 1089606... Wrote 1668096 bytes (1089606 compressed) at 0x00000000 in 18.7 seconds (effective 714.0 kbit/s)... Hash of data verified. Leaving... Hard resetting via RTS pin...
Note that in this case without RTS the device must be manually power cycled or reset to load the new firmware. Now you should see a different enumeration via dmesg.
new full-speed USB device number 41 using xhci_hcd New USB device found, idVendor=303a, idProduct=4001, bcdDevice= 1.00 New USB device strings: Mfr=1, Product=2, SerialNumber=3 Product: Espressif Device Manufacturer: Espressif Systems SerialNumber: 123456 cdc_acm 3-2:1.0: ttyACM0: USB ACM device
Monitoring TXD0 the following is received.
ESP-ROM:esp32s3-20210327 Build:Mar 27 2021 rst:0x1 (POWERON),boot:0x2a (SPI_FAST_FLASH_BOOT) SPIWP:0xee Octal Flash Mode Enabled For OPI Flash, Use Default Flash Boot Mode mode:SLOW_RD, clock div:1 load:0x3fce3820,len:0x105c load:0x403c9700,len:0x4 load:0x403c9704,len:0xbd8 load:0x403cc700,len:0x2e34 entry 0x403c989c MicroPython v1.24.0-preview.335.gb08ddbba5 on 2024-09-20; Generic ESP32S3 module with Octal-SPIRAM with ESP32S3 Type "help()" for more information. >>>
You can also now use the USB interface, with something like screen /dev/ttyACM0 115200. If successful you should be greeted with blank output. Pressing Enter should generate a Micropython prompt >>> and pressing Ctrl+D generates the following.
MPY: soft reboot MicroPython v1.24.0-preview.335.gb08ddbba5 on 2024-09-20; Generic ESP32S3 module with Octal-SPIRAM with ESP32S3 Type "help()" for more information. >>>
There's various ways you can now access the device, including over WiFi once configured. I highly recommend rshell which provides ability to copy and move files as well as directly write and debug code using REPL. If you don't pass any arguments it will automatically attempt to connect, if you have multiple devices you can also specify the connection parameters. Here the built in USB/Serial interface connected via D+/D- is being used.
rshell -p /dev/ttyACM0 -b 115200 Using buffer-size of 256 Connecting to /dev/ttyACM0 (buffer-size 256)... Trying to connect to REPL connected Retrieving sysname ... esp32 Testing if ubinascii.unhexlify exists ... Y Retrieving root directories ... /boot.py/ /main.py/ Setting time ... Sep 26, 2024 09:42:01 Evaluating board_name ... pyboard Retrieving time epoch ... Jan 01, 2000 Welcome to rshell. Use Control-D (or the exit command) to exit rshell.
Once launched, any running code may be halted, entering repl will give an interactive Micropython prompt. Entering Ctrl+D will do a soft reset and any code configured to automatically start such as main.py will then run and you will see any output such as from print() in the terminal.
