IM-me USB dongle hacking
At £10, the IM-me is a great device. Much work has been done to turn the handheld console into a general purpose device.
I’ve been doing the same for the USB dongle.
The dongle has two chips, a Chipcon CC1110 SoC radio (on the left) and a Cypress CY7C63803 USB microcontroller (on the right). The CY7C63803 handles USB data transfers and communicates with the CC1110 over an SPI interface. Each chip drives an attention line, used to notify the other: the line is raised to signal willingness to receive, then lowered to acknowledge reception of a valid header.
With the stock firmware, the application protocol looks like this:
{ 0xFA, 0xFB, LEN, PART-N, NUM-PARTS, LEN2, PAYLOAD[LEN2], CHKSUM }
So far as I can tell, the CY7C63803 is only looking for the three-byte header; everything after that, including the checksum, is just opaque payload to it:
{ 0xFA, 0xFB, LEN, PAYLOAD[LEN] }
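The two layouts above can be parsed with strict length checks, as in this added example (not taken from the post's source download; all names are hypothetical). It assumes LEN counts every byte after itself, so LEN == LEN2 + 4, and returns CHKSUM unverified because the post does not give the checksum algorithm.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example; names are hypothetical. Assumption: LEN == LEN2 + 4
   (PART-N, NUM-PARTS, LEN2 and CHKSUM are the four fixed bytes). */
struct imme_frame {
    uint8_t part_n, num_parts, len2, chksum;
    const uint8_t *payload;              /* points into the caller's buffer */
};

enum { IMME_OK = 0, IMME_SHORT = -1, IMME_NO_HEADER = -2, IMME_BAD_LEN = -3 };

/* Constructed sample (not captured from a device): part 1 of 1, payload "hi",
   with 0x00 standing in for the checksum byte. */
static const uint8_t imme_sample[] =
    { 0xFA, 0xFB, 0x06, 0x01, 0x01, 0x02, 'h', 'i', 0x00 };

/* Outer layer, as the USB chip sees it: { 0xFA, 0xFB, LEN, PAYLOAD[LEN] }. */
int imme_outer(const uint8_t *buf, size_t n,
               const uint8_t **body, size_t *body_len)
{
    if (n < 3) return IMME_SHORT;
    if (buf[0] != 0xFA || buf[1] != 0xFB) return IMME_NO_HEADER;
    if ((size_t)buf[2] > n - 3) return IMME_SHORT;  /* LEN runs past buffer */
    *body = buf + 3;
    *body_len = buf[2];
    return IMME_OK;
}

/* Inner layer (stock firmware): PART-N, NUM-PARTS, LEN2, PAYLOAD[LEN2], CHKSUM. */
int imme_parse(const uint8_t *buf, size_t n, struct imme_frame *out)
{
    const uint8_t *b;
    size_t len;
    int rc = imme_outer(buf, n, &b, &len);
    if (rc != IMME_OK) return rc;
    if (len < 4) return IMME_BAD_LEN;                 /* fixed fields missing */
    if ((size_t)b[2] + 4 != len) return IMME_BAD_LEN; /* LEN2 disagrees with LEN */
    out->part_n = b[0];
    out->num_parts = b[1];
    out->len2 = b[2];
    out->payload = b + 3;
    out->chksum = b[3 + b[2]];           /* returned as-is, not verified */
    return IMME_OK;
}

int main(void)
{
    struct imme_frame f;
    return imme_parse(imme_sample, sizeof imme_sample, &f) == IMME_OK ? 0 : 1;
}
```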
Reprogramming the CC1110 is straightforward enough; it can be done with a GoodFET and SDCC. But the CY7C63803 is a black box - even if I could reflash it, I doubt I could make USB work again.
So, I’ve built a custom CC1110 firmware which can communicate over USB to a PC via the unmodified CY7C63803.
After some protocol investigation using an Open Logic Sniffer, I now have a working proof of concept.
From a PC, commands can be sent to the dongle and responses received.
So far, you can control the LED, read registers and transmit modulated carriers. The dongle is controlled from a small interactive shell using libusb (based on the GPL drivers for the stock unit).
Obligatory PC driven blinkenlights demo:
There are bugs, but it works.
If anyone wants to give me a logic analyser capable of recording long transactions (Open Logic Sniffer only allows for keyhole surgery), it would be appreciated…
Download the source for CC1110 and PC.
(This is a hack. It may not work for you. If you want a reliable CC1110 system with USB, buy a CC1111 or wire in a GoodFET.)
If you find a use for this - let me know.