IM-me USB dongle hacking

At £10, the IM-me is a great device. Much work has been done to turn the handheld console into a general purpose device.

I’ve been doing the same for the USB dongle.



The dongle has two chips, a Chipcon CC1110 SoC radio (on the left) and a Cypress CY7C63803 USB microcontroller (on the right). The CY7C63803 handles USB data transfers and communicates with the CC1110 over a SPI interface. Each chip drives an attention line used to notify the other: it is raised to signal willingness to receive, then lowered to acknowledge reception of a valid header.

With the stock firmware, the application protocol looks like this:

{ 0xFA, 0xFB, LEN, PART-N, NUM-PARTS, LEN2, PAYLOAD[LEN2], CHKSUM }

So far as I can tell, the CY7C63803 only looks for the three byte header; everything after that, including the checksum, is just opaque payload to it:

{ 0xFA, 0xFB, LEN, PAYLOAD[LEN] }
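To make the two views of the frame concrete, here is an added encoder/decoder in Python (example code written for this page, not the author's dongle or PC source). It takes the two layouts above as given and derives from them that LEN covers everything after it, so LEN equals LEN2 + 4. The post does not say how CHKSUM is computed, so the `checksum()` function below is an assumed stand-in (8-bit additive) to be swapped for the real algorithm. The decoder is deliberately strict: it refuses a frame whose LEN2 disagrees with LEN or whose checksum fails, which is the check you want before anything on the radio side acts on a payload that arrived over USB. The sample bytes are constructed.

```python
# Added example, not from the original post. Frame layouts as given above:
#   application view : FA FB LEN PART-N NUM-PARTS LEN2 PAYLOAD[LEN2] CHKSUM
#   CY7C63803 view   : FA FB LEN PAYLOAD[LEN]
# Taken together, LEN counts every byte after it, so LEN == LEN2 + 4.
#
# ASSUMPTION: the post gives no checksum algorithm. checksum() below is an
# 8-bit additive sum over PART-N .. PAYLOAD, used only as a placeholder.

from typing import List, NamedTuple, Tuple

HEADER = b"\xFA\xFB"
MAX_PAYLOAD = 0xFF - 4          # LEN is one byte and must hold LEN2 + 4


class AppFrame(NamedTuple):
    part: int                   # PART-N
    parts: int                  # NUM-PARTS
    payload: bytes              # PAYLOAD[LEN2]


def checksum(data: bytes) -> int:
    """Placeholder checksum (assumption, see header comment)."""
    return sum(data) & 0xFF


def build_frame(payload: bytes, part_n: int = 1, num_parts: int = 1) -> bytes:
    """Encode one application frame with both headers and the trailing CHKSUM."""
    if not 0 <= len(payload) <= MAX_PAYLOAD:
        raise ValueError("payload too long for a one-byte LEN")
    if not 1 <= part_n <= num_parts <= 0xFF:
        raise ValueError("bad part numbering")
    body = bytes([part_n, num_parts, len(payload)]) + payload
    inner = body + bytes([checksum(body)])          # PART-N .. CHKSUM == PAYLOAD[LEN]
    return HEADER + bytes([len(inner)]) + inner


def fragment(payload: bytes, chunk: int = MAX_PAYLOAD) -> List[bytes]:
    """Split a long payload into PART-N/NUM-PARTS frames, each a full USB frame."""
    chunks = [payload[i:i + chunk] for i in range(0, len(payload), chunk)] or [b""]
    return [build_frame(c, i + 1, len(chunks)) for i, c in enumerate(chunks)]


def split_usb_stream(stream: bytes) -> Tuple[List[bytes], bytes]:
    """The CY7C63803's job: find FA FB LEN and cut off LEN opaque bytes.

    Returns (opaque payloads, unconsumed tail). Bytes that do not start a
    header are skipped one at a time so a damaged stream resynchronises.
    """
    frames: List[bytes] = []
    i = 0
    while i < len(stream):
        if stream[i] == HEADER[0] and i + 2 > len(stream):
            break                               # possible header, second byte not yet in
        if stream[i:i + 2] != HEADER:
            i += 1
            continue
        if i + 3 > len(stream):
            break                               # header seen, LEN not yet arrived
        end = i + 3 + stream[i + 2]
        if end > len(stream):
            break                               # frame still incomplete
        frames.append(stream[i + 3:end])
        i = end
    return frames, stream[i:]


def parse_app_frame(opaque: bytes) -> AppFrame:
    """The CC1110's job: check both length fields and the checksum before use."""
    if len(opaque) < 4:
        raise ValueError("frame shorter than PART-N NUM-PARTS LEN2 CHKSUM")
    part_n, num_parts, len2 = opaque[0], opaque[1], opaque[2]
    if len2 != len(opaque) - 4:
        raise ValueError("LEN2 disagrees with LEN")  # never trust a single length field
    if checksum(opaque[:-1]) != opaque[-1]:
        raise ValueError("checksum mismatch")
    if not 1 <= part_n <= num_parts:
        raise ValueError("bad part numbering")
    return AppFrame(part_n, num_parts, opaque[3:-1])


def reassemble(frames: List[AppFrame]) -> bytes:
    """Join parts 1..N of one message; reject gaps, repeats and mixed messages."""
    if not frames:
        raise ValueError("no frames")
    n = frames[0].parts
    if any(f.parts != n for f in frames) or [f.part for f in frames] != list(range(1, n + 1)):
        raise ValueError("missing, duplicated or out-of-order part")
    return b"".join(f.payload for f in frames)


def roundtrip(payload: bytes, chunk: int = MAX_PAYLOAD) -> bytes:
    """PC encodes, CY7C63803 splits, CC1110 validates and reassembles."""
    stream = b"".join(fragment(payload, chunk))
    opaques, tail = split_usb_stream(stream)
    if tail:
        raise ValueError("trailing partial frame")
    return reassemble([parse_app_frame(o) for o in opaques])


if __name__ == "__main__":
    sample = b"constructed sample command bytes"       # constructed, not a real command
    print(roundtrip(sample, chunk=10) == sample)
```

Run it as a script to see a fragmented message survive the round trip; drop a byte from `stream` inside `roundtrip()` and the CC1110-side checks reject the frame instead of passing garbage on to the radio.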

Reprogramming the CC1110 is straightforward enough: it can be done with a GoodFET and SDCC. But the CY7C63803 is a black box - even if I could reflash it, I doubt I could make USB work again.

So, I’ve built a custom CC1110 firmware which can communicate over USB to a PC via the unmodified CY7C63803.



After some protocol investigation using an Open Logic Sniffer, I now have a working proof of concept. From a PC, commands can be sent to the dongle and responses received.

So far, you can control the LED, read registers and transmit modulated carriers. The dongle is controlled from a small interactive shell using libusb (based on the GPL drivers for the stock unit).

Obligatory PC driven blinkenlights demo:

There are bugs, but it works.

If anyone wants to give me a logic analyser capable of recording long transactions (Open Logic Sniffer only allows for keyhole surgery), it would be appreciated…

Download the source for CC1110 and PC.

(This is a hack. It may not work for you. If you want a reliable CC1110 system with USB, buy a CC1111 or wire in a GoodFET)

If you find a use for this - let me know.