首頁 探索 說明
登入
noah
/
tibasicc
1
0
複刻 0
檔案 問題管理 0 合併請求 0 Wiki
目錄樹: bdadf7a774
分支列表 標籤列表
tibasicc
/
doc
/
tixx_guide
/
linkguide
/
direct-usb-protocol.txt

direct-usb-protocol.txt 10 KB
文件歷史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423 
  1. 					*****************************
    2. 

  2. 					* Direct Cable(tm) protocol *
    3. 

  3. 					* by roms 2006				*
    4. 

  4. 					*****************************
    5. 

  5. 

  6. 

  7. Based on preliminary work made by "Drake Wilson" <drake@libcom.com>. Thanks !
    8. 

  8. 

  9. 

  10. The initialization sequence for the direct USB cable seems to always
    11. 

  11. be setting the alternate interface to 0 and the configuration to 1.
    12. 

  12. The endpoints used are 0x02 (for computer to calculator messages) and
    13. 

  13. 0x81 (for calculator to computer messages).  All messages are sent via
    14. 

  14. bulk transfer.
    15. 

  15. 

  16. Data are sent on a per-block basis (URB = Usb Request Block).
    17. 

  17. Block length is 256 bytes for TI84+ and Titanium.
    18. 

  18. 

  19. Please note this is different of packets below because URBs are managed by driver
    20. 

  20. or lower layers (at least for Titanium).
    21. 

  21. Packet length (chunck) is:
    22. 

  22. - 255 bytes on TI84+,
    23. 

  23. - 1023 bytes on Titanium.
    24. 

  24. 

  25. Clearly: 
    26. 

  26. - on TI84+, a packet is always contained in an URBs (255 < 256),
    27. 

  27. - on Titanium, a packet may be contained in one or more URBs (1023 > 256).
    28. 

  28. 

  29. If this is not clear for you, take a look at screenshot.log (SniffUsb) and screenshot.pkt.
    30. 

  30. 

  31. 

  32. 0°) Introduction
    33. 

  33. ----------------
    34. 

  34. 

  35. The generic format for packets is below:
    36. 

  36. 

  37. 	| packet header    | data (250/1018 bytes max)							 |
    38. 

  38. 	|				   |  or												 |
    39. 

  39. 	| size		  | ty | size		 | code	 | data	(246/1012 bytes)		 |
    40. 

  40. 	|			  |    |			 |		 |								 |
    41. 

  41. 	| 00 00 00 10 | 04 | 00 00 00 0A | 00 01 | 00 03 00 01 00 00 00 00 07 D0 |	
    42. 

  42. 

  43. The following notation will be used in this doc: 
    44. 

  44. 

  45. 	aabbccdd (type) xxyyzztt {code} [pure data]
    46. 

  46. 

  47. Note: on Titanium, the data part usually follows the packet header but it may be sent in
    48. 

  48. another URB (fragmented) when the data part is huge (> 1012). In this case, the packet
    49. 

  49. header is sent alone in URB and is next followed by a 1023-bytes chunk of data in a second URB.
    50. 

  50. TI seems not to like easy things :-(
    51. 

  51. 

  52. 

  53. 1°) Packet Header (5 bytes)
    54. 

  54. ---------------------------
    55. 

  55. 

  56. Each packet starts with the following header (packet header):
    57. 

  57. 

  58.   HH HL LH LL	= four-byte big-endian length of non-header part
    59. 

  59. 					of packet (after opcode)
    60. 

  60.   OO			= one-byte packet type
    61. 

  61.   ...
    62. 

  62. 

  63. Packets will be represented as "(opcode) data" in the following text.
    64. 

  64. 

  65. Types of packets include:
    66. 

  66.   01 = handshake (HSK)
    67. 

  67.   02 = handshake response (ANS)
    68. 

  68.   03 = data packet (DATA)
    69. 

  69.   04 = last data packet (LAST)
    70. 

  70.   05 = acknowledgement (ACK)
    71. 

  71. 

  72. The handshake consists of:
    73. 

  73. 

  74.   -> 00000004 (01) [00 00 04 00]
    75. 

  75.   <- 00000004 (02) [00 00 00 fa] TI84+
    76. 

  76.   <- 00000004 (02) [00 00 03 ff] Titanium
    77. 

  77.   
    78. 

  78. The acknowledgment (ACK) packet is packet type 05.  The data of the
    79. 

  79. ACK packet is always E0 00 (if successful):
    80. 

  80. 

  81. 	-> 00000002 (05) [E0 00]
    82. 

  82. 

  83. Types 01,02 have 4 bytes of data, type 05 has 2 bytes only.
    84. 

  84. 

  85. 

  86. 2°) Data header (6 bytes)
    87. 

  87. -------------------------
    88. 

  88. 

  89. When sending any piece of data, the following header (data header) is 
    90. 

  90. prepended on the _first_ data packet:
    91. 

  91. 

  92.   HH HL LH LL	= four-byte big-endian length of non-header part
    93. 

  93. 			  of data (after opcode)
    94. 

  94.   OO OO			= two-byte opcode
    95. 

  95.   ...
    96. 

  96. 

  97. On TI84+, the data is sent in 245-bytes chunks for the first packet or in 250-bytes
    98. 

  98. chunks for the others. If data is greater than 245 bytes, then data is sent in several 
    99. 

  99. packets (several data/ack steps).
    100. 

  100. 

  101. On Titanium, the data is sent in 1012-bytes chunks for the first packet or in 1018-bytes
    102. 

  102. chunks for the others. If data is greater than 1012 bytes, then data is sent in several 
    103. 

  103. packets (several data/ack steps).
    104. 

  104. 

  105. Packet type 03 is used for each of the packet except the last, and packet
    106. 

  106. type 04 is used for the last packet.  Each data packet is acknowledged
    107. 

  107. with packet type 05.  Thus, you have, for short data:
    108. 

  108. 

  109.   -> (04) header, data... 
    110. 

  110.   <- ACK
    111. 

  111. 

  112. And for longer data, you might have:
    113. 

  113. 

  114.   -> (03) header, data...
    115. 

  115.   <- ACK
    116. 

  116.   -> (03) data...
    117. 

  117.   <- ACK
    118. 

  118.   -> (04) last part of data...
    119. 

  119.   <- ACK
    120. 

  120. 

  121. Note: usually, the data header size is 7 bytes greater than the size of real data because
    122. 

  122. 7 bytes are prepended to data (4 bytes of request and 3 bytes of data size).
    123. 

  123. 

  124. 3°) Type IDs (tid)
    125. 

  125. ------------------
    126. 

  126. 

  127. - 0022: screen
    128. 

  128. - 0024: related to clock (???)
    129. 

  129. - 0025: clock value
    130. 

  130. - 0027: date format
    131. 

  131. - 0028: time format (am/pm or 24h)
    132. 

  132. 

  133. 

  134. 4°) Op-codes (opc)
    135. 

  135. ------------------
    136. 

  136. 

  137. Data opcodes include:
    138. 

  138. 

  139. 	0001 = unknown request (data = 00 03 00 01 00 00 00 00 07 D0)
    140. 

  140. 		Reply with opcode 0012 and data = 00 00 07 D0
    141. 

  141. 

  142. 		Same for all calcs. Is an echo ?
    143. 

  143. 

  144. 	0012 = ???
    145. 

  145. 		Answer of 0001
    146. 

  146. 		
    147. 

  147. 	0007 = request (REQ)
    148. 

  148. 

  149. 		The format seems to be the following:
    150. 

  150. 		00 NN tid1 tid2 ... tidN	where NN is the number of requests and tidI the request on 2 bytes)
    151. 

  151. 		Replied with opcode 0008 below.
    152. 

  152. 

  153. 		- screenshot with data = 00 01  00 22
    154. 

  154. 

  155. 		- clock with data = 00 04  00 25  00 27  00 28  00 24		
    156. 

  156. 

  157. 	0008 = request answer (VAR)
    158. 

  158. 

  159. 		The format seems to be the following:
    160. 

  160. 		00 NN [tid1 size1 data1] [tid2 size2 data2] ... [tidN sizeN dataN]
    161. 

  161. 

  162. 		where:
    163. 

  163. 		- NN is the number of request 
    164. 

  164. 		- tidI is the previous request tidI (2 bytes)
    165. 

  165. 		- sizeI is the size of data following (3 bytes)
    166. 

  166. 		- dataI is the data request by tidI (sizeI bytes)
    167. 

  167. 		and so on...
    168. 

  168. 

  169. 	000e = request to send (RTS)
    170. 

  170. 	
    171. 

  171. 		The format is the following: tid size data
    172. 

  172. 		where tid is the type id, size is the size of data
    173. 

  173. 

  174. 	aa00 = clear to send (CTS)
    175. 

  175. 		01
    176. 

  176. 

  177. 	bb00 = clear to receive (CTR)
    178. 

  178.   		00 01 d4 c0
    179. 

  179. 

  180. 	dd00 = end of transmission (EOT)
    181. 

  181. 		no data
    182. 

  182. 

  183. 	ee00 = error
    184. 

  184. 

  185. 	    data = CC CC		where CCCC is a two-byte error code
    186. 

  186. 

  187. 		Error codes include:
    188. 

  188. 		00 08 = transmission error or invalid code?
    189. 

  189. 		00 0c = out of memory?
    190. 

  190. 		00 0e = invalid name?
    191. 

  191. 

  192. ////
    193. 

  193. 

  194.   0009 = Request directory from calculator
    195. 

  195.     00 00 00 06 00 02 00 03 00 05 00 01 00 41 00 42
    196. 

  196.     00 01 00 01 00 01 01
    197. 

  197. 

  198.   000a = Directory entry
    199. 

  199.     LL LL name...	= big-endian length of name, followed by name
    200. 

  200. 

  201.     00 00 06 00 02 00
    202. 

  202.     00 04 f0 07 00
    203. 

  203.     TT			= type of variable
    204. 

  204.     00 03 00 00 01
    205. 

  205.     FF			= some kind of flags?
    206. 

  206.                             bit 0 (0x01) = archived
    207. 

  207.     00 05
    208. 

  208.     GG			= more flags?
    209. 

  209. 			    bit 0 (0x01) = auxiliary data present
    210. 

  210. 

  211.     If auxiliary data present:
    212. 

  212.       LL LL data...     = big-endian length of data, followed by data
    213. 

  213. 

  214.     00 01 00 00 04
    215. 

  215.     SS SS SS SS		= big-endian size of variable in bytes
    216. 

  216.     00 04 01 00 42 01
    217. 

  217. 

  218.   000b = Send variable to calculator
    219. 

  219.     LL LL name...	= big-endian length of name, followed by name
    220. 

  220.     00
    221. 

  221.     SS SS SS SS		= big-endian size of variable in bytes
    222. 

  222.     01 00
    223. 

  223.     FF			= not sure what this is...
    224. 

  224. 			    FF = 0x03 for lists and programs
    225. 

  225.                                  0x02 for flash applications
    226. 

  226.     00 02 00 04 f0 07
    227. 

  227.     00
    228. 

  228.     TT			= type of variable
    229. 

  229.     00 03 00 01 00
    230. 

  230. 

  231.     00 08 00 04 00	= don't know what this means?
    232. 

  232.     00 00 00
    233. 

  233.       ( The last 8 bytes did not appear during flash application
    234. 

  234.         transfer, but they did during list and program transfer. )
    235. 

  235. 

  236.   000c = Request variable from calculator
    237. 

  237.     LL LL name...	= big-endian length of name, followed by name
    238. 

  238.     00 01 ff ff ff ff
    239. 

  239.     00 02 00 03 00 08
    240. 

  240.     00 01 00 11 00 04
    241. 

  241.     f0 07 00
    242. 

  242.     TT			= type of variable
    243. 

  243.     00 00
    244. 

  244. 

  245.   000d = Variable data being transferred
    246. 

  246.     (Format depends on type of variable; seems to be related to the
    247. 

  247.      .8x? file types)
    248. 

  248.     Programs:
    249. 

  249.       SS SS		= little-endian size of data in bytes
    250. 

  250.       ...		= tokenized data
    251. 

  251.     Lists:
    252. 

  252.       LL LL		= little-endian length of list in elements
    253. 

  253.       ...		= packed real numbers in TI-83+ BCD format
    254. 

  254.       
    255. 

  255.   0010 = Delete variable from calculator
    256. 

  256.     LL LL name...	= big-endian length of name, followed by name
    257. 

  257.     00 00 02 00 01 00
    258. 

  258.     f0 07 00
    259. 

  259.     TT			= type of variable?
    260. 

  260.     00 13 00 01 00 01
    261. 

  261.     00 00 00 00
    262. 

  262.     
    263. 

  263.   0011 = ?
    264. 

  264.   
    265. 

  265.   0012 = ?
    266. 

  266.   	00 00 07 D0 
    267. 

  267.   	Answer of opcode 0001 (data contains the last 4 bytes of opcode 0001 ?!)
    268. 

  268.     
    269. 

  269.   dd00 = End of transmission (EOT)
    270. 

  270.     (no data)
    271. 

  271. 

  272. 

  273. 4°) Communication Flow
    274. 

  274. ----------------------
    275. 

  275. 

  276. Communication flow for requesting directory from calculator:
    277. 

  277.   -> Request directory
    278. 

  278.   <- ACK
    279. 

  279.   (
    280. 

  280.     <- Directory entry | EOT
    281. 

  281.     -> ACK
    282. 

  282.   )*
    283. 

  283. 

  284. Communication flow for sending variable to calculator:
    285. 

  285.   -> Send variable
    286. 

  286.     <- ACK
    287. 

  287.   <- CTS | Error
    288. 

  288.     -> ACK
    289. 

  289.   -> Variable data
    290. 

  290.     <- ACK
    291. 

  291.   <- CTS
    292. 

  292.     -> ACK
    293. 

  293.   ( Maybe jump back to earlier stage here if sending more
    294. 

  294.     than one variable simultaneously? )
    295. 

  295.   -> EOT
    296. 

  296.     <- ACK
    297. 

  297. 

  298. Communication flow for requesting variable from calculator:
    299. 

  299.   -> Request variable
    300. 

  300.     <- ACK
    301. 

  301.   <- Directory entry
    302. 

  302.     -> ACK
    303. 

  303.   <- Variable data
    304. 

  304.     -> ACK
    305. 

  305.   ( The USB endpoints were always reset after this transction, so
    306. 

  306.     it's hard to tell whether there was supposed to be anything else
    307. 

  307.     after this. )
    308. 

  308. 

  309. Communication flow for deleting variable from calculator:
    310. 

  310.   -> Delete variable
    311. 

  311.     <- ACK
    312. 

  312.   <- CTS
    313. 

  313.     -> ACK
    314. 

  314.   ( USB endpoints reset after this... ? )
    315. 

  315. 

  316. 

  317. 10°) Unknown (all calcs)
    318. 

  318. -----------------------
    319. 

  319. 

  320. This step is systematically done at startup after the HSK/RES.
    321. 

  321. Moreover, it's needed for TI84+ else any other commands is rejected with error code 0008.
    322. 

  322. 

  323. 	PC: Data	{0001} 00 03 00 01 00 00 00 00 07 D0
    324. 

  324. 	TI: Ack
    325. 

  325. 	
    326. 

  326. 	TI: Data	{0012} 00 00 07 D0
    327. 

  327. 	PC:	Ack
    328. 

  328. 

  329. 

  330. 5°) Screenshot (on Titanium)
    331. 

  331. ----------------------------
    332. 

  332. 

  333. Communication flow for requesting a screenshot (TI <-/-> PC):
    334. 

  334. 

  335. 	PC: Handshake
    336. 

  336. 	TI: Response
    337. 

  337. 	
    338. 

  338. 	PC: Data	{0007} 00 01 00 22   
    339. 

  339. 	TI: Ack	
    340. 

  340. 

  341. ---- 84+ ----
    342. 

  342. 	TI: Data	{bb00} 00 01 D4 C0
    343. 

  343. 	PC: Ack
    344. 

  344. ---- 84+ ----
    345. 

  345. 

  346. 	TI: Data	{0008} 00 01 00 22 00 0F 00 [3840 bytes of screen] (*)
    347. 

  347. 	PC:	Ack
    348. 

  348. 

  349. 	TI: Data	[3840 bytes of screen]
    350. 

  350. 	PC:	Ack
    351. 

  351. 

  352. 	TI: Data	[3840 bytes of screen]
    353. 

  353. 	PC:	Ack
    354. 

  354. 

  355. 	TI: Last	[3840 bytes of screen]
    356. 

  356. 	PC:	Ack
    357. 

  357. 

  358. (*) 00 0F = 3840 bytes -> size of screen
    359. 

  359. 

  360. 

  361. 6°) Getting clock (on TI84+)
    362. 

  362. ----------------------------
    363. 

  363. 

  364. Communication flow for requesting a screenshot (TI <-/-> PC):
    365. 

  365. 

  366. 	PC: Handshake
    367. 

  367. 	TI: Response
    368. 

  368. 	
    369. 

  369. 	PC: Data	{0007} 00 04 00 25 00 27 00 28 00 24
    370. 

  370. 	TI: Ack	
    371. 

  371. 

  372. ---- 84+ ----
    373. 

  373. 	TI: Data	{bb00} 00 01 D4 C0
    374. 

  374. 	PC: Ack
    375. 

  375. ---- 84+ ----
    376. 

  376. 

  377. 	TI: Last	{0008} 00 04 00 25 00 00 04 10 15 16 74 00 27 00 00 01 01 00 28 00 00 01 00 00 24 00 00 01 01 (*)
    378. 

  378. 	PC:	Ack
    379. 

  379. 

  380. (*) 
    381. 

  381. 24 is followed by ???
    382. 

  382. 25 is followed by the the clock value
    383. 

  383. 27 is followed by the date formatting (1: MDY, 2: DMY, 0:YMD)
    384. 

  384. 28 is followed by the clock mode (0: am/pm or 1: 24h)
    385. 

  385. 

  386. 

  387. 7°) Setting clock (on TI84+)
    388. 

  388. ----------------------------
    389. 

  389. 

  390. 	PC: Handshake
    391. 

  391. 	TI: Response
    392. 

  392. 	
    393. 

  393. 	PC: Data	{000e} 00 25 00 04 10 15 17 01 
    394. 

  394. 	TI: Ack	
    395. 

  395. 

  396. ---- 84+ ----
    397. 

  397. 	TI: Data	{aa00} 01
    398. 

  398. 	PC: Ack
    399. 

  399. ---- 84+ ----
    400. 

  400. 

  401. 	PC: Data	{000e} 00 27 00 01 01
    402. 

  402. 	TI: Ack	
    403. 

  403. 

  404. ---- 84+ ----
    405. 

  405. 	TI: Data	{aa00} 01
    406. 

  406. 	PC: Ack
    407. 

  407. ---- 84+ ----
    408. 

  408. 

  409. 	PC: Data	{000e} 00 28 00 01 00
    410. 

  410. 	TI: Ack	
    411. 

  411. 

  412. ---- 84+ ----
    413. 

  413. 	TI: Data	{aa00} 01
    414. 

  414. 	PC: Ack
    415. 

  415. ---- 84+ ----
    416. 

  416. 

  417. 	PC: Data	{000e} 00 24 00 01 01
    418. 

  418. 	TI: Ack	
    419. 

  419. 

  420. ---- 84+ ----
    421. 

  421. 	TI: Data	{aa00} 01
    422. 

  422. 	PC: Ack
    423. 

  423. ---- 84+ ----
    424.