PM3 Wiki

User Tools

Site Tools

Trace: pic32
pic32

This is an old revision of the document!

Table of Contents

PIC32

- the pic32 programming connector (labeled PIC32) matches the PICkit pinout exactly - readback protection is off :) firmware can be trivially extracted.

iMX to PIC comms

Watchdog initialization and feeding: kibble.sal

Stopping the watchdog (with NxExe watchdog 0): euthasol.sal

Stopping is as simple as 

echo -ne "\xBC\x01\0\x04\0\x04H@\x03\0\0" > /dev/ttymxc2

Communication uses the same IPP protocol as cVEND.

IPP message types

msgType dir name description
0x02 ValueRead accepts a 2-byte key, returns a variable-length value
0x03 ValueReadReply
0x04 ValueWrite accepts a 2-byte key followed by a variable-length value, assigns value to key
0x05 ValueWriteReply
0x0a 10000000000080 reads external EEPROM, 18000000000080 reads internal EEPROM
0x0c empty payload immediately powers the device off
0x0e empty payload immediately powers the device off
0x12 SetLogLevel 0000 enables some kind of logging behavior, 8000 disables it

→ - iMX to PIC
← - PIC to iMX

Types 0x80-0xff mirror 0x00-0x7f, but with CRC32 enabled.

nx strings also suggest the existence of:

  • ValueAttribRead
  • ValueAttribWrite
  • DeviceRead (0x0a?)
  • DeviceWrite
  • DeviceIoCtl
  • AppRequest

Keys

id type description
0000 u8
0001 u8
0002 u8
0003 u8
0004 u8
000a u8
0100 u8 internal power button (0/1)
03e8 u8
03e9 u8
03ea u8
03f0 u8
03f3 u8
03fb u8 ignition state (0/1)
0428 u8
0429 u8
042a u8
042b u8
042c u8
0433 u8
0434 u8
0436 u8
0437 u8
0438 u8
07d0 u8
07d1 u8
07d2 u8
07d3 u8
07d4 u8
07d5 u8
07d6 u8
07d7 u8
07d8 u8
07d9 u8
07da u8
07db u8
07dc u8
07dd u8
07de u8
07df u8
07e0 u8
07e1 u8
07e2 u8
07e3 u8
07e4 u8
07e5 u8
07e6 u8
07e7 u8
07e8 u8
07e9 u8
07ea u8
07eb u8
07ec u8
07ed u8
07ee u8
07ef u8
07f0 u8
07f1 u8
07f2 u8
07f3 u8
07f4 u8
07f5 u8
07f6 u8
4000 u16
4001 u16
4002 u16 watchdog residual (seconds)
4003 u16 watchdog timeout (seconds), 0 to disable
4004 u16 boot watchdog timeout (seconds)
4005 u16
400a u16
400b u16
400c u16
400d u16
400e u16
400f u16
4010 u16
4011 u16
4030 u16
4031 u16
4032 u16
4033 u16
4034 u16
4035 u16
4036 u16
403d u16
403e u16
403f u16
5000 u16
5001 u16
5002 u16
5008 u16
500b u16 ambient light sensor
5013 u16
5040 u16 input voltage (mV)
5041 u16
5042 u16
5043 u16
5044 u16
504b u16
504c u16
504e u16
504f u16
5050 u16
5100 u16
5101 u16
5102 u16
5108 u16
510b u16
5113 u16
5140 u16
5141 u16
5142 u16
5143 u16
5144 u16
514b u16
514c u16
514e u16
514f u16
5150 u16
5200 u16
5201 u16
5202 u16
5208 u16
520b u16
5213 u16
5240 u16
5241 u16
5242 u16
5243 u16
5244 u16
524b u16
524c u16
524e u16
524f u16
5250 u16
6100 u16
6101 u16
6102 u16
8012 u32
8020 u32
8030 u32
8100 u32
8102 u32
8103 u32
8104 u32
8105 u32
8106 u32
8107 u32
8108 u32
8109 u32
810a u32
8110 u32
8111 u32
8112 u32
8114 u32
8115 u32
8116 u32
8117 u32
8118 u32
8119 u32
c000 string pic32 version
c001 string bootloader version
c010 string
c011 string
c0c0 string timer statistics
d000 string
d001 string
d002 string
d008 string
d00b string
d013 string
d040 string
d041 string
d042 string
d043 string
d044 string
d04b string
d04c string
d04e string
d04f string
d050 string
d100 string
d101 string
d102 string
d108 string
d10b string
d113 string
d140 string
d141 string
d142 string
d143 string
d144 string
d14b string
d14c string
d14e string
d14f string
d150 string
d200 string
d201 string
d202 string
d208 string
d20b string
d213 string
d240 string
d241 string
d242 string
d243 string
d244 string
d24b string
d24c string
d24e string
d24f string
d250 string
pic32.1772662308.txt.gz · Last modified: by doof