changing the code in the MR-C3024
by i-Bot
Fri Jun 16, 2006 4:42 pm
I documented more of the HSR-8498HB servo here:
http://robosavvy.com/Builders/i-Bot/web ... 0Servo.pdf
To share some of what I learnt of the position feedback, and motion.
Please send any comments/additions and I will add them.
http://robosavvy.com/Builders/i-Bot/web ... 0Servo.pdf
To share some of what I learnt of the position feedback, and motion.
Please send any comments/additions and I will add them.
Last edited by i-Bot on Fri Sep 23, 2011 7:10 pm, edited 1 time in total.
by roycepipkins
Fri Jun 23, 2006 1:49 am
I haven't taken apart any of my servos yet and was much looking forward to it. Thanks for this doc!
I'm surprised to read that the feed back is a pot. I thought digital servos all used some sort of optical encoding. Do all digital servos feedback through a pot? Is the main quailty advantage over analog just in the microprocessor controller for the servo?
I'm surprised to read that the feed back is a pot. I thought digital servos all used some sort of optical encoding. Do all digital servos feedback through a pot? Is the main quailty advantage over analog just in the microprocessor controller for the servo?
by DanAlbert
Sun Sep 03, 2006 3:59 am
BearClaw,
Can you post (or send it to me directly) the code you used to control the servos.
I am rewriting a control OS for the ATMEL ATMEGA128.
Using an OLIMEX board with the same processor that brings out all the pins.
So far I've got some ISRs for Timers, LEDs and USARTs working.
Not bad for the first day.
I'd like to erase the C3024 and load my new program.
My JTAG doesnt work(JTAGEN issue) but I didn't try the SPI.
I have a SMD rework station and may just yank the chip.
However it occured to me that we may be able to use the bootloader.
Has anyone tried to peek() the boatloader code?
Dan
Can you post (or send it to me directly) the code you used to control the servos.
I am rewriting a control OS for the ATMEL ATMEGA128.
Using an OLIMEX board with the same processor that brings out all the pins.
So far I've got some ISRs for Timers, LEDs and USARTs working.
Not bad for the first day.
I'd like to erase the C3024 and load my new program.
My JTAG doesnt work(JTAGEN issue) but I didn't try the SPI.
I have a SMD rework station and may just yank the chip.
However it occured to me that we may be able to use the bootloader.
Has anyone tried to peek() the boatloader code?
Dan
by limor
Sun Sep 03, 2006 11:40 am
Hi Dan,
These Olimex boards are great!
How are you planning to connect the "naked" Atmega128 to servos? wont you need to power the servos separately and isolate the MCU from them in some way?
I've just placed an order for a Robostix (gumstix.com). It is also an Atmega128 that exposes pins (albeit not all the 32 pins that can be used to drive servos) but seems to have some circuitry to support servos running at different voltage.
Haven't peeked yet into the RN1 bootloader but do you expect to find something other than simple loading of code through the serial line? i'd imagine that all the interpreter functions and compiled meta-code comes from the PC.
Limor
These Olimex boards are great!
How are you planning to connect the "naked" Atmega128 to servos? wont you need to power the servos separately and isolate the MCU from them in some way?
I've just placed an order for a Robostix (gumstix.com). It is also an Atmega128 that exposes pins (albeit not all the 32 pins that can be used to drive servos) but seems to have some circuitry to support servos running at different voltage.
Haven't peeked yet into the RN1 bootloader but do you expect to find something other than simple loading of code through the serial line? i'd imagine that all the interpreter functions and compiled meta-code comes from the PC.
Limor
by DanAlbert
Sun Sep 03, 2006 2:54 pm
I am using the OLIMEX just to develop the code.
I have a Digiview logic analyzer to look at the signals.
When the code is good enough I'll transfer it to the C3024.
ATMEL gives a pretty good demo example on the boot loader.
Since RoboBasic is so trashy, I doubt that they spent the time to write their own special boot loader. That's why I wanted to peek() at the boot loader locations.
Even though I'm a newbie with AVRs,I suspect the boot loader is located in the upper memory boot loader section and they most likely set the fuse bits to prevent boot loader modification. But maybe not.
Even so I think I could use it to reload my program.
Will the Gumstix board mount properly on the RN?
I have a Digiview logic analyzer to look at the signals.
When the code is good enough I'll transfer it to the C3024.
ATMEL gives a pretty good demo example on the boot loader.
Since RoboBasic is so trashy, I doubt that they spent the time to write their own special boot loader. That's why I wanted to peek() at the boot loader locations.
Even though I'm a newbie with AVRs,I suspect the boot loader is located in the upper memory boot loader section and they most likely set the fuse bits to prevent boot loader modification. But maybe not.
Even so I think I could use it to reload my program.
Will the Gumstix board mount properly on the RN?
by i-Bot
Sun Sep 03, 2006 6:43 pm
Sorry to have been silent on this topic, very busy !
The following is my understanding of how the boot loader works, based on a number of factors.
The bootloader resides at location 0xf000 in AtMega128 Flash. (when the command 0xAF boot is sent from the PC, the C3024 code jumps to 0xf000)
The fuses are set to jump to 0xf000 on reset to enter the bootloader. The bootloader sends the ">" char, waits for a response for a given period, then jumps to start the main code at location 0x0000. ( the main code does not send the ">" char.
The fuses have the LPM instruction set disabled on the boot area. (programming a blank Atmega128 with the main code, gives the same checksum as the C3024, though the checksum is done over the entire 64K words. Not sure about SPM, but this does not help us yet.
The Robobasic executable v2.5e, does contain the C3024 main code in un encryted form, so it is intended to download this to the C3204 (I have extracted the code and run in a virgin AtMeag128.)
I have tried in vain to get robobasic to invoke the loader. I have emulated the C3204, told it the wrong version, checksum, etc. No sign of access to the loader.
As soon as Robobasic invokes the loader it is cracked, since we know what code will be downloaded. However Hitec and Minirobots never update the code !
If anyone get an idea of when the loader is invoked, many points, since the fuses are set to disable the SPI and JTAG. I had to change the chip. I use a Jtag, but any freeware serial bootloader can be then used.
For a replacement board a direct copy of the C3024 would be fine, then it could run either Robobasic, or anything else. I can offer a code version which works at constant 115K which I use with bluetooth, but it is rather slow due to the bluetooth delays. The only real requirement is for the repalcement borad is for the servo pins to be in about the same place, and to have the EEPROM on the SPI. I have an Olimex in this configuration, with a bluetooth instead of the RS232 interface and this works fine.
The following is my understanding of how the boot loader works, based on a number of factors.
The bootloader resides at location 0xf000 in AtMega128 Flash. (when the command 0xAF boot is sent from the PC, the C3024 code jumps to 0xf000)
The fuses are set to jump to 0xf000 on reset to enter the bootloader. The bootloader sends the ">" char, waits for a response for a given period, then jumps to start the main code at location 0x0000. ( the main code does not send the ">" char.
The fuses have the LPM instruction set disabled on the boot area. (programming a blank Atmega128 with the main code, gives the same checksum as the C3024, though the checksum is done over the entire 64K words. Not sure about SPM, but this does not help us yet.
The Robobasic executable v2.5e, does contain the C3024 main code in un encryted form, so it is intended to download this to the C3204 (I have extracted the code and run in a virgin AtMeag128.)
I have tried in vain to get robobasic to invoke the loader. I have emulated the C3204, told it the wrong version, checksum, etc. No sign of access to the loader.
As soon as Robobasic invokes the loader it is cracked, since we know what code will be downloaded. However Hitec and Minirobots never update the code !
If anyone get an idea of when the loader is invoked, many points, since the fuses are set to disable the SPI and JTAG. I had to change the chip. I use a Jtag, but any freeware serial bootloader can be then used.
For a replacement board a direct copy of the C3024 would be fine, then it could run either Robobasic, or anything else. I can offer a code version which works at constant 115K which I use with bluetooth, but it is rather slow due to the bluetooth delays. The only real requirement is for the repalcement borad is for the servo pins to be in about the same place, and to have the EEPROM on the SPI. I have an Olimex in this configuration, with a bluetooth instead of the RS232 interface and this works fine.
by limor
Sun Sep 03, 2006 7:21 pm
i-Bot, looking at the Atmega128 reference, it says on page 278 that "The Boot Lock bits can be set in software and in Serial or Parallel programming mode, but they can be cleared by a chip erase command only". So i'm not sure we'll be able to peek() into the boot loader without Hitec wanting it.
However, the bootloader->PC protocol can probably be hacked and alternative code can replace that of the robobasic.
Either that or a "chip erase" which means no need to take the original chip off the board but somehow to access the appropriate pins for programming the mcu while it is on board the pcb.
However, the bootloader->PC protocol can probably be hacked and alternative code can replace that of the robobasic.
Either that or a "chip erase" which means no need to take the original chip off the board but somehow to access the appropriate pins for programming the mcu while it is on board the pcb.
by DanAlbert
Sun Sep 03, 2006 7:29 pm
I agree,
Why don't we just use the bootloader code as is?
If it works as you described than all is good.
I guess we need a non-robobasic program to load the code up.
I can whip something up in Visual C++ if I can get the Bootloader's protocol.
I thought I saw it somewhere in this forum. Please remind me where it Tiz.
8>)
Dan
Why don't we just use the bootloader code as is?
If it works as you described than all is good.
I guess we need a non-robobasic program to load the code up.
I can whip something up in Visual C++ if I can get the Bootloader's protocol.
I thought I saw it somewhere in this forum. Please remind me where it Tiz.
8>)
Dan
by i-Bot
Sun Sep 03, 2006 7:34 pm
Exactly, I see no way to view the bootloader code in the C3024.
However if anyone can invoke the loader, we will see it on the serial port monitor, and will know what characters are required to respond to the ">". Also we will see the download protocol, and the payload is not encrypted. Then we can swap code when we want with a simple PC program.
If only Hitec/Minirobots would release some info, or distribute another code version. (some hope !)
As I said, big points to anyone who can invoke the download, since RN-1 will then be an open platform, and still able to run Robobasick.
However if anyone can invoke the loader, we will see it on the serial port monitor, and will know what characters are required to respond to the ">". Also we will see the download protocol, and the payload is not encrypted. Then we can swap code when we want with a simple PC program.
If only Hitec/Minirobots would release some info, or distribute another code version. (some hope !)
As I said, big points to anyone who can invoke the download, since RN-1 will then be an open platform, and still able to run Robobasick.
by limor
Sun Sep 03, 2006 8:40 pm
Exactly!As I said, big points to anyone who can invoke the download, since RN-1 will then be an open platform, and still able to run Robobasick.
It was Michael Thompson who had analyzed the runtime serial interface before. (I try to maintain these links onthe FAQ page, use the word aibo to add/modify)
by limor
Mon Sep 04, 2006 10:35 am
I've seen the updated document(s).. Thats a lot of work you did with http://www.serial-port-monitor.com/
Any luck with analyzing the PC->Bootloader protocol?
Any luck with analyzing the PC->Bootloader protocol?
by DanAlbert
Mon Sep 04, 2006 2:19 pm
I-bot,
I would like to see if I can write a program on my pc to act as a bootloader.
Let's see if understand what is going on.
The fuses are set to jump to the bootloader where it sends out a ">".
Some response is expected either via the serial port or maybe even some other port depending on how tricky they were.
I expect that if the response does not reply within a timeout value then the vector table gets reset to the application section and the program restarts at 0.
Do we know anything about what is expected from the ">"?
Has anyone tried to send back a character in response?
Dan
I would like to see if I can write a program on my pc to act as a bootloader.
Let's see if understand what is going on.
The fuses are set to jump to the bootloader where it sends out a ">".
Some response is expected either via the serial port or maybe even some other port depending on how tricky they were.
I expect that if the response does not reply within a timeout value then the vector table gets reset to the application section and the program restarts at 0.
Do we know anything about what is expected from the ">"?
Has anyone tried to send back a character in response?
Dan