From 4f9dc140bbe0d776a01da6ec1806fd5b26e6d370 Mon Sep 17 00:00:00 2001
From: Steve Markgraf <steve@steve-m.de>
Date: Sun, 20 Nov 2011 15:35:20 +0100
Subject: firmware/dsp: Send framenumber, TSC, checksum and magic via MCSI

In addition to the last commit we now send:
 * a burst start magic
 * the framenumber
 * the Training Sequence Code number
 * 2 simple XOR checksums

The data of a burst now looks like:

struct burst {
	uint8_t  garbage1;
	uint8_t  magic[8];		/* "IQDATAv1" in ASCII */
	uint16_t iq_samples[302];
	uint16_t iq_lrc;
	uint8_t  garbage2;
	uint16_t demod[34];
	uint32_t fn;
	uint16_t tsc;
	uint16_t demod_lrc;
};

Signed-off-by: Steve Markgraf <steve@steve-m.de>
---
 src/target/firmware/calypso/dsp.c           | 14 ++++++
 src/target/firmware/calypso/dsp_sniffcode.c | 61 ++++++++++++++------------
 src/target/firmware/include/calypso/dsp.h   |  1 +
 src/target/firmware/layer1/prim_sniff.c     |  4 ++
 src/target_dsp/calypso/dsp_sniff.S          | 67 ++++++++++++++++++++++-------
 5 files changed, 104 insertions(+), 43 deletions(-)

diff --git a/src/target/firmware/calypso/dsp.c b/src/target/firmware/calypso/dsp.c
index 0ca272ec..ff1a05b5 100644
--- a/src/target/firmware/calypso/dsp.c
+++ b/src/target/firmware/calypso/dsp.c
@@ -230,6 +230,14 @@ static void dsp_set_params(int16_t *param_tab, int param_size)
 
 	dsp_api.param->d_gprs_install_address = DSP_SNIFF_PATCH_START;
 
+	/* Set MCSI burst start magic, stored in unused holes.
+	 * The sniffing task will send those over MCSI at the begin
+	 * of each burst, in this case ASCII "IQDATAv1" */
+	dsp_api.param->d_hole2_param[0] = 0x4951;
+	dsp_api.param->d_hole2_param[1] = 0x4441;
+	dsp_api.param->d_hole2_param[2] = 0x5441;
+	dsp_api.param->d_hole2_param[3] = 0x7631;
+
 	dsp_dump_version();
 
 	dputs("Finishing download phase\n");
@@ -568,6 +576,12 @@ void dsp_load_tch_param(struct gsm_time *next_time,
 	dsp_api.db_w->d_ctrl_tch  = d_ctrl_tch; /* Channel config.     */
 }
 
+void dsp_load_sniff_fn(struct gsm_time *next_time)
+{
+	dsp_api.db_w->a_a5fn[0] = (next_time->fn >> 16);
+	dsp_api.db_w->a_a5fn[1] = (next_time->fn & 0xffff);
+}
+
 void dsp_load_ciph_param(int mode, uint8_t *key)
 {
 	dsp_api.ndb->d_a5mode = mode;
diff --git a/src/target/firmware/calypso/dsp_sniffcode.c b/src/target/firmware/calypso/dsp_sniffcode.c
index 3a4c2381..1be4bf55 100644
--- a/src/target/firmware/calypso/dsp_sniffcode.c
+++ b/src/target/firmware/calypso/dsp_sniffcode.c
@@ -5,7 +5,7 @@
 static const struct dsp_section dsp_sniffcode[] = {
 	{
 		.addr = 0x015c,
-		.size = 0x00a1,
+		.size = 0x00be,
 		.data = _SA_DECL {
 			0x76f8, 0x3f6b, 0x0160, 0xfc00,
 			0x76f8, 0x439e, 0x0164, 0xfc00,
@@ -17,37 +17,44 @@ static const struct dsp_section dsp_sniffcode[] = {
 			0x7211, 0x2114, 0xf495, 0xf495,
 			0x1281, 0xf845, 0x018a, 0xf010,
 			0x0001, 0x8081, 0xf074, 0xb74c,
-			0xf020, 0x01c3, 0xf074, 0xaa9f,
+			0xf020, 0x01c1, 0xf074, 0xaa9f,
 			0xf073, 0x0178, 0xfc00, 0x7681,
 			0x0010, 0x7581, 0x0806, 0xfc00,
 			0x7711, 0x2116, 0x7681, 0x0002,
 			0x7581, 0x0805, 0x7681, 0x004f,
 			0x7581, 0x0801, 0x7681, 0x0001,
-			0x7581, 0x0800, 0xf074, 0x018b,
-			0xfc00, 0x7711, 0x2116, 0xf074,
-			0x018b, 0x7594, 0x0820, 0x7481,
-			0x0806, 0x6181, 0x0010, 0xf820,
-			0x01a7, 0xfc00, 0x1282, 0xf074,
-			0x01a1, 0xf010, 0x0001, 0xf844,
-			0x01af, 0xfc00, 0x7711, 0x2116,
-			0x7481, 0x0806, 0x6181, 0x0020,
-			0xf820, 0x01b8, 0x7681, 0x0002,
-			0x7581, 0x0800, 0xfc00, 0x7714,
-			0x0cce, 0xf074, 0x0190, 0x7712,
-			0x2117, 0x7782, 0x017c, 0xf074,
-			0x01ae, 0xf074, 0x01b6, 0xe834,
-			0xf074, 0xa9ea, 0x7213, 0x2115,
-			0xf495, 0xf495, 0x7093, 0x3fa4,
-			0x7093, 0x3fa5, 0x7093, 0x3fa7,
-			0x7093, 0x3fa6, 0x7093, 0x0cce,
-			0x7712, 0x0ccf, 0x7711, 0x001c,
-			0x47f8, 0x0011, 0xe589, 0x7214,
-			0x2115, 0x7313, 0x2115, 0xf074,
-			0x0190, 0x7712, 0x2117, 0x7782,
-			0x0022, 0xf074, 0x01ae, 0xf074,
-			0x01b6, 0x7211, 0x2114, 0xf495,
-			0xf495, 0x6be1, 0x0001, 0x0001,
-			0xfc00,
+			0x7581, 0x0800, 0xfc00, 0x7711,
+			0x2116, 0xf074, 0x018b, 0x1d84,
+			0x7594, 0x0820, 0x7481, 0x0806,
+			0x6181, 0x0010, 0xf820, 0x01a6,
+			0xfc00, 0xf074, 0x019f, 0xf010,
+			0x0001, 0xf844, 0x01ad, 0xfc00,
+			0x7711, 0x2116, 0x7481, 0x0806,
+			0x6181, 0x0020, 0xf820, 0x01b6,
+			0x7681, 0x0002, 0x7581, 0x0800,
+			0xfc00, 0xf074, 0x0190, 0xe900,
+			0x7714, 0x0c39, 0xe804, 0xf074,
+			0x01ad, 0x7714, 0x0cce, 0xf020,
+			0x012e, 0xf074, 0x01ad, 0x7714,
+			0x2117, 0x8184, 0xf074, 0x019f,
+			0xf074, 0x01b4, 0xe834, 0xf074,
+			0xa9ea, 0x7213, 0x2115, 0xf495,
+			0xf495, 0x7093, 0x3fa4, 0x7093,
+			0x3fa5, 0x7093, 0x3fa7, 0x7093,
+			0x3fa6, 0x7093, 0x0cce, 0x7712,
+			0x0ccf, 0x7711, 0x001c, 0x47f8,
+			0x0011, 0xe589, 0x7214, 0x2115,
+			0x7313, 0x2115, 0xf074, 0x0190,
+			0xe900, 0xe822, 0xf074, 0x01ad,
+			0x7714, 0x2117, 0x7714, 0x080c,
+			0x61f8, 0x3fb0, 0x0001, 0xf820,
+			0x0203, 0x7714, 0x0820, 0xf074,
+			0x019f, 0xf074, 0x019f, 0x6b14,
+			0x0002, 0xf074, 0x019f, 0x7714,
+			0x2117, 0x8184, 0xf074, 0x019f,
+			0xf074, 0x01b4, 0x7211, 0x2114,
+			0xf495, 0xf495, 0x6be1, 0x0001,
+			0x0001, 0xfc00,
 		},
 	},
 	{ /* Guard */
diff --git a/src/target/firmware/include/calypso/dsp.h b/src/target/firmware/include/calypso/dsp.h
index e4801cbf..3cba2545 100644
--- a/src/target/firmware/include/calypso/dsp.h
+++ b/src/target/firmware/include/calypso/dsp.h
@@ -32,6 +32,7 @@ void dsp_load_apc_dac(uint16_t apc);
 void dsp_load_tch_param(struct gsm_time *next_time,
                         uint8_t chan_mode, uint8_t chan_type, uint8_t chan_sub,
                         uint8_t tch_loop, uint8_t sync_tch, uint8_t tn);
+void dsp_load_sniff_fn(struct gsm_time *next_time);
 void dsp_load_ciph_param(int mode, uint8_t *key);
 void dsp_end_scenario(void);
 
diff --git a/src/target/firmware/layer1/prim_sniff.c b/src/target/firmware/layer1/prim_sniff.c
index 37dcd32a..3da2f0ed 100644
--- a/src/target/firmware/layer1/prim_sniff.c
+++ b/src/target/firmware/layer1/prim_sniff.c
@@ -236,6 +236,10 @@ l1s_sniff_cmd(uint8_t ul, __unused uint8_t burst_id, __unused uint16_t p3)
 
 	rfch_get_params(&l1s.next_time, &arfcn, &tsc, &tn);
 
+	/* Load the frame number (which is dumped via MCSI and used for
+	 * MCSI/serial synchronization */
+	dsp_load_sniff_fn(&l1s.next_time);
+
 	dsp_load_rx_task(SNIFF_DSP_TASK, 0, tsc);
 
 		/* enable dummy bursts detection */
diff --git a/src/target_dsp/calypso/dsp_sniff.S b/src/target_dsp/calypso/dsp_sniff.S
index 225e2ebb..d9554243 100644
--- a/src/target_dsp/calypso/dsp_sniff.S
+++ b/src/target_dsp/calypso/dsp_sniff.S
@@ -68,7 +68,7 @@ sniff_burst_ptr		.ds	1
 
 	; Variables for MCSI
 mcsi_tmp			.ds	1
-mcsi_cnt			.ds	1
+mcsi_dat			.ds	1
 
 ; ----------------------------------------------------------------------------
 ; The code itself
@@ -181,8 +181,6 @@ mcsi_init:
 			st	#1, *AR1
 			portw	*AR1, MCSI_CONTROL_REG
 
-			call mcsi_clear_status
-
 			; Done
 			ret
 
@@ -196,6 +194,9 @@ mcsi_send_word:
 			stm	#mcsi_tmp, AR1
 			call	mcsi_clear_status
 
+			; perform XOR LRC
+			xor	*AR4, B
+
 			; Write TX word and increase address
 			portw	*AR4+, MCSI_TX0_REG
 
@@ -212,13 +213,10 @@ mcsi_send_word:
 ;
 ; MCSI send burst
 ;
-;  Sends a burst of *AR2 words, beginning at the address of AR4
-;  Parameters: the number of words to send at *AR2, start-address in AR4
+;  Sends a burst of A words, beginning at the address of AR4
+;  Parameters: the number of words to send in A, start-address in AR4
 ;
 mcsi_send_burst:
-			; Load word-count in A
-			ldu	*AR2, A
-
 			; Loop over all words
 1:
 			call	mcsi_send_word
@@ -257,17 +255,29 @@ mcsi_disable:
 ;  done for us. Only real work goes here.
 ;
 burst_handler:
-			; Store address of I/Q data
-			stm	#0x0CCE, AR4
-
 			; Initialize MCSI
 			call	mcsi_init
 
-			; Send the I/Q data over MCSI
-			stm	#mcsi_cnt, AR2
-			stm	#380, *AR2		; 190 samples, 380 words
+			; Initialize B used for XOR LRC
+			ld	#0, B
+
+			; Send magic string, stored in ndb param section
+			stm	#0x0C39, AR4		; d_hole2_param[1]
+			ld	#4, A			; 4 words
+			call	mcsi_send_burst
+
+			; Store address of I/Q data
+			stm	#0x0CCE, AR4
+
+			; Send the NB I/Q data over MCSI
+			ld	#302, A			; 151 samples, 302 words
 			call	mcsi_send_burst
 
+			; Store and send XOR LRC
+			stm	#mcsi_dat, AR4
+			stl	B, *AR4
+			call	mcsi_send_word
+
 			; Disable MCSI
 			call	mcsi_disable
 
@@ -302,11 +312,36 @@ burst_handler:
 			; Initialize MCSI
 			call	mcsi_init
 
+			; Initialize B used for XOR LRC
+			ld	#0, B
+
 			; Send the demodulated burst data over MCSI
-			stm	#mcsi_cnt, AR2
-			stm	#34, *AR2		; 5 + 29 words
+			ld	#34, A			; 5 + 29 words
 			call	mcsi_send_burst
 
+			stm	#mcsi_dat, AR4
+
+			; Store address of a_a5fn[1] @ DSP page 0
+			stm	#0x080C, AR4
+
+			; Check DSP page
+			bitf	*(dsp_page), #1
+			bc	1f, ntc
+
+			; Store address of a_a5fn[1] @ DSP page 1
+			stm	#0x0820, AR4
+1:
+			; Send FN and d_ctrl_system via MCSI (contains the TSC)
+			call	mcsi_send_word		; send a_a5fn[0]
+			call	mcsi_send_word		; send a_a5fn[1]
+			addm	#2, AR4			; AR4 = 0x0810/0x0824
+			call	mcsi_send_word		; send d_ctrl_system
+
+			; Store and send XOR LRC
+			stm	#mcsi_dat, AR4
+			stl	B, *AR4
+			call	mcsi_send_word
+
 			; Disable MCSI
 			call	mcsi_disable
 
-- 
cgit v1.2.3