Difference between revisions of "Protocol decoder:Nrf24l01"
Uwe Hermann (talk | contribs) m |
Uwe Hermann (talk | contribs) m |
||
(2 intermediate revisions by one other user not shown) | |||
Line 7: | Line 7: | ||
| source_code_dir = nrf24l01 | | source_code_dir = nrf24l01 | ||
| image = [[File:NRF24L01_plus_module.jpg|250px]] | | image = [[File:NRF24L01_plus_module.jpg|250px]] | ||
| input = spi | | input = [[Protocol decoder:spi|spi]] | ||
| output = nrf24l01 | | output = nrf24l01 | ||
| probes = — | | probes = — | ||
| optional_probes = — | | optional_probes = — | ||
| options = chip | |||
}} | }} | ||
Line 128: | Line 129: | ||
It's not known if the on-air format of the clones is compatible with the original chips (except for the SE8R01, where it's clear that it doesn't work), the datasheets of the clones don't go into so much detail. The Nordic datasheets describe their "''Enhanced ShockBurst™''" mode and frame format, the Beken datasheets only briefly mention a "''burst mode''". | It's not known if the on-air format of the clones is compatible with the original chips (except for the SE8R01, where it's clear that it doesn't work), the datasheets of the clones don't go into so much detail. The Nordic datasheets describe their "''Enhanced ShockBurst™''" mode and frame format, the Beken datasheets only briefly mention a "''burst mode''". | ||
A | |||
[http://hackaday.com/2015/02/23/nordic-nrf24l01-real-vs-fake/#comment-2474764 comment] | |||
by a Nordic employee under a hackaday.com article titled | |||
[http://hackaday.com/2015/02/23/nordic-nrf24l01-real-vs-fake "Nordic NRF24L01+ - real vs. fake"] | |||
says that some clones interpret a flag different than the original chip, | |||
resulting in problems | |||
(quote: "''When EN_DPL is activated, the NO_ACK bit get reversed in the real nRF-devices. They did such a good job of cloning they cloned the datasheet error into the device!!!''"). | |||
The comment doesn't say which clone is meant, but from the article and the other comments it's most probably the SI24R1. | |||
== Decoder == | == Decoder == | ||
Line 214: | Line 224: | ||
* [http://dmitry.gr/index.php?r=05.Projects&proj=11.%20Bluetooth%20LE%20fakery Faking Bluetooth LE] (using the nRF24L01+ to send Bluetooth LE broadcasts) | * [http://dmitry.gr/index.php?r=05.Projects&proj=11.%20Bluetooth%20LE%20fakery Faking Bluetooth LE] (using the nRF24L01+ to send Bluetooth LE broadcasts) | ||
* [https://www.dropbox.com/sh/kdenpdg60v5hzbd/AAB4uiuU94HJGxOw1jckb4Nqa Mirror of the datasheets] | * [https://www.dropbox.com/sh/kdenpdg60v5hzbd/AAB4uiuU94HJGxOw1jckb4Nqa Mirror of the datasheets] | ||
* [http://zeptobars.ru/en/read/Nordic-NRF24L01P-SI24R1-real-fake-copy Die shots of a real and a fake chip] | |||
[[Category:Protocol decoder]] | [[Category:Protocol decoder]] | ||
[[Category:SPI]] | [[Category:SPI]] |
Latest revision as of 23:02, 2 April 2015
Name | nRF24L01(+) |
---|---|
Description | 2.4GHz transceiver chip |
Status | supported |
License | GPLv2+ |
Source code | decoders/nrf24l01 |
Input | spi |
Output | nrf24l01 |
Probes | — |
Optional probes | — |
Options | chip |
The nrf24l01 protocol decoder supports the protocol spoken by the Nordic Semiconductor nRF24L01 and nRF24L01+ 2.4GHz transceiver chips.
Hardware
Modules with these chips can be purchased fairly inexpensive from various online marketplaces. Most (all?) have an 8-pin header with the following pinout:
Function | Pin | Pin | Function |
---|---|---|---|
GND | 1 | 2 | VCC |
CE | 3 | 4 | CSN |
SCK | 5 | 6 | MOSI |
MISO | 7 | 8 | IRQ |
The chip has two chip select pins, "CE" used to control the standby mode, and "CSN" used for SPI communication.
Protocol
The chip uses the standard SPI protocol and pins (CSN, SCK, MOSI, MISO), with the additional CE (used to control the RX/TX and standby modes) and IRQ (used to inform the SPI master about the completion of a packet reception/transmission) signals. If the number of available pins of the master are scarce, the CE pin can be tied to VCC and the IRQ pin can be left open. Polling over SPI can be used instead.
SPI commands can have variable length, the CSN signal has to stay low during the whole command, and then go high after the last byte. The first byte of a command defines the type of the command, the chip always outputs its internal status register at the beginning. The following bytes are dependent on the command type, can be register values to write into the chip or payload data to send, or empty bytes that are ignored if the command only reads the output of the chip.
Variants and clones of the chip
Nordic Semiconductor |
nRF24L01 | First chip of the family.
Supports data rates of 1 Mbps and 2 Mbps. Some features of the chip (dynamic payload length, suppression of ACK packets) and their corresponding SPI commands have to be enabled using the ACTIVATE+0x73 command before they can be used. |
nRF24L01+ | Drop-in replacement for the nRF24L01 with the following additions:
| |
Beken Corporation |
BK2401 | nRF24L01 clone that only supports a data rate of 1 Mbps.
Contains a second register bank that can be switched to with the ACTIVATE+0x53 command. The registers in this bank have to be written with certain magic values (specified in the datasheet) before the chip can be used. |
BK2421 | Same as the BK2401, but also supports a data rate of 2 Mbps. | |
BK2423 | A clone that supports the three data rates of the nRF24L01+. Also has the second register bank. | |
BK2491 | Another clone that only supports 1 and 2 Mbps. Also has the second register bank. (There is no data sheet available for this chip, but one can find the datasheet of a Wenshing Electronics TRW-24G2 module that contains the chip. When searching online for BK2491 datasheet one does however find various datasheets for other (even completely unrelated) Beken chips because the PDF title of these document is BK2491 Specification; apparently the unreleased datasheet for this chip was used as a template for other datasheets without changing the title.) | |
Hope Microelectronics | RFM70 | A RF module containing a COB. The PDF title of the datasheet says BK2491 Specification. |
RFM73 | A RF module containing a COB. The PDF title of the datasheet says BK2423 Specification. | |
Panchip Microelectronics |
XN297 | nRF24L01 clone: Supports 1 and 2 Mbps data rates and also needs the ACTIVATE+0x73 command.
Contains three additional registers (DEMOD_CAL, RF_CAL, BB_CAL). Found on some toy quadcopters; datasheet is only available in Chinese. |
? | SI24R1 | nRF24L01+ clone: Support three data rates and no ACTIVATE command.
Often advertised as power enhanced or similar because the chip can transmit with 7dBm. The modules containing this chip are often described as "compatible nRF24L01(+)" and many sellers directly link to the nRF24L01(+) datasheets (the SI24R1 datasheet is only available in Chinese). |
Some forum posts name Silicon Labs as the manufacturer, however the datasheet contains no evidence for this, and DN-IC (linked above) seems to be a distributor and not a manufacturer. | ||
Semitek | SE8R01 | Incompatible clone that uses a slightly different on-air format.
Supports 500 kbps (not 250 kbps), 1 and 2 Mbps data rates and also has a second register bank (even though it's not documented in the datasheet, see the blog post linked above). |
NST Techsemic | LT8900 | Modules with this chip are sold as "nRF24L01 compatible" (and even as "BK2423 compatible", showing how popular that clone is), however this compatibility can only refer to the on-air format, because the SPI commands and the registers are totally different, and the chip also supports I²C communication. Therefore, the sigrok nrf24l01 protocol decoder can't decode this chip's protocol. |
LT8901, LT8910 | Datasheets only available in Chinese, these chips look very similar to the LT8900. | |
The homepage of the manufacturer lists a whole range of similar 2.4 GHz chips that may be (on-air) compatible with the nRF24L01(+). |
It's not known if the on-air format of the clones is compatible with the original chips (except for the SE8R01, where it's clear that it doesn't work), the datasheets of the clones don't go into so much detail. The Nordic datasheets describe their "Enhanced ShockBurst™" mode and frame format, the Beken datasheets only briefly mention a "burst mode".
A comment by a Nordic employee under a hackaday.com article titled "Nordic NRF24L01+ - real vs. fake" says that some clones interpret a flag different than the original chip, resulting in problems (quote: "When EN_DPL is activated, the NO_ACK bit get reversed in the real nRF-devices. They did such a good job of cloning they cloned the datasheet error into the device!!!"). The comment doesn't say which clone is meant, but from the article and the other comments it's most probably the SI24R1.
Decoder
The nrf24l01 decoder stacks on top of the SPI decoder and decodes the commands to the chip and the responses of the chip, and also issues warnings for wrong/incomplete commands.
Some decoded commands in PulseView:
sigrok-cli can be used to decode the capture in the following way:
$ sigrok-cli -i sigrok-dumps/spi/nrf24l01/nrf24l01-communication.sr \ -P spi:cs=rpi_CSN:clk=rpi_CLK:mosi=rpi_MOSI:miso=rpi_MISO,nrf24l01 Cmd R_REGISTER "CONFIG" Reg STATUS = "0E" Reg CONFIG = "08" Reg STATUS = "0E" Cmd W_REGISTER: CONFIG = "08" Reg STATUS = "0E" Cmd W_REGISTER: RF_CH = "3E" Reg STATUS = "0E" Cmd W_REGISTER: RX_ADDR_P0 = "376774367E" Reg STATUS = "0E" ... Cmd R_RX_PAYLOAD Reg STATUS = "40" RX payload = "message #0"
It can be seen that the register values are hex encoded, while the payload data is, if possible, represented as ASCII characters.
If only the payload is of interest, the tx-data and rx-data annotation classes can be selected using the -A|--protocol-decoder-annotations option:
$ sigrok-cli -i sigrok-dumps/spi/nrf24l01/nrf24l01-communication.sr \ -P spi:cs=uc_CSN:clk=uc_CLK:mosi=uc_MOSI:miso=uc_MISO,nrf24l01 \ -A nrf24l01=tx-data TX payload = "message #0" TX payload = "message #1" TX payload = "message #2" TX payload = "message #3" TX payload = "message #4" TX payload = "message #5" TX payload = "message #6" TX payload = "message #7" TX payload = "message #8" TX payload = "message #9"
$ sigrok-cli -i sigrok-dumps/spi/nrf24l01/nrf24l01-communication.sr \ -P spi:cs=rpi_CSN:clk=rpi_CLK:mosi=rpi_MOSI:miso=rpi_MISO,nrf24l01 \ -A nrf24l01=rx-data RX payload = "message #0" RX payload = "message #1" RX payload = "message #2" RX payload = "message #3" RX payload = "message #4" RX payload = "message #5"
Warnings issued for erroneous commands:
$ sigrok-cli -i sigrok-dumps/spi/nrf24l01/nrf24l01-test-missing-bytes.sr \ -P spi:cs=CS:clk=CLK:mosi=MOSI:miso=MISO,nrf24l01 Cmd R_REGISTER "CONFIG" Reg STATUS = "00" missing data bytes Cmd W_TX_PAYLOAD_NOACK Reg STATUS = "00" missing data bytes
Resources
- Nordic Semiconductor nRF24L01 (datasheet)
- Nordic Semiconductor nRF24L01+ (datasheet)
- github.com: nrf24l01 (various nRF24L01(+) projects and examples)
- Travis Goodspeed: Promiscuity is the nRF24L01+'s Duty (using the nRF24L01 in a pseudo-promiscous mode)
- Cyber Explorer: Sniffing and decoding NRF24L01+ and Bluetooth LE packets for under $30 (contains information about the modulation used by the nRF24L01)
- Faking Bluetooth LE (using the nRF24L01+ to send Bluetooth LE broadcasts)
- Mirror of the datasheets
- Die shots of a real and a fake chip