Difference between revisions of "Protocol decoder:Nrf24l01"

From sigrok
Line 197: Line 197:
* [http://blog.cyberexplorer.me/2014/01/sniffing-and-decoding-nrf24l01-and.html Cyber Explorer: Sniffing and decoding NRF24L01+ and Bluetooth LE packets for under $30] (contains information about the modulation used by the nRF24L01)
* [http://blog.cyberexplorer.me/2014/01/sniffing-and-decoding-nrf24l01-and.html Cyber Explorer: Sniffing and decoding NRF24L01+ and Bluetooth LE packets for under $30] (contains information about the modulation used by the nRF24L01)
* [http://dmitry.gr/index.php?r=05.Projects&proj=11.%20Bluetooth%20LE%20fakery Faking Bluetooth LE] (using the nRF24L01+ to send Bluetooth LE broadcasts)
* [http://dmitry.gr/index.php?r=05.Projects&proj=11.%20Bluetooth%20LE%20fakery Faking Bluetooth LE] (using the nRF24L01+ to send Bluetooth LE broadcasts)
* [https://www.dropbox.com/sh/kdenpdg60v5hzbd/AAB4uiuU94HJGxOw1jckb4Nqa Mirror of the datasheets]


[[Category:Protocol decoder]]
[[Category:Protocol decoder]]
[[Category:SPI]]
[[Category:SPI]]
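Review bot: the added "Mirror of the datasheets" entry (the Dropbox link after the "Faking Bluetooth LE" item) is the only resource in this list without a parenthetical saying what it contains; name the chips whose datasheets are in the folder so readers know what they are opening. A shared-folder URL is also opaque and can change or disappear, so consider attaching the files to the wiki itself or linking the vendors' own pages alongside it.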

Revision as of 06:54, 13 February 2015

nrf24l01
Name nRF24L01(+)
Description 2.4GHz transceiver chip
Status supported
License GPLv2+
Source code decoders/nrf24l01
Input spi
Output nrf24l01
Probes
Optional probes

The nrf24l01 protocol decoder supports the protocol spoken by the Nordic Semiconductor nRF24L01 and nRF24L01+ 2.4GHz transceiver chips.

Hardware

Modules with these chips can be purchased fairly inexpensively from various online marketplaces. Most (all?) have an 8-pin header with the following pinout:

Function Pin Pin Function
GND 1 2 VCC
CE 3 4 CSN
SCK 5 6 MOSI
MISO 7 8 IRQ

The chip has two chip select pins, "CE" used to control the standby mode, and "CSN" used for SPI communication.

Protocol

The chip uses the standard SPI protocol and pins (CSN, SCK, MOSI, MISO), with the additional CE (used to control the RX/TX and standby modes) and IRQ (used to inform the SPI master about the completion of a packet reception/transmission) signals. If pins on the master are scarce, the CE pin can be tied to VCC and the IRQ pin can be left open; polling over SPI can be used instead.

SPI commands can have variable length: the CSN signal has to stay low during the whole command and then go high after the last byte. The first byte of a command defines the type of the command, and the chip always outputs its internal status register at the beginning. The following bytes depend on the command type: they can be register values to write into the chip, payload data to send, or empty bytes that are ignored if the command only reads the output of the chip.

Variants and Clones of the Chip

Nordic Semiconductor:

  nRF24L01: First chip of the family. Supports data rates of 1 Mbps and 2 Mbps. Some features of the chip (dynamic payload length, suppression of ACK packets) and their corresponding SPI commands have to be enabled using the ACTIVATE+0x73 command before they can be used.

  nRF24L01+: Drop-in replacement for the nRF24L01 with the following additions:
  • In addition to the 1 and 2 Mbps data rates, the chip also supports 250 kbps, with a higher sensitivity than at the other data rates.
  • No need to ACTIVATE certain features.

Beken Corporation:

  BK2401: nRF24L01 clone that only supports a data rate of 1 Mbps. Contains a second register bank that can be switched to with the ACTIVATE+0x53 command. The registers in this bank have to be written with certain magic values (specified in the datasheet) before the chip can be used.

  BK2421: Same as the BK2401, but also supports a data rate of 2 Mbps.

  BK2423: A clone that supports the three data rates of the nRF24L01+. Also has the second register bank.

  BK2491: Another clone that only supports 1 and 2 Mbps. Also has the second register bank. (There is no datasheet available for this chip, but one can find the datasheet of a Wenshing Electronics TRW-24G2 module that contains the chip. Searching online for "BK2491 datasheet" does, however, turn up various datasheets for other (even completely unrelated) Beken chips, because the PDF title of these documents is "BK2491 Specification"; apparently the unreleased datasheet for this chip was used as a template for other datasheets without changing the title.)

Hope Microelectronics:

  RFM70: An RF module containing a COB. The PDF title says "BK2491 Specification".

  RFM73: An RF module containing a COB. The PDF title says "BK2423 Specification".

Panchip Microelectronics:

  XN297: nRF24L01 clone. Supports 1 and 2 Mbps data rates and also needs the ACTIVATE+0x73 command. Contains three additional registers (DEMOD_CAL, RF_CAL, BB_CAL). Found on some toy quadcopters; the datasheet is only available in Chinese.

SI Semiconductors:

  SI24R1: nRF24L01+ clone. Supports three data rates and needs no ACTIVATE command. Often advertised as "power enhanced" or similar because the chip can transmit with 7dBm. The modules containing this chip are often described as "compatible nRF24L01(+)" and many sellers directly link to the nRF24L01(+) datasheets (the SI24R1 datasheet is only available in Chinese).

It's not known whether the on-air format of the clones is compatible with the original chips, as the datasheets of the clones don't go into that much detail. The Nordic datasheets describe their "Enhanced ShockBurst™" mode and frame format, while the Beken datasheets only briefly mention a "burst mode".

Decoder

The nrf24l01 decoder stacks on top of the SPI decoder and decodes the commands to the chip and the responses of the chip, and also issues warnings for wrong/incomplete commands.

Some decoded commands in PulseView:

sigrok-cli can be used to decode the capture in the following way:

$ sigrok-cli -i sigrok-dumps/spi/nrf24l01/nrf24l01-communication.sr \
             -P spi:cs=rpi_CSN:clk=rpi_CLK:mosi=rpi_MOSI:miso=rpi_MISO,nrf24l01
Cmd R_REGISTER "CONFIG"
Reg STATUS = "0E"
Reg CONFIG = "08"
Reg STATUS = "0E"
Cmd W_REGISTER: CONFIG = "08"
Reg STATUS = "0E"
Cmd W_REGISTER: RF_CH = "3E"
Reg STATUS = "0E"
Cmd W_REGISTER: RX_ADDR_P0 = "376774367E"
Reg STATUS = "0E"
...
Cmd R_RX_PAYLOAD
Reg STATUS = "40"
RX payload = "message #0"

It can be seen that the register values are hex encoded, while the payload data is, if possible, represented as ASCII characters.

If only the payload is of interest, the tx-data and rx-data annotation classes can be selected using the -A|--protocol-decoder-annotations option:

$ sigrok-cli -i sigrok-dumps/spi/nrf24l01/nrf24l01-communication.sr \
             -P spi:cs=uc_CSN:clk=uc_CLK:mosi=uc_MOSI:miso=uc_MISO,nrf24l01 \
             -A nrf24l01=tx-data
TX payload = "message #0"
TX payload = "message #1"
TX payload = "message #2"
TX payload = "message #3"
TX payload = "message #4"
TX payload = "message #5"
TX payload = "message #6"
TX payload = "message #7"
TX payload = "message #8"
TX payload = "message #9"
$ sigrok-cli -i sigrok-dumps/spi/nrf24l01/nrf24l01-communication.sr \
             -P spi:cs=rpi_CSN:clk=rpi_CLK:mosi=rpi_MOSI:miso=rpi_MISO,nrf24l01 \
             -A nrf24l01=rx-data
RX payload = "message #0"
RX payload = "message #1"
RX payload = "message #2"
RX payload = "message #3"
RX payload = "message #4"
RX payload = "message #5"

Warnings issued for erroneous commands:

$ sigrok-cli -i sigrok-dumps/spi/nrf24l01/nrf24l01-test-missing-bytes.sr \
             -P spi:cs=CS:clk=CLK:mosi=MOSI:miso=MISO,nrf24l01
Cmd R_REGISTER "CONFIG"
Reg STATUS = "00"
missing data bytes
Cmd W_TX_PAYLOAD_NOACK
Reg STATUS = "00"
missing data bytes
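
The command structure described under "Protocol" and the "missing data bytes" warning shown above can be reproduced with a small stand-alone decoder. This is an added example, not the sigrok decoder's source: the names decode_command, REGS, PAYLOAD_CMDS and FRAMES are this example's own, the opcodes and register addresses are taken from the Nordic nRF24L01(+) datasheet, and the sample frames are constructed.

```python
# Added example, not the sigrok decoder's source. Opcodes and register
# addresses follow the Nordic nRF24L01(+) datasheet; only a subset is listed.
REGS = {0x00: ("CONFIG", 1), 0x05: ("RF_CH", 1), 0x07: ("STATUS", 1),
        0x0A: ("RX_ADDR_P0", 5), 0x10: ("TX_ADDR", 5)}   # address: (name, width)
PAYLOAD_CMDS = {0x61: ("R_RX_PAYLOAD", "RX", "miso"),
                0xA0: ("W_TX_PAYLOAD", "TX", "mosi"),
                0xB0: ("W_TX_PAYLOAD_NOACK", "TX", "mosi")}

def hexstr(data):
    return bytes(data).hex().upper()

def payload_text(data):
    """Printable ASCII where possible, hex otherwise."""
    if all(0x20 <= b < 0x7F for b in data):
        return bytes(data).decode("ascii")
    return hexstr(data)

def decode_command(mosi, miso):
    """Decode one command: the bytes clocked on MOSI/MISO while CSN was low."""
    if not mosi or len(mosi) != len(miso):
        raise ValueError("need equal, non-empty MOSI and MISO byte lists")
    op = mosi[0]
    status = 'Reg STATUS = "%02X"' % miso[0]    # STATUS is shifted out during byte 0
    if op < 0x40:                               # 000AAAAA = read, 001AAAAA = write
        name, width = REGS.get(op & 0x1F, ("0x%02X" % (op & 0x1F), 1))
        write = bool(op & 0x20)
        data = (mosi if write else miso)[1:1 + width]
        if len(data) < width:                   # CSN went high too early
            kind = "W_REGISTER" if write else "R_REGISTER"
            return ['Cmd %s "%s"' % (kind, name), status, "missing data bytes"]
        if write:
            return ['Cmd W_REGISTER: %s = "%s"' % (name, hexstr(data)), status]
        return ['Cmd R_REGISTER "%s"' % name, status,
                'Reg %s = "%s"' % (name, hexstr(data))]
    if op in PAYLOAD_CMDS:
        name, direction, line = PAYLOAD_CMDS[op]
        data = (mosi if line == "mosi" else miso)[1:]
        if not data:
            return ["Cmd " + name, status, "missing data bytes"]
        return ["Cmd " + name, status,
                '%s payload = "%s"' % (direction, payload_text(data))]
    return ["Cmd 0x%02X (opcode not in this example's table)" % op, status]

# Constructed sample frames (MOSI, MISO); not taken from the sigrok dump files.
FRAMES = [([0x00, 0x00], [0x0E, 0x08]),                        # read CONFIG
          ([0x2A] + [0xE7] * 5, [0x0E] * 6),                   # write RX_ADDR_P0
          ([0x61] + [0] * 10, [0x40] + list(b"message #0")),   # read RX payload
          ([0xB0], [0x00])]                                    # truncated command
if __name__ == "__main__":
    for mosi, miso in FRAMES:
        print("\n".join(decode_command(mosi, miso)))
```

Register values are printed in the order the bytes appear on the wire, and the order of the returned lines is this example's choice rather than the decoder's annotation order.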

Resources