Difference between revisions of "Protocol decoder:Nrf24l01"

From sigrok
(19 intermediate revisions by 2 users not shown)
Line 3: Line 3:
| name            = nRF24L01(+)
| name            = nRF24L01(+)
| description    = 2.4GHz transceiver chip
| description    = 2.4GHz transceiver chip
| status          = <span style="background-color: lime">supported</span>
| status          = supported
| license        = GPLv2+
| license        = GPLv2+
| source_code_dir = nrf24l01
| source_code_dir = nrf24l01
| image          = [[File:NRF24L01_plus_module.jpg|250px]]
| image          = [[File:NRF24L01_plus_module.jpg|250px]]
| input          = spi
| input          = [[Protocol decoder:spi|spi]]
| output          = nrf24l01
| output          = nrf24l01
| probes          = &mdash;
| probes          = &mdash;
| optional_probes = &mdash;
| optional_probes = &mdash;
| options        = chip
}}
}}


The '''nrf24l01''' protocol decoder supports the protocol spoken by the Nordic Semiconductor
The '''nrf24l01''' protocol decoder supports the protocol spoken by the Nordic Semiconductor [http://www.nordicsemi.com/eng/Products/2.4GHz-RF/nRF24L01 nRF24L01] and [http://www.nordicsemi.com/eng/Products/2.4GHz-RF/nRF24L01P nRF24L01+] 2.4GHz transceiver chips.
[http://www.nordicsemi.com/eng/Products/2.4GHz-RF/nRF24L01   nRF24L01] and
[http://www.nordicsemi.com/eng/Products/2.4GHz-RF/nRF24L01P nRF24L01+] 2.4GHz transceiver chips.


== Hardware ==
== Hardware ==


Modules with these chips can be purchased fairly inexpensive from various online marketplaces.
Modules with these chips can be purchased fairly inexpensive from various online marketplaces. Most (all?) have an 8-pin header with the following pinout:
Most (all?) use the following pinout:
 
{| border="0" style="font-size: smaller" class="alternategrey sigroktable"
{| border="0" style="font-size: smaller; text-align: center" class="alternategrey sigroktable"
|-
  ! Function
  ! Pin
  ! style="border-left:2px solid gray" | Pin
  ! Function
|-
  | GND
  | 1
  | style="border-left:2px solid gray" | 2
  | VCC
|-
  | CE
  | 3
  | style="border-left:2px solid gray" | 4
  | CSN
|-
  | SCK
  | 5
  | style="border-left:2px solid gray" | 6
  | MOSI
|-
|-
!Pin
  | MISO
!Function
  | 7
  | style="border-left:2px solid gray" | 8
  | IRQ
|}
 
The chip has two chip select pins, "CE" used to control the standby mode, and "CSN" used for SPI communication.
 
== Protocol ==
 
The chip uses the standard SPI protocol and pins (CSN, SCK, MOSI, MISO), with the additional CE (used to control the RX/TX and standby modes) and IRQ (used to inform the SPI master about the completion of a packet reception/transmission) signals. If the number of available pins of the master are scarce, the CE pin can be tied to VCC and the IRQ pin can be left open. Polling over SPI can be used instead.
 
SPI commands can have variable length, the CSN signal has to stay low during the whole command, and then go high after the last byte. The first byte of a command defines the type of the command, the chip always outputs its internal status register at the beginning. The following bytes are dependent on the command type, can be register values to write into the chip or payload data to send, or empty bytes that are ignored if the command only reads the output of the chip.


== Variants and clones of the chip ==
{| class="wikitable"
| rowspan="2" style="text-align: center" | Nordic<br>Semiconductor
|nRF24L01
|First chip of the family.
Supports data rates of 1 Mbps and 2 Mbps.
Some features of the chip
(dynamic payload length, suppression of ACK packets)
and their corresponding SPI commands have to be enabled using the
<tt>ACTIVATE</tt>+0x73 command before they can be used.
|-
|nRF24L01+
|Drop-in replacement for the nRF24L01 with the following additions:
* In addition to the 1 and 2 Mbps data rates, the chip also supports 250 kbps with a higher sensitivity as for the other data rates.
* No need to <tt>ACTIVATE</tt> certain features.
|-
| rowspan="4" style="text-align: center" | Beken<br>Corporation
| BK2401
| nRF24L01 clone that only supports a data rate of 1 Mbps.
Contains a second register bank that can be switched to with the <tt>ACTIVATE</tt>+0x53 command.
The registers in this bank have to be written with certain magic values
(specified in the datasheet)
before the chip can be used.
|-
| BK2421
| Same as the BK2401, but also supports a data rate of 2 Mbps.
|-
|-
| 1
| BK2423
| GND
| A clone that supports the three data rates of the nRF24L01+. Also has the second register bank.
 
|-
| BK2491
| Another clone that only supports 1 and 2 Mbps. Also has the second register bank.<br>
(There is no data sheet available for this chip, but one can find the datasheet of a ''Wenshing Electronics TRW-24G2'' module that contains the chip. When searching online for ''BK2491 datasheet'' one does however find various datasheets for other (even completely unrelated) Beken chips because the PDF title of these document is ''BK2491 Specification''; apparently the unreleased datasheet for this chip was used as a template for other datasheets without changing the title.)
|-
| rowspan="2" style="text-align: center" | Hope Microelectronics
| RFM70
| A RF module containing a COB. The PDF title of the datasheet says ''BK2491 Specification''.
|-
| RFM73
| A RF module containing a COB. The PDF title of the datasheet says ''BK2423 Specification''.
|-
|-
| 2  
| style="text-align: center" | Panchip<br>Microelectronics
| VCC
| [http://www.panchip.com/en/products_show.aspx?cid=63&id=333 XN297]
 
| nRF24L01 clone: Supports 1 and 2 Mbps data rates and also needs the <tt>ACTIVATE+0x73</tt> command.
Contains three additional registers (<tt>DEMOD_CAL</tt>, <tt>RF_CAL</tt>, <tt>BB_CAL</tt>).
Found on some [http://www.deviationtx.com/forum/protocol-development/3213-moontop-m9911-with-panchip-xn297 toy quadcopters];
datasheet is only available in Chinese.
|-
|-
| 3
| rowspan="2" style="text-align: center" | ?
| CE
| [http://www.dn-ic.com/ic_2/Nordic/SI24R1.html SI24R1]
 
| nRF24L01+ clone: Support three data rates and no <tt>ACTIVATE</tt> command.
Often advertised as ''power enhanced'' or similar because the chip can [https://github.com/solarkennedy/equail/tree/master/Libraries/RF24 transmit with 7dBm].
The modules containing this chip are often described as "''compatible nRF24L01(+)''" and many sellers directly link to the nRF24L01(+) datasheets (the SI24R1 datasheet is only available in Chinese).
|-
|-
| 4
| colspan="2" | Some forum posts name Silicon Labs as the manufacturer, however the datasheet contains no evidence for this, and DN-IC (linked above) seems to be a distributor and not a manufacturer.
| CSN
 
|-
|-
| 5
| style="text-align: center" | Semitek
| SCK
| SE8R01
 
| Incompatible clone that uses a [http://nerdralph.blogspot.co.at/2014/11/se8r01-24ghz-wireless-modules.html slightly different on-air format].
Supports 500 kbps (not 250 kbps), 1 and 2 Mbps data rates and also has a second register bank (even though it's not documented in the datasheet, see the blog post linked above).
|-
|-
| 6
| rowspan="3" style="text-align: center; border-top:2px solid gray" | NST Techsemic
| MOSI
| style="border-top:2px solid gray" | LT8900
 
| style="border-top:2px solid gray" | Modules with this chip are sold as "''nRF24L01 compatible''" (and even as "''BK2423 compatible''", showing how popular that clone is), however this compatibility can only refer to the on-air format, because the SPI commands and the registers are totally different, and the chip also supports I²C communication. Therefore, the sigrok '''nrf24l01''' protocol decoder can't decode this chip's protocol.
|-
|-
| 7
| LT8901, LT8910
| MISO
| Datasheets only available in Chinese, these chips look very similar to the LT8900.
 
|-
|-
| 8
| colspan="2" | The homepage of the manufacturer lists a [http://www.nst-ic.com/en/products.aspx?cateId=12 whole range] of similar 2.4 GHz chips that may be (on-air) compatible with the nRF24L01(+).
| IRQ
|}
|}


The chip has two chip select pins,
It's not known if the on-air format of the clones is compatible with the original chips (except for the SE8R01, where it's clear that it doesn't work), the datasheets of the clones don't go into so much detail. The Nordic datasheets describe their "''Enhanced ShockBurst™''" mode and frame format, the Beken datasheets only briefly mention a "''burst mode''".
"CE" used to control the standby mode,
and "CSN" used for SPI communication.


== Protocol ==
A
[http://hackaday.com/2015/02/23/nordic-nrf24l01-real-vs-fake/#comment-2474764 comment]
by a Nordic employee under a hackaday.com article titled
[http://hackaday.com/2015/02/23/nordic-nrf24l01-real-vs-fake "Nordic NRF24L01+ - real vs. fake"]
says that some clones interpret a flag different than the original chip,
resulting in problems
(quote: "''When EN_DPL is activated, the NO_ACK bit get reversed in the real nRF-devices. They did such a good job of cloning they cloned the datasheet error into the device!!!''").
The comment doesn't say which clone is meant, but from the article and the other comments it's most probably the SI24R1.


The chip uses the standard SPI protocol and pins (CSN, SCK, MOSI, MISO), with the additional CE (used to control the RX/TX and standby modes) and IRQ (used to inform the SPI master about the completion of a packet reception/transmission) signals. If the number of available pins of the master are scare, the CE pin can be tied to VCC and the IRQ ping can be left open, instead of it polling over SPI can be used.
== Decoder ==


SPI commands can have variable length, the CSN signal has to stay low during the whole command, and then go high after the last byte. The first byte of a command defines the type of the command, the chip always outputs its internal status register at the beginning. The following bytes are dependent on the command type, can be register values to write into the chip or payload data to send, or empty bytes that are ignored if the command only reads the output of the chip.
The <tt>nrf24l01</tt> decoder stacks on top of the [[Protocol decoder:spi|SPI decoder]] and decodes the commands to the chip and the responses of the chip, and also issues warnings for wrong/incomplete commands.


== Decoder ==
Some decoded commands in [[PulseView]]:


The <tt>nrf24l01</tt> decoder stacks on top of the SPI decoder and decodes the commands to the chip and the responses of the chip, and also issues warnings for wrong/incomplete commands.
<gallery>
<gallery>
File:NRF24L01 PD write register.png|<small>Decoded "Write Register" command.</small>
File:NRF24L01 PD write register.png|<small>Decoded "Write Register" command.</small>
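Review bot: The new Hardware sentence 'The chip has two chip select pins, "CE" used to control the standby mode, and "CSN" used for SPI communication' calls CE a chip select, while the Protocol paragraph in the same revision describes CE as the signal that controls the RX/TX and standby modes and lists only CSN among the SPI pins. Suggest wording the Hardware sentence so that CE is described by what it controls and only CSN is called the SPI chip select, so the two sections agree. The SI24R1 and SE8R01 rows of the new clone table also say "linked above"; a direct link in each cell would survive later reordering of the rows.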
Line 77: Line 150:
File:NRF24L01 PD rx payload.png|<small>The payload on the receiver side.</small>
File:NRF24L01 PD rx payload.png|<small>The payload on the receiver side.</small>
</gallery>
</gallery>
[[sigrok-cli]] can be used to decode the capture in the following way:
<small>
$ '''sigrok-cli -i sigrok-dumps/spi/nrf24l01/nrf24l01-communication.sr \'''
              '''-P spi:cs=rpi_CSN:clk=rpi_CLK:mosi=rpi_MOSI:miso=rpi_MISO,nrf24l01'''
Cmd R_REGISTER "CONFIG"
Reg STATUS = "0E"
Reg CONFIG = "08"
Reg STATUS = "0E"
Cmd W_REGISTER: CONFIG = "08"
Reg STATUS = "0E"
Cmd W_REGISTER: RF_CH = "3E"
Reg STATUS = "0E"
Cmd W_REGISTER: RX_ADDR_P0 = "376774367E"
Reg STATUS = "0E"
...
Cmd R_RX_PAYLOAD
Reg STATUS = "40"
RX payload = "message #0"
</small>
It can be seen that the register values are hex encoded, while the payload data is, if possible, represented as ASCII characters.
If only the payload is of interest, the '''<tt>tx-data</tt>''' and '''<tt>rx-data</tt>''' annotation classes can be selected using the '''<tt>-A|--protocol-decoder-annotations</tt>''' option:
<small>
$ '''sigrok-cli -i sigrok-dumps/spi/nrf24l01/nrf24l01-communication.sr \'''
              '''-P spi:cs=uc_CSN:clk=uc_CLK:mosi=uc_MOSI:miso=uc_MISO,nrf24l01 \'''
              '''-A nrf24l01=tx-data'''
TX payload = "message #0"
TX payload = "message #1"
TX payload = "message #2"
TX payload = "message #3"
TX payload = "message #4"
TX payload = "message #5"
TX payload = "message #6"
TX payload = "message #7"
TX payload = "message #8"
TX payload = "message #9"
$ '''sigrok-cli -i sigrok-dumps/spi/nrf24l01/nrf24l01-communication.sr \'''
              '''-P spi:cs=rpi_CSN:clk=rpi_CLK:mosi=rpi_MOSI:miso=rpi_MISO,nrf24l01 \'''
              '''-A nrf24l01=rx-data'''
RX payload = "message #0"
RX payload = "message #1"
RX payload = "message #2"
RX payload = "message #3"
RX payload = "message #4"
RX payload = "message #5"
</small>
Warnings issued for erroneous commands:
<small>
$ '''sigrok-cli -i sigrok-dumps/spi/nrf24l01/nrf24l01-test-missing-bytes.sr \'''
              '''-P spi:cs=CS:clk=CLK:mosi=MOSI:miso=MISO,nrf24l01'''
Cmd R_REGISTER "CONFIG"
Reg STATUS = "00"
missing data bytes
Cmd W_TX_PAYLOAD_NOACK
Reg STATUS = "00"
missing data bytes
</small>
== Resources ==
* [http://www.nordicsemi.com/eng/Products/2.4GHz-RF/nRF24L01 Nordic Semiconductor nRF24L01] ([http://www.nordicsemi.com/eng/nordic/download_resource/8041/1/64576247 datasheet])
* [http://www.nordicsemi.com/eng/Products/2.4GHz-RF/nRF24L01P/ Nordic Semiconductor nRF24L01+] ([http://www.nordicsemi.com/eng/nordic/download_resource/8765/2/88509159 datasheet])
* [https://github.com/search?q=nrf24l01&type=Repositories github.com: nrf24l01] (various nRF24L01(+) projects and examples)
* [http://travisgoodspeed.blogspot.co.at/2011/02/promiscuity-is-nrf24l01s-duty.html Travis Goodspeed: Promiscuity is the nRF24L01+'s Duty] (using the nRF24L01 in a pseudo-promiscous mode)
* [http://blog.cyberexplorer.me/2014/01/sniffing-and-decoding-nrf24l01-and.html Cyber Explorer: Sniffing and decoding NRF24L01+ and Bluetooth LE packets for under $30] (contains information about the modulation used by the nRF24L01)
* [http://dmitry.gr/index.php?r=05.Projects&proj=11.%20Bluetooth%20LE%20fakery Faking Bluetooth LE] (using the nRF24L01+ to send Bluetooth LE broadcasts)
* [https://www.dropbox.com/sh/kdenpdg60v5hzbd/AAB4uiuU94HJGxOw1jckb4Nqa Mirror of the datasheets]
* [http://zeptobars.ru/en/read/Nordic-NRF24L01P-SI24R1-real-fake-copy Die shots of a real and a fake chip]


[[Category:Protocol decoder]]
[[Category:Protocol decoder]]
[[Category:SPI]]
[[Category:SPI]]
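Review bot: The added sigrok-cli examples map the SPI decoder to the rpi_* channels for the full decode and the rx-data run, and to the uc_* channels for the tx-data run, but the text never explains why one capture file has two channel sets or which prefix belongs to the transmitter. One sentence before the first listing saying what each prefix is connected to would make the three invocations readable on their own. The tx-data listing also shows ten payloads ("message #0" to "message #9") while the rx-data listing shows six ("message #0" to "message #5") without comment; say whether that difference is expected in this capture.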

Latest revision as of 23:02, 2 April 2015

nrf24l01
Name nRF24L01(+)
Description 2.4GHz transceiver chip
Status supported
License GPLv2+
Source code decoders/nrf24l01
Input spi
Output nrf24l01
Probes
Optional probes
Options chip

The nrf24l01 protocol decoder supports the protocol spoken by the Nordic Semiconductor nRF24L01 and nRF24L01+ 2.4GHz transceiver chips.

Hardware

Modules with these chips can be purchased fairly inexpensively from various online marketplaces. Most (all?) have an 8-pin header with the following pinout:

Function Pin Pin Function
GND 1 2 VCC
CE 3 4 CSN
SCK 5 6 MOSI
MISO 7 8 IRQ

The chip has two chip select pins, "CE" used to control the standby mode, and "CSN" used for SPI communication.

Protocol

The chip uses the standard SPI protocol and pins (CSN, SCK, MOSI, MISO), plus the additional CE signal (used to control the RX/TX and standby modes) and the IRQ signal (used to inform the SPI master about the completion of a packet reception/transmission). If the master has few pins available, the CE pin can be tied to VCC and the IRQ pin can be left open; polling over SPI can be used instead.

SPI commands have variable length: the CSN signal has to stay low during the whole command and go high after the last byte. The first byte of a command defines the type of the command, and the chip always outputs its internal status register at the beginning. The following bytes depend on the command type: they can be register values to write into the chip, payload data to send, or empty bytes that are ignored if the command only reads the output of the chip.

Variants and clones of the chip

Nordic Semiconductor
  • nRF24L01: First chip of the family. Supports data rates of 1 Mbps and 2 Mbps. Some features of the chip (dynamic payload length, suppression of ACK packets) and their corresponding SPI commands have to be enabled using the ACTIVATE+0x73 command before they can be used.
  • nRF24L01+: Drop-in replacement for the nRF24L01 with the following additions: in addition to the 1 and 2 Mbps data rates, the chip also supports 250 kbps, with a higher sensitivity than at the other data rates; and there is no need to ACTIVATE certain features.

Beken Corporation
  • BK2401: nRF24L01 clone that only supports a data rate of 1 Mbps. Contains a second register bank that can be switched to with the ACTIVATE+0x53 command. The registers in this bank have to be written with certain magic values (specified in the datasheet) before the chip can be used.
  • BK2421: Same as the BK2401, but also supports a data rate of 2 Mbps.
  • BK2423: A clone that supports the three data rates of the nRF24L01+. Also has the second register bank.
  • BK2491: Another clone that only supports 1 and 2 Mbps. Also has the second register bank. (There is no datasheet available for this chip, but one can find the datasheet of a Wenshing Electronics TRW-24G2 module that contains the chip. Searching online for "BK2491 datasheet" does however turn up various datasheets for other, even completely unrelated, Beken chips, because the PDF title of these documents is "BK2491 Specification"; apparently the unreleased datasheet for this chip was used as a template for other datasheets without changing the title.)

Hope Microelectronics
  • RFM70: An RF module containing a COB. The PDF title of the datasheet says "BK2491 Specification".
  • RFM73: An RF module containing a COB. The PDF title of the datasheet says "BK2423 Specification".

Panchip Microelectronics
  • XN297: nRF24L01 clone. Supports 1 and 2 Mbps data rates and also needs the ACTIVATE+0x73 command. Contains three additional registers (DEMOD_CAL, RF_CAL, BB_CAL). Found on some toy quadcopters; the datasheet is only available in Chinese.

? (manufacturer unclear)
  • SI24R1: nRF24L01+ clone. Supports three data rates and needs no ACTIVATE command. Often advertised as "power enhanced" or similar because the chip can transmit with 7dBm. The modules containing this chip are often described as "compatible nRF24L01(+)" and many sellers directly link to the nRF24L01(+) datasheets (the SI24R1 datasheet is only available in Chinese).
  • Some forum posts name Silicon Labs as the manufacturer; however, the datasheet contains no evidence for this, and DN-IC (linked above) seems to be a distributor and not a manufacturer.

Semitek
  • SE8R01: Incompatible clone that uses a slightly different on-air format. Supports 500 kbps (not 250 kbps), 1 and 2 Mbps data rates and also has a second register bank (even though it's not documented in the datasheet, see the blog post linked above).

NST Techsemic
  • LT8900: Modules with this chip are sold as "nRF24L01 compatible" (and even as "BK2423 compatible", showing how popular that clone is). However, this compatibility can only refer to the on-air format, because the SPI commands and the registers are totally different, and the chip also supports I²C communication. Therefore, the sigrok nrf24l01 protocol decoder can't decode this chip's protocol.
  • LT8901, LT8910: Datasheets are only available in Chinese; these chips look very similar to the LT8900.
  • The homepage of the manufacturer lists a whole range of similar 2.4 GHz chips that may be (on-air) compatible with the nRF24L01(+).

It's not known if the on-air format of the clones is compatible with the original chips (except for the SE8R01, where it's clear that it doesn't work); the datasheets of the clones don't go into that much detail. The Nordic datasheets describe their "Enhanced ShockBurst™" mode and frame format, while the Beken datasheets only briefly mention a "burst mode".

A comment by a Nordic employee under a hackaday.com article titled "Nordic NRF24L01+ - real vs. fake" says that some clones interpret a flag differently from the original chip, resulting in problems (quote: "When EN_DPL is activated, the NO_ACK bit get reversed in the real nRF-devices. They did such a good job of cloning they cloned the datasheet error into the device!!!"). The comment doesn't say which clone is meant, but from the article and the other comments it's most probably the SI24R1.

Decoder

The nrf24l01 decoder stacks on top of the SPI decoder and decodes the commands to the chip and the responses of the chip, and also issues warnings for wrong/incomplete commands.

Some decoded commands in PulseView:

sigrok-cli can be used to decode the capture in the following way:

$ sigrok-cli -i sigrok-dumps/spi/nrf24l01/nrf24l01-communication.sr \
             -P spi:cs=rpi_CSN:clk=rpi_CLK:mosi=rpi_MOSI:miso=rpi_MISO,nrf24l01
Cmd R_REGISTER "CONFIG"
Reg STATUS = "0E"
Reg CONFIG = "08"
Reg STATUS = "0E"
Cmd W_REGISTER: CONFIG = "08"
Reg STATUS = "0E"
Cmd W_REGISTER: RF_CH = "3E"
Reg STATUS = "0E"
Cmd W_REGISTER: RX_ADDR_P0 = "376774367E"
Reg STATUS = "0E"
...
Cmd R_RX_PAYLOAD
Reg STATUS = "40"
RX payload = "message #0"

It can be seen that the register values are hex encoded, while the payload data is, if possible, represented as ASCII characters.

If only the payload is of interest, the tx-data and rx-data annotation classes can be selected using the -A|--protocol-decoder-annotations option:

$ sigrok-cli -i sigrok-dumps/spi/nrf24l01/nrf24l01-communication.sr \
             -P spi:cs=uc_CSN:clk=uc_CLK:mosi=uc_MOSI:miso=uc_MISO,nrf24l01 \
             -A nrf24l01=tx-data
TX payload = "message #0"
TX payload = "message #1"
TX payload = "message #2"
TX payload = "message #3"
TX payload = "message #4"
TX payload = "message #5"
TX payload = "message #6"
TX payload = "message #7"
TX payload = "message #8"
TX payload = "message #9"
$ sigrok-cli -i sigrok-dumps/spi/nrf24l01/nrf24l01-communication.sr \
             -P spi:cs=rpi_CSN:clk=rpi_CLK:mosi=rpi_MOSI:miso=rpi_MISO,nrf24l01 \
             -A nrf24l01=rx-data
RX payload = "message #0"
RX payload = "message #1"
RX payload = "message #2"
RX payload = "message #3"
RX payload = "message #4"
RX payload = "message #5"

Warnings issued for erroneous commands:

$ sigrok-cli -i sigrok-dumps/spi/nrf24l01/nrf24l01-test-missing-bytes.sr \
             -P spi:cs=CS:clk=CLK:mosi=MOSI:miso=MISO,nrf24l01
Cmd R_REGISTER "CONFIG"
Reg STATUS = "00"
missing data bytes
Cmd W_TX_PAYLOAD_NOACK
Reg STATUS = "00"
missing data bytes
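
The command framing described in the Protocol section and the "missing data bytes" warnings in the listing above, as an added example (not the sigrok decoder's code and not part of the original page): a small Python decoder for the bytes exchanged during one CSN-low transaction. Opcodes and register addresses follow the Nordic datasheet; the function names, the fixed 5-byte address width, the annotation strings not shown in the listings and the sample bytes are assumptions or constructed.

```python
# Added example, not the sigrok decoder. Opcodes and register addresses are
# from the Nordic nRF24L01(+) datasheet; all names below are illustrative.
REGS = {  # address: (name, width in bytes); 5-byte address width assumed
    0x00: ("CONFIG", 1), 0x01: ("EN_AA", 1), 0x02: ("EN_RXADDR", 1),
    0x03: ("SETUP_AW", 1), 0x04: ("SETUP_RETR", 1), 0x05: ("RF_CH", 1),
    0x06: ("RF_SETUP", 1), 0x07: ("STATUS", 1), 0x08: ("OBSERVE_TX", 1),
    0x0A: ("RX_ADDR_P0", 5), 0x0B: ("RX_ADDR_P1", 5), 0x10: ("TX_ADDR", 5),
    0x17: ("FIFO_STATUS", 1), 0x1C: ("DYNPD", 1), 0x1D: ("FEATURE", 1),
}
CMDS = {  # opcode: (name, line carrying the data, min bytes, max bytes)
    0x61: ("R_RX_PAYLOAD", "miso", 1, 32),
    0xA0: ("W_TX_PAYLOAD", "mosi", 1, 32),
    0xA8: ("W_ACK_PAYLOAD", "mosi", 1, 32),  # low 3 bits select the pipe
    0xB0: ("W_TX_PAYLOAD_NOACK", "mosi", 1, 32),
    0x60: ("R_RX_PL_WID", "miso", 1, 1),
    0x50: ("ACTIVATE", "mosi", 1, 1),
    0xE1: ("FLUSH_TX", None, 0, 0), 0xE2: ("FLUSH_RX", None, 0, 0),
    0xE3: ("REUSE_TX_PL", None, 0, 0), 0xFF: ("NOP", None, 0, 0),
}

def show(data, ascii_ok=False):
    """Hex for register values; ASCII for payloads that are fully printable."""
    if ascii_ok and all(0x20 <= b <= 0x7E for b in data):
        return data.decode("ascii")
    return data.hex().upper()

def decode(mosi, miso):
    """Decode the bytes exchanged while CSN was low for one command."""
    if not mosi or len(mosi) != len(miso):
        return ["malformed transaction"]
    op = mosi[0]
    status = f'Reg STATUS = "{miso[0]:02X}"'  # chip sends STATUS during byte 0
    if op < 0x40:  # 000AAAAA = R_REGISTER, 001AAAAA = W_REGISTER
        cmd = "W_REGISTER" if op & 0x20 else "R_REGISTER"
        name, width = REGS.get(op & 0x1F, (f"0x{op & 0x1F:02X}", 1))
        data = (mosi if op & 0x20 else miso)[1:1 + width]
        if len(data) < width:  # CSN went high before the value was clocked
            return [f'Cmd {cmd} "{name}"', status, "missing data bytes"]
        if op & 0x20:
            return [f'Cmd {cmd}: {name} = "{show(data)}"', status]
        return [f'Cmd {cmd} "{name}"', status, f'Reg {name} = "{show(data)}"']
    key = 0xA8 if (op & 0xF8) == 0xA8 else op
    if key not in CMDS:
        return [f"unknown command 0x{op:02X}", status]
    name, line, lo, hi = CMDS[key]
    out = [f"Cmd {name}", status]
    if line is None:  # command consists of the opcode byte only
        return out
    data = (mosi if line == "mosi" else miso)[1:1 + hi]
    if len(data) < lo:
        return out + ["missing data bytes"]
    if hi == 32:  # payload commands: show text when printable
        side = "RX" if line == "miso" else "TX"
        return out + [f'{side} payload = "{show(data, ascii_ok=True)}"']
    return out + [f'{name} data = "{show(data)}"']

# Constructed (MOSI, MISO) byte pairs modelled on the listings above.
SAMPLES = [
    (bytes.fromhex("0000"), bytes.fromhex("0E08")),
    (bytes.fromhex("2A376774367E"), bytes.fromhex("0E0000000000")),
    (b"\x61" + bytes(10), b"\x40message #0"),
    (b"\xB0", b"\x00"),  # command byte only: truncated transfer
]

if __name__ == "__main__":
    for mosi, miso in SAMPLES:
        print("\n".join(decode(mosi, miso)))
```

Address registers are treated as 5 bytes wide here; on a link configured with a shorter address width (SETUP_AW), a correct 3- or 4-byte write would be reported as missing data bytes.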

Resources