Philips_IEEE802.15.4_RF_Dongle_Documentation

eartoaster

General structure

The lspci-name of the dongle already suggests it: we are dealing with a transceiver that in some way adheres to the IEEE 802.15.4 standard. A more detailed analysis of the USB interrupt transfers reveals that the dongle implements the 802.15.4 MAC layer; however, because of the limited vocabulary observed in the communication between the Philips driver and the device, not every 802.15.4 MAC primitive can be documented.

USB Interrupt Output Submission

byte(s)  field
0        length
1        primitive_id
2...     data

length counts the length of primitive_id+data.

Fragmentation

In case data does not fit within the 64 Byte of data allowed in USB interrupt output submissions (indicated simply by length>63), the remaining data is sent in subsequent interrupt output submissions, while only the first carries the length and primitive_id.

USB Interrupt Input Callback

byte(s)  field
0-3      time (big-endian 32-bit)
4        length
5        primitive_id
6...     data

length counts the length of primitive_id+data.

At first I was not sure whether the first 4 bytes contained some kind of index/counter or a real time. However, interpreting them as a big-endian 32-bit number and plotting them against the URB time gathered by usbmon reveals linear behaviour.

Therefore, we are dealing with a timestamp here, with roughly 1.3x10^-8 seconds per tick.

Fragmentation

In case data does not fit within the 64 Byte of data allowed in USB interrupt input callbacks (indicated simply by length>59), the remaining data is received in subsequent interrupt input callbacks, while only the first carries the time, length and primitive_id.
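The two fragmentation rules above (OUT: only the first submission carries length and primitive_id, more follows when length>63; IN: only the first callback carries time, length and primitive_id, more follows when length>59) together with the big-endian timestamp are easy to get wrong when replaying captures, so here is an added example that implements both directions. It is not code from the page or from Philips; the byte layouts are taken from the page, and the sample payloads are constructed for illustration.

```python
# Added example (not the page's or Philips' code): USB interrupt transport
# framing for the dongle as documented above.  Layouts come from the page;
# sample payloads are constructed here for illustration.
import struct
from typing import List, Optional, Tuple

USB_PACKET_SIZE = 64        # bytes per interrupt OUT submission / IN callback
OUT_HEADER = 2              # length + primitive_id
IN_HEADER = 6               # time (4, big-endian) + length + primitive_id
SECONDS_PER_TICK = 1.3e-8   # rough value measured on the page


def build_out_submissions(primitive_id: int, data: bytes) -> List[bytes]:
    """Split one outgoing MAC primitive into interrupt OUT submissions.

    Only the first submission carries the length byte (counting
    primitive_id + data) and the primitive_id; if length > 63 the remaining
    data continues in further submissions of up to 64 bytes.
    """
    length = 1 + len(data)
    if length > 0xFF:
        raise ValueError("primitive too long for the one-byte length field")
    stream = bytes([length, primitive_id]) + data
    return [stream[i:i + USB_PACKET_SIZE]
            for i in range(0, len(stream), USB_PACKET_SIZE)]


def build_in_callbacks(time_ticks: int, primitive_id: int, data: bytes) -> List[bytes]:
    """Model the dongle side: produce the interrupt IN callbacks for one primitive."""
    length = 1 + len(data)
    if length > 0xFF:
        raise ValueError("primitive too long for the one-byte length field")
    stream = struct.pack(">IBB", time_ticks, length, primitive_id) + data
    return [stream[i:i + USB_PACKET_SIZE]
            for i in range(0, len(stream), USB_PACKET_SIZE)]


class InReassembler:
    """Reassemble interrupt IN callbacks (fragmented when length > 59)."""

    def __init__(self) -> None:
        self._time = 0
        self._pid = 0
        self._expected = 0
        self._buf: Optional[bytearray] = None

    def feed(self, packet: bytes) -> Optional[Tuple[int, int, bytes]]:
        """Feed one callback buffer.

        Returns (time_ticks, primitive_id, data) once a primitive is
        complete, otherwise None.  Only the first fragment carries the
        time, length and primitive_id; later fragments are raw data.
        """
        if self._buf is None:
            if len(packet) < IN_HEADER:
                raise ValueError("callback shorter than the 6-byte header")
            self._time, length, self._pid = struct.unpack(">IBB", packet[:IN_HEADER])
            if length < 1:
                raise ValueError("length must at least cover primitive_id")
            self._expected = length - 1          # length counts primitive_id + data
            self._buf = bytearray(packet[IN_HEADER:])
        else:
            self._buf.extend(packet)
        if len(self._buf) < self._expected:
            return None                          # wait for the next fragment
        data = bytes(self._buf[:self._expected])
        self._buf = None
        return self._time, self._pid, data


def ticks_to_seconds(ticks: int) -> float:
    """Convert the 32-bit big-endian timestamp to seconds (approximate)."""
    return ticks * SECONDS_PER_TICK


def roundtrip(time_ticks: int, primitive_id: int, data: bytes) -> Tuple[int, int, bytes]:
    """Fragment a primitive into IN callbacks and reassemble it again."""
    reassembler = InReassembler()
    result = None
    for packet in build_in_callbacks(time_ticks, primitive_id, data):
        result = reassembler.feed(packet)
    assert result is not None
    return result


if __name__ == "__main__":
    # Constructed 100-byte MCPS-DATA.indication body: needs two callbacks.
    print(len(build_in_callbacks(0x1000, 0x42, bytes(100))))       # 2
    print(roundtrip(0x1000, 0x42, bytes(range(100)))[1] == 0x42)   # True
```

The reassembler deliberately trusts only the first fragment's length byte and discards any bytes beyond it, so a callback that arrives longer than announced cannot spill into the next primitive.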

Initialization of the Dongle

  1. Before sending the first MAC primitives as interrupt transfers, there is a long list of [Philips_IEEE802.15.4_RF_Dongle_initialization_usb_control_transfers].
  2. The dongle answers after the last control transfer with MLME_SET.confirm(SUCCESS, macExtendedAddress)
  3. The host sends MLME_RESET.request(0x01)
  4. The host sets up the MAC stack using MLME_SET.request, receiving the corresponding MLME_SET.confirm for each:

    1. MLME_SET.request(macBeaconPayloadLength, 0x0e);
    2. MLME_SET.request(macCoordShortAddress, 0x4a, 0x61);
    3. MLME_SET.request(macPANId, 0xb5, 0x9e);
    4. MLME_SET.request(macShortAddress, 0x4a, 0x61);
    5. MLME_SET.request(macAssociationPermit, 0x01);
    6. MLME_SET.request(macRxOnWhenIdle, 0x01);
    7. MLME_SET.request(macBeaconPayload, 0x50, 0x48, 0x49, 0x4c, 0x49, 0x50, 0x53, 0x56, 0x49, 0x52, 0x54, 0x57, 0x49, 0x4e);

    The payload is the ASCII string "PHILIPS<hostname>", in this case "PHILIPSVIRTWIN", as my virtual Windows box was called "virtwin".

  5. MLME_START.request(0x9eb5,0x19,HG_CHANNELPAGE,HG_STARTTIME,0x0f,0x0f,0x01);

MAC primitives

MLME-RESET.request

byte(s)  field
0        length = 2
1        primitive_id = 0x54
2        SetDefaultPIB (boolean)

MLME-RESET.confirm

byte(s)  field
0-3      time
4        length = 2
5        primitive_id = 0x55
6        status

MLME-SCAN.request

byte(s)  field
0        length = 7
1        primitive_id = 0x58
2        ScanType
3-6      ScanChannels
7        ScanDuration

MLME-SCAN.confirm

Performing ED scan (ScanType 0)

byte(s)  field
0-3      time
4        length
5        primitive_id = 0x59
6        status
7        ScanType
8-11     UnscannedChannels
12       ResultListSize
13       Energy1
14       Energy2
...      further energy values, one byte per channel

MLME-SET.request

byte(s)  field
0        length
1        primitive_id = 0x5b
2        PIBAttribute
3...     PIBAttributeValue

MLME-SET.confirm

byte(s)  field
0-3      time
4        length = 3
5        primitive_id = 0x5c
6        status
7        PIBAttribute

MLME-START.request

PANCoordinator

byte(s)  field
0        length = 6
1        primitive_id = 0x5d
2-3      PANId
4        LogicalChannel
5        BeaconOrder,SuperframeOrder
6        PANCoordinator

StartTime is missing from the frame; this value is ignored anyway if PANCoordinator==TRUE.

MLME-START.confirm

byte(s)  field
0-3      time
4        length = 2
5        primitive_id = 0x5e
6        status

MLME-ASSOCIATE.indication

byte(s)  field
0-3      time
4        length
5        primitive_id = 0x47
6-13     DeviceAddress
14       CapabilityInformation
15       SecurityLevel,KeyIdMode

MLME-ASSOCIATE.response

byte(s)  field
0        length = 13
1        primitive_id = 0x48
2-9      DeviceAddress
10-11    AssocShortAddress
12       status
13       SecurityLevel,KeyIdMode

MLME-ORPHAN.indication

byte(s)  field
0-3      time
4        length = 10
5        primitive_id = 0x52
6-13     OrphanAddress
14       SecurityLevel,KeyIdMode

MLME-ORPHAN.response

byte(s)  field
0        length = 12
1        primitive_id = 0x53
2-9      OrphanAddress
10-11    ShortAddress
12       AssociatedMember

MCPS-DATA.request

byte(s)    field
0          length
1          primitive_id = 0x40
2          SrcAddrMode
3-4        SrcPANId
5-12       SrcAddr
13         DstAddrMode
...        DstPANId
...        DstAddr
...        msduLength
... to -3  msdu
-2         msduHandle
-1         TxOptions

(negative offsets count from the end of the submission)

MCPS-DATA.confirm

0 1 2 3 4 5 6 7
time 3 0x41 msduHandle status

MCPS-DATA.indication

byte(s)    field
0-3        time
4          length
5          primitive_id = 0x42
6          SrcAddrMode
7-8        SrcPANId
9-16       SrcAddr
17         DstAddrMode
...        DstPANId
...        DstAddr
...        msduLength
... to -3  msdu
-2         mpduLinkQuality
-1         SecurityLevel,KeyIdMode

(negative offsets count from the end of the callback)

The DSN appears to be omitted.

MLME-COMM-STATUS.indication

byte(s)  field
0-3      time
4        length
5        primitive_id = 0x5a
6-7      PANId
8        SrcAddrMode = 0x03
9-16     SrcAddr
17       DstAddrMode = 0x03
18-25    DstAddr
26       status
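As an added example covering the fixed-layout primitives above (and step 5 of the initialization sequence), the following encoders and decoders build request frames and check received confirms/indications against their documented lengths before interpreting them. This is not code from the page or from Philips. Multi-byte fields are assumed little-endian, which matches MLME_SET.request(macPANId, 0xb5, 0x9e) for PANId 0x9eb5 in the initialization sequence; the nibble order of BeaconOrder,SuperframeOrder, the byte order of 8-byte addresses and the PIBAttribute byte value used in the sample call are assumptions, since the page does not state them. All sample frames are constructed.

```python
# Added example (not the page's or Philips' code): encoders/decoders for the
# MAC primitive layouts documented above.  Multi-byte fields are assumed
# little-endian (matching PANId 0x9eb5 sent as 0xb5, 0x9e on the page); the
# nibble order of BeaconOrder,SuperframeOrder and the byte order of 8-byte
# addresses are assumptions.  All sample frames are constructed.
import struct
from typing import Any, Dict

# primitive_id values from the page
MLME_RESET_REQ, MLME_RESET_CONF = 0x54, 0x55
MLME_SET_REQ, MLME_SET_CONF = 0x5b, 0x5c
MLME_START_REQ, MLME_START_CONF = 0x5d, 0x5e
MLME_ASSOCIATE_IND, MLME_ASSOCIATE_RESP = 0x47, 0x48
MCPS_DATA_CONF = 0x41

NAMES = {
    MLME_RESET_CONF: "MLME-RESET.confirm", MLME_SET_CONF: "MLME-SET.confirm",
    MLME_START_CONF: "MLME-START.confirm", MCPS_DATA_CONF: "MCPS-DATA.confirm",
    MLME_ASSOCIATE_IND: "MLME-ASSOCIATE.indication",
}
# data bytes each confirm/indication carries (its length byte minus the primitive_id)
FIXED_LEN = {MLME_RESET_CONF: 1, MLME_SET_CONF: 2, MLME_START_CONF: 1,
             MCPS_DATA_CONF: 2, MLME_ASSOCIATE_IND: 10}


def _frame(primitive_id: int, body: bytes) -> bytes:
    """Outgoing frame: length (primitive_id + body), primitive_id, body."""
    return bytes([1 + len(body), primitive_id]) + body


def mlme_reset_request(set_default_pib: bool) -> bytes:
    return _frame(MLME_RESET_REQ, bytes([int(set_default_pib)]))


def mlme_set_request(pib_attribute: int, value: bytes) -> bytes:
    return _frame(MLME_SET_REQ, bytes([pib_attribute]) + value)


def mlme_start_request(pan_id: int, logical_channel: int, beacon_order: int,
                       superframe_order: int, pan_coordinator: bool) -> bytes:
    if not (0 <= beacon_order <= 15 and 0 <= superframe_order <= 15):
        raise ValueError("BeaconOrder and SuperframeOrder are 4-bit values")
    body = struct.pack("<HBBB", pan_id, logical_channel,
                       (beacon_order << 4) | superframe_order,  # assumed nibble order
                       int(pan_coordinator))
    return _frame(MLME_START_REQ, body)


def mlme_associate_response(device_address: int, assoc_short_address: int,
                            status: int, sec_level_key_id_mode: int) -> bytes:
    body = struct.pack("<QHBB", device_address, assoc_short_address,  # assumed byte order
                       status, sec_level_key_id_mode)
    return _frame(MLME_ASSOCIATE_RESP, body)


def decode_received(primitive_id: int, data: bytes) -> Dict[str, Any]:
    """Decode the data part of a received primitive (USB header already removed).

    Lengths are checked against the documented layouts so that a truncated
    or unexpectedly long callback is rejected instead of misparsed.
    """
    if primitive_id not in NAMES:
        raise ValueError(f"undocumented primitive_id 0x{primitive_id:02x}")
    if len(data) != FIXED_LEN[primitive_id]:
        raise ValueError(f"{NAMES[primitive_id]}: expected "
                         f"{FIXED_LEN[primitive_id]} data bytes, got {len(data)}")
    out: Dict[str, Any] = {"primitive": NAMES[primitive_id]}
    if primitive_id in (MLME_RESET_CONF, MLME_START_CONF):
        out["status"] = data[0]
    elif primitive_id == MLME_SET_CONF:
        out["status"], out["PIBAttribute"] = data[0], data[1]
    elif primitive_id == MCPS_DATA_CONF:
        out["msduHandle"], out["status"] = data[0], data[1]
    else:  # MLME-ASSOCIATE.indication
        dev, cap, sec = struct.unpack("<QBB", data)
        out.update(DeviceAddress=dev, CapabilityInformation=cap,
                   SecurityLevelKeyIdMode=sec)
    return out


if __name__ == "__main__":
    # Step 5 of the initialization sequence: PANId 0x9eb5, channel 0x19,
    # BeaconOrder 0x0f, SuperframeOrder 0x0f, PANCoordinator TRUE.
    print(mlme_start_request(0x9eb5, 0x19, 0x0f, 0x0f, True).hex())  # 065db59e19ff01
    # 0x50 as PIBAttribute is an assumed value; the page does not list the ids.
    print(decode_received(MLME_SET_CONF, b"\x00\x50"))
```

The variable-length MCPS-DATA primitives are left out on purpose: their documented offsets after DstAddrMode are not fixed, so a decoder for them needs the address-mode dependent widths that the page does not pin down.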

Related

Wiki: Interpret_the_data_gathered_from_Philips_IEEE802.15.4_RF_Dongle
Wiki: Main_Page
Wiki: Philips_IEEE802.15.4_RF_Dongle_initialization_usb_control_transfers