Tuesday, January 12, 2010

KillerBee on a budget

At ToorCon 11, Joshua Wright handed out a pre-release version of his KillerBee framework, a set of tools for analysis of 802.15.4 and ZigBee wireless networks.

KillerBee requires a particular hardware device, Atmel's AVR RZUSBSTICK, an inexpensive USB dongle with a programmable microcontroller. Many of the KillerBee functions require custom firmware (written by Joshua) to be flashed onto the stick. While most Atmel products feature In-System Programming (ISP), which can be done with a low-cost programming device, the RZUSBSTICK unfortunately only provides a JTAG header for programming, and the JTAG debugger/programmer costs about $300.

The good news is that ISP can be used to program the RZUSBSTICK. The bad news is that it requires some tricky soldering to get it working. With a little guidance from those who have gone before me and SparkFun's excellent surface mount soldering tutorials under my belt, I was able to attach a 10-pin ISP header to my RZUSBSTICK and successfully flash it with the KillerBee firmware.

There are two kinds of AVR ISP headers, a 6-pin and a 10-pin version. I chose the 10-pin variety because my programmer has a 10-pin connector, but a simple adapter can allow you to use either. Both varieties use the same 6 signals: GND, VCC, RESET, SCK, MISO, and MOSI. I connected them with colored wire (28 or 30 AWG wirewrap wire) as follows:

signal  color   header pin  source
GND     black   4,6,8,10    JTAG header pin 2
VCC     red     2           JTAG header pin 4
RESET   white   5           JTAG header pin 6
SCK     purple  7           AT90USB1287 pin 11
MISO    brown   9           AT90USB1287 pin 13
MOSI    orange  1           AT86RF230 pin 22

I ran all six wires through the unused holes of the (unpopulated) JTAG header in order to provide some strain relief. Those connections to the individual chip pins are fragile! From there I ran them across the back of the board to a 10-pin header glued to the end of the stick.

My serial programmer works great when connected to an on-board serial port on an old PC, but its bit-banging technique is incredibly slow (about 3 bits per second) and unreliable when connected to a USB/serial adapter. I believe that trying to use it via USB was the cause of death of an ATtiny85 while working on a previous project. Anyway, with a good serial port, AVRDUDE does a fine job programming the RZUSBSTICK over ISP:

avrdude -c ponyser -p usb1287 -P /dev/ttyS0 -U flash:w:kb-rzusbstick1.hex
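
A pre-flight check for the firmware file handed to avrdude above, as an added example that is not part of the original post or of KillerBee: it verifies every record checksum, confirms the image fits the AT90USB1287's 128 KB flash, and returns a SHA-256 to compare against a digest from a source you trust. It assumes the .hex file is in Intel HEX format; the function names and the sample records are constructed for illustration.

```python
import hashlib

FLASH_SIZE = 128 * 1024  # AT90USB1287 flash size in bytes
# Constructed sample: 4 bytes at 0x0000, 2 bytes at 0x10000, then EOF.
SAMPLE = ":040000000C94340028\n:020000040001F9\n:02000000FFCF30\n:00000001FF\n"

def parse_ihex(text, flash_size=FLASH_SIZE):
    """Parse Intel HEX text into {address: byte}; raise ValueError on any defect."""
    image, base, seen_eof = {}, 0, False
    for n, line in enumerate(text.split(), 1):  # n counts non-blank records
        if seen_eof:
            raise ValueError(f"record {n}: data after EOF record")
        if not line.startswith(":"):
            raise ValueError(f"record {n}: missing ':' start code")
        try:
            rec = bytes.fromhex(line[1:])
        except ValueError:
            raise ValueError(f"record {n}: not hexadecimal") from None
        if len(rec) < 5 or len(rec) != rec[0] + 5:
            raise ValueError(f"record {n}: length field does not match record")
        if sum(rec) & 0xFF:  # all bytes incl. checksum must sum to 0 mod 256
            raise ValueError(f"record {n}: bad checksum")
        offset, rtype, data = int.from_bytes(rec[1:3], "big"), rec[3], rec[4:-1]
        if rtype == 0x00:  # data record
            for i, byte in enumerate(data):
                addr = base + offset + i
                if addr >= flash_size:
                    raise ValueError(f"record {n}: 0x{addr:X} is outside flash")
                if addr in image:
                    raise ValueError(f"record {n}: 0x{addr:X} written twice")
                image[addr] = byte
        elif rtype == 0x01:  # end of file
            seen_eof = True
        elif rtype in (0x02, 0x04) and len(data) == 2:
            # extended segment (<<4) or extended linear (<<16) base address
            base = int.from_bytes(data, "big") << (4 if rtype == 0x02 else 16)
        elif rtype not in (0x03, 0x05):  # start-address records carry no flash data
            raise ValueError(f"record {n}: unsupported record type {rtype:#04x}")
    if not seen_eof:
        raise ValueError("no EOF record: file is truncated")
    return image

def image_digest(image):
    """SHA-256 of the flat image from address 0, gaps filled with 0xFF (erased flash)."""
    flat = bytearray(b"\xff" * (max(image, default=-1) + 1))
    for addr, byte in image.items():
        flat[addr] = byte
    return hashlib.sha256(flat).hexdigest()
```
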

Now to find some target devices. . .


Shadyman said...

Hey :)

The BusPirate just got added to the list of hardware usable by OpenOCD, the open source jtag flashing program. It should be possible for pretty much anyone to flash JTAG now :)

See also: http://michaldemin.wordpress.com/2010/02/27/how-to-buspirate-and-openocd/

Joby Taffey said...

The BusPirate supports OpenOCD, yes. But OpenOCD doesn't support the AVR. So, no.

Adam86 said...

Is it possible to program these devices using a parallel cable?

Lance2010 said...

Good work, I'd soldered the JTAG and now I need the hex file to program the rzusbstick. Can you please help me out?

Anonymous said...

avrdude currently supports the BusPirate and can be used to flash the chip.

wicker said...

Extremely helpful. thanks much :)

Anonymous said...

Thank you, my rzusbstick is accessible again, it works... I used my JTAG MKII with 10 pin ISP adapter

Anonymous said...

Thank you!!!

Daniel Badowski said...

Easier places to solder:
The stick in the post has a sticker but mine didn't. Under the sticker in the pictures, by the AT86RF230 you'll find 3 vias in a straight line. They are the SCLK, MOSI, and MISO signals. Scrape the solder mask off and it should be a lot easier to solder to than the QFN pads.

ralf said...

Thank you!
But you should not use the pictures. On my RZUSB the JTAG header is different.
To determine where pin 1 is, look for pin 57 (TCK) on the AT90USB1287 and follow the wire (under the solder mask) to the JTAG header. This is pin 1.

arun said...

I soldered pins and connected to my USBasp and it shows error as

avrdude: warning: cannot set sck period. please check for usbasp firmware update.
avrdude: error: program enable: target doesn't answer. 1
avrdude: initialization failed, rc=-1
Double check connections and try again, or use -F to override
this check.

avrdude done. Thank you.

Help me