SPI Data

Hello everyone,
I’m allowing myself to create this post because I’m new to this field and need a bit of help. I have a Saleae logic analyzer, the 100Ms model, and using the Saleae software, I connected it to the SPI bus (MISO/MOSI/CLK and CS) on a Silicon Labs IC, the SI4463.

My problem is that I can’t see the HEX values that I know are being sent through the SPI bus. The HEX data are 98 C7 36 01, CD 03 D6 61, and DA D7 78 71. All three blocks of data are in different files attached here. The data are in these files, but I don’t understand why the HEX values don’t follow one another, for example, why DA D7 78 71 isn’t grouped in the same block. Instead, they’re all scattered among other data, and I can’t figure out the logic.

I’d like to know if anyone has a bit of time to take a look at these files and tell me if they understand the logic behind how the data are scattered. Or at least let me know if the CLK is configured correctly or if I’m making some mistake in the settings. Thank you very much in advance!

Wang .
Second Sniff CD 03 D6 61.sal (12.5 KB)
CD 03 D6 61.sal (11.6 KB)
98 C7 36 01.sal (11.0 KB)
Second Sniff 98 C7 36 01.sal (11.0 KB)
Second Sniff DA D7 78 71.sal (11.1 KB)
DA D7 78 71.sal (12.2 KB)

First off your sample rate (40 MS/s) is too low. I’d suggest at least 100MS/s. Otherwise your configuration seems to be correct.

It’s not clear that the SPI clock rate is correct. The data sheet suggests the maximum clock rate is 10MHz, but the actual rate seems to be 12MHz.

To help determine what might be going wrong it would help if you told us where in the collected data the data of interest is. You could do that by putting timing markers in your data files so it is easy for us to find your problematic data.


Hello, thank you very much for your response. I apologize for the delay, as I had a terrible flu. I recently purchased a Saleae 8Pro, which helped me capture data at 500ms, but I’m still having trouble understanding how the hex data I’m looking for is organized. If you could help me understand it, I would greatly appreciate it. I’ve uploaded some files here—if anyone has time to assist me, it would mean a lot.
CD.sal (10.7 KB)
Hex value.txt (7.5 KB)
DA.sal (6.6 KB)

To understand the SPI communications, you’ll need to study the datasheet and/or the API documentation from the supplier.

FYI, I found:

So, hopefully one or more of these links will provide the details you need to decode the SPI messages in your capture files. Difficult to provide specific details without knowing more about exactly what you’re trying to decode/debug and what information you might be expecting to find within the SPI data stream.

Finally, you could also create your own High-Level Analyzer in Python based on the datasheet/documentation above to provide a nicer decode of the SPI traffic than just the raw hex data.

Thank you for your reply. Unfortunately, I don’t understand much of the information in the datasheets. Sometimes the hex values are missing, and other times the register values are different. Creating an HLA is even harder. In the past, I tried to contact some people to create an HLA for this, but they asked for 8,000 USD, which is a fortune for me. I need at least to try to understand the power-up function to see the frequency in MHz, as right now I only have the hex values…
PowerUp.sal (59.2 KB)
PowerUp1.sal (69.0 KB)

More details on your project are key:

  • What device has the Si4463 chip, and what silicon revision is it?
    (What is full part #/markings on IC?)
  • What data/info is being communicated?
    (Do you have access to protocol/data on either end of communication channel before/after RF encode/decode?)

Finally, you could use an SDR (software defined radio) to sniff the RF data, but it would help to know more about the RF protocol to ‘tune in’ to the right spot (frequency, modulation, protocol, etc.) You might get this info from end product datasheets and/or FCC registration/test data (if a registered product).

Hi @wangrayanwang

I was a little curious this weekend, so I looked at your PowerUp.sal capture file attached earlier and observed the following:

  • It begins with a command 0x04, which wasn’t documented in the latest documentation
  • At timestamp 23.481 942 890 s there is the POWER_UP (0x02) command:
    • BOOT_OPTIONS set to:
      • PATCH = 1
      • FUNC[5:0] = 0x01 (boot to main application image)
    • XTAL_OPTIONS set to:
      • TCXO = 1
    • XO_FREQ set to 0x018CBA80 = 26,000,000 Hz = 26 MHz
      • XO_FREQ[31:24] = 0x01
      • XO_FREQ[23:16] = 0x8C
      • XO_FREQ[15: 8] = 0xBA
      • XO_FREQ[ 7: 0] = 0x80
  • At timestamp 23.490 515 916 s is the first SET_PROPERTY (0x11) command
    • Several SET_PROPERTY (0x11) commands to configure IC settings
    • See datasheet for details & decoding

Ultimately, you’ll need to study the API documentation (linked previously) to understand all the settings and how to interpret the various commands. Without knowing the silicon device markings and more about the devices communicating, it isn’t practical to try to decipher everything from the SPI hex data alone.

Also, depending on your actual use case – it might be easier to decode at the RF protocol level, rather than trying to decode at the IC SPI communication level (if you know the details about the RF protocol). This assumes that the data is unencrypted and uses a standard RF modulation scheme. Otherwise, you’ll have a lot more effort to figure out the encryption & demodulation scheme, etc.

Anyway, just wanted to share my findings as a possible ‘hint’ to help you out.
Good luck!
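The POWER_UP decode walked through in the post above, as an added Python example that is not part of the original thread. The bit positions of PATCH and TCXO and the SET_PROPERTY field order are assumptions based on the Si446x API layout; the SET_PROPERTY sample bytes are constructed.

```python
# Added example: decode Si446x command frames. One frame = the MOSI bytes of
# one SPI transaction (CS low to CS high).
CMD_POWER_UP = 0x02
CMD_SET_PROPERTY = 0x11

# Rebuilt from the field values listed in the post above.
POWER_UP_FRAME = bytes.fromhex("02 81 01 01 8C BA 80")
# Constructed sample, not taken from the capture.
SET_PROPERTY_FRAME = bytes.fromhex("11 20 02 00 AA BB")


def decode_power_up(frame: bytes) -> dict:
    """CMD, BOOT_OPTIONS, XTAL_OPTIONS, then XO_FREQ as 4 bytes, MSB first."""
    if len(frame) < 7:
        raise ValueError("POWER_UP frame is truncated")
    boot, xtal = frame[1], frame[2]
    return {
        "cmd": "POWER_UP",
        "patch": bool(boot & 0x80),  # assumption: PATCH is bit 7
        "func": boot & 0x3F,         # FUNC[5:0]
        "tcxo": bool(xtal & 0x01),   # assumption: TCXO is bit 0
        "xo_freq_hz": int.from_bytes(frame[3:7], "big"),
    }


def decode_set_property(frame: bytes) -> dict:
    """Assumed layout: CMD, GROUP, NUM_PROPS, START_PROP, DATA..."""
    if len(frame) < 5:
        raise ValueError("SET_PROPERTY frame is truncated")
    group, num_props, start = frame[1], frame[2], frame[3]
    data = frame[4:]
    if len(data) != num_props:
        raise ValueError("NUM_PROPS does not match the payload length")
    # Map each property index in the group to the byte written to it.
    return {"cmd": "SET_PROPERTY", "group": group,
            "props": {start + i: value for i, value in enumerate(data)}}


def decode_frame(frame: bytes) -> dict:
    """Dispatch on the command byte; unknown commands are kept as raw hex."""
    if not frame:
        raise ValueError("empty frame")
    if frame[0] == CMD_POWER_UP:
        return decode_power_up(frame)
    if frame[0] == CMD_SET_PROPERTY:
        return decode_set_property(frame)
    return {"cmd": f"0x{frame[0]:02X}", "raw": frame.hex(" ")}
```

Feeding each chip-select-framed MOSI transaction from the analyzer export to `decode_frame` gives one decoded command per transaction; commands such as the undocumented 0x04 come back as raw hex.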

Hello, thank you very much for your help. The AN633 document: Si446x Programming Guide and Sample Codes Rev 0.1 PDF really helped me; I couldn’t find it before. Now I understand more, but even so, it’s too complex for me. I’ll try to find someone to hire to solve the problem. Thank you very much, it was really helpful.

Hi @wangrayanwang

I am curious about exactly what problem you are trying to solve. Your original post talked about hex data you expected to see in the SPI capture, but never explained the bigger picture of what you are doing. It looks like the Si446x is an RF chip that can encode/decode a lot of things, so its behavior really depends on the end use case(s).

Basic questions, like:

  • How do you ‘know’ this hex data is supposed to be on SPI bus? What is it?
  • What device has the Si446x chip?
  • Is this device monitoring communication between other devices, or one of the actual communication endpoints?
  • What are the other device(s) communicating?
    • What is the RF communication protocol being used between devices?
  • What is your end goal with this project?
    • Monitor/log/decode other communication?
    • Develop an endpoint device (receive only?)
    • or … ?

Even with a full Si446x HLA, you may not be able to answer your original question (“where is my expected hex data”) without understanding the details above. For example, data that is transcoded into Manchester encoding scheme at the RF/physical layer may have different hex values than the original binary/hex data being sent at an application layer.

For example, see: bitbench (explore how hex data can be recoded in some coding schemes).

Good luck!

Hi,

What I am trying to create is a sniffer, a device that intercepts the radio communication between two devices and displays the hex values on a serial monitor. This would greatly facilitate debugging for devices using the Si4463 radio chip.

How do I "know" that these hex data should be on the SPI bus? What do they represent?
    Since the hex values are printed on the transceiver.
What device uses the Si446x chip?
    It's a home automation gateway that measures the temperature of outdoor plants, etc.
Does this device monitor communication between other devices, or is it one of the communication endpoints?
    The system includes 3 transmitters and 1 receiver, which records and stores the received data.
What do the other devices communicate?
    They all communicate via radio.
What RF communication protocol is used between the devices?
    2 FSK.

Technical Details and Steps:

Current Configuration:
I have a transmitter using a FG32 radio chip from Silicon Labs to send radio messages to a receiver using the Si4463 chip.

What I have done so far:
To create a sniffer that intercepts the communications between the transmitter and receiver, I need certain parameters (registers and their configuration) to replicate the radio settings. For this, I used a Saleae logic analyzer to intercept the data sent and received between the FG32 and Si4463 over the SPI bus to the microcontroller. I connected to the SPI bus, powered the receiver, and recorded all commands.

What needs to be done now:
    Extract all the commands, check them in the datasheet, and identify only the necessary registers, such as: the frequency used (I know it's 868 MHz), modulation (I suspect it's 2FSK), synchronization (sync word), and other essential parameters.

Write code that uses these registers and configures a Si4463 Breakout module (e.g., Si4463 Breakout) connected to an Arduino (or similar) to intercept and display the data sent from the transmitter to the receiver.

Current Issue:
The transmitted and received data seems to be encrypted, but I don’t need to decrypt it – I just want to visualize the communication. Currently, I use a logic analyzer to see the communication, but it is extremely difficult to connect to the SPI bus because the Si4463 is a 4x4 mm radio module and there are no other contact points besides its pins. A sniffer would help me enormously to intercept and debug communications in real time.

Functional Example:
I already have a CC1101 module connected to an Arduino, which does exactly what I described above: it intercepts the "over-the-air" communication between two devices using CC1101 and displays the necessary information on the serial monitor. I would like the same thing for Si4463.

Final Objective:

I need to decode the SPI communication to create a sniffer based on the Si4463 registers, then develop code that can be used with a Si4463 Breakout (or something similar) connected to an Arduino or an equivalent device. This should display the communication between the two devices on the serial monitor.

Do you have the brand & model # for this system? Is it still being sold online? Is it registered with an FCC ID? You can often get FCC reports on RF used through FCC test reports, or find other people that have reverse engineered protocols/technical details of a given system or sensors.

Does this setup already work with the same RF system described above? Do you have the source code for the Arduino / CC1101 interface and config? Having this reference can help match how the Si4463 is set up for doing the same thing as the CC1101. It should also have all the details on RF protocol, modulation scheme, and data packets/encoding of application data as well as any encryption (if used).

Thus, I think you could set up the Si4463 directly from ‘copying’ how the CC1101 is configured, if it (the CC1101) can already do exactly what you want with the home automation gateway & RF sensors.