warehack.ing/birdcage
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Refactor probe tool to generic embedded console scanner, document full G2 command inventory

Browse Source 
Rewrote hidden_menu_probe.py from Winegard-hardcoded to auto-discovering:
detects prompt, error string, and submenu structure from any firmware console.
Extracted Winegard-specific candidate words to scripts/wordlists/winegard.txt.

Deep probe of all 12 G2 submenus discovered commands across A3981 (driver
diagnostics), ADC (RSSI monitoring + position sweep), DVB (extended help via
man, transponder selection), EEPROM (read/write), GPIO (pin R/W), LATLON
(calculator), MOT (azscan, sw), PEAK (EchoStar switch), and STEP (raw
stepper control). NVS submenu generates false positives — treats any input
as sequential index reads.

Safety: added q/Q to default blocklist, bare-CR check before navigate_to_root
to prevent accidental shell termination between submenus.
This commit is contained in:
Ryan Malloy 2026-02-12 21:05:33 -07:00
parent 6b94f079aa
commit 7ff91b08ea
4 changed files with 2702 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

212
CLAUDE.md
View File

@ -53,6 +53,8 @@ Five known Winegard dish variants documented by Gabe Emerson (KL1FI) / saveitfor
| **Prompt char** | `>` (likely) | `>` (likely) | undocumented | undocumented | `TRK>` / `MOT>` / `NVS>` (confirmed) |
| **Position format** | `AZ = / EL =` | `AZ = / EL =` | `AZ = / EL =` | raw ints / 100 | `Angle[0] = / Angle[1] =` |
| **DVB tuner** | unknown | unknown | unknown | unknown | BCM4515 (Broadcom) |
| **MCU** | unknown | unknown | unknown | unknown | NXP MK60DN512VLQ10 (Kinetis K60, Cortex-M4, 96MHz, 512KB flash, 128KB RAM) |
| **Motor driver** | unknown | unknown | unknown | unknown | 2× Allegro A3981 (SPI, 1/16 microstep, AUTO mode) |
### Key Variant Differences
@ -189,45 +191,185 @@ For short cable runs (under ~3m between ESP32 and dish), the built-in 120 ohm te
### Firmware Console Commands
Full command inventory from automated deep probe (firmware 02.02.48, 2026-02-12).
Probed with `scripts/hidden_menu_probe.py --deep --wordlist scripts/wordlists/winegard.txt`.
#### Root Menu (TRK>)
```
? — list available commands
motor / mot — enter motor submenu (firmware-dependent)
a — show position (in motor submenu)
a <id> <deg> — move motor to absolute position
h <id> — home motor to reference position (G2, possibly others)
g <az> <el> — go to AZ/EL (aborts on new input)
q — exit current submenu
odu — tunnel to outdoor unit (Trav'ler Pro only)
os — enter OS submenu
tasks — list running tasks
kill <name> — kill a named task (e.g. "kill Search")
ngsearch — enter search submenu (HAL 2.05 only)
s — stop search
? — list available commands (alias: help)
command — undocumented (accepts input, purpose unknown)
a3981 — enter motor driver submenu
adc — enter ADC submenu
dipswitch — enter dipswitch submenu
dvb — enter DVB tuner submenu
eeprom — enter EEPROM submenu
gpio — enter GPIO submenu
latlon — enter lat/lon calculator submenu
mot — enter motor control submenu
nvs — enter non-volatile storage submenu
d — dump all values (confirmed on Pro and G2)
d <idx> — dump single value with name/current/saved/default
e <idx> — read NVS value
e <idx> <v> — write NVS value
s — save changes
dvb — DVB tuner submenu (BCM4515)
config — hardware/firmware version
dis — display channel parameters (frequency, symbol rate, LNB polarity, etc.)
lnbdc odu — enable LNA in ODU mode (13V = V-pol; boot default 18V = H-pol)
lnbv — stream LNB voltage readings (continuous, interrupt with q)
rssi <n> — RSSI averaged over n samples (bounded, returns avg + cur)
snr — SNR level
agc — stream RF/IF AGC + SNR + NID (continuous, interrupt with q)
ls — lock status
qls — quick lock status
t <n> — select transponder
table — generate transponder table
e <n> <v> — edit channel parameter
freqs — tuner frequency list
di2id — DiSEqC read LNB hardware ID
di2stat — DiSEqC read LNB status flags
send <hex> — raw DiSEqC packet (max 6 bytes, space-delimited hex)
os — enter OS submenu
peak — enter peak/DiSEqC switch submenu
step — enter stepper motor submenu
q — terminate shell (WARNING: kills UART, requires power cycle!)
reboot — reboot firmware
stow — fold dish flat (caution: modified feeds may not survive)
odu — tunnel to outdoor unit (Trav'ler Pro only)
ngsearch — enter search submenu (HAL 2.05 only)
```
#### A3981 Submenu (A3981>) — Allegro Stepper Driver
```
reset — reset Az/El A3981 fault flags
diag — read AZ/EL diagnostic status (OK / fault)
cm — Hi/Lo current control (torque) mode
help / ? — list available commands
q — return to TRK>
```
#### ADC Submenu (ADC>) — Analog-to-Digital Converter
```
m — monitor RSSI (streaming, interrupt with q)
rssi — read RSSI (single-shot, returns raw ADC value)
scan — position sweep with RSSI readings (AZ/EL + lock + SNR)
help / ? — list available commands
q — return to TRK>
```
#### DIPSWITCH Submenu (DIPSWITCH>)
```
dipswitch — read interpreted dipswitch value
help / ? — list available commands
q — return to TRK>
```
#### DVB Submenu (DVB>) — BCM4515 Tuner
```
agc — stream RF/IF AGC + SNR + NID (continuous, interrupt with q)
config — BCM hardware/firmware version
diag — multi-block per-transponder diagnostics
dis — display channel parameters (frequency, symbol rate, LNB polarity)
e <n> <v> — edit channel parameter
freqs — tuner frequency list
h <n> — select transponder by ID (1-13)
help / ? — list available commands (first page)
lnbdc odu — enable LNA in ODU mode (13V = V-pol; boot default 18V = H-pol)
lnbv — stream LNB voltage readings (continuous, interrupt with q)
ls — lock status
man — extended help (srch_mode, stats, t, etc.)
qls — quick lock status
rssi <n> — RSSI averaged over n samples (bounded, returns avg + cur)
snr — SNR level (streaming)
srch_mode — auto search mode (from man page)
stats — satellite read stats (from man page)
t <n> — select transponder
table — generate transponder table
di2id — DiSEqC read LNB hardware ID
di2stat — DiSEqC read LNB status flags
send <hex> — raw DiSEqC packet (max 6 bytes, space-delimited hex)
q — return to TRK>
```
#### EEPROM Submenu (EEPROM>)
```
ee <idx> [<v>] — read/write EEPROM value at index
inv [<idx>] — EEPROM inventory (from help)
def — restore defaults (from help)
help / ? — list available commands
q — return to TRK>
```
#### GPIO Submenu (GPIO>)
```
dir — set GPIO pin direction
r — read GPIO pin (returns e.g. "B0 = 1")
w — write GPIO pin (requires parameters)
help / ? — list available commands
q — return to TRK>
```
#### LATLON Submenu (LATLON>)
```
l — calculate lat/lon position (requires 4 parameters)
help / ? — list available commands
q — return to TRK>
```
#### MOT Submenu (MOT>) — Motor Control
```
a — show position: Angle[0] (AZ), Angle[1] (EL)
a <id> <deg> — move motor to absolute angle (0=AZ, 1=EL)
a <id> +/-deg — relative move (G2 only, undocumented)
azscan — scan AZ from EL min to max (from help, untested)
e — engage motors (energize steppers)
g <az> <el> — go to AZ/EL (aborts on new input)
h <id> — home motor to reference position
l — list motors and state (0=AZIMUTH, 1=ELEVATION)
ma — read max acceleration per motor
p — read raw step positions
r — release motors (de-energize steppers)
sd — stall detection test (motor, direction, timeout)
sw — undocumented (requires parameters)
v — read motor velocities
w — undocumented (requires parameters)
help / ? — list available commands
q — return to TRK>
```
#### NVS Submenu (NVS>) — Non-Volatile Storage
**Caution:** NVS `e <idx> <value>` writes values. Any unrecognized input is treated
as a sequential index read (no error string), which generates false positives during
probing but is harmless. `s` saves pending changes to flash.
```
d — dump all NVS values (name/current/saved/default)
d <idx> — dump single value with details
e <idx> — read NVS value at index
e <idx> <v> — write NVS value at index (NOT saved until `s`)
s — save pending changes to flash
help / ? — list available commands
q — return to TRK>
```
#### OS Submenu (OS>)
```
id — full MCU/firmware identification (NVS version, System ID, chip)
reboot — reboot microcontroller
tasks — list running tasks (HAL 0.0.00 only, not on G2)
kill <name> — kill a named task (HAL 0.0.00 only, not on G2)
help / ? — list available commands
q — return to TRK>
```
#### PEAK Submenu (PEAK>) — Signal Peak / DiSEqC Switch
```
ts — EchoStar switch toggle status
pw — peak signal (from help, details truncated)
help / ? — list available commands
q — return to TRK>
```
#### STEP Submenu (STEP>) — Low-Level Stepper Control
```
e — engage motor (same as MOT `e`)
ma — set/read max acceleration
p — read step positions (raw counts, not degrees)
r — release motor (same as MOT `r`)
v — read velocity (raw, not degrees/sec)
help / ? — list available commands
q — return to TRK>
```
### Known NVS Indices

1436
docs/g2-nvs-dump.md
View File

File diff suppressed because it is too large Load Diff

1043
scripts/hidden_menu_probe.py Normal file
View File

File diff suppressed because it is too large Load Diff

60
scripts/wordlists/winegard.txt Normal file
View File

@ -0,0 +1,60 @@
# Winegard satellite dish firmware - device-specific candidate commands
# Load with: --wordlist scripts/wordlists/winegard.txt
# Dish / antenna
stow
deploy
park
home
search
scan
find
locate
track
point
dish
antenna
ant
feed
# Satellite / signal
sat
satellite
lnb
pol
polarity
rf
signal
snr
ber
rssi
blind
ngsearch
# Units
idu
odu
iru
# GPS / position
gps
nmea
position
pos
loc
gyro
imu
accel
tilt
level
# Motor / motion
motor
drive
move
goto
slew
az
el
sk
skew