diff --git a/CLAUDE.md b/CLAUDE.md index 2458d06..e167bd6 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -68,7 +68,7 @@ Five known Winegard dish variants documented by Gabe Emerson (KL1FI) / saveitfor - **Carryout G2 is RS-422 full-duplex:** Separate TX/RX pairs at 115200 baud via RJ-12 6P6C, vs. RS-485 half-duplex at 57600 on the Trav'ler variants. Tested with DSD TECH SH-U11 USB-to-RS422 adapter (FTDI FT232R). **Polarity matters** — A/B (or +/-) labeling is not standardized; if you get garbled data at the correct baud rate, swap the +/- wires on the RX pair. TX pair polarity swap causes the dish to not receive commands (silent failure). - **Carryout G2 position format differs from Trav'ler:** Position query `a` in `MOT>` submenu returns `Angle[0] = 180.00` / `Angle[1] = 45.00` — not the `AZ = / EL =` format used by HAL 0.0.00 and HAL 2.05. Move confirmation returns `Angle = 46.00` (no array index). `CarryoutG2Protocol.get_position()` uses `Angle\[0\]`/`Angle\[1\]` regex. Motor overshoot is direction-dependent: +0.01–0.05° in travel direction, -0.02–0.06° on return (stepper backlash). - **Carryout G2 firmware version 02.02.48** confirmed (Copyright 2013 - Winegard Company). Bootloader version 1.01. MCU: Kinetis (NXP ARM Cortex-M). DVB tuner: BCM4515 (Broadcom). -- **Carryout G2 boot sequence:** Bootloader → SPI init → Motor init (System=12Inch, master=40000 steps, slave=24960 steps, ratio=1.602564) → DVB tuner init (BCM4515) → NVS load → EL home (stall detect, 2s timeout) → AZ home (stall detect, 8s timeout) → `Antenna Facing Front` → `TRK>` prompt (if tracker disabled) or search start. +- **Carryout G2 boot sequence:** Bootloader v1.01 → SPI1 init @ 4 MHz (A3981 motor drivers, mode 0x03) → Motor init (System=12Inch, master=40000 steps, slave=24960 steps, ratio=1.602564) → SPI2 init @ 6.857 MHz (BCM4515 DVB tuner, mode 0x03) → `EXTENDED_DVB_DEBUG ENABLED` → DVB init (AP RAM FW verified, BCM4515 ID 0x4515 Rev B0, FW v113.37, strap 0x25018) → auto-search config (blind scan, 18000-24000 ksps, rolloff 0.35) → `Enabled LNB STB` → `Ant ID - 12-IN G2` → NVS load → EL home (stall detect, 2s timeout) → AZ home (stall detect, 8s timeout) → `Antenna Facing Front` → `TRK>` prompt (if tracker disabled) or search start. When NVS 20 = TRUE (tracker disabled), homing is skipped entirely — motors stay uncalibrated and AZ position reads as INT_MAX (2147483647). - **Carryout G2 cable wrap:** Confirmed from homing output: `wrap_min:-42333 wrap_max:2333` (centidegrees). Total range ~446.66°. - **Carryout G2 has `h ` homing:** Explicit motor home-to-reference command. Not documented on other variants. - **Carryout G2 has DVB/RSSI:** BCM4515 tuner (ID 0x4515, Rev B0, firmware v113.37). DVB submenu provides `rssi ` (bounded, returns `Reads: RSSI[avg: cur: ]`), `agc` (streaming RF/IF AGC + SNR + NID), `snr`, `lnbdc odu` (enable LNA 13V), `lnbv` (streaming voltage monitor), `dis` (channel params), `config` (hardware ID), `table` (transponder scan), and DiSEqC 2.x commands (`di2*`, `send`). RSSI noise floor is ~500. `lnbdc odu` sets 13V (V-pol); boot default is 18V (H-pol). Streaming commands run until interrupted by `q` or another command. @@ -191,14 +191,15 @@ For short cable runs (under ~3m between ESP32 and dish), the built-in 120 ohm te ### Firmware Console Commands -Full command inventory from automated deep probe (firmware 02.02.48, 2026-02-12). -Probed with `scripts/hidden_menu_probe.py --deep --wordlist scripts/wordlists/winegard.txt`. +Full command inventory from automated deep probe + interactive `?` exploration +(firmware 02.02.48, 2026-02-12). Automated probe finds commands that respond +without arguments; interactive `?` in each submenu reveals the full set including +parameter-requiring commands the probe misses. #### Root Menu (TRK>) ``` ? — list available commands (alias: help) -command — undocumented (accepts input, purpose unknown) a3981 — enter motor driver submenu adc — enter ADC submenu dipswitch — enter dipswitch submenu @@ -218,110 +219,177 @@ odu — tunnel to outdoor unit (Trav'ler Pro only) ngsearch — enter search submenu (HAL 2.05 only) ``` +Note: `command` appeared in automated probe results — this is a false positive. +The help parser extracted it from the `help []` usage text, where +`` is a parameter placeholder, not an actual command. + #### A3981 Submenu (A3981>) — Allegro Stepper Driver +6 commands. Controls the two A3981 stepper motor driver ICs via SPI. + ``` -reset — reset Az/El A3981 fault flags -diag — read AZ/EL diagnostic status (OK / fault) -cm — Hi/Lo current control (torque) mode -help / ? — list available commands -q — return to TRK> +cm — current control mode: AZ/EL both report "AUTO" or "HiZ"/"LoZ" +diag — fault pin status: "AZ DIAG: OK EL DIAG: OK" (or FAULT) +reset — reset AZ/EL A3981 fault flags +sm — step size mode: AZ/EL both report "AUTO" or fixed mode +ss — step size: returns integer (FULL=16, HALF=8, QTR=4, EIGHTH=2, SIXTEENTH=1) +st — torque level: AZ/EL report "HIGH" (moving) or "LOW" (idle/holding) +? / q — help / return to TRK> ``` #### ADC Submenu (ADC>) — Analog-to-Digital Converter +5 commands. Hardware-level ADC readings from the LNB signal chain and board ID. + ``` -m — monitor RSSI (streaming, interrupt with q) -rssi — read RSSI (single-shot, returns raw ADC value) -scan — position sweep with RSSI readings (AZ/EL + lock + SNR) -help / ? — list available commands -q — return to TRK> +bdid — board identity: returns "STATIONARY" (Carryout G2 variant) +bdrevid — board revision: returns "A" +m — monitor RSSI (streaming, CR-overwrite line, interrupt with q) +rssi — single-shot RSSI (raw ADC count, ~233-238 noise floor) +scan — AZ sweep with per-position RSSI/Lock/SNR readings + Output: "Motor: Angle: RSSI: Lock:<0/1> SNR: Scan Delta:" + WARNING: without arguments on uncalibrated AZ, targets INT_MAX (2147483647) + and DEADLOCKS the shell — requires power cycle to recover! +? / q — help / return to TRK> ``` #### DIPSWITCH Submenu (DIPSWITCH>) +1 command. Reads physical DIP switch GPIOs and interprets satellite config code. + ``` -dipswitch — read interpreted dipswitch value -help / ? — list available commands -q — return to TRK> +dipswitch — read dipswitch: "val:" (raw GPIO) + "app_dipswitch:" (interpreted) + val:ffffff01 = all switches OFF/up. app_dipswitch:101 = DISH 110+119+129°W +? / q — help / return to TRK> ``` #### DVB Submenu (DVB>) — BCM4515 Tuner +38 commands. Controls the Broadcom BCM4515 DVB-S2 tuner and DiSEqC 2.x LNB interface. +Help is paginated: `?` shows first page, `man` shows extended commands. + ``` agc — stream RF/IF AGC + SNR + NID (continuous, interrupt with q) -config — BCM hardware/firmware version +config — BCM hardware/firmware version (ID 0x4515, Rev B0, FW v113.37) +def — restore DVB defaults diag — multi-block per-transponder diagnostics dis — display channel parameters (frequency, symbol rate, LNB polarity) e — edit channel parameter freqs — tuner frequency list -h — select transponder by ID (1-13) -help / ? — list available commands (first page) lnbdc odu — enable LNA in ODU mode (13V = V-pol; boot default 18V = H-pol) lnbv — stream LNB voltage readings (continuous, interrupt with q) -ls — lock status -man — extended help (srch_mode, stats, t, etc.) +ls — lock status (total reads, no-signal count, glitch count, NID table) +man — extended help page (shows srch_mode, stats, DiSEqC commands, etc.) +msw — multi-switch control +nid — streaming NID reads (Network ID, FFFF = no signal) +pwr — power control qls — quick lock status +range — signal range test rssi — RSSI averaged over n samples (bounded, returns avg + cur) +shuf — shuffle/reorder transponders snr — SNR level (streaming) -srch_mode — auto search mode (from man page) -stats — satellite read stats (from man page) +srch — start satellite search +srch_mode — auto search mode setting +stats — accumulated satellite read statistics t — select transponder table — generate transponder table +tablex — extended transponder table +tabto — table timeout setting +to — timeout setting +di2conf — DiSEqC LNB config register (raw: "3 21180544 238 <4.5") +di2cs — DiSEqC committed switch command di2id — DiSEqC read LNB hardware ID +di2rcs — DiSEqC read committed switch status +di2sc — DiSEqC switch control di2stat — DiSEqC read LNB status flags +ovraddr — DiSEqC override address +pretx — DiSEqC pre-transmit delay +rrto — DiSEqC receive reply timeout send — raw DiSEqC packet (max 6 bytes, space-delimited hex) -q — return to TRK> +tdthresh — DiSEqC tone detect threshold +? / q — help / return to TRK> ``` -#### EEPROM Submenu (EEPROM>) +#### EEPROM Submenu (EE>) — K60 FlexNVM/EEPROM + +3 commands. Low-level EEPROM access (separate from NVS). Prompt is `EE>`, not `EEPROM>`. +Most indices read as 0 (unwritten) or fail with val:65793 (0x10101 marker = uninitialized). +The firmware primarily uses NVS, not EEPROM, for persistent settings. ``` ee [] — read/write EEPROM value at index -inv [] — EEPROM inventory (from help) -def — restore defaults (from help) -help / ? — list available commands -q — return to TRK> + Read: "Index: Read value = " or "Failed to read eeprom index: val:65793" +inv — INVALIDATE EEPROM index (DESTRUCTIVE — marks entry invalid, not "inventory"!) +def — restore EEPROM defaults +? / q — help / return to TRK> ``` #### GPIO Submenu (GPIO>) +4 commands. Direct access to K60 GPIO ports A-E. Pin naming: `` (e.g., B0, E12). + ``` -dir — set GPIO pin direction -r — read GPIO pin (returns e.g. "B0 = 1") -w — write GPIO pin (requires parameters) -help / ? — list available commands -q — return to TRK> +dir — query pin direction: returns "INPUT" or "OUTPUT" +r — read single GPIO pin value (0 or 1) +regs — dump ALL GPIO pin states across ports A-E (26+16+20+16+14 = 92 pins) + Note: A20-A23, B12-B15 absent (not bonded). E29 shows "Unknown bit E29" +w — write GPIO pin (requires pin name and value) +? / q — help / return to TRK> ``` #### LATLON Submenu (LATLON>) +1 command. Satellite triangulation calculator — computes ground station lat/lon from +look angles to two known geostationary satellites. Used for auto-location when GPS +is unavailable. Values stored internally as centidegrees. + ``` -l — calculate lat/lon position (requires 4 parameters) -help / ? — list available commands -q — return to TRK> +l + — calculate lat/lon from 4 parameters (likely AZ/EL pairs for 2 satellites) + Output: "anglesentered = " + "Lat = Lon = " (centidegrees) +? / q — help / return to TRK> ``` #### MOT Submenu (MOT>) — Motor Control +25 commands. High-level motor control with angle-based positioning. + ``` a — show position: Angle[0] (AZ), Angle[1] (EL) a — move motor to absolute angle (0=AZ, 1=EL) a +/-deg — relative move (G2 only, undocumented) -azscan — scan AZ from EL min to max (from help, untested) +azscan [az_rel] [el_rel] [delay] + — AZ sweep: scan relative AZ range at EL steps with delay +azscanwxp [motor] [span_deg] [res_cdeg] [num_xponders] + — AZ sweep + transponder cycling (radio telescope mode) e — engage motors (energize steppers) +ela2s — elevation angle to steps converter (centidegrees internally) +elminmaxhome — show EL limits: "Min: Max: Home: " (NVS values) +els2a — elevation steps to angle converter (reports overflow if out of range) g — go to AZ/EL (aborts on new input) -h — home motor to reference position +h — home motor to reference position (stall-detect based) l — list motors and state (0=AZIMUTH, 1=ELEVATION) +life — motor lifetime/usage stats ma — read max acceleration per motor +motorboth — simultaneous dual-motor move test +motorlife — detailed motor life statistics +mv — max velocity per motor: "Max Vel [0] = / Max Vel [1] = " p — read raw step positions +pid [motor] [Kp] [Kv] [Ki] + — read or set PID gains for motor control loop r — release motors (de-energize steppers) sd — stall detection test (motor, direction, timeout) -sw — undocumented (requires parameters) +sp [motor] [pos] + — set position (override current position register) +sw [motor] [pos] + — set wrap position (cable wrap reference point) v — read motor velocities -w — undocumented (requires parameters) -help / ? — list available commands -q — return to TRK> +vms [motor] [deg_per_rev] [ms] + — velocity move for duration: spin motor at velocity for N milliseconds +w [motor] [ON/OFF] + — wrap manager: enable/disable cable wrap protection per motor +? / q — help / return to TRK> ``` #### NVS Submenu (NVS>) — Non-Volatile Storage @@ -336,8 +404,7 @@ d — dump single value with details e — read NVS value at index e — write NVS value at index (NOT saved until `s`) s — save pending changes to flash -help / ? — list available commands -q — return to TRK> +? / q — help / return to TRK> ``` #### OS Submenu (OS>) @@ -347,29 +414,45 @@ id — full MCU/firmware identification (NVS version, System ID, chi reboot — reboot microcontroller tasks — list running tasks (HAL 0.0.00 only, not on G2) kill — kill a named task (HAL 0.0.00 only, not on G2) -help / ? — list available commands -q — return to TRK> +? / q — help / return to TRK> ``` #### PEAK Submenu (PEAK>) — Signal Peak / DiSEqC Switch +6 commands. EchoStar/DiSEqC switch control and LNB polarity-switched RSSI. + ``` -ts — EchoStar switch toggle status -pw — peak signal (from help, details truncated) -help / ? — list available commands -q — return to TRK> +pw — peak signal search (likely requires sat lock) +psnr — peak SNR measurement +pxy1 — peak XY single-axis (likely az or el sweep) +rssits — RSSI with LNB toggle switch: alternates H-pol (18V, even transponders) + and V-pol (13V, odd transponders). Reports "Even_sig = , Odd_sig = ". + Noise floor: even ~489, odd ~235 (V-pol quieter). +stb — STB (set-top box) control / DiSEqC switch test +ts — EchoStar switch toggle status: "SW Status: 0b " + (reads 4-bit status, all zeros = no switch connected) +? / q — help / return to TRK> ``` #### STEP Submenu (STEP>) — Low-Level Stepper Control +7 commands. Raw stepper API in microstep units (ustep/sec, ustep/sec/msec). +MOT wraps STEP with angle-to-step conversion. + ``` e — engage motor (same as MOT `e`) -ma — set/read max acceleration -p — read step positions (raw counts, not degrees) -r — release motor (same as MOT `r`) -v — read velocity (raw, not degrees/sec) -help / ? — list available commands -q — return to TRK> +ma — max acceleration: "Accel[0] = 44 / Accel[1] = 28" (ustep/sec/ms) + Set: `ma [motor] [ustep/sec/ms]` +mv — max velocity: "Max Vel [0] = 7222 / Max Vel [1] = 3120" (ustep/sec) + Set: `mv [motor] [ustep/sec]` + (7222 ustep/s ÷ 40000 steps/rev × 360° = 65.0°/s AZ) + (3120 ustep/s ÷ 24960 steps/rev × 360° = 45.0°/s EL) +p — goto position in raw step counts: `p [motor] [steps]` +pid — PID values: "Kp=250 Kv=50" (no Ki at STEP level) + Set: `pid [motor] [Kp] [Kv]` +r — release motors (same as MOT `r`) +v — go to velocity (continuous spin): `v [motor] [ustep/sec]` +? / q — help / return to TRK> ``` ### Known NVS Indices @@ -400,6 +483,16 @@ Full dump in `docs/g2-nvs-dump.md` (firmware 02.02.48, captured 2026-02-12). | `AZ MOTOR STALLED` | Obstruction preventing rotation | | `EL MOTOR STALLED` | Obstruction preventing elevation change | | `EL Motor Home Failure` | Requires EL recalibration via IDU menu | +| `Step to Position EL angle error: 2147483647` | INT_MAX sentinel — motor axis uncalibrated/unhomed | + +### Known Console Hazards + +- **ADC `scan` without arguments on uncalibrated AZ:** Targets position 2147483647 (INT_MAX), + motor task blocks forever, shell deadlocks. No serial input (CR, Ctrl+C, ESC, `q`, `reboot`) + can recover — requires hardware power cycle. The firmware shell is single-threaded: UART + input is only parsed between command completions, so a blocking motor move prevents all input. +- **Root `q` command:** Terminates the shell task entirely. Console becomes unresponsive until + power cycle (same as deadlock, but intentional). ### IDU/ODU Cable Wiring (if cut)