USBee SX protocol description

This page describes the part of the USBee SX protocol I've been able to decipher using SniffUsb. It looks like there are separate firmwares for signal generation and capture. The endpoints used are the same, although they accept different commands on endpoint 0x01 (set state). A simple implementation of this protocol using Python and libusb can be found on my Bitbucket page.

USB endpoints

The endpoints are usable after the device comes out of reset.

Endpoint  Description
0x01      Set device state
0x02      Write sample data
0x81      Read status (0x00, 0x01, 0x02 or 0x55). Appears to be the number of processed commands on endpoint 0x01. After successful initialization, it is 0x55.
0x86      Read sample data

State commands for Capture firmware:

Packets are always 2 bytes.

Command    Description
0x01 0x01  Sample at 24 MHz
0x01 0x02  Sample at 16 MHz
0x01 0x03  Sample at 12 MHz
0x01 0x05  Sample at 8 MHz
0x01 0x07  Sample at 6 MHz
0x01 0x0b  Sample at 4 MHz
0x01 0x0f  Sample at 3 MHz
0x01 0x17  Sample at 2 MHz
0x01 0x2f  Sample at 1 MHz

After setting the state, bytes can be read from endpoint 0x86.

State commands for Signal Generation firmware:

Base packet (always 33 bytes):
0x01
0x01 0x01 0x01 0x01 0x01 0x01 0x3d 0x07 
0x02 0x02 0x02 0x02 0x02 0x02 0x07 0x00 
0xe3 0xe3 0xe3 0xe3 0xe3 0xe0 0xe2 0xe3
0x3f 0x47 0x00 0x00 0x00 0x00 0x36 0x3f 

Byte 1:5

Value                Description
0x01 0x01 0x01 0x01  Don't care
0x2a 0x01 0x13 0x2b  Trigger on step up
0x2a 0x01 0x1a 0x1d  Trigger on step down
0x2a 0x01 0x2a 0x01  Trigger on high
0x2a 0x01 0x15 0x01  Trigger on low

Byte 5:8

Value           Description
0x01 0x01 0x3d  Send at 24 MHz
0x01 0x01 0x3c  Send at 16 MHz
0x02 0x03 0x3c  Send at 12 MHz
0x03 0x04 0x3c  Send at 8 MHz
0x05 0x06 0x3c  Send at 6 MHz
0x07 0x08 0x3c  Send at 4 MHz
0x0b 0x0c 0x3c  Send at 2 MHz
0x17 0x18 0x3c  Send at 1 MHz

Byte 17:25

Value                                    Description
0xe3 0xe3 0xe3 0xe3 0xe3 0xe0 0xe2 0xe3  Data change on rising edge
0xe1 0xe1 0xe1 0xe1 0xe1 0xe2 0xe0 0xe1  Data change on falling edge

After setting the state, bytes can be written to endpoint 0x02. The maximum URB size is 0x10000 (65536). Make sure that data is written back-to-back, especially in the faster modes, as there is not much buffering on the device.
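
The following is an added example, not code from the original page or from the author's Bitbucket implementation. It builds the 33-byte signal generation state packet from the tables above and decodes a sniffed packet back into settings, flagging values that are not documented here. It assumes the "Byte 1:5" style headings are Python slice ranges, which matches the base packet (don't care, 24 MHz, rising edge); the function and table names are hypothetical.

```python
# Added example: names are hypothetical, offsets assume the page's
# "Byte a:b" headings are Python slices (consistent with the base packet).
BASE = bytes.fromhex(
    "01"
    "0101010101013d07"
    "0202020202020700"
    "e3e3e3e3e3e0e2e3"
    "3f4700000000363f")

TRIGGER = {"none": "01010101", "step_up": "2a01132b", "step_down": "2a011a1d",
           "high": "2a012a01", "low": "2a011501"}
RATE_MHZ = {24: "01013d", 16: "01013c", 12: "02033c", 8: "03043c",
            6: "05063c", 4: "07083c", 2: "0b0c3c", 1: "17183c"}
EDGE = {"rising": "e3e3e3e3e3e0e2e3", "falling": "e1e1e1e1e1e2e0e1"}

# field name -> (slice into the packet, table of documented values)
FIELDS = {"trigger": (slice(1, 5), TRIGGER),
          "rate_mhz": (slice(5, 8), RATE_MHZ),
          "edge": (slice(17, 25), EDGE)}

def build_state(**settings):
    """Patch the base packet; fields not given keep the base values."""
    pkt = bytearray(BASE)
    for name, value in settings.items():
        span, table = FIELDS[name]  # KeyError for a field the page does not list
        if value not in table:
            raise ValueError(f"{name}={value!r} is not in the documented table")
        pkt[span] = bytes.fromhex(table[value])  # same length, so size stays 33
    return bytes(pkt)

def decode_state(pkt):
    """Map a sniffed packet back to settings; None marks an undocumented value."""
    if len(pkt) != len(BASE):
        raise ValueError(f"expected {len(BASE)} bytes, got {len(pkt)}")
    out, covered = {}, set()
    for name, (span, table) in FIELDS.items():
        lookup = {bytes.fromhex(v): k for k, v in table.items()}
        out[name] = lookup.get(bytes(pkt[span]))
        covered.update(range(span.start, span.stop))
    # Offsets outside the documented fields that differ from the base packet.
    out["other_offsets_changed"] = [
        i for i in range(len(BASE)) if i not in covered and pkt[i] != BASE[i]]
    return out
```

A non-empty `other_offsets_changed` list or a `None` field in a decoded capture points at a part of the packet the tables above do not yet explain.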