feat: add raw command for protocol exploration

Add a new 'raw' command that sends arbitrary bootloader commands and
displays detailed TX/RX packet analysis with field interpretation.
Useful for exploring undocumented commands, debugging protocol issues,
and security research. Hardware tests extended in test-hw.sh.

Example usage:
  radfu raw 0x3A           # Signature request
  radfu raw 0x3B 0x00      # Area info for area 0
  radfu raw 0x2C           # DLM state request
  radfu raw 0x99           # Test unknown command (returns error)

Signed-off-by: Vincent Jardin <vjardin@free.fr>

Author: vjardin

radfu.h2m

@@ -119,6 +119,43 @@ blocks are protected from programming/erasure. A value of 0 means protected,
 1 means unprotected. PBPS (Permanent Block Protection) cannot be reversed
 once set to 0.
 
+.TP
+.B raw <cmd> [data...]
+Send a raw bootloader command for protocol exploration and debugging. The command
+byte and optional data bytes are specified as hexadecimal values (with or without
+0x prefix). Displays detailed TX/RX packet analysis including field-by-field
+breakdown, checksum verification, and interpretation of known response fields.
+
+This command is useful for:
+.IP \(bu 4
+Exploring undocumented bootloader commands
+.IP \(bu
+Debugging protocol issues
+.IP \(bu
+Security research and reverse engineering
+.IP \(bu
+Testing device behavior with specific command sequences
+
+.SS Output Format
+The command displays:
+.IP \(bu 4
+Raw hexdump of transmitted and received packets
+.IP \(bu
+Field analysis: SOH/SOD, length, command/response code, data, checksum, ETX
+.IP \(bu
+Interpretation of known fields (addresses, DLM states, error codes, etc.)
+.IP \(bu
+Checksum validation status
+
+.SS Examples
+.nf
+radfu raw 0x3A                    # Signature request (device info)
+radfu raw 0x3B 0x00               # Area information for area 0
+radfu raw 0x2C                    # DLM state request
+radfu raw 0x15 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xFF  # Read 256 bytes from 0x0
+radfu raw 0x99                    # Test unknown command (returns error)
+.fi
+
 [id authentication]
 Some RA devices have ID code protection enabled. To access protected devices,
 you must provide the correct 16-byte ID code using the \fB-i\fR option.
@@ -397,6 +434,8 @@ radfu boundary-set --cfs1 0 --cfs2 0 --dfs 0 --srs1 0 --srs2 0
 radfu boundary-set --file zephyr.rpd    # Load from .rpd file
 radfu -u -p /dev/ttyUSB0 info    # UART via USB-UART adapter
 radfu write -q firmware.bin      # Write without progress bar
+radfu raw 0x3A                   # Raw protocol exploration
+radfu raw 0x3B 0x00              # Area info with data byte
 .fi
 
 [progress display]

scripts/test-hw.sh

@@ -579,6 +579,74 @@ test_multi_file_write() {
     rm -f "${TEST_FILE}_1.bin" "${TEST_FILE}_2.bin"
 }
 
+test_raw() {
+    echo
+    log_info "=== Test: raw command (protocol exploration) ==="
+
+    # Test 1: Signature request (0x3A) - should return device info
+    local output
+    if output=$(run_radfu raw 0x3A 2>&1); then
+        if echo "$output" | grep -q "TX Packet" && \
+           echo "$output" | grep -q "RX Packet" && \
+           echo "$output" | grep -q "SIG (Signature request)"; then
+            log_ok "raw: signature request (0x3A)"
+            if [ "$VERBOSE" -eq 1 ]; then
+                echo "$output" | head -30
+            fi
+        else
+            log_fail "raw: signature request missing expected output"
+            return 1
+        fi
+    else
+        log_fail "raw: signature request command failed"
+        return 1
+    fi
+
+    # Test 2: Area info for area 0 (0x3B with data 0x00)
+    if output=$(run_radfu raw 0x3B 0x00 2>&1); then
+        if echo "$output" | grep -q "ARE (Area information)" && \
+           echo "$output" | grep -q "KOA:"; then
+            log_ok "raw: area info request (0x3B 0x00)"
+        else
+            log_fail "raw: area info missing expected output"
+            return 1
+        fi
+    else
+        log_fail "raw: area info command failed"
+        return 1
+    fi
+
+    # Test 3: DLM state request (0x2C)
+    if output=$(run_radfu raw 0x2C 2>&1); then
+        if echo "$output" | grep -q "DLM (DLM state request)" && \
+           echo "$output" | grep -q "DLM state:"; then
+            log_ok "raw: DLM state request (0x2C)"
+        else
+            log_fail "raw: DLM state missing expected output"
+            return 1
+        fi
+    else
+        log_fail "raw: DLM state command failed"
+        return 1
+    fi
+
+    # Test 4: Unknown command (0x99) - should return error 0xC0
+    if output=$(run_radfu raw 0x99 2>&1); then
+        # Command should "succeed" (sends and receives)
+        log_fail "raw: unknown command should have failed"
+        return 1
+    else
+        # Expected to fail with error response
+        if echo "$output" | grep -q "UNKNOWN" && \
+           echo "$output" | grep -q "ERROR"; then
+            log_ok "raw: unknown command (0x99) returns error as expected"
+        else
+            log_fail "raw: unknown command unexpected response"
+            return 1
+        fi
+    fi
+}
+
 test_input_formats() {
     echo
     log_info "=== Test: input formats (write from ihex/srec) ==="
@@ -722,6 +790,7 @@ Tests (default: all safe tests):
   area        Memory area selection (--area)
   reconnect   Multiple command sessions
   baudrate    Baud rate switching
+  raw         Raw command protocol analysis
   write       Write/erase/verify tests (requires -w)
   multiwrite  Multi-file write test (requires -w)
   informat    Input format tests (requires -w)
@@ -806,6 +875,7 @@ for test in $TESTS; do
         area)       test_area_selection ;;
         reconnect)  test_reconnection ;;
         baudrate)   test_baudrate ;;
+        raw)        test_raw ;;
         write)      test_write_data_flash; test_write_with_verify_flag ;;
         multiwrite) test_multi_file_write ;;
         informat)   test_input_formats ;;
@@ -827,6 +897,7 @@ for test in $TESTS; do
             test_area_selection
             test_reconnection
             test_baudrate
+            test_raw
             # Write tests (require -w flag)
             test_write_data_flash
             test_write_with_verify_flag

src/main.c

@@ -52,6 +52,7 @@ usage(int status) {
       "  key-verify <type>       Verify DLM key (secdbg|nonsecdbg|rma)\n"
       "  ukey-set <idx> <file>   Inject user wrapped key from file at index\n"
       "  ukey-verify <idx>       Verify user key at index\n"
+      "  raw <cmd> [data...]     Send raw command (hex bytes) for protocol analysis\n"
       "\n"
       "Options:\n"
       "  -p, --port <dev>     Serial port (auto-detect if omitted)\n"
@@ -203,6 +204,7 @@ enum command {
   CMD_KEY_VERIFY,
   CMD_UKEY_SET,
   CMD_UKEY_VERIFY,
+  CMD_RAW,
 };
 
 /* DLM key types (KYTY) per R01AN5562 */
@@ -726,6 +728,11 @@ main(int argc, char *argv[]) {
     if (optind >= argc)
       errx(EXIT_FAILURE, "ukey-verify requires index argument");
     key_index = (uint8_t)strtoul(argv[optind], NULL, 10);
+  } else if (strcmp(command, "raw") == 0) {
+    cmd = CMD_RAW;
+    if (optind >= argc)
+      errx(EXIT_FAILURE, "raw command requires at least a command byte (hex)");
+    /* Arguments parsed later after device connection */
   } else {
     errx(EXIT_FAILURE, "unknown command: %s", command);
   }
@@ -951,6 +958,37 @@ main(int argc, char *argv[]) {
   case CMD_UKEY_VERIFY:
     ret = ra_ukey_verify(&dev, key_index, NULL);
     break;
+  case CMD_RAW: {
+    /* Parse command byte and optional data from remaining args */
+    uint8_t raw_cmd;
+    uint8_t raw_data[256];
+    size_t raw_len = 0;
+
+    /* Parse command byte */
+    char *endptr;
+    unsigned long val = strtoul(argv[optind], &endptr, 16);
+    if (*endptr != '\0' || val > 0xFF) {
+      warnx("invalid command byte: %s (use hex 0x00-0xFF)", argv[optind]);
+      ret = -1;
+      break;
+    }
+    raw_cmd = (uint8_t)val;
+
+    /* Parse optional data bytes */
+    for (int i = optind + 1; i < argc && raw_len < sizeof(raw_data); i++) {
+      val = strtoul(argv[i], &endptr, 16);
+      if (*endptr != '\0' || val > 0xFF) {
+        warnx("invalid data byte: %s (use hex 0x00-0xFF)", argv[i]);
+        ret = -1;
+        break;
+      }
+      raw_data[raw_len++] = (uint8_t)val;
+    }
+    if (ret < 0)
+      break;
+
+    ret = ra_raw_cmd(&dev, raw_cmd, raw_data, raw_len);
+  } break;
   default:
     break;
   }