meshcore-dev · ViezeVingertjes · Feb 6, 2026 · Feb 6, 2026 · Feb 6, 2026 · Feb 6, 2026
diff --git a/docs/kiss_modem_protocol.md b/docs/kiss_modem_protocol.md
@@ -1,14 +1,14 @@
 # MeshCore KISS Modem Protocol
 
-Serial protocol for the KISS modem firmware. Enables sending/receiving MeshCore packets over LoRa and cryptographic operations using the modem's identity.
+Standard KISS TNC firmware for MeshCore LoRa radios. Compatible with any KISS client (Direwolf, APRSdroid, YAAC, etc.) for sending and receiving raw packets. MeshCore-specific extensions (cryptography, radio configuration, telemetry) are available through the standard SetHardware (0x06) command.
 
 ## Serial Configuration
 
 115200 baud, 8N1, no flow control.
 
 ## Frame Format
 
-Standard KISS framing with byte stuffing.
+Standard KISS framing per the KA9Q/K3MC specification.
 
 | Byte | Name | Description |
 |------|------|-------------|
@@ -18,89 +18,156 @@ Standard KISS framing with byte stuffing.
 | `0xDD` | TFESC | Escaped FESC (FESC + TFESC = 0xDB) |
 
 ```
-┌──────┬─────────┬──────────────┬──────┐
-│ FEND │ Command │ Data (escaped)│ FEND │
-│ 0xC0 │ 1 byte  │ 0-510 bytes  │ 0xC0 │
-└──────┴─────────┴──────────────┴──────┘
+┌──────┬───────────┬──────────────┬──────┐
+│ FEND │ Type Byte │ Data (escaped)│ FEND │
+│ 0xC0 │  1 byte   │ 0-510 bytes  │ 0xC0 │
+└──────┴───────────┴──────────────┴──────┘
 ```
 
+### Type Byte
+
+The type byte is split into two nibbles:
+
+| Bits | Field | Description |
+|------|-------|-------------|
+| 7-4 | Port | Port number (0 for single-port TNC) |
+| 3-0 | Command | Command number |
+
 Maximum unescaped frame size: 512 bytes.
 
-## Commands
-
-### Request Commands (Host → Modem)
-
-| Command | Value | Data |
-|---------|-------|------|
-| `CMD_DATA` | `0x00` | Packet (2-255 bytes) |
-| `CMD_GET_IDENTITY` | `0x01` | - |
-| `CMD_GET_RANDOM` | `0x02` | Length (1 byte, 1-64) |
-| `CMD_VERIFY_SIGNATURE` | `0x03` | PubKey (32) + Signature (64) + Data |
-| `CMD_SIGN_DATA` | `0x04` | Data to sign |
-| `CMD_ENCRYPT_DATA` | `0x05` | Key (32) + Plaintext |
-| `CMD_DECRYPT_DATA` | `0x06` | Key (32) + MAC (2) + Ciphertext |
-| `CMD_KEY_EXCHANGE` | `0x07` | Remote PubKey (32) |
-| `CMD_HASH` | `0x08` | Data to hash |
-| `CMD_SET_RADIO` | `0x09` | Freq (4) + BW (4) + SF (1) + CR (1) |
-| `CMD_SET_TX_POWER` | `0x0A` | Power dBm (1) |
-| *reserved* | `0x0B` | *(not implemented)* |
-| `CMD_GET_RADIO` | `0x0C` | - |
-| `CMD_GET_TX_POWER` | `0x0D` | - |
-| *reserved* | `0x0E` | *(not implemented)* |
-| `CMD_GET_VERSION` | `0x0F` | - |
-| `CMD_GET_CURRENT_RSSI` | `0x10` | - |
-| `CMD_IS_CHANNEL_BUSY` | `0x11` | - |
-| `CMD_GET_AIRTIME` | `0x12` | Packet length (1) |
-| `CMD_GET_NOISE_FLOOR` | `0x13` | - |
-| `CMD_GET_STATS` | `0x14` | - |
-| `CMD_GET_BATTERY` | `0x15` | - |
-| `CMD_PING` | `0x16` | - |
-| `CMD_GET_SENSORS` | `0x17` | Permissions (1) |
-
-### Response Commands (Modem → Host)
-
-| Command | Value | Data |
-|---------|-------|------|
-| `CMD_DATA` | `0x00` | SNR (1) + RSSI (1) + Packet |
-| `RESP_IDENTITY` | `0x21` | PubKey (32) |
-| `RESP_RANDOM` | `0x22` | Random bytes (1-64) |
-| `RESP_VERIFY` | `0x23` | Result (1): 0x00=invalid, 0x01=valid |
-| `RESP_SIGNATURE` | `0x24` | Signature (64) |
-| `RESP_ENCRYPTED` | `0x25` | MAC (2) + Ciphertext |
-| `RESP_DECRYPTED` | `0x26` | Plaintext |
-| `RESP_SHARED_SECRET` | `0x27` | Shared secret (32) |
-| `RESP_HASH` | `0x28` | SHA-256 hash (32) |
-| `RESP_OK` | `0x29` | - |
-| `RESP_RADIO` | `0x2A` | Freq (4) + BW (4) + SF (1) + CR (1) |
-| `RESP_TX_POWER` | `0x2B` | Power dBm (1) |
-| *reserved* | `0x2C` | *(not implemented)* |
-| `RESP_VERSION` | `0x2D` | Version (1) + Reserved (1) |
-| `RESP_ERROR` | `0x2E` | Error code (1) |
-| `RESP_TX_DONE` | `0x2F` | Result (1): 0x00=failed, 0x01=success |
-| `RESP_CURRENT_RSSI` | `0x30` | RSSI dBm (1, signed) |
-| `RESP_CHANNEL_BUSY` | `0x31` | Result (1): 0x00=clear, 0x01=busy |
-| `RESP_AIRTIME` | `0x32` | Milliseconds (4) |
-| `RESP_NOISE_FLOOR` | `0x33` | dBm (2, signed) |
-| `RESP_STATS` | `0x34` | RX (4) + TX (4) + Errors (4) |
-| `RESP_BATTERY` | `0x35` | Millivolts (2) |
-| `RESP_PONG` | `0x36` | - |
-| `RESP_SENSORS` | `0x37` | CayenneLPP payload |
-
-## Error Codes
+## Standard KISS Commands
+
+### Host to TNC
+
+| Command | Value | Data | Description |
+|---------|-------|------|-------------|
+| Data | `0x00` | Raw packet | Queue packet for transmission |
+| TXDELAY | `0x01` | Delay (1 byte) | Transmitter keyup delay in 10ms units (default: 50 = 500ms) |
+| Persistence | `0x02` | P (1 byte) | CSMA persistence parameter 0-255 (default: 63) |
+| SlotTime | `0x03` | Interval (1 byte) | CSMA slot interval in 10ms units (default: 10 = 100ms) |
+| TXtail | `0x04` | Delay (1 byte) | Post-TX hold time in 10ms units (default: 0) |
+| FullDuplex | `0x05` | Mode (1 byte) | 0 = half duplex, nonzero = full duplex (default: 0) |
+| SetHardware | `0x06` | Sub-command + data | MeshCore extensions (see below) |
+| Return | `0xFF` | - | Exit KISS mode (no-op) |
+
+### TNC to Host
+
+| Type | Value | Data | Description |
+|------|-------|------|-------------|
+| Data | `0x00` | Raw packet | Received packet from radio |
+
+Data frames carry raw packet data only, with no metadata prepended. The Data command payload is limited to 255 bytes to match the MeshCore maximum transmission unit (MAX_TRANS_UNIT); frames larger than 255 bytes are silently dropped. The KISS specification recommends at least 1024 bytes for general-purpose TNCs; this modem is intended for MeshCore packets only, whose protocol MTU is 255 bytes.
+
+### CSMA Behavior
+
+The TNC implements p-persistent CSMA for half-duplex operation:
+
+1. When a packet is queued, monitor carrier detect
+2. When the channel clears, generate a random value 0-255
+3. If the value is less than or equal to P (Persistence), wait TXDELAY then transmit
+4. Otherwise, wait SlotTime and repeat from step 1
+
+In full-duplex mode, CSMA is bypassed and packets transmit after TXDELAY.
+
+## SetHardware Extensions (0x06)
+
+MeshCore-specific functionality uses the standard KISS SetHardware command. The first byte of SetHardware data is a sub-command. Standard KISS clients ignore these frames.
+
+### Frame Format
+
+```
+┌──────┬──────┬─────────────┬──────────────┬──────┐
+│ FEND │ 0x06 │ Sub-command  │ Data (escaped)│ FEND │
+│ 0xC0 │      │   1 byte    │   variable   │ 0xC0 │
+└──────┴──────┴─────────────┴──────────────┴──────┘
+```
+
+### Request Sub-commands (Host to TNC)
+
+| Sub-command | Value | Data |
+|-------------|-------|------|
+| GetIdentity | `0x01` | - |
+| GetRandom | `0x02` | Length (1 byte, 1-64) |
+| VerifySignature | `0x03` | PubKey (32) + Signature (64) + Data |
+| SignData | `0x04` | Data to sign |
+| EncryptData | `0x05` | Key (32) + Plaintext |
+| DecryptData | `0x06` | Key (32) + MAC (2) + Ciphertext |
+| KeyExchange | `0x07` | Remote PubKey (32) |
+| Hash | `0x08` | Data to hash |
+| SetRadio | `0x09` | Freq (4) + BW (4) + SF (1) + CR (1) |
+| SetTxPower | `0x0A` | Power dBm (1) |
+| GetRadio | `0x0B` | - |
+| GetTxPower | `0x0C` | - |
+| GetCurrentRssi | `0x0D` | - |
+| IsChannelBusy | `0x0E` | - |
+| GetAirtime | `0x0F` | Packet length (1) |
+| GetNoiseFloor | `0x10` | - |
+| GetVersion | `0x11` | - |
+| GetStats | `0x12` | - |
+| GetBattery | `0x13` | - |
+| GetMCUTemp | `0x14` | - |
+| GetSensors | `0x15` | Permissions (1) |
+| GetDeviceName | `0x16` | - |
+| Ping | `0x17` | - |
+| Reboot | `0x18` | - |
+| SetSignalReport | `0x19` | Enable (1): 0x00=disable, nonzero=enable |
+| GetSignalReport | `0x1A` | - |
+
+### Response Sub-commands (TNC to Host)
+
+Response codes use the high-bit convention: `response = command | 0x80`. Generic and unsolicited responses use the `0xF0`+ range.
+
+| Sub-command | Value | Data |
+|-------------|-------|------|
+| Identity | `0x81` | PubKey (32) |
+| Random | `0x82` | Random bytes (1-64) |
+| Verify | `0x83` | Result (1): 0x00=invalid, 0x01=valid |
+| Signature | `0x84` | Signature (64) |
+| Encrypted | `0x85` | MAC (2) + Ciphertext |
+| Decrypted | `0x86` | Plaintext |
+| SharedSecret | `0x87` | Shared secret (32) |
+| Hash | `0x88` | SHA-256 hash (32) |
+| Radio | `0x8B` | Freq (4) + BW (4) + SF (1) + CR (1) |
+| TxPower | `0x8C` | Power dBm (1) |
+| CurrentRssi | `0x8D` | RSSI dBm (1, signed) |
+| ChannelBusy | `0x8E` | Result (1): 0x00=clear, 0x01=busy |
+| Airtime | `0x8F` | Milliseconds (4) |
+| NoiseFloor | `0x90` | dBm (2, signed) |
+| Version | `0x91` | Version (1) + Reserved (1) |
+| Stats | `0x92` | RX (4) + TX (4) + Errors (4) |
+| Battery | `0x93` | Millivolts (2) |
+| MCUTemp | `0x94` | Temperature (2, signed) |
+| Sensors | `0x95` | CayenneLPP payload |
+| DeviceName | `0x96` | Name (variable, UTF-8) |
+| Pong | `0x97` | - |
+| SignalReport | `0x9A` | Status (1): 0x00=disabled, 0x01=enabled |
+| OK | `0xF0` | - |
+| Error | `0xF1` | Error code (1) |
+| TxDone | `0xF8` | Result (1): 0x00=failed, 0x01=success |
+| RxMeta | `0xF9` | SNR (1) + RSSI (1) |
+
+### Error Codes
 
 | Code | Value | Description |
 |------|-------|-------------|
-| `ERR_INVALID_LENGTH` | `0x01` | Request data too short |
-| `ERR_INVALID_PARAM` | `0x02` | Invalid parameter value |
-| `ERR_NO_CALLBACK` | `0x03` | Feature not available |
-| `ERR_MAC_FAILED` | `0x04` | MAC verification failed |
-| `ERR_UNKNOWN_CMD` | `0x05` | Unknown command |
-| `ERR_ENCRYPT_FAILED` | `0x06` | Encryption failed |
-| `ERR_TX_PENDING` | `0x07` | TX already pending |
+| InvalidLength | `0x01` | Request data too short |
+| InvalidParam | `0x02` | Invalid parameter value |
+| NoCallback | `0x03` | Feature not available |
+| MacFailed | `0x04` | MAC verification failed |
+| UnknownCmd | `0x05` | Unknown sub-command |
+| EncryptFailed | `0x06` | Encryption failed |
+
+### Unsolicited Events
+
+The TNC sends these SetHardware frames without a preceding request:
+
+**TxDone (0xF8)**: Sent after a packet has been transmitted. Contains a single byte: 0x01 for success, 0x00 for failure.
+
+**RxMeta (0xF9)**: Sent immediately after each standard data frame (type 0x00) with metadata for the received packet. Contains SNR (1 byte, signed, value x4 for 0.25 dB precision) followed by RSSI (1 byte, signed, dBm). Enabled by default; can be toggled with SetSignalReport. Standard KISS clients ignore this frame.
 
 ## Data Formats
 
-### Radio Parameters (CMD_SET_RADIO / RESP_RADIO)
+### Radio Parameters (SetRadio / Radio response)
 
 All values little-endian.
 
@@ -111,35 +178,77 @@ All values little-endian.
 | SF | 1 byte | Spreading factor (5-12) |
 | CR | 1 byte | Coding rate (5-8) |
 
-### Received Packet (CMD_DATA response)
+### Version (Version response)
 
 | Field | Size | Description |
 |-------|------|-------------|
-| SNR | 1 byte | Signal-to-noise × 4, signed |
-| RSSI | 1 byte | Signal strength dBm, signed |
-| Packet | variable | Raw MeshCore packet |
+| Version | 1 byte | Firmware version |
+| Reserved | 1 byte | Always 0 |
 
-### Noise Floor (RESP_NOISE_FLOOR)
+### Encrypted (Encrypted response)
 
-Response to `CMD_GET_NOISE_FLOOR` (0x13). Little-endian.
+| Field | Size | Description |
+|-------|------|-------------|
+| MAC | 2 bytes | HMAC-SHA256 truncated to 2 bytes |
+| Ciphertext | variable | AES-128-CBC encrypted data |
 
-| Field        | Size | Description                    |
-|--------------|------|--------------------------------|
-| Noise floor  | 2    | int16_t, dBm (signed), e.g. -120 |
+### Airtime (Airtime response)
 
-The modem recalibrates the noise floor every two seconds with an AGC reset every 30 seconds.
+All values little-endian.
 
-### Stats (RESP_STATS)
+| Field | Size | Description |
+|-------|------|-------------|
+| Airtime | 4 bytes | uint32_t, estimated air time in milliseconds |
 
-Response to `CMD_GET_STATS` (0x14). All values little-endian.
+### Noise Floor (NoiseFloor response)
+
+All values little-endian.
+
+| Field | Size | Description |
+|-------|------|-------------|
+| Noise floor | 2 bytes | int16_t, dBm (signed) |
+
+The modem recalibrates the noise floor every 2 seconds with an AGC reset every 30 seconds.
+
+### Stats (Stats response)
+
+All values little-endian.
 
 | Field | Size | Description |
 |-------|------|-------------|
 | RX | 4 bytes | Packets received |
 | TX | 4 bytes | Packets transmitted |
 | Errors | 4 bytes | Receive errors |
 
-### Sensor Permissions (CMD_GET_SENSORS)
+### Battery (Battery response)
+
+All values little-endian.
+
+| Field | Size | Description |
+|-------|------|-------------|
+| Millivolts | 2 bytes | uint16_t, battery voltage in mV |
+
+### MCU Temperature (MCUTemp response)
+
+All values little-endian.
+
+| Field | Size | Description |
+|-------|------|-------------|
+| Temperature | 2 bytes | int16_t, tenths of °C (e.g., 253 = 25.3°C) |
+
+Returns `NoCallback` error if the board does not support temperature readings.
+
+### Device Name (DeviceName response)
+
+| Field | Size | Description |
+|-------|------|-------------|
+| Name | variable | UTF-8 string, no null terminator |
+
+### Reboot
+
+Sends an `OK` response, flushes serial, then reboots the device. The host should expect the connection to drop.
+
+### Sensor Permissions (GetSensors)
 
 | Bit | Value | Description |
 |-----|-------|-------------|
@@ -149,14 +258,25 @@ Response to `CMD_GET_STATS` (0x14). All values little-endian.
 
 Use `0x07` for all permissions.
 
-### Sensor Data (RESP_SENSORS)
+### Sensor Data (Sensors response)
 
 Data returned in CayenneLPP format. See [CayenneLPP documentation](https://docs.mydevices.com/docs/lorawan/cayenne-lpp) for parsing.
 
+## Cryptographic Algorithms
+
+| Operation | Algorithm |
+|-----------|-----------|
+| Identity / Signing / Verification | Ed25519 |
+| Key Exchange | X25519 (ECDH) |
+| Encryption | AES-128-CBC + HMAC-SHA256 (MAC truncated to 2 bytes) |
+| Hashing | SHA-256 |
+
 ## Notes
 
+- Data payload limit (255 bytes) matches MeshCore MAX_TRANS_UNIT; no change needed for KISS “1024+ recommended” (that applies to general TNCs, not MeshCore)
 - Modem generates identity on first boot (stored in flash)
-- SNR values multiplied by 4 for 0.25 dB precision
-- Wait for `RESP_TX_DONE` before sending next packet
-- Sending `CMD_DATA` while TX is pending returns `ERR_TX_PENDING`
+- All multi-byte values are little-endian unless stated otherwise
+- SNR values in RxMeta are multiplied by 4 for 0.25 dB precision
+- TxDone is sent as a SetHardware event after each transmission
+- Standard KISS clients receive only type 0x00 data frames and can safely ignore all SetHardware (0x06) frames
 - See [packet_structure.md](./packet_structure.md) for packet format