Dummies Guide To Reverse Engineering

[Juan Carlos Jiménez] has reverse engineered a router — specifically, a Huawei HG533. While that in itself may not sound substantial, what he has done is write a series of blog posts which can act as a great tutorial for anyone wanting to get started with sniffing hardware. Over the five part series, he walks through the details of identifying the hardware serial ports which open up the doors to the firmware and looking at what’s going on under the hood.

The first part deals with finding the one or several debug ports on the hardware and identifying the three important pins – Rx, Tx and GND. That’s when he shows novices his first trick – shining a flashlight from under the PCB to find the pins that have trace connections (most likely Rx and Tx), those that don’t have any connections (most likely CTS and DTR) and those that connect to the copper pour planes (most likely VCC and GND). The Tx signal will be pulled up and transmitting data when the device is powered up, while the Rx signal will be floating, making it easy to tell them apart. Finding the baud rate, though, will require either a logic analyser, or you’ll have to play a bit of a guessing game.

Once you have access to the serial port and know its baud rate, it’s time to hook it up to your computer and use any one of the several ways of looking at what’s coming out of it — minicom, PuTTY or TeraTerm, for example. With access to the device’s CLI, and some luck finding credentials to log in if they are required, things start getting interesting.

Over the next part, he discusses how to follow the data paths, in this case looking at the SPI signals between the main processor and the flash memory, and explaining how to use the logic analyser effectively and decode the information it captures. Moving further, he shows how you can hook up a USB to SPI bridge, connect it to the flash memory, take a memory dump of the firmware and read the extracted data. He wraps it up by digging into the firmware and trying to glean some useful information.

It’s a great series and the detailed analysis he does of this particular piece of hardware, along with providing a lot of general tips, makes it a perfect starting point for those who need some help when getting started on debugging hardware.

Thanks, [gnif] for posting this tip.


Quad Serial Adapter

Despite concerted efforts to kill them, serial ports are alive and well, especially in embedded systems. True, these days most of them end in a USB port, but there’s still a lot of gear with a DE-9 (it isn’t a DB-9, despite the common use of the word) or a TTL-serial port lurking around. [James Fowkes] got tired of managing a bunch of USB to serial adapters, so he decided to build his own FT4232 breakout board that would provide four serial ports from a single USB connection.

The small board has transmit and receive LEDs for each port along with EMI and ESD protection on the USB port. The ports are all TTL serial, serving the modern hacker, and the 3.3V pins are 5V tolerant.


Cable Butchering For Logic-Level Serial

Early PCs and other computers had serial ports, sometimes as their main interfaces for peripherals. Serial ports still survive, but these days they are more likely to have a USB connection into the main computer. However, when you are working with a microcontroller, you probably don’t want a proper RS232 port with its plus and minus 12 volt signals.

You can get converters that specifically output logic-level signals but you probably can’t pick one up at the local office supply store. They might, though, have a normal USB to serial cable. [Aaron] had the same problem so he hacked into a cable to pull out the logic level signals.

On the one hand, hacks like this are a good inspiration for when you have a similar problem. On the other hand, you probably won’t wind up with the same cable as [Aaron]. He got lucky since the board inside his cable was clearly marked. Just to be sure, he shorted the transmit and receive lines to see that he did get an echo back from a terminal program.

Unsurprisingly, you can also repurpose an ESP8266 to perform this same task. Or, you can use a cable as an I/O device.

Fixing A Multimeter’s Serial Interface

[Shane] bought a multimeter with the idea of using its serial output as a source for data logging. A multimeter with a serial port is a blessing, but it’s still RS-232 with bipolar voltage levels. Some modifications to the meter were required to get it working with a microcontroller, and a few bits of Python needed to be written, but [Shane] is getting useful data out of his meter.

The meter in question is a Tenma 72-7735, a lower end model that still somehow has an opto-isolated serial output. Converting the bipolar logic to TTL logic was as easy as desoldering the photodiode from the circuit and tapping the serial data out from that.

With normal logic levels, the only thing left to do was to figure out how to read the data the meter was sending. It’s a poorly documented system, but [Shane] was able to find some documentation for this meter. Having a meter output something sane, like the freaking numbers displayed on the meter, would be far too simple for the designers of this tool. Instead, the serial port outputs the segments of the LCD being displayed. It’s all described in a hard to read table, but [Shane] was able to whip up a little bit of Python to parse the serial stream.

It’s only a work in progress – [Shane] plans to do data logging with a microcontroller some time in the future, but at least now he has a complete understanding of how this meter works. He can read the data straight off the screen, and he has all the code needed for a tiny micro to parse this data.
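To show what “parsing the segments instead of the numbers” involves, here is an added example that is not [Shane]’s code and does not use the Tenma 72-7735’s real frame format (which lives in that hard to read table). The frame layout below is an assumption made for illustration: one byte per digit, bits 0–6 holding segments a–g of a seven-segment display and bit 7 the decimal point that follows the digit. The encoder exists only so the example can build its own constructed input.

```python
"""Added example (not from the post): decode a meter that transmits LCD
segments rather than digits. Frame format is ASSUMED for illustration:
one byte per digit, bit0..bit6 = segments a..g, bit7 = decimal point."""
from typing import Dict

# Standard seven-segment naming: a=top, b=top right, c=bottom right,
# d=bottom, e=bottom left, f=top left, g=middle.
A, B, C, D, E, F, G = (1 << i for i in range(7))
DP = 1 << 7          # decimal point shown after this digit
SEG_MASK = 0x7F      # strip the decimal-point bit before lookup

SEGMENTS_TO_CHAR: Dict[int, str] = {
    A | B | C | D | E | F: "0",
    B | C: "1",
    A | B | G | E | D: "2",
    A | B | G | C | D: "3",
    F | G | B | C: "4",
    A | F | G | C | D: "5",
    A | F | G | E | D | C: "6",
    A | B | C: "7",
    A | B | C | D | E | F | G: "8",
    A | B | C | D | F | G: "9",
    G: "-",          # sign digit with only the middle bar lit
    0: " ",          # blank leading digit
}
CHAR_TO_SEGMENTS = {ch: seg for seg, ch in SEGMENTS_TO_CHAR.items()}


def decode_frame(frame: bytes) -> str:
    """Turn a segment frame into the text the LCD is showing.
    Unknown patterns raise instead of being guessed, so a bad byte in the
    stream cannot silently turn into a plausible-looking reading."""
    out = []
    for raw in frame:
        seg = raw & SEG_MASK
        if seg not in SEGMENTS_TO_CHAR:
            raise ValueError(f"unknown segment pattern 0x{raw:02x}")
        out.append(SEGMENTS_TO_CHAR[seg])
        if raw & DP:
            out.append(".")
    return "".join(out)


def reading_value(frame: bytes) -> float:
    """Numeric value of a frame (blank digits are ignored)."""
    return float(decode_frame(frame).replace(" ", ""))


def encode_display(text: str) -> bytes:
    """Build a constructed frame from display text like '-12.34'.
    A '.' sets the decimal-point bit on the digit before it."""
    frame = bytearray()
    for ch in text:
        if ch == ".":
            if not frame:
                raise ValueError("decimal point with no preceding digit")
            frame[-1] |= DP
        else:
            frame.append(CHAR_TO_SEGMENTS[ch])
    return bytes(frame)


if __name__ == "__main__":
    # Constructed sample frame: the meter "showing" -12.34
    sample = encode_display("-12.34")
    print("frame:", sample.hex(" "))            # 40 06 db 4f 66
    print("display:", repr(decode_frame(sample)))
    print("value:", reading_value(sample))
```

The lookup table is the whole trick: once you know which bit maps to which segment, the display text falls out, and refusing to decode unknown patterns is what keeps a glitched byte from being logged as a real measurement.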

Reverse Engineering Serial Ports

Can you spot the serial port in the pic above? You can probably see the potential pads, but how do you figure out which ones to connect to? [Craig] over at devttys0 put together an excellent tutorial on how to find serial ports. Using some extreme close-ups, [Craig] guides us through his thought process as he examines a board. He discusses some of the basics every hobbyist should know, such as how to make an educated guess about which pads are ground and VCC. He also explains the process of guessing the transmit/receive pins, although that is less straightforward.

Once you’ve identified the pins, you need to actually communicate with the device. Although there’s no easy way to guess the data, parity, and stop bits except for using the standard 8N1 and hoping for the best, [Craig] simplifies the process a bit with some software that helps to quickly identify the baud rate. Hopefully you’ll share [Craig’s] good fortune if you reach this point, greeted by boot messages that allow you further access.
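The “guessing game” for the baud rate mentioned in this post and in the HG533 write-up above comes down to one observation: at the right rate a boot console decodes to readable text, and at any other rate it decodes to framing errors and high-bit garbage. The following is an added example, not [Craig]’s tool or anything from devttys0, that scores a capture at each candidate rate and picks the best. The candidate list, the 0.9 threshold and the sample captures are assumptions chosen for illustration; reading from real hardware goes through pyserial, which is only imported when that path is used.

```python
"""Added example (not from the posts): rank candidate UART baud rates by how
much of the captured data looks like console text. The probe only needs a
callback returning bytes, so it runs offline against constructed captures."""
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Assumption: a practical starting set of rates seen on embedded consoles.
COMMON_BAUDS = (9600, 19200, 38400, 57600, 115200, 230400)


def text_score(sample: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/CR/LF.
    Mis-clocked UART data shows up as bytes with the high bit set or as
    control characters, so the correct rate scores close to 1.0."""
    if not sample:
        return 0.0
    ok = sum(1 for b in sample if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(sample)


def rank_bauds(read_at: Callable[[int], bytes],
               candidates: Iterable[int] = COMMON_BAUDS) -> List[Tuple[int, float]]:
    """Capture at each candidate rate and return (baud, score), best first."""
    scored = [(baud, text_score(read_at(baud))) for baud in candidates]
    return sorted(scored, key=lambda p: p[1], reverse=True)


def best_baud(read_at: Callable[[int], bytes],
              candidates: Iterable[int] = COMMON_BAUDS,
              threshold: float = 0.9) -> Optional[int]:
    """Best candidate, or None when nothing decodes cleanly (wrong pins,
    wrong frame format, or a console that is silent until you type)."""
    baud, score = rank_bauds(read_at, candidates)[0]
    return baud if score >= threshold else None


def serial_reader(port: str, nbytes: int = 256,
                  timeout: float = 2.0) -> Callable[[int], bytes]:
    """Build a read_at callback for real hardware (assumption: the pyserial
    package is installed). The port is reopened per rate because the target
    keeps transmitting; each read sees its chatter at a different clock."""
    def read_at(baud: int) -> bytes:
        import serial  # lazy import keeps the scoring code dependency-free
        with serial.Serial(port, baud, timeout=timeout) as s:
            return s.read(nbytes)
    return read_at


# Constructed captures: what a boot banner decodes to at the right rate, and
# the kind of garbage a mismatched rate produces. Not real device output.
_CAPTURES: Dict[int, bytes] = {
    115200: b"U-Boot 1.1.3\r\nDRAM:  32 MB\r\nHit any key to stop autoboot: 3\r\n",
    57600: bytes([0xFF, 0xFE, 0x80, 0x00, 0xF8, 0x7E, 0xC0, 0x1F] * 6),
    9600: bytes([0x00, 0x00, 0xFF, 0xE0, 0x0F, 0x86] * 8),
}


def fake_read(baud: int) -> bytes:
    """Stand-in for serial_reader() so the example runs without hardware."""
    return _CAPTURES.get(baud, b"\x00\xff" * 16)


if __name__ == "__main__":
    for baud, score in rank_bauds(fake_read):
        print(f"{baud:>7} baud: {score:.2f}")
    print("best guess:", best_baud(fake_read))   # 115200
```

Against real hardware, swap `fake_read` for `serial_reader("/dev/ttyUSB0")` (the device path is whatever your adapter enumerates as). The threshold matters: a console that prints nothing until it is prodded scores 0 at every rate, and the function returns None rather than confidently picking the least-bad garbage.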

Logging Two Multimeters At (nearly) The Same Time


It’s pretty common to have at least a couple of meters around to measure different values of a circuit at the same time. Where [Emilio P.G. Ficara] ran into a problem was logging the data from both at once. These Fluke meters have a serial-out, but his computer only has a single serial-in port. He cracked open one of the meters and figured out how to log data from both at the same time.

A lot of folks would look to a microcontroller to solve this problem. You use the chip to pull from each meter simultaneously and report back to a computer (or just dump the values onto an SD card). But this solution is a simple mechanical connector and a bit of creative programming. The way the serial output is set up on these meters, they won’t interfere with each other as long as they’re read one at a time. [Emilio] wired them up as seen above, using his own software to manage the pins of the serial port. The example output he posted shows readings from the meters taken within about a tenth of a second of each other. That should be good enough for most applications.

Bit Banging Through A USB Parallel Port Adapter

If you’ve ever looked into low-level parallel port access you may have learned that it only works with actual parallel port hardware, and not with USB parallel port adapters. But here’s a solution that will change your thinking. It borrows from the way printers communicate to allow USB to parallel port bit banging without a microcontroller (dead link, try Internet Archive).

Sure, adding a microcontroller would make this dead simple. All you need to do is program the chip to emulate the printer’s end of the communications scheme. But that’s not the approach taken here. Instead the USB to RS232 (serial) converter also pictured above is used as a reset signal. The strobe pin on the parallel port drives an inverter which triggers a thyristor connected to the busy pin. Thyristors are bistable switches so this solution alone will never clear the busy pin. That’s where the serial connection comes into play. By alternating the data transmitted from the computer between the bit-bang values sent to LP0 and 0xF0 sent to the serial connector the eight parallel data bits become fully addressable. See the project in action in the clip after the break.