Reverse Engineering Serial Ports – /dev/ttyS0
By Craig

Given the name of this blog and the number of requests that I’ve had, I think it’s high time we discussed serial ports; specifically, serial ports in embedded systems. My goal here is to describe the techniques that I’ve found effective in identifying and reverse engineering embedded serial ports through the use of definitive testing and educated guesses, and without the need for expensive equipment.

Introduction

Serial ports are extremely useful to embedded developers, who commonly use them for:

- Accessing the boot loader
- Observing boot and debug messages
- Interacting with the system via a shell

Needless to say, this functionality is also useful to hackers, so finding a serial port on an embedded device can be very advantageous. As a case study, we’ll be examining the PCB of a Westell 9100EM FiOS router for possible serial ports:

(Photo: Westell 9100EM PCB)

Now, these aren’t your dad’s RS-2. Universal Asynchronous Receiver Transmitters (UARTs), commonly found in embedded devices. Although protocol compatible, RS-2. UART are not voltage compatible (from here on out I will use the terms “UART” and “serial port” interchangeably). UARTs most commonly operate at 3. Unfortunately there aren’t any industry standardized UART pin outs, and manufacturers don’t often go around advertising or documenting their debug interfaces, so we’ll need to do a bit of work in order to interface with these serial ports.
Specifically, we need to reverse engineer both the hardware interface and the software protocol settings. Let’s start with the hardware interface first. For this, you’ll need a multimeter and a pair of eyeballs (or even one will do just fine). Yes, oscilloscopes and logic analyzers are useful and sometimes necessary, but 9.

Identifying Serial Headers

The first step is to try to identify potential candidates for serial port headers. Most serial port headers have at a minimum four pins: Vcc, ground, transmit and receive. Typically you’ll want to look for a single row of 4-6 pins, although this is not a hard and fast rule and they can come in any pin configuration the manufacturer has decided on. On our 9100EM PCB we find two possible candidates, labeled P1402 and P1404:

(Photo: possible serial port headers)

Sometimes you won’t have a nicely broken out set of pins like this, and you’ll have to examine test points on the board; usually starting with the test points closest to the SoC is a good idea. Here is an example of a serial port exposed via test points on a different board, the WL5. G:

(Photo: serial port test points on a WL5. G)

In either case the process of pin identification is the same, but it usually takes longer if there is no header, since there will likely be more than four test points on the board that you will need to examine. At this point either P1402 or P1404 could be a serial port header. Or they could both be serial port headers. Or neither could be a serial port header. So we’ll examine the pins on each header individually to try to gain some insight.

Visual Inspection

First, let’s visibly inspect the pins. We’ll start by taking a look at P1402:

(Photos: P1402 top and bottom)

On the top layer of the PCB the right most pin is labeled as pin “1”. This is not terribly important, but it gives a common frame of reference when describing the pin numbers. On the bottom of the PCB we see that pin 3 has four traces in a crosshair pattern that connect it to the surrounding ground plane. This easily identifies pin 3 as ground. Pins 2 and 4 have thin traces connected to them, while pin 1 is connected to a fatter trace. Wide traces are typically used for supplying power, while narrow traces are usually used for signals. This suggests that pin 1 is Vcc and pins 2 and 4 are potentially transmit and receive (although we don’t yet know which is which). Let’s take a look at P1404:

(Photos: P1404 top and bottom)

Here, the left most pin is marked as pin 1. Again, we see that pin 3 is connected to ground on the bottom layer of the PCB. Pin 4 also has a thin trace connected to it, so it could be a transmit or receive pin. The other two pins of P1404 have no visible traces on the PCB. It could be that they aren’t connected to anything, but more likely their traces are connected on one of the inner layers of the PCB that we can’t see. Time to break out the multimeter.

Identifying Grounded Pins

A continuity test introduces a small current into the circuit; if enough current passes from one probe to the other (i.e. the resistance between them is low), the multimeter signals continuity with an audible tone.
The first thing we want to do is perform a continuity test between ground and all the pins on each of the headers using the multimeter. This will tell us which pins are connected directly to ground. We’ll start with P1402. Metal shielding is a convenient ground point to use for testing. Placing one probe on a shield and touching the other to pin 3, the multimeter emits a continuous audible tone, indicating that pin 3 is connected to ground, as we previously observed:

(Photo: continuity test between pin 3 and ground)

Performing the same test against pins 2 and 4 results in no audible tone, so we know those pins aren’t grounded. The same continuity tests for P1404 give the same results. Thus we know that for both P1402 and P1404 pin 3 is grounded and pins 2 and 4 are not.

Identifying Vcc

Vcc is less important to identify since we don’t actually need to connect anything to it, but locating the Vcc pin is a good exercise and is useful in eliminating the Vcc pin as a possible candidate for transmit or receive. Based on the trace widths, we suspect that pin 1 is Vcc; measuring the voltage on pin 1 when the board is powered on appears to confirm this:

(Photo: a steady voltage reading on pin 1)

The same voltage readings hold true for the other header, so pin 1 of both P1402 and P1404 is Vcc. Another method of identifying Vcc is to perform a continuity test between ground and the suspected Vcc pin. Although it may at first appear counter-intuitive, this will commonly result in a very short beep (though not a continuous tone). What happens with the Vcc continuity test is that there is usually a filter capacitor connected between the Vcc pin and ground. This is done to eliminate any possible noise in the power lines on the PCB, and such filter capacitors are used liberally in any well designed board.
Due to the nature of how capacitors work, they will “pass” a direct current very briefly until they are charged to capacity, at which point they will cease “passing” direct current and will “block” it, resulting in the short beep observed during the continuity test (it is worth noting that current doesn’t actually pass through a capacitor, although it appears that way to an outside observer). Although it doesn’t always work, the continuity test is a more conclusive method of determining Vcc than simply measuring the voltage on each pin, as any number of pins could all read the same voltage. Note that you will also need a multimeter with a rather responsive continuity tester in order to perform this test properly; cheaper ones can take up to a second or more before they are triggered, at which point the capacitor has already been charged. Most multimeters in the $1.

Identifying the Transmit Pin

The transmit pin is fairly easy to identify provided that the serial port is active and is transmitting data (and if it’s not, this entire effort will likely be futile anyway). The transmit pin on the board will be pulled high to the same voltage as Vcc (typically 3. As it transmits bits of data, the voltage will drop to 0 volts (to send a “space”), then back to 3. When reading a changing DC voltage, digital multimeters end up displaying an average of the sampled voltage; this means that the average voltage – and thus the voltage displayed on the multimeter – will briefly dip during bursts of activity on the transmit pin. The most activity on the transmit pin typically occurs during system boot up, when all the boot information from the bootloader/kernel/system is being printed to the serial port. By monitoring pins 2 and 4 during boot, we should be able to easily identify which of them is the transmit pin. Let’s try header P1402 first:

(Photos: measuring voltage on P1402 pins 2 and 4)

Neither pin 2 nor pin 4 on header P1402 shows the expected dips during boot:

(Photo: voltage reading on P1402)

This is not encouraging, so let’s move on to P1404. We’ll start with pin 2:

(Photo: measuring voltage on P1404 pin 2)

The voltage reading on pin 2 hovers around 4.

(Photos: initial and final voltage readings on P1404 pin 2)

Let’s check pin 4 next:

(Photo: measuring voltage on P1404 pin 4)

The voltage reading for pin 4 is a steady 3.

(Photo: initial voltage reading on P1404 pin 4)

Then suddenly we begin seeing rapid but substantial changes to the voltage on pin 4:

(Photos: P1404 pin 4 voltage rising back up to 3. and dropping back down to 2.)

There is definitely some activity on P1404 pin 4. Although this is an effective method of identifying the transmit pin, it is worth noting that if the serial port only transmits a small amount of data, the voltage fluctuations will be too brief for the multimeter to register, and you will need an oscilloscope or logic analyzer to capture the data activity on the transmit pin. This is rare however; usually there is ample data sent out on the serial port for this method to work.

Identifying the Receive Pin

Definitively identifying the receive pin is the most difficult, as it has no truly unique defining characteristics. I have observed various voltages for the receive pin from one system to the next, including:

- Pulled high to the same voltage as Vcc
- Pulled high to a voltage a few hundred millivolts lower than that of Vcc
- Left “floating”, wildly fluctuating around a few hundred millivolts
- Left “floating” for a few seconds and then pulled high when the serial port is initialized

Since we have only one unknown pin left on both headers and we know that only P1404 showed transmit activity, we can deduce that pin 2 of P1404 is the receive pin. However, sometimes it just comes down to connecting a serial adapter to all possible receive pins individually, pressing a few keys in minicom (or your terminal emulator of choice) and seeing what happens. Speaking of connecting our serial adapter, let’s do just that.

Connecting a UART Adapter
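The pin-identification reasoning from the Vcc, transmit and receive sections above, written out as a small classifier over multimeter samples. This is an added example, not code from the /dev/ttyS0 post: the threshold fractions, the pin names, the 3.3 V supply value and all sample readings are this example's own assumptions and constructed data, not the post's measurements. The second part models why a slow multimeter shows a dip on the transmit pin: it computes the time-averaged line level of an 8N1 byte stream, which is what an averaging meter displays.

```python
# Added example (not the blog's code): header-pin classification heuristics
# and an averaging-multimeter model for a UART transmit line.
# All thresholds, names and sample readings below are constructed assumptions.
from statistics import pstdev


def uart_line_levels(data: bytes) -> list[int]:
    """Line level per bit time (1 = mark/high, 0 = space/low) for an 8N1
    UART stream: start bit low, eight data bits LSB first, stop bit high."""
    levels: list[int] = []
    for byte in data:
        levels.append(0)                                   # start bit (space)
        levels.extend((byte >> i) & 1 for i in range(8))   # data bits, LSB first
        levels.append(1)                                   # stop bit (mark)
    return levels


def averaged_reading(data: bytes, vcc: float, idle_bits: int = 0) -> float:
    """Voltage a slow digital multimeter would display while `data` is sent:
    the line idles at Vcc, so the displayed average dips in proportion to the
    time spent low. idle_bits adds that many bit times of idle (high) line."""
    levels = uart_line_levels(data) + [1] * idle_bits
    return vcc * sum(levels) / len(levels) if levels else vcc


def classify_pin(samples: list[float], vcc: float) -> str:
    """Classify one header pin from voltage samples taken while the board boots.
    Threshold fractions of Vcc are assumptions chosen for this example."""
    hi, lo, spread = max(samples), min(samples), pstdev(samples)
    if hi < 0.15 * vcc and spread < 0.02 * vcc:
        return "GND"                        # sits at ground with no activity
    if lo > 0.95 * vcc and hi < 1.05 * vcc:
        return "Vcc"                        # steady at the supply voltage
    if hi > 0.9 * vcc and lo < 0.8 * vcc:
        return "TX"                         # idles high, dips during boot bursts
    if lo > 0.8 * vcc and hi < 0.95 * vcc and spread < 0.02 * vcc:
        return "pulled high below Vcc (candidate RX)"
    if hi < 0.3 * vcc:
        return "floating (candidate RX)"    # noisy, a few hundred mV
    return "unknown"


def identify_header(readings: dict[str, list[float]], vcc: float) -> dict[str, str]:
    """Classify every pin of a header. If exactly one pin remains undetermined
    once GND and TX are known, label it RX by elimination, as the post does."""
    roles = {pin: classify_pin(s, vcc) for pin, s in readings.items()}
    leftover = [p for p, r in roles.items() if r not in ("GND", "Vcc", "TX")]
    if len(leftover) == 1 and "TX" in roles.values() and "GND" in roles.values():
        roles[leftover[0]] = "RX (by elimination)"
    return roles


# Constructed readings for a hypothetical four-pin header (volts, sampled
# during boot). These are not measurements from the post.
SAMPLE_HEADER = {
    "pin1": [3.30, 3.29, 3.31, 3.30],             # steady supply
    "pin2": [3.05, 3.06, 3.04, 3.05],             # pulled high, slightly below Vcc
    "pin3": [0.00, 0.01, 0.00, 0.00],             # ground
    "pin4": [3.30, 3.30, 2.40, 2.90, 3.30, 2.60, 3.30],  # dips during boot text
}

if __name__ == "__main__":
    for pin, role in identify_header(SAMPLE_HEADER, vcc=3.3).items():
        print(f"{pin}: {role}")
    print(f"idle line: {averaged_reading(b'', 3.3, idle_bits=100):.2f} V")
    print(f"busy line: {averaged_reading(b'boot messages...', 3.3):.2f} V")
```

Feed `identify_header` one list of readings per pin (a few samples taken before, during and after boot) and it reproduces the elimination argument used above: ground and Vcc are steady at the rails, the transmit pin idles at Vcc and dips while the bootloader and kernel print, and whatever is left over is the receive candidate. The thresholds are deliberately coarse because a multimeter's averaging window varies between instruments; adjust them to your meter.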
January 2017