Given the name of this blog and the number of requests that I’ve had, I think it’s high time we discussed serial ports; specifically, serial ports in embedded systems.
My goal here is to describe the techniques that I’ve found effective in identifying and reverse engineering embedded serial ports through the use of definitive testing and educated guesses, and without the need for expensive equipment.
Serial ports are extremely useful to embedded developers, who commonly use them for:
Accessing the boot loader
Observing boot and debug messages
Interacting with the system via a shell
Needless to say, this functionality is also useful to hackers, so finding a serial port on an embedded device can be very advantageous. As a case study, we’ll be examining the PCB of a Westell 9100EM FiOS router for possible serial ports:
The Gumbi board provides a flexible USB interface to the real world in the form of 64 digital I/O pins – all controllable from the comfort of your Python shell, allowing you to rapidly prototype and create new tools for interfacing with external devices.
Take flashbin for example, an open source flash programmer I’ve written for working with external parallel flash chips.
Although popular for firmware storage, parallel NOR flash chips are particularly difficult for hobbyists/hackers to work with because their interface typically requires 30 to 40 I/O pins (or more!). This tends to result in error-prone wiring that has to be re-wired whenever you need to interface with a different chip:
Using the Gumbi board however, everything can be defined (and re-defined) in software. Just plug the chip in, create a flashbin config file that defines the pin configuration for your target chip, and you’re ready to go:
A 4MB NOR flash chip connected to the Gumbi board via a ZIF socket adapter
Dumping firmware from the 4MB flash chip with flashbin
I picked up an old J.H. Bunnell telegraph relay, which from what I’ve been able to deduce is a mainline type 2-3 relay made sometime in the late 1800′s. It was missing a few parts, but a binding post from the junk box and a spring from an old floppy drive soon fixed that. I hooked it up to the power supply and hey, whaddya know, it still works!
J.H. Bunnell Relay
Manually turning the relay on and off is fun, but I figured I could do better. So, I programmed an AVR micro controller to tap out some morse code on the relay. The relay draws a little over half an amp at 12 volts, so there’s no way the AVR was going to drive it directly; instead the AVR controls a simple transistor switch that trips the relay. The result? Pure awesomeness:
Now to maybe find some practical use for it. I’m thinking some sort of early-warning system is in order.
For a while now I’ve been looking for an easy way to interface with external SPI and I2C devices over USB in a manner that can be easily integrated into future projects as well as used in a simple stand-alone system.
Although there are many existing SPI/I2C interface solutions, most of them are microcontroller based and connect to the PC though a USB to serial converter. This works fine, but I wanted something with a bit more speed while also remaining simple, cheap, and readily available.
After some searching, the FTDI FT-2232 family of chips seemed to fit the bill nicely. Although they are more commonly used to interface with JTAG devices, the FT-2232′s Multi-Protocol Synchronous Serial Engine (MPSSE) also supports the SPI and I2C protocols, clock rates of up to 30MHz, and a full-speed USB interface. Development boards are also cheap – the UM232H is $20 from DigiKey or Mouser in single quantities.
I’ve written libmpsse, a Linux wrapper library around libftdi that provides an easy to use API for interfacing with SPI and I2C devices using C and Python.
So how does this relate to hacking embedded systems you ask? Let’s take a look…