Difference between revisions of "JTAGulator: Find IoT-Device's UART interface"
Jostrowski (talk | contribs) |
Jostrowski (talk | contribs) |
||
| Line 37: | Line 37: | ||
* The Data Frame can only send 9 bits when the Parity Bit is turned of. The Data Frame "borrows" the extra bit from the Parity Bit. | * The Data Frame can only send 9 bits when the Parity Bit is turned of. The Data Frame "borrows" the extra bit from the Parity Bit. | ||
* Data is send using least significant bit first. | * Data is send using least significant bit first. | ||
* The baud rate of the 2 devices should be within +-10% | |||
[[File:UART.png]] | [[File:UART.png|400px|border]] | ||
Source: | Source: | ||
| Line 44: | Line 45: | ||
* http://www.circuitbasics.com/basics-uart-communication/ | * http://www.circuitbasics.com/basics-uart-communication/ | ||
== | == Find UART interface == | ||
As explained in the section before the UART interface consist out of two pins: RX and TX. Usually also the pins Gnd and Vcc are layout out together. Therefor these 4 pins are usually right next to each other in a line. | |||
We we look at this mainboard we can see 4 pins next to each other. | |||
[[TODO: Insert image here]] | |||
If you can't find them it helps to look at the datasheet of the microprocessor on the mainboard and connect to the pins of the microprocessor directly. It is good practice to remove the UART interface of the device, since this should only be accessible for testing (exceptions exist) | |||
== Connect to the possible pins == | |||
Connect the JTAGulator Gnd Channel to the Gnd of the target device than connect the channels (start with 0 and proceed incremental) to the possible pins of the UART. | |||
(Tip: you do not have to connect to the Gnd and Vcc of the target device, since Gnd is already connected and Vcc has to be set in the software of the JTAGulator) | |||
== Connect to the JTAGualtor == | |||
''This tutorial is based on the firmware version 1.6'' | |||
; Connect the JTAGulator to the computer | |||
: and open a serial connection using following parameters: (eg. use Putty, minicom, ...) | |||
:: 115200 bps, 8 data bits, no parity, 1 stop bit | |||
; Go into the UART menu | |||
: Type <code>U</code> for the UART menu | |||
: Type <code>H</code> for help and all possible commands | |||
; Find UART pin configuration | |||
: Set the voltage level of the target device | |||
:: <code>V</code> and enter Vcc (if not known check with oscilloscope of multimeter) | |||
: Type <code>U</code> in the UART menu to start the bruteforce on the pin configuration of the UART pins. | |||
: Enter the text string you want to output on the UART interface: | |||
:: Usually you want to keep the <code>default configuration [CR]</code> so <code>just press enter</code> | |||
:: Usually when pressing <code>enter</code> into a UART interface it will great you with response. | |||
: Enter starting channel of the JTAGulator | |||
: Enter ending channel of the JTAGulator | |||
:: Now the JTAGulator will cycle through all pin configurations and possible baud rates and prints out the output character you specified | |||
UART> u | |||
UART pin naming is from the target's perspective. | |||
Enter text string to output (prefix with \x for hex) [CR]: | |||
Enter starting channel [0]: | |||
Enter ending channel [4]: | |||
Possible permutations: 20 | |||
Ignore non-printable characters? [y/N]: n | |||
Press spacebar to begin (any other key to abort)... | |||
JTAGulating! Press any key to abort... | |||
---------- | |||
TXD: 2 | |||
RXD: 3 | |||
Baud: 19200 | |||
Data: ..(t0d^l.. ..... [ AF 85 28 74 30 64 5E 6C D9 0F 20 B7 E7 A5 F5 D4 ] | |||
TXD: 2 | |||
RXD: 3 | |||
Baud: 57600 | |||
Data: ...[32;40m00:16: [ 0D 0A 1B 5B 33 32 3B 34 30 6D 30 30 3A 31 36 3A ] | |||
TXD: 2 | |||
RXD: 3 | |||
Baud: 76800 | |||
Data: . [ 0C ] | |||
... | |||
TXD: 2 | |||
RXD: 4 | |||
Baud: 115200 | |||
Data: ................ [ 9E CF 0F 98 06 9E 0F 0F 98 98 E0 CF F3 98 E6 98 ] | |||
--------- | |||
UART scan complete. | |||
We can see that the JTAGulator received some input. Now you have to filter out the right combination by looking at the output. Usually the UART interface will send back some ASCII characters. 0x0D / 0x0A are very good indicator signalling a carriage return / new line. So the second output (TX:2 RX:3 Baud:56700) looks very promising | |||
; Check the found UART pin configuration | |||
: Now we will use the UART pass-through to send terminal input directly through the JTAGulator to the specific UART pin configuration | |||
: TODO:Finish doc | |||
== Used Hardware == | == Used Hardware == | ||
Revision as of 13:51, 2 December 2019
Summary
Description on how to find the UART interface of an IoT-Device. In this example the "smart" alarm system Technaxx WiFi smart alarm system starter kit TX-84 will be used.
Requirements
- Read subsection 'Finding UART' of JTAGulator: Introduction to understand the basic commands available.
- JTAGualtor
- Technaxx WiFi smart alarm system starter kit TX-84 or some other device
UART explained
UART stands for Universal Asynchronous Receiver/Transmitter and is a communication specification between to devices and allows for a serialized asynchronous communication. The communication can be simplex, half-duplex of duplex.
- UART consist out of
- TX .. Transmit
- RX .. Receive
- Vcc .. Supply Voltage (optional)
- Gnd .. Ground 0V (optional)
whereas the RX from on device is connected to the TX from the other device
The two devices should have the same ground and same Vcc
Data transmission
- UART packet are defined as followed
- - Start Bit: A connected non sending data-line is kept at the Vcc voltage (idle, but can also be the opposite). When one party wants to send data it indicates it by pulling the data-line to ground.
- - Data Frame: The actual data consisting of 5 to 9 bits is sent over the line.
- - Parity: To detect transmission errors a checksum is appended to the packet. There are different modes: total of all even bits, total of all uneven bits.
- - Stop Bit: To end the packet the data-line is set to Vcc for 1 or 2 bit duration.
- The Data Frame can only send 9 bits when the Parity Bit is turned of. The Data Frame "borrows" the extra bit from the Parity Bit.
- Data is send using least significant bit first.
- The baud rate of the 2 devices should be within +-10%
Source:
- https://en.wikipedia.org/wiki/Universal_asynchronous_receiver-transmitter
- http://www.circuitbasics.com/basics-uart-communication/
Find UART interface
As explained in the section before the UART interface consist out of two pins: RX and TX. Usually also the pins Gnd and Vcc are layout out together. Therefor these 4 pins are usually right next to each other in a line.
We we look at this mainboard we can see 4 pins next to each other.
If you can't find them it helps to look at the datasheet of the microprocessor on the mainboard and connect to the pins of the microprocessor directly. It is good practice to remove the UART interface of the device, since this should only be accessible for testing (exceptions exist)
Connect to the possible pins
Connect the JTAGulator Gnd Channel to the Gnd of the target device than connect the channels (start with 0 and proceed incremental) to the possible pins of the UART.
(Tip: you do not have to connect to the Gnd and Vcc of the target device, since Gnd is already connected and Vcc has to be set in the software of the JTAGulator)
Connect to the JTAGualtor
This tutorial is based on the firmware version 1.6
- Connect the JTAGulator to the computer
- and open a serial connection using following parameters: (eg. use Putty, minicom, ...)
- 115200 bps, 8 data bits, no parity, 1 stop bit
- Go into the UART menu
- Type
Ufor the UART menu - Type
Hfor help and all possible commands - Find UART pin configuration
- Set the voltage level of the target device
Vand enter Vcc (if not known check with oscilloscope of multimeter)
- Type
Uin the UART menu to start the bruteforce on the pin configuration of the UART pins. - Enter the text string you want to output on the UART interface:
- Usually you want to keep the
default configuration [CR]sojust press enter - Usually when pressing
enterinto a UART interface it will great you with response.
- Usually you want to keep the
- Enter starting channel of the JTAGulator
- Enter ending channel of the JTAGulator
- Now the JTAGulator will cycle through all pin configurations and possible baud rates and prints out the output character you specified
UART> u
UART pin naming is from the target's perspective.
Enter text string to output (prefix with \x for hex) [CR]:
Enter starting channel [0]:
Enter ending channel [4]:
Possible permutations: 20
Ignore non-printable characters? [y/N]: n
Press spacebar to begin (any other key to abort)...
JTAGulating! Press any key to abort...
----------
TXD: 2
RXD: 3
Baud: 19200
Data: ..(t0d^l.. ..... [ AF 85 28 74 30 64 5E 6C D9 0F 20 B7 E7 A5 F5 D4 ]
TXD: 2
RXD: 3
Baud: 57600
Data: ...[32;40m00:16: [ 0D 0A 1B 5B 33 32 3B 34 30 6D 30 30 3A 31 36 3A ]
TXD: 2
RXD: 3
Baud: 76800
Data: . [ 0C ]
...
TXD: 2
RXD: 4
Baud: 115200
Data: ................ [ 9E CF 0F 98 06 9E 0F 0F 98 98 E0 CF F3 98 E6 98 ]
---------
UART scan complete.
We can see that the JTAGulator received some input. Now you have to filter out the right combination by looking at the output. Usually the UART interface will send back some ASCII characters. 0x0D / 0x0A are very good indicator signalling a carriage return / new line. So the second output (TX:2 RX:3 Baud:56700) looks very promising
- Check the found UART pin configuration
- Now we will use the UART pass-through to send terminal input directly through the JTAGulator to the specific UART pin configuration
- TODO:Finish doc
Used Hardware
JTAGulator Technaxx WiFi smart alarm system starter kit TX-84]