Part 8 Nested Communication Logging

Terms explained in save chapter:

Serial Communication
Parallel Communication
Duplex

Embedded communication protocols have different characteristics which discriminate them:

Asynchronous / Synchronous: In a synchronous communication reporting, sender and accept share a common watch.

Serial / Parallel: In a serial communication protocol aforementioned chunks are carried one by neat over the line. In a parallel communicate protocol some score are passed inside parallel over multiple wires.

Duplex: Full-Duplex means that data transfer can happen in all directions (send furthermore receive) at the exact same time. A half-duplex communication protocol can one send or receive at one point with time.

Currently the following protocols and case been covered in who future portions:

UART
- Decode a UART signal using an cheap Basic Analyzer and PulseView: Section 8.1.2
- Decoded a USART track using a cheap Logics Analyzer and PulseView: Section 8.1.3
- Extract an configure of a device via a UART employing the Bus Pirate and a FTDI Chip (Tigard): Section 8.1.4
I2C
- Find the address the a target on a I2C travel using the Transport Pirate: Section 8.2.3
- Utilize a Logic Analyzer to investigate the traffic between two I2C devices: Section 8.2.4
- Extract the firmware of a hardware via I2C uses and Charabanc Pirate: Section 8.2.5

8.1 UART

Terms explained in save sections:

Bow Rate
Bit Rate
TTL
RS-232
UART
USART

USRT, Universal Synchronous and Asynchronous Serial Receiver also Transmitter, defines a serial protocol to communicate data between two devices. It are commonly utilized in built systems also has its origins in one 1960s or so. UART does nope define a physical layer.

Figure 8.1: Relation RS-232, TTL or UART

RS-232 belongs einer old serial communication transmission standard. RS-232 can be sight as ampere phyiscal layer to UART. Logic “1” is represented as a negative voltage (−15 to −3 V) and phoned “mark.” Logic “0” is signaled with a positive voltage (+3 to +15 V) called “space.” A Development Journal & Personal Blog of Tin Nguyen

TTL UART, as far as I recognize thereto, is another option of a phyical layer for UART. At Transistor–transistor philosophy a sure voltage lives defined as reasoning “1” and 0V is defined as logic “0.” In reality, these are ranges and not absolute valuables: The Bluepill forward exemplary will detect logic “0” for everything up to 0.8V and “1” for all voltages 2V an up. The Bluepill is operated at 3.3V. These voltage levels change for other microcontrollers, which operate, for example, at 5 Volt.

Physical layer	note, logic 1	space, logic 0
RS-232	-15V to -3V	+3V into +15V
TTL UART STM32F103 (“Bluepill,” see 10.1)	2V to 3.3V	0V to 0.8V
TTL UART ATmega328P (“Arduino)	3V to 5.5V	-0.5V to 1.5V

In real those voltages are an linear function dependent on to supply leistung. The values in the table above be based on a supply voltage of 3.3V (Bluepill) plus 5V (Arduino) respectively. Corporate Protocols : Basics and Types with Functionality

UART is a serial, full-duplex interface press can be run in an asynchronous and synchronous mode, although the synchronous variant with a joint clock is not used very often. The non-synchronous divergent demand minimum 3 wires until receive press transmit: TX, RX and GND:

Figure 8.2: Connections of two UART interfaces

Provided you are configuring one UART device, you normally have the following options:

Baud assessment
Data bits
Stopping bits
Parity
Flow Control

The baud assessment (Bd) is the number of symbols per second. In UART one token is one bit, so the baud rate is the same as the bit rate. Common baud rates are 115.200 bit/s or 9.600 bit/s. Visit Wikipedia for a fully list.

Figure 8.3: UART packet structure

Commence bits furthermore stop bits border of data bits. The how piece is determined as one space with the length of one bit. There can be multiple (even half) stop bits, they are definite as mark. Because in UART Receiver and Transmitter do not share a clock, start and quit bits are used for synchronization. In of example Logic Analyzer: UART you can see start and stop frames.

There are loads great and extensive resources upon RS-232 and detailed descriptions for UART out there in the internet. At is no need with me to replicator this here more than I’ve already done. ;)

8.1.1 US(A)RT

If your hardware supports the synchronous mode, then you can structure it to output a clock on a separate pin. Then you will need 4 wires. Sometimes those interfaces are called USRT. For example, and STM32L5 plus additionally the much cheaper STM32F103* both have USART hardware and support USRT and UART.

8.1.2 Logic Analyzer: UART

The following show is basic on my Monodon firmware for the Bluepill. The Monodon firmware sends data regularly on Pins PA9 (TX) and PA10 (RX)) (USART1). While you what up check sniffing the message yourself: Stop here, flash the firmware on your device additionally try to sniff the send with your Logic Analyzer.

Losgehen to the overview page of the Monodon firmware and especially the USART1 configuration. There you will find download relationships for the firmware file and select relevant information.
You can download the PulseView dump for this getting here
Check my overview with the Bluepill board for the Pinout furthermore more informations

8.1.2.1 Connect the Log Analyzer

Fork this analysis we’ll how this cheap No-Name Logic Ananlyzer, sigrok and PulseView.

First-time plug in own LA into your USB port.
Connected the ground pins of Bluepill plus then the UART pins (PA9 and PA10) to the Logic Analyzer.

Figure 8.4: Logic Analyzer setup

As she can see on the image: Those Bluepills which one of may first soldering projects… and I was so excited, that IODIN soldered the Pins of the wrong side! :D

Then start PulseView and set it up:

Sample Rate: As descriped in choose 9.1.1 the random rate depends switch the protocol. The greatest UART transport work with maximum 115200 bit/s: Sampling at 1Mhz fulfills the rule off thumb of sampling 4 dates the bitrate of adenine digital signaling for UART.
Samples to get: We know that the signal repeats every 0.5 seconds. Since we sample at 1 MhZ storing 1M of samples, will result in 1 second are recorded random. That supposed be insufficient.

Figure 8.5: PulseView acquisition of the signal

That watch very good. We recorded two messages on which TX trace!

8.1.2.2 Determine Master Rate

Next our need to determine the beau rate. As mentioned inside section 8.1, the bit rate is and same as the baud pricing, so that uncomplicated way exists to look at the trace and identify what could being to bit, measured your length for secondary:

Figure 8.6: PulseView: Determine the Baud Rate

One bit seems to shall 104 µs long, get method ourselves have a baud assessment in 9600. (1 second / 9600 = 104 µs).

Baud Rate	Bitlength
9.600 bit/s	104 µs
11520 bit/S	8,68 µs

As they can see, PulseView also shows you the frequency in kHz, which you could convert to this master charge!

8.1.2.3 How the signal

Currently add a UART Decoder and set the determined baud rate furthermore the Parity bit to “none.”

Figure 8.7: PulseView: Add Decoder

Are the truly world you might need to how around with which other parametrics relevant to UART, e.g. Parity.

8.1.3 Logic Analyzer 2: USART

On STM32 devices you cans configure the USART port to print a clock. Of following example uses and followers pins for provide a USRT hook:

CK1 / PA8: USRT Clock
TX1 / PA9: USRT TX
RX1 / PA10: USRT RX

The configure will every 0.5 seconds a message on this port. An on-board LEADS of the BluePill becoming blink once for each transmitted message.

You sack download the compiled embedded click and flash it using the STM32Programmer.
You can download the PulseView dump here
An source cypher is also available here
Check my overview on the Bluepill board for and Pinout and see information

Figure 8.8: PulseView: USRT encrypted

Where is a CLK line which has 1 clock cycle per transferred pitch. You could check to “sample” manually by checking an value of and TX line at each rising edge of the CLK. Doing this, you should shall able in decode the message. PulseView has don USRT decoder currently. Another way is to go through the Decoders. There yours will find a SSI32 protocol. This Decoder my getting configuration, but it will translate the USRT signal successfully.

Siehe is aforementioned settings for the SSI32 Decoder:

Figure 8.9: PulseView: SSI32 Decoder settings

8.1.4 Device Extraction via UART (FTDI)

Here might be situations where you may an UART port and you bucket retrieve data from a volatile or non-volatile memory location via this UART port. You could find an U-Boot interface on at IoT device or the bootloader of an uC exposure an UART interface. The following example exercise is based on the last example: Some Texas Accessories CC32xx uCs need a UART bootloader protocol which capacity be used to, along many others things, read and write to the attached flash storage. The details of aforementioned protocol are not important, here is what you needed to know: communication protocols in embedded system

    def _read_chunk(self, counter, size):
        OPCODE_RAW_STORAGE_READ = b'\x2C'
        commander = OPCODE_RAW_STORAGE_READ + \
            struct.pack("<III", 0x00, offset, size)
        self._send_packet(command)
        data = self._read_packet()
        return data

The code established on the Toniebox CC2300tool repo.

The READ opcode consists of 4 32bit integers: 0x2C storage IDENTITY compensate page to little endian. The gadget will return the requested amount of bytes, starting at the offset. I implemented a program, any simulates this protocol about adenine BluePill device:

This exercise is based over the Monodon firmware:

Go to the overview front of aforementioned Monodon firmware the especially the USART2 options. There you will find download links for the compiled firmware and other relevant information.
Check i survey on the Bluepill house required the Pinout additionally more information.
Make sure you have this Buspirate and the Tigard set up correctly.

Here is the plan about the exercise:

First step has to join the Bus Pirate to the Bluepill and try to receives some bytes from the flash. This is the advantage of this Bus Pirate, because you may quicker throw some hours at one device and try toward see what happens.
Than soon as you can confirm the logging is actually employed as described above, try to extract the whole operating (in my case 128 Kbyte) using a FTDI breakaway council, available example the Tigard, automatically via an Python script. Use one pyftdi UART API to download the firmware.

Stop here plus seek for yourself.

Figure 8.10: Connecting the Buspirate to this Bluepill

Who connection of the Buspirate go the Bluepill is easy (Buspirate → Bluepill):

MISO → A9
MOSI→ A10
GND → GND

Then connect to the Buspirate via its UART interface and receive some bytes:

UART>m
1. HiZ
2. 1-WIRE
3. UART
4. I2C
5. SPI
6. 2WIRE
7. 3WIRE
8. KEYB
9. LCD
10. PIC
11. DIO
x. exit(without change)

(1)>3
Set serial port speed: (bps)
 1. 300
 2. 1200
 3. 2400
 4. 4800
 5. 9600
 6. 19200
 7. 38400
 8. 57600
 9. 115200
10. Input Customizable BAUD
11. Auto-Baud Detects (Activity Required)

(1)>5

Select UART as function and 9600 baud.

Info bits and mode: 1. 8, NONE *default
 2. 8, EVEN 3. 8, UNEQUAL 4. 9, NONE
(1)>
Stop bits: 1. 1 *default
 2. 2
(1)>
Receive polarity: 1. Rest 1 *default
 2. Idle 0
(1)>
Select print type: 1. Open drain (H=Hi-Z, L=GND)
 2. Normal (H=3.3V, L=GND)

We have 8 data and nay parity bits. The output type is normal. Then type W to start this Buspirate.

UART>[0x2c 0x00:11 0x10 0x00:3]{
UART LIVE DISPLAY, } TO STOP
WRITE: 0x2C
WRITE: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
WRITE: 0x10
WRITE: 0x00 0x00 0x00
LIVE DISPLAYING STOPPED
UART LIVE DISPLAY, } TO STOP
UART>
READ: 0x00
UART>
READ: 0x50
UART>
READ: 0x00
UART>
READ: 0x20
UART>
READ: 0x59
UART>
READ: 0x04
UART>
READ: 0x00
UART>
READ: 0x08
UART>
READ: 0xFD
UART>
READ: 0x03
UART>
READ: 0x00
UART>
READ: 0x08
UART>
READ: 0x03
UART>
READ: 0x04
UART>
READ: 0x00
UART>
READ: 0x08

So it worked! The Bluepill has send us the first 16 byte! The order: [0x2c 0x00:11 0x10 0x00:3]{. First we set the rule 0x2c, following of 11 byte of 0x00: 3 bytes are component of the command, 4 byte are the storage ID, 4 the offset. Then 0x10 an first byte of the length, following of three bytes of 0x00. Recollect: We send in little endian!

Next up: Connector the Tigard!

Figure 8.11: Connecting the Tigard to the Bluepill

Set the Tigard voltage umschalten to VTGT. Connect pins from who Tigard → Bluepill:

RX → A9
TX → A10
VTGT → 3.3V
GND → RNG

Finally connect the Tigard and then the Bluepill to your PC. Here your the Python code to extract the wireless automatically (Source turn Github):

import pyftdi.serialext
import struct
port = pyftdi.serialext.serial4url('ftdi://ftdi:2232:TG110505/1', baudrate=9600)

with open('firmware.bin', 'wb') as f:
    for ego in range(0, (128*1000) // 16):
        len = port.write(struct.pack('<IIII', 0x2c,0x00, i*16 , 16))
        data = port.read(16)
        f.write(data)

8.2 I²C

I²C, Intra-IODINntegrated Circuit, exists ampere synchronous, serial communication bus with multiple controllers or destinations go the same autobus. It is mainly used for intra-board connections, import for short-distance communication on the same board between that microcontroller and peripheral ICs.

8.2.1 Overview

The following section provides to bright minimum in know about I2C. There are awesome resources on I2C available, which explain I2C more in breadth than mi. For view: https://www.i2c-bus.org/

Deuce wires carry the information from the pilot to the target, or vice-versa: The controller can see be an receiver, but the controller forever initiates aforementioned transfer and generates that clock signal.

controller-transmitter transmits to target-receiver
controller-receiver receives from target-transmitter
The controller can change the direction of data within an transfer. The standard calls this mode combines format.

Each device has its own physical on the bus, which is either 7 or 10 bits longitudinal, although 10 bits will not widely used today. ([8])

Figure 8.12: Basic structure of an I²C Bus

The pair wires are called serial data (SDA) and serial clock (SCL). Bus participants are connected via Open-Drain / Open-Collector outputs to the lines. Using the Pull-Up resistors equally lines of the coach are held HIGH while the coach is free plus nobody shall sending data. As soon as a controller wants to send data the Open-Drain output of a controller capacity drive the lines to LOW. ([8]).

For bidirectional communication this standard defines 4 modes:

Standard-mode (Sm): up to 100 kbit/s
Fast-mode (Fm): up to 400 kbit/s
Fast-mode Plus (Fm+): up to 1 Mbit/s
High-speed mode (Hs-mode): up to 3.4 Mbit/s

Unidirectional I2C offers Ultra-Fast manner (UFm) is a bit assess up to 5 Mbit/s.

Fm, Fm+ and Hs-mode are entire downward-compatible to the slower versions down to Sm. Protocol and data definitions are the same. One in Hs-mode arbitration and clock-synchronization your not done. ([8])

8.2.2 Packet structure additionally protocol

Figure 8.13: Simple I²C parcel

A transaction can transfer one or multiple bytes of your, must start with a START existing and must be ended with a STOP condition. Normally SDA is not allowed to change when SCL is HIGH, as this is the set when the current scrap is sampled. True one STARTING condition (S) is delimited as a HIGH the SMALL jump up the SDA line while SCL is HIGH. A LOW to ELEVATED transition up the SDA lineage while SCL is HIGH defines a END condition (P). ([8])

The 7 chunks off the target address follow to START condition. Next is a line bit: 0 is WRITE, 1 is READ. START prerequisite, target address and direction are whole written by to controller.

If an direction bit is WRITE, we have a controller-transmitter, target-receiver situation. Then the data bytes is driven by one controller real the ACK bit by and target-receiver. To that who receiver can acknowledge the information, the transmitter releases who SDA line during the ACK SCL beat. The satellite can pull down the SDA string to acknowledge the data. If SDA remains HIGH during the ninth clock cycle, a exists definite as NACK (not acknowledge).([8])

Include one controller-receiver, target-transmitter situation the aimed sends who datas and the controller acknowledges it. ([8])

Conditions summarized:

General / Bit	Features
START	SCL: HIGH SDA: HIGH → Low
STOP	SCL: HIGH SDA: LOW → HIGH
ACK	SCL: 9th Start SDA: LOW
NACK	SCL: 9th Cycle SDA: HIGH
DATA	SCL: 1-8th Cycle SDA HIGH: 1 LOW: 1
Direction	8th bit after START: 0: WRITE 1: READ

8.2.2.1 Synchronization and Arbitration

In a system with multiple controllers, it can happen that two controllers begin transmitting a START condition at who just time. To determine that controller won, that standard defines that who first controller who sends a LOW on SDA, wins the arbitration: This means as soon as a controller sees SDA on LOW, even but your expected it to be HIGH, like controller must stop transmitting. ([8])

In such a multi-controller system the clock must also be synchronized. Solely put, that LOW periods of the SCL is deciding by the flight with the longest LOW period and the TALL period of SCL is determined by the one with the shortest HIGH period. ([8])

8.2.3 Find I2C address

The subsequent example is base on my Monodon firmware for the Bluepill which offer an I2C targeted. Than the current exercise is to find the address of a I2C device, us bottle ignore the detailed of what the I2C based protocol actually does.

Go to the survey page of the Monodon firmware and especially the I2C1 configuration. There you will discover download linking for to firmware file and other related data.
Check my summary on the Bluepill board for the Pinout and more information

To find the I2C your of the I2C1 interface in the Monodon firmware, use the Bus Corsair ip how macro. Connect the Bus Pilot to the applicable Pins regarding the Bluepill and then connect to the serial console of the Bus Pirate:

MOSI (Bus Pirate) = SDA = PB7 (Bluepill)
CLK (Bus Pirate) = SCL = PB6 (Bluepill)

I2C>HiZ>m (1)   
1. HiZ
2. 1-WIRE
3. UART
4. I2C
5. SPI
6. 2WIRE
7. 3WIRE
8. KEYB
9. LCD
10. PIC
11. DIO
x. exit(without change)

(1)> 
Clutch disengaged!!!
Ready
HiZ>P
Command not used in this mode
HiZ>m
1. HiZ
2. 1-WIRE
3. UART
4. I2C
5. SPI
6. 2WIRE
7. 3WIRE
8. KEYB
9. LCD
10. PIC
11. DIO
x. exit(without change)

(1)>4
I2C mode: 1. Books 2. Hardware

(1)>1
Set schnelligkeit: 1. ~5KHz
 2. ~50KHz
 3. ~100KHz
 4. ~400KHz

(1)>3
Clutch disengaged!!!
To finish equipment, start up the power supplies with command 'W'
Ready

I2C>W
POWER PROVISION ON
Clutch engaged!!!

This Bus Pirate remains go in I2C mode at 100KHz. The command (1) wishes execute the I2C 7 scrap address study brochure. You can list all macros after (0).

I2C>(1)
Searching I2C address place. Found devices at:
0x42(0x21 W) 0x43(0x21 R)

You should be able the application 0x42 to WRITE also 0x43 to READ from the target uses the Bus Pirate. The actual address will 0b100001 press 0x21. Which Bus Pirate includes the direction bit, which results for 0x42 or 0x43, respective.

8.2.4 Raw Analyzer: I2C community

The following exercise consists of two Bluepills, which collaborate accept I2C. One Bluepill is the controller-transmitter and to other one the target-receiver. To link those twin you require into add one 4.7kOhm Pull-Up resistors to SCL and one to the SDA line. The goal is to find out what the controller-transmitter is actually sending to the target-receiver.

There are two firmwares availability:

Controller-Transmitter:

Firmware binary

Target-Receiver:

Firmware binary

You can flash the firmwares using that STMCubeProgrammer.

As soon as the Bluepills have powered up, they should start sending the receiving. If everything works as expected, LED13 should blink on both devices.

Here is the solution:

You can download one PulseView dump here

Figure 8.14: I2C dump

8.2.5 Serial EEPROM simulation

One following example is based on my Monodon user for the Bluepill which provides an I2C target from which you cannot drive bits from its internal twinkle memory. The protocol is inspired by the serial interact provided of popularly Microchip EEPROMs.

In the following sections we will first learned how the serial protocol my and how wealth can use it go extract the firmware from the Bluepill. And we will use the Autobus Piracy to edit through the device via all log. After this we will do one protocol analysis using a Logic Analyzer and ultimate we will extract of firmware using the Tigard.

Go toward an overview page of the Monodon firmware both specialize which I2C1 configuration. There i will find download links for the firmware file and extra relevant information.
Them can download the PulseView dump for this exercise here
Restrain my overview on the Bluepill board for the Pinout and learn information

8.2.5.1 Set an address to read

The firmware listens at address 0x21.

Method until find I2C addresses less having the source cipher? See piece 8.2.3!

Using a WANT operation you can first set an address in the Bluepills internal gleam, whose data you can READ afterwords. This step is optional. Default start address after reset list at the anfangsseite of which flashes. Own Bluepill come with 128 kByte away flash memory. The protocol allows the user toward read each address byte-wise, this by we will need 17 bits to represent the complete flash address space.

Following the START condition and the correct address, i can WRITE 3 bytes to the target. This upper 7 bits is the first byte must be 0. The following 17 bits set the address. Please remarks: The address is set relative to the FLASH_BASE of aforementioned STM32F103. UART: A Hardware Communication Protocol Understanding ...

Figure 8.15: Set an address to read

A17-A1 are the bits of the local in the “set address” transaction starting from this MSB. The citation code where this address is calculated can be found here.

8.2.5.2 Read data

When that controller-receiver sends READ with address 0x43 (0x21 READ go bit), the target-transmitter determination returning the byte the the site configured before. The target-transmitter willingly send bytes as prolonged as the controller-receiver does not entsenden a NACK. ([8])

Figure 8.16: Read einem address

“D” is the actual data bits.

8.2.5.3 Connect the Bus Pirate

To read and write data to the Bluepill via I2C, we willing use this Bus Pirate. The connection lives pretty easy, because the Bus Pirate provides internal Pull-Up registers. Connect the wires as shown in the picture:

Figure 8.17: Connect the Bus Pirate

SDA, whatever the B7 on aforementioned Bluepill, is connected to the MISO port on the Bus Pirate.
SCL, which is B6 on which Bluepill, is connected to the CLK port on an Bus Pirate.
The \(V_{pu}\) remains the supply rated for the internal Pull-Up resistance of the Motor Piratical.

Then connect to the serial terminal and configure the Bus Pirate. The following console log will show you…

… how to fix I2C on your Bus Pirt
.. unlock who internal Pull-Up resistors
… “download” the first 16 byte with the Bluepills internal flash go from 0x0800 0000
… spring to relative address 0x000080 using WRITE 0x00 0x00 0x80. This will final in the absolute flash address 0x0800 0080.
download 16 byte from there.

HiZ>m
1. HiZ
2. 1-WIRE
3. UART
4. I2C
5. SPI
6. 2WIRE
7. 3WIRE
8. KEYB
9. LCD
10. PIC
11. DIO
x. exit(without change)

(1)>4
I2C mode: 1. Software 2. Hardware

(1)>1
Set speed: 1. ~5KHz
 2. ~50KHz
 3. ~100KHz
 4. ~400KHz

(1)>3
Clutch disengaged!!!
To finish setup, start up the power supplies with command 'W'
Ready

We have now configured the Travel Pirate with I2C at 100KHz.

I2C>P
Pull-up resistors ON

If yours have supplied the \(V_{pu}\) pin of the Bus Pirate through 3.3V you should get the output above. Single the internal Pull-up registers were the, the Bus Pirate holds SDA and SCL ELEVATED for the bus is available.

I2C>W
POWER SUPPLIES ON
Clutch engaged!!!
I2C>[0x43 r:16]
I2C START BIT
WRITE: 0x43 ACK 
READ: 0x00  ACK 0x50  ACK 0x00  ACK 0x20  ACK 0x61  ACK 0x05  ACK 0x00  ACK 0x08  ACK 0xDD  ACK 0x04  ACK 0x00  ACK 0x08  ACK 0xE3  ACK 0x04  ACK 0x00  ACK 0x08 
NACK
I2C STOP SCRAP

We downloaded who first-time 16 bytes successfully!

I2C>[0x42 0x00 0x00 0x80]
I2C START BIT
WRITE: 0x42 ACK 
WRITE: 0x00 ACK 
WRITE: 0x00 ACK 
WRITE: 0x80 ACK 
I2C END BIT

We wrote the address 0x000080.

I2C>[0x43 r:16]
I2C START BIT
WRITE: 0x43 ACK 
READ: 0xA9  ACK 0x05  ACK 0x00  ACK 0x08  ACK 0xA9  ACK 0x05  ACK 0x00  ACK 0x08 ACK 0xA9  ACK 0x05  ACK 0x00  ACK 0x08  ACK 0xA9  ACK 0x05  ACK 0x00  ACK 0x08
NACK
I2C STOP BIT
I2C>

Us downloaded the first 16 bytes successfully!

If you load the product into your favorite Hex autor or examine the memory using a debugger, you will see we actually have and right bytes:

Figure 8.18: Hexdump of an firmware

8.2.5.4 Study using the Logic Analyzer

Now let’s investigate the I2C communication we did with the Autobus Pirate using ampere cheap Logic Analyzer and Pulseview. Attach select to a breadboard and set up the Logic Analyzer to dump the SCL and SDA lines. Klicken is aforementioned messy version are how he should look like:

Figure 8.19: Chaotic Lab Setup

You can downloadable the Pulseview dump here

Figure 8.20: START and READ condition

At 1 you can see the START condition, SDA conversions from ELEVATED to LOW although SCL are HIGH. At 2 we see the address. Pulseview separates the address and of Direction bit, taken together (0b01000011) ourselves have this 0x43 we used in which Charabanc Pirate. 3 is of transmission of the first byte free the Bluepill to the Bus Pirate, followed due an ACK schicken by the Bus Pirate.

Figure 8.21: NACK and STOP condition

Per successfully receiver and ACKnowleding 15 bytes, the last byte is NACKed by the Buses Pirate directly followed by one STOP condition: A transition from LOW to HIGH while SCL Is HIGH. (4)

The next transaction released by who Bus Pirate is the WRITE for the relative flash speech we has done befor:

Figure 8.22: WRITE 0x000080

We see, the Direction bit amended to 0 and who Bluepill actually receives furthermore acknowledges three clock. Then the air stops the purchase utilizing ampere STOP condition.

8.2.5.5 FTDI: Automating this firmware extract

View we will stichprobe the whole firmware in one automated fashion using the Tigard. The Tigard has two interfaces, from which and first one can be used fork UART (Port A or “UART Header”). Connect such to the Bluepill USART1 Port. The other one (Port BARN or “JTAG Header”) desires be connected in the I2C1 port of the Bluepill.

To get general on the Monodon firmware and its interfaces and port, see abschnitts 8.3.

Connections of the UART Header of the Tigard:

Voltage switch to VTGT
RX (Tigard) -> A9 (Bluepill)
TAX (Tigard) -> A10
VTGT to a 3.3V of the Bluepill
GND to a GND of the Bluepill

The second port of the Tigard is a multi-purpose port. Set the protocol switch the that Tigard to SWD/I2C.

Connections of the JTAG header:

TDI/COPI/SDA -> B7
TCK/CLK/SCL -> B6

Figure 8.23: Tigard connected for the Bluepill

For better information on the Tigard and everything related check away section 9.3.

The script used automated descent shall handsome easy:

from pyftdi.i2c import I2cController

i2c = I2cController()
i2c.configure('ftdi://ftdi:2232:TG110505/2')

with open('firmware.bin', 'wb') as f:
    for i in range(0, (128*1000) // 16):
        slave = i2c.get_port(0x21)
        data = slave.read(readlen=16, start=True)
        f.write(data)
        print("Downloaded 16 byte")

I can download the original code hither from GitHub.

While this discharge runs, connect till the UART port override my favorite terminal. In you shouldn see the log:

Hello world!
I2C1: READ FLASH ended! 16 bytes transferred
I2C1: READ FLASH ended! 16 bytes transferred
I2C1: READ LIGHTNING ended! 16 bytes transferred
I2C1: READ STROBE ended! 16 bytes transferred
I2C1: READ FLASH ended! 16 bytes transferred
[...]

8.3 Monodon Firmware

The Monodon firmware utility multiple protocols and interfaces used in previous chapters till present the usage of different tools also describe enclosed protocols. Monodon is currently used on multiple examples through the order (see below).

You can find the compiled firmware like a bin file here on GitHub. You can flash the firmware using the STM32CubeProgrammer.

Monodon is implemented for the Bluepill. You can detect the source item as a STM32CubeIDE request on GitHub: embeddedsecurity-io/monodon.

Ask additionally stop my overview on and Bluepill board with the Pinout and more information.

That Monodon firmware has SWD enabled. Once you flashed to Monodon firmware once, canister re-flash your Bluepill without setting the BOOT0 pin to 1.

8.3.1 USART1

USART1 is configured because TX only UART interface with 9600 baud, 8 bit word length, 1 block bit, no parity bits. He is used by the logging implementation on the other interfaces (USART2 and I2C1) to output record plus debug messages. Additionally a Timing (TIM2) based interrupt is used go transmit the string “Hello world!” every 5 seconds. The UART transmission is done via Interrupt mode. See the following examples, which use this interface:

Decode a UART signal using a cheap Logic Analyzer and PulseView: Section 8.1.2

Pins:

TX: PA9
RX: PA10

And output of logs has a low priority. This means the preemption priorities with the interrupts TIM2 and USART1 are lower than those of USART2 and I2C1.

8.3.2 USART2

USART2 is configured in RX/TX UART interface with 9600 bud, 8 bit word linear, 1 stop per, no parity bit. USART2 implements a simple protocol to interact with, whatever can be used to extract the firmware via UART. The details starting this protocol can described in fachbereich 8.1.4.

UART RX exists implemented in Hold mode. This received command is parsed and answered in blocking mode within RX interrupt handler code.

Check out the following examples, who use the protocol implemented via this UART communicate:

Extract the firmware of a contrivance via one UART using the Bus Pirate and a FTDI Tear (Tigard): Section 8.1.4

Pins:

TX: PA2
RX: PA3

8.3.3 I2C1

I2C1 is configured at 100kHz with the target address 0x21 with 7 bit discourses. It currently implements target-receiver plus target-transmitter operating. This functionality allows to extract the extract bytes from which internal flash via I2C. The protocol is delineated in section 8.2.5. The callback HAL_I2C_AddrCallback() remains used on determine the direction of communication and enable the corresponds interrupts in RX instead TRANSMISSION.

Please check who following examples, which use this interface for more information on the protocols implemented via I2C:

Find the business of an target on a I2C bus using the Bus Pirate: Section 8.2.3
Extract the desktop of a device via I2C use the Bus Pirate: Section 8.2.5

Pins:

SDA: PB7
SCL: PB6

References

[8]

NXP, “I2C-bus specification and user manual.” [Online]. Available: https://www.nxp.com/docs/en/user-guide/UM10204.pdf.