Saturday, May 9, 2009

UART Sniffing Notes

by Travis Goodspeed <travis at radiantmachines.com>
concerning a collaboration with Reilly Grant.

The following are some brief notes on asynchronous serial traffic, how to decipher it, and how to identify a baud rate when a scope is unavailable.

RS232, TTL UART Waveforms


RS232 Serial
TTL Serial

Of the two waveforms above, the first is RS232 and the second is TTL-level serial. They are on opposite sides of a MAX232 level-converter, and the images have been scaled to show the same point in the transmission, which is inverted and amplified by the MAX232. Here, the TTL line is +5V for a 1 and 0V for a 0. The RS232 line is -10V for a 0 and +10V for a 1.

In decoding serial traffic, it is important to recognize that the least significant bit is transmitted first, and that it is preceded by a start bit of 0. Following the most significant bit will be an optional parity bit and stop bit of 1. Thus, 0xEE would be
111111110011101111111111
where the bold portion is the data byte and the surrounding ones are the idle state. For practice, draw arbitrary bytes on paper, both as RS232 and as TTL-level. Further, note that the exact end of the byte is not immediately clear, and can only be found by matching timing from the starting 0 bit.

Here is a photograph of a few bytes.
Smart Card ATR

Double Timing


Sniffing at the wrong rate.
When decoding serial traffic, it is crucially important to do so at the proper rate. It is for this reason that the standard baud rates have been decided upon. The traffic above was received at roughly, but not quite exactly, twice its baud rate. Note--by clicking the image for a better view--how common bytes of 0xFF and 0x00 are, as well as how rare a byte containing just a single 1 or 0 in isolation is.

Close Timing


Once sniffing traffic on the proper order of magnitude, it is often the case that a smart card reader will not be using exactly the same timing. As timing is synchronized not to a clock, but to a start bit, the less significant bits will be correct with errors being found in the more significant bits. For example, "0x3B 0x02" might be mistakenly read as "0x9B 0x82" if the transmission is being sniffed at a slower rate than the actual. This is because the stop bits are being misinterpreted as most-significant bits. (10,400 baud being sniffed at 9600 baud, in this case.)

To determine the next guess from an incorrect read without a scope, draw the misinterpreted byte and the correct byte of graph paper, comparing them. Shown below are 0x3B and 0x9B, click on the image for annotations.
Bytes

Unfortunately, Unix was not designed with odd baud rates in mind, and the Linux solution isn't terribly elegant either. In short, you must configure the port to run at 38,400 baud and override that baud rate with a manually chosen clock divider. For details, see the setserial documentation, looking at the spd_cust option. Further complicated matters, spd_cust doesn't seem to work with the FTDI usb/serial chip. If you can get the chip to work at an odd rate, please post a comment with details.

Automation


Automatically identifying the baud rate isn't terribly hard for a microcontroller, which can watch traffic to measure the bit width and adjust its reception appropriately. At some point, I'll write firmware for the MSP430 to do just that.

13 comments:

murali said...
This comment has been removed by the author.
murali said...

Hey Travis,

Thanks for the interesting post!

I was having issues checking out the 3.3 V ttl serial signals on my rigol ds1052E. I was expecting a signal similiar to the second image in your post(btw i'm using a cp2102 based usb-serial converter and sending HEX data using hercules serial terminal),but i was not able to get a squarish signal,rather a triangular/trapezoidal signal.I'm pretty new to all this stuff,I dont know what i'm doing wrong!,Can you please help and let me know what might be the possible issue?? Due to this i'm unable to identify the bits of the data which i plan to decode! Heres a screenshot of the signal for reference
dl.dropbox.com/u/92673895/ttl_serial.bmp

Taylor Bara said...

You would go here https://samedaypaper.org/blog/critical-essay after all. Because this service is the best!

Rahul Aniket said...

best water purifier in India

Jim Rhodes said...

I would like to see the full report. But these notes are nice too. Thanks!

Timothy Roberson said...

I got excessive fascinating things on your blog site. I think I am not the only one having all the pleasure here! Maintain the good job. To learn more about text-to-speech technology (TTS) Please do refer the article text to speech converter. Here you will learn text to speech. Thank for the attention.

Devilson : Buy MotoGP Suits, Jacket, Boots and Matching Gloves at UK best online Store said...

Hello I do believe your web site may be having web browser compatibility problems. Whenever I look at your blog in Safari it looks fine however when opening in I.E. it has some overlapping issues. I just wanted to give you a quick heads up! Other than that great site!
body bags for halloween

suzukirizla

kawaski monster

motorcycle red and black

devil fashion clothing

john david said...

Hello I am Toni, I live in USA, currently working in a marketing firm. I found this post useful because it contains a unique content and some useful content which is very helpful for everyone. If you are looking for a Mold inspections services kindly check, Mold inspections Boca Raton FL
They offer best services in town with good quality work.

Anonymous said...

If you are interested in the blogging industry, check out the latest posts on the great site. Post-related How fast you can click spacebar click. Read the article spacebar counter and have a good reading experience.

Spy Blogs said...

Such an informative blog i really love to read your blogs. I wrote a inspiring blog on startups for young generations

johns said...

Your blogs are really good and interesting. It is very great and informative. The following are some brief notes on asynchronous serial traffic, how to decipher it, and how to identify a baud rate when a scope is unavailable Sex Crime Lawyer. I got a lots of useful information in your blog. Keeps sharing more useful blogs..

albaflores said...

Recruiting-as-a-Service, or RaaS, is a complete and adaptable service offered by specialised talent acquisition firms. These external partners are in charge of locating, analysing, and presenting top-tier applicants for various jobs within an organisation. Best Fintech Recruitment Companies in US hiring organisations seeking to access a diverse pool of talent without the requirement for an internal recruitment staff might tremendously benefit from these services.

Amelia said...

In today's fast-changing business world, the typical office setup is no longer the only choice for startups and entrepreneurs. As things change and traditional corporate structures face challenges, a fresh approach is gaining popularity – one that focuses on community, flexibility, and working together. Work Hall, Best Coworking Space in Karachi, provides individuals and businesses the chance to excel in their work by offering well-designed private offices in beautiful locations in Karachi.