Tuesday, December 30, 2008

Sniffing the MSP430 FET Protocol

by Travis Goodspeed <travis at radiantmachines.com>
regarding his independent recreation of anonymous, unpublished work by other neighborly fellows. Update: see here for the original implementation.

As the MSP430's gdbproxy relies upon closed-source libraries, which are not available for platforms other than Windows and i386 Linux, it would be valuable to create an open-source alternative. Further, these closed libraries do not allow the debugging of all MSP430s. As reverse engineering the protocol by code review would be prohibitively complicated, grabbing serial traffic is an effective alternative. The following method allows for the dumping of serial frames for later analysis.

It is also a worthy goal to reverse engineer the proprietary aspects of TI's JTAG standard, but that is not the subject of this article. Here I will only investigate the protocol between a workstation and the MSP430 JTAG tool.

The simplest means of doing so is to use LD_PRELOAD to proxy (and print) calls to the write() and read() functions. To do so, I authored serspy.

Serspy works by proxying each call to the read() and write() system calls. For example, to trap the write() command,

#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdio.h>
#include <unistd.h>

//trap the write command
static ssize_t (*_write)(int fd, const void *buf, size_t count)=0;
ssize_t write(int fd, const void *buf, size_t count){
  ssize_t num; size_t i; char hex[4];
  //This grabs a pointer to the original function (once; later calls reuse it).
  if(!_write)
    _write=(ssize_t (*) (int fd, const void *buf, size_t count)) dlsym(RTLD_NEXT,"write");

  //Now really write.
  num=_write(fd,buf,count);
  //And log it: hex-dump the bytes to stderr through the real write(), so this hook is not re-entered.
  _write(2,"W ",2);
  for(i=0;num>0 && i<(size_t)num;i++){
    snprintf(hex,sizeof(hex)," %02x",((const unsigned char*)buf)[i]);
    _write(2,hex,3);
  }
  _write(2,"\n",1);
  return num;
}

The code above is a replacement for the write() function which uses dlsym() to request a pointer to the original write() function, to which it forwards the call before logging it. As msp430-gdbproxy doesn't link against libdl and it is a 32-bit application, LD_PRELOAD must be set to "./serspy.so:/usr/lib32/libdl.so". Further, serspy.so itself must be compiled with the -m32 switch on 64-bit workstations.

Consider an example transaction, such as
W  7e 01 01 16 07 7e
R 0c 00
R 01 02 00 00 01 00 50 9e 98 00 67 4b

Writes (W) from the workstation begin and end with 0x7e, which never appears within the request. An encoding method of some sort is used to remove them. Reads (R) from the FET device begin with a 16-bit, little endian length. Following this length are the bytes themselves.

Consider also the following Writes, all of which are fetches for memory.
x/h 0x0200
7e 0d 02 02 00 00 02 00 00 02 00 00 00 b0 17 7e
x/h 0xfc00
7e 0d 02 02 00 00 fc 00 00 02 00 00 00 c0 06 7e
x/h 0xfc02
7e 0d 02 02 00 02 fc 00 00 02 00 00 00 af 0d 7e

All addresses are found intact as little endian: "00 02" for 0x200, "00 fc" for 0xfc00, and "02 fc" for 0xfc02. That won't be true for bytes which contain illicit characters, as I'll demonstrate later. Also note that the final two bytes of each message vary drastically; these are most likely a checksum of some sort.

Regarding the checksum, there are two common possibilities. The first is a CRC16 checksum, while the second is the XOR of all transmitted bytes. The MSP430's serial bootstrap loader uses the latter method, but it is easy to rule out here. As the examples above for fetching 0xfc00 and 0xfc02 differ by only one bit apart from the checksum, yet the checksums show no resemblance, this checksumming function must be more complicated. A solution to the checksumming problem will be presented in a later article.

Illicit characters are dealt with by escaping. Consider the following queries,
x/h 0xeeee
7e 0d 02 02 00 ee ee 00 00 02 00 00 00 5c ac 7e
x/h 0xee7e
7e 0d 02 02 00 7d 5e ee 00 00 02 00 00 00 c6 3c 7e
x/h 0xee7d
7e 0d 02 02 00 7d 5d ee 00 00 02 00 00 00 16 b6 7e
x/h 0xee7f
7e 0d 02 02 00 7f ee 00 00 02 00 00 00 79 bd 7e
x/h 0xee7c
7e 0d 02 02 00 7c ee 00 00 02 00 00 00 a9 37 7e

From this it can be seen that 0x7d is the escape character, and that 0x7d and 0x7e are the characters to be escaped. Each is escaped by sending 0x7d followed by the byte with its high nybble changed from 7 to 5, so 0x7e becomes 0x7d 0x5e and 0x7d becomes 0x7d 0x5d.

Performing a few more queries exposes the length field of the memory read, as queries for 2, 1, and 4 bytes yield
x/h 0xeeee
7e 0d 02 02 00 ee ee 00 00 02 00 00 00 5c ac 7e
x/b 0xeeee
7e 0d 02 02 00 ee ee 00 00 01 00 00 00 91 89 7e
x/w 0xeeee
7e 0d 02 02 00 ee ee 00 00 04 00 00 00 c6 e7 7e

The first byte after the frame-start is 0x0d, which is also the first byte of the response. Taking this further, a command/response code can be discovered, which is the first byte of both the encapsulated request and the response. In the following case, an examine query has the code 0x0d while the set query has a code of 0x0e.
set *0xffd0=0xdead
W 7e 0e 04 01 00 d0 ff 00 00 02 00 00 00 ad de 49 6e 7e
R 06 00
R 0e 00 00 00 9c 52
x/h 0xffd0
W 7e 0d 02 02 00 e0 ff 00 00 02 00 00 00 4d b6 7e
R 0c 00
R 0d 03 00 00 02 00 00 00 ff ff 03 b8

This series will be continued once the checksumming routine has been reimplemented, at which point a custom client may be written.

See this post for details on my implementation.


Unknown said...

The framing is very similar to PPP, so maybe it's using the same CRC too (RFC 1662).

Travis Goodspeed said...

So it is, FCS-16 from page 18 works like a charm!
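
The frames quoted in the post, decoded with the RFC 1662 FCS-16 identified in the two comments above. This is an added example, not code from the post or from serspy; it assumes that the FCS covers the unescaped payload and is appended little-endian before byte-stuffing, and that the address and length parameters are 32-bit little-endian fields (the post shows them only as 16-bit values followed by zero bytes).

```python
# Added example, not from the post or serspy. Assumptions: the checksum is the RFC 1662
# FCS-16 computed over the unescaped payload and appended little-endian before stuffing;
# the examine/set address and length parameters are 32-bit little-endian fields.
FLAG, ESC, ESC_XOR = 0x7E, 0x7D, 0x20

def fcs16(data: bytes) -> int:
    """RFC 1662 FCS-16: reflected CRC-16, poly 0x8408, init 0xFFFF, final XOR 0xFFFF."""
    fcs = 0xFFFF
    for b in data:
        fcs ^= b
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs ^ 0xFFFF

def unescape(frame: bytes) -> bytes:
    """Strip the 0x7e delimiters and undo 0x7d stuffing (0x7d 0x5e -> 0x7e, 0x7d 0x5d -> 0x7d)."""
    if len(frame) < 4 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("frame must start and end with 0x7e")
    out, it = bytearray(), iter(frame[1:-1])
    for b in it:
        if b == FLAG:
            raise ValueError("bare 0x7e inside frame")
        out.append(next(it) ^ ESC_XOR if b == ESC else b)  # StopIteration if escape is cut off
    return bytes(out)

def decode_write(frame: bytes) -> dict:
    """Parse a workstation->FET request into its fields and check the trailing FCS."""
    body = unescape(frame)
    payload, fcs = body[:-2], int.from_bytes(body[-2:], "little")
    info = {"code": payload[0], "fcs_ok": fcs16(payload) == fcs, "payload": payload.hex(" ")}
    if payload[0] in (0x0D, 0x0E):  # examine / set: address and byte count follow the header
        info["addr"] = int.from_bytes(payload[4:8], "little")
        info["length"] = int.from_bytes(payload[8:12], "little")
        info["data"] = payload[12:]  # empty for examine; the bytes to be written for set
    return info

def decode_read(stream: bytes) -> bytes:
    """FET->workstation responses: 16-bit little-endian length, then that many bytes."""
    n = int.from_bytes(stream[:2], "little")
    if len(stream) < 2 + n:
        raise ValueError("truncated response")
    return stream[2:2 + n]

if __name__ == "__main__":
    for hexframe in ("7e 0d 02 02 00 00 02 00 00 02 00 00 00 b0 17 7e",       # x/h 0x0200
                     "7e 0d 02 02 00 7d 5e ee 00 00 02 00 00 00 c6 3c 7e",    # x/h 0xee7e
                     "7e 0e 04 01 00 d0 ff 00 00 02 00 00 00 ad de 49 6e 7e"):  # set *0xffd0
        print(decode_write(bytes.fromhex(hexframe)))
```

The first frame's FCS verifies as 0x17b0 (transmitted b0 17), confirming that the checksum is taken over the payload before escaping.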
