
"Hidden" Serial Consoles


17 replies to this topic

#1 Aghaster

Aghaster

    The Frenchman

  • Agents of the Revolution
  • 2,093 posts
  • Country:
  • Gender:Male
  • Location:Quebec, Canada

Posted 28 May 2010 - 07:09 AM

I have never used a serial console except for LOM on my Sun Fire v100, if that can count. I've read over time various articles from people that could find a few pins on a board they were trying to reverse engineer that would correspond to a Linux serial console. I have no idea how many pins are usually needed, what are the most common types of these consoles and their pinouts. I'd like some advice on where to find additional resources on 1) the various types of serial consoles that exist and 2) instructions on how to connect them to another Linux computer in order to use it and 3) tips on how to figure out if there is any on a board you're trying to find one.

I posted pictures of the board here: http://www.binrev.co...e-media-center/

If anybody can give advice, or if you think there's something on those pictures that looks like one, your help would be much appreciated.

#2 PurpleJesus

PurpleJesus

    Dangerous free thinker

  • Members
  • 1,578 posts
  • Gender:Male
  • Location:800

Posted 29 May 2010 - 09:20 AM

I don't know.. but you might get lucky with a logic analyzer.

This one is pretty cheap for the crowd : http://www.saleae.com/logic/

it will decode various protocols. Maybe it could help you sort through all the various test points.

edit: check out the features tag for the protocols.

Edited by PurpleJesus, 29 May 2010 - 09:21 AM.


#3 army_of_one

army_of_one

    SUP3R 31337 P1MP

  • Members
  • 282 posts

Posted 30 May 2010 - 01:57 AM


Well, I can't say too much on this. However, most SOC's support serial ports and my RTOS's come with them by default. Embedded developers often use them during development in some way or leave the drivers in for maintenance purposes. Point? There's a decent chance that some serial protocol is accessible. The only tip I can give you for sure is to figure out what SOC or processor or whatever is in use. Many come with support for certain protocols on-chip. I'd start by figuring out what chips are being used and getting their datasheets. Many developers working quickly and cheaply will just go with suggested defaults. So, you might be able to use that as a clue to get a serial console working.

#4 Aghaster


Posted 30 May 2010 - 11:25 AM



I went through the available bootloader source code yesterday, and found some interesting hints. The bootloader code suggests the usage of UART 16550C, and also an optional YAMON interface. I found out that if I connect the device directly to a computer USB port using the mini-usb port on the back, the bootloader will detect it and automatically make the hard disk inside available to the connected computer. However, the hard disk is useless to me, as the OS isn't installed there. Do you know of any website that has pictures or diagrams of the number of pins or what these ports look like on a board usually?

#5 army_of_one


Posted 30 May 2010 - 11:47 AM

> Do you know of any website that has pictures or diagrams of the number of pins or that these ports look like on a board usually?


No, I do not unfortunately. The closest thing I have is the computer hardware poster. Maybe it will provide you clues.

#6 Aghaster


Posted 30 May 2010 - 04:04 PM

I took much better pictures this time, I uploaded them here:

http://www.awakecodi...ads/RTD1262.zip

#7 mungewell

mungewell

    SUPR3M3 31337 Mack Daddy P1MP

  • Agents of the Revolution
  • 376 posts
  • Location:Planet Earth

Posted 31 May 2010 - 12:56 PM

> I took much better pictures this time, I uploaded them here:


Could have warned about the 47MByte... ;-)

So this is your media player thingie. Obviously the main processor is the largest (RTD1262); luckily for you it is a quad flat pack, as you can actually get probes/wires onto the pins.

GL850: USB 2.0 4-PORT HUB CONTROLLER
JM20330 is a single chip solution for serial and parallel ATA translation.

Do you have an IC name/number for the one in IMG_3082?


I'd check datasheet pinout against older RTD1261 (probably same/similar) or maybe try to trace tracks from other image:
http://rtd1261.wikidot.com/internals

Serial will be LV-TTL on chip's pins. Check the supply rail (3.3V or 2.8V) and use a USB/Serial converter such as:
http://www.robotshop...k-mini-b-1.html

As well as serial ports, you could track down the JTAG pins. Depending on what processor is used inside this beast these can give 100% control of I/O ring and, if you are lucky, of the processor itself.

Have fun,
Mungewell.

#8 mungewell


Posted 31 May 2010 - 01:01 PM

> The bootloader code suggests the usage of UART 16550C, and also an optional YAMON interface.


Most modern SOCs have standardised peripherals built into the chip, so this will be referring to the on-board UART rather than an external device.

If you have the boot loader you may have important information about the memory interface configuration. If you can get to the JTAG port, you may be able to configure the memory interface by hand and simply read out binary from the flash chip.

Mungewell.

#9 Aghaster


Posted 31 May 2010 - 06:58 PM

Thanks for the tips!

I've updated the transcription of the text on the chips with my much better pictures, and I found the datasheets for all of them except for the RTD1262 (that one doesn't have public documentation)

JMicron JM20330
Serial ATA Bridge

JM20330
0922 TGAZ0 C0
3715M0031

Realtek RTD1262

RTD1262PA
93H26Q1
G918C TAIWAN

Genesys Logic GL850A
USB 2.0 Low-Power HUB Controller

GL850A
MS1FA01G06
916SK04801

Macronix MX25L6405D
64M-Bit CMOS Serial Flash

MX B091931
25L6405DMI-12G
384480C0
TAIWAN

National Semiconductor LM1085
3A Low Dropout Positive Regulator

JM81RD
LM1085
IS-ADJ

Genesys Logic GL811S
USB 2.0 to ATA/ATAPI Bridge Controller

GL811S
MN1BB03G03
913AA4904

NANYA NT5DS32M16BS
512MB DDR SDRAM

NANYA 0820
NT5DS32M16BS-5T
807239Y1BF SG

GL811S
GL850A
JM20330
LM1085
MX25L6405DMI-12G
NT5DS32M16BS-5T

#10 systems_glitch

systems_glitch

    Dangerous free thinker

  • Moderating Team
  • 1,623 posts
  • Gender:Male

Posted 31 May 2010 - 08:29 PM

A console serial connection requires no flow control usually, so all you need is TxD and RxD and GND -- 3 pins. They're often brought out to a 9-pin (or 10-pin with corner key) header, following the standard DB-9 RS-232 pinout, if they actually use RS-232 levels. Many embedded systems only provide TTL serial, since the console port isn't regularly used by end users; therefore, you'll need a level converter IC like the MAX232 (or any of its numerous clones) to shift the TTL to RS-232 levels.

Edited by systems_glitch, 31 May 2010 - 08:30 PM.


#11 Aghaster


Posted 01 June 2010 - 01:44 PM

Does anybody know if there exists a way of physically placing a device on top of the SOC that would fit directly on the 256 pins and allow you to more easily probe them, or connect them to a serial port?

#12 MrFluffy

MrFluffy

    HACK THE PLANET!

  • Validating
  • 68 posts
  • Country:
  • Gender:Male
  • Location:somewhere

Posted 01 June 2010 - 04:15 PM

> Does anybody know if there exists a way of physically placing a device on top of the SOC that would fit directly on the 256 pins and allow you to more easily probe them, or connect them to a serial port?


The magic words you are looking for are "ic test clips"...

http://parts.digikey...-test-equipment

http://www.pomonaele...=a_probe_choice

#13 mungewell


Posted 01 June 2010 - 05:24 PM

> Does anybody know if there exists a way of physically placing a device on top of the SOC that would fit directly on the 256 pins and allow you to more easily probe them, or connect them to a serial port?


For the size device that you are looking at, these would be HUGELY expensive. My suggestion would be to look for info around the web, there was some suggestion that there was a Telnet port active on other variants - did you try portscanning it?

If you are pretty sure that the ASC pins are not connected on your board you could target the unconnected ones and probe with the input to an FTDI adapter (so that you can see any serial activity on PC when board is powered). You will also need a ground connected to board ground.

Serial data is pretty distinctive.
Mungewell.
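
Added example, not part of the original thread: the tips in posts #7, #10 and #13 come down to watching a candidate pin for idle-high serial traffic. This Python sketch takes thresholded logic-analyzer samples, estimates the baud rate from the shortest pulse and decodes the bytes. The 8N1 framing, the 1 MS/s sample rate, the 115200 line rate and the capture itself are assumptions constructed for the example.

```python
from itertools import groupby

STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200)

def encode_8n1(data, baud, sample_rate):
    """Build a constructed capture: idle-high line carrying 8N1 frames, LSB first."""
    spb = sample_rate / baud                      # samples per bit, may be fractional
    bits = [1] * 20                               # idle line before the first frame
    for byte in data:
        bits += [0] + [(byte >> k) & 1 for k in range(8)] + [1]   # start, data, stop
    bits += [1] * 20
    return [bits[int(n / spb)] for n in range(int(len(bits) * spb))]

def estimate_baud(samples, sample_rate):
    """The shortest pulse between edges is one bit time; snap it to a standard rate."""
    runs = [len(list(group)) for _, group in groupby(samples)]
    shortest = min(runs[1:-1])                    # skip leading and trailing idle
    raw = sample_rate / shortest
    return min(STANDARD_BAUDS, key=lambda b: abs(b - raw))

def decode_8n1(samples, baud, sample_rate):
    """Recover bytes by sampling each bit at its centre after every start edge."""
    spb = sample_rate / baud
    out, i = bytearray(), 0
    while i < len(samples) - 1:
        if samples[i] == 1 and samples[i + 1] == 0:          # falling edge: start bit
            centres = [int(i + 1 + (k + 0.5) * spb) for k in range(10)]
            if centres[-1] >= len(samples):
                break                                         # truncated final frame
            frame = [samples[c] for c in centres]
            if frame[0] == 0 and frame[9] == 1:               # start low, stop high
                out.append(sum(bit << k for k, bit in enumerate(frame[1:9])))
                i = centres[-1]                               # resume in the stop bit
                continue
        i += 1                                                # idle or framing error
    return bytes(out)

if __name__ == "__main__":
    SAMPLE_RATE = 1_000_000                       # assumed analyzer rate, 1 MS/s
    capture = encode_8n1(b"Venus login: ", 115200, SAMPLE_RATE)   # constructed input
    baud = estimate_baud(capture, SAMPLE_RATE)
    print(baud, decode_8n1(capture, baud, SAMPLE_RATE))
```

A pin that decodes to readable text at a standard rate is the console's TxD; a pin that yields only framing errors at every rate is some other signal.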

#14 Aghaster


Posted 01 June 2010 - 07:26 PM



I've been searching and trying really hard to get telnet working on my device. I was unlucky enough to get one of the firmwares with a busybox build that didn't have telnetd in it. I'm very happy, I just "rooted" it :) I downloaded some backup of the flash coming from an Italian forum where the guy claimed to have a similar device with telnetd. I found that one of the partitions he backed up was a squashfs image. The squashfs image was too big compared to mine, so it failed to flash. I first tried replacing the video player app that was much larger with the one I had originally, but then I wouldn't get any video. I then tried using my original firmware, but replacing /bin, /usr/bin, /usr/sbin and /etc with the one from the online backup (which had a working telnetd). I flashed it... and...

aghaster@sidux:~$ telnet 192.168.1.115
Trying 192.168.1.115...
Connected to 192.168.1.115.
Escape character is '^]'.
Venus login: root
warning: cannot change to home directory


BusyBox v1.1.3 (2008.10.23-09:40+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

/ # uname -a
Linux Venus 2.6.12.6-VENUS #6 Tue Nov 25 11:06:53 CST 2008 mips unknown
/ # ls -l
-rwxr-xr-x    1 root     root        61440 Oct 13  2008 Test.fat
drwxr-xr-x    2 root     root          481 Jun  2  2010 bin
drwxr-xr-x    1 root     root            0 Jan  1  1970 dev
drwxr-xr-x    4 root     root          241 Jun  2  2010 etc
drwxr-xr-x    3 root     root          425 Oct 14  2008 lib
lrwxrwxrwx    1 root     root           11 Jun  2  2010 linuxrc -> bin/busybox
drwxr-xr-x    7 root     root           65 Oct 14  2008 mnt
dr-xr-xr-x   58 root     root            0 Jan 26 12:33 proc
drwxr-xr-x    2 root     root          256 Oct 14  2008 sbin
drwxr-xr-x   11 root     root            0 Jan 26 12:33 sys
drwxr-xr-x   12 root     root            0 Jan 26 12:33 tmp
drwxr-xr-x    8 root     root           69 Oct 14  2008 tmp_orig
drwxr-xr-x    5 root     root           48 Oct 14  2008 usr
lrwxrwxrwx    1 root     root            4 Jun  2  2010 var -> tmp/

Now, the rest is going to be trivial :) getting telnet working was the hard part, hehehe. There are various tweaks on wikis on how to make the root partition writable, etc. Some people even got chrooted Debian environments :p
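
Added example, not part of the original thread: seen from the side of whoever builds or reviews such firmware, the session above (telnet, login as root, no password prompt) is something to catch in an unpacked root filesystem before it ships. The Python check below looks for empty password fields, a telnetd binary or BusyBox link, and start-up lines that launch it; the file locations and the sample tree are assumptions constructed for the example.

```python
import os
import tempfile

INIT_FILES = ("etc/inittab", "etc/init.d/rcS", "etc/inetd.conf")   # assumed locations
BIN_DIRS = ("bin", "sbin", "usr/bin", "usr/sbin")

def audit_rootfs(root):
    """Return findings for an unpacked firmware root filesystem at `root`."""
    findings = []
    # 1. Accounts that log in without a password (empty second passwd field).
    passwd = os.path.join(root, "etc/passwd")
    if os.path.isfile(passwd):
        with open(passwd) as fh:
            for line in fh:
                fields = line.rstrip("\n").split(":")
                if len(fields) >= 7 and fields[1] == "":
                    findings.append(("empty-password", fields[0]))
    # 2. A telnetd binary or BusyBox applet link (the link may dangle when unpacked).
    for directory in BIN_DIRS:
        if os.path.lexists(os.path.join(root, directory, "telnetd")):
            findings.append(("telnetd-present", os.path.join(directory, "telnetd")))
    # 3. Start-up files that launch it, ignoring commented-out text.
    for rel in INIT_FILES:
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            continue
        with open(path) as fh:
            for number, line in enumerate(fh, 1):
                if "telnetd" in line.split("#", 1)[0]:
                    findings.append(("telnetd-started", f"{rel}:{number}"))
    return findings

def build_sample_rootfs(root):
    """Constructed sample tree for the demo, not the device's real files."""
    for directory in ("etc/init.d", "bin", "usr/sbin"):
        os.makedirs(os.path.join(root, directory))
    with open(os.path.join(root, "etc/passwd"), "w") as fh:
        fh.write("root::0:0:root:/root:/bin/sh\nnobody:x:99:99::/:/bin/false\n")
    with open(os.path.join(root, "etc/init.d/rcS"), "w") as fh:
        fh.write("#!/bin/sh\n# telnetd disabled in older builds\n/usr/sbin/telnetd &\n")
    os.symlink("../../bin/busybox", os.path.join(root, "usr/sbin/telnetd"))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_rootfs(build_sample_rootfs(tmp)):
            print(*finding)
```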

#15 mungewell


Posted 03 June 2010 - 12:05 PM

> The squashfs image was too big compared to mine, so it failed to flash. I first tried replacing the video player app that was much larger with the one I had originally, but then I wouldn't get any video. I then tried using my original firmware, but replacing /bin, /usr/bin, /usr/sbin and /etc with the one from the online backup (which had a working telnetd). I flashed it... and...


Congrats!! and now a 'handy Mungewell hint'....

If you are mounting the embedded disk image and changing stuff, you can find that the 'old stuff' is still on disk and lessens the amount of compression that can be done on it (I found this when playing with Linux-VR on MIPS PDA a while ago, so might not be applicable now).

By creating an empty disk (with dd if=/dev/zero of=...) and then tarring/untarring the altered disk into it you can be sure that there is no cruft left behind.

Which graphics system (X11, SVGALib, etc) are they using, which media player, etc....?
Munge.

#16 thepcdude

thepcdude

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 353 posts
  • Location:Computer, Desk

Posted 05 June 2010 - 11:32 PM

Very neat!!

This has always been EXACTLY the type of hacking I have wanted to learn but never could.

I just can't wrap my head around on how to find the serial ports. xD

#17 Aghaster


Posted 07 June 2010 - 09:41 PM

Here are some updated photos, I opened it again to take better pictures of the back of the mainboard. Some of these pictures were in the zip posted earlier. Beware, they're high definition. I'm trying to figure out if the mysterious unpopulated part of the board is for EJTAG.

http://www.awakecodi...front_panel.jpg
http://www.awakecodi...0DVR/GL811S.jpg
http://www.awakecodi...0DVR/GL850A.jpg
http://www.awakecodi...DVR/JM20330.jpg
http://www.awakecodi...0DVR/LM1085.jpg
http://www.awakecodi...unpopulated.jpg
http://www.awakecodi...board_back1.jpg
http://www.awakecodi...board_back2.jpg
http://www.awakecodi...board_back3.jpg
http://www.awakecodi...board_back4.jpg
http://www.awakecodi...board_back5.jpg
http://www.awakecodi...6405DMI-12G.jpg
http://www.awakecodi...S32M16BS-5T.jpg
http://www.awakecodi...DVR/RTD1262.jpg

I *almost* got to the point where I could make a chrooted Debian installation. I made an ext3-formatted USB drive and used debootstrap to prepare a Debian lenny mipsel installation on it. However, to complete the debootstrapped installation, I need to be able to run the stage 2 of the installation, which requires a chrooted environment on the target device with rw, exec and dev permissions. The system automatically mounts the ext3 partition with ro,noexec,nodev. I can remount the partition with rw and exec, but for some reason I still was unable to remount it with dev permissions. Any ideas?

#18 mungewell


Posted 08 June 2010 - 10:48 AM

> I'm trying to figure out if the mysterious unpopulated part of the board is for EJTAG.


Nope. ;-)

My best guess would be that alternative tuners/demod cards can be fitted to work with DVB-T, Digital Satellite, etc... The main processor can handle transport stream and would most likely control the tuner via I2C. Multiple transport streams would be unused in dual tuner PVRs to allow for the recording of a program (which might be on a different multiplex) to the one being watched.

Mungewell.




BinRev is hosted by the great people at Lunarpages!