Aghaster

"Hidden" Serial Consoles


I have never used a serial console except for LOM on my Sun Fire v100, if that can count. I've read over time various articles from people that could find a few pins on a board they were trying to reverse engineer that would correspond to a Linux serial console. I have no idea how many pins are usually needed, what are the most common types of these consoles and their pinouts. I'd like some advice on where to find additional resources on 1) the various types of serial consoles that exist and 2) instructions on how to connect them to another Linux computer in order to use it and 3) tips on how to figure out if there is any on a board you're trying to find one.

I posted pictures of the board here: http://www.binrev.com/forums/index.php/topic/43424-hackable-media-center/

If anybody can give advice, or if you think there's something on those pictures that looks like one, your help would be much appreciated.


I don't know.. but you might get lucky with a logic analyzer.

This one is pretty cheap for the crowd: http://www.saleae.com/logic/

It will decode various protocols. Maybe it could help you sort through all the various test points.

edit: check out the features tag for the protocols.

Edited by PurpleJesus

I have never used a serial console except for LOM on my Sun Fire v100, if that can count. I've read over time various articles from people that could find a few pins on a board they were trying to reverse engineer that would correspond to a Linux serial console. I have no idea how many pins are usually needed, what are the most common types of these consoles and their pinouts. I'd like some advice on where to find additional resources on 1) the various types of serial consoles that exist and 2) instructions on how to connect them to another Linux computer in order to use it and 3) tips on how to figure out if there is any on a board you're trying to find one.

I posted pictures of the board here: http://www.binrev.co...e-media-center/

If anybody can give advice, or if you think there's something on those pictures that looks like one, your help would be much appreciated.

Well, I can't say too much on this. However, most SOCs support serial ports and my RTOSes come with them by default. Embedded developers often use them during development in some way or leave the drivers in for maintenance purposes. Point? There's a decent chance that some serial protocol is accessible. The only tip I can give you for sure is to figure out what SOC or processor or whatever is in use. Many come with support for certain protocols on-chip. I'd start by figuring out what chips are being used and getting their datasheets. Many developers working quickly and cheaply will just go with suggested defaults. So, you might be able to use that as a clue to get a serial console working.


I have never used a serial console except for LOM on my Sun Fire v100, if that can count. I've read over time various articles from people that could find a few pins on a board they were trying to reverse engineer that would correspond to a Linux serial console. I have no idea how many pins are usually needed, what are the most common types of these consoles and their pinouts. I'd like some advice on where to find additional resources on 1) the various types of serial consoles that exist and 2) instructions on how to connect them to another Linux computer in order to use it and 3) tips on how to figure out if there is any on a board you're trying to find one.

I posted pictures of the board here: http://www.binrev.co...e-media-center/

If anybody can give advice, or if you think there's something on those pictures that looks like one, your help would be much appreciated.

Well, I can't say too much on this. However, most SOCs support serial ports and my RTOSes come with them by default. Embedded developers often use them during development in some way or leave the drivers in for maintenance purposes. Point? There's a decent chance that some serial protocol is accessible. The only tip I can give you for sure is to figure out what SOC or processor or whatever is in use. Many come with support for certain protocols on-chip. I'd start by figuring out what chips are being used and getting their datasheets. Many developers working quickly and cheaply will just go with suggested defaults. So, you might be able to use that as a clue to get a serial console working.

I went through the available bootloader source code yesterday, and found some interesting hints. The bootloader code suggests the usage of UART 16550C, and also an optional YAMON interface. I found out that if I connect the device directly to a computer USB port using the mini-USB port on the back, the bootloader will detect it and automatically make the hard disk inside available to the connected computer. However, the hard disk is useless to me, as the OS isn't installed there. Do you know of any website that has pictures or diagrams of the number of pins or what these ports look like on a board usually?


Do you know of any website that has pictures or diagrams of the number of pins or what these ports look like on a board usually?

No, I do not unfortunately. The closest thing I have is the computer hardware poster. Maybe it will provide you clues.


I took much better pictures this time, I uploaded them here:

Could have warned about the 47MByte... ;-)

So this is your media player thingie. Obviously the main processor is the largest (RTD1262); luckily for you it is a quad flat pack, as you can actually get probes/wires onto the pins.

GL850: USB 2.0 4-PORT HUB CONTROLLER

JM20330 is a single chip solution for serial and parallel ATA translation.

Do you have an IC name/number for the one in IMG_3082?

I'd check datasheet pinout against older RTD1261 (probably same/similar) or maybe try to trace tracks from other image:

http://rtd1261.wikidot.com/internals

Serial will be LV-TTL on chip's pins. Check the supply rail (3.3V or 2.8V) and use a USB/Serial converter such as:

http://www.robotshop.ca/sfe-lilypad-usb-link-mini-b-1.html

As well as serial ports, you could track down the JTAG pins. Depending on what processor is used inside this beast, these can give 100% control of I/O ring and, if you are lucky, of the processor itself.

Have fun,

Mungewell.


The bootloader code suggests the usage of UART 16550C, and also an optional YAMON interface.

Most modern SOCs have standardised peripherals built into the chip, so this will be referring to the on-board UART rather than an external device.

If you have the boot loader you may have important information about the memory interface configuration. If you can get to the JTAG port, you may be able to configure the memory interface by hand and simply read out binary from the flash chip.

Mungewell.


Thanks for the tips!

I've updated the transcription of the text on the chips with my much better pictures, and I found the datasheets for all of them except for the RTD1262 (that one doesn't have public documentation).


JMicron JM20330
Serial ATA Bridge

JM20330
0922 TGAZ0 C0
3715M0031

Realtek RTD1262

RTD1262PA
93H26Q1
G918C TAIWAN

Genesys Logic GL850A
USB 2.0 Low-Power HUB Controller

GL850A
MS1FA01G06
916SK04801

Macronix MX25L6405D
64M-Bit CMOS Serial Flash

MX B091931
25L6405DMI-12G
384480C0
TAIWAN

National Semiconductor LM1085
3A Low Dropout Positive Regulator

JM81RD
LM1085
IS-ADJ

Genesys Logic GL811S
USB 2.0 to ATA/ATAPI Bridge Controller

GL811S
MN1BB03G03
913AA4904

NANYA NT5DS32M16BS
512MB DDR SDRAM

NANYA 0820
NT5DS32M16BS-5T
807239Y1BF SG

GL811S

GL850A

JM20330

LM1085

MX25L6405DMI-12G

NT5DS32M16BS-5T


A console serial connection requires no flow control usually, so all you need is TxD and RxD and GND -- 3 pins. They're often brought out to a 9-pin (or 10-pin with corner key) header, following the standard DB-9 RS-232 pinout, if they actually use RS-232 levels. Many embedded systems only provide TTL serial, since the console port isn't regularly used by end users; therefore, you'll need a level converter IC like the MAX232 (or any of its numerous clones) to shift the TTL to RS-232 levels.

Edited by systems_glitch

Does anybody know if there exists a way of physically placing a device on top of the SOC that would fit directly on the 256 pins and allow you to more easily probe them, or connect them to a serial port?


Does anybody know if there exists a way of physically placing a device on top of the SOC that would fit directly on the 256 pins and allow you to more easily probe them, or connect them to a serial port?

The magic words you are looking for are "ic test clips"...

http://parts.digikey.com/1/parts-cats/test-clips-ic-test-equipment

http://www.pomonaelectronics.com/index.php?i=a_probe_choice


Does anybody know if there exists a way of physically placing a device on top of the SOC that would fit directly on the 256 pins and allow you to more easily probe them, or connect them to a serial port?

For the size device that you are looking at, these would be HUGELY expensive. My suggestion would be to look for info around the web, there was some suggestion that there was a Telnet port active on other variants - did you try portscanning it?

If you are pretty sure that the ASC pins are not connected on your board you could target the unconnected ones and probe with the input to a FTDI adapter (so that you can see any serial activity on PC when board is powered). You will also need a ground connected to board ground.

Serial data is pretty distinctive.

Mungewell.
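
An added illustration of why serial traffic stands out on a probed pin (example code, not from any poster in this thread): it takes logic-level samples such as a logic analyzer export, estimates the baud rate from the shortest pulse, and decodes 8N1 frames. The function names, the 1 MHz sample rate and the capture itself are constructed assumptions.

```python
STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200)

def encode_8n1(data, baud, sample_rate):
    """Constructed capture: idle-high line, start bit 0, 8 data bits LSB first, stop bit 1."""
    bits = [1] * 20
    for byte in data:
        bits += [0] + [(byte >> k) & 1 for k in range(8)] + [1]
    bits += [1] * 20
    n = len(bits) * sample_rate // baud
    return [bits[i * baud // sample_rate] for i in range(n)]

def estimate_baud(samples, sample_rate):
    """The shortest pulse between two edges lasts one bit; snap it to a standard rate."""
    runs, count = [], 1
    for prev, cur in zip(samples, samples[1:]):
        if cur == prev:
            count += 1
        else:
            runs.append(count)
            count = 1
    pulses = runs[1:]  # drop the leading idle period (the trailing one is never appended)
    if not pulses:
        return None  # no activity: a static pin, not a transmitting UART
    raw = sample_rate / min(pulses)
    return min(STANDARD_BAUDS, key=lambda b: abs(b - raw))

def decode_8n1(samples, sample_rate, baud):
    """Find each falling edge (start bit) and sample the 10 bit cells at their centres."""
    spb = sample_rate / baud  # samples per bit, usually not an integer
    out, i = bytearray(), 1
    while i < len(samples):
        if samples[i - 1] == 1 and samples[i] == 0:
            centres = [int(i + (k + 0.5) * spb) for k in range(10)]
            if centres[-1] >= len(samples):
                break
            levels = [samples[c] for c in centres]
            if levels[0] == 0 and levels[9] == 1:  # framing check: start low, stop high
                out.append(sum(bit << k for k, bit in enumerate(levels[1:9])))
                i = centres[9]  # continue from inside the stop bit
        i += 1
    return bytes(out)

if __name__ == "__main__":
    capture = encode_8n1(b"Venus login: ", 115200, 1_000_000)  # constructed sample
    baud = estimate_baud(capture, 1_000_000)
    print(baud, decode_8n1(capture, 1_000_000, baud))
```

A pin that idles high and whose shortest pulses match a standard bit time is a good TxD candidate; a pin that never toggles returns `None` here.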


Does anybody know if there exists a way of physically placing a device on top of the SOC that would fit directly on the 256 pins and allow you to more easily probe them, or connect them to a serial port?

For the size device that you are looking at, these would be HUGELY expensive. My suggestion would be to look for info around the web, there was some suggestion that there was a Telnet port active on other variants - did you try portscanning it?

If you are pretty sure that the ASC pins are not connected on your board you could target the unconnected ones and probe with the input to a FTDI adapter (so that you can see any serial activity on PC when board is powered). You will also need a ground connected to board ground.

Serial data is pretty distinctive.

Mungewell.

I've been searching and trying really hard to get telnet working on my device. I was unlucky enough to get one of the firmwares with a busybox build that didn't have telnetd in it. I'm very happy, I just "rooted" it :) I downloaded some backup of the flash coming from an Italian forum where the guy claimed to have a similar device with telnetd. I found that one of the partitions he backed up was a squashfs image. The squashfs image was too big compared to mine, so it failed to flash. I first tried replacing the video player app that was much larger with the one I had originally, but then I wouldn't get any video. I then tried using my original firmware, but replacing /bin, /usr/bin, /usr/sbin and /etc with the one from the online backup (which had a working telnetd). I flashed it... and...


aghaster@sidux:~$ telnet 192.168.1.115
Trying 192.168.1.115...
Connected to 192.168.1.115.
Escape character is '^]'.
Venus login: root
warning: cannot change to home directory


BusyBox v1.1.3 (2008.10.23-09:40+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

/ # uname -a
Linux Venus 2.6.12.6-VENUS #6 Tue Nov 25 11:06:53 CST 2008 mips unknown
/ # ls -l
-rwxr-xr-x 1 root root 61440 Oct 13 2008 Test.fat
drwxr-xr-x 2 root root 481 Jun 2 2010 bin
drwxr-xr-x 1 root root 0 Jan 1 1970 dev
drwxr-xr-x 4 root root 241 Jun 2 2010 etc
drwxr-xr-x 3 root root 425 Oct 14 2008 lib
lrwxrwxrwx 1 root root 11 Jun 2 2010 linuxrc -> bin/busybox
drwxr-xr-x 7 root root 65 Oct 14 2008 mnt
dr-xr-xr-x 58 root root 0 Jan 26 12:33 proc
drwxr-xr-x 2 root root 256 Oct 14 2008 sbin
drwxr-xr-x 11 root root 0 Jan 26 12:33 sys
drwxr-xr-x 12 root root 0 Jan 26 12:33 tmp
drwxr-xr-x 8 root root 69 Oct 14 2008 tmp_orig
drwxr-xr-x 5 root root 48 Oct 14 2008 usr
lrwxrwxrwx 1 root root 4 Jun 2 2010 var -> tmp/

Now, the rest is going to be trivial :) Getting telnet working was the hard part, hehehe. There are various tweaks on wikis on how to make the root partition writable, etc. Some people even got chrooted Debian environments :P


The squashfs image was too big compared to mine, so it failed to flash. I first tried replacing the video player app that was much larger with the one I had originally, but then I wouldn't get any video. I then tried using my original firmware, but replacing /bin, /usr/bin, /usr/sbin and /etc with the one from the online backup (which had a working telnetd). I flashed it... and...

Congrats!! and now a 'handy Mungewell hint'....

If you are mounting the embedded disk image and changing stuff, you can find that the 'old stuff' is still on disk and lessens the amount of compression that can be done on it (I found this when playing with Linux-VR on MIPS PDA a while ago, so might not be applicable now).

By creating an empty disk (with dd if=/dev/zero of=...) and then tarring/untarring the altered disk into it you can be sure that there is no cruft left behind.

Which graphics system (X11, SVGALib, etc) are they using, which media player, etc....?

Munge.
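
An added toy model of the effect described in the hint above (example code, not from the post): a block image where deleting a file only drops its table entry, compared after compression with a freshly zeroed image holding just the live files. The class, the file names and the random "old binary" are constructed assumptions; no real filesystem is involved.

```python
import random
import zlib

BLOCK = 4096

class ToyImage:
    """Toy block image: deleting a file drops its table entry but leaves its bytes on 'disk'."""
    def __init__(self, blocks):
        self.data = bytearray(blocks * BLOCK)  # all zeros, like dd if=/dev/zero
        self.files = {}       # name -> (byte offset, length)
        self.next_block = 0   # simple bump allocator

    def write(self, name, payload):
        offset = self.next_block * BLOCK
        if offset + len(payload) > len(self.data):
            raise ValueError("image full")
        self.data[offset:offset + len(payload)] = payload
        self.files[name] = (offset, len(payload))
        self.next_block += -(-len(payload) // BLOCK)  # round up to whole blocks

    def delete(self, name):
        del self.files[name]  # metadata only: the old bytes stay in the image

    def read(self, name):
        offset, length = self.files[name]
        return bytes(self.data[offset:offset + length])

    def compressed_size(self):
        return len(zlib.compress(bytes(self.data), 9))

def rebuild(old, blocks):
    """The tar/untar step: copy only live files into a freshly zeroed image."""
    fresh = ToyImage(blocks)
    for name in old.files:
        fresh.write(name, old.read(name))
    return fresh

def demo():
    rng = random.Random(0)
    old_player = bytes(rng.getrandbits(8) for _ in range(100 * 1024))  # constructed, incompressible
    edited = ToyImage(64)
    edited.write("usr/bin/player", old_player)
    edited.write("etc/inetd.conf", b"telnet stream tcp nowait root /usr/sbin/telnetd telnetd\n")
    edited.delete("usr/bin/player")  # "removed", yet still inside the image
    clean = rebuild(edited, 64)
    return edited.compressed_size(), clean.compressed_size(), clean.read("etc/inetd.conf")
```

`demo()` returns the compressed size of the edited image, the compressed size of the rebuilt one, and the surviving config file; the first stays above the size of the deleted binary while the second shrinks to a few hundred bytes.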


Very neat!!

This has always been EXACTLY the type of hacking I have wanted to learn but never could.

I just can't wrap my head around on how to find the serial ports. xD


Here are some updated photos, I opened it again to take better pictures of the back of the mainboard. Some of these pictures were in the zip posted earlier. Beware, they're high definition. I'm trying to figure out if the mysterious unpopulated part of the board is for EJTAG.

http://www.awakecoding.com/pictures/MP800DVR/front_panel.jpg

http://www.awakecoding.com/pictures/MP800DVR/GL811S.jpg

http://www.awakecoding.com/pictures/MP800DVR/GL850A.jpg

http://www.awakecoding.com/pictures/MP800DVR/JM20330.jpg

http://www.awakecoding.com/pictures/MP800DVR/LM1085.jpg

http://www.awakecoding.com/pictures/MP800DVR/unpopulated.jpg

http://www.awakecoding.com/pictures/MP800DVR/mainboard_back1.jpg

http://www.awakecoding.com/pictures/MP800DVR/mainboard_back2.jpg

http://www.awakecoding.com/pictures/MP800DVR/mainboard_back3.jpg

http://www.awakecoding.com/pictures/MP800DVR/mainboard_back4.jpg

http://www.awakecoding.com/pictures/MP800DVR/mainboard_back5.jpg

http://www.awakecoding.com/pictures/MP800DVR/MX25L6405DMI-12G.jpg

http://www.awakecoding.com/pictures/MP800DVR/NT5DS32M16BS-5T.jpg

http://www.awakecoding.com/pictures/MP800DVR/RTD1262.jpg

I *almost* got to the point where I could make a chrooted Debian installation. I made an ext3-formatted USB drive and used debootstrap to prepare a Debian lenny mipsel installation on it. However, to complete the debootstrapped installation, I need to be able to run the stage 2 of the installation, which requires a chrooted environment on the target device with rw, exec and dev permissions. The system automatically mounts the ext3 partition with ro,noexec,nodev. I can remount the partition with rw and exec, but for some reason I still was unable to remount it with dev permissions. Any ideas?


I'm trying to figure out if the mysterious unpopulated part of the board is for EJTAG.

Nope. ;-)

My best guess would be that alternative tuners/demod cards can be fitted to work with DVB-T, Digital Satellite, etc... The main processor can handle transport stream and would most likely control the tuner via I2C. Multiple transport streams would be unused in dual tuner PVRs to allow for the recording of a program (which might be on a different multiplex) to the one being watched.

Mungewell.

