Reverse engineer serial port commands
Alan Felt wrote 04/03/2016 at 02:23 • 0 points

I'm attempting to reverse engineer a serial device that I know very little about. I figured out the baud rate of it, and when I press a button on it, it writes "..\nBooted" to the serial console. Is there some program I can run that will brute force what commands the device's serial interface allows, if any?
Discussions
Yep, that is the groups page. I've gone through the documents there and didn't find much useful. I also tried contacting them but got no response. The tmote is indeed similar, but it looks like it has sensors built in. The form factor on the boards I have is about the size of a standard thumb drive. I'm thinking the next step is to just contact Rincon and see if they can help any. Thanks for doing some digging! Impressive finding that Berkeley message board; wonder if the email listed for him works.
PS Looks like the guy at Rincon asked this question:
https://www.millennium.berkeley.edu/pipermail/tinyos-help/2009-September/042109.html
about a "tmote sky" instead of "rmote". Googling that showed something similar to the pic in the PPT on the groupnumbertwo wikispaces page. Maybe that will lead you somewhere.
Is the team these guys?:
http://groupnumbertwo.wikispaces.com/wiki/members
Is manufacturer these guys?:
http://www.rincon.com/tech_caps.htm
Nothing else obvious came up, and yeh, like the others have said: Unlike in the movies, where the hacker can use a special program to immediately probe for whatever protocol is involved, in real life, unless you can dump the ROM and look for strings, you're a bit SOL.
...R
Dump the rom as binary and scan it for ASCII strings. That will probably give you a list of commands that can be typed, and a list of messages it will send out in various circumstances.
Also, try variations on "h", "help", "?" and so on to see if it responds.
Sorry to say, but serial communication does not provide any intelligence - there is no way to know what it is expecting. Serial communication is like talking on a telephone and not knowing who is listening on the other end. Your only hope is to identify the board and find out what it is used for - then some creative guessing may get some results.
I really should have given more information. It is a board with an MSP430 and an FTDI chip installed on it to allow connection via the onboard USB connector. It also has wireless capabilities with a built-in wireless chip and antenna. As for what it was used for, from what I have been able to tell it was supposed to be part of a mesh network (I actually have two of these boards) for sensor communication.
I tried contacting the members of the team that originally used them (no response) and I have thought about contacting what I think is the manufacturer of the board but have yet to do so. It identifies as an "rmote2500" on my mac and is possibly using tinyOS which is for devices such as mine (called motes).
Thank you for the response. It shouldn't be too difficult to write a chunk of code to run through commands, and using a Raspberry Pi will likely make it easier to hard reset.
And it is possible that the serial output is just an output for debugging as you say, in which case the next step is to figure out how to program the thing.
Your life will be significantly easier if you have the device in its context and some sort of sender connected to it. Do you have something that is supposed to talk to it?
If not, writing a piece of code in Python would be an easy way to start. While you're there you can also use the RTS / DTR lines to control a MOSFET that power cycles your target device to restore a known state (in case you lock it up due to malformed commands or security features).
Without further information the rest is more guessing for us than for you. Maybe you're talking to an SoC that runs some sort of RTOS. Maybe you're just seeing a debug output.
For known commands you can use predefined sequences in hterm.
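Putting the two suggestions above together (trying "h", "help", "?" variants, and using DTR to power cycle the target between attempts), here is an added Python example; it is not code from this thread or from any of the posters. It assumes pyserial for a real port, a placeholder port name and baud rate, and that DTR is wired through a MOSFET such that driving it high cuts the target's supply; the probe logic itself only needs an object with write/read/reset_input_buffer and a settable dtr, so it can be exercised against a fake device.

```python
"""Probe a serial device for a help/banner response, resetting it between tries.
Works with any object exposing write(), read(n), reset_input_buffer() and a
settable .dtr attribute (pyserial's Serial does)."""
import time

# Candidate commands suggested in the thread, plus common line endings (constructed list).
CANDIDATES = [b"h", b"help", b"?", b"H", b"HELP"]
LINE_ENDINGS = [b"\r\n", b"\n", b"\r"]

def read_response(port, quiet_time=0.2, max_wait=2.0):
    """Collect bytes until the line has been quiet for quiet_time seconds (or max_wait total)."""
    buf = bytearray()
    deadline = time.monotonic() + max_wait
    last = time.monotonic()
    while time.monotonic() < deadline:
        chunk = port.read(256)
        if chunk:
            buf += chunk
            last = time.monotonic()
        elif time.monotonic() - last > quiet_time:
            break
    return bytes(buf)

def power_cycle(port, hold=0.3):
    """Toggle DTR to restore a known state. Assumption: DTR high cuts target power via a MOSFET."""
    port.dtr = True
    time.sleep(hold)
    port.dtr = False
    port.reset_input_buffer()   # drop whatever the reset spewed before we start probing

def probe(port, candidates=CANDIDATES, endings=LINE_ENDINGS, reset=None):
    """Send each candidate with each line ending; return {bytes_sent: response} for answers.
    If reset is given (e.g. power_cycle), call it after every silent attempt so a command
    that locked the target up does not poison the following tries."""
    hits = {}
    for cmd in candidates:
        for end in endings:
            port.reset_input_buffer()
            port.write(cmd + end)
            resp = read_response(port)
            if resp:
                hits[cmd + end] = resp
                break           # one ending that works is enough for this command
            if reset:
                reset(port)
    return hits

if __name__ == "__main__":
    import serial   # pyserial; only needed for a real port
    with serial.Serial("/dev/ttyUSB0", 115200, timeout=0.1) as s:  # placeholder port and baud
        power_cycle(s)
        print(read_response(s))   # the "..\nBooted"-style banner, if any
        for sent, resp in probe(s, reset=power_cycle).items():
            print(sent, "->", resp)
```

Run it with the device alone on the port; anything printed by probe() is a command the firmware visibly reacted to, which is exactly the list the ROM-string approach would otherwise have to supply.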