Difference between revisions of "Bus Pirate"
Line 196: | Line 196: | ||
|- |
|- |
||
! Vasco DP810 |
! Vasco DP810 |
||
− | |align="right" | |
+ | |align="right" | 1.064MHz |
|align="right" | ~2750? |
|align="right" | ~2750? |
||
|align="right" | ~1400 |
|align="right" | ~1400 |
||
Line 202: | Line 202: | ||
|- |
|- |
||
! Vasco DP840 |
! Vasco DP840 |
||
− | |align="right" | |
+ | |align="right" | 1.064MHz |
|align="right" | ~2750? |
|align="right" | ~2750? |
||
|align="right" | ~1400 |
|align="right" | ~1400 |
Revision as of 11:43, 24 November 2010
Description
I'm talking about this beast
Installation
My udev rules
I added a /dev/bus_pirate symlink by following this post:
$ ATTRS=$(sudo udevadm info -a -p \ $(sudo udevadm info -q path -n /dev/$(dmesg|\ grep "FTDI.*attached"|\ tail -n 1|\ grep -o "ttyUSB[0-9]\+"))|\ egrep "ATTRS{(serial|idVendor|idProduct)}"|\ head -n 3) $ echo "SUBSYSTEM==\"tty\"" $ATTRS "SYMLINK+=\"bus_pirate\""|\ sudo tee /etc/udev/rules.d/91-usb-buspirate.rules
If you've problems with modem-manager trying to access the device (as seen in /var/log/syslog), you can add the following rule:
ATTRS{idVendor}=="0403" ATTRS{idProduct}=="6001" ENV{ID_MM_DEVICE_IGNORE}="1"
Firmware upgrade
My bus pirate is a hardware v3b, firmware v4.1 and boodloader v4.1
To upgrade those two last ones:
Latest stable firmwares are available here
Let's take Bus.Pirate.firmware.v5.9.zip
And for the bootloader we'll follow this procedure, using this zip
To use the uploader, see here
$ screen /dev/bus_pirate 115200 Type "$" to enter bootloader mode Press ctrl-a \ y to quit screen $ ./pirate-loader_lnx --dev=/dev/bus_pirate --hex=BPv3-bootloader-upgrade-v4xtov4.3.hex $ screen /dev/bus_pirate 115200 Type "yes" to upgrade bootloader Press ctrl-a \ y to quit screen $ ./pirate-loader_lnx --dev=/dev/bus_pirate --hex=BPv3-Firmware-v5.9.hex Unplug/replug
Firmware v5.9 extra contains a few more things but only those modes:
Firmware v5.9 (r529) [HiZ 2WIRE 3WIRE KEYB LCD DIO]
While for normal firmware:
Firmware v5.9 (r539)
Hardware mod
I found the 2 greed LEDs of bus pirate v3b a bit weak especially through the plastic box so I replaced their resistors (1.1k) by resistors of 100 ohms.
It may vary with the exact LEDs in use with your board so don't assume 100 ohms will work on your own board!
Usage
CLI
screen /dev/bus_pirate 115200 i Bus Pirate v3 Firmware v4.2 Bootloader v4.2 DEVID:0x0447 REVID:0x3043 (B5) http://dangerousprototypes.com HiZ> ctrl-A \ (y) to quit
Pinouts
See also http://dangerousprototypes.com/category/pin-reference/
WARNING in the nice sticker colorscheme, the cable is put upside-down (it's said in the comment but I missed it completely the first time)
So if you put your cable going "outwards of the PCB", as seen in the introduction picture, pinout is the following:
GDN - brown, black EZhook +3.3 - red +5 - pink, red EZhook ADC - yellow Vpu - green AUX - blue CLK - violet MOSI - grey CS - white MISO - black
We can perform a self-test with the cable by connecting together red+yellow and pink+green, then simply run "~" on the CLI.
Logic analyzer
See http://dangerousprototypes.com/docs/Logic_analyzer_mode
Installing SUMP is not that easy...
I chose to try a fork of it mentioned in the comments of Sump PC client page
wget http://dl.dropbox.com/u/1026013/Java/Logic%20Analyzer/Logic%20Analyzer.zip unzip Logic%20Analyzer.zip sudo aptitude install libftdi-dev librxtx-java
I modified the runme as following for my Debian, and to be able to use a symlink to the runme:
#!/bin/bash
if [ -h $0 ]; then
DIR=$(dirname "$(readlink $0)")
cd "$DIR"
fi
java -Xmx256m -cp /usr/share/java/RXTXcomm.jar:analyzer.jar \
-Dgnu.io.rxtx.SerialPorts="/dev/bus_pirate" \
-Djava.library.path="/usr/lib/jni" \
org.sump.analyzer.Loader
Now trying it:
We've only to change the recording size to 4k or lower, other params should be ok
Pins & channels:
chan0 - CS - white chan1 - MISO - black chan2 - CLK - violet chan3 - MOSI - grey chan4 - AUX - blue GND - brown
See also other analyzers:
I also tried this fork: http://www.lxtreme.nl/ols/
and changed a bit the run.sh script to handle it through symlink :
if [ -h $0 ]; then
DIR=$(dirname "$(readlink $0)")
cd "$DIR"
BASEDIR=.
else
BASEDIR=$(dirname -- "${0}")
fi
Practice
7816-3 T=0 at arbitrary baudrate
I wanted to sniff the exchange between an autonomous smartcard reader and a card.
I used my bus pirate first in logic analyzer mode then in UART mode.
Physically I had simply a fake smartcard linked to a passive reader slot, a bit similar to this device
First thing a smartcard is emitting when powered and reset is it's ATR (Answer-to-Reset)
ATR in this case is 3B 67 00 00 00 00 00 00 00 90 00 as seen by any reader
But when trying with the UART mode, I couldn't get the proper bytes being decoded
Let's first have a raw trace to have a rough idea of the signal:
Using the logical analyzer on I/O, sampling 10kHz + a trigger on RST
ATR in bin I/O signal UART 2400 3B 00111011 0.11011100.1111... <> 9D 10011101 67 01100111 0.11100110.1111... <> B3 10110011 00 00000000 0.00000000.1111... <> 80 10000000 00 00000000 0.00000000.1111... <> 80 10000000 00 00000000 0.00000000.1111... <> 80 10000000 00 00000000 0.00000000.1111... <> 80 10000000 00 00000000 0.00000000.1111... <> 80 10000000 00 00000000 0.00000000.1111... <> 80 10000000 00 00000000 0.00000000.1111... <> 80 10000000 90 10010000 0.00001001.1111... <> C8 11001000 00 00000000 0.00000000.1111... <> 80 10000000
=> We see clearly (last columns) that bus pirate configured at 2400 baud is misinterpreting the bytes, it misses the first LSB and gets the stop bit as MSB.
The reason is that, compared to RS232, smartcards are following the external clock signal and one should use a quartz at 3686400Hz to get a proper I/O communication at 9600 bauds. (T=0: 9600 bit/s, 8 data bits, 1 parity bit, 2 stop bits, no handshake and even parity, + inversion compared to RS232 signals)
Clock of the autonomous reader was around 1.05MHz (measured roughly with an oscillo, bus pirate needs a CLK for one whole second to be able to measure the frequency but the reader I'm using provides a clock only during operations)
smartcard baudrate = CLK / 384
So in our case => ~2734 baud
UPDATE: according to ISO7816-3, the frequency divisor should be 372 and not 384. I've still to dig into that, maybe I'm just at the tolerance limit (1-(372/384)=3%)
See UART doc: we need firmware >= 5.1 to have full BRG control
BRG conversions: (only valid for bus pirate, see PIC datasheets for others)
- baudrate=4000000/(BRG+1)
- BRG=(4000000/baudrate)-1
So in our case => BRG=~1461
Let's try:
m3 UART mode 10 BRG raw value 1400 see below 2 8 bits, even parity 1 1 STOP bit 1 1 when idle 1 open drain (we don't connect Tx anyway) [ UART Live display .... sniffer is active ] Stop UART Live display
BRG=1461 produced some errors occasionally and I had better results with a slightly higher baudrate (2855 baud)
So finding the proper baudrate is extremely important when sniffing busses not using a standard baudrate!
We couldn't measure the CLK frequency very well so we had to do trial & error to find a suitable baudrate.
On some readers, CLK signal is kept running all the time, from insertion or during operation.
In that case, we can measure very precisely the frequency with the bus pirate:
- link reader CLK signal to bus pirate AUX probe and press "f" (works both in HiZ or UART modes)
Here are some measures on various readers:
Reader | CLK | baudrate | BRG | Remarks |
---|---|---|---|---|
Dell RT7D60 | 4009216 Hz | 10441 | 382 | |
ACR38U | 4009216 Hz | 10441 | 382 | |
Vasco DP905 | 3700736 Hz | 9637 | 414 | mode 9600 works too (416) |
Vasco DP810 | 1.064MHz | ~2750? | ~1400 | hand-tuned BRG |
Vasco DP840 | 1.064MHz | ~2750? | ~1400 | hand-tuned BRG |
Gemalto PC USB-SL | 4000768Hz | 10419 | 383 | |
Gemalto "digipass" | 1501696Hz | 3911 | 1022 |
It would be much easier if bus pirate integrates those baudrate<>BRG conversions.
E.g.
UART> m3 Set serial port speed: (bps) ... 10. BRG raw value 11. Approximative baudrate value (1) > 11 Baudrate value to approximate: (9600)> 11250 Choosing BRG=355, baudrate=11236, error=0.13% ...
UART> i Bus Pirate v3b ... UART (spd brg br dbp sb rxp hiz)=( 11 355 11236 0 0 1 )
Note that there is currently a little bug in UART info display, spd counts from 0 while menu items count from 1 (so menu=5 (9600) => spd=4)