Playing with a Saleae Logic Analyzer
Hey all, I was hanging out with Awgh the other day and he started dropping tons of hardware hacking knowledge on me. As we were rummaging through his hardware hacking tools we came across a logic analyzer, and I mentioned how I had always wanted to mess with one. Next thing I know, Awgh was running me through a crash course in analyzing serial ports. It was my first time playing with a Saleae logic analyzer, and I have to say I was blown away. I had looked at getting one before but was timid about it because I was unsure how useful it would be. Granted, there are tons of articles on their website for getting started with one, but it wasn't till I sat down and saw how powerful it could be in my own hands that I was moved to buy one. This is that story.
As Awgh instructed, it all starts with opening the device and visually inspecting the hardware; we are looking for serial ports or some other way to debug the hardware's boot process. I actually started with a volt meter, testing different exposed pads, basically probing till I found some type of signal. Once I found the pads I wanted to read, I broke off some single-row male pin headers and stuck them through the exposed PTH (plated through-hole) pads. After some more research, this turned out to be a UART port. Next, getting the ground was a pretty crucial part; then I could just hook up the rest of the pins on the port. I had to play around to find the ground pin, which finally gave me a discernible pattern while sampling in the Saleae application.
It was a good idea to take a picture of this pin position too, as it helps me remember both ground and the read pin (channel 7), which you will see. The signal it produced looked like the one below. I have to say, not only is the Saleae hardware really nice, but the software is also what sold me. The interface is very clean and easy to use, just like the hardware:
At first, this signal might as well have been Greek to me, as it meant pretty much nothing. Next, I clicked the gear on the channel and applied the auto-analyzer with the auto-baud detection option enabled. That resulted in a decoded signal like the one below. I was curious how the auto-analyzer worked, and discovered a wealth of information on their site, including all of their supported protocols and community protocol analyzers. Notice how the signal now has several characters in blue above it; that is the decoded serial message.
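To show what the analyzer is doing under the hood, here is an added example (not from the original post or from Saleae) of a minimal 8N1 UART decoder with auto-baud detection: the shortest pulse in the capture is taken as one bit period and snapped to a standard rate, then each byte is sampled at bit centres from its start edge. The 4 MS/s sample rate, the standard-baud table and the "U-Boot 1.1.4" capture are constructed assumptions.

```python
from itertools import groupby

SAMPLE_RATE = 4_000_000          # 4 MS/s capture, constructed for this example
STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200)

def encode_8n1(text, baud, sample_rate=SAMPLE_RATE, idle_bits=4):
    """Build an idle-high 8N1 sample stream for text (used only to construct input)."""
    spb = sample_rate // baud                       # samples per bit
    samples = [1] * (spb * idle_bits)
    for byte in text.encode():
        frame = [0] + [(byte >> i) & 1 for i in range(8)] + [1]   # start, LSB first, stop
        for bit in frame:
            samples.extend([bit] * spb)
    return samples + [1] * (spb * idle_bits)

def detect_baud(samples, sample_rate=SAMPLE_RATE):
    """Return (samples_per_bit, nearest standard baud). The shortest run of equal
    samples is taken as one bit period; this assumes the capture holds at least
    one isolated bit, which text such as 'U' (0x55, alternating bits) guarantees."""
    spb = min(len(list(run)) for _, run in groupby(samples))
    return spb, min(STANDARD_BAUDS, key=lambda b: abs(b - sample_rate / spb))

def decode_8n1(samples, spb):
    """Decode 8N1 frames: on each falling edge treat the low period as the start
    bit, sample the eight data bits at their centres, and accept the byte only if
    the stop bit is high (otherwise it is a framing error and is skipped)."""
    out, i, n = bytearray(), 0, len(samples)
    while i < n - 1:
        if not (samples[i] == 1 and samples[i + 1] == 0):
            i += 1
            continue
        start = i + 1                                # first sample of the start bit
        stop = start + spb * 9 + spb // 2            # centre of the stop bit
        if stop >= n:
            break                                    # truncated frame at end of capture
        value = 0
        for bit in range(8):
            value |= samples[start + spb * (bit + 1) + spb // 2] << bit
        if samples[stop] == 1:
            out.append(value)
        i = stop                                     # resume scanning from the stop bit
    return bytes(out)

def demo():
    stream = encode_8n1("U-Boot 1.1.4", 115200)     # constructed capture
    spb, baud = detect_baud(stream)
    return baud, decode_8n1(stream, spb).decode()
```

Note that the measured bit period (34 samples here) is used for decoding, not the snapped 115200, because the capture's actual rate is rarely an exact standard value.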
I exported this data to a CSV file, then parsed it down to just the decoded values. This data still needed to be doctored quite a bit, but once trimmed up it looks like the following.
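The trimming step, as an added example rather than the script used for the post: reduce a protocol-analyzer CSV export to the decoded serial text, dropping frames flagged with errors and normalising line endings. The column layout (`Time [s],Analyzer Name,Decoded Protocol Result`) and the sample rows are constructed to resemble a Logic 1.x export; adjust the column name if yours differs.

```python
import csv
import io
import re

# Constructed sample export: a few bytes of a boot banner, one bad frame, one pause.
SAMPLE_CSV = """Time [s],Analyzer Name,Decoded Protocol Result
0.000010,Async Serial,'U' (0x55)
0.000097,Async Serial,'-' (0x2D)
0.000184,Async Serial,'B' (0x42)
0.000271,Async Serial,'o' (0x6F)
0.000358,Async Serial,'o' (0x6F)
0.000445,Async Serial,'t' (0x74)
0.000532,Async Serial,0x0D
0.000619,Async Serial,0x0A
0.000706,Async Serial,0xFF (framing error)
0.000793,Async Serial,'4' (0x34)
0.500880,Async Serial,':' (0x3A)
"""

HEX = re.compile(r"0x([0-9A-Fa-f]{2})")

def decoded_bytes(csv_text, column="Decoded Protocol Result"):
    """Yield (time, byte, flagged) per row; rows without a hex value are skipped."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        m = HEX.search(row[column])
        if m:
            yield float(row["Time [s]"]), int(m.group(1), 16), "error" in row[column]

def to_text(csv_text, drop_errors=True):
    """Join decoded bytes into text, normalising CRLF and dropping flagged frames."""
    data = bytes(b for _, b, bad in decoded_bytes(csv_text) if not (bad and drop_errors))
    return data.decode("ascii", errors="replace").replace("\r\n", "\n")

def gap_seconds(csv_text):
    """Largest pause between consecutive bytes: useful for spotting where the
    boot loader waits for a keypress before its menu times out."""
    times = [t for t, _, _ in decoded_bytes(csv_text)]
    return max((b - a for a, b in zip(times, times[1:])), default=0.0)
```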
Here is a full dump of the data if you want to look at it yourself. From here you would analyze this data for vulnerabilities. You may notice, if you read that full dump, that the U-Boot menu offers multiple ways to load your own code onto the system, and option four even lets you drop into a terminal shell. From here one simply has to connect a USB-to-TTL serial cable, such as these FTDI cables, to access said menu (using something like minicom). Here's a more solid guide on how to get that shell. All in all, this was super fun and I'm definitely picking up a logic analyzer now. If you like this kind of post please comment, as I plan to write more hardware hacking posts in the future.