reverse engineering serial protocol project

Reverse Engineering A Proprietary Serial Communication Richard Msiska Thompson Rivers University Supervisors: Kevin O’Neil, Sharon Brewer, and Bruno Cinel

Upload: richard-msiska

Post on 12-Nov-2014


DESCRIPTION

This is a presentation on the current and future outlook of the serial port.

TRANSCRIPT

Page 1: Reverse Engineering Serial Protocol Project

Reverse Engineering A Proprietary Serial Communication

Richard Msiska

Thompson Rivers University

Supervisors: Kevin O’Neil, Sharon Brewer, and Bruno Cinel

Page 2: Reverse Engineering Serial Protocol Project

Outline

• Term Objectives and Analysis

• Current progress

• Future progress

Page 3: Reverse Engineering Serial Protocol Project

Term Objectives

• Discover commands for initializing the instrument, performing a Lab and shutting down the TOC analyzer.

• Send and receive those commands using a C++ interface.

• Create a simplified web interface that allows remote connection to the TOC Analyzer (if time permits).

Page 4: Reverse Engineering Serial Protocol Project

The Instrument

• The Total Organic Carbon/Total Nitrogen (TOC/TN) Analyzer measures the organic carbon or nitrogen present in a water sample.

• The TN value is used to infer water quality: the higher it is, the poorer the quality of the water.

Page 5: Reverse Engineering Serial Protocol Project

Tools Used in the Project

• Visual Studio 2010 as an Integrated Development Environment (IDE).

• Serial port sniffer for reading traffic.

• USB to serial port converter for creating a serial port from a USB port.

• Serial port splitter for sharing of one serial port.

Page 6: Reverse Engineering Serial Protocol Project

Software Implementation

• A standard C++ Library was used for serial port communication.

• The interface contains a lot of timing issues.

• Development methodology used was Agile.

Page 7: Reverse Engineering Serial Protocol Project

Objectives Completed

• Completed Analysis of the Perform Lab use case

• Completed Analysis of the Shutdown Commands Use case.

• Partial Analysis of start up commands.

Page 8: Reverse Engineering Serial Protocol Project

Current Configuration

[Diagram] Components: Interface, TOC Proprietary Software, Serial Port Splitter, TOC Analyzer. Link labels: Initialization; Perform Lab and Shutdown.

Page 9: Reverse Engineering Serial Protocol Project

The Nature of the Lab

• The lab parameters of the TOC Analyzer are known beforehand.

• The user has to:

– pick the vial position which contains the sample

– start the lab, which commands the software

– wait for the TOC Analyzer to return a value for TN.

Page 10: Reverse Engineering Serial Protocol Project

TOC Initialization Protocol

A5 0B F4 00 04 01 00 00 00 00 00 00 00 04

A5 03 FC 00 01 00 (Good)

A5 03 FC 00 02 00 (Bad)

System Parameters

Page 11: Reverse Engineering Serial Protocol Project

System Parameters (Header | Payload | Checksum)

A5 03 FC 00 01 00

A5 03 FC 00 01 00

A5 23 DC 01041B000000000000D0001 00 00 00 15 00 00 00 0B 00 00 00 03 00 00 00 29 00 00 00 50

• 0B determines the hour when this was sent.

• 03 determines the minute when this was sent.

• 29 determines the second when this was sent.

• 50 is the checksum.

• A hexadecimal conversion tells us this command was sent at 11:03:49.

Page 12: Reverse Engineering Serial Protocol Project

Lab Start Up Bytes

• A timed handshake protocol is performed.

• A block of data is sent to the TOC Analyzer defining the lab parameters, including injection volume and vial position.

Page 13: Reverse Engineering Serial Protocol Project

Lab Start Up Bytes Example

A5 03 FC 00 01 00

A5 73 8C 07 04 5A 00 00 00 00 00 00 00 00 00 00
00 09 00 00 00 03 00 00 00 03 00 00 00 3C 00 00
00 00 00 00 00 02 00 00 00 01 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 22 01 00
00 00 00 00 00 22 01 00 00 0A 00 00 00 00 00 00
00 03 00 00 00 00 00 00 00 00 00 00 00 F0 00 00
00 F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 FF FF FF FF E1


Page 17: Reverse Engineering Serial Protocol Project

Lab Start Up Bytes Explained

• 3C tells the TOC to inject 60 ml of the sample.

• 0A tells the interface the vial position is at position 10.

Page 18: Reverse Engineering Serial Protocol Project

Shutdown Protocol

A5 0F F0 07 04 51 00 00 00 00 00 00 00 01 00 00 00 5C A5 03 FC 00 01 00 (Command to initiate shutdown)

A5 03 FC 00 01 00 + Payload (Good)

A5 03 FC 00 01 00 A5 0B F4 08 04 02 00 00 00 00 00 00 00 0D (Final Shutdown)

A5 03 FC 00 02 00 (Bad)
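A parser for the initialization, acknowledgement, lab start-up and shutdown captures on pages 10 to 18, written as an added example for this transcript rather than code from the project. The framing it assumes (A5, a length byte, its bitwise complement, a body made of a 2-byte tag plus little-endian 32-bit fields, and a checksum equal to the low byte of the sum of every byte after A5) is inferred from the captured bytes and is not stated on the slides; it matches the five fully captured frames exactly, while the "bad" acknowledgement as written on the slides does not, and the parser reports that mismatch rather than hiding it.

```python
# Added example, not the project's code. Framing inferred from the slide captures
# (not confirmed by the author): A5 | LEN | ~LEN | BODY (LEN-1 bytes) | CHECKSUM,
# where CHECKSUM is the low byte of LEN + ~LEN + sum(BODY) and BODY is a 2-byte
# tag followed by little-endian 32-bit fields.
SYNC = 0xA5

# Frames transcribed from the slides (byte spacing normalised).
INIT = bytes.fromhex("A50BF4 0004 01000000 00000000 04")
ACK_GOOD = bytes.fromhex("A503FC 0001 00")
ACK_BAD = bytes.fromhex("A503FC 0002 00")          # as written on the slides
SHUTDOWN = bytes.fromhex("A50FF0 0704 51000000 00000000 01000000 5C")
LAB_START = bytes.fromhex(
    "A5738C 0704"
    "5A000000 00000000 00000000 09000000 03000000 03000000 3C000000"
    "00000000 02000000 01000000 00000000 00000000 00000000 00000000"
    "22010000 00000000 22010000 0A000000 00000000 03000000 00000000"
    "00000000 F0000000 F0000000 00000000 00000000 00000000 FFFFFFFF"
    "E1")

def parse_frames(stream):
    """Split a capture into (status, body) pairs; status is 'ok', 'bad checksum'
    or 'truncated'. Bytes that do not form a valid header are skipped."""
    frames, i = [], 0
    while i + 3 <= len(stream):
        length, notlen = stream[i + 1], stream[i + 2]
        if stream[i] != SYNC or length == 0 or (length ^ notlen) != 0xFF:
            i += 1                      # not a header: resynchronise on the next A5
            continue
        end = i + 3 + length
        if end > len(stream):
            frames.append(("truncated", stream[i + 3:]))
            break
        body, checksum = stream[i + 3:end - 1], stream[end - 1]
        expected = (length + notlen + sum(body)) & 0xFF
        frames.append(("ok" if checksum == expected else "bad checksum", body))
        i = end
    return frames

def fields_u32(body):
    """Split a body into its 2-byte tag and a list of little-endian 32-bit fields."""
    tag, rest = body[:2], body[2:]
    if len(rest) % 4:
        raise ValueError("body is not a 2-byte tag plus whole 32-bit fields")
    return tag, [int.from_bytes(rest[k:k + 4], "little") for k in range(0, len(rest), 4)]

def ack_status(body):
    """Classify an acknowledgement body as the slides do (00 01 good, 00 02 bad)."""
    return {b"\x00\x01": "good", b"\x00\x02": "bad"}.get(bytes(body), "not an ack")
```

Running `fields_u32` over the lab start-up body yields field 6 = 60 (the 3C injection volume) and field 17 = 10 (the 0A vial position) described on page 17.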

Page 19: Reverse Engineering Serial Protocol Project

Future Prospects

• Updated configuration

• Finalize Serial Port Commands and Communication

• Create Local Interface

• Create Web Interface

• Network Security Assessment

• New chair to sit on.

Page 20: Reverse Engineering Serial Protocol Project

Future Local Configuration

[Diagram] Components: Interface, TOC Analyzer, file containing sample information. Link labels: Initialization, Perform Lab and Shutdown; Lab Results and protocol feedback.

Page 21: Reverse Engineering Serial Protocol Project

Future Cloud Configuration

[Diagram] Components: Interface, TOC Analyzer, BC-ILN cloud architecture (API + web interface). Link labels: Perform Lab; Lab Results; Lab Request; Lab Results.

Page 22: Reverse Engineering Serial Protocol Project

Remaining Analysis

• Completing start up commands

• Starting and completing Lab Results analysis

Page 23: Reverse Engineering Serial Protocol Project

Local and Web Interface

• Local Interface is a matter of completing my code

• Web Interface would require more communication with the BC-ILN.

• Learn about the BC-ILN cloud architecture.

Page 24: Reverse Engineering Serial Protocol Project

Network Assessment

• To verify that the network the instrument is on is secure.

Page 25: Reverse Engineering Serial Protocol Project

Difficulties

• Determining correct serial port timings, as the software works in milliseconds.

• Determining correct serial port configuration.

• Decoding a serial port protocol simply by observing bytes.

• Black box reverse engineering.

Page 26: Reverse Engineering Serial Protocol Project

Overall

• Working towards an interface that will allow labs to be performed remotely.

• Next step is finding out more information about the protocol.

Page 27: Reverse Engineering Serial Protocol Project

Questions?

Page 28: Reverse Engineering Serial Protocol Project

Demonstration

• Head to the Science Lab room 237