Reverse Engineering A Proprietary Serial Communication. Richard Msiska, Thompson Rivers University. Supervisors: Kevin O’Neil, Sharon Brewer, and Bruno Cinel

Posted 12-Apr-2015

DESCRIPTION

This research project involves looking at the serial protocol of a Total Organic Carbon (TOC) analyzer. The TOC instrument chemically analyzes water samples and then reports information based on that sample. The communication between the instrument and a computer (PC) occurs through proprietary software. My research is concerned with determining and examining the data sent between the computer and the TOC analyzer and then writing software on the PC to control the instrument. The software written on the PC will have to mimic enough of the proprietary software's functionality that the TOC analyzer believes it is communicating with its own proprietary software.

The project is part of a larger framework and international initiative concerned with allowing students to access instruments and conduct labs from remote locations. Through the BC Integrated Laboratory Network and iLab Central, students will have the chance to access this instrument and conduct analyses from anywhere in the world over the internet.

Methods used in this project involve observing the bit-level information exchanged, sending the instrument large numbers of trial commands, and extracting the data exchanged between the serial ports. Research so far has revealed the low-level properties of the serial port and determined that the instrument uses a binary protocol rather than a simple text-based protocol. I have also identified the format of the data being passed on the serial port. This research will give more insight into the field of data communications, and the methodologies used are core aspects of data communication systems.

TRANSCRIPT

Page 1: Reverse Engineering Serial Protocol

Reverse Engineering A Proprietary Serial Communication

Richard Msiska

Thompson Rivers University

Supervisors: Kevin O’Neil, Sharon Brewer, and Bruno Cinel

Page 2: Reverse Engineering Serial Protocol

Outline

• What?
• Why?
• How?
• What did I find?

Page 3: Reverse Engineering Serial Protocol

Goal of project

• Discover commands for initializing the instrument, performing a Lab and shutting down the TOC analyzer.

• Send and receive those commands using a C++ interface.

• Create a simplified web interface that allows remote connection to the TOC Analyzer.

Page 4: Reverse Engineering Serial Protocol

The Instrument

• The Total Organic Carbon/Total Nitrogen (TOC/TN) Analyzer analyses for the Organic Carbon or Nitrogen present in a water sample.

• The TN value is used to infer water quality: the higher it is, the poorer the quality of the water.

Page 5: Reverse Engineering Serial Protocol

Tools Used in the Project

• Visual Studio 2010 as an Integrated Development Environment (IDE).

• Serial port sniffer for reading traffic.
• USB to serial port converter for creating a serial port from a USB port.
• Serial port splitter for sharing one serial port.

Page 6: Reverse Engineering Serial Protocol

Software Implementation

• A standard C++ Library was used for serial port communication.

• The interface has many timing issues.
• The development methodology used was Agile.

Page 7: Reverse Engineering Serial Protocol

The Nature of the Lab

• The lab parameters of the TOC Analyzer are known beforehand.

• The user has to:
  – pick the vial position which contains the sample
  – start the lab, which commands the software
  – wait for the TOC Analyzer to return a value for TN.

Page 8: Reverse Engineering Serial Protocol

TOC Initialization Protocol

A5 0B F4 00 04 01 00 00 00 00 00 00 00 04

A5 03 FC 00 01 00   (Good)

A5 03 FC 00 02 00   (Bad)

System Parameters

Page 9: Reverse Engineering Serial Protocol

System Parameters

Header  Payload  Checksum

A5 03 FC 00 01 00   A5 03 FC 00 01 00

A5 23 DC 01 04 1B 00 00 00 00 00 00 D0001 00 00 00 15 00 00 00 0B 00 00 00 03 00 00 00 29 00 00 00 50

0B gives the hour at which this was sent, 03 the minute and 29 the second; 50 is the checksum. Converting from hexadecimal tells us this command was sent at 11:03:49.

Page 10: Reverse Engineering Serial Protocol

Lab Start Up Bytes

• A timed handshake protocol is performed.
• A block of data is sent to the TOC Analyzer defining the lab parameters, including injection volume and vial position.

Page 11: Reverse Engineering Serial Protocol

Lab Start Up Bytes Example

A5 03 FC 00 01 00 A5 73 8C 07 04 5A 00 00 00 00
00 00 00 00 00 00 00 09 00 00 00 03 00 00 00 03
00 00 00 3C 00 00 00 00 00 00 00 02 00 00 00 01
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 22 01 00 00 00 00 00 00 22 01 00 00 0A
00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 00
00 00 00 F0 00 00 00 F0 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 FF FF FF FF E1


Page 15: Reverse Engineering Serial Protocol

Lab Start Up Bytes Explained

• 3C tells the TOC to inject 60 ml of the sample.
• 0A tells the interface that the vial position is position 10.
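The framing that Pages 8 to 15 show by example can be checked mechanically. The Python below is an added example, not code from the project: it splits a sniffed byte stream into frames, checks the header pattern that every frame on these slides happens to satisfy (0xA5, a length byte, then the bitwise complement of that length: 03/FC, 0B/F4, 23/DC, 73/8C), reads the body as 32-bit little-endian words, and extracts the two values Page 15 identifies (0x3C = 60 and 0x0A = 10). Everything beyond those two decodings is inferred from the captured bytes rather than stated on the slides: the complement check, the prefix/words/trailer body layout, and the word positions. The trailing byte is reported, not verified, because the slides call it a checksum but give no algorithm. Note that the Page 9 seconds byte 0x29 is decimal 41, which is what the decoder prints.

```python
"""Frame splitter and field decoder for the TOC analyzer captures on Pages 8-15.
Added example, not the project's code. Assumptions inferred from the captured
bytes (the slides only state 3C -> 60 and 0A -> 10):
  * a frame is 0xA5, a length byte, the bitwise complement of that length
    (03/FC, 0B/F4, 23/DC, 73/8C), then `length` body bytes;
  * a body is a 2-byte prefix, 32-bit little-endian words, and one trailing
    byte the slides call the checksum (no algorithm given, so not verified).
"""
import struct
from dataclasses import dataclass

SYNC, HEADER_LEN, PREFIX_LEN = 0xA5, 3, 2
INJECTION_VOLUME_WORD = 6   # word holding 3C 00 00 00 on Page 11 (inferred position)
VIAL_POSITION_WORD = 17     # word holding 0A 00 00 00 on Page 11 (inferred position)


@dataclass
class Frame:
    prefix: bytes   # e.g. 00 01 (ack), 07 04 (lab start)
    words: list     # little-endian uint32 values between prefix and trailer
    trailer: int    # last body byte ("checksum" on the slides)
    raw: bytes


def split_frames(stream: bytes) -> list:
    """Cut a sniffed byte stream into frames, enforcing the header invariants."""
    frames, i = [], 0
    while i < len(stream):
        if stream[i] != SYNC:
            raise ValueError(f"expected 0xA5 at offset {i}, got {stream[i]:#04x}")
        if i + HEADER_LEN > len(stream):
            raise ValueError(f"truncated header at offset {i}")
        length, check = stream[i + 1], stream[i + 2]
        if length ^ check != 0xFF:
            raise ValueError(f"length/complement mismatch at offset {i}")
        end = i + HEADER_LEN + length
        if end > len(stream):
            raise ValueError(f"frame at offset {i} wants {length} body bytes, "
                             f"{len(stream) - i - HEADER_LEN} available")
        body = stream[i + HEADER_LEN:end]
        n_words, rem = divmod(len(body) - PREFIX_LEN - 1, 4)
        if n_words < 0 or rem:
            raise ValueError(f"body of {len(body)} bytes at offset {i} is not "
                             "prefix + 4n + trailer")
        words = list(struct.unpack_from(f"<{n_words}I", body, PREFIX_LEN))
        frames.append(Frame(bytes(body[:PREFIX_LEN]), words, body[-1], bytes(stream[i:end])))
        i = end
    return frames


def ack_status(frame: Frame):
    """3-byte reply body 00 01 00 means accepted ("Good"), 00 02 00 rejected ("Bad")."""
    if frame.words or frame.prefix[0] != 0x00:
        return None
    return {0x01: "good", 0x02: "bad"}.get(frame.prefix[1])


def decode_capture(stream: bytes) -> dict:
    """Per-frame summary plus the two lab parameters Page 15 names, when present."""
    out = {"frames": [], "injection_volume": None, "vial_position": None}
    for f in split_frames(stream):
        status = ack_status(f)
        if status:
            out["frames"].append(f"ack:{status}")
            continue
        out["frames"].append(f"cmd prefix={f.prefix.hex()} words={len(f.words)} "
                             f"trailer={f.trailer:#04x}")
        if len(f.words) > VIAL_POSITION_WORD:
            out["injection_volume"] = f.words[INJECTION_VOLUME_WORD]
            out["vial_position"] = f.words[VIAL_POSITION_WORD]
    return out


def hms_from_tail(tail: bytes) -> str:
    """Page 9: the last three words before the checksum are hour, minute, second."""
    h, m, s = struct.unpack("<3I", tail)
    return f"{h:02d}:{m:02d}:{s:02d}"


# Constructed inputs copied from the slides (whitespace normalised).
INIT_CMD = bytes.fromhex("A50BF4 0004 01000000 00000000 04")   # Page 8
ACK_GOOD = bytes.fromhex("A503FC 0001 00")                     # Page 8 "Good"
ACK_BAD = bytes.fromhex("A503FC 0002 00")                      # Page 8 "Bad"
LAB_START = bytes.fromhex(                                     # Page 11: ack + lab block
    "A503FC000100"
    "A5738C 0704 5A000000 00000000 00000000 09000000 03000000 03000000 3C000000"
    "00000000 02000000 01000000 00000000 00000000 00000000 00000000 22010000"
    "00000000 22010000 0A000000 00000000 03000000 00000000 00000000 F0000000"
    "F0000000 00000000 00000000 00000000 FFFFFFFF E1")
SYSPARAM_TAIL = bytes.fromhex("0B000000 03000000 29000000")    # Page 9, legible tail


def sysparam_time() -> str:
    return hms_from_tail(SYSPARAM_TAIL)   # 0x0B:0x03:0x29 -> 11:03:41


if __name__ == "__main__":
    for name, cap in (("init", INIT_CMD), ("ack", ACK_GOOD), ("nak", ACK_BAD), ("lab", LAB_START)):
        print(f"{name:5s} {decode_capture(cap)}")
    print("system parameters sent at", sysparam_time())
```

Running it on the Page 11 capture yields two frames, the 6-byte "Good" acknowledgement followed by the 115-byte lab block, with injection volume 60 and vial position 10; the same splitter rejects a stream whose length and complement bytes disagree or whose declared length overruns the capture, which is the check a PC-side controller needs before trusting any field.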

Page 16: Reverse Engineering Serial Protocol

Difficulties

• Determining correct serial port timings, as the software works in milliseconds.
• Determining the correct serial port configuration.
• Decoding a serial port protocol simply by observing bytes.
• Black-box reverse engineering.

Page 17: Reverse Engineering Serial Protocol

Overall

• Working towards an interface that will allow labs to be performed remotely.

• Next step is finding out more information about the protocol.

Page 18: Reverse Engineering Serial Protocol

Acknowledgements

• Kevin O'Neil for proposing the idea and helping me when I got stuck.

• Sharon Brewer and Bruno Cinel for being great clients and helping me with the equipment needs.

• Questions? Send me an email at [email protected]

Page 19: Reverse Engineering Serial Protocol