Firmware dump

[Ingramz]

The main microcontroller used is Renesas R5F21258SN.

The programming and debug interface is supposedly done via 6 pins: VCC, GND, RX, TX, RST, MODE

Most of it is plain UART, however it looks like MODE and RST has to be used in a specific way to trigger the programming features.

ToorCon 13 badge provides some instructions. It should be possible to use a simple FTDI FT232 3.3V adapter to interface with the chip.

A quick glance at the datasheet shows that it is possible to "protect" chip from being read via 7 byte (56 bit) key. Obvious keys that should be tried are 00:00:00:00:00:00:00 and FF:FF:FF:FF:FF:FF:FF. If a different key is used, then an effort should be made to attempt to figure out the key, however as it is 56 bits, brute force will not be practical. A way to poke memory via modbus should be investigated in this case to extract or at worst overwrite the key.

If firmware binaries can be obtained from working units, this will enable upgrading early models to a newer firmware and further study its functions via inspecting the assembled binary. Also it might enable cross-flashing application 116/130 unit to application 131 if one wanted.

[Ingramz]

Success!

[Ingramz]

Help wanted!

I'm looking for someone who could provide me a dump of software version 1.08. I can provide the necessary tools for the job and know-how.

[mattiaslundin]

If you are still interested i can help out with 1.08

[Ingramz]

@mattiaslundin yes, definitely. Do you happen to own an FTDI serial adapter to perform he task outlined on the firmware page?

[mattiaslundin]

I’ve got an rs232 and 485 adapter but not sure if they’ll work. Will give it a try at least.

[Ingramz]

Plug them to your computer and see what the USB device ID-s are.

[Ingramz]

@mattiaslundin would you be still up for helping to dump the firmware?