What are UART and JTAG? - Hardware Hacking General

Hey friends, I'm starting to work with microcontrollers, I'm an absolute newbie, and I want to ask what UART and JTAG mean. Explain as simply as possible! Thank you so much!

UART = Universal Asynchronous Receiver/Transmitter
JTAG = Joint Test Action Group
UART is a type of chip that controls communications to and from a device, such as a microcontroller, ROM, RAM, etc. Most of the time, it's a serial connection that allows us to communicate with a device.
JTAG is a set of test ports that is used for debugging but can also be used to program firmware (which is commonly done).

Related

Controller for TIACXWLN

Hello all.
Experimental version of custom mode controller for TIACXWLN built-in adapters
is located at http://winm-soft.atspace.com
Who is interested may test it...
Hello AlexB.
I was trying to run your program on the Hermes with WM6, which according to the wiki is equipped with a TI chipset. I found references in the registry to TIACXWLN drivers, but unfortunately your custom mode controller doesn't want to work; all I've got is "Cannot process memory block!........" and, after choosing yes, "Cannot read configuration! It is possible device is off." But the wlan device is actually on. I'll send you my *.dmp files; maybe you can manage to make it work on the Hermes.
I had been toying around with the custom mode driver and have had little success thus far. Another thread was started and I have since taken great interest in trying to achieve promiscuous packet sniffing on my Tytn. I believe the problem may lie within either the custom driver, tiacxwln.dll or the hardware itself.
A little more information...
The mode controller works (attempts to work) directly with the adapter (ACX100, PCMCIA!!!), not with the driver (standard, not patched). The program extracts the address of the adapter's register window from the TIACXWLN driver (TIACXWLN1 device object) and then enables some packet filters, executes commands, etc...
I have no new ideas now as to why it works badly on such a built-in adapter (the device processes commands with success status)...
On the Dell I receive all packets, but only sometimes...
Alex, is it possible for you to patch the internal driver to use promiscuous mode and not bother with the custom controller?
The custom mode controller is probably the best way to go about activating promiscuous scanning, since its effect can be made temporary. If this mode of packet scanning were always enabled, I believe it would not allow one to associate with an access point.
I've attached the dump files that were generated after the unsuccessful execution of tiacxwln_ctrl. Perhaps the author or someone else can derive a solution.
Hi, Alex.
I was looking for your tiacxwln_ctrl custom controller on your web site, http://winm-soft.atspace.com/ but I could only find TNETWLN and WCF-11 files. Has it been moved, or deleted? I'd like to try it on my HTC 8525 with WM6.
Walt
I've received a private request for the file that AlexB developed and had posted on his site winm-soft (it's no longer available), which is mentioned above. It will not enable promiscuous scanning on the Hermes. I repeat, it is broken, it does not work. AlexB did a great job creating this hack; however, I don't believe that it was ever intended to work with the 8525. If AlexB would be so kind as to provide his source then perhaps we would have a decent starting point to enable this feature; however, anyone who would be interested in doing this would find 3 perhaps not so obvious hurdles.
1: The TIACXWLN.DLL driver needs to be hacked to enable monitor mode.
2: A program capable of capturing and storing .pcap files would be necessary at this point, as the only program that I'm aware of capable of sniffing out weak keys is airsnort, which only accepts pcap dumps.
3: The pcap file would be huge, i.e. it could quite possibly take up 1 GB or more of a microSD card.
Just my $.02. Comments are welcome. Now onto the file. Enjoy!
Hi everybody,
The TIACXWLN controller was developed (beta/gamma...) for the Dell X51 PDA; the program worked badly and it was discarded! That program got some pointers (parameters) from the context parameters of the standard tiacxwln driver... The standard driver in the Dell and the driver in HTCs are different... Some experience from that controller's development was used to make the TNETWLN controller (also a Texas Instruments adapter)... All controllers try to enable only promiscuous mode (not monitor mode).
As yet there are no TIACXWLN promiscuous mode ideas or devices...
Now some ideas for the TNETW1251 (with SDIO) exist.
Thanks for the clarification.
Alex, I don't understand your reluctance to release source code, unless you based it upon "inside knowledge" of someone's copyrighted code, in which case I understand completely. If (and I fit into this category myself from time to time) you are simply embarrassed by code that "worked bad and it is discarded!" then maybe you could release it to a small group of coders who would be able to make it work without a lot of public exposure.
My personal interest is simple. I have a Zaurus C3200 that I use to sniff out rogue access points on the networks I am responsible for. It's big and clunky, and only works on 802.11b networks, so I don't carry it all the time, whereas I *always* have my 8525 with me, and it will work on b/g.
As far as WEP cracking goes, with ARP injection you can get aircrack to find a key with files of around 1-2MB in size, so the pcap files would not be too big. Of course, as I understand it, you *would* need monitor mode for packet injection to work.
IMHO this is a valuable development work that should continue. I just wish I had the skills and time to do more myself!
Walt
About sources
The main idea of the controllers is working in special modes in parallel with the vendor driver/software (without patching, etc.). All information, command structures and register constants were extracted from: http://acx100.sourceforge.net/
Whoever is interested in building a new TIACXWLN driver should analyze these sources. There are many commands and constants in these sources, but the controller used only the Packet Filter command. All that the controller needed was the address of the mapped register window (it was stored in the vendor driver context)... The TIACXWLN adapter on the Dell X51v processed these asynchronous commands with success (by response), but the vendor driver acted as a post-processor for any commands...
Commands used by the controller (for details see the Linux driver (acx_struct.h)):
1) ACX1xx_CMD_INTERROGATE (IE_RXCONFIG)
2) ACX1xx_CMD_CONFIGURE (IE_RXCONFIG, RX_CFG1_RCV_PROMISCUOUS)
...
Hi, thanks to Lancealot for uploading this file.
I installed this control driver on my HTC Universal (the Universal has a Wi-Fi chip from the same manufacturer as the TyTN: tiacxwln).
But this control utility does not work on my Universal :-(
It sets promiscuous mode, and then the Universal freezes :-(
Anybody have any ideas?
* Please excuse my bad English, thanks.
Hi Alex
I have a Sedna and have the discussed Wi-Fi driver. My problem is that it connects to the Wi-Fi router (g) but I cannot surf. Most of the time I have to turn it off/on and it works, but after long periods it disconnects. I hope this will solve the problem; also, if you can suggest any guidance, I will be grateful.
AlexB does your sniffer allow you to capture wifi traffic in all channels?
Hi,
The sniffer captures "adapter driver <-> protocol stack" packets...
The standard driver of the WiFi adapter returns packets only after connecting to some network; therefore the sniffer gets traffic from one network on some channel... In promiscuous mode the adapter gives the user packets with a foreign destination address.

USB - RS232 / GPS / data logger

Hello everybody,
First of all, I want to apologize for my questions, because they are often discussed in several forums (USB-RS232).
BUT I did not find a solution. Sometimes I found "it works" and sometimes for the same problem "no chance". Enough ;-)
I'm writing a program in VB.net to log
1) all data from the GPS at COM4 and
2) all data from an acceleration sensor which might be connected via the USB-Port of my XDA Orbit (HTC Artemis).
Logging the GPS data is no problem, except for the speed of the SiRFstar III chip. Can it update faster than 1 sec?
My main problem is the connection to the sensor. I know that the port of the XDA is a USB client. The data I receive from the development board is sent via RS232 out.
My question:
Is it possible to get those data strings into the XDA to log them via the existing USB port? How can I implement it?
Can I connect the USB plug and the RS232 like I found several times in this forum? Does it work???
The solution of this project is very important for me.
For everybody's help, I am very grateful.
Thank you very much.
Greetings from Germany
Dee
If I understand you correctly, you wish to connect an RS232 output to the mini USB connector on your device and log the serial data coming into the USB port? Yes, this is possible, but not without a PIC microcontroller in between. RS232 runs on, IIRC, +9V/-9V, while USB runs on +5V. If you directly plug an RS232 output into your USB input without anything in between you very well might fry your phone. I don't recommend it.
Fortunately, RS232 to USB devices are easily found, both schematics and pre-made adapters.
A quick Google search found this schematic:
http://pinouts.ru/SerialPortsCables/usb_serial_adapter_pinout.shtml
fluxist
Hi fluxist,
Thank you for your answer. It sounds very good to me. But does it work with a USB-client PDA?
Thanks a lot.
Greetings
Dee
USB Client to rs232
Hello
If you want a "USB Client to RS232" interface, please contact me ([email protected]). I can produce it for you. I use this converter in many PDA projects.
Best regards
RBA

Is there a hardware serial port anywhere?

Hi folks,
Does anyone know if the Uni has an accessible UART (hardware serial port) anywhere on the motherboard? I want to physically connect to a device that needs serial access. I'm happy with level-shifting from 3.3V to RS232, which I assume I'll need to do; I just need to know where there are TX and RX pins that I can get to.
Cheers if you can help,
Johnny_G
Is there any progress after 7 years? I need UART too, but maybe it's impossible on the Universal?

Trying to figure out what my JTAG and UART ports are telling me.

Okay, so on my device I have two serial ports. One port is labeled J2 with 4 pinouts that I think is the UART. The second port, labeled JPEEK3, has 6 pinouts that I think is the JTAG. Here's the problem: they aren't giving me UART and JTAG readings on my multimeter or logic analyzer.
J2 is reading like this:
3.28V GND 3.28V 3.28V
No data, just straight to idling high.
As for JPEEK3, I'm reading this:
GND .04V .04V 2.95V 2.95V GND
On this I'm getting data on all active pins. I tried hooking my JTAGulator up to the device to read it, but every time I do, the device is stuck in reset mode.
Anyone got any idea of what these readings mean?
biomedguy said:
Okay, so on my device I have two serial ports. One port is labeled J2 with 4 pinouts that I think is the UART. The second port, labeled JPEEK3, has 6 pinouts that I think is the JTAG. Here's the problem: they aren't giving me UART and JTAG readings on my multimeter or logic analyzer.
J2 is reading like this:
3.28V GND 3.28V 3.28V
No data, just straight to idling high.
As for JPEEK3, I'm reading this:
GND .04V .04V 2.95V 2.95V GND
On this I'm getting data on all active pins. I tried hooking my JTAGulator up to the device to read it, but every time I do, the device is stuck in reset mode.
Anyone got any idea of what these readings mean?
The voltage levels for the UART are OK.
UART "J2"
3.28V GND 3.28V 3.28V
It could match the signals:
VCC, GND, TxD, RxD
For UART you need to know the communication baud rate and other connection parameters. You also need to know the communication protocol at the UART layer.
The voltage levels for JTAG are OK.
JTAG "JPEEK3"
GND .04V .04V 2.95V 2.95V GND
It could match the signals:
GND, CLK, DIO, RST, VCC, GND
which is JTAG in SWD mode.
Maybe "JPEEK3" is SWD?
For full JTAG you have these pins on "JPEEK3":
TDI, TCK, TMS, TDO, RST, VDD, GND
If RST is missing in JTAG, the problem is to get the target into debug mode if the target has its own power supply.
Appreciate the help, never considered the pinouts for JPEEK3 to be SWD.
The board doesn't technically have its own supply; the power comes from other boards that it's connected to in order to power on. Should I figure out a way to power it on with a power bank in that case?
As for the UART, I have a DSLogic Plus; should I just test multiple baud rates and see what happens? I'm not sure what other protocols and communications to look for other than that.
biomedguy said:
Appreciate the help, never considered the pinouts for JPEEK3 to be SWD.
The board doesn't technically have its own supply; the power comes from other boards that it's connected to in order to power on. Should I figure out a way to power it on with a power bank in that case?
As for the UART, I have a DSLogic Plus; should I just test multiple baud rates and see what happens? I'm not sure what other protocols and communications to look for other than that.
It is a question of whether the board is powered from an external source or only from the JTAG programmer (SWD). For JTAG / SWD, it is better if the target is powered only from the JTAG programmer (SWD), unless it is required to power other peripherals and cover power requirements. For JTAG (SWD), there must be direct JTAG (SWD) programmer support for a specific target (MCU), debug mode, Flash write, and so on. Each MCU has a different protocol and must be directly supported by the JTAG (SWD) programmer or control software. For JTAG (SWD) communication, you can change the communication speed arbitrarily (it is not fixed), if it fails to connect to the target (MCU), you can reduce the communication speed.
For the UART, the communication speed (connection) is precisely determined in advance; you must know it or analyze the output data (timing of given bytes using the DSLogic Plus) if it is sent natively on the UART interface (boot log). The protocol on the UART interface also needs to be known if it is not shell terminal output.
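The timing analysis the reply above describes can be automated over an exported capture. This is an added example, not code from the thread, the poster, or the DSLogic software: it takes one sample per tick of a known sample rate (1 = idle-high TTL level, 0 = low), estimates the bit period from the shortest run between edges, and decodes 8N1 frames while counting stop-bit (framing) errors, so that a wrong baud rate shows up instead of silently producing garbage. The capture and the 4 MS/s sample rate are constructed in the code, not taken from any real board.

```python
from typing import Dict, List, Tuple

STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200, 230400)

def encode_8n1(data: bytes, baud: int, sample_rate: int, idle: int = 50) -> List[int]:
    """Constructed test input: 8N1 stream (start, 8 data bits LSB first, stop),
    one sample per tick, 1 = idle-high TTL level, 0 = low."""
    bits: List[int] = []
    for byte in data:
        bits += [0] + [(byte >> k) & 1 for k in range(8)] + [1]
    spb = sample_rate / baud                  # samples per bit (not integral)
    samples, prev_edge = [1] * idle, 0
    for k, bit in enumerate(bits):
        edge = round((k + 1) * spb)           # bit boundary on the sample grid
        samples += [bit] * (edge - prev_edge)
        prev_edge = edge
    return samples + [1] * idle

def estimate_baud(samples: List[int], sample_rate: int) -> int:
    """Shortest run between edges is ~one bit period; snap it to a standard rate."""
    runs, cur = [], 1
    for a, b in zip(samples, samples[1:]):
        if a == b:
            cur += 1
        else:
            runs.append(cur)
            cur = 1
    if len(runs) < 2:
        raise ValueError("no UART activity in capture")
    raw = sample_rate / min(runs[1:])         # runs[0] is the leading idle period
    return min(STANDARD_BAUDS, key=lambda r: abs(r - raw))

def decode_8n1(samples: List[int], sample_rate: int, baud: int) -> Tuple[bytes, int]:
    """Decode frames at the given baud; returns (bytes, framing_errors)."""
    spb = sample_rate / baud
    out, errors, i, n = bytearray(), 0, 0, len(samples)
    while i < n:
        if samples[i]:                        # idle: wait for a start bit (low)
            i += 1
            continue
        start = i
        if int(start + spb * 9.5) >= n:       # frame runs past the capture
            break
        value = 0
        for k in range(8):                    # sample each data bit at its centre
            value |= samples[int(start + spb * (k + 1.5))] << k
        if samples[int(start + spb * 9.5)]:   # stop bit must be high
            out.append(value)
        else:
            errors += 1                       # a wrong baud rate shows up here
        i = int(start + spb * 10)
    return bytes(out), errors

def scan_bauds(samples: List[int], sample_rate: int) -> Dict[int, Tuple[bytes, int]]:
    """Try each standard rate, like stepping through rates on a terminal."""
    return {b: decode_8n1(samples, sample_rate, b) for b in STANDARD_BAUDS}

if __name__ == "__main__":
    cap = encode_8n1(b"U-Boot>\r\n", 115200, 4_000_000)   # constructed 4 MS/s capture
    print("estimated baud:", estimate_baud(cap, 4_000_000))
    for baud, (data, err) in scan_bauds(cap, 4_000_000).items():
        print(f"{baud:>7}: {err} framing errors, {data!r}")
```

The shortest-run estimate needs the capture to be oversampled well above the baud rate (here about 35 samples per bit); at low oversampling, compare the candidate rates by framing errors instead.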
Well hot dog, that's a lot of solid info. Appreciate it, really.
I just got a Flyswatter2 in the mail; hopefully that'll be compatible with the Atmel AT91 MCU on the board, apparently it's using an ARM7 processor. Good to know not to power on the board like I have been with the JTAGulator and DSLogic.
You wouldn't happen to know how to locate the configuration memory for the FPGA, now would you? I'm talking with my cousin who's an EE major, and he was asking for it. I'm not even sure how that'll help with getting into the JTAG.
biomedguy said:
Well hot dog, that's a lot of solid info. Appreciate it, really.
I just got a Flyswatter2 in the mail; hopefully that'll be compatible with the Atmel AT91 MCU on the board, apparently it's using an ARM7 processor. Good to know not to power on the board like I have been with the JTAGulator and DSLogic.
You wouldn't happen to know how to locate the configuration memory for the FPGA, now would you? I'm talking with my cousin who's an EE major, and he was asking for it. I'm not even sure how that'll help with getting into the JTAG.
Atmel AT91 MCU is supported by OpenOCD. Flyswatter2 works with OpenOCD. From the FT2232H chip used by Flyswatter2, I made a programmer for SPI EEPROM [https://geekdoing.com/threads/unbrick-mi-band-3-with-without-nfc.700/]
I have never used Field Programmable Gate Arrays (FPGA), always only MCUs, I will not advise you in this area. Unfortunately. FPGA arrays have configuration memory as an external memory chip.
The JTAG programming interface is also used for FPGA arrays. FPGA and MCU are completely different technologies. Custom MCUs can also be created using an FPGA array.

Hacking & Reverse Engineering of Tata Sky HD STB ( Technicolor : DSI729TAT )

I have a "Tata Sky HD" set-top box and I was about to throw it in the garbage, but before that I want to know what is happening under the hood.
I searched on the internet and found nothing except this. I'm a noob, so sorry if I say something silly.
I found these specifications.
Product : TATA SKY HD
Original Maker : Technicolor
Product Model Number : DSI729TAT
Chipset : STiH237 BHKB B3L
Type : ST40 -32 BIT
Architecture : RISC
RAM : 2GB [ SK Hynix H5TQ2G63FFR H9C ]
Storage : 1GB [ Spansion ML01G100 ]
Power : 12v DC
Software: busybox 1.18.2 , mtdwrap, uclibc, Linux Kernel 2.6.32.59_stm24_0211, ST drivers: embx.ko, embxmailbox.ko, ics.ko, ics_user.ko, lxload.ko, mme.ko, mme_user.ko, LZO Decompression Library 2.03, Decompression Utility
PORTS : 1 HDMI 1.2/1.3/1.4, 1 USB 2.0, SAT-IN & 2 Audio 1 Video Out , 1 Optical S/PDIF (for Dolby Digital Plus Audio ), 1 Digi Card.
I found 1 UART port which could be used for the extraction of the firmware.
AFTER SOME RESEARCH I FOUND THAT IT IS SIMILAR TO AN ARM CORTEX-A9 WITH A MALI-400 GPU. (MAYBE I'M WRONG)
IDEA : It has a good processor and RAM which could run like a Raspberry Pi OS,
so we can repurpose it as a Media Center, Gaming Console, NAS, Smart Home, Small Server or a Mini Computer.
Storage is low, so we have to add some storage. I'm not sure how this is possible, except swapping the NAND flash chip.
GOAL 1 : Extract the firmware and extract the paid decryption key which is used to verify the SAT-IN signals. ( an STB which doesn't require a subscription to watch any TV channel )
I think they modified the software which captures the unencrypted signal, and if we have a signal receiver then we are good to go. But big companies want to earn money, so they added these barriers which need decryption, and if the satellite is sending an encrypted signal then we need to find the key. ( I know it's hard; that's why we are here. I'd love to hear your thoughts on this )
GOAL 2: Change the firmware and install Linux.
GOAL 3: Find a way to use it as a media server with increased storage and add a wireless module for WiFi access.
I'm not sure whether it is possible or not, but I think it's possible. Just think about it: a small piece of hardware can collect signals from a satellite and decrypt the signals in HD with Dolby HD audio. We just need to find a way to access this.
I SHARED MY IDEA AND I DON'T KNOW MUCH ABOUT THESE.
PROBABLY I'M GOING TO ACCESS THIS WITH THE UART INTERFACE AND TRY TO ACCESS THE BOOTLOADER.
OR MAYBE DESIGN A CUSTOM KERNEL.
I'M SEARCHING FOR COMPATIBLE FIRMWARE WHICH I CAN MODIFY AS I NEED.
EXTRA : I FOUND A SIMILAR STB WHICH IS USED IN RUSSIA, "NTV PLUS SET TOP BOX", WHICH HAS SIMILAR PROPERTIES TO THE TATASKY HD BUT WITH EXTRA I/O PORTS.
THANK YOU. IF YOU HAVE ANY ADDITIONAL IDEA THEN I'D LOVE TO HEAR IT.
Links Used For Gathering Information
Chipset : https://www.st.com/en/digital-set-top-box-ics/stih237.html
RAM : https://www.electronicsdatasheets.com/manufacturers/sk-hynix/parts/h5tq2g63ffrh9c
OS information : https://www.technicolor.com/node/1899
Storage : https://www.qdatasheet.com/search.jsp?sWord=ML01G100&page=2&op=i
RISC BASED TOOLS AND APPS : https://www.riscosopen.org/content/downloads/common
This is probably the UART. You will most likely get a shell and U-Boot logs provided that it's not fused off (ST microcontrollers can have debug interfaces fused off during flashing at the manufacturer).
How to find the pinout:
GND will have continuity with metallic parts of the board (heatsinks, HDMI ports, etc.)
VCC will measure 1.8-5V DC depending on logic level
RX will not measure very much voltage
TX will go crazy during boot on an oscilloscope.
Try baud rate 115200 8N1
$cronos_ said:
This is probably the UART. You will most likely get a shell and U-Boot logs provided that it's not fused off (ST microcontrollers can have debug interfaces fused off during flashing at the manufacturer).
How to find the pinout:
GND will have continuity with metallic parts of the board (heatsinks, HDMI ports, etc.)
VCC will measure 1.8-5V DC depending on logic level
RX will not measure very much voltage
TX will go crazy during boot on an oscilloscope.
Try baud rate 115200 8N1
Well, I don't have an oscilloscope yet; soon I will try your guide, thanks for the guidance. I will try to post updates on upcoming experiments.
dyal96 said:
IDEA : It has a good processor and RAM which could run like a Raspberry Pi OS,
so we can repurpose it as a Media Center, Gaming Console, NAS, Smart Home, Small Server or a Mini Computer.
Storage is low, so we have to add some storage. I'm not sure how this is possible, except swapping the NAND flash chip.
GOAL 1 : Extract the firmware and extract the paid decryption key which is used to verify the SAT-IN signals. ( an STB which doesn't require a subscription to watch any TV channel )
I think they modified the software which captures the unencrypted signal, and if we have a signal receiver then we are good to go. But big companies want to earn money, so they added these barriers which need decryption, and if the satellite is sending an encrypted signal then we need to find the key. ( I know it's hard; that's why we are here. I'd love to hear your thoughts on this )
I think we can utilize the USB port on the back to add the external storage, as the USB port is used for storing the TV recordings (as far as I can recall), and for the UART part, we can also use it for accessing a root shell in the initial step, to figure out the operation method and framework.
I don't have any idea about the encryption keys; it would be cool if there's a way for that.
I have the same STB; I would love to repurpose the old box. What's your progress on this so far?
If you have a multimeter, you can check if the pins are for UART: the RX voltage would be very low, the TX voltage would be fluctuating upon boot, check continuity for GND with any grounded part like the HDMI port shield or the silver part of the AV port, and VCC would be 3.3 or 5 volts.
