Sonsivri
 
Author Topic: Project: Casio data-link (Hacking a protocol)  (Read 12401 times)
M.yasser
« on: July 12, 2011, 02:05:08 14:05 »

Hi,
The Casio fx-5800P programmable calculator can transfer its data to another fx-5800P calculator serially through a 3-pin cable. See figure below.

It would be very useful if I could save data to the PC. To do so I have to understand the signal properties and the protocol that the Casio fx-5800P calculators use to communicate with each other. After that I can design a data-link between the calculator and the PC.
Some time ago I built a data link for another model, the Casio CFX9580GB. It was based on RS232.
In the beginning I thought that the situation would be the same for the fx5800P, so I bought a MAX232 (TTL to RS232 converter) and measured the voltage levels of the transmitted signal from the 2.5mm jack. The levels were 0-2.7V, so to connect to the PC using a MAX232 based circuit I needed a voltage level of 0-5V. Thus I constructed a simple level converter based on the LM339 comparator, which was within my reach. Fig1 shows the schematic of the level converter; Fig2 and Fig3 show the transmitted signal before and after the level converter.
Fig1:
Fig2:    Fig3:
The next step is to figure out the protocol that the fx5800P uses. I needed the baud rate, data bits, parity bits and stop bits to connect the calculator to PC HyperTerminal or any other s/w to analyze the outgoing signals using the COM port (RS232 serial port).


In an attempt to find the baud rate, I connected the scope to the tip of the 2.5mm jack and issued a transmit command for selected data in the calculator memory. I repeated this action with the probe of the scope connected to the middle of the 2.5mm jack (I really don't know which one, i.e. tip or middle, is transmit or receive). Fig.4 below is for the first case, Fig.5 is for the second.

Fig4:   Fig5:
I tried to measure the narrowest pulse width to make an estimate of the baud rate. Fig.4 dt=64 us (microseconds), Fig.5 dt=160 us. Fig.1 seems like a strobe of uniform pulses (clock).
OK, now I'll issue a receive command and see what happens.
No signal on the tip nor the middle, but when I press cancel (AC button), a signal shows. Fig.4 is for the Tip (2.5mm jack) and Fig.5 is for the middle (2.5mm jack). It seems that the tip is a clock for the data from the middle.
Fig6:
Fig6 is a 2-channel scope image; the yellow signal is from the Tip of the 2.5mm jack and the blue signal is from the middle (2.5mm jack). The signals are recorded simultaneously after issuing a transmit command.
It seems that the type of serial communication is synchronous (the RS232 serial COM port in a PC uses a different type of signal communication called asynchronous).
My first conclusion is that these are I2C-type communication signals. Any suggestions?
Regards.
pickit2
There is no evidence that I muted SoNsIvRi
« Reply #1 on: July 12, 2011, 02:16:04 14:16 »

looks like it's been done before http://www.engineeringsurveyor.com/utilities/#Casio_Utilities
Note: I stopped muting bad members OK I now put their account in sleep mode

M.yasser
« Reply #2 on: July 12, 2011, 02:41:22 14:41 »

Hi pickit2,
Thank you for the fast reply.
Unfortunately the link shows interface cables which are compatible with the Casio CFX9850GB (asynchronous RS232 interface style).
The fx5800P measured signals seem to be of a synchronous communication style.
Regards.
DarkClover
Still alive...
« Reply #3 on: July 14, 2011, 08:32:15 20:32 »

Well, it seems that the data is sampled at the falling edge of the CLOCK signal.
Therefore the transmitted data is 11010000001000011000100001100010
The blue parts are always the same; it looks like a communication start sequence or something.
But on the other side, the first data bulk (purple) is very different from the second two (red and green).
Within purple the red/green part is also present, and the rest, 01000, would be 8 in decimal.

The purple part could be an address or the serial number or something similar. The other two are similar data.
It would be interesting to see what happens if you try to transmit other values. Just try transmitting 0-9 so that
one can reverse engineer the protocol.
Not thinking means to believe what others say!
TRY & ERROR... the fundamental principle our existence is based on

M.yasser
« Reply #4 on: July 15, 2011, 09:14:23 21:14 »

Hi,
I'll try to scope something that may make sense. The calculator allows sending programs, setup, ...; it does not allow sending values.
Regards.
M.yasser
« Reply #5 on: July 21, 2011, 08:32:35 20:32 »

Hi I’m back,
This is a complete communication session between two calculators: one calculator is sending data and the other is receiving. The left column images are for the probe of the scope connected to the Tip of the 2.5mm jack with respect to the sender, and the right column images are for the Middle of the 2.5mm jack. Each row represents the same instant of time.

Posted on: July 21, 2011, 09:19:29 21:19 - Automerged

Analyzing the above data is cumbersome. Can anybody suggest a method or a technique to analyze the communication protocol?
Regards.
DarkClover
« Reply #6 on: July 22, 2011, 01:57:57 13:57 »

Woah! That's a bunch of data.

It would be helpful to know what exactly the transmitting calculator
is sending to the other one. Is it a setup, program, ...?
M.yasser
« Reply #7 on: July 22, 2011, 02:56:02 14:56 »

Hi DarkClover,
It's a simple program named "kkk" and it contains one statement only:
Code:
5^2
The entire test is done using that same program.
Have a nice day.
DarkClover
« Reply #8 on: August 01, 2011, 09:18:32 21:18 »

Quote
Hi DarkClover,
It's a simple program named "kkk" and it contains one statement only:
Code:
5^2
The entire test is done using that same program.
Have a nice day.

Well, I don't have much time these days, but I'll have a look at it.

I would appreciate some help from experienced reverse engineers
since I'm not that good at reverse engineering codes or protocols.

With a little luck, we will get to the goal.
You can try to SIMULATE the signal 1:1 and look if the receiving calculator
does the same. Then change some parameters and maybe we'll get the
initiation code or some other hints.
pickit2
« Reply #9 on: August 01, 2011, 09:49:13 21:49 »

http://www.spiderpixel.co.uk/caspro/downloadsindex.html
See if this helps.
M.yasser
« Reply #10 on: August 02, 2011, 04:09:25 16:09 »

Hi,
I'm thinking that:
First, if I had a tool that reads the above data blocks and displays them on a PC in binary or hexadecimal format, then I may analyze the protocol. (Any suggestions?)
Second, design a circuit that emulates the discovered protocol and stores data to the PC, maybe through the RS232 serial port. I prefer using PIC microcontrollers for the task.
Third, write a sort of PC-based GUI (graphical user interface) to initiate commands and control the H/W circuit.

Quote
With a little luck, we will get to the goal.
@DarkClover: I hope the task will be done easily.

@pickit2: this site is awesome. Unfortunately I couldn't find anything concerning the CASIO fx5800P.

Best regards.
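As an added example (not code from the thread or from Casio), here is a small Python analysis script for the approach in Reply #3 and the binary/hex display tool wished for in Reply #10: it samples DATA on the falling edge of CLOCK, renders the result as hex bytes and finds the repeated runs DarkClover pointed out. The clock/data traces are constructed from the bit string posted in Reply #3, and the sampling edge, MSB-first bit order and 8-bit grouping are assumptions to be checked against real captures.

```python
# Added example, not from the thread: sample DATA on each falling edge of
# CLOCK (Reply #3), then show the bits as hex bytes and find repeated runs,
# the kind of PC-side analysis tool asked for in Reply #10. The traces are
# constructed from the 32-bit string posted in Reply #3, not a real capture.

BITS = "11010000001000011000100001100010"  # bit string from Reply #3

def make_traces(bits, samples_per_bit=4):
    """Constructed traces, one sample per entry. CLOCK is high for the first
    half of each bit period, so its falling edge lands mid-bit on DATA."""
    clock, data, half = [], [], samples_per_bit // 2
    for b in bits:
        clock += [1] * half + [0] * (samples_per_bit - half)
        data += [int(b)] * samples_per_bit
    return clock, data

def decode_falling_edge(clock, data):
    """Return the DATA bits seen at each 1->0 transition of CLOCK."""
    return "".join(str(data[i]) for i in range(1, len(clock))
                   if clock[i - 1] == 1 and clock[i] == 0)

def to_hex_bytes(bits, msb_first=True):
    """Group bits into 8-bit chunks rendered as hex; a partial trailing
    chunk is kept as raw bits so nothing is silently dropped."""
    out = []
    for i in range(0, len(bits), 8):
        chunk = bits[i:i + 8]
        if len(chunk) < 8:
            out.append("bits:" + chunk)
        else:
            out.append("%02X" % int(chunk if msb_first else chunk[::-1], 2))
    return out

def repeated_runs(bits, length):
    """Substrings of the given length that occur more than once, mapped to
    their start offsets (the 'similar' red/green blocks of Reply #3)."""
    seen = {}
    for i in range(len(bits) - length + 1):
        seen.setdefault(bits[i:i + length], []).append(i)
    return {k: v for k, v in seen.items() if len(v) > 1}

def longest_repeat(bits):
    """Longest substring occurring at least twice, with its offsets."""
    for length in range(len(bits) // 2, 0, -1):
        runs = repeated_runs(bits, length)
        if runs:
            return max(runs.items(), key=lambda kv: len(kv[1]))
    return None
```

On the posted bit string the decoder reproduces the 32 bits as D0 21 88 62 and reports a 15-bit run repeated at offsets 7 and 17, which is the "two similar blocks" observation made by eye in Reply #3.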
DarkClover
« Reply #11 on: August 24, 2011, 04:47:30 16:47 »

Well, you could design a very simple logic analyzer with a low-voltage PIC microcontroller, or use one
with a fast ADC. Then send the data to the PC (RS232, USB, whatever).
And for the analyzing part, simply use Excel with VBA. That's the way I did such tasks till I got my logic analyzer.

But first, try to emulate the data sent by your Casio and make the receiving calculator do what it does when
connected directly to another Casio.

Well, if you don't get any clue which calculator sends the data, just build a simple real-time emulator, where your
PIC acts like a repeater but logs the data at the same time. Then you can say where the data blocks come from.
That's very useful if the data stream isn't too fast, like in this case.
M.yasser
« Reply #12 on: May 15, 2012, 09:48:51 21:48 »

Quote
Well, you could design a very simple logic analyzer with a low-voltage PIC microcontroller, or use one
with a fast ADC. Then send the data to the PC (RS232, USB, whatever).
And for the analyzing part, simply use Excel with VBA.
I believe this is somehow a difficult task to start with.
Regards.
monkey
« Reply #13 on: May 16, 2012, 09:20:25 09:20 »

FWIW, from glancing at your waveforms, I would not assume it is simple serial data that can be level-shifted to RS232.
Perhaps it is I2C or 3-wire SPI? As I2C is well specified, it should be easy to check that with a CRO.
h0nk
« Reply #14 on: May 16, 2012, 06:34:44 18:34 »

Quote
Hi,
I'm thinking that:
First, if I had a tool that reads the above data blocks and displays them on a PC in binary or hexadecimal format, then I may analyze the protocol. (Any suggestions?)

Get one of the CY7C68013A eval boards from eBay.
After some modification they will run happily with the Saleae logic analyzer software.
Replace the 24C128 EEPROM of this board with a smaller one; 24C01 to 24C16 should work.
I used a 24C02. Write the attached file to this EEPROM.
If you need additional assistance, let me know.
The IIC file is useful with Cypress CyConsole, the HEX file with a generic EEPROM programmer.
With the software you may be able to export and analyze the data on a PC.


Best Regards
rsync
« Reply #15 on: June 07, 2012, 07:16:43 19:16 »

Hi h0nk,

The hex file works very well. It's for 8 channels. For 16 channels, is it possible to know the vid/pid, or can you build a hex for it?

Thanks
h0nk
« Reply #16 on: June 10, 2012, 04:44:31 16:44 »

Hi rsync,

To my best knowledge the 16-channel design of the Saleae LA is different from the simpler 8-channel design,
so it's not a matter of a simple EEPROM update.

Best Regards
pickit2
« Reply #17 on: June 10, 2012, 07:21:43 19:21 »

I got one in a job lot of dev boards, a CY7C68013A; I thought it was just an evaluation board till I read this topic.
It has the larger EEPROM, and works as a Saleae out of the box. I nearly missed this; it was put in the to-do-later pile.
h0nk
« Reply #18 on: June 10, 2012, 08:55:14 20:55 »

Quote
I got one in a job lot of dev boards, a CY7C68013A; I thought it was just an evaluation board till I read this topic.
It has the larger EEPROM, and works as a Saleae out of the box. I nearly missed this; it was put in the to-do-later pile.

Hint:
You will not be able to use the actual software with the larger EEPROM.

Best Regards
pickit2
« Reply #19 on: July 21, 2012, 03:41:22 15:41 »

Quote
Hint:
You will not be able to use the actual software with the larger EEPROM.

Best Regards

Update with early version of software (larger EEPROM is working);
the latest software needed the smaller EEPROM, so all is well.

I did not buy the one I have, but it's the same as the one on eBay and at about £10 a good buy;
you could even use it as a dev board.

This part of the topic would make an interesting project by itself.
... Copyright © 2003-2999 Sonsivri.to ...
Powered by SMF 1.1.18 | SMF © 2006-2009, Simple Machines LLC | HarzeM Dilber MC