Information/HGAVR

'' This article was originally based on work by Frontalot at linkstationwiki.org and has since been largely re-written. ''

= The Linkstation HG AVR =

== Basic Information ==

The AVR in the HG Linkstation is an AT90S2313-4SC made by ATMEL, not Freescale as previously documented here. This is a cheap 4 MHz AVR with 2k of program (flash) memory and 128 bytes of EEPROM.

CN4 (next to the battery on the LS HG board) is a 6-pin ISP header that can be used to read and program the AVR with a cheap device such as a usbtiny, which can be bought as a kit or assembled from various hobby electronics websites. The cable supplied with the usbtiny has the same pinout and fits perfectly.

You can find the data sheet for this MCU here.

== Hacking with avrdude ==

This is a basic walkthrough on analysing the AVR in the HG Linkstation with avrdude, dude. The following analysis was done entirely on OS X and will work the same in Linux.

=== Basic Testing ===

The following command tests connectivity to the AVR using a usbtiny connected to CN4:

<pre>
macbook-pro-15:~ root# avrdude -c usbtiny -p2313 -n

avrdude: AVR device initialized and ready to accept instructions

Reading | ################################################## | 100% 0.01s

avrdude: Device signature = 0x1e9101

avrdude done.  Thank you.
</pre>

This shows that avrdude can successfully connect to the AVR on the HG Linkstation, which means we can probably upload new firmware if we want to, and extract the firmware it originally shipped with.

=== Extracting AVR Information ===

So we want to know more about our AVR. We could look in the datasheet for this information, but the part command in avrdude will tell us all we need to know to extract the firmware and anything else in the EEPROM. Typically I'll poke an AVR with an interactive avrdude session at this stage; here is how to start one with a usbtiny:

<pre>
macbook-pro-15:~ root# avrdude -c usbtiny -p2313 -n -t

avrdude: AVR device initialized and ready to accept instructions

Reading | ################################################## | 100% 0.01s

avrdude: Device signature = 0x1e9101
avrdude>
</pre>

Now we can issue various commands to the AVR from the avrdude console. Let's use the part command we talked about earlier:

<pre>
avrdude> part
>>> part

AVR Part                      : AT90S2313
Chip Erase delay              : 20000 us
PAGEL                         : P00
BS2                           : P00
RESET disposition             : dedicated
RETRY pulse                   : SCK
serial program mode           : yes
parallel program mode         : yes
Timeout                       : 200
StabDelay                     : 100
CmdexeDelay                   : 25
SyncLoops                     : 32
ByteDelay                     : 0
PollIndex                     : 3
PollValue                     : 0x53
Memory Detail                 :

                         Block Poll               Page                       Polled
  Memory Type Mode Delay Size  Indx Paged  Size   Size #Pages MinW  MaxW   ReadBack
  ----------- ---- ----- ----- ---- ------ ------ ---- ------ ----- ----- ---------
  eeprom         4    12    64    0 no        128    0      0  4000  9000 0x80 0x7f
  flash          4    12   128    0 no       2048    0      0  4000  9000 0x7f 0x7f
  signature      0     0     0    0 no          3    0      0     0     0 0x00 0x00
  fuse           0     0     0    0 no          1    0      0     0     0 0x00 0x00
  lock           0     0     0    0 no          1    0      0  9000  9000 0x00 0x00

avrdude>
</pre>

From the above information we can see the different memory types present in the AVR and their sizes - this means we can easily dump out the EEPROM (storage) and flash (program area) memory and see what is inside them.

=== EEPROM Dump ===

Let's dump the EEPROM and have a look inside. This memory area is typically used by an AVR for persistent storage:

<pre>
avrdude> dump eeprom 0 100
>>> dump eeprom 0 100

0000  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
0010  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
0020  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
0030  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
0040  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
0050  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
0060  ff ff ff ff                                       |....            |

avrdude>
</pre>

As we can see, every byte reads 0xff (the erased state of EEPROM cells), so there is nothing useful inside.

=== Flash Dump ===

Finally, let's dump the 2k program area, which contains the firmware that the AVR runs. Due to its size I put it on another wiki page; you can find it here.

=== Dump Flash To Intel Hex ===

To reverse engineer the firmware it is more useful, rather than reading the console dump above, to write the flash out to a file in Intel hex format, which we can then convert to ELF.

Here is how we dump the contents of the flash memory to a file called out.hex in the correct format:

<pre>
macbook-pro-15:~ root# avrdude -c usbtiny -p 2313 -n -Uflash:r:out.hex:i

avrdude: AVR device initialized and ready to accept instructions

Reading | ################################################## | 100% 0.01s

avrdude: Device signature = 0x1e9101
avrdude: reading flash memory:

Reading | ################################################## | 100% 4.64s

avrdude: writing output file "out.hex"

avrdude done.  Thank you.
</pre>

=== Convert Intel Hex To ELF ===

This step converts the Intel hex file out.hex from the previous step to an elf32-avr format file called out.bin.

I already had a full AVR development tool-chain installed on OS X, CrossPack for AVR Development, which provides avr-objcopy and other useful utilities.

<pre>
macbook-pro-15:~ root# avr-objcopy -I ihex -O elf32-avr out.hex out.bin
</pre>
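Intel hex is a plain-text record format, so a dump such as out.hex can be checked before it is converted any further. The script below is an added example for this article, not code from the original page, from avrdude or from CrossPack: it parses an Intel hex file into a flat image sized to the 2048-byte flash reported by the part command, verifies every record's checksum (a corrupted dump would otherwise convert to ELF without complaint), and reports how much of the part is still unprogrammed (0xff). It handles the extended segment and linear address records as well, which a 2k part never needs but larger AVRs do. The SAMPLE_HEX input is constructed for the example, not a real Linkstation dump, and the function names are the example's own.

```python
"""Parse, verify and flatten an Intel hex dump of AVR flash (added example)."""

FLASH_SIZE = 2048   # AT90S2313 flash size, from the avrdude "part" output
ERASED = 0xFF       # value of an unprogrammed flash or EEPROM cell

# Constructed sample: one 16-byte data record at 0x0000, a 4-byte record at
# 0x0010 and an end-of-file record. This is NOT a real Linkstation dump.
SAMPLE_HEX = """\
:10000000000102030405060708090A0B0C0D0E0F78
:040010001122334442
:00000001FF
"""


def parse_ihex(text):
    """Return {address: byte} for every data byte in an Intel hex text.

    Supports record types 00 (data), 01 (EOF), 02 (extended segment
    address) and 04 (extended linear address). Raises ValueError on a
    malformed record or a checksum mismatch.
    """
    image = {}
    base = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if not line.startswith(":"):
            raise ValueError(f"line {lineno}: record does not start with ':'")
        try:
            rec = bytes.fromhex(line[1:])
        except ValueError:
            raise ValueError(f"line {lineno}: non-hex characters in record")
        if len(rec) < 5:
            raise ValueError(f"line {lineno}: record too short")
        count = rec[0]
        if len(rec) != 5 + count:
            raise ValueError(f"line {lineno}: length field {count} does not match record")
        # Every record sums to zero modulo 256 once the checksum byte is included.
        if sum(rec) & 0xFF:
            raise ValueError(f"line {lineno}: bad checksum")
        addr = int.from_bytes(rec[1:3], "big")
        rtype = rec[3]
        data = rec[4:4 + count]
        if rtype == 0x00:
            for i, b in enumerate(data):
                image[base + addr + i] = b
        elif rtype == 0x01:
            break
        elif rtype == 0x02:
            base = int.from_bytes(data, "big") << 4
        elif rtype == 0x04:
            base = int.from_bytes(data, "big") << 16
        else:
            raise ValueError(f"line {lineno}: unsupported record type {rtype:#04x}")
    return image


def to_flat_image(image, size=FLASH_SIZE, fill=ERASED):
    """Lay the parsed bytes into a fixed-size image, filling gaps with 0xff."""
    if image and max(image) >= size:
        raise ValueError(f"data at {max(image):#06x} exceeds the {size}-byte memory")
    buf = bytearray([fill]) * size
    for addr, b in image.items():
        buf[addr] = b
    return bytes(buf)


def erased_tail(flat, fill=ERASED):
    """Count trailing 0xff bytes, i.e. unused space at the end of the part."""
    n = 0
    for b in reversed(flat):
        if b != fill:
            break
        n += 1
    return n


def summarize(text, size=FLASH_SIZE):
    """Parse a hex text and return (bytes present, flat image, free tail bytes)."""
    image = parse_ihex(text)
    flat = to_flat_image(image, size)
    return len(image), flat, erased_tail(flat)


if __name__ == "__main__":
    import sys
    # Usage: python ihex_check.py out.hex  (falls back to the built-in sample)
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HEX
    present, flat, free = summarize(src)
    print(f"{present} data bytes, {free} erased bytes at the end of {len(flat)}")
```

Running it on out.hex gives a quick sanity check that the dump is intact and actually fits the 2k part before avr-objcopy turns it into an ELF; a checksum error points at a bad read rather than a quirk of the firmware.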

=== Disassembling AVR ELF Binary ===

Again the output from this step is too large to print, so I have put it on another page here.

== Pin assignment for the HGAVR ==

NOTE: THIS SECTION IS POSSIBLY WRONG AND NEEDS RE-WRITING, unless there is a different edition of the HG Linkstation that uses a different kind of MCU (the AVR in my HG has 20 pins; can someone verify 28 on another?).

The pin assignments and their functions in the HG are listed in the following table:

== Interaction With AVR In Linux ==

The AVR controls much of the LinkStation hardware, including the power button and LED indicator. It is controlled by commands sent to /dev/ttyS1. To send commands to the AVR:

<pre>
echo -n "commands" > /dev/ttyS1
</pre>