Difference between revisions of "Information/HGAVR"

From NAS-Central Buffalo - The Linkstation Wiki
Jump to: navigation, search
(Link firmware section to HG AVR flash dump page)
Line 100: Line 100:
  
 
Finally lets dump the 2k program area - this contains the firmware that the AVR runs. Due to the size of this I put it on another wiki page, you can find it [http://buffalo.nas-central.org/wiki/Information/HGAVR_Flash_Dump here].
 
Finally lets dump the 2k program area - this contains the firmware that the AVR runs. Due to the size of this I put it on another wiki page, you can find it [http://buffalo.nas-central.org/wiki/Information/HGAVR_Flash_Dump here].
 +
 +
==== Dump Flash To Intel Hex ====
 +
 +
In order to be able to reverse engineer the firmware more easily rather than use the above method it is useful to dump it out to a file in [http://en.wikipedia.org/wiki/Intel_HEX Intel hex] format so we can convert it back to [http://en.wikipedia.org/wiki/Executable_and_Linkable_Format ELF].
 +
 +
Here is how we dump the contents of the flash memory to a file called out.hex in the correct format:
 +
 +
  <tt>macbook-pro-15:~ root# avrdude -c usbtiny -p 2313 -n -Uflash:r:out.hex:i
 +
 
 +
  avrdude: AVR device initialized and ready to accept instructions
 +
 
 +
  Reading | ################################################## | 100% 0.01s
 +
 
 +
  avrdude: Device signature = 0x1e9101
 +
  avrdude: reading flash memory:
 +
 
 +
  Reading | ################################################## | 100% 4.64s
 +
 
 +
  avrdude: writing output file "out.hex"
 +
 
 +
  avrdude done.  Thank you.</tt>
  
 
=== Pin assignment for the HGAVR ===
 
=== Pin assignment for the HGAVR ===

Revision as of 18:40, 27 February 2011

This article was originally based on work by Frontalot at linkstationwiki.org and has since been largely re-written.

The Linkstation HG AVR

Hardware Information

Basic Information

The AVR in the HG Linkstation is an AT90S2313-4SC made by ATMEL, not Freescale as previously documented here. This is a cheap 4 MHz AVR with 2k program space and 128 EEPROM.

CN4 (next to the battery on the LS HG board) is a 6 pin ISP header that can be used to read/program the AVR with a cheap device such as a usbtiny that can be purchased as a kit/assembled from various hobby electronics websites. The cable supplied with the usbtiny has the same pin out and fits perfectly.

Hacking with avrdude

This is a basic walkthrough on analysing the AVR in the HG Linkstation with avrdude, dude. The following analysis was done entirely on OS X and will work the same in Linux.

Basic Testing

The following command tests connectivity to the AVR using a usbtiny connected to CN4: 

  macbook-pro-15:~ root# avrdude -c usbtiny -p2313 -n
  
  avrdude: AVR device initialized and ready to accept instructions
  
  Reading | ################################################## | 100% 0.01s
  
  avrdude: Device signature = 0x1e9101
  
  avrdude done.  Thank you.

This shows that avrdude can sucessfully connect to the AVR on the HG Linkstation, which means we can probably upload new firmware if we want to and extract the existing firmware that it shipped with originally.

Extracting AVR Information

So we want to know more information about our AVR. We could look in the datasheet for this information, but the part command in avrdude will tell us all we need to know to extract the firmware and anything else in the EEPROM. Typically I'll poke an AVR with an interactive avrdude session at this stage, here is how to start one with a usbtiny: 

  macbook-pro-15:~ root# avrdude -c usbtiny -p2313 -n -t
  
  avrdude: AVR device initialized and ready to accept instructions
  
  Reading | ################################################## | 100% 0.01s
  
  avrdude: Device signature = 0x1e9101
  avrdude>

Now the avrdude console can be issues various commands to interact with the AVR. Lets use the part command we talked about earlier: 

  avrdude> part
  >>> part 
  
  AVR Part                      : AT90S2313
  Chip Erase delay              : 20000 us
  PAGEL                         : P00
  BS2                           : P00
  RESET disposition             : dedicated
  RETRY pulse                   : SCK
  serial program mode           : yes
  parallel program mode         : yes
  Timeout                       : 200
  StabDelay                     : 100
  CmdexeDelay                   : 25
  SyncLoops                     : 32
  ByteDelay                     : 0
  PollIndex                     : 3
  PollValue                     : 0x53
  Memory Detail                 :
  
                           Block Poll               Page                       Polled
    Memory Type Mode Delay Size  Indx Paged  Size   Size #Pages MinW  MaxW   ReadBack
    ----------- ---- ----- ----- ---- ------ ------ ---- ------ ----- ----- ---------
    eeprom         4    12    64    0 no        128    0      0  4000  9000 0x80 0x7f
    flash          4    12   128    0 no       2048    0      0  4000  9000 0x7f 0x7f
    signature      0     0     0    0 no          3    0      0     0     0 0x00 0x00
    fuse           0     0     0    0 no          1    0      0     0     0 0x00 0x00
    lock           0     0     0    0 no          1    0      0  9000  9000 0x00 0x00
  
  avrdude>

From the above information we can see the different memory types present in the AVR and their sizes - this means we can easily dump out the EEPROM (storage) and flash (program area) memory and see what is inside them.

EEPROM Dump

Lets dump the EEPROM and have a look inside - this memory area is typically used by an AVR for persistent storage: 

  >>> dump eeprom 0 100 
  0000  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
  0010  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
  0020  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
  0030  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
  0040  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
  0050  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
  0060  ff ff ff ff                                       |....            |
  
  avrdude>

As we can see, it does not have anything useful inside.

Flash Dump

Finally lets dump the 2k program area - this contains the firmware that the AVR runs. Due to the size of this I put it on another wiki page, you can find it here.

Dump Flash To Intel Hex

In order to be able to reverse engineer the firmware more easily rather than use the above method it is useful to dump it out to a file in Intel hex format so we can convert it back to ELF.

Here is how we dump the contents of the flash memory to a file called out.hex in the correct format: 

  macbook-pro-15:~ root# avrdude -c usbtiny -p 2313 -n -Uflash:r:out.hex:i
  
  avrdude: AVR device initialized and ready to accept instructions
  
  Reading | ################################################## | 100% 0.01s
  
  avrdude: Device signature = 0x1e9101
  avrdude: reading flash memory:
  
  Reading | ################################################## | 100% 4.64s
  
  avrdude: writing output file "out.hex"
  
  avrdude done.  Thank you.

Pin assignment for the HGAVR

NOTE THIS SECTION IS POSSIBLY WRONG AND NEEDS RE-WRITING - unless there is a different edition of the HG Linkstation that uses a different kind of MCU (the number of AVR pins in my HG is 20, can someone verify 28 on another?)

The pin assignment and its functions used in HG is listed in the following table:

PIN SIGNAL Description PIN SIGNAL Description
1 ZIRQ CN3.3 28 ZRST CN3.4
2 PTA0 DIAG LED 27 PTA5 Power switch input
3 VSS CN3.6 / CN3.9 26 PTD4 Fan pulse input for status checking
4 OSC1 CN3.1 25 PTD5 HRST (CN5.13)
5 OSC2 - 24 PTD2 Control 12V feed to the main switching power via TR5, TR3
6 PTA1 Disk full LED 23 PTA4 Reset switch input
7 VDD CN3.2 22 PTD3 Fan speed control via TR2,TR1
8 PTA2 Power LED green 21 PTB0 CN3.5
9 PTA3 Power LED yellow 20 PTB1 CN3.10
10 PTB7 NC 19 PTD1 IDE reset / TRST (CN5.4 via R66)
11 PTB6 NC 18 PTB2 CN3.7
12 PTB5 NC 17 PTB3 CN3.8
13 RXD Connects to /dev/ttyS1 16 PTD0 Flash reset (ZRP on IC8.12)
14 TXD Connects to /dev/ttyS1 15 PTB4 NC

Software Information

Interaction With AVR In Linux

The AVR controls much of the LinkStation hardware, including the power button and LED indicator. It is controlled by the commands sent to /dev/ttyS1. To send commands to the AVR: 

echo -n "commands" > /dev/ttyS1
Command Action/Code
\30\30\30\30 Stops smbd and atalkd if /dev/hda3 is not mounted to /mnt. Sent by /www/script/melsub_diskcheck.sh.
[[[[ Starts slowly blinking power LED (sleep).
]]]] High-speed cooling fan rotation.
\\\\ Low-speed cooling fan rotation.
>>>> Unknown. Sent by ppc_uartd on boot.
AAAA Unknown. Sent by ppc_uartd on boot.
CCCC Sent by shutdown -r now (reboot).
EEEE Sent by shutdown -h now (halt).
FFFF Unknown. Sent by ppc_uartd on boot.
JJJJ Unknown. Sent by ppc_uartd on boot.
KKKK Unknown. Sent by ppc_uartd on boot.
QQQQ Unknown. Sent by ppc_uartd on set timer.
RRRR End of clear flash memory.
SSSS Start of clear flash memory and /www/script/melsub_init.sh. Sent by /www/script/melsub_flash.sh.
TTTT Flash memory update completed (stops blinking power, disk full, and diagnostic LEDs).
UUUU Flash memory update started (starts blinking power, disk full, and diagnostic LEDs).
VVVV Turns off disk full LED.
WWWW Turns on disk full LED.
XXXX Stops blinking disk full LED.
YYYY Starts blinking disk full LED.
ZZZZ Stops slowly blinking power LED. Sent by ppc_uartd.
gggg Diagnostic LED blinks 3 times and system shutdown (partition error).
iiii Diagnostic LED blinks 4 times and system shutdown (cooling fan error).
kkkk Diagnostic LED blinks 5 times and system powers off (flash memory error).
mmmm Diagnostic LED blinks 6 times and system shutdown (hard drive or ppc_uartd error).
oooo Diagnostic LED blinks 7 times and system shutdown (RAM, NIC, or HDD controller error).
Retrieved from "http://buffalo.nas-central.org/w/index.php?title=Information/HGAVR&oldid=30539"