Information/HGAVR
From NAS-Central Buffalo - The Linkstation Wiki
Latest revision as of 21:45, 27 February 2011
This article was originally based on work by Frontalot at linkstationwiki.org and has since been largely re-written.
The Linkstation HG AVR
Hardware Information
Basic Information
The AVR in the HG Linkstation is an AT90S2313-4SC made by ATMEL, not Freescale as previously documented here. This is a cheap 4 MHz AVR with 2 KB of program flash and 128 bytes of EEPROM.
CN4 (next to the battery on the LS HG board) is a 6 pin ISP header that can be used to read/program the AVR with a cheap device such as a usbtiny that can be purchased as a kit/assembled from various hobby electronics websites. The cable supplied with the usbtiny has the same pin out and fits perfectly.
You can find the data sheet for this MCU here.
Hacking with avrdude
This is a basic walkthrough on analysing the AVR in the HG Linkstation with avrdude, dude. The following analysis was done entirely on OS X and works the same on Linux.
Basic Testing
The following command tests connectivity to the AVR using a usbtiny connected to CN4:
```
macbook-pro-15:~ root# avrdude -c usbtiny -p2313 -n

avrdude: AVR device initialized and ready to accept instructions

Reading | ################################################## | 100% 0.01s

avrdude: Device signature = 0x1e9101

avrdude done.  Thank you.
```
This shows that avrdude can successfully connect to the AVR on the HG Linkstation, which means we can probably upload new firmware if we want to and extract the existing firmware that it shipped with originally.
Extracting AVR Information
So we want to know more about our AVR. We could look in the datasheet for this information, but the part command in avrdude will tell us all we need to know to extract the firmware and anything else in the EEPROM. Typically I'll poke an AVR with an interactive avrdude session at this stage; here is how to start one with a usbtiny:
```
macbook-pro-15:~ root# avrdude -c usbtiny -p2313 -n -t

avrdude: AVR device initialized and ready to accept instructions

Reading | ################################################## | 100% 0.01s

avrdude: Device signature = 0x1e9101
avrdude>
```
Now the avrdude console can be issued various commands to interact with the AVR. Let's use the part command we talked about earlier:
```
avrdude> part
>>> part

AVR Part                      : AT90S2313
Chip Erase delay              : 20000 us
PAGEL                         : P00
BS2                           : P00
RESET disposition             : dedicated
RETRY pulse                   : SCK
serial program mode           : yes
parallel program mode         : yes
Timeout                       : 200
StabDelay                     : 100
CmdexeDelay                   : 25
SyncLoops                     : 32
ByteDelay                     : 0
PollIndex                     : 3
PollValue                     : 0x53
Memory Detail                 :

                         Block Poll               Page                       Polled
  Memory Type Mode Delay Size  Indx Paged  Size   Size #Pages MinW  MaxW   ReadBack
  ----------- ---- ----- ----- ---- ------ ------ ---- ------ ----- ----- ---------
  eeprom         4    12    64    0 no        128    0      0  4000  9000 0x80 0x7f
  flash          4    12   128    0 no       2048    0      0  4000  9000 0x7f 0x7f
  signature      0     0     0    0 no          3    0      0     0     0 0x00 0x00
  fuse           0     0     0    0 no          1    0      0     0     0 0x00 0x00
  lock           0     0     0    0 no          1    0      0  9000  9000 0x00 0x00

avrdude>
```
From the above information we can see the different memory types present in the AVR and their sizes. This means we can easily dump out the EEPROM (storage) and flash (program area) memory and see what is inside them.
EEPROM Dump
Let's dump the EEPROM and have a look inside. This memory area is typically used by an AVR for persistent storage:
```
avrdude> dump eeprom 0 100
>>> dump eeprom 0 100
0000  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
0010  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
0020  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
0030  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
0040  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
0050  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
0060  ff ff ff ff                                       |....            |

avrdude>
```
As we can see, it does not have anything useful inside.
Flash Dump
Finally, let's dump the 2k program area. This contains the firmware that the AVR runs. Due to its size I put it on another wiki page; you can find it here.
Dump Flash To Intel Hex
To make reverse engineering the firmware easier, rather than reading the interactive dump above, it is useful to write the flash contents to a file in Intel hex format so that it can be converted back to ELF.
Here is how we dump the contents of the flash memory to a file called out.hex in the correct format:
```
macbook-pro-15:~ root# avrdude -c usbtiny -p 2313 -n -Uflash:r:out.hex:i

avrdude: AVR device initialized and ready to accept instructions

Reading | ################################################## | 100% 0.01s

avrdude: Device signature = 0x1e9101
avrdude: reading flash memory:

Reading | ################################################## | 100% 4.64s

avrdude: writing output file "out.hex"

avrdude done.  Thank you.
```
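Before converting out.hex it is worth checking that the dump is intact, since a flaky ISP cable silently produces a corrupt file. The following Python is an added example, not code from the wiki or from avrdude: it verifies every Intel HEX record checksum, assembles the 2 KiB AT90S2313 flash image and counts unprogrammed (0xFF) bytes, the same blank pattern the EEPROM dump above showed. The sample records are constructed for illustration and are not the LinkStation's firmware.

```python
# Added example (not from the wiki page): sanity-check avrdude's out.hex before
# converting it with avr-objcopy: verify each Intel HEX record checksum, assemble
# the 2 KiB AT90S2313 flash image and count unprogrammed (0xFF) bytes.
FLASH_SIZE = 2048  # flash size reported by avrdude's "part" command

def parse_record(line):
    """Parse one ':LLAAAATTdd..CC' record into (type, address, data bytes)."""
    line = line.strip()
    if not line.startswith(":"):
        raise ValueError("record does not start with ':'")
    raw = bytes.fromhex(line[1:])
    if len(raw) < 5 or len(raw) != raw[0] + 5:
        raise ValueError("length field does not match record")
    addr = int.from_bytes(raw[1:3], "big")
    if sum(raw) & 0xFF:  # all bytes including the checksum must sum to 0 mod 256
        raise ValueError("bad checksum in record at 0x%04x" % addr)
    return raw[3], addr, raw[4:-1]

def record_is_valid(line):
    try:
        parse_record(line)
        return True
    except ValueError:
        return False

def assemble_image(hex_text, size=FLASH_SIZE):
    """Return (image, bytes_written); unused flash stays 0xFF as on the chip."""
    image = bytearray(b"\xff" * size)
    written = 0
    for line in hex_text.splitlines():
        if not line.strip():
            continue
        rtype, addr, data = parse_record(line)
        if rtype == 0x01:  # end-of-file record
            break
        if rtype != 0x00:  # a 2 KiB part needs no extended-address records
            raise ValueError("unexpected record type %02x" % rtype)
        if addr + len(data) > size:
            raise ValueError("record at 0x%04x runs past flash" % addr)
        image[addr:addr + len(data)] = data
        written += len(data)
    return bytes(image), written

def blank_bytes(image):
    """Count 0xFF bytes (a programmed 0xFF is indistinguishable from erased flash)."""
    return image.count(0xFF)

# Constructed sample: a 16-byte rjmp vector table, 4 more bytes of code, then EOF.
SAMPLE_HEX = ":1000000012C02BC02AC029C028C027C026C025C0C6\n:04001000F89400C0A0\n:00000001FF\n"
```

A dump whose blank count equals the whole flash size means the chip read back empty (or the lock bits block reading), so check that before spending time on the disassembly.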
Convert Intel Hex To ELF
This step converts the Intel hex file out.hex from the previous step to an elf32-avr format file called out.bin.
I already had a full tool-chain for AVR development installed on OS X, CrossPack for AVR Development, which provides avr-objcopy and other useful utilities.
```
macbook-pro-15:~ root# avr-objcopy -I ihex -O elf32-avr out.hex out.bin
```
Disassembling AVR ELF Binary
Again the output from this step is too large to print so I have put it on another page here.
Pin assignment for the HGAVR
NOTE THIS SECTION IS POSSIBLY WRONG AND NEEDS RE-WRITING - unless there is a different edition of the HG Linkstation that uses a different kind of MCU (the number of AVR pins in my HG is 20, can someone verify 28 on another?)
The pin assignments and their functions as used in the HG are listed in the following table:
| PIN | SIGNAL | Description | PIN | SIGNAL | Description |
|-----|--------|-------------|-----|--------|-------------|
| 1 | ZIRQ | CN3.3 | 28 | ZRST | CN3.4 |
| 2 | PTA0 | DIAG LED | 27 | PTA5 | Power switch input |
| 3 | VSS | CN3.6 / CN3.9 | 26 | PTD4 | Fan pulse input for status checking |
| 4 | OSC1 | CN3.1 | 25 | PTD5 | HRST (CN5.13) |
| 5 | OSC2 | - | 24 | PTD2 | Control 12V feed to the main switching power via TR5, TR3 |
| 6 | PTA1 | Disk full LED | 23 | PTA4 | Reset switch input |
| 7 | VDD | CN3.2 | 22 | PTD3 | Fan speed control via TR2, TR1 |
| 8 | PTA2 | Power LED green | 21 | PTB0 | CN3.5 |
| 9 | PTA3 | Power LED yellow | 20 | PTB1 | CN3.10 |
| 10 | PTB7 | NC | 19 | PTD1 | IDE reset / TRST (CN5.4 via R66) |
| 11 | PTB6 | NC | 18 | PTB2 | CN3.7 |
| 12 | PTB5 | NC | 17 | PTB3 | CN3.8 |
| 13 | RXD | Connects to /dev/ttyS1 | 16 | PTD0 | Flash reset (ZRP on IC8.12) |
| 14 | TXD | Connects to /dev/ttyS1 | 15 | PTB4 | NC |
Software Information
Interaction With AVR In Linux
The AVR controls much of the LinkStation hardware, including the power button and LED indicator. It is controlled by the commands sent to /dev/ttyS1. To send commands to the AVR:
```
echo -n "commands" > /dev/ttyS1
```
| Command | Action/Code |
|---------|-------------|
| \30\30\30\30 | Stops smbd and atalkd if /dev/hda3 is not mounted to /mnt. Sent by /www/script/melsub_diskcheck.sh. |
| [[[[ | Starts slowly blinking power LED (sleep). |
| ]]]] | High-speed cooling fan rotation. |
| \\\\ | Low-speed cooling fan rotation. |
| >>>> | Unknown. Sent by ppc_uartd on boot. |
| AAAA | Unknown. Sent by ppc_uartd on boot. |
| CCCC | Sent by shutdown -r now (reboot). |
| EEEE | Sent by shutdown -h now (halt). |
| FFFF | Unknown. Sent by ppc_uartd on boot. |
| JJJJ | Unknown. Sent by ppc_uartd on boot. |
| KKKK | Unknown. Sent by ppc_uartd on boot. |
| QQQQ | Unknown. Sent by ppc_uartd on set timer. |
| RRRR | End of clear flash memory. |
| SSSS | Start of clear flash memory and /www/script/melsub_init.sh. Sent by /www/script/melsub_flash.sh. |
| TTTT | Flash memory update completed (stops blinking power, disk full, and diagnostic LEDs). |
| UUUU | Flash memory update started (starts blinking power, disk full, and diagnostic LEDs). |
| VVVV | Turns off disk full LED. |
| WWWW | Turns on disk full LED. |
| XXXX | Stops blinking disk full LED. |
| YYYY | Starts blinking disk full LED. |
| ZZZZ | Stops slowly blinking power LED. Sent by ppc_uartd. |
| gggg | Diagnostic LED blinks 3 times and system shutdown (partition error). |
| iiii | Diagnostic LED blinks 4 times and system shutdown (cooling fan error). |
| kkkk | Diagnostic LED blinks 5 times and system powers off (flash memory error). |
| mmmm | Diagnostic LED blinks 6 times and system shutdown (hard drive or ppc_uartd error). |
| oooo | Diagnostic LED blinks 7 times and system shutdown (RAM, NIC, or HDD controller error). |