Archive for November 2018

IKEA ROTHULT, Part 2 – Connecting wires to the header

Posted in allmänt grinande (general grumbling) on 2018-11-18 by Kristian

Having disassembled the lock and gained some feeling for what is on the PCB, it is time to see whether we can do something with it.

We could of course hot air the processor and solder something else in place instead (as done here with another IKEA product) but that is not as fun as it is to reprogram the device to do something else. So let’s attempt reprogramming!

Connecting a debugger

Step one is to carefully solder six wires to the small header to be able to connect instruments to the board. Later, I also added (not shown in the first photo) a ground wire directly to the battery compartment header to be able to connect the oscilloscope ground more easily. Then I soldered an ordinary pin connector, left over from an Arduino Nano kit, to the wires, which makes oscilloscope connection easier.

The wires are somewhat difficult to solder to the PCB; be careful not to melt the plastic.

[Photo: IMG_20181117_174204.jpg]

The idea is to use the wires to connect to OpenOCD through a Bus Pirate board, to hopefully be able to dump the IKEA firmware and analyze it. If you need to flash the Bus Pirate, the ds30 loader can be found here; the link in the howto is broken.

In part one we identified the pin-out of the debug header, from left to right in the picture:

  • H1 – Pin 24 (PA14, SWCLK, USART2_TX)
  • H2 – Pin 23 (PA13, SWDIO)
  • H3 – Pin 17 (VDD, 3V – see below)
  • H4 – PCB ground plane (if one looks at the battery compartment, its negative pole is connected to the same PCB plane; this is also confirmed with a continuity tester)
  • H5 – Pin 20 (PA10, USART1_RX)
  • H6 – Pin 19 (PA9, MCO, USART1_TX)

[Photo: rothult10]

We will examine those pins in turn with a voltmeter and an oscilloscope before the Bus Pirate is connected.

Power pins

We need to examine VDD more closely to avoid releasing the magic smoke. The data sheet for the CPU specifies a 1.65 V to 3.6 V power supply, so VDD could be anywhere in that range. The RFID circuit wants 2.4 V to 5.5 V, but is flexible down to 1.65 V on its data pins. (The data sheets are linked in the previous post.)

Looking at the PCB photos, it looks as if we can read the print on what seems to be a regulator, so let’s check that as well.

A quick look through a magnifying glass reveals that it most likely is indeed a regulator, a 6210A in a SOT-89-5 package, and from the other markings I guessed that the output voltage is 3.0 volts. I haven’t been able to identify the manufacturer, unfortunately.

I took the opportunity to measure the pins at the same time, which confirmed the connectivity in the list above and revealed that VDD is indeed at or slightly below 3 volts.

[Photos: dsc_62821 (1), Untitled]

Data Pins

Having investigated the power pins, we turn towards the data pins.

I’m actually primarily interested in H1 and H2, since they are connected to the serial wire debug feature (SWCLK, SWDIO; link to relevant datasheet), which is potentially useful as an attack vector (and hopefully https://github.com/disk91/PySWD/ can be used for something nice), but figuring out whether anything is sent on the UART is also highly relevant.

So let’s start with USART1 and do the SWD investigations in the next post.

Oscilloscope on H6 – Pin 19 (PA9, MCO, USART1_TX)

Touching one of the IKEA smart cards to the device results in a pulse train on this pin, as shown below. Interesting!

Unfortunately, we get the same message (52 46 41 4C 3A 20 <-> "RFAL: ") regardless of whether it is the IKEA card or an SL card. Something is better than nothing, however, and this is without the motor etc. installed, so it could be a partial message.

(RFAL is plausible as the start of a log message.)
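As an added example (not code from the original post), here is a small software UART decoder of the kind needed to turn a pulse train like the one on H6 into the bytes quoted above. It assumes an 8N1 frame (one start bit, eight data bits LSB first, one stop bit), an idle-high line and a capture sampled at eight samples per bit; the trace it decodes is constructed inside the script with encode_8n1(), not a real scope export, and only the byte values are the ones quoted in the post.

```python
"""Software UART decoder for an 8N1 pulse train captured from a TX pin.

Added example, not code from the original post. It assumes the line idles
high and that the capture holds one logic level per sample at a fixed
SAMPLES_PER_BIT oversampling of the baud rate (the way a logic analyser or
a scope export at a known time base gives it). The trace it runs on is
constructed here with encode_8n1(); only the byte values are from the post.
"""

SAMPLES_PER_BIT = 8                  # assumption: capture sampled at 8x the baud rate
IDLE = 1                             # a UART line idles high
CAPTURED_HEX = "52 46 41 4C 3A 20"   # bytes quoted in the post for H6


def encode_8n1(data, samples_per_bit=SAMPLES_PER_BIT, idle_samples=16):
    """Build a constructed trace: idle high, then per byte one start bit (0),
    eight data bits LSB first and one stop bit (1); idle high again at the end."""
    levels = [IDLE] * idle_samples
    for byte in data:
        bits = [0] + [(byte >> k) & 1 for k in range(8)] + [1]
        for bit in bits:
            levels.extend([bit] * samples_per_bit)
    levels.extend([IDLE] * idle_samples)
    return levels


def decode_8n1(levels, samples_per_bit=SAMPLES_PER_BIT):
    """Recover (bytes, framing_errors) from a trace.

    Waits for a falling edge, samples each of the ten bit slots at its centre,
    rejects start bits that are not still low at the centre (glitches), and
    counts frames whose stop bit is not high as framing errors."""
    out = bytearray()
    errors = 0
    half = samples_per_bit // 2
    i, n = 0, len(levels)
    while i < n:
        if levels[i] != 0:            # still idle: keep looking for a start bit
            i += 1
            continue
        frame_end = i + 10 * samples_per_bit
        if frame_end > n:             # truncated frame at the end of the capture
            break
        base = i + half               # centre of bit slot k is base + k * samples_per_bit
        if levels[base] != 0:         # a low sample that is not a real start bit
            i += 1
            continue
        value = 0
        for k in range(8):
            value |= levels[base + (1 + k) * samples_per_bit] << k
        if levels[base + 9 * samples_per_bit] == 1:
            out.append(value)
        else:
            errors += 1               # stop bit missing: wrong baud rate or noise
        i = frame_end
    return bytes(out), errors


def decode_captured():
    """Replay the post's bytes through a constructed trace and back to text."""
    payload = bytes.fromhex(CAPTURED_HEX)
    decoded, errors = decode_8n1(encode_8n1(payload))
    return decoded.decode("ascii"), errors


if __name__ == "__main__":
    text, errs = decode_captured()
    print(repr(text), "framing errors:", errs)
```

Tolerating a single-sample glitch and flagging a bad stop bit matter in practice: a capture that decodes with framing errors is usually a sign that the guessed baud rate or the sampling rate is off, not that the device sends garbage, so the error count is the first thing to check before trusting the bytes.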

[Image H6: oscilloscope trace of H6]

To be continued…

Teardown of the IKEA ROTHULT RFID lock

Posted in in English, nörderier (nerdery) on 2018-11-01 by Kristian

EDIT: You can connect an ST-LINK to the debug header. I never got that far in the writeup though, due to this being the first ARM project I looked at combined with the vacation ending. I have however tested it and it works.

Disclaimer: If you believe any of the below and burn down your house, lose your dog, or break your lock, or something else that is good or bad happens, it is your own fault. The likelihood of something being wrong is close to 100%.

The IKEA ROTHULT is an RFID-enabled motorized lock for desks, cupboards, etc.

Obviously, it would be nice if it could be connected to, for example, a mysensors network and used for home automation.

Teardown

The ROTHULT is kept together by four screws, no tricky plastic tabs. Simply unscrew the battery compartment and the lid, then lift it away.

Inside, you find the bolt, a gearbox arrangement with a small motor, and a circuit board. The RFID antenna is beneath a snap-in lid (visible in the first picture) and connected through four pins to the PCB. Two microswitches are used as end stops for the bolt.

[Photo: rothult3]

Unfortunately, the RFID antenna is soldered to the main PCB, which means that it cannot be lifted out of the box easily. Everything else can be removed without violence.

To remove the lid over the RFID antenna, lift CAREFULLY at the slots, while pushing the plastic tabs from the inside.

[Photo: rothult6]

If you don’t manage to push hard enough on the tabs, they are likely to break. (The two closest to the PCB on mine did, but it doesn’t really matter: if you use the lock as a lock later, it will not be visible, and super glue is cheap :-) )

Lifting the lid reveals a PCB with an antenna on it. Unfortunately, that is all it seems to be; there is no hidden I2C/SPI/serial RFID module ready to be harvested.

PCB

Let’s take a closer look at the PCB.

[Photo: DSC_6282]

Q3-Q8 at the top right seem to be the power transistors driving the motor.

The build is primarily surface-mounted (no surprise), and uses two main integrated circuits – a guess is that the right one handles the RFID decoding, and the left is the main processor (if there is such a thing in this device). Then, if we are lucky, the header right above the integrated circuit could be a programming/debug header.

Processor

[Photo: rothult10]

A closer look at the suspected CPU reveals the ST logo and an identification number, L051K86, which is a reasonable match to the STM32L051K8 processor with LQFP32 pinout (datasheet).

If this indeed is the case, the pinout from the datasheet is shown below, rotated to match the photo above.

[Image: rothult11-e1541064985721.png]

Looking at the header (see the black-and-white photo), from left (H1) to right (H6), the header pins appear to be connected as below – please note, this is still to be confirmed by a second view as well as with measurements!

  • H1 – Pin 24 (PA14, SWCLK, USART2_TX)
  • H2 – Pin 23 (PA13, SWDIO)
  • H3 – Pin 17 (VDD)
  • H4 – PCB ground plane (if one looks at the battery compartment, its negative pole is connected to the same PCB plane)
  • H5 – Pin 20 (PA10, USART1_RX)
  • H6 – Pin 19 (PA9, MCO, USART1_TX)

According to the datasheet (section 3.9, boot modes), the flash memory can be programmed through the system bootloader using SPI1 (PA4-PA7), SPI2 (PB12-PB15), USART1 (PA9, PA10), or USART2 (PA2, PA3).

Since we indeed have USART1 connected to H5-H6, it would seem that we can access the flash through this header (if the BOOT0 pin can be manipulated / is connected in an appropriate way). The datasheet in turn refers to the STM32 system memory boot mode application note, AN2606. That document can be found here.
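The boot-mode exchange over USART1 follows ST's application note AN3155 (the USART protocol used in the STM32 bootloader). As an added example, not code from the post or from ST, the script below implements that framing for the Sync, Get and Read Memory commands against a constructed in-process device model, so the exchange can be seen without hardware. Everything about the fake device (version byte, command list, flash contents) is made up, and the script does not touch H5/H6 or BOOT0. It does model the one behaviour a defender cares about: with readout protection (RDP level 1) enabled, the bootloader answers Read Memory with NACK.

```python
"""STM32 USART bootloader framing (ST application note AN3155), simulated offline.

Added example, not code from the original post or from ST. It implements the
host side of the Sync / Get / Read Memory exchanges and a minimal fake device
so the framing can be exercised without hardware. Real use would go through
H5/H6 with a 3 V USB-serial adapter and BOOT0 pulled high at reset; that
wiring is the post's open question and is not modelled here. Opcodes, the
0x7F sync byte and the complement/XOR checksum rule follow AN3155; the fake
device's version byte, command list and flash contents are constructed.
"""

ACK, NACK, SYNC = 0x79, 0x1F, 0x7F
CMD_GET, CMD_READ_MEMORY = 0x00, 0x11
FLASH_BASE = 0x08000000  # STM32 main flash base address


def frame_command(opcode):
    """A command is the opcode followed by its bitwise complement."""
    return bytes([opcode, opcode ^ 0xFF])


def frame_address(addr):
    """Address is 4 bytes big-endian followed by the XOR of those 4 bytes."""
    b = addr.to_bytes(4, "big")
    cs = 0
    for x in b:
        cs ^= x
    return b + bytes([cs])


def frame_length(n):
    """Byte count is sent as N-1 followed by its complement (1 <= n <= 256)."""
    return bytes([n - 1, (n - 1) ^ 0xFF])


class FakeBootloader:
    """Constructed device model. With readout protection (RDP level 1) set, the
    real bootloader answers Read Memory with NACK, which is what a defender
    wants to see on a deployed unit."""

    def __init__(self, flash, readout_protected):
        self.flash, self.rdp = flash, readout_protected
        self.state, self.addr = "sync", 0
        self.commands = bytes([CMD_GET, 0x01, 0x02, CMD_READ_MEMORY])  # constructed subset

    def exchange(self, data):
        ack, nack = bytes([ACK]), bytes([NACK])
        if self.state == "sync":                      # waiting for the 0x7F autobaud byte
            if data == bytes([SYNC]):
                self.state = "cmd"
                return ack
            return nack
        if self.state == "cmd":                       # opcode + complement
            if len(data) != 2 or data[0] ^ data[1] != 0xFF:
                return nack
            if data[0] == CMD_GET:                    # ACK, N, version, N+1 opcodes... wait: version + N opcodes, ACK
                return ack + bytes([len(self.commands), 0x31]) + self.commands + ack
            if data[0] == CMD_READ_MEMORY and not self.rdp:
                self.state = "addr"
                return ack
            return nack                               # unknown command, or RDP blocks the read
        if self.state == "addr":                      # 4 address bytes + XOR checksum
            cs = 0
            for x in data:
                cs ^= x
            if len(data) != 5 or cs != 0:
                self.state = "cmd"
                return nack
            self.addr = int.from_bytes(data[:4], "big")
            self.state = "len"
            return ack
        self.state = "cmd"                            # state == "len": N-1 + complement
        if len(data) != 2 or data[0] ^ data[1] != 0xFF:
            return nack
        n = data[0] + 1
        off = self.addr - FLASH_BASE
        return ack + self.flash[off:off + n]


def sync(dev):
    """Autobaud handshake: host sends 0x7F, device must ACK."""
    return dev.exchange(bytes([SYNC])) == bytes([ACK])


def get_info(dev):
    """Get command: returns (version, supported opcodes) or None on NACK."""
    r = dev.exchange(frame_command(CMD_GET))
    if r[:1] != bytes([ACK]) or r[-1:] != bytes([ACK]):
        return None
    n = r[1]
    return r[2], r[3:3 + n]


def read_memory(dev, addr, n):
    """Read Memory command; None means the device refused (e.g. RDP active)."""
    if dev.exchange(frame_command(CMD_READ_MEMORY)) != bytes([ACK]):
        return None
    if dev.exchange(frame_address(addr)) != bytes([ACK]):
        return None
    r = dev.exchange(frame_length(n))
    if r[:1] != bytes([ACK]):
        return None
    return r[1:]


if __name__ == "__main__":
    flash = bytes(range(256)) * 4  # constructed 1 KiB flash image
    for rdp in (False, True):
        dev = FakeBootloader(flash, readout_protected=rdp)
        print("rdp:", rdp, "sync:", sync(dev), "get:", get_info(dev),
              "read:", read_memory(dev, FLASH_BASE, 8))
```

Whether the ROTHULT's firmware sets RDP is exactly what settling the BOOT0 question would tell you: a unit that ACKs Read Memory over this header is one whose firmware can be copied by anyone with physical access to the six pins, whereas a NACK here means the vendor left the bootloader in place but locked the flash against readout.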

For the remaining pins, H1/H2 are connected to the serial wire debug feature (SWCLK, SWDIO), see for example this datasheet for more details.

Let’s leave it at this for now, and move on to the rest of the circuitry.

RFID Decoder

The initial assumption is that integrated circuit #2 is a dedicated RFID decoder.

[Photo: rothult12]

This is confirmed by a new macro photo (the print on this circuit is really hard to read) which identifies it as an AS3911 (datasheet) NFC Initiator / HF reader IC.

The ams logo is quite identifiable once you know it is supposed to be there.

Looking in the datasheet, we find the pinout:

[Image: rothult13.png]

Again, this is oriented the same way as in the overview PCB photo (but not as in the close-up showing the markings), and the connections to the CPU can be traced:

  • AS3911 Pin 32 (/SS) <-> CPU Pin 10 (SPI1_NSS)
  • AS3911 Pin 31 (SCLK) <-> CPU Pin 11 (SPI1_SCLK)
  • AS3911 Pin 30 (MOSI) <-> CPU Pin 13 (SPI1_MOSI)
  • AS3911 Pin 29 (MISO) <-> CPU Pin 12 (SPI1_MISO)
  • AS3911 Pin 27 (IRQ) <-> CPU Pin 14 (PB0)

Hence, the AS3911 is connected to the CPU through SPI.

End Switches

The two microswitches seem to switch VDD/GND to an IO pin depending on their position.

  • Switch 1 (above the buzzer) is connected to CPU pin 27 (PB4)
  • Switch 2 (not above the buzzer :-)) is connected to CPU pin 28 (PB5)

Buzzer

No idea.

Motor Drivers

Not investigated yet.

Continued in part 2, where we wire up the debug header and decode the serial output.