IKEA ROTHULT, Part 2 – Connecting wires to the header

Having disassembled the lock and gained some kind of feeling for what is on the PCB, it is time to see if we can do something to it.

We could of course remove the processor with hot air and solder something else in its place (as done here with another IKEA product), but that is not as fun as reprogramming the device to do something else. So let’s attempt reprogramming!

Connecting a debugger

Step one is to carefully solder six wires to the small header so that instruments can be connected to the board. Later, I also added (not shown in the first photo) a ground wire directly to the battery compartment header to make it easier to connect the oscilloscope ground. Then I soldered an ordinary pin connector, left over from an Arduino Nano kit, to the wires, which makes connecting the oscilloscope easier.

The wires are somewhat difficult to solder to the PCB; be careful not to melt the plastic.


The idea is to use the wires to connect to OpenOCD through a Bus Pirate board, to hopefully be able to dump the IKEA firmware and analyze it. If you need to flash the BP, the ds30 loader can be found here; the link in the howto is broken.

In part one we identified the pin-out of the debug header, from left to right in the picture:

  • H1 – Pin 24 (PA14, SWCLK, USART2_TX)
  • H2 – Pin 23 (PA13, SWDIO)
  • H3 – Pin 17 (VDD, 3V – see below)
  • H4 – PCB ground plane (if one looks at the battery compartment, the negative pole is connected to the same PCB plane, and this is also confirmed by a continuity tester)
  • H5 – Pin 20 (PA10, USART1_RX)
  • H6 – Pin 19 (PA9, MCO, USART1_TX)

We will examine those pins in turn with a voltmeter and an oscilloscope before the Bus Pirate is connected.

Power pins

We need to examine VDD more closely to avoid releasing the magic smoke. The data sheet for the CPU specifies a 1.65 V to 3.6 V power supply, but the actual voltage could be anywhere in that range. The RFID circuit wants 2.4 V to 5.5 V, but is flexible down to 1.65 V on its data pins. (The data sheets are linked in the previous post.)

Looking at the PCB photos, it seems as if we can read the print on what seems to be a regulator circuit, so let’s check that as well.

A quick look through a magnifying glass reveals that it most likely is indeed a regulator, a 6210A in a SOT-89-5 package, and from the other markings I guessed that the output voltage is 3.0 volts. I haven’t been able to identify the manufacturer, unfortunately.

I took the opportunity to measure the pins at the same time, which confirmed the connectivity in the list above and revealed that VDD is indeed at or slightly below 3 volts.

Data Pins

Having investigated the power pins, we turn towards the data pins.

I’m actually primarily interested in H1 and H2, since they are connected to the serial wire debug feature (SWCLK, SWDIO) (link to relevant datasheet), which is potentially useful as an attack vector (and hopefully https://github.com/disk91/PySWD/ can be used for something nice). Figuring out whether anything is sent on the other UART is also highly relevant.

So let’s start with USART1 and do the SWD investigations in the next post.

Oscilloscope on H6 – Pin 19 (PA9, MCO, USART1_TX)

Touching one of the IKEA smart cards to the device results in a pulse train on this pin, as shown below. Interesting!

Unfortunately, we get the same message (52 46 41 4C 3A 20 <-> "RFAL: ") regardless of whether it is the IKEA card or an SL card. Something is better than nothing, however, and this is without the motor etc. installed, so it could be a partial message.

(RFAL is a reasonable part of a message.)
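As an added illustration (not the author's code or tooling), here is a small 8N1 UART decoder that turns a sampled logic-level trace, like the pulse train seen on H6, into bytes. The post does not state the baud rate, so the samples-per-bit value, the 8N1 idle-high framing and the trace itself (constructed from the six bytes quoted above) are assumptions.

```python
SAMPLES_PER_BIT = 8  # assumption: scope sample rate divided by the baud rate

def encode_8n1(data, spb=SAMPLES_PER_BIT, idle_bits=2):
    """Build a constructed 0/1 sample trace for the given bytes (idle-high UART)."""
    trace = [1] * (idle_bits * spb)
    for byte in data:
        # start bit (0), eight data bits LSB first, stop bit (1)
        bits = [0] + [(byte >> i) & 1 for i in range(8)] + [1]
        for b in bits:
            trace += [b] * spb
    return trace + [1] * (idle_bits * spb)

def decode_8n1(trace, spb=SAMPLES_PER_BIT):
    """Return (decoded_bytes, framing_errors) for a list of 0/1 samples."""
    out, errors, i = bytearray(), 0, 1
    while i < len(trace):
        # A start bit begins with a falling edge from idle (1) to 0.
        if not (trace[i - 1] == 1 and trace[i] == 0):
            i += 1
            continue
        centre = i + spb // 2        # sample each bit in its middle
        last = centre + 9 * spb      # middle of the stop bit
        if last >= len(trace):
            break                    # frame cut off by the end of the capture
        if trace[centre] != 0:
            i += 1                   # glitch shorter than half a bit
            continue
        byte = 0
        for bit in range(8):
            byte |= trace[centre + (bit + 1) * spb] << bit
        if trace[last] == 1:
            out.append(byte)
        else:
            errors += 1              # stop bit low: wrong baud rate or noise
        i = last                     # keep searching from inside the stop bit
    return bytes(out), errors

# Constructed sample input: the six bytes reported in the post.
CAPTURE = encode_8n1(bytes.fromhex("52 46 41 4C 3A 20"))
```

A non-zero framing error count on a real capture is the usual sign that the assumed baud rate is wrong.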


Oscilloscope image of H6

To be continued…
