i2c-tools with custom EEPROM
Started 5 years ago, 10 replies, latest reply 5 years ago, 1111 views
I have a little bit of an issue while playing around for my engineering essay.
I am using a Raspberry Pi as an interface to communicate with a custom chip - I am using i2c-tools (i2cdetect, i2cget and i2cset).
The chip - I call it custom because I have no idea about the manufacturer and model (the chip itself is covered with black liquid, so it is impossible to recognize it). I have found out which pins are responsible for communication (so I have found Vcc, GND, SDA and SCL). Using i2cdetect I have found out that the address of the chip is 0x73.
I wanted to read something from the chip using i2cdump, but the data is changing all the time and every readout looks different:
No size specified (using byte-data access)
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f    0123456789abcdef
00: XX 00 XX 00 00 XX 00 XX XX 00 XX XX 00 XX XX XX    X.X..X.XX.XX.XXX
10: XX 00 00 XX 00 00 XX XX XX 00 00 XX XX XX XX 00    X..X..XXX..XXXX.
20: XX XX 00 XX XX 00 00 XX XX 00 XX XX XX 00 00 XX    XX.XX..XX.XXX..X
30: 00 00 00 00 XX XX 00 XX 00 00 00 00 XX 00 XX 00    ....XX.X....X.X.
40: 00 00 XX 00 00 XX XX XX 00 00 00 XX XX XX XX 00    ..X..XXX...XXXX.
50: XX XX 00 00 XX XX XX XX 00 00 XX 00 XX XX XX 00    XX..XXXX..X.XXX.
60: XX 00 00 00 XX XX XX XX 00 XX XX XX 00 XX XX XX    X...XXXX.XXX.XXX
70: 00 00 00 00 XX 00 XX 00 00 XX 00 XX XX XX XX XX    ....X.X..X.XXXXX
80: 00 XX XX XX 00 XX 00 XX 00 00 XX 00 00 XX XX XX    .XXX.X.X..X..XXX
90: 00 00 00 XX 00 XX XX XX XX 00 00 XX XX XX XX 00    ...X.XXXX..XXXX.
a0: XX 00 00 XX 00 00 XX XX XX 00 00 XX XX XX 00 XX    X..X..XXX..XXX.X
b0: XX 00 00 XX XX XX 00 XX XX XX 00 XX XX XX XX 00    X..XXX.XXX.XXXX.
c0: XX XX XX XX XX 00 00 00 XX 00 00 00 XX XX 00 XX    XXXXX...X...XX.X
d0: XX XX XX XX XX XX XX XX 00 XX XX XX 00 XX XX 00    XXXXXXXX.XXX.XX.
e0: XX XX XX XX XX XX XX XX 00 XX XX XX 00 XX XX XX    XXXXXXXX.XXX.XXX
f0: 00 00 XX XX 00 XX 00 00 00 00 XX XX 00 XX 00 00    ..XX.X....XX.X..

No size specified (using byte-data access)
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f    0123456789abcdef
00: XX 00 00 XX XX 00 00 XX XX XX XX XX XX XX XX XX    X..XX..XXXXXXXXX
10: 00 00 XX XX XX XX XX XX XX XX XX XX XX 00 00 XX    ..XXXXXXXXXXX..X
20: XX XX 00 XX 00 XX XX 00 XX XX XX 00 XX XX XX XX    XX.X.XX.XXX.XXXX
30: XX XX XX XX XX XX 00 XX XX 00 XX 00 00 00 XX XX    XXXXXX.XX.X...XX
40: 00 XX XX XX XX XX XX XX XX 00 00 XX XX 00 XX 00    .XXXXXXXX..XX.X.
50: XX 00 XX 00 XX XX XX 00 XX XX XX 00 00 00 XX XX    X.X.XXX.XXX...XX
60: XX XX XX XX XX XX XX XX 00 00 XX XX 00 XX XX 00    XXXXXXXX..XX.XX.
70: 00 00 XX 00 XX XX XX 00 XX 00 XX XX XX 00 00 XX    ..X.XXX.X.XXX..X
80: XX XX XX 00 00 XX XX XX XX 00 XX XX XX XX XX XX    XXX..XXXX.XXXXXX
90: 00 XX 00 XX 00 XX 00 00 XX XX XX XX XX XX XX XX    .X.X.X..XXXXXXXX
a0: 00 XX XX 00 XX 00 XX 00 00 XX XX XX XX XX XX XX    .XX.X.X..XXXXXXX
b0: XX XX XX 00 XX 00 XX XX XX XX XX XX XX 00 00 XX    XXX.X.XXXXXXX..X
c0: 00 XX 00 XX XX XX XX 00 00 00 XX XX 00 00 XX 00    .X.XXXX...XX..X.
d0: 00 XX XX XX XX XX XX XX XX XX XX 00 XX 00 00 XX    .XXXXXXXXXX.X..X
e0: XX XX 00 XX XX XX XX 00 00 XX XX 00 XX XX XX 00    XX.XXXX..XX.XXX.
f0: 00 XX 00 XX 00 XX XX XX XX 00 XX 00 XX 00 XX XX    .X.X.XXXX.X.X.XX
I also have some kind of a sniffer on an Arduino. So I emulated the same address (0x73) and connected it to the machine which uses this chip. I see that there must be some authentication to unlock the chip for reading, because every time the machine is sending the following messages to the chip:
- --MESSAGE--- CC B9 --END MESSAGE-- Request
- --MESSAGE--- E5 87 D4 D5 B2 76 --END MESSAGE-- Request
- --MESSAGE--- FE 8B --END MESSAGE-- Request
- --MESSAGE--- 17 75 25 F0 49 1A --END MESSAGE-- Request
- --MESSAGE--- 30 45 --END MESSAGE-- Request
- --MESSAGE--- 49 2B 7A 29 DE 5 --END MESSAGE-- Request
- --MESSAGE--- 62 17 --END MESSAGE-- Request
- --MESSAGE--- 7B 19 4F 0 E3 B6 --END MESSAGE-- Request
- --MESSAGE--- 94 E1 --END MESSAGE-- Request
- --MESSAGE--- AD CF 98 8D C0 E --END MESSAGE-- Request
Maybe a little bit of an explanation of how the sniffer works. It displays all messages (packets) that come to the address that we are connected as (0x73).
For example, if the sniffer has address 0x73 and we send the following command:
i2cget -y 1 0x73 0xff
we will get an answer like this:
- --MESSAGE--- FF --END MESSAGE-- Request
And when we send:
i2cset -y 1 0x73 0xff 0x01 0x02 0x03
- --MESSAGE--- FF 1 2 3 --END MESSAGE--
So if there is a request coming from the machine, the sniffer shows "Request".
If there is something to set we can see it, because the first byte is the address of the memory to set and the rest are the data to set.
Now how is it possible that the machine is sending data to set and a request at once?
- --MESSAGE--- E5 87 D4 D5 B2 76 --END MESSAGE-- Request
I am trying to unlock this chip to reset its value and/or change it. I don't have enough experience and that is the issue, but I learn fast. I also cannot find any more information about this case on the internet.
Any help or thoughts? Maybe there is something that I do wrong and I have no idea about it?
The "Request" looks like a read command for information. Often, the order is to send a write with a register number, then do a read for a specific number of bytes. Find I2C devices on Digikey and read their datasheets.
For example, assume an ID string starts at address (meaning register in I2C speak) 0xF0, for 6 bytes. You do a read starting at register F0 for 6 bytes and get the ID characters. Or you write the starting register number (F0 in this case), then do 6 reads.
Your "i2cset -y 1 0x73 0xff 0x01 0x02 0x03" is a write, so your sniffer is seeing the write - properly.
Try converting the hex to ASCII. This can give clues. However, CustomSarge is spot-on about how hard it is to try to reverse engineer an I2C chip. I would suggest starting more modestly with I2C breakout boards from Sparkfun.com and LadyAda (adafruit.com) and get comfortable with them. Get another Arduino with one as the master and the other as your sniffer.
NOTE: MAKE SURE BOTH MASTER AND SLAVE (and sniffer) ARE AT THE SAME VOLTAGE LEVELS. You might hurt a 3.3v chip with a 5v SDA/SCL. Worse is the lower voltage chip talking to the higher voltage chip can easily fail because the RX side, as open collector, has a Schmitt trigger threshold of 0.7vcc: 0.7 * 5.0 = 3.5, and a true 3.3 level SDA/SCL can never get to a "1" input for the 5v device. Sometimes it works, because you might be right over the threshold, say at 3.6v or 3.55v. I got a gig because the original engineer blew that one && I spotted it in the first 60 seconds. You *cannot* "fix it in software".
Get a small EEPROM and try making it work. You will learn a lot.
If you can reverse engineer the mystery chip, more power to you. But CustomSarge is still spot on. Unlikely you will be able to figure out what the chip is. Your only real hope is to narrow it down by figuring out what its functionality in the system is and go from there. But if it really is a custom chip - a snowball springs to mind...
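The write-register-then-read sequence this answer describes is the key to the "data plus Request" message in the question. As an added example that is not code from the thread or from the Arduino sniffer, here is a small Python model of what a slave parked at 0x73 logs for each transaction shape; it goes one step beyond the answer by distinguishing a write and read joined by a repeated START (one transaction, one log line with "Request") from a write, STOP and a separate read (two log lines). The event tuples, `Message` and `slave_view` are assumptions of this model, not the sniffer's code, and the byte values are the ones quoted in the thread.

```python
# Added example, not code from the thread or from the Arduino sniffer: a model of what a
# sniffer parked at slave address 0x73 logs for different shapes of master transaction.
# Bus events are constructed tuples: ("START", addr, "W"|"R"), ("DATA", byte),
# ("RESTART", addr, "W"|"R") for a repeated START without STOP, and ("STOP",).
from dataclasses import dataclass, field
SNIFFER_ADDR = 0x73

@dataclass
class Message:
    data: list = field(default_factory=list)  # bytes the master wrote; the first is the register
    request: bool = False                     # the master then addressed us for a read

    def __str__(self):
        # The Arduino sniffer prints bytes unpadded ("DE 5"); here they are padded to two digits.
        hexs = " ".join(f"{b:02X}" for b in self.data)
        return f"- --MESSAGE--- {hexs} --END MESSAGE--" + (" Request" if self.request else "")

def slave_view(events, addr=SNIFFER_ADDR):
    """Return the Message records a slave at `addr` would log for a stream of bus events."""
    msgs, cur, selected = [], None, False
    for ev in events:
        kind = ev[0]
        if kind in ("START", "RESTART"):
            if kind == "START" and cur is not None:  # a fresh START also ends the old transaction
                msgs.append(cur); cur = None
            selected = ev[1] == addr                 # only our own address is ACKed and logged
            if selected and ev[2] == "W":
                cur = Message()
            elif selected and ev[2] == "R":
                if cur is None:                      # bare read, no register pointer written first
                    cur = Message()
                cur.request = True
        elif kind == "DATA" and selected and cur is not None and not cur.request:
            cur.data.append(ev[1])
        elif kind == "STOP":
            if cur is not None:
                msgs.append(cur); cur = None
            selected = False
    return msgs

SIX = (0xE5, 0x87, 0xD4, 0xD5, 0xB2, 0x76)  # the six-byte message quoted in the thread
# i2cget -y 1 0x73 0xff: write the register pointer, repeated START, read one byte.
I2CGET = [("START", 0x73, "W"), ("DATA", 0xFF), ("RESTART", 0x73, "R"), ("STOP",)]
# i2cset -y 1 0x73 0xff 0x01 0x02 0x03: a plain write with no read phase.
I2CSET = [("START", 0x73, "W")] + [("DATA", b) for b in (0xFF, 1, 2, 3)] + [("STOP",)]
# The machine's shape: write and read joined by a repeated START, one transaction, one log line.
COMBINED = [("START", 0x73, "W")] + [("DATA", b) for b in SIX] + [("RESTART", 0x73, "R"), ("STOP",)]
# The shape the original poster expected: write, STOP, then a separate pointer write + read.
TWO_STEP = COMBINED[:-2] + [("STOP",), ("START", 0x73, "W"), ("DATA", 0xE5), ("RESTART", 0x73, "R"), ("STOP",)]
# Traffic for another slave (0x50) is never ACKed by us, so nothing is logged for it.
OTHER = [("START", 0x50, "W"), ("DATA", 0x00), ("RESTART", 0x50, "R"), ("STOP",)]
```

Run `for m in slave_view(COMBINED): print(m)` to see the single "E5 87 D4 D5 B2 76 ... Request" line; the same bytes as TWO_STEP produce two lines, which is why i2cset followed by i2cget cannot reproduce the machine's traffic.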
I agree that it is not an easy one, and now it is a matter of honor because my teacher (promotor) said that I will not do this :D The worst part is that I saw people who did read this chip but did not want to share the knowledge with me :(
The stranger thing (for me) is why there is a block of data to be written and at the end there is a request. I mean this result:
- --MESSAGE--- E5 87 D4 D5 B2 76 --END MESSAGE-- Request
As I understand from this, the machine wants to write to cell address 0xE5 with a block of data: 0x87 0xD4 0xD5 0xB2 0x76. The question is why there is a Request. It looks like it would like to read, but when you read data there is only a memory address without any data, like this:
- --MESSAGE--- E5 --END MESSAGE-- Request
When the chip is writing to the memory and reads back to get some feedback, it should look like this:
- --MESSAGE--- E5 87 D4 D5 B2 76 --END MESSAGE--
- --MESSAGE--- E5 --END MESSAGE-- Request
The machine is writing data and then it is checking if the value has changed.
I am in a very good position because I have the chip and the machine that works with it, so I can see the full communication, but I cannot replicate this message (because it is not only "i2cset"):
- --MESSAGE--- E5 87 D4 D5 B2 76 --END MESSAGE-- Request
When I am able to do this, then I can see what the chip does after that.
The topic is very interesting and thank you very much for your answer. I really appreciate this because you sacrifice your time.
Put an oscilloscope on SDA and SCL. Look at the full waveform. Your example above is short enough. You are assuming your sniffer is telling you the truth. It may not be. Trust nothing you cannot verify.
I assume you have an oscope where you can capture the waveform as a jpg on a USB drive. You can capture sections, then use paint to glue them together and annotate the entire waveform. I do stuff like this all the time - just recently on I2C waveforms.
Keep in mind the chip is probably doing one of three things: memory, or it crunches data, or it gets commands and reads/writes its other pins. Most likely #1 or #3. Think EEPROM for #1, and ADC or bus extender for #3. Look at the rest of the pins. If there are extra pins (not VCC, gnd, SDA, SCL), where do they go?
The interesting thing is why did they pot the chip? I will bet several large candy bars (a fairly serious bet for me) it is a custom chip, and it has traces that goto other components. Figure out what *they* are - that is a big clue.
Success to you! Keep it up, and you can have a career reverse engineering chips - no joke. There is a company in Albuquerque, New Mexico, that does nothing but, for both civilian and US military. They have equipment that allows them to watch the actual chip execution - bits flowing - in real time. Pretty cool!
Google "defcon reverse engineering chip" - I was at the DEFCON 21 talk. They have some pretty cool hacks and techniques, including getting their dentist to x-ray chips for them.
read https://www.defcon.org/images/defcon-21/dc-21-pres... BUT PAY ATTENTION TO THE WARNINGS ABOUT CHEMICALS.
First of all thank you for your reply. It is very kind of you to sacrifice your time to help me :)
The problem is that I have no oscilloscope, but I should be able to use one from school - but I have little experience with it.
From my observation I think the chip is doing #1 or #2, as it has no other pins on the small board than SDA, SCL, GND and VCC. The chip is located on a small board (like 2cm by 2cm). On the board I can see only the chip that is covered in black material (pot, let's say :) ) and two SMD resistors.
I assume they pot the chip because they could. It is a mass product. Even when you take a little bit of the pot off from the side, the chip still has a silver top (not black like you normally see). So it is impossible to get any name/model out of it. I also suspect that the chip underneath the cover is used in many devices from this manufacturer, and that is why they potted it.
I will read more and think about what I can do next. I tried to take some other chip from this manufacturer. The board is a different shape, but the chip looks the same (there are also two SMD resistors). But with this chip I cannot find the chip address (I tried all combinations with SDA, SCL, Vcc and GND), but no luck.
It is a hard and fun job for me as I learn A LOT ;)
Thank you for the resources that you have attached. There is so much that you can learn by doing this kind of work.
Again, big thanks to you ;)
The SMD resistors are probably the I2C pullups. Use a meter (when the system is off) and look for what pins on the chip are attached to the pullups. Hint: one side of both resistors are tied to VCC, so find the two ends that are connected together. The other ends are connected to the SDA and SCL pins on the chip. Look at a simple schematic for I2C chips.
You really need to use an oscope. Use the one at your school. When you have the resources, get an oscope - the Rigol DS1054Z is $350 US. I will not tell you there is a free hack tool to change it from 50MHz to 100MHz.... see https://www.rigolna.com/products/digital-oscillosc... - it is also 4 channels. If you can, always get a 4-channel oscope.
The standard trick for the device address is to try them all - the right one will ACK the address. (send the address, for read or write, and do a STOP after sending the test address to reset the chip.) Plus, you have a working system. An oscope of the SDA and SCL lines will give you the address.
It occurs to me this might be a crypto chip. The fact the data seems to change, and it is potted, are strong clues. Given the system, does that make sense? What is the function of the box?
Investing $350 is beyond my budget :P
Yes, this is how I was determining the pins and address of the chips (it always worked). First I found ground and Vcc, because it is pretty easy as there should always be a constant 5v or 3.3v. Then there are only two possibilities left (the SDA and SCL order), so I connected both possible ways and scanned the chip with "i2cdetect". In all cases it worked and I was able to find the chip address and the correct pins.
With the new chip it is different. There is no constant 5v or 3.3v. The max V that I have found is 3.3v, so I assume that the chip is 3.3v. On the other hand I believe that it might be some I2C protocol but a little bit modified, because there is no power when the connection is idle. Also the SCL pin is acting like a ground pin, so it gives me a positive 3.3v against Vcc and SDA :/
The full purpose of reading the chip is that I have a built-in tablet in my car (also included in my essay) and I am trying to read a chip that contains information about accessories. So depending on the chip details I will switch some systems off or on, but that is already done. The most important thing to me is to read one of the chips (the encrypted one or this one with the changed communication way).
The topic is getting more and more complicated as I am running out of ideas.
1) I cannot replicate the message that is sent to the chip. It looks like the device wants to set some data in the memory of the chip, but it also requests (something).
2) I cannot find the address of the device. The pin order is the same as in the chip above that I have a problem with. But there is something with the communication. The SCL is sometimes held down to ground, I think, as I can measure V between SCL and (Vcc or SDA).
Now I read that being unable to detect the other chip might be caused by clock stretching. Is it possible? If yes, what to do to be able to use the command "i2cdetect" with clock stretching?
This is why you need to look at the signals on an oscope. It will tell you if the slave is clock stretching. Otherwise you are groping in the dark. Borrow one from your school, see if a friend has one - whatever it takes.
And, yes, I realize as a student you might not have US$350 to drop on a scope - but you will have that once you start working. It will be one of the most valuable tools you will ever buy as an engineer that deals with electronics. And get a 4-channel scope - you will find a 2-channel scope needs at least one more input.
1> If the potting compound is hard / "chippable", carefully expose the IC top for make / model.
2> If the potting compound is soft, gently heat and scrape off the chip top for make / model.
Because without make & model, you're going nowhere. No knowledge of function, parameter assignment or register layout makes it impossible. Sorry... <<<)))
Like I said [up], it is not an easy one - I know. I really appreciate your reply and thank you for your time.
The black thing on the chip is hard, but the chip itself is really small (SMD?).
The best part is that I was reverse engineering some other chip for my essay (but it was useless) and it also had an authentication method. I was able to track it with a sniffer connected to the machine, which was simulating the chip. It took me one month, but yeah.
It is a fun process as I learn a lot during my essay and nothing is impossible :D :D