Thursday, June 9, 2011

Reverse Engineering, Part 2, Schematics

In my last post I described how I wanted to reverse engineer an RFID card reader. Read that post first if you haven't.

After identifying all the components on the board, the next step is to figure out how they are connected together. Since I had access to the data sheets for all the big ICs, I threw together an image in OpenOffice Draw that I printed out so that I had something to make notes on. This is the end result (click on the image for a larger version).

Draft Schematics

I then brought out my old trusty multimeter, switched it to the mode where it beeps if there is a connection between the probes, and started probing the board to find all the connections.

I usually start out by following the ground traces. It's fairly easy: just put one probe on a known ground pad, such as the housing of the USB connector, and then use the other probe on just about everything else on the board. One reason for starting with ground is that many small components are connected to it. For example, decoupling capacitors are connected to both ground and the voltage supply, pull-up or pull-down resistors are connected to either ground or the voltage supply, and in this circuit a couple of pins on the LEDs and on the transistor are also connected to ground. After that it's a lot of boring work, systematically trying one pin after another against all other pins until all connections have been found.

This is a fairly easy board to reverse engineer since all the component pins are visible. For denser boards with BGA packages, many pins are hidden under the components. In those cases one has to guess or become more creative, for example by using an oscilloscope to measure the signal on a pin and trying to figure out which pin it is from what the oscilloscope shows. There is usually a lot of guesswork and intuition involved in this process, so a bit of knowledge about the components is a good idea, since it means one can make smarter guesses.

For example, it turns out that the reference schematic for the EM4095 almost perfectly matches my draft. The only differences are that some capacitors from the reference schematic are built out of multiple capacitors in parallel on the actual board, and that the reader is in read-only mode: the MOD pin is grounded instead of connected to the microcontroller.

EM4095 - figure 8 - Read/Write mode (High Q factor antenna)

One thing that fooled me for a while here is that the resistance across the antenna is only 30 Ohm, and the resistor in series with the antenna is only 8.2 Ohm. For such small resistances my multimeter will beep and signal a connection, so for a while my draft had quite a lot of components connected together that really weren't. When I realised what I had done I had to start over with all those components, and this time actually measure the resistance to get the correct results.
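The pairwise probing described above, and the way a continuity beeper merges nets that a real resistance measurement keeps apart, can be shown with a small netlist builder. This is an added example, not code from the post. The measurements are constructed: the 30 Ohm antenna and 8.2 Ohm series resistor reuse the numbers from the post, the pad names and the other readings are made up, and the 50 Ohm beep threshold is an assumed value for a typical continuity mode.

```python
import math

# Constructed measurements (not from the actual board): resistance in ohms
# between pairs of pads, as read off a multimeter in ohms mode.
# math.inf means open circuit. Pad names are invented for illustration.
MEASUREMENTS = [
    ("USB_SHIELD", "C1.2", 0.1),            # shield to capacitor pad: real trace
    ("C1.2", "EM4095.VSS", 0.2),            # capacitor pad to chip ground: real trace
    ("EM4095.ANT1", "R1.1", 0.1),           # ANT1 to one end of the series resistor
    ("R1.1", "R1.2", 8.2),                  # the 8.2 Ohm series resistor itself
    ("R1.2", "ANT.1", 0.1),                 # resistor to antenna terminal
    ("ANT.1", "ANT.2", 30.0),               # the antenna coil
    ("ANT.2", "EM4095.ANT2", 0.1),          # antenna back to ANT2
    ("EM4095.VSS", "EM4095.ANT1", math.inf),  # no connection
]

# Assumed beep threshold of a continuity mode; real meters vary.
BEEP_THRESHOLD_OHMS = 50.0
# Anything above this is treated as a component, not a copper trace.
TRACE_THRESHOLD_OHMS = 1.0


class UnionFind:
    """Disjoint-set structure: each probe pair that 'connects' joins two sets."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def build_nets(measurements, threshold_ohms):
    """Group pads into nets: two pads share a net if the measured resistance
    between them is at or below threshold_ohms. Returns sorted lists of pads."""
    uf = UnionFind()
    for a, b, ohms in measurements:
        uf.find(a)  # register both pads even when the pair is open
        uf.find(b)
        if ohms <= threshold_ohms:
            uf.union(a, b)
    groups = {}
    for pad in list(uf.parent):
        groups.setdefault(uf.find(pad), []).append(pad)
    return sorted(sorted(g) for g in groups.values())


def net_of(nets, pad):
    """Return the net (list of pads) that contains the given pad."""
    for net in nets:
        if pad in net:
            return net
    raise KeyError(pad)


if __name__ == "__main__":
    for label, threshold in (("beep", BEEP_THRESHOLD_OHMS), ("trace", TRACE_THRESHOLD_OHMS)):
        nets = build_nets(MEASUREMENTS, threshold)
        print(f"{label} threshold {threshold} Ohm -> {len(nets)} nets")
        for net in nets:
            print("   ", ", ".join(net))
```

With the beep threshold the antenna, the series resistor and both EM4095 antenna pins collapse into a single net, which is exactly the mistake described above; with the trace threshold the same measurements yield three separate nets on the antenna side.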

I then used gschem, the schematic capture application from the gEDA project, to produce a cleaned-up version of the schematic.

Cleaned up Schematics

So the RFID part is almost the reference design straight out of the EM4095 data sheet: the PIC decodes the DEMOD_OUT signal and outputs some data on its UART, which is then transmitted over USB to the host PC by the FTDI controller. The VPP pin on the PIC is connected to VDD through a resistor, which I believe is the recommended way to make the PIC in-circuit programmable, so it ought to be possible to replace the firmware in the PIC.

The MOD pin is grounded, and the TX output from the FTDI controller is not connected to the RXD input on the PIC, so it's a pure read-only card reader: it cannot write anything to a writable RFID tag. Yet...

So basically I now know all there is to know about this board and how it works. I have no idea what kind of firmware there is inside the PIC, but since I know how the board works and have the data sheets for all the components, it should be trivial to write new firmware for the PIC.

Reverse Engineering, Part 1, Introduction

I like to do strange stuff with hardware, especially in combination with Linux. For example, I once bought an Acer n30 PDA. The PDA ran some variant of Windows CE, so quite naturally I started poking at the device to see if I could get Linux to run on it instead. A few weeks later I actually managed to get Linux to boot on it.

The process of figuring out how an existing piece of hardware works is called "reverse engineering", and I'd like to write a few words about how it's done. I recently bought an RFID card reader and wanted to figure out how it worked.

So, the first thing I did was to stick the thing in my scanner. Using a scanner is a pretty nifty trick for getting good high-resolution images of things. Most scanners have a very shallow depth of field, so it only works on fairly flat objects; anything that's too far from the glass becomes very fuzzy. Luckily my old AGFA scanner has a good enough depth of field to work with PCBs, so I get quite useful images out of it (click on the image for a larger version).

Parallax RFID Card Reader USB

Having a good image of the hardware is nice because it means I can print the image out on a piece of paper and make notes on it, and some details are just much easier to see in a high-resolution image than in real life using a magnifying glass or a microscope.

The next step is to figure out what the components are (click on the image for a larger version).

Identifying the Components

Some of the components are fairly easy to identify.

The clear thing to the left is a two color LED, fairly easy to figure out because it glows green or red when the reader is active.

The yellowish-brown component is an electrolytic capacitor; that's just how they look. The brown line on the left end of it indicates the positive terminal.

The small black components are resistors, and nicely enough the lettering on them is readable, so just by looking at a resistor it's possible to see what resistance it has: 271 means 27 with 1 zero tacked on at the end, so the resistance is 270 Ohm. 472 is 47 + 2 zeroes = 4700 Ohm or 4.7 kOhm. 8R2 is a bit special; the R marks the decimal point, so it means 8.2 Ohm.
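The marking rule above (significant digits plus a multiplier digit, or an R standing in for the decimal point) is easy to get wrong by hand on a board with dozens of resistors, so here is a small decoder as an added example; it is not code from the post. It handles the three markings read off the reader (271, 472, 8R2) and generalises to four-digit markings, R-notation with the R in any position, and zero-ohm jumpers; the extra sample markings are constructed for illustration. It does not cover the EIA-96 letter codes used on some precision parts.

```python
# Constructed sample markings. The first three are the ones read off the board
# in the text; the rest are made up to exercise the other notations.
SAMPLE_MARKINGS = ["271", "472", "8R2", "103", "4R7", "R47", "1001", "000"]


def decode_smd_resistor(code: str) -> float:
    """Decode a 3- or 4-character SMD resistor marking into ohms.

    Rules implemented:
      - all zeros ("0", "000")     -> 0 Ohm jumper
      - digits with an R ("8R2")   -> R is the decimal point: 8.2 Ohm
      - 3 or 4 digits ("271", "1001") -> leading digits times 10**last digit
    """
    code = code.strip().upper()
    if not code:
        raise ValueError("empty marking")

    # Zero-ohm jumper: marked as a run of zeros.
    if set(code) == {"0"}:
        return 0.0

    # R-notation: the R replaces the decimal point (8R2 -> 8.2, R47 -> 0.47).
    if "R" in code:
        if code.count("R") != 1:
            raise ValueError(f"more than one R in marking {code!r}")
        whole, frac = code.split("R")
        if not (whole + frac) or not (whole + frac).isdigit():
            raise ValueError(f"bad R-notation marking {code!r}")
        return float((whole or "0") + "." + (frac or "0"))

    # Multiplier notation: significant digits followed by a power-of-ten digit.
    if not code.isdigit() or len(code) not in (3, 4):
        raise ValueError(f"unsupported marking {code!r}")
    significant, multiplier = code[:-1], code[-1]
    return float(int(significant) * 10 ** int(multiplier))


def format_ohms(value: float) -> str:
    """Render an ohm value with the unit prefix a schematic would use."""
    if value >= 1e6:
        return f"{value / 1e6:g} MOhm"
    if value >= 1e3:
        return f"{value / 1e3:g} kOhm"
    return f"{value:g} Ohm"


if __name__ == "__main__":
    for marking in SAMPLE_MARKINGS:
        print(f"{marking:>5} -> {format_ohms(decode_smd_resistor(marking))}")
```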

The other brown things with two terminals are usually ceramic capacitors. There is no lettering on them, so there's no way to just look at one and see how big it is. But when reverse engineering things that's usually not that important: I don't have to know the capacitance, I just need to know that there is a capacitor there.

The diodes were a bit trickier, since diodes come in many different shapes and colours. But by using the diode measurement on my multimeter I could see that the component was blocking current in one direction and had a voltage drop of about 0.4V in the other direction, so I could say with confidence that it is a diode with a 0.4V voltage drop.

The transistor was also a bit tricky. There are loads of components in exactly the same "SOT-23" package, among others diodes and reset circuits. Once again I was lucky because the lettering on top was visible and said "1AM". A quick Google search for SOT-23 + 1AM told me that it was a 2N3904 NPN transistor and also pointed me at the data sheet for it.

The big IC (integrated circuit) on the left is labeled PIC16F627A, and that's exactly what it is: a Microchip PIC microcontroller, and the data sheet is available from the manufacturer's web page. Nice.

The second IC is an FTDI FT232RL USB-to-serial bridge. Once again the data sheet is available from the manufacturer's web page.

The third IC was a bit harder to read, but with a magnifying glass and a good lamp I was able to make out EM4095, which is an EM Marin "Read/Write analog front end for 125kHz RFID Basestation". That sounds very plausible. And look, another data sheet, shiny.

So with all this done I have a nice picture of the board and I have a good idea of what all the components on the board are.

Sunday, June 5, 2011

Restaurant Trattoria La Casa

On Friday I wanted to take my mother out for a birthday dinner, and we ended up at Trattoria La Casa, which is on Långholmsgatan in Hornstull, right where Västerbron begins. It is a restaurant I stumbled into for the first time this past winter. I had actually planned to go somewhere else, but that place was full, so I remembered the Italian restaurant I had walked past several times and meant to take a look at. What I ate that time was their lamb, and that is also what I recommended to my mother.

Mum is small, only 145 cm tall, and doesn't usually eat very much, but this time her plate was completely empty when she was done. That is probably as good a grade as any dish can get. Then Mum also said something about "the world's best lamb", so I would think she was quite pleased. I had already eaten lamb twice that week myself, so I tried their pasta with minced veal, mushrooms and truffle sauce, and that was nothing to sneeze at either.

As a bonus, their kitchen is open until eleven at night, so when Jörgen and I wanted to go out to eat a while ago but had lost track of the time, so that everything else had already closed, La Casa was truly a lifesaver. Jörgen was stuffed but still couldn't quite put down his fork: "I really can't manage any more, but it's so good!" So not only does the kitchen have opening hours that suit night owls, the food is good too.