
Reverse Engineering A Proprietary Serial Communication

Richard Msiska, Thompson Rivers University
Supervisors: Kevin O'Neil, Sharon Brewer, and Bruno Cinel

Outline
- Term objectives and analysis
- Current progress
- Future progress

Term Objectives
- Discover the commands for initializing the instrument, performing a lab, and shutting down the TOC analyzer.
- Send and receive those commands using a C++ interface.
- Create a simplified web interface that allows remote connection to the TOC Analyzer (if time permits).

The Instrument

The Total Organic Carbon/Total Nitrogen (TOC/TN) Analyzer measures the organic carbon or nitrogen present in a water sample. The TN value is used to infer water quality: the higher it is, the poorer the quality of the water.

Tools Used in the Project


- Visual Studio 2010 as the Integrated Development Environment (IDE).
- Serial port sniffer for reading traffic.
- USB-to-serial converter for creating a serial port from a USB port.
- Serial port splitter for sharing one serial port between two programs.

Software Implementation
- A standard C++ library was used for serial port communication.
- The interface has many timing issues.
- The development methodology used was Agile.

Objectives Completed
- Completed analysis of the Perform Lab use case.
- Completed analysis of the Shutdown Commands use case.
- Partial analysis of the start-up commands.

Current Configuration

[Diagram: TOC Proprietary Software connected to the TOC Analyzer through a Serial Port Splitter; flows labelled "Initialization" and "Perform Lab and Shutdown".]

The Nature of the Lab


The lab parameters of the TOC Analyzer are known beforehand. The user has to:
- pick the vial position which contains the sample;
- start the lab, which commands the software;
- wait for the TOC Analyzer to return a value for TN.

TOC Initialization Protocol


Command:       A5 0B F4 00 04 01 00 00 00 00 00 00 00 04
Response:      A5 03 FC 00 01 00 (Good)
               A5 03 FC 00 02 00 (Bad)
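The byte sequences on these slides share one shape: a sync byte A5, a length byte, the bitwise complement of that length (0B/F4, 03/FC, 0F/F0, 73/8C), the payload, and a trailing byte the deck calls the checksum. The parser below is an added example, not the project's code. The checksum rule it applies is an inference from the frames shown on the deck: the sum of every byte after A5, modulo 256 (equivalently, since len + ~len is always 0xFF, the payload sum minus one). That rule reproduces the trailing byte of the initialization command, the good acknowledgement, and both shutdown frames from later slides; the "Bad" acknowledgement as transcribed does not satisfy it, so the parser reports a mismatch rather than assuming the rule is complete.

```python
"""Frame parser for the TOC analyzer's serial protocol, reconstructed from the
byte sequences on these slides.  Added example, not code from the project."""

SYNC = 0xA5

# Frames transcribed from the slides (initialization command, acknowledgements,
# shutdown command, final shutdown).  These are the deck's bytes, not
# constructed values.
FRAMES = {
    "init":           "A5 0B F4 00 04 01 00 00 00 00 00 00 00 04",
    "ack_good":       "A5 03 FC 00 01 00",
    "ack_bad":        "A5 03 FC 00 02 00",
    "shutdown":       "A5 0F F0 07 04 51 00 00 00 00 00 00 00 01 00 00 00 5C",
    "final_shutdown": "A5 0B F4 08 04 02 00 00 00 00 00 00 00 0D",
}


def checksum(length, payload):
    """Inferred rule (hypothesis, not documented by the vendor): sum of the
    length byte, its complement and the payload, modulo 256.  Because
    length + ~length == 0xFF this is the same as (sum(payload) - 1) & 0xFF."""
    return (length + (~length & 0xFF) + sum(payload)) & 0xFF


def parse_frame(raw):
    """Split a hex string into header, payload and checksum and validate the
    structural rules visible on the deck.  Raises on framing errors; a
    checksum mismatch is reported in the result so the caller can decide."""
    data = bytes.fromhex(raw)
    if len(data) < 4 or data[0] != SYNC:
        raise ValueError("missing A5 sync byte")
    length, inv = data[1], data[2]
    if inv != (~length & 0xFF):
        raise ValueError(f"length complement mismatch: {length:02X} vs {inv:02X}")
    body = data[3:]
    if len(body) != length:
        raise ValueError(f"declared {length} body bytes, got {len(body)}")
    payload, cksum = body[:-1], body[-1]
    return {
        "length": length,
        "payload": payload,
        "checksum": cksum,
        "checksum_ok": checksum(length, payload) == cksum,
    }


def ack_status(raw):
    """Map the two acknowledgement frames the deck labels Good and Bad.
    Returns None for anything that is not a three-byte-body A5 03 FC frame."""
    frame = parse_frame(raw)
    if frame["length"] != 3 or frame["payload"][0] != 0x00:
        return None
    return {0x01: "good", 0x02: "bad"}.get(frame["payload"][1])


if __name__ == "__main__":
    for name, raw in FRAMES.items():
        f = parse_frame(raw)
        print(f"{name:15s} len={f['length']:3d} checksum=0x{f['checksum']:02X} "
              f"ok={f['checksum_ok']}")
```

Running the block prints one line per frame; the "ack_bad" line is the only one whose checksum does not match the inferred rule, which is exactly the kind of discrepancy a protocol notebook should record while the rule is still a hypothesis.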

System Parameters

Header: A5 03 FC 00 01 00
Payload and checksum (byte spacing lost in extraction): A523DC0 50 1041B000000000000D000 1 00 00 00 150000000B000000030000 00 29 00 00 00

- 0B gives the hour at which this was sent.
- 03 gives the minute at which this was sent.
- 29 gives the second at which this was sent.
- 50 is the checksum.

A hexadecimal conversion tells us this command was sent at 11:03:49.

Lab Start Up Bytes


A timed handshake protocol is performed. A block of data is then sent to the TOC Analyzer defining the lab parameters, including injection volume and vial position.

Lab Start Up Bytes Example


A5 03 FC 00 01 00
A5 73 8C 07 04 5A 00 00 00 00 00 00 00 00 00 00 00 09 00 00 00 03
00 00 00 03 00 00 00 3C 00 00 00 00 00 00 00 02 00 00 00 01
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 22 01
00 00 00 00 00 00 22 01 00 00 0A 00 00 00 00 00 00 00 03
00 00 00 00 00 00 00 00 00 00 00 F0 00 00 00 F0
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF E1


Lab Start Up Bytes Explained


- 3C tells the TOC to inject 60 ml of the sample.
- 0A tells the instrument that the vial is at position 10.
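The two fields explained above are the only bytes of the lab frame whose meaning the deck gives. The added example below (my code, not the project's) treats the slide's frame as a template: it locates the 3C and 0A bytes, which occur exactly once each in this frame, decodes them as injection volume and vial position, and re-encodes a frame with different values while recomputing the trailing checksum with the same inferred sum-modulo-256 rule. Every other byte is copied from the example unchanged because its meaning is undocumented here; treating the two offsets as fixed field positions in every lab frame is an assumption that only more captured frames can confirm.

```python
"""Lab start-up frame: decoding and re-encoding the two fields the slide
explains.  Added example, not code from the project."""

# The lab frame as transcribed on the slide (the A5 03 FC 00 01 00
# acknowledgement that precedes it is a separate frame and is omitted).
LAB_FRAME_HEX = (
    "A5 73 8C 07 04 5A 00 00 00 00 00 00 00 00 00 00 00 09 00 00 00 03 "
    "00 00 00 03 00 00 00 3C 00 00 00 00 00 00 00 02 00 00 00 01 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 22 01 "
    "00 00 00 00 00 00 22 01 00 00 0A 00 00 00 00 00 00 00 03 "
    "00 00 00 00 00 00 00 00 00 00 00 F0 00 00 00 F0 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF E1"
)
LAB_FRAME = bytes.fromhex(LAB_FRAME_HEX)

SYNC, LENGTH, INV = LAB_FRAME[0], LAB_FRAME[1], LAB_FRAME[2]
TEMPLATE_PAYLOAD = LAB_FRAME[3:-1]          # 114 bytes, trailing checksum excluded

# Payload offsets of the two documented fields, found by searching for the
# byte values the slide names.  Assumption: these are fixed-position fields.
VOLUME_OFFSET = TEMPLATE_PAYLOAD.index(0x3C)   # injection volume in ml
VIAL_OFFSET = TEMPLATE_PAYLOAD.index(0x0A)     # vial position


def frame_checksum(length, payload):
    """Inferred rule (hypothesis): sum of every byte after A5, modulo 256."""
    return (length + (~length & 0xFF) + sum(payload)) & 0xFF


def decode_lab_params(frame):
    """Validate framing and checksum, then read the two known fields."""
    if frame[0] != SYNC or frame[2] != (~frame[1] & 0xFF):
        raise ValueError("not a well-formed A5 frame")
    payload = frame[3:-1]
    if len(payload) + 1 != frame[1]:
        raise ValueError("length byte does not match frame size")
    if frame_checksum(frame[1], payload) != frame[-1]:
        raise ValueError("checksum mismatch")
    return {
        "injection_volume_ml": payload[VOLUME_OFFSET],
        "vial_position": payload[VIAL_OFFSET],
    }


def encode_lab_frame(volume_ml, vial_position):
    """Build a lab frame from the slide's template with the two fields replaced
    and the checksum recomputed.  Each field is a single byte, so values are
    limited to 0..255; the instrument's real limits are not on the deck."""
    for name, value in (("volume_ml", volume_ml), ("vial_position", vial_position)):
        if not 0 <= value <= 0xFF:
            raise ValueError(f"{name} must fit in one byte, got {value}")
    payload = bytearray(TEMPLATE_PAYLOAD)
    payload[VOLUME_OFFSET] = volume_ml
    payload[VIAL_OFFSET] = vial_position
    return bytes([SYNC, LENGTH, INV]) + bytes(payload) + bytes([frame_checksum(LENGTH, payload)])


if __name__ == "__main__":
    print(decode_lab_params(LAB_FRAME))           # the slide's 60 ml, vial 10
    print(encode_lab_frame(30, 5).hex(" ").upper())
```

The round trip is the useful check: encoding 60 ml and vial 10 must reproduce the slide's bytes exactly, including the E1 checksum, which is independent evidence that the field offsets and the checksum rule were read off the capture correctly.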

Shutdown Protocol

Command to initiate shutdown:
A5 0F F0 07 04 51 00 00 00 00 00 00 00 01 00 00 00 5C
A5 03 FC 00 01 00

Response:
A5 03 FC 00 01 00 + payload (Good)
A5 03 FC 00 02 00 (Bad)

Final shutdown:
A5 03 FC 00 01 00
A5 0B F4 08 04 02 00 00 00 00 00 00 00 0D

Future Prospects
- Updated configuration
- Finalize serial port commands and communication
- Create local interface
- Create web interface
- Network security assessment
- New chair to sit on.

Future Local Configuration

[Diagram: local interface and TOC Analyzer; flows labelled "Initialization, Perform Lab and Shutdown" and "Lab Results and protocol feedback"; input is a file containing sample information.]

Future Cloud Configuration

[Diagram: BC-ILN cloud architecture. An API + web interface receives a Lab Request, the local side performs the lab on the TOC Analyzer, and the Lab Results are returned through the API.]

Remaining Analysis
- Completing the start-up commands
- Starting and completing the lab results analysis

Local and Web Interface


- The local interface is a matter of completing my code.
- The web interface would require more communication with the BC-ILN.
- Learn about the BC-ILN cloud architecture.

Network Assessment
To verify that the network the instrument is on is secure.

Difficulties
- Determining the correct serial port timings, as the software works in milliseconds.
- Determining the correct serial port configuration.
- Decoding a serial port protocol simply by observing bytes.
- Black-box reverse engineering.

Overall
- Working towards an interface that will allow labs to be performed remotely.
- The next step is finding out more information about the protocol.

Questions?

Demonstration
Head to the Science Lab, room 237.
