Reverse Engineering the iPod Nano 6 LCD interface

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments

Watched this last night, very interesting indeed.

πŸ‘οΈŽ︎ 11 πŸ‘€οΈŽ︎ u/CalcProgrammer1 πŸ“…οΈŽ︎ Apr 15 2013 πŸ—«︎ replies

So cool. Its amazing what you can do with a good scope.

πŸ‘οΈŽ︎ 3 πŸ‘€οΈŽ︎ u/[deleted] πŸ“…οΈŽ︎ Apr 15 2013 πŸ—«︎ replies

Most of this guys videos are excellent. Perhaps a bit long at times but awesome over all.

πŸ‘οΈŽ︎ 3 πŸ‘€οΈŽ︎ u/seanhead πŸ“…οΈŽ︎ Apr 16 2013 πŸ—«︎ replies

I have no idea what I've just watched, but it was absolutely fascinating. I'm not an engineer. What would be the practical application of being able to do this?

πŸ‘οΈŽ︎ 1 πŸ‘€οΈŽ︎ u/SexWithTwins πŸ“…οΈŽ︎ Apr 16 2013 πŸ—«︎ replies

Great channel. The guy is hardcore. He took apart a huge x-ray machine, got out the eproms, disassembled the code and cracked the admin password. Awesome.

πŸ‘οΈŽ︎ 1 πŸ‘€οΈŽ︎ u/sydoka πŸ“…οΈŽ︎ Apr 16 2013 πŸ—«︎ replies

Mike is a fucking wizard! I can only hope to have comparable skills at some point in my career.

πŸ‘οΈŽ︎ 1 πŸ‘€οΈŽ︎ u/circuitology πŸ“…οΈŽ︎ Apr 16 2013 πŸ—«︎ replies
Captions
hi I'm a coffee asked about techniques for reverse engineering now it's one of those things that you can't really teach because every jobs different there's all sorts of different techniques well I recently have need to investigate some hardware so I thought their video just to cover some of the basic techniques I used I'm not going to do it like as I go along that's just not practical but I'll just off repeat basically the important parts of the process that I use it's also a good opportunity to explain some of the more advanced features that are coming into oscilloscopes previously only available on fairly high end cable isn't a lot of the features like intensity displays segmented memory burst triggers which are started to appear in much local scope like the for example the regal regal mm so now what was actually looking at was the feasibility of using the screen for the 6th gen iPod Nano for a large installation using a lot of them and so the question reveals you know about how can we drive these here available nice and cheap there at high res 240 by 240 and then a square format which is fairly unusual rule number one of a reverse engineering is know your enemy in other words spend a fair amount of time trying to find out any information you can from any source I just can't overemphasize how important this is because even literally a tiny snippet or one line under the datasheet can give you that magic piece of information you need or just point you in the right direction or give you a little clue or even just give you a clue as to what not to look look for we had the datasheet for this but it was a really brief datasheet it's got block diagram showing natural signals going in and out some specification in fact this was probably one of the most important bits of the bits of information on this datasheet it's saying the the interface is me p1 line 24 bits D fine now I never come across this before we're going to go into that in a minute go through that what else is on this they sure that's useful we've got max ratings on especially of interest we've got some natural characteristics that tells us our supply voltage which is always a good start and very useful a pin out now quite often when you're reverse engineering something you don't have the luxury of a pin out but in lock cases it's not always that hard to figure out at least of majority the signal so for example typically you know given just a connector that you don't know anything about on a on a board of a piece of equipment the first thing you do is off you find all the grounds and you can literally just do that with a meter and continuity continuity mode you can always find a ground point somewhere on a fielding cam or something and then if you go go go across each pin finding out which one has constitutes to the ground power connections again for example you've got a thick track going to the pin chances are that's a power connection if you've got a decoupling cap right next to it again chances are that something to do with power obviously you can go around with a scope or a meter or two each pin and look at what voltage on each pin but that won't necessarily tell you if the signal is a lot a static logic signal or a power signal but generally you can quite from eliminate a lot of the things like power and ground which then leaves you the data and control signals which are of interest porosity having this just save time you know most of this could probably have been figured out without the datasheet but again you know having that the time spent finding data is usually well well well worth it because that will save you way more time in the actual reverse engineering and general figuring stuff out process there's not much else that usually is LCD to ship data sheets are full of all sorts of optical characteristics so just have no interest whatsoever so that's really it so it's a very brief datasheet the only other bit of motion that's handy here is this drawing that actually tells you how the pin numbers relate to the actual connect the other useful thing here is it tells you the actual manufacturer part number the connector now one thing that's quite important if your reverse engineering something with a view to actually using it for something particularly if you know you want to use it in production or for a project that you can be more than one of is make sure you can actually get the connector I mean I'd look at a very early I pod display a few years ago there's some information on my website about that and although I thought managed to figure out most of the details that project pretty much grounds a halt because you just used a flat flex connector that had a really weird number of pins and yeah the only way you could get those was to order about 10,000 of them on a 16 weekly time so you know don't spend a lot of time reverse engineering something that you can then find you cannot reuse each you can't get the damn connector but fortunately this is yeah they tell you the connect train is from molex which means you can actually get them you can get them on digi-key in mine offs quite quite readily now okay it's good that you can get the connectors but this one was not quite challenging is that these connectors are a bit on the small side they're not point four millimeter pitch and in fact this one is about the same size as a 12:06 resistor so they are very very small so even though making up an adaptor to break this out is somewhat non-trivial exercise right so this was pretty much the only information we get about the interface the key phrase is bear here big sort of MIT PD Phi and psi now this is something I've never heard of before but it turns out this is nippies and organizations to set standards for peripheral devices and interfaces for typically mobile phone and similar devices on a typical modern mobile phone you've got so many different interfaces for cameras displays RF staff GPS tracking all sorts of other things that a group of companies that make silicon for therefore these devices decide it makes sense to actually try and standardize on the interfaces and the one we're interested in is the display interface DSi display serial interface and there's quite a few difference or standards relating to the gives an overview about what each bit does well it's what they're trying to achieve and so on so it goes from the sort the overall command interface color representation and the low-level Hardware signaling is on however here's the problem you can only get these specs if you're a member of the organisation someone like the SD card situation and surprise surprise to become a member you have to pay either $8,000 or if you can show that your turnover is less than 250 billion dollars a year you get at the bargain price as $4,000 and of course once you sign this you've gotta sign NDA so you've got the spec your lender limited as to how much information you can pass on so this is our problem we can't get the specification we've only got a very brief datasheet so how do we find out more now there are a few snippets of information on the Miffy website there's like a very general overview overview of some of the specs so there's a bit of information about the D Phi which is the physical layer but not a gradient of course this of to quite a wide variety of different displays so we don't quite know what subset our display conforms to beer just gives us a few little snippets of information now I did quite a lot of goofing around with various or permutations of the MEP DSi the height etcetera and this was actually one of the most useful bits of information I found this is actually from Agilent and it's a set of presentation slides on test solutions for this of the Agilent cell expensive test setup to testing all this high frequency stuff but there's actually some quite nice bits of overview information in it in these slides that gives us actually quite a lot of useful information then we get on to the actual defy information which gives us a bit of information there and there actually starts going to quite a lot of detail about the physical signaling levels which again is very useful and some nice sample scope traces and explaining what the various phases the communication are so yeah this is really really useful information and also things like this it actually starts giving you some general outline information on packet formats which of course is extremely useful if we consider in your scope is a big load of bits having at least some background information will sort of structure these things is extremely useful in trying to figure out what's actually going on so that this was probably the one document that was the most useful I did find some other things there's not another some other documents this is actually a user manual for some software for generating and simulating these signals and it does give you food for example you can set up all the signals for an LCD on here again there's a few little snippets of information tossed around here so that's actually quite a few very handy little bits of information there which at least will help to actually understanding what we're seeing once we actually start looking at the the the signals on the real device that Harbor and the real challenge on this is actually getting a connection to the thing while it's running there's these two connectors which will they display in the touchscreen respectively but the problem is that once these are plugged in you've got very little access to them and you know once those are in place you've got just a tiny tiny slot one side you can just about get a probe in sorts of the four corner connections and that's that that's really pretty much it now one thing I was considering doing was to make was making some sort of riser by taking these two connectors again some PT be made with some plain formula pitch tracks and have the put two pieces of PCB right angles to the connector so I could actually get you get maybe a few millimeters of distance plug it plug into this socket and just lift this high enough up and have some PT B to connect to what I was waiting for these connections come in from digi-key I actually had a close look at the PCB probably not gonna be visible on the camera but there's I noticed that there's a track going from one of the data lines which went up and then across here and then along to this chip and I noticed it was another one running in parallel with it by the time it got here and then another two so I just scraped the resist off the PCB and just did some continuity checks and verified that these are actually the the two differential clock and data lines so by just scraping this resist off I did actually have access to the most important signals I needed to look at now one word of warning when you're sort of doing this with PCBs that have got a very fine pitch the copper layers tend to be quite thin because of the etching process you generally can't have a track which is thinner than the thickness of the copper because of the you know the etching process so that where you've got a very fine tracking the copper itself is probably very fine copper so you need to be quite careful you don't scrape and actually take the copper off what I tend to use the initial attack is a number 10 scalpel blade if you've got the curve on it and you can just get in there and give it a scrape assume you've got enough space to get the blade on if this is even smoke even more cram pod mouth on the ground a little bit off this blade just to get get a really small wavelength and the other thing that can be quite handy is a fiberglass pencil which is just a low fiber blast fat and so you can get some quite some quite good abrasion in there just to get the get resist off and you need to get it back so you've got just solid clear copper there before you can get at it then of course you got the challenge solving wise onto this now these tracks are too really too small to get solder wire on there so generally what I you the technique that I use is to just put some solder paste on there and then just touch the facts with the finest tip solve it finest something I took I've got to find don't touch the tip onto the track in that will then melt some solder because you need to have some solder on these tracks before you start you'll never solve or anything to it unless you know heat in me so I mean this is the finest point even that you see that's actually wider than the track track itself but eventually I managed to get some solder on this is a second unit for two units to sacrifice to do this so this is the the relatively untouched one so here's the actual unit that I did this is some very fine in old copper wire just getting these five wires on took about two hours so the trick is once you've got the solder on the faxes to then get the fine piece of wire get plenty of solder on it plenty of flux on there and just get the wire held in the right position and just touch it with the irons just to reflow will typically take quite a few attempts and we'll see when you've got them very close together you've got the risk of accidental ring the adjacent ones or view here we also have the challenge it is it has to go go horizontally to clear the plug when it's plugged in so you've got so little space around it and there's one other connection the sink and that was really really difficult that was needed to take a single pit right on the middle and I that I think that that should look about 40 minutes of effort just to get that with that one on there without doing any other damage the other thing that's really important when you're doing this is to not skimp on making a nice little solid platform for working on then what you don't want is just your a load of wires hanging off this thing because they'll just fall off the snap off so they're so incredibly fragile so what I did life you saw just got this little board stuck the thing down with the sticky tape made a little platform to hold the LCD in a nice position for the Flex to curve around in there made a nice thing for holding our probes I've done a separate video on the probing so basically what I've done is these wires I stuck down this bit this is a piece of prototyping board nice again stuck down very firmly so that when I was attaching these wires I do very solid point you know from where I was going I then had a very solid place to solve those down to and that then gave me some nice pads I can solder to excel see you don't know how long you're going to need this for because it might be a very long effort you don't necessary know what you're going to need to connect to it you might need to actually add a little board on the side for to make some things to cap your hardware or something but the other aspect is that once you do get it working on maybe on your own hardware you're still going to want this for reference so that for example when your thing isn't working you want to be able to compare the waveforms between what this thing is doing and what your thing is doing so it's really worth the time to actually make something that's nice and solid you know you might want to put it away and come back to it later so you you know you want something you can just put on the shelf for that worrying about these these wires coming off I think this is something I did a good few years ago this is awesome much much less tiny but similar principle I broke out surface mount EEPROM to an external memory I'm you later on it and there's a nice square prompt that's also attack down but again this is all you know fixed together really solidly so by just picking this up moving it it's not gonna fall apart and stop working cuz it's nothing worse than spending ages getting 95% through a reverse engineering thing and then your test rig breaks or just yeah dies or you kill something that's extremely frustrating so it's well worth the time to make a nice good solid debug platform the other thing you need to think quite carefully about when you're figuring it how to fix this down is to make sure that you don't block off access to anything you need so you've got access to the ports access to the buttons you've got the screen nice and visible it can use the screen you can operate the touchscreen with that answer like go to weird angles so you just think about where you're going to take your cables out how you're going to stick it down so that you're not you know you don't stick the whole thing together then suddenly find you can turn it on well you can't get to a button or something but it's saying so you've got this thing working quite happily in it sort of semi disemboweled State so we can now start probing and seeing what's actually going on with it I've got this set up with a display next to the scope so you can see both at once just for convenience for the video it's not very convenient wave actually were so you can actually see well the first thing we notice we only see display day two when the displays changing so that tells us that there's going to be memory on here that holds the display when it's not being updated and obviously on a portable device one reason for doing that is power every time it's sending data this displays it's using power so obviously that that's a bit of a pain when you're trying to analyze what's going on but one thing I've found is the clock display does actually update fairly continuously so that that's a help so at least we've you know it's worth playing around with different modes just to get an idea of which things cause which behavior just to figure out which ones are the easiest to use the other big advantage of something like this is that it lets you load photos into it now of course what that means is that we can actually generate test patterns so for example we can generate four squeeze of full white for black individual lines gray shades whatever that gray shade is our particular one which we'll get onto in a minute but basically it means that we can force this thing to display pretty much whatever we want so that's going to be very useful in figuring out the actual format of the display Dave we're looking at the two data lines one of the differential clock lines and also the sync line this is the sync one up here for just trigger on that give us a little bit of stability now because we had that data sheet we actually know that this sync signal is an output from the display to the host and problem is when you freeze a touch screen and look at the scope at the same time you do tend to get out of step sometimes we know that a signal from the display to the scope but quite often if you're debugging an interface you don't necessarily know which direction the interface is going in so how do you tell well for that you really need some sort of the grab debug setup where you can actually break the connection between that signal and that and let's say it's a display it's also applicable for example you've got two devices just communicating over a bi-directional bus maybe I squared C or something you sometimes need to know which direction that data is going in and there's actually quite simple method of figuring that out so if you have your two devices and one of them has a driver driving a signal into the other one but you don't know which which so you don't know whether it's the post talking to display all the display talking to the host what you do is you just add some resistance into that line typically say a few hundred ohms will be a normal value what you can then do is you actually probe one line but you add some high resistant let's say I'm 10k would be a good so let's say for example that Sano 220 ohms and this might be perhaps a 10k what you've now done is you've formed a potential divider so if you probe it there if you look at those two signals because you've got this potential divider now and these ladies aren't lowing up I'm gonna attenuate the signal enough that this thing's going to stop working but you're going to see a higher amplitude of signal at that point then you're gonna see here because this divider so if what if you probe it this way and you see that then you know it's this side sending similarly if it's the other way around if you if you saw did this one first because this output driver is generally gonna be a fairly strong signal if that's the first one you tried then you probably wouldn't see any difference between the side and that will tell you that that's the drive side but if you've got a situation where you've actually got two signals driving say fly state bus you can use a similar technique if you just got literally a setup like that whichever one is driving will give you the the highest signal if if he actually blows this from both sides you can actually make it a bit easier sometimes so if you set up like that with two resistors and a series resistor then whichever one is giving you the higher signal it's going to be the one that's driving it at that particular instant so that's quite a handy technique for figuring out which way data is going but see it doesn't mean you need to break into the signal so if we had to do this on this thing we'd actually need to make that riser board we'd have to car track on it which would begin quite fiddly but this is failure there are the extreme levels of fiddly nests and a lot of things are a lot easier to get it get into and start chopping tracks and inserting resistors all right so we can see our basic signals here this is our frame sync signal there's this general question what's going on with that but one issue is when we zoom in this sync signal isn't really locked very well to the actual stage of signals so we've got quite a lot of jitter so in terms of actually wanting to get stopped looking at in detail that that same signal isn't really gonna be very good thing to trigger off of now the other thing about the video signals in general you've got quite a wide range of time codes you've got like about 16 milliseconds or so frame time and then you sort of zoom right in to the actual clock and it's actually about a hundred megahertz lot we've got here so this is where having a scope with deep memory is really useful I mean if we just take a single snapshot of that we can actually get pretty much this is going make a sample storage scope just timing out but if we start from there we can actually zoom in quite a long way and still get fed up with resolution but if we you know you always run into some little memory so if we see if we grab that amount of data and then zoom in we start fighting that we just run up which you've got no resolution it's just completely disappearing right this whole situation it's very important to think about triggering and scopes with more advanced trig of thirties can actually make life a whole lot easier see one if you got here say we've got this jittery - yeah the easiest thing we're thinking we're triggering off is this this frame st. but that's actually not very good because it's not very stable relative to the way in forms we're looking at so let's actually try triggering on this waveform data will trigger on this place here which is the green now the first problem is that we've just lost our frame thing because I'll see we've got lots lots of edges and we're triggering on pretty much any old edge so the way you get around this is to use hold off what hold off does is when it's triggered it then at the time delay before it's allowed to trigger again so where you have a complex signal that has some built in period if we say I hold off time to be similar to that period so make sure we're not an auto trigger mode as well of course that makes quite a difference so this is with zero hold off we now increase the hold off to be similar to our frame time which we know is about 16 milliseconds we can now get us get situation so you this is one these things where you really have to adjust it by eye so for example if the hold off is slightly too long what's happening we're triggering on here we're holding off to here and then we're triggering somewhere in here but if the hold off period is from here to about here we get a completely solid waveform because we trigger on that point and then we're completely ignoring any events until this window so we've actually now got a nice solid stable way form and because although we've got jitter between the frame sink and the these signals these signals signals seem to be on a fairly solid clock so you can actually now go in and we've got a fairly good stay away from and then I see about hold off because it's a hold off from an absolute time from the trigger start to that point we can actually change our time-based settings without losing our synchronization we're still synched on that on that point so that's that's our initial trigger event now we do have a little bit of jitter internal timing jitter from this thing but it's certainly a lot more stable than it was so that that's our first thought we've proved upon trigger now there's another issue we can all see we've got this much stable signal we can zoom in and look at look at it wherever we like in principle so if we're looking here for example we've got this nice or solid trigger we can see a hundred megahertz what we've got a little bit of differ on it but not not too much that's quite usable well the problem is if we then want to zoom in say here we've still got a little bit of jitter that this first thing we're triggering on there's a little bit of jitter between that and the start of the actual frame but even if we didn't have that there's a secondary issue in that yeah the time between there and there say 16 milliseconds but if we want to go right down to the clock level we're talking you know just a few nanoseconds and however stable your signal is and there's always gonna be a certain amount of jitter so if you're starting off here and then zooming in all the way down here you'd still get as if I know she gets a bit more stable right the photo mode seems to be a bit more stable than the clock mode so we've got this fairly stable trigger these these pulses here seems to sort of wiggle around a little bit but we we've still got a little bit of jitter on these pulses now for this sort thing a really handy trigger trigger mode is a burst trigger from different scopes might actually call different things on the edge on this is called an nth burst and what this does is you tell that this is a burst of pulses you also tell it what what you consider to be the idle time and what you can then tell it to do is trick it on a specific pulse within that bursts like xxx yeah xxx the first or whatever so for example here we can tell it which is your edge we want to trigger a let me just get this back into our so here we're turning idle time back nine over microseconds which is just basically a time that's bigger than the the policies that the only to look at so we're now telling it to trigger on the first pulse so we've now got a nice sunlit solid trigger on this first thing but because we've got this jitter on these simply these other ones that that's not variable for these Bart if we now tell it to go on the second one we're now seeing the second pulse nice and stable and the third and so on so we can actually select which of those pulses we want to trigger on so that means that say even if this is a fairly steady waveform we're not relying on the stability of everything from there to here we're just counting these pulses and then getting a really nice trigger so we can actually go if you want to go right to the end we can actually go right up to the end of the waveform and we can zoom in and we've now got a Rocksteady trigger on that pulse and the other two things is really useful for is actually counting line so for example if you wanted to know how many of these pulses were happening we can actually use the N fed trigger to do literally count so we know that by setting that the trigger point incident is over here so that's triggering on the first edge as we change that to the second third so that's the fourth age and we can actually do literally move move through so the first of this verse was actually edge number four and if we look at what number the last edge is in this controls a bit switches you have to turn it really slowly to to make the numbers move slowly but you can't see we're actually actually moving through here but it's it's a bit hard to actually see it so here we're getting towards the end and our last edge is there which is number 243 so that yeah that's told us now that we've got 240 pulses one thing I actually find annoying which I don't never seen on any scope what I'd really like to be able to do is get some cursors and like set two cursors up like that and get it to tell me how many pulses you can see between those two cursors but I've never actually found the scope that does that for this sort thing that will be really handy but say the nth trigger mode which is a way of getting getting to it but say it also allows you to get to get this really nice stable trigger on specific parts of the waveform we've got complex pulse trains and so on so that that's a really handy facility picture triggers you don't often see explained very well this is where it starts getting quite interesting so for example here we see all white scrolling - all black I mean we can see a very clear transition so I mean this tells us quite a few things about the nature of the data were looking at even without without having any sort of particularly complex trigger setup yeah it tells us that on this trace this is this is a differential signal so we normally expect the two to be an inverse so if we it tells us as this is basically the positive signal because when it's white we've got a high and when it's black we've got a low so that tells us that the information is probably a fairly simple binary coding and it's not scrambled or encrypted iron things stupid like that it's going to take a closer look at the find eaten out from that Agilent document it told us that there's actually two signal level signal levels going on we've got a low speed low power signaling level which is basically still normal logic level so we've got these low speed low power signaling levels here if we zoom in on here we can actually see there is actually slight offset so just the the relative timing of these two conveys some very simple information like sort of this is the start of the data and then the actual data is transmitted by these high speed LVDS signals now and an LDS driver is basically a current mode driver it fries there's the receiver tends to have a termination resistor something like a hundred ohms and it's driving current through that termination resistance and it's using two lines differentially so that the signal is the difference between the two so the absolute voltage level doesn't matter it's the difference between these two signals that's giving us our bow data so this interface it start yet switches between a low modell radius mode so in this mode when it's not updating the display the LVDS drivers are turned off to save power and if we look at the data in more detail the other thing we can tell if we actually look at that clock signal is that this is actually DDR double date rate data you can actually see that we've got transitions of the data on both edges of the clock right so now we're going to just take a look and like this data in a bit more detail and just see if we you know what we can make what sense we can make out of it we're using the nth trigger so we're truhearing on one specific line on the display and you can actually see that by what's happening on the display here that we're clicking on the line that's fairly fairly close to this top edge and we can see that the data you know when it's bright it's light when it's dark it's low so the data looks like it's probably fairly straightforward one things bear in mind is also we've you know we've generated images of the right resolution but it's possibly it might be going through some additional processing so we can't necessarily assume that if we give it like a 255 RGB value that it's actually displaying a by a new value of 255 there might be some gamma correction and scaling going on but we've clearly got a very very obvious correspondence between what's happening on the screen and what's happening on the waveforms and if we for example look at those individual line data's you can actually see this line on the screen and that's that's obviously the data corresponding to it we've got this in zoom mode so we can sort of zoom zoom right in on if we just stop that we just zoom right in on that and actually see individual bits now obviously one one of the first problems with any serial system is that you know what you're looking at is a big stream of bits so to get an understanding what's going on you need to figure out things like you know where are the actual boundaries between these to give them meaning as my values and okay you might sort of make an assumption that yeah perhaps the bit they just start at the first bit but that isn't necessarily the case because there might be some run-in or there might be some life synchronization sequence you can see the beginning of the line we've got this fairly fixed set a date or a Girt regardless of the actual image data so we've got some sort of fixed data here and the other thing that we've got looking at that agilent document this is that what they call the checksum now there's various ways of checking data and checks under the simplest but they're not really used that often because CRC's give much better error protection one the major differences between a checksum on a CRC is that with a checksum if you've got the same data put in a different position that gives the same checksum whereas a CRC it does actually depend on the position as well as the age related content so basically you see a CRC will give a much more random like result from a set of uniform data so you can quite clearly see that yeah this looks like it's the yeah the intensity data is ending here because we you know we can actually sort of see it let's see it's crawling in and out but then we've got this packet sum at the end and by the fact that it's changing you know almost completely randomly there's no obvious or progression or anything in there even with like a simple pattern which is just say the thin line pattern moving across that strongly suggests that this is CLC and not checksum mostly see how that the COCs are harder to reverse-engineer than check Tom's but say unless they're deliberately obfuscated there was a relatively small number particular than IC there's only a 16-bit CLC if it's a 32-bit and that's what makes life a lot harder but with this this level of checks of scale seeing it's quite viable to try several the standard check sums try them in different bit orders and if there's a very good chance that you're actually going to get somewhere but say what the other thing we don't actually know is whether this displays even checking this CRC could be completely ignoring in which cases it's not a problem and also you it also if your target reverse engineering is let's say you want to take you up or this thing and drive it into a different LCD you wouldn't really know you could just ignore this because you don't you know you don't actually have to check that data the other issue on the again from the Agilent information it said that the initial commands had an error correction code in them so we can see here this is also fixed fix out-of-date and we have our video data starting here but again okay it's got this error correcting code but because it's a fixed command it doesn't matter because we don't need to know how it's calculating that error correction code from the data because it's always the same so we can just look at what what it's actually putting there and just copy it so as long as you know this data isn't changing we don't actually have to about calculating and ECC as long as the number of different commands we have to deal with is relatively small then you know that really isn't a big deal and if we go back and look at the those short packets right at the beginning those are probably going to be different have different data but again it's fixed it's always the same data so although this data will probably contain both the ECC on the command and the checksum on the contents of the packet because it's all constant you know we can literally just go through manually figuring out what the bit values are and just copy it so that's you know one thing you quite often don't need to bother about whereas for example if this was maybe some point count or a line count or something then you know it might be a bit more effort right so we've got this bunch of bits that we can see but we you know what we don't know is how these are actually divided into bytes and also the other thing we don't know is what the bit order is we don't know whether it's least significant bit first or most significant bit first now this is why I generated this grayscale pattern because this pattern will in principle have basically a sequence of bytes of increasing value now okay because of the mode there may be some correction that you know we might not get a complete mapping we can see that as we start from that gray section we're starting off with just a single bit which corresponds to one and if you actually look at this in detail you can actually see that what we actually have here is a binary count so as we we can see this left-hand bit is flipping fairly slowly to move greatly increase up again so that tells us firstly that it's least significant bit first and it's you can see it counting upwards as them as we get to the more significant bits we initially try and isolate a single the reason I use green rather than white here instead is because again there might be some color processing going on if you did it from black to white you might find that it was actually giving different values in the RGB fields through some color Corrections on so if you keep to a primary color then that probably gives you a better chance of it being fairly individual noticeable by values so what we're expecting the according to the data sheet it said it was transmitting 24 bits so what we're expecting this to be is a 24 bit period in each of these spikes and then each of these being one bit now there's a couple of ways that can make life a bit easier for doing this one is most scopes are got a fine time control so one thing you can do is actually adjust the fine time base until it corresponds to the the grid lines on the display we can probably actually get it to display exactly one bit or either one or maybe two bits per division now one limitation of that is just the fact that you've only got typically ten divisions so you quite from what actually want a bit more information than that but the other thing you can do is if you've got a clock signal like one like we have here is if we just expand that clock signal if we just take the grid out the way we can actually use our clock signal as the grid so what we can see we're expanding now down to the level of these the cursors just to mark where the where we think the first bit is which is there and then we use the second cursor so we've got let's assume we've got 1 by 6 1 2 3 4 5 6 7 8 so between these cursors we've we've got a single byte and we can actually see that's a very obvious binary counting pattern so as we're up here somewhere as you scroll it up we go 1 2 3 4 5 6 7 8 so we've got busier a bit 1 bit 2 etc I'm assuming you can all count in binary in your heads that's something you just get used to doing interesting really get getting something in what I'm assuming is one of the other color channels so again it may well be there's some color correction going on as we as this green you're getting intent it looks like we're actually getting a little bit in the next color Channel as well so it probably is doing some sort of color adjustment so you need to be a little bit loopy wary and not assume that this data is exactly you know going unmolested from your original photo to because it met as well as the displayed correction of course it might be going through got JPEG compression or other lossy compression what this is telling us now we now know you know we know the byte framing and we know the bits order so that will allow us to in principle figure out the bite value of every single bite within this frame okay might get bit tedious but yeah it we can now do that we know where it all starts so that the trick here for example if you want to figure out how the starting sequence works would go right back to the beginning literally where where the display data starts so that's our first bit of display data there so what you can now do is actually work back through this packet to figure out where it starts and where the actual bytes are at this point it's generally the easiest way is to it's just a screen capture and then go to pen and paper to work out what's going on again it I think it is actually doing some color mixing it's if we you know if we had a screen full of red we would sort of expect to only see information in the red fields but I think we're actually getting some it's maybe doing a similar technique to what they use on DLP projectors actually mixing some other or maybe fairly mixing some white into it just to make display look brighter than it it actually is one of the little detail I think actually mentioned this in the probing video is that when you're using the clock like this to actually frame these bits there's a good chance that what you're actually going to see is not going to be totally lined up but again a decent scope will have a way of adjusting the skew which is basically the final einman the channels so you can use that just to get get the clock of the data nicely lined up so you can then just effectively you're just using the clock as a grid as a visual aid right so here the printout of that capture the start of the packet the first things just write in the binary value so we know we see our cursor aware we know to be the boundary between the first bit of image driver and the first bit of the packet so if we just go along here and just write the vibe binary values that say having this clock signal here makes it really easy is a nice or easy grid so can just go along write our binary values we know now if we just put the the bite boundaries in so we know that this is a boundary here and now we know the the bit order is this significant bit first which is the one thing that can catch you out the bit officer you lure me so when you see buying you written down it's almost always the most significant bit on the left that because because there's a time plot and we know it's least significant bit first it's actually backwards so for example this first buy here this is our least significant bit so when we to turn this into hex yeah first launch you'd say oh that's one but nice height because that's the most significant bit it works downwards so but also when we're looking at bike value you know we need to take you from the whole bike so we we just we just cover this is the hex which basically needs to turn the whole thing around so for example that would be base I've got b8 Murphy and this data was the same on every line so is there any sense we can make out of this well one thing we do know from that Agilent information is that one the values in here is a word count so if we assume that we're getting a full line of 240 pixels 240 pixels times 3 bytes for pickax it's RGB gives us 720 if we convert that into hex we get to d0 now what we have here 0 2 d1 which is pretty damn close there's maybe an extra byte thrown in there for some reason or another but I mean that you know that that's close enough that that is really not a coincidence so yeah that's our length actually if we look back at that actual information we know that that is the ECC and this is the data ID so in fact that's where that extra byte comes from we know that our image data starts from there onwards so you've got 200 and by 2 D R 2 D 0 X bytes of image data Plus that extra 1 and that gives us our 2d 1 so you know that the only thing we don't know about sbit know that again that may well be some sort of synchronization header or something again that's fairly constant so I mean that would certainly give us enough to maybe start actually start generating data and throwing day four at it out on FPGA or something now is around the that when I got to about this point this was the point I started well you know I wanted a bit of reassurance and that was on the right track this looks pretty yeah pretty good going so I did a bit more searching and found some more information when they're going back to what I was saying earlier about time doing research beforehand is well spent I sort of only half took that advice partway through I decided just have another look and what I tried doing is I just tried searching for just that string what I've mainly looking for is things like data sheets or other LCDs that had that same interface that might have had a bit more information since always worth looking for yeah related objects a driver chips whatever so I just did a search for that and the second thing that came up courtesy of our friends in China I found this a draft version of the actual specification confidential Members Only etcetera so I could then sort go through this and actually look at why I found so far and just see how this matched up with specification and just to show that I was on the right track and we'll probably not have to spend quite as much time reverse engineering stuff but you can probably see that even if I hadn't found this I'd already got pretty close to as much information as I needed that the main thing that I didn't have was the information on the the CRC at the end of the data lines and I see our season check sums can be the absolute sort of killer in terms of reverse engineering something in that if what you're talking to has some double check over the data and if that data is something you need to vary like say display data then if you can't figure out how that check is calculated then you know you're pretty much screwed just sort product where people aren't actively trying to obfuscate it then there is a good chance it can be a fairly standard algorithm but even with some like a 16-bit CRC you know there's quite a few variants you then have to look either you know taking lots of sample data and trying to compare that with various crcs or trying to just generate various CRC types and seeing what's accepted but one other thing I did find read through this document is that it's not actually mandatory in the standard that the device checks the CE out the CRC value so it is possible that you don't actually need to do it and while my there are some ways of actually checking that for example if you can introduce some deliberate errors if you you know you've got your test set up and if you can like inject some little glitch in the middle of the data stream you could then probably fairly easily see where that difficut gets displayed or whether the device ignores the packet so if you see it yeah you see that picture on display chances are it's not actually checking the checksum and you can get away without actually generating it right so try and produce that glitch in this data to see what happens I'm using my regal arbitrary waveform generator but you could use either any pulse generator or even though I control all I'm doing is I'm triggering off this sync edge and just generating a short pulse I can put in the middle of those also you don't want to drips the beginning of the data because that's got the command head all we want to do is actually stamp on the actual data and see if that is actually displayed they do mostly this jitter is because they we saw earlier the sync is is a bit jittery with respect to the natural data packets but it's good enough for what we want to do because that my simple sing pulse that's just the easiest thing to trigger the trigger the generator prop now because this is an LVDS signal the actual data is the difference between the plus and minus I'm only showing one moment to run our channels now what I was initially feeding the output of the generator through a diode so that it will only it put anything on the bus during the the pulse it doesn't try it bending the Buster in the dead times you can see we can actually sort of Bend the data but that's not actually having any effect on it because we've got this termination resistor between the plus and minus on the display all that's doing is shifting the whole bus so what we need to do is basically short those pins together if I just manually short them you can see it does actually have some effects on the display but so just short the plus and minus together display just not freezes and it sort of ditches and so on but the problem is that doesn't really tell us anything because we're we're also sort of losing all the commands and everything we want to be shorter we're only actually crab data to see whether that Jackson's having any effect on it I think any luck directly injecting the data the pom uses quite low impedance circuit so it's quite hard to actually stamp on the data hard enough so I'm doing now it's got a MOSFET there and I'm just basically dragging one line to ground right on the generator on so and if I turn the generator on we can actually see on the right we are actually getting clicks data but more importantly it's not really disturbing the rest this fly and we get an occasional glitch I think where the pulse drifts into the header and then the whole display moves up but that is displaying it not blanking it again occasional horizontal drift and I think that's where it's just stamping on the packet header it's slipping one latch and missing a complete lines it's not recognizing the command and the whole rest of the data shifting out but that's looking very promising else and see if I can actually just stamp on a bit more of it just to get confirmation of that I know just set this up in burst mode so it's generating pulses on multiple lines and again you can see here we've got and again you see now it's actually producing quite a lot of data on the screen but it's the only time it's glitching the position is where that pulse is drifting into the header because we've got this on slightly unstable sync from the vsync pulse but yet we clearly have data being source splattered on real display time the reason I'm using the clock displays this mode updates continuously but yeah we are managing to over ice and Bay from there so if it was checking that CL see every time then yeah we wouldn't be able to do this so I think that because there's a reasonable confidence that it's not actually paying any attention to that so you'll see at the end of the packet which makes life a lot easier when we're driving it another common issue with LCDs in particular is they've almost always got some special sequence to initialize them when they first turn on so as well you know we seem to have captured some fairly good good data from the other repetitive frame information but we also need to just check my hands when it turns on so I'll just set this up just to do an edge trigger on a powerup on a fairly slow time base and we can see there's a few there's a few sort of odd little things going on there's a few very short commands and again this is a good example where a segmented memory is quite a handy way of capturing the data so you can just set up some short captures so we can actually just capture all those those individual packets in the same way that we did with the other ones and the examine them in detail to see what's going on alright so if we look at what that's the spec says the defy spec says that the there's a synchronization start sequence which is 0 1 1 101 so in fact that's what we see here we've got the i/o 1 101 so that you there start by it and if we look at the ESI spec we see there's a command 3 9 which says DCs long right stroke right there ut read through that spec in more detail dcs downs with display command set and that's another specification document that actually describes the commands of the LCD controller and this 3c basically says write date starting from the previous address there's another command to see which says to write the data from the write data at the start address so I'm guessing if we actually look back in those frames will see that the first frame has a 2 C and the subsequent ones have 3 C in it so let's just have a look and see if we can confirm that all right so this is triggering on the string the second line will just framed up the right here and so I've triggered on that that first byte of the packet off the ECC so we've got 0 0 1 1 1 1 0 0 which is 3 C we found out if I now change the trigger to trigger on the line before it just we can now see exchange 2 to C so we've got that - C command for you have start to frame and then 3 C 2 right day for a subsequent address is of course that's an example of the subtle little detail that either you can spend ages on if you just didn't happen to notice that it was sending you know a different command on that first line than all the others you know you could spend quite a lot of head-scratching from the figure out what the hell is going on when your your hardware is not working so the other thing I found when I searching I found a slightly more detailed version of the LCD datasheet and this included a page of initialization sequences so if we look at those we can actually see that those also correspond with the initialization data I captured from this and these are the captured data at the startup we've got a 5-11 seek response in this entry and the LCD they sheet then every second one on 530 608 which again corresponds to the lights we've got on the LCD timesheet so we've pretty much got everything there right so that's that's basically most three of us engineering done I will write this up at some point but I'm gonna wait until I've actually got managed to drive this thing separately before I do that just to make sure everything's correct so please don't message me asking me if you can drive this off an Arduino no you can't it needs to be the data rate is too high the amount of data is too much what might be interesting to see is how slowly you can clock this and have it still work because it's it's conceivable you might just be able to convince something like a quad SPI part on an arm micro to generate data fast enough to do it but it may or may not be feasible that with the probably offs and timeouts built into this thing so I'm not sure a bargain it'll knock up something with an FPGA to generate timings that match this as close as possible to actually get the thing working and then at some point maybe look to see if it can be slowed down at all but yeah at the very it is pretty much going to be an FPGA solution you might be able to do something with a high-end arm or maybe something of a fast processor but maybe a CPA or something just to do the high-speed serialization but you know this is not a you know not an old Nokia monochrome display this is this needs quite a lot of data rate to talk to it although it does appear it has got built-in memory else is one way you can only write it so you couldn't do for example a line draw in its own buffer because you won't be able to read modify write but it might be feasible to just send it commands to just plot certain objects on the screen but you may well for example you might be limited to only writing whole lines in one go so I think you know the prospects for driving this seriously with something that doesn't have enough memory for full frame buffer are going to be sort of fairly minimal and this is a fairly tall Pyrus display as small displays go you know you'd neither a frame buffer about 168 K for full frame so you're looking at sort of fairly high in system you could probably do pixel doubling or go monochrome or something to drive it from something a bit smaller but if you want to do I proper shape blotting and so on we need the full frame buffer you do not directly need quite a lot of RAM so it's we're way out of the scope of you know the low-end stuff and I'll see the other issues you need to generate the LVDS signals you've got 1.8 volts signalling and the over EDS so it should be relatively faithful to drive it from an FPGA but not from a microcontroller underneath with an FPGA you're going to need some external memory quite a big FPGA to get that much memory on board so you probably looking at an FPGA with some external memory I hope the reverse engineering aspects we're interesting is a lot of those techniques are very applicable to all sorts of things not just displays and also just hope it just gave an insight into you know the advantages of having a scope that's got some more advanced triggering facilities because it for things like this it does actually really speed things up it just gives you much more insight into what's going on it makes you make it much easier to sort of grab the information you're looking for so you can actually start decoding sauce if you actually wanting to decode things down to the the level of you know what actual by commands are flight flying around the place you need a nice or stable signal you can just look at look at analyze ourselves you have more communication protocols you might need to start if you're building bits of custom hardware to actually grab the data and dump it down to something if there's like a lot of data but so have that was interesting
Info
Channel: mikeselectricstuff
Views: 182,224
Rating: 4.953342 out of 5
Keywords:
Id: 7TedIzmguP0
Channel Id: undefined
Length: 55min 3sec (3303 seconds)
Published: Sun Apr 14 2013
Related Videos
Ipod Nano 6 LCD hack part 2
mikeselectricstuff
46K
EEVblog #1044 - LCD Technology Tutorial
EEVblog
121K
GE Talaria projector light valve
mikeselectricstuff
16K
DEF CON 23 - Chris Domas - Repsych: Psychological Warfare in Reverse Engineering
DEFCONConference
127K
TSP #34 - Teardown, Analysis & Repair of an Agilent E4407B 26.5GHz ESA-E Spectrum Analyzer
The Signal Path
79K
iPod Nano 6th Generation: The Coolest iPod I'll Never Own
Pocket Pixel
12K
EEVblog #1020 - Is A $7 LCR / Component Tester Any Good?
EEVblog
643K
Workshop organization and parts storage
mikeselectricstuff
31K
Reverse Engineering a Uniden Cordlessphone LCD
Kerry Wong
11K
Assembly and Review - PE6502 Hobby Computer
The 8-Bit Guy
1.2M
I FOUND The Rest of My Collection! Let’s Open It! – iPod Series S.1 EP.11
Hrutkay Mods
1.4K
Ben Heck's FPGA LCD Driver Hack
element14 presents
214K
$20,000 Sun SPARC64 CPU Module
mikeselectricstuff
49K
Digital x-ray panel sensors, teardown & reverse-engineering
mikeselectricstuff
32K
Biometric Iris scanner Aoptix Insight VM AB1012C
mikeselectricstuff
26K
Spectral Instruments 800 Series 16Mpixel Cooled CCD camera Part 2
mikeselectricstuff
37K
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.