Skip to main content

Messages

This section allows you to view all Messages made by this member. Note that you can only see Messages made in areas you currently have access to.

Messages - s3c

1
Bus Pirate Support / Re: RF Sniffing
Arduino will work fine, just the BP UART latency that got me if I recall. Easiest way would probably be to open up the transmitter and look at the ICs inside, the datasheet will probably explain the protocol. (as was the case with mine)
2
Bus Pirate Support / Re: RF Sniffing
Feel like posting a images zoomed in on a single frame/repeat? would love to see what that signal looks like up close.
3
Bus Pirate Support / Re: RF Sniffing
Glad to see you got it working, was this everything you were trying to accomplish? I tried doing transmission with these TX modules way back using the BP UART mode. Latency kept getting in my way and I used something else though.
4
Bus Pirate Support / Re: RF Sniffing
Quote
Which baudrate did you use ?

You don't need to worry about this at all, I only used the command interface to turn on the bus pirate power supplies, if I remember correctly you have to enter some functional mode before it's allowed however. Can you verify that these are in fact turned on while sniffing? The power led should be lit when it's on.

Quote
Did you use 5v or 3v ?

These receivers get picky when you drop the voltage too much, ideally you want to use 5v.

Quote
Which output type did you use ? Normal or Hi-z ?

Since no outputs are used this doesn't matter.

When capturing data hold down the button for one of those transmitters before you press capture, that should give you a nice trace like the ones I got.
5
Bus Pirate Support / Re: RF Sniffing
Glad to see someone found my blog post useful, even if only in part. What RF device are you trying to pick up? I tried two different ones, a normal 433mhz keeyloq remote and a stupid 403.55mhz static remote. For the second I had to turn out the inductor slug completely to get it to tune to that frequency.

The thing with these receivers is that they give complete rubbish when they don't pick up a signal. Setting the trigger mode thus won't be usefull. Also, you can probably get away with a much lower sampling rate, only guessing but prob something like 10khz. With a lower sample rate you can then record for longer which is usful since you can't use the trigger. Hope that helps.
7
AVRDude / BP V4 as STK500 with AVRStudio6
Has anyone played around with the BP V4 as an STK500 programmer. I can confirm that it doesn't work (for me at least) with AVRStudio6 with the V6.1 firmware. My understanding was that the STK500 firware was integrated? Does it have anything todo with this thread:

viewtopic.php?f=41&t=4207
8
Bus Pirate Support / Re: Binary Raw wire not responding with read data.
Thanks for the replay Ian, I found the bug and you are spot on: I needed a delay between 3.5mS and 4.5mS for this application, the only way I could get it was to disable blocking on serial reads, this had the side effect of of breaking some of the reads. I'm guessing the BP isn't the ideal platform for dumping this device.
9
Bus Pirate Support / Binary Raw wire not responding with read data.
I'm hoping someone can give me a quick kick to get me in the right direction, when using the binary raw wire mode I can confirm that the waveform is what I'm expecting (using the open logic analyzer) but the data returned by the bp is not correct, is there anything simple I'm overlooking?

Here's a screen shot of the read waveform:



Which reads back "ABCDE" from a device, the read function however returns 0 most of the time and a random value some others, I was thinking maybe the bp is using the wrong pin to read back the data? Here's the code:

Code: [Select]
    memset(data, 0, 24);
    for(loop = 0; loop < 24; loop++){
        data[loop] = sendcommand(hComm, CMD_READ_BYTE);
        printf("%d ", data[loop]);
        sleep(2);
    }

Code: [Select]
unsigned char sendcommand(HANDLE hComm, unsigned char command){
    int bytes_written, bytes_received;
    unsigned char received_byte;
    
    PurgeComm(hComm, PURGE_RXCLEAR);
    WriteFile(hComm, &command, 1, &bytes_written, 0);
    //sleep(2);
    ReadFile(hComm, &received_byte, 1, &bytes_received, 0);
    
    return received_byte;
}

The values printed are "0 0 0 0 ..."
10
Open Bench Logic Sniffer / ISE Webpack simulation woes.
I have a decent logic background and have started studying up on VHDL but I'm not ready to start writing some code just yet. After downloading the xilinx software I tried to do a simple schematic circuit and simulate the project, can anyone direct me on getting the simulations up and running. I've found reference on the web of a GUI waveform editor but can't seem to locate it. How do you define custom waveforms and assign them to input pins for running simulations?
13
Open Bench Logic Sniffer / Triggering tips and strange bus behaviour.
A while back I posted the circuit diagram for a hardware dongle I took apart:

http://dangerousprototypes.com/forum/index.php?topic=306.0

This is actually the immobilizer dongle for my car. I finally got around to playing around with it some more and hooked up the OLS. Some of the dumps made sense and others not so much, the bus pirate in I2C monitor mode made a lot more sense though, here's 3 consecutive dumps.

Code: [Select]
][0xA0+0x06+[0xA1+0x30+][][0xA0+0x05+[0xA1+0x03+][][0xA0+0x04+[0xA1+0xCE+]]]]]]

][0xA0+0x06+[0xA1+0x30+][][0xA0+0x05+[0xA1+0x03+][][0xA0+0x04+[0xA1+0xCE+]]]]

][0xA0+0x06+[0xA1+0x30+][][0xA0+0x05+[0xA1+0x03+][][0xA0+0x04+[0xA1+0xCE+]]]]]]

Easy enough to understand, it reads 3 bytes, byte 6, byte 5 and byte 4, in my case being 0x30, 0x3, 0xCE (Yes, you know have enough info to steal my car). I would simply have done one read of 3 bytes starting at location 4 and not 3 random reads but that's not the part that tickles me. Are the logic dumps wrong or is this design deliberately misleading.

I had some trouble getting these dumps as well, more than half the time getting only a blank output, I'd get a good dump, change the memory setting and then get nothing again, a fault on my part perhaps? If you're interested please take a look at the dumps and tell me what you think.

( ! ) Fatal error: Uncaught exception 'Elk_Exception' with message 'Please try again. If you come back to this error screen, report the error to an administrator.' in /var/www/dangerousprototypes/forum/sources/database/Db-mysql.class.php on line 696
( ! ) Elk_Exception: Please try again. If you come back to this error screen, report the error to an administrator. in /var/www/dangerousprototypes/forum/sources/database/Db-mysql.class.php on line 696
Call Stack
#TimeMemoryFunctionLocation
10.01832428560session_write_close ( )...(null):0
20.01882560176ElkArte\sources\subs\SessionHandler\DatabaseHandler->write( )...(null):0
30.01882560952Database_MySQL->query( ).../DatabaseHandler.php:119
40.07332699704Database_MySQL->error( ).../Db-mysql.class.php:273