Buspirate SPISniffer Solved

Postby krishnak » Thu Jan 03, 2013 12:41 pm

Hi

I got the bus pirate V3 yesterday. So still a newbie with it.

I am trying to snoop SPI data using it and have hit some problems.

I have a Wiimote like remote control for a game console.

The remote and the console both communicate wirelessly using the nRF24L01 Nordic chip.

The remote has a led on it to show that it is paired with the game console (you need to press a button on the console and the remote simultaneously to pair them, once paired they are paired for ever).

In the remote, a micro controller communicates with the nRF via SPI.

I am trying to use buspirate along with SPIsniffer utility to capture the data transfer between the microcontroller and the nrf chip on the remote.

On the buspirate, I run SPIsniffer program - it shows the following at start up

Parameters used: Device = /dev/ttyUSB0, Speed = 115200, Clock Edge= 1, Polarity= 0
Opening Bus Pirate on /dev/ttyUSB0 at 115200bps...
Starting SPI sniffer...
Configuring Bus Pirate...
Entering binary mode...
(OK) Happy sniffing! Press ESC to stop.
Sync

At this point I have the remote and the game console both powered ON, the LED on the remote shows that it is paired with the game console.

When I start connecting the MISO, MOSI, CLK and CSN to the corresponding pins on the remote control (there are proper headers),
the pairing light on the remote control goes off, i.e. the remote and console no longer communicate.

After some trial and error, I have narrowed it down to the MOSI pin, i.e. when the MOSI pin from the bus pirate gets connected to the corresponding SPI pin on the remote, the pairing on the remote switches off. The remote has to be power cycled and the bus pirate disconnected to enable the pairing again.

Because of this I am not able to get the SPI data when the remote is paired with the game console.

However, I do get SPI data when there is no pairing; the following data gets repeated again and again on the SPI bus:
[0x03(0x0E)0x20(0x03)]
[0x00(0x0E)0x0C(0x08)]
[0x03(0x0E)0x20(0x03)]
[0x00(0x0E)0x12(0x08)]
[0x03(0x0E)0x20(0x03)]
[0x00(0x0E)0x00(0x08)]
[0x03(0x0E)0x20(0x03)]
[0x00(0x0E)0x07(0x08)]
[0x03(0x0E)0x20(0x03)]
[0x00(0x0E)0x00(0x08)]
[0x03(0x0E)0x20(0x03)]
[0x00(0x0E)0x01(0x08)]
[0x03(0x0E)0x20(0x03)]
[0x00(0x0E)0x00(0x08)]

Could someone throw some light on why the Nordic chip loses its pairing as soon as an SPI probe is plugged in from the bus pirate, and any ideas to overcome it?

Many thanks
Last edited by krishnak on Tue Jan 08, 2013 9:28 pm, edited 2 times in total.

Re: Buspirate SPISniffer

Postby tayken » Thu Jan 03, 2013 3:34 pm

Hey there!

Did you try plugging in the pins while everything is off, then putting the BP into sniffer mode, then turning on the remote? My guess is that while the device is sending and receiving data, plugging in the CLK and/or CSN pins disrupts the communication, as either the CSN pin goes high (thus disabling the radio) or the CLK pin changes state, so the ICs receive strange messages.

Re: Buspirate SPISniffer

Postby krishnak » Thu Jan 03, 2013 10:26 pm

Thanks for your reply. I did try that, i.e. plugging in everything between the bus pirate and the remote, then turning on the sniffer and then the remote. When I do that the remote doesn't get paired at all.
Last edited by krishnak on Sat Jan 05, 2013 7:21 am, edited 1 time in total.

Re: Buspirate SPISniffer

Postby matseng » Thu Jan 03, 2013 10:52 pm

Just a random idea: have you tried this using a laptop running on batteries? A desktop connected to mains power might screw up the RF comms.

Re: Buspirate SPISniffer

Postby krishnak » Fri Jan 04, 2013 9:29 am

Tried with the laptop just on batteries. It didn't make any difference.

My earlier observations were with an Ubuntu laptop.

I ran the test on a Windows 7 laptop.

However, there is a change to my earlier observation: the pairing stays put with 3 pins connected, i.e. CS, CLK and MISO. It is only when MOSI is connected that the pairing stops.

The pairing stays put with the three pins connected to the remote whether before or after it was switched ON.

But connecting the MOSI pin disrupts the pairing.

I will try to run the test again using Ubuntu to see whether I am able to reproduce the same behaviour as on Windows, or whether I get my earlier issue of CS and CLK disrupting the pairing.

Re: Buspirate SPISniffer

Postby krishnak » Sat Jan 05, 2013 7:17 am

I have tested again using Ubuntu and Windows, after double checking for shorts etc.

I am running the SPIsniffer utility on the bus pirate, and I am connecting the remote control's SPI pins to the bus pirate SPI pins:

MISO, CLK, CS, GND

As soon as I connect the MOSI from the bus pirate to the remote, the remote loses pairing.

Re: Buspirate SPISniffer

Postby tayken » Sat Jan 05, 2013 9:06 am

I was guessing this is not an OS problem but a HW problem. Probably the MOSI pin is stuck at a certain output, thus affecting the comms.

BTW, I forgot to ask these before. Which firmware version are you using and did you update to the latest firmware?

Re: Buspirate SPISniffer

Postby krishnak » Sat Jan 05, 2013 10:30 am

Dear Tayken

The version is

Bus Pirate v3a
Firmware v5.10 (r559) Bootloader v4.4
DEVID:0x0447 REVID:0x3046 (24FJ64GA002 B8)


I am not sure whether the latest firmware v6.x is suitable for this board?

Could you please confirm.

Re: Buspirate SPISniffer

Postby tayken » Sat Jan 05, 2013 10:54 am

It is suitable, no problems there. I use the same firmware with my v2go board. :)

Just update the firmware and try it again. That way we can see if it is an already solved issue in the firmware or whether there is something else.

Re: Buspirate SPISniffer

Postby krishnak » Sat Jan 05, 2013 8:16 pm

No luck with the firmware upgrade; it is still behaving in the same way. I am going to try to sniff some other SPI traffic between a PIC24 and a Raspberry Pi and see whether the sniffer really works on the bus pirate. That way I can probably work out whether the issue is with the bus pirate or the remote.

Re: Buspirate SPISniffer

Postby krishnak » Sun Jan 06, 2013 6:18 am

I have tested the bus pirate SPISniffer utility against a PIC24 on a Microstick and a Raspberry Pi; the SPI sniffer utility is picking up the data without disrupting anything. So there doesn't seem to be a fault with the MOSI line on the bus pirate.

Re: Buspirate SPISniffer

Postby mungewell » Mon Jan 07, 2013 12:02 pm

Hi krishnak, you PM'ed me regarding my previous testing with the RF24L01. I was sniffing a USB dongle (Cypress micro driving an RF24L01) and from what I remember I had no problem with the link dropping when sniffing.

I would suggest that you check the power supply voltages. You might find that your target is using a lower voltage than the BP and is therefore having problems when the BP is connected. You may need to buffer the signal(s) before connecting them; I'd suggest a non-inverting O/C driver with its input connected to the target and its output to the BP (pulled up to the BP's supply with 10K or so).

You should also look at upping the baud rate or you might lose data; I think you can get close to 921K if you use the custom baud rate value (check my older posts).
Simon
(PM me again if you need more info, as I'm not routinely on this forum)

Re: Buspirate SPISniffer

Postby krishnak » Tue Jan 08, 2013 4:00 am

Hi Simon

I followed your advice and connected the remote to the 3.3V power output of the bus pirate. The results are the same as before, i.e. as soon as you plug in MOSI the RF link (pairing) between the remote and its game console stops. The remote and bus pirate are still powered ON though. I did not use opto couplers as I don't have any fast ones handy.

Please note that if you plug in MOSI before switching on the remote, the RF link is not established at all, irrespective of the power source.

I disconnected everything and did some analysis just with the remote control's MOSI, MISO, CLK, CSN and GND.

When I measure the resistance between GND and any of the pins on the remote, i.e. MISO, CLK, CSN, the multimeter shows infinite resistance.

However between MOSI and GND it shows 125K.

I tried the following analysis with the bus pirate removed completely from the picture.

Exp 1

Powered on the remote with 2xAA battery

The remote powered ON and the RF link between console and the remote was established - there is a LED for RF link which gets lit.

Now I took a jumper cable and inserted it into the GND pin; the other end of the cable is isolated from any contacts, it is just floating.

Now I took another jumper cable and inserted it into each one of the following pins, one pin at a time: MISO, CLK, CSN. This cable's other end is isolated and floating as well. I inserted it into MISO and the RF link stayed ON. Hence I removed the jumper cable and inserted it into CLK, and so on.

When the cable was inserted into the MOSI pin on the remote, the RF link stopped working.

Please note the inserted cable's other end is not connected to anything else and is isolated.

I repeated this experiment several times and I got the same result each time.

Exp 2

Remote powered with 2AA batteries. RF link up.

I removed the extra jumper cable from GND, which was used in the previous experiment.

Now I tried inserting a jumper cable into MISO, CLK, CSN one pin at a time; the RF link stayed ON. The jumper cable's other end is isolated.

Only 1 cable is used and it is plugged and unplugged from each PIN.

I tried inserting it into MOSI; the RF link stayed ON.

Moved the cable with reasonable force in the MOSI header to check whether there were any shorts; none, and the RF link stayed ON. Unplugged and replugged this cable in MOSI several times; the RF link stayed ON.

With the cable plugged inside the MOSI header, I inserted a separate jumper cable (not connected anywhere) into the GND header; the RF link stayed ON.

After a while, when the jumper wire was still plugged into GND, I removed the jumper cable from MOSI. The RF link dropped.

I repeated this several times and am able to reproduce it every time.


The MOSI pin seems to disrupt the RF link only if the ground gets connected to something even if it is a simple wire.

The snooped data with the RF link down is something like this (this data was captured when the remote was powered ON with MOSI plugged in, and hence no RF link):

[0x81(0xFE)]
[0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)0x00(0xFF)]
[0x04(0x39)]
[0x88(0xF3)]
[0x42(0x1C)]
[0x40(0x1F)]
[0x01(0x3F)]
[0x03(0x0F)]
[0x23(0x0F)]

After the above data, 0x03 and 0x23 keep repeating in no particular order.

Do you make out anything from this information?

Does the remote employ some anti snooping mechanism?
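The bracketed lines in the two captures in this thread (the repeating one in the first post and the one above, taken with MOSI plugged in) are in the Bus Pirate sniffer's output format: `[` and `]` mark CS asserted and released, and each `0xMM(0xSS)` is one clocked byte shown as MOSI(MISO). The decoder below is an added example, not code from the thread or from the Bus Pirate project; it parses that format, names the nRF24L01 command and STATUS bits using the datasheet's register map, and flags transactions whose first byte is not a valid command or whose STATUS has the reserved bit 7 set, which is a common sign of a clock edge/polarity setting that does not match the target.

```python
import re

# nRF24L01 register map (0x00-0x17), used to name R_REGISTER / W_REGISTER targets.
REGS = {0x00: "CONFIG", 0x01: "EN_AA", 0x02: "EN_RXADDR", 0x03: "SETUP_AW",
        0x04: "SETUP_RETR", 0x05: "RF_CH", 0x06: "RF_SETUP", 0x07: "STATUS",
        0x08: "OBSERVE_TX", 0x09: "CD", 0x0A: "RX_ADDR_P0", 0x0B: "RX_ADDR_P1",
        0x0C: "RX_ADDR_P2", 0x0D: "RX_ADDR_P3", 0x0E: "RX_ADDR_P4",
        0x0F: "RX_ADDR_P5", 0x10: "TX_ADDR", 0x11: "RX_PW_P0", 0x12: "RX_PW_P1",
        0x13: "RX_PW_P2", 0x14: "RX_PW_P3", 0x15: "RX_PW_P4", 0x16: "RX_PW_P5",
        0x17: "FIFO_STATUS"}
# Commands that carry no register address in their low bits.
CMDS = {0x61: "R_RX_PAYLOAD", 0xA0: "W_TX_PAYLOAD", 0xE1: "FLUSH_TX",
        0xE2: "FLUSH_RX", 0xE3: "REUSE_TX_PL", 0xFF: "NOP"}
# Bus Pirate sniffer prints every clocked byte as 0xMOSI(0xMISO) inside one [ ] CS window.
BYTE = re.compile(r"0x([0-9A-Fa-f]{2})\(0x([0-9A-Fa-f]{2})\)")

def parse_line(line):
    """One sniffer transaction -> list of (mosi, miso) byte pairs."""
    return [(int(m, 16), int(s, 16)) for m, s in BYTE.findall(line)]

def decode_command(cmd):
    """Name the nRF24L01 command carried in the first MOSI byte of a transaction."""
    if cmd < 0x20:
        return "R_REGISTER " + REGS.get(cmd, "RESERVED")
    if cmd < 0x40:
        return "W_REGISTER " + REGS.get(cmd & 0x1F, "RESERVED")
    return CMDS.get(cmd, "UNKNOWN")

def decode_status(status):
    """STATUS is shifted out on MISO while the command byte is clocked in; bit 7 always reads 0."""
    pipe = (status >> 1) & 0x07
    return {"RX_DR": bool(status & 0x40), "TX_DS": bool(status & 0x20),
            "MAX_RT": bool(status & 0x10), "RX_P_NO": "empty" if pipe == 7 else pipe,
            "TX_FULL": bool(status & 0x01), "valid": not (status & 0x80)}

def annotate(line):
    """Decode one transaction; 'suspect' marks bytes that cannot be a real nRF24L01 exchange."""
    pairs = parse_line(line)
    if not pairs:
        return None  # e.g. the 'Sync' line the sniffer prints at start-up
    cmd, status = pairs[0]
    name, st = decode_command(cmd), decode_status(status)
    return {"cmd": name, "status": st, "mosi": [m for m, _ in pairs[1:]],
            "miso": [s for _, s in pairs[1:]],
            "suspect": name == "UNKNOWN" or not st["valid"]}

if __name__ == "__main__":
    # Two lines copied from the thread: one from the unpaired capture, one from the MOSI-probed capture.
    for line in ["[0x03(0x0E)0x20(0x03)]", "[0x81(0xFE)]"]:
        print(line, "->", annotate(line))
```

Running the decoder over the first capture names every transaction as a register read with a clean STATUS, while `[0x81(0xFE)]` from the second capture is flagged as suspect, which is the first thing to check before reading meaning into the bytes.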

Re: Buspirate SPISniffer

Postby mungewell » Tue Jan 08, 2013 12:41 pm

krishnak wrote: I followed your advice and connected the remote to the 3.3V power output of the bus pirate.

Not quite what I suggested, but if it didn't damage your hardware then it proves the power domains are not the problem.

krishnak wrote: However, between MOSI and GND it shows 125K.

Just to be clear, this is the resistance from MOSI to GND on the target board, without the BP attached.

125K is fairly 'weak'. One would normally have pull ups, but they might be using pull downs (or relying on the inherent input resistance of the RF24L01).

Do you have the pull ups enabled on the BP? If yes, try turning them off....
http://dangerousprototypes.com/docs/Practical_guide_to_Bus_Pirate_pull-up_resistors

A 'stronger' pull up might be interacting with the pull down and preventing the remote/micro from being able to drive the signal low. I still suggest that you use some form of buffer between the MOSI signal and the BP.

krishnak wrote: Does the remote employ some anti snooping mechanism?

Most unlikely, vendors don't normally care and engineers are lazy.....
Simon

Re: Buspirate SPISniffer

Postby mungewell » Tue Jan 08, 2013 12:49 pm

Oh, by O/C I meant open collector output. In my work life I like to use these little devices to interface signals between different power domains, when only a couple of signals are required.
http://www.digikey.ca/product-detail/en/SN74LVC2G07DCKR/296-13495-2-ND/486429

Power from the source domain, pull up on the destination domain.
Simon