Categories

Site Sponsors

Who's Online

  • 0 Members.
  • 6 Guests.
«  
  »

Hacking USB Serial Ports

By openschemes, on September 17th, 2009
5,402 views

An unnamed bonus of this dual-port setup is if you would like to eavesdrop on some system’s internal RS-232 communication .   By splicing both the USB and the DB9 ports into that system, you can force it to talk to your PC who then retransmits the data to where it was originally going.   The system you’re attacking has no idea, but you can now record all the communications between them, modify the communications, or pipe in your own commands.   Very useful if you need to get into a trusted system that requires handshaking or other authentication to proceed.

Details:

As was previously mentioned, the device you are looking for is a two-chip system.   There are some adapters on the market that have the usb controller and level shifter integrated into a single chip – these are no good for us.   I don’t know what device you may happen to encounter, but the hack process is the same.

1) Disassemble the device and identify the controller and level shifter.   This is usually pretty easy because the controller is fairly large, but you can also use the following clues.

  • Controller is connected to USB side (and usually physically located there) and the level shifter is connected to the DB9 side.
  • Controller usually has a metal can crystal connected to it in close proximity.

2) Identify the RxD, TxD lines running from the controller to the level shifter.

  • Easiest way is to use the datasheet for one or both of the devices.
  • More difficult way is to trace the circuit, either by physical observation or by using a multimeter on “beep” mode to find which pins (other than VDD and GND) are connected between the two devices.

3) Cut the TxD and RxD lines between the controller and level shifter, and install jumpers or ports for connecting to your own project.

  • NOTE: If you’re tracing by hand, you will still need to determine which one is TxD and which one is RxD.   After cutting the lines between the chip, you can apply 3.3v or 0v to the level shifter inputs and watch the voltage on the DB9 port to see which pin goes high and low.   Pin 2 on the DB9 is the PC’s RxD (PC Receive, controller transmit) and pin 3 is the PC’s TxD (PC transmit, controller receive).

Examples:

We will use the example of the Keyspan HS-19HS, which contains the Texas Instruments TUSB3410 microcontroller as the USB controller, and a no-name RS232 chip as the level shifter.

The first thing we do is download the TUSB3410 datasheet and look at the pinout.   This is the easiest way to identify the pins, obviously.   We see from the pinout diagram that pin 17 is “SIN” (Serial in, TUSB RxD) and pin 19 is “SOUT” (Serial out, TUSB TxD).

TUSB3410 Pinout

Fig 3 – TUSB3410 Pinout

By checking these pins with a DMM on “beep” mode, we can verify that they are really connected to the level shifter as a sanity check before doing any cutting.   In our case, the traces were VERY small so it was much easier to carefully pry up the pins with tweezers while heating the pin with a soldering iron.   Carefully is the operative word here, break the pin off and you might as well trash the adapter – you’re down one port.   For our device, we soldered a yellow wire onto SIN and a red wire onto SOUT.   Please note that you must also connect the GND of this board to the GND of the board you’re working on (or else it won’t know what’s 3.3v and what’s 0v!) so you can see a third wire, black, also soldered to the board.   For GND, you can usually find a large copper area of ground plane and just scratch off the green solder mask with an x-acto knife.
Continued on the next page…
By openschemes, on September 17th, 2009

Pages: 1 2 3

Hacks
«  
  »

Leave a Reply

 

 

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

«  
  »