lectures.alex.balgavy.eu

Lecture notes from university.
git clone git://git.alex.balgavy.eu/lectures.alex.balgavy.eu.git

+++
title = 'Embedded systems'
+++
# Embedded systems
Embedded systems pervade nearly every aspect of modern life, and their security often lags behind that of general-purpose computers.

Embedded system: a special-purpose computing system running software tightly coupled to its hardware, as part of a larger system.

May have: no or specialized user interfaces, low power consumption and computational power, interfaces to the physical world, non-customizable software, a non-von Neumann architecture (e.g. Harvard, with separate code and data memories).

## Core components
### Memory
Non-volatile: data persists when power is removed. Holds code, static data, configuration. Examples are NAND/NOR flash and EEPROM.

Volatile: holds runtime data (stack, heap) and often code (copied from non-volatile memory at boot). Examples are DRAM (each bit is a capacitor charge and needs periodic refresh) and SRAM (each bit is held in transistor logic, no refresh needed).

### Peripherals
Input/output devices, typically interfaced via memory-mapped I/O (MMIO): the processor reads and writes peripheral registers at fixed physical addresses.

On-chip: shares the die with the processing unit and interfaces with it directly. Example: a timer.

Off-chip: physically separate from the processing unit, connected via a bus. Example: a WiFi chipset.

### Processing unit
Often has a workload-specific instruction set architecture.

Variants:
- microcontroller: IC that also contains memory and peripherals
- system-on-chip: IC containing a full computing system (processor cores, memory, peripherals, often radios)
- digital signal processor: microprocessor specialized for digital signal processing
- coprocessor: microprocessor supporting the main processor for specialized tasks

## Inspection tools
Multimeter: measures voltage, current, resistance. Its continuity mode tells you whether two pieces of metal on a circuit are electrically connected (e.g. a header pin and a ground plane).

Logic analyzer: samples one or more digital lines over time and visualizes them, a bit like a debugger for signals. Many come with protocol decoders (UART, SPI, I2C).

Oscilloscope: measures and visualizes analog signals over time (voltage levels, edges, noise), so it also shows what a logic analyzer's 0/1 threshold hides.

## Protocols & interfaces
### Universal asynchronous receiver/transmitter (UART)
Used for serial communication between two components.

Separate receive (RX) and transmit (TX) lines; TX of one side connects to RX of the other. There is no clock line, so both sides must use the same settings.

Data format and transmission speed are configurable and must be agreed beforehand.

- When idle, the line is held high.
- A start bit pulls the line low for one bit time.
- Data bits follow: 0 is low, 1 is high.
- The stop bit(s) return the line to high.

![UART electrical signal](uart-signal.png)

Options and common choices:
- baud rate (bits per second): 2400..115200 (9600 and 115200 are the most common)
- data bits per word (between start and stop): 5..8
- parity bit (to detect single-bit transmission errors): none, even, odd
- stop bits (how many bit times of high for stop): 1, 1.5, 2
- bit order: LSB first (the norm), MSB first
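
Added example, not part of the original notes: a minimal UART encoder and decoder working on raw line samples, the way a logic analyzer captures them. It shows the frame layout above (idle high, start low, data LSB first, optional parity, stop high), mid-bit sampling, and what a mismatched parity setting looks like to the receiver. The payload, baud rate and sample rate are constructed; only integer stop-bit counts are handled (1.5 is not).

```python
"""UART framing at the sample level, as a logic analyzer would see it.

uart_encode() builds the line waveform for a byte string; uart_decode() recovers
the bytes from raw 0/1 samples and reports parity and framing errors. Example
code written for these notes, not from a real tool; inputs are made up.
"""


def _parity_bit(ones, parity):
    """Parity bit value for a word containing `ones` set bits ("even" or "odd")."""
    return ones % 2 if parity == "even" else 1 - ones % 2


def uart_encode(data, baud, sample_rate, data_bits=8, parity=None, stop_bits=1):
    """Return a list of line samples (1 = high) for `data` sent as UART frames."""
    spb = sample_rate // baud            # samples per bit time
    line = [1] * spb                     # idle high before the first frame
    for byte in data:
        bits = [0]                                            # start bit: high -> low
        bits += [(byte >> i) & 1 for i in range(data_bits)]   # data, LSB first
        if parity:
            bits.append(_parity_bit(sum(bits[1:]), parity))
        bits += [1] * stop_bits                               # stop: back to high
        for b in bits:
            line += [b] * spb
    return line + [1] * spb              # idle after the last frame


def uart_decode(line, baud, sample_rate, data_bits=8, parity=None, stop_bits=1):
    """Decode UART frames from samples. Returns (bytes, errors); errors are
    (kind, frame_index) tuples with kind "parity" or "framing".

    A frame is located by the falling edge of its start bit; every bit is then
    sampled in the middle of its bit time, which tolerates some clock drift
    between sender and receiver.
    """
    spb = sample_rate // baud
    frame_len = 1 + data_bits + (1 if parity else 0) + stop_bits
    out, errors = [], []
    i = 1
    while i < len(line):
        if not (line[i - 1] == 1 and line[i] == 0):   # wait for a falling edge
            i += 1
            continue
        centres = [i + spb // 2 + k * spb for k in range(frame_len)]
        if centres[-1] >= len(line):
            break                                       # frame runs past the capture
        bits = [line[c] for c in centres]
        if bits[0] != 0:                                # glitch shorter than half a bit
            i += 1
            continue
        value = sum(b << k for k, b in enumerate(bits[1:1 + data_bits]))
        idx = 1 + data_bits
        if parity:
            if bits[idx] != _parity_bit(bin(value).count("1"), parity):
                errors.append(("parity", len(out)))
            idx += 1
        if any(b != 1 for b in bits[idx:]):             # stop bit(s) must be high
            errors.append(("framing", len(out)))
        out.append(value)
        i = centres[-1] + spb // 2                      # resume right after the stop bit
    return bytes(out), errors


if __name__ == "__main__":
    # Constructed capture: 115200 baud sampled at 1.152 MHz (10 samples per bit), 8E1.
    capture = uart_encode(b"Hi!", 115200, 1_152_000, parity="even")
    print(uart_decode(capture, 115200, 1_152_000, parity="even"))  # (b'Hi!', [])
    # Same capture with the wrong parity setting: the bytes still come out, every frame is flagged.
    print(uart_decode(capture, 115200, 1_152_000, parity="odd"))
```

The wrong-parity case is the one worth remembering when probing an unknown port: a setting mismatch rarely produces nothing, it produces plausible-looking bytes plus errors (or, for a wrong baud rate, garbage), so a decoder that only prints bytes hides the clue that the configuration is off.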
     61 
     62 Discovering UART ports:
     63 1. Consult datasheet if possible
     64 2. Locate promising headers
     65 3. Identify grounded pins: continuity test
     66 4. Identify TX pin: if data transmission enabled, fluctuating voltage observable
     67 5. Identify RX pin: may require connection to all possible RX pins
     68 
### Serial peripheral interface (SPI)
Synchronous serial bus protocol, connects two or more components on a bus.

Controller/peripheral architecture, with four lines:
- 2 for data: COPI (controller out, peripheral in; historically MOSI) and CIPO (controller in, peripheral out; historically MISO)
- 1 for clock (SCK), driven by the controller
- 1 for chip select (CS), usually active low, which tells a peripheral that the traffic is meant for it

![SPI electrical signal](spi-signal.png)

Multi-peripheral configurations:
- independent: each peripheral has its own connection to the SPI controller; data and clock lines are shared and the controller has one chip select pin per peripheral
- daisy chained: one shared chip select line; the CIPO (controller in, peripheral out) of one peripheral feeds the COPI (controller out, peripheral in) of the next, so the peripherals form one long shift register

![SPI multi peripheral configuration](spi-multi-peripherals.png)
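
Added example, not from the notes: a bit-level model of daisy-chained SPI peripherals that behave as 8-bit shift registers and latch their contents when chip select is released (SPI mode 0: sampled on the rising SCK edge, shifted out on the falling edge). It shows what the daisy-chain wiring implies: the chain is one long shift register, so a full update takes one byte per device, the first byte sent travels to the last peripheral, and whatever was in the chain comes back out on CIPO. The chain length and bytes are made up.

```python
"""Bit-level model of an SPI daisy chain (mode 0, CS active low).

Each peripheral is an 8-bit shift register that latches on CS release, like a
typical shift-register or DAC peripheral. Example code written for these notes;
the transfers below are constructed.
"""


class ShiftPeripheral:
    """One daisy-chained peripheral: COPI -> 8-bit shift register -> CIPO."""

    def __init__(self):
        self.shift = 0          # bits currently in the shift register
        self.latched = None     # value captured when CS was last released

    def cipo(self):
        """Bit presented on CIPO after the falling SCK edge: the register's MSB."""
        return (self.shift >> 7) & 1

    def sample(self, copi):
        """Rising SCK edge: shift in the bit seen on COPI."""
        self.shift = ((self.shift << 1) | copi) & 0xFF

    def cs_released(self):
        """Rising CS edge: latch the shift register into the output."""
        self.latched = self.shift


def spi_transfer(chain, tx):
    """Controller side: assert CS, clock out `tx` MSB first, release CS.
    Returns the bytes read on CIPO of the last peripheral during the transfer.

    chain[0] is wired to the controller's COPI; chain[-1] drives the
    controller's CIPO. The independent configuration (own CS per peripheral)
    is the same call with a one-element chain.
    """
    rx = bytearray()
    for byte in tx:
        value = 0
        for i in range(7, -1, -1):
            copi = (byte >> i) & 1
            # After the falling edge every device presents its MSB ...
            outs = [p.cipo() for p in chain]
            # ... and on the rising edge everyone samples its upstream neighbour
            # at the same instant, so all outputs are read before anyone shifts.
            value = (value << 1) | outs[-1]
            for p, bit in zip(chain, [copi] + outs[:-1]):
                p.sample(bit)
        rx.append(value)
    for p in chain:
        p.cs_released()
    return bytes(rx)


def latched_values(chain):
    """Values the peripherals are now acting on, in chain order (controller side first)."""
    return [p.latched for p in chain]


if __name__ == "__main__":
    chain = [ShiftPeripheral() for _ in range(3)]
    spi_transfer(chain, b"\x01\x02\x03")
    print(latched_values(chain))                  # [3, 2, 1]: the first byte sent travels furthest
    print(spi_transfer(chain, b"\x00\x00\x00"))   # b'\x01\x02\x03': the old contents shift back out
```

The read-back on the second transfer is why a daisy chain is convenient for dumping as well as programming: clocking zeros through the chain returns everything it held, one byte per device, in reverse order of how it was loaded.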

Discovering SPI flashes:
- a typical device on an SPI bus is flash memory, e.g. where the BIOS or firmware is stored
- most often visible by eye (commonly an 8-pin SOIC package), with manufacturer and part ID printed on the chip
- open source tooling for SPI flash dumping is available, e.g. [https://trmm.net/SPI_flash](https://trmm.net/SPI_flash)

### Inter-integrated circuit (I2C)
Synchronous serial bus protocol, connects two or more components on a bus.

Multi-controller/multi-target architecture, with two lines:
- serial data (SDA)
- serial clock (SCL)

Both lines are open-drain with pull-up resistors: a device can only pull a line low, and a released (idle) line reads high.

Uses messages:
- start condition (S):
  - signals the beginning of a message
  - SDA pulled low while SCL is high
    - from here on, SDA may only change while SCL is low (it is sampled while SCL is high)
- Address (7 or 10 bits)
  - determines the target to communicate with
- Read/write bit (RW):
  - 1: read from target
  - 0: write to target
- ACK/NACK bit (A):
  - the transmitter releases SDA
  - the receiver pulls SDA low to acknowledge
  - if the transmitter reads a stable low during the clock pulse → ACK; if SDA stays high → NACK
- Data (8 bits):
  - actual payload, MSB first
  - each frame is followed by an acknowledgment bit from the receiver
  - a message can carry an arbitrary number of frames
- Stop condition (P)
  - end of message
  - SDA released (goes high) while SCL is high

![I2C electrical signal](i2c-electrical-signal.png)
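
Added example, not from the notes: a decoder that walks raw SDA/SCL samples and reconstructs start, address, R/W, data, ACK/NACK and stop, together with a generator that synthesises a capture so the decoder runs offline. It follows the rules above (start and stop are SDA edges while SCL is high, data is sampled on each SCL rising edge, ACK is SDA low in the ninth clock) and handles 7-bit addresses only. The address 0x50 and the data bytes are constructed.

```python
"""Decoding I2C from raw SDA/SCL samples, as a logic analyzer decoder does.

i2c_capture() synthesises a capture of one message (constructed data);
i2c_decode() walks the samples and rebuilds start/address/RW/data/ACK/stop.
Example code written for these notes, not from any real tool.
"""


def i2c_capture(address, rw, data, ack=True):
    """Return (sda, scl) sample lists for: S, address+RW, data bytes, P.

    One controller writes `data` to the 7-bit `address`; the target ACKs every
    byte when `ack` is True and NACKs otherwise. Lines idle high (pull-ups).
    """
    sda, scl = [1, 1], [1, 1]

    def bit(b):
        # SDA only changes while SCL is low; it is sampled while SCL is high.
        sda.extend([b, b, b])
        scl.extend([0, 1, 0])

    sda.append(0)                                # START: SDA falls while SCL is high
    scl.append(1)
    for byte in [(address << 1) | rw] + list(data):
        for i in range(7, -1, -1):               # 8 bits, MSB first
            bit((byte >> i) & 1)
        bit(0 if ack else 1)                     # ACK: receiver holds SDA low
    sda.extend([0, 0, 1])                        # STOP: SCL goes high with SDA low,
    scl.extend([0, 1, 1])                        # then SDA is released while SCL is high
    return sda, scl


def i2c_decode(sda, scl):
    """Return a list of messages, each {"address", "rw", "data", "acks"}."""
    msgs, cur, bits = [], None, []
    for k in range(1, len(sda)):
        if scl[k - 1] == 1 and scl[k] == 1:      # SDA moving while SCL stays high ...
            if sda[k - 1] == 1 and sda[k] == 0:  # ... falling: START (or repeated START)
                cur, bits = {"address": None, "rw": None, "data": [], "acks": []}, []
                continue
            if sda[k - 1] == 0 and sda[k] == 1 and cur is not None:  # ... rising: STOP
                msgs.append(cur)
                cur, bits = None, []             # a partial bit from the STOP clock is dropped
                continue
        if cur is not None and scl[k - 1] == 0 and scl[k] == 1:     # SCL rising: sample SDA
            bits.append(sda[k])
            if len(bits) == 9:                   # 8 data bits + ACK/NACK
                value = int("".join(map(str, bits[:8])), 2)
                if cur["address"] is None:       # first frame is address + R/W
                    cur["address"], cur["rw"] = value >> 1, value & 1
                else:
                    cur["data"].append(value)
                cur["acks"].append(bits[8] == 0)  # low = ACK, high = NACK
                bits = []
    return msgs


if __name__ == "__main__":
    # Constructed example: write 0x10, 0xAB to address 0x50 (an EEPROM-style address).
    print(i2c_decode(*i2c_capture(0x50, 0, [0x10, 0xAB])))
    # A target that does not answer shows up as NACK on every frame.
    print(i2c_decode(*i2c_capture(0x3C, 0, [0xAE], ack=False)))
```

The NACK case is what an address scan looks like on the wire: a controller writes each candidate address and only the addresses that come back ACKed have a device behind them, which is also how to tell a live bus from one where the target has been powered down.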

Multi-target architectures:
- single controller: each target compares the transmitted address with its own and responds with ACK only on a match
- multi-controller: each controller checks that both lines are free (high) before starting; if two start at once, the one that tries to drive SDA high while reading it low loses arbitration and backs off

Discovering an I2C bus:
1. If available, consult the datasheet; look for part IDs on components
2. Find likely I2C pins (look for the pair of pull-up resistors), use a multimeter to test connections between components
3. Attach a logic analyzer/oscilloscope, check for characteristic I2C communication (both lines idle high, SDA falling while SCL stays high at the start condition)

### Joint test action group (JTAG)
Standardized debugging interface (IEEE 1149.1), present on almost every prototyping board and sometimes left enabled on production devices.

Defines:
- a stateful protocol
- the presence of an instruction register and data registers

JTAG test access port (TAP)
- 4 mandatory lines:
  - TDI: test data in
  - TDO: test data out
  - TCK: test clock
  - TMS: test mode select
- optionally a fifth, TRST: test reset (the same reset state is reachable without it by holding TMS high for 5 TCK cycles)
- devices are arranged in a chain: TDO of one feeds TDI of the next; TCK and TMS are shared

JTAG state machine
- driven by the TMS signal, sampled on each TCK rising edge
- two primitive operations: scan DR, scan IR
- data registers:
  - boundary scan register (BSR): main data register, one cell per pin
  - BYPASS: a single-bit register used to skip the JTAG logic of a specific device (its TDO is its TDI delayed by one clock)
  - IDCODE: holds device-specific information (manufacturer, part number, version)
- which data register sits between TDI and TDO depends on the current instruction

Discovering JTAG ports:
- consult the datasheet
- locate promising headers
- try a bypass scan:
  1. guess a pin configuration (which pins are TDI, TDO, TCK, TMS)
  2. continuously send 1s on the assumed TDI (a varying pattern is more robust, since a line stuck high would also read as 1s)
  3. send the BYPASS instruction to the TAP (all ones in the instruction register by the standard, so the register length need not be known)
  4. wait to receive the 1s on the assumed TDO, delayed by one clock per device in the chain
  5. if not successful, repeat with another pin configuration
- automated discovery tools (special boards) exist, such as JTAGulator, JTAGenum, Glasgow
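
Added example, not from the notes: a simulation of a JTAG chain and the bypass scan steps 2 to 4 above, written for these notes rather than taken from any of the tools named. It models the IEEE 1149.1 TAP state machine driven by TMS, shifts all ones into the instruction registers to select BYPASS, then clocks a pattern through Shift-DR and measures how many clocks later it appears on TDO, which is the number of devices on the chain. The two devices' IR lengths and IDCODE values are made up. Real tools wrap this probe in a loop over pin permutations (step 5); that loop is left out here.

```python
"""Simulated JTAG chain plus the BYPASS scan used to confirm a guessed pinout.
Example code for these notes modelling IEEE 1149.1 behaviour; the IR lengths
and IDCODE values are made up and stand in for any real TAPs in a chain."""

# TAP controller: state -> (next state for TMS=0, next state for TMS=1)
TAP = {
    "TEST_LOGIC_RESET": ("RUN_TEST_IDLE", "TEST_LOGIC_RESET"),
    "RUN_TEST_IDLE": ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
    "SELECT_DR_SCAN": ("CAPTURE_DR", "SELECT_IR_SCAN"),
    "CAPTURE_DR": ("SHIFT_DR", "EXIT1_DR"),
    "SHIFT_DR": ("SHIFT_DR", "EXIT1_DR"),
    "EXIT1_DR": ("PAUSE_DR", "UPDATE_DR"),
    "PAUSE_DR": ("PAUSE_DR", "EXIT2_DR"),
    "EXIT2_DR": ("SHIFT_DR", "UPDATE_DR"),
    "UPDATE_DR": ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
    "SELECT_IR_SCAN": ("CAPTURE_IR", "TEST_LOGIC_RESET"),
    "CAPTURE_IR": ("SHIFT_IR", "EXIT1_IR"),
    "SHIFT_IR": ("SHIFT_IR", "EXIT1_IR"),
    "EXIT1_IR": ("PAUSE_IR", "UPDATE_IR"),
    "PAUSE_IR": ("PAUSE_IR", "EXIT2_IR"),
    "EXIT2_IR": ("SHIFT_IR", "UPDATE_IR"),
    "UPDATE_IR": ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
}


class TapDevice:
    """One TAP: instruction register, 32-bit IDCODE register, 1-bit BYPASS.
    BYPASS is all ones (mandated by 1149.1); any other opcode selects IDCODE here."""

    def __init__(self, ir_len, idcode, idcode_opcode=0b0001):
        self.ir_len, self.idcode, self.idcode_opcode = ir_len, idcode, idcode_opcode
        self.bypass_opcode = (1 << ir_len) - 1
        self.state, self.ir = "TEST_LOGIC_RESET", idcode_opcode
        self.ir_shift, self.dr_shift, self.dr_len = 0, 0, 32

    def clock(self, tms, tdi):
        """One TCK: act on the current state, return TDO, then advance on TMS."""
        st, tdo = self.state, 0
        if st == "TEST_LOGIC_RESET":
            self.ir = self.idcode_opcode              # reset selects IDCODE
        elif st == "CAPTURE_IR":
            self.ir_shift = 0b01                       # IR captures ...01
        elif st == "SHIFT_IR":                         # LSB out on TDO, TDI in at the top
            tdo, self.ir_shift = self.ir_shift & 1, (self.ir_shift >> 1) | (tdi << (self.ir_len - 1))
        elif st == "UPDATE_IR":
            self.ir = self.ir_shift
        elif st == "CAPTURE_DR":                       # BYPASS captures a 0, IDCODE the ID
            self.dr_len, self.dr_shift = (1, 0) if self.ir == self.bypass_opcode else (32, self.idcode)
        elif st == "SHIFT_DR":
            tdo, self.dr_shift = self.dr_shift & 1, (self.dr_shift >> 1) | (tdi << (self.dr_len - 1))
        self.state = TAP[st][tms]
        return tdo


class Chain:
    """Devices in series: probe TDI -> dev[0] -> dev[1] -> ... -> probe TDO; TMS/TCK shared."""

    def __init__(self, devices):
        self.devices = devices

    def clock(self, tms, tdi):
        for dev in self.devices:
            tdi = dev.clock(tms, tdi)
        return tdi


# Varies, unlike all ones, so a TDO line stuck high cannot fake a match.
PROBE_PATTERN = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0]


def bypass_probe(chain, pattern=PROBE_PATTERN, load_bypass=True):
    """Return the number of devices seen through the guessed pins, or None if
    the pattern never comes back (wrong pinout, or no JTAG on those pins).
    load_bypass=False skips the IR step to show why it matters: the DR then
    holds IDCODE bits instead of the one-clock-per-device delayed pattern."""

    def walk(tms_bits):
        for b in tms_bits:
            chain.clock(b, 0)

    walk([1] * 5)                   # 5x TMS=1 reaches Test-Logic-Reset from any state
    if load_bypass:
        walk([0, 1, 1, 0, 0])       # Run-Test/Idle, Select-DR, Select-IR, Capture-IR -> Shift-IR
        for _ in range(31):
            chain.clock(0, 1)       # shift ones: longer than any IR, so every IR becomes all ones
        chain.clock(1, 1)           # last one is shifted while moving to Exit1-IR
        walk([1, 1, 0, 0])          # Update-IR, Select-DR, Capture-DR -> Shift-DR
    else:
        walk([0, 1, 0, 0])          # Run-Test/Idle, Select-DR, Capture-DR -> Shift-DR
    tdo = [chain.clock(0, b) for b in pattern] + [chain.clock(0, 0) for _ in pattern]
    for delay in range(len(pattern) + 1):
        if tdo[delay:delay + len(pattern)] == pattern:
            return delay            # one BYPASS bit per device: delay == chain length
    return None


def demo_chain():
    """Two made-up TAPs with different IR lengths (constructed, not real parts)."""
    return Chain([TapDevice(4, 0x1E0F0F0D), TapDevice(5, 0x2C3C3C3F)])
```

Usage: `bypass_probe(demo_chain())` returns 2 for the two-device chain and `bypass_probe(demo_chain(), load_bypass=False)` returns None, because without the BYPASS instruction the data register between TDI and TDO is the 32-bit IDCODE register and the probe pattern does not reappear within the clocks spent. Shifting more ones than the longest plausible instruction register is what lets the probe work without knowing the register length, which on an unknown board you usually do not.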