Deep in the weeds (Posts about reverse engineering)

Interesting-ish finds

Mike Mattice — Thu, 04 May 2017 22:31:15 GMT

I found out from a fellow Techlahoman on the slack that those connectors in my last post are JST-SSH. Luckily, Digikey carries both genders of these connectors. They also carry some SSH jumpers that can be hacked up for our purposes. I ended up soldering a 6 pin header onto the board to match the other JST connectors.

I also prepped a few sets of cables with JST "connector housings" on one end and male header pins on the other end.

In other news, in doing some digging, it appears as though the Cypress CY7C68013 on this board is connected A0-A15 to the flash chip, which has 8 times the address space of the 8051 in the 68013. To that end, they have some GPIO stuck to the highest three bits of the flash.

U1<->U2 connections
U1	U2
PD5/FD13	A16
PD6/FD14	A17
PD7/FD15	A18

The EA pin of the 68013 is also tied strongly to ground, which means it's using the internal 16KB of RAM is being used for code and data. I also found that the I2C bus was connected to a 64KB SOIC flash chip. I hot-aired that off the board and wired it up to some ribbon cable with a 10pin IDC connector on it that fits directly into my BusPirate 3.6.

Dumping the chip seems to give me 4 copies of the same 16KB of data. I'm not sure if they've programmed it 4 times or if I have the part number wrong and it's only a 16KB flash chip. In either case, I'll be trying to determine what the code is doing.

Raritan is helping us out some

Mike Mattice — Wed, 26 Apr 2017 22:30:51 GMT

In the spirit of other RE people, I've heard that you should always have three of the thing you're tearing apart. One to break, one to RE and one to have a known good to test against.

I also just wanted a few more devices to connect to the KX2-416 eventually anyway, so I'd ordered a couple more D2CIM-DVUSB's. I popped them open and...

Now, these two connectors look exactly like the connector they're using on the end of the board and here's the plug for that.

So now, I just need to figure out what kind of connector this is.

Tearing open a Raritan D2CIM-DVUSB

Mike Mattice — Sat, 22 Apr 2017 17:39:14 GMT

I got a KX2-416 from a popular auction site on the internet a few days ago plus a cheap (seemingly unused to boot) D2CIM-DVUSB from another seller. The DVUSB arrived well before the 416 and I got curious, so I opened it up to see what makes it tick.

After poking at it a bit, I found a few potentially useful doors into the chips and some circuit paths that look interesting.

The chip on the left is a TI CD4053B (triple 2-channel multiplexer) and the one on the right is a Microchip 24LCS22A (2K VESA E_EDID Serial EEPROM).

U12<->U13 connections
U12	U13
A Com(14)	SDA(5)
B Com(15)	SCL(6)
C Com(4)	VCLK(7)

So, it appears as though something wants to switch the EDID EEPROM between a couple of things.

I traced a couple of connections through to the VGA connector.

VGA<->U12 connections
VGA	U12
DDC CLK(15)	By(1)
DDC DAT(12)	Ay(13)

It also appears as though the JTAG pins are brought out to unpopulated headers for both the AT90USB646 and the Altera EP2C5.

I'm waiting on some headers from the next state over to attach with some wirewrap wire to those ports.