After identifying as many components as I could, it is time to see how things work. So, I got my $10 logic analyzer and $20 FT4232-56Q module out and got to work.
I connected the three I2C buses to the logic analyzer and the two UART ports to the FT4232 module, then turned on the device. I turned ON/OFF some relays while recording everything, and below are the logs.
UART_LOG
- The file "bootlog.txt" is a log captured while the device boots up and after turning some relays ON/OFF.
- A status message is sent every time a relay is switched, e.g. `Update relay state, 1,1,0,0,0`
- The message format is: `<Overall status>,<Relay1>,<Relay2>,<Relay3>,<Relay4>`, where 1 = ON, 0 = OFF
- When you press enter in the UART console, a "#" appears, but it seems nothing else happens.
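A small parser for these status lines, added here as an example and not part of the original log; the sample UART lines it walks are constructed, not taken from bootlog.txt:

```python
import re
from typing import List, Optional, Tuple

# Matches the status line format described above: the literal prefix, then an
# overall flag and four relay flags separated by commas (optional spaces allowed).
STATUS_RE = re.compile(
    r"^Update relay state,\s*([01])\s*,\s*([01])\s*,\s*([01])\s*,\s*([01])\s*,\s*([01])\s*$"
)


def parse_status_line(line: str) -> Optional[Tuple[int, List[int]]]:
    """Return (overall, [relay1..relay4]) for a status line, or None for any other line."""
    m = STATUS_RE.match(line.strip())
    if m is None:
        return None
    flags = [int(g) for g in m.groups()]
    return flags[0], flags[1:]


def relay_transitions(log: str) -> List[Tuple[int, int, int]]:
    """Walk a UART log and report every relay that changed between consecutive
    status messages as (status message index, relay number 1-4, new state)."""
    events = []
    prev = None
    idx = 0
    for line in log.splitlines():
        parsed = parse_status_line(line)
        if parsed is None:
            continue  # boot chatter, "#" prompts, etc. are skipped
        _, relays = parsed
        if prev is not None:
            for n, (old, new) in enumerate(zip(prev, relays), start=1):
                if old != new:
                    events.append((idx, n, new))
        prev = relays
        idx += 1
    return events


# Constructed sample log (not the real bootlog.txt); mirrors the format on the page.
SAMPLE_LOG = """\
boot banner line (constructed)
#
Update relay state, 1,1,0,0,0
#
Update relay state, 1,1,0,1,0
Update relay state, 0,0,0,0,0
"""

if __name__ == "__main__":
    for idx, relay, state in relay_transitions(SAMPLE_LOG):
        print("message %d: relay %d -> %s" % (idx, relay, "ON" if state else "OFF"))
```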
I2C1 & I2C2
- The two I2C buses transmit messages every 3 seconds whether a relay is ON or OFF.
- I am still unable to understand the meaning of the bytes, but I think they are related to the current measurements.
- The same pattern appears on both buses.
- The files "PowerPlug_I2C1_capture_CTRL_PCB_with_Power_PCB_InitialState.csv" and "PowerPlug_I2C2_capture_CTRL_PCB_with_Power_PCB_InitialState.csv" contain the decoded bytes.
LED-I2C
- This is the bus that controls the relays and indicator LEDs.
- When one of the four keys on the Power board is pressed, the SoC detects the input and sends the corresponding command over this bus.
- The files "I2C_RelayX_OFF.csv" and "I2C_RelayX_ON.csv" show the frames for controlling each of the four relays.
WiFi
- Remember, this is an IoT device and it supports Access Point mode by default. So, I connected to the access point and fired up nmap.
- I scanned the entire port range and found that only port 30300 is open. It is the port the mobile app uses to communicate with the device.
Firmware
- Since this is an ARM-based device, I thought of dumping the firmware, especially since the JTAG pins are exposed and labeled on the test pads.
- The SoC is very old and is not natively supported in OpenOCD, but thanks to "greatlevi", the config file "rtl8710.ocd" worked fine and I dumped the firmware.
- Checking the dumped binary file shows that the device is running the FreeRTOS system, with many of the FreeRTOS libraries used as is.
mwahid