Author Topic: General Tips on Reverse Engineering a Communications Protocol with an OScope  (Read 2078 times)


Offline AaronCTopic starter

  • Newbie
  • Posts: 3
  • Country: us
So I'm working on a project that will be using the somewhat popular Firmata communications protocol. It's a method of transferring information over USB to a microcontroller like an Arduino. The Firmata Protocol emulates MIDI/SysEx messages to transport their messages. I've been reading up on the protocol but I just can't visualize it in my head, so I thought it would be a good idea to check out what it's sending on an oscilloscope. However, I'm not having much luck brute forcing it and writing down each bit manually. I tried using the cursors to measure a single peak and then see how long some of the larger pulses were based on that, but it's hard to tell, for example, whether it represents 7 or 8 bits. I only have access to a Rigol 1054Z, so here's an example of what came out.



So I'm using the Johnny-Five JavaScript library on top of Firmata, so for now I can only assume what it's sending, but I'll be digging into the source code today. The oscilloscope image was generated by sending the command `Led.on()` and monitoring over the RX pin. So if I were to guess, it would be what they call 'Set Digital Pin Value', which is 3 bytes. The first is the command flag of 0xF5, then the pin number, which is 0x06 in my case, and then the value, which should be '1' or HIGH. I can't seem to find that in the image though.

Do you have any advice on brute forcing a protocol like this? I obviously can't use the decode functions because it's not a standard format (although I was tempted to generate a clock signal and attempt to use the Parallel decoder). Advice?
 

Online Fungus

  • Super Contributor
  • ***
  • Posts: 16828
  • Country: 00
To find out where the data is you can send repeated led.on(), led.off() commands. Look for what changes in the packet.

Now do it with a different pin.

etc.
 

Online hexreader

  • Frequent Contributor
  • **
  • Posts: 264
  • Country: england
Hard to read accurate timings, but it looks to me like 57600 baud, 7 bit, odd parity, 1 stop bit, idle low.

start-0110011p-stop-start-1111111p-stop-start-1000000p-stop

Hexadecimal 66, 7F, 01

.... or maybe 8 bit and no parity???

start-01100111-stop-start-11111110-stop-start-10000000-stop

Hexadecimal E6, 7F, 01

start bit is a zero, stop bit is a one

- could be wrong though -
« Last Edit: March 29, 2018, 08:15:31 pm by hexreader »
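The two readings above are worth checking mechanically. This is an added example, not code from the thread: it takes a bit string (or cursor-measured run lengths at a given baud rate) and decodes it as standard UART framing (idle high, start bit 0, LSB first, optional parity, stop bit 1), under both the 7-bit odd-parity and 8-bit no-parity hypotheses. The sample bit string is constructed from hexreader's three frames.

```python
# Constructed sample: idle, then the three frames hexreader wrote down, then idle.
SAMPLE_BITS = "1" + "0011001111" + "0111111101" + "0100000001" + "1"


def runs_to_bits(runs, baud):
    """Turn (level, seconds) runs measured with the scope cursors into a bit
    string by rounding each run to whole bit periods of 1/baud."""
    bit_time = 1.0 / baud
    return "".join(str(level) * max(1, round(seconds / bit_time))
                   for level, seconds in runs)


def decode_frames(bits, data_bits=8, parity=None):
    """Scan for start bits (0) and return (values, framing_errors, parity_errors).

    Assumes idle high, data LSB first, optional parity ("even"/"odd"), stop bit 1.
    A frame whose stop bit is not 1 counts as a framing error; the scan then
    advances one bit so it can resynchronise on the next start bit."""
    frame_len = 1 + data_bits + (1 if parity else 0) + 1
    values, framing_errors, parity_errors = [], 0, 0
    i = 0
    while i + frame_len <= len(bits):
        if bits[i] != "0":          # idle or stop level: not a start bit
            i += 1
            continue
        data = bits[i + 1:i + 1 + data_bits]
        value = int(data[::-1], 2)  # LSB is on the wire first
        pos = i + 1 + data_bits
        if parity:
            ones = data.count("1") + int(bits[pos])
            if (ones % 2 == 1) != (parity == "odd"):
                parity_errors += 1
            pos += 1
        if bits[pos] != "1":
            framing_errors += 1
            i += 1
            continue
        values.append(value)
        i = pos + 1
    return values, framing_errors, parity_errors


def try_framings(bits):
    """Decode under both framings hexreader proposed; both come back error-free
    on SAMPLE_BITS, which is why the bits alone cannot settle the question."""
    return {"7O1": decode_frames(bits, 7, "odd"), "8N1": decode_frames(bits, 8, None)}


if __name__ == "__main__":
    for name, (vals, fe, pe) in try_framings(SAMPLE_BITS).items():
        print(name, [hex(v) for v in vals], "framing errors", fe, "parity errors", pe)
```

Because the odd-parity bit of each 7-bit frame lands exactly where the eighth data bit of an 8N1 frame would, the same stream decodes cleanly both ways; only knowing the sender's configuration (or a frame where the two disagree) breaks the tie.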
 

Offline AaronCTopic starter

  • Newbie
  • Posts: 3
  • Country: us
Quote
To find out where the data is you can send repeated led.on(), led.off() commands. Look for what changes in the packet.

Now do it with a different pin.

I did this on a single pin and just saved as many transmissions as possible. Dunno. I guess I'll comb through the source code today of both the Johnny-Five and the Firmata.js libraries to see how they handle it. Change the pin number, and then compare packets to what I have now. Thanks.
 

Offline Elasia

  • Frequent Contributor
  • **
  • Posts: 726
  • Country: us
Quote
To find out where the data is you can send repeated led.on(), led.off() commands. Look for what changes in the packet.

Now do it with a different pin.

Quote
I did this on a single pin and just saved as many transmissions as possible. Dunno. I guess I'll comb through the source code today of both the Johnny-Five and the Firmata.js libraries to see how they handle it. Change the pin number, and then compare packets to what I have now. Thanks.

If you have access to them.. the reference standards are the best way to learn, along with the source code. Or rather I should say maybe other people's explanation work (like books/wiki) based on the reference material. Anything with a protocol flow and breakdown chart (bits, bit groups, structs, CRCs, etc. etc.), think like what makes up a packet of data? Once you've got that it can become trivial to manually decode, but without it it's a real pain in the ass.

Once you've got a handle on what it is you are looking at, then you can use the scope to look for anomalies etc.. otherwise you're kinda just flying blind unless your scope decodes that particular protocol.. which I don't think the Rigol does?
 

Offline abraxa

  • Frequent Contributor
  • **
  • Posts: 377
  • Country: de
  • Sigrok associate
Quote
otherwise you're kinda just flying blind unless your scope decodes that particular protocol.. which I don't think the Rigol does?

sigrok has a MIDI decoder and the DS1074z is supported, so that might be an option.
 

Online Fungus

  • Super Contributor
  • ***
  • Posts: 16828
  • Country: 00
Quote
otherwise you're kinda just flying blind unless your scope decodes that particular protocol.. which I don't think the Rigol does?

sigrok has a MIDI decoder and the DS1074z is supported, so that might be an option.

MIDI is just RS232 at 31250 baud with 8 data bits, one stop bit.

If it's using the crappy USB midi protocol thing then it always sends packets of 32 bits.
 

Offline AaronCTopic starter

  • Newbie
  • Posts: 3
  • Country: us
Quote
MIDI is just RS232 at 31250 baud with 8 data bits, one stop bit.

If it's using the crappy USB midi protocol thing then it always sends packets of 32 bits.
I don't think it does. Essentially Firmata is just the same messaging format/structure, i.e. the messages are the same but how they are transported is different. You could be right though. When I initially tried to decode a different image I ended up with my expected 3 bytes and 5 leftover bits, so I wasn't confident in my interpretation.

I might just try to create a grid in Photoshop that is the width of a single peak so that I can slide it along and see where each bit begins; then, depending on where I start reading, it will be more obvious due to limited permutations. I read the source code for one of the libraries and it's making sense, but I still need to comb over the Firmata Arduino source.
 

Offline bitwelder

  • Frequent Contributor
  • **
  • Posts: 969
  • Country: fi
So, you are talking about this Firmata protocol?
https://github.com/firmata/protocol
 

