• Fuzz testing and the mystery protocol

    Technics, 05/03/2015 at 14:14

    Previously I discovered what looked like a TTL level serial output using the oscilloscope. I have since connected this output to a PC via an FTDI TTL-232R-5V USB to serial cable. I then ran RealTerm and configured the serial port for 9600bps 8-N-1. On powering up the varioscope we are greeted with the following.

    It speaks! Even if it doesn't have much to say. This is good news and quite encouraging. It looks like the M5 is powering up correctly and communicating at least. The yellow wire is clearly a serial output.

    The next step was to see if either the white or brown wire is a serial input to the M5. I first connected the white wire to the serial output from the PC. Unfortunately, sending random characters or commands like "zoom" didn't elicit any response from the M5. There are no acknowledgements or error messages. This does not necessarily indicate that it's not a serial input. It may also indicate that it does not understand what is being sent and is ignoring the input. Without any protocol information it is difficult to know.

    Connecting up the brown wire was more interesting. Every time a character is sent the M5 responds with a sequence of "0" and "$" characters. For example, sending a lower case "a" causes the device to respond with "000$" while sending "x" results in "00$". Receiving a multi-character response to a single character input is quite cryptic and it leads me to believe that this is not a serial input but an input for some other form of encoded data from the control box. Perhaps something that represents the state of the switches and controls on the control box.

    I decided to hook up a function generator to this input to see the effect of signals at various frequency and duty cycle settings.

    Feeding in a square wave at most frequencies between 1 kHz and 10 kHz seems to produce a long string of "0" characters from the serial output. Once the square wave is stopped the M5 sends back a "$" sign. Varying the duty cycle and frequency doesn't have any obvious effect. At this stage I have no way of feeding in a stream for a specific length of time, but I have tried connecting and disconnecting the square wave signal at random. Doing this eventually resulted in something interesting. The M5 started producing three digit numbers continuously over the serial output.

      516
      514
      515
      515
      516
      515
      516
      515
      515
    

    At first the values seemed to have no meaning. However, placing my hand in front of the microscope caused the number to increase and decrease corresponding to the distance between my hand and the M5. These must be measurements from the range-finder.

    More random connection/disconnection of the square wave signal resulted in the M5 whirring into life and executing some kind of self-test. This involved both the zoom and focus stepper motors racking in and out through their full range of movement. It also produced the following serial output.

    A§2§1§f Rf12 Lf12 k11 K11 k11 K11%

    After completing the self-test the M5 began to auto-focus. Placing an object in front of the varioscope causes the focus stepper motors to activate and adjust the focus onto the object. Moving the object back and forth causes it to re-focus. This is a pretty impressive device. I will try to record some video of it in action soon.
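    To make sense of captures like the ones above, here is an added Python example (not code from the original log) that tokenises a RealTerm-style capture into the three kinds of output seen so far: the "0…$" bursts provoked on the brown wire, the three-digit range-finder readings, and anything else (such as the self-test report). The sample capture is constructed from the strings quoted in this log; the line breaks between tokens and the `read_capture` helper's use of pyserial are assumptions.

```python
import re
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional

# Constructed sample capture, built from the strings quoted in this log.
# The line breaks between tokens are an assumption about the real stream.
SAMPLE_CAPTURE = (
    "000$00$\n"                              # two key presses on the brown wire
    "516\n514\n515\n"                        # range-finder readings
    "A§2§1§f Rf12 Lf12 k11 K11 k11 K11%\n"   # self-test report
    "0000000000$\n"                          # a longer square-wave burst
)


@dataclass
class Event:
    kind: str      # "burst", "range" or "other"
    value: object  # burst: number of '0's; range: reading; other: raw token


# Order matters: a run of '0's ending in '$' is tried before the generic token,
# and a range reading is exactly three digits surrounded by whitespace.
TOKEN = re.compile(
    r"(?P<burst>0+\$)"
    r"|(?P<range>(?<!\S)\d{3}(?!\S))"
    r"|(?P<other>\S+)"
)


def parse_stream(text: str) -> List[Event]:
    """Split a capture into burst / range / other events."""
    events = []
    for m in TOKEN.finditer(text):
        if m.group("burst"):
            events.append(Event("burst", len(m.group("burst")) - 1))
        elif m.group("range"):
            events.append(Event("range", int(m.group("range"))))
        else:
            events.append(Event("other", m.group("other")))
    return events


def range_summary(events: List[Event]) -> Optional[dict]:
    """Count / min / max / mean of the range-finder readings in a capture."""
    vals = [e.value for e in events if e.kind == "range"]
    if not vals:
        return None
    return {"count": len(vals), "min": min(vals), "max": max(vals), "mean": mean(vals)}


def read_capture(port: str, seconds: float = 5.0, baud: int = 9600) -> str:
    """Read the yellow-wire output with pyserial (assumed installed) at 9600 8-N-1."""
    import serial  # lazy import so the parser above works without pyserial
    with serial.Serial(port, baud, timeout=seconds) as s:
        return s.read(65536).decode("latin-1")


if __name__ == "__main__":
    for e in parse_stream(SAMPLE_CAPTURE):
        print(e.kind, e.value)
    print(range_summary(parse_stream(SAMPLE_CAPTURE)))
```

    Feeding `read_capture("/dev/ttyUSB0")` into `parse_stream` gives the same event list for a live session, and the burst counts make it easy to correlate how long the square wave was present with the number of "0"s returned.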

    So far no amount of fuzzing of the input has resulted in the ability to control the zoom. It is stuck on minimum magnification while auto-focus is enabled. Sending a long burst of 10 kHz square wave does cause it to go to maximum zoom but it also disables the auto-focus.

    There are two possible ways forward. One would be to produce some hardware to send square waves at set frequencies for arbitrary periods and attempt to determine the behaviour that results from differing inputs. This could be done using an AVR/Arduino or perhaps an MSP430 LaunchPad (I have tons of these spare) or even a PC sound card output.
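    As an added example of the first option (not code from the original log), the following Python script builds a WAV file of square-wave bursts with a chosen frequency, duty cycle and duration, each followed by a silent gap, so that a PC sound card can play a repeatable test sequence. The schedule values and the 44.1 kHz sample rate are assumptions. Two caveats a practitioner would want: a sound card's line-level output is AC coupled and nowhere near 5 V logic, so it needs squaring up with a comparator or level shifter before it goes anywhere near the brown wire; and at 10 kHz a 44.1 kHz sample rate gives only four or five samples per cycle, so the waveform is a rough approximation of a square wave at the top of the range.

```python
import array
import wave
from typing import List, Tuple

RATE = 44100  # sound-card sample rate (assumption)


def square_burst(freq_hz: int, duration_s: float, duty: float = 0.5,
                 rate: int = RATE, amplitude: float = 0.8) -> array.array:
    """Return 16-bit mono samples for one square-wave burst.

    Phase is tracked with integer arithmetic ((i * freq) mod rate) so the
    edge positions are exact rather than subject to float rounding.
    """
    n = int(rate * duration_s)
    high = int(round(amplitude * 32767))
    on_limit = duty * rate  # phase below this value is the "high" part of the cycle
    out = array.array("h")
    for i in range(n):
        phase = (i * freq_hz) % rate
        out.append(high if phase < on_limit else -high)
    return out


def silence(duration_s: float, rate: int = RATE) -> array.array:
    """Silent gap, giving the M5 time to see the signal stop (and send its '$')."""
    return array.array("h", [0] * int(rate * duration_s))


def build_schedule(schedule: List[Tuple[int, float]], gap_s: float,
                   duty: float = 0.5, rate: int = RATE) -> array.array:
    """Concatenate (freq_hz, duration_s) bursts, each followed by a silent gap."""
    out = array.array("h")
    for freq_hz, duration_s in schedule:
        out.extend(square_burst(freq_hz, duration_s, duty, rate))
        out.extend(silence(gap_s, rate))
    return out


def count_rising_edges(samples: array.array) -> int:
    """Low-to-high transitions; a quick sanity check on a burst before playing it."""
    return sum(1 for i in range(1, len(samples))
               if samples[i] > 0 and samples[i - 1] <= 0)


def write_wav(path: str, samples: array.array, rate: int = RATE) -> None:
    """Write mono 16-bit PCM so any media player can drive the sound card."""
    with wave.open(path, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(samples.tobytes())


if __name__ == "__main__":
    # Constructed schedule: sweep a few frequencies in the 1-10 kHz range the log mentions.
    SCHEDULE = [(1000, 0.5), (2000, 0.5), (5000, 0.5), (10000, 2.0)]
    write_wav("m5_bursts.wav", build_schedule(SCHEDULE, gap_s=0.25))
```

    Pairing the WAV playback with the serial capture from the previous log entry turns the random plug/unplug experiments into a repeatable sequence: each burst in the schedule should produce one run of "0"s terminated by a "$", and the burst length can then be varied on its own.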

    The other option would be to attempt to dump and reverse engineer the firmware from the M5. It clearly has a micro-controller...


  • The smoke test

    Technics, 04/25/2015 at 13:19

    In order to power up the varioscope the correct supply voltage had to be determined. I had originally assumed that the supply voltage would be 4.8V based on what seemed to be a 4 cell NiMH pack in the manual. However, performing a Google image search for "3 pin switching regulator" turned up a device that looked exactly like the unidentified module (marked with the number 1 in my previous update). It turned out to be a TI PT78ST100. The data-sheet showed that it has a minimum input voltage of 9V. This would seem to rule out 4.8V as a supply voltage. Upon revisiting the HM500 user manual, it actually lists the voltage under the specifications on page 50 as 9.6VDC. I missed this section when originally looking over the manual. 9.6V seems to be a much more reasonable number. The original control box probably uses an 8 cell NiMH pack and this was not obvious from the photo.

    The next step is to see what happens when we apply 9.6V to the device. In order to do this I have decided to modify the data/power cable that came with the headset. It is fitted with a 10 pin LEMO K series connector at either end. These connectors are relatively easy to disassemble and it could be re-fitted if needed later. They are very high quality connectors and the matching socket costs well over $50. It didn't seem worthwhile buying one without knowing if the varioscope works or not.

    I removed the connector and stripped back enough of the outer jacket of the cable to allow connection to the individual wires. The colour coding of the wires in the cable matches that of the wiring inside the unit. This was confirmed using the continuity buzzer in my multimeter.

    The power wires are red & green for the + supply and black & grey for the - supply. These were paired together and connected to a variable supply which had been set to 9.6V. The multimeter was connected in series to measure current and the supply switched on.

    When the power is applied the device draws about 40mA at 9.6V. Not much else exciting happened. This seems like a reasonable amount of current and it doesn't suggest that the device is damaged by this voltage. No smoke or unusual smells were emitted (which is always good). The next step was to disconnect the multimeter and measure the voltage on the three mystery wires (white, yellow and brown). It turns out that all three measure 5V. This suggests that they are either digital outputs or digital inputs (with pull-ups). I turned to my scope to see if anything interesting was occurring on any of these lines.

    The brown and white wires do not deviate from 5V when power is applied but the yellow wire was far more interesting. When power is first applied we see something that looks a lot like TTL serial data.

    Using the cursors on the scope I measure the period of individual bits to be around 100 µs. This should equate to 9600bps serial. The next step will be to hook this up to my laptop via an FTDI USB to TTL serial cable and see what the device is sending...

  • Voiding the warranty

    Technics, 04/19/2015 at 16:28

    Okay it doesn't really have a warranty to begin with but I'd still prefer not to break it. Given the lack of information available it looks like it's time to tear this thing open. There are two major parts attached to the head mount. The microscope optics and mechanical components are in the front unit. The wiring from the front unit then connects to an enclosure at the back.

    As attacking the front optical/mechanical unit seemed to carry the greatest risk (possibly affecting the alignment of parts or allowing the ingress of dust etc.) I have decided to start with the electrical connections at the back. According to the manual, this small enclosure is designed to hold a counterweight to balance the unit so it is not too front heavy. Weights can be added or removed as required and are held in by a small bolt running through an internal bulkhead. However, this weight does not occupy the entire volume of the enclosure. The connections run behind this bulkhead. Removing it (held by four small screws) reveals the enclosure's other purpose. It holds a considerable portion of the electronics that drive the microscope.

    There are two stacked PCBs in this enclosure. The outer PCB contains what looks to be mostly power supply related circuitry. It also has all of the electrical connections that run to the missing control box. The inner PCB is harder to see but at least one large IC is visible. The part number is obscured by a sticker that seems to indicate a firmware version, so it is possibly a micro-controller.

    I've marked the interesting components in red and the external connections in blue.

    1. Unidentified module. Though it looks like a switch mode voltage regulator of some kind.
    2. Unknown module in yellow heat-shrink.
    3. ST LF33 3.3 Volt low drop-out linear voltage regulator
    4. 10 pin LEMO K-series connector for the control box.
    5. Wurth Electronics WE-SL2 common mode filter.
    6. Maxim MAX764 DC-DC inverter.
    7. A pair of shielded miniature coaxial cables terminated on the board (possibly S-Video)
    8. The other connections to the control box. These must include power and control signals.
    9. The connections to the front microscope motors and sensors.

    It's worth noting that the grey and black wires from the control box are connected together by a trace on the PCB. The red and green wires are also connected together by a trace. This suggests that they may be the power connections. This is backed up by the observation that these two connections run through the common mode filter.

    If the assumption about the mini-coax being for S-video is correct it really only leaves three wires (white, yellow and brown) for control of the microscope. The next step will be to attempt to power up the PCB and look at these signals on a scope to see if there is any activity.

  • Know thy enemy - The research phase

    Technics, 04/18/2015 at 13:55

    As with any reverse engineering effort it's probably a good idea to get acquainted with whatever information is publicly available for this device before ripping it apart blindly.

    A Google search turned up a user manual but unfortunately no service manual. The manual shows that the microscope control box runs on a rechargeable Ni-MH battery. From the images it appears to be a 4-cell pack. This could be a clue to the operating voltage of the microscope (alternatively there could be a boost or buck converter in the control box). It also details that the microscope optionally has a PAL or NTSC camera and that it outputs S-Video. So we can expect to find a video signal from the microscope.

    Google also turned up a press release from the company that produced the miniature stepper motors that are used to drive the focussing and zoom mechanisms. It goes as far as listing which specific motors are used. From this we can assume that the device generates two phase unipolar stepper drive signals somewhere.

    A search on Google Patents also turned up a couple of interesting patents relating to the device. These deal mostly with the optics and do not provide a great deal of information regarding the electronics. They do mention that an infra-red range finder is used to determine the distance to target for the auto-focus system. So that is another piece of the puzzle.

    Links:

    Leica HM500 user manual

    Micromo application/press release

    Micromo stepper motor data sheet

    Patent US7286287

    Patent US5971540