
Fuzz testing and the mystery protocol

A project log for Reverse engineering a Life Optics M5/Leica HM500

My attempt to get a Life Optics M5 (aka Leica HM500) head mounted microscope/varioscope running.

Technics, 05/03/2015 at 14:14, 0 Comments

Previously I discovered what looked like a TTL-level serial output using the oscilloscope. I have since connected this output to a PC via an FTDI TTL-232R-5V USB to serial cable. I then ran RealTerm and configured the serial port for 9600 bps 8-N-1. On powering up the varioscope we are greeted with the following.

It speaks! Even if it doesn't have much to say. This is good news and quite encouraging. It looks like the M5 is powering up correctly and communicating at least. The yellow wire is clearly a serial output.

The next step was to see if either the white or brown wire is a serial input to the M5. I first connected the white wire to the serial output from the PC. Unfortunately, sending random characters or commands like "zoom" didn't elicit any response from the M5. There are no acknowledgements or error messages. This does not necessarily indicate that it's not a serial input. It may also indicate that it does not understand what is being sent and is ignoring the input. Without any protocol information it is difficult to know.

Connecting up the brown wire was more interesting. Every time a character is sent the M5 responds with a sequence of "0" and "$" characters. For example sending a lower case "a" causes the device to respond with "000$" while sending "x" results in "00$". Receiving a multiple character response to a single character input is quite cryptic and it leads me to believe that this is not a serial input but an input for some other form of encoded data from the control box. Perhaps something that represents the state of the switches and controls on the control box.

I decided to hook up a function generator to this input to see the effect of signals at various frequency and duty cycle settings.

Feeding in a square wave at most frequencies between 1 kHz and 10 kHz seems to produce a long string of "0" characters from the serial output. Once the square wave is stopped the M5 sends back a "$" sign. Varying the duty cycle and frequency doesn't have any obvious effect. At this stage I have no way of feeding in a stream for a specific length of time, but I have tried connecting and disconnecting the square wave signal at random. Doing this eventually resulted in something interesting. The M5 started producing three-digit numbers continuously over the serial output.

  516
  514
  515
  515
  516
  515
  516
  515
  515

At first the value seemed to have no meaning. However, placing my hand in front of the microscope caused the number to increase and decrease corresponding to the distance between my hand and the M5. These must be measurements from the range-finder.
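To make sense of captures like the ones above without staring at RealTerm, it helps to have a small decoder that frames the serial stream the way the log describes it: runs of "0" closed by "$", three-digit range-finder readings one per line, and the "%"-terminated self-test report. The script below is an added example, not code from the project; the framing rules are inferred from the observations in this log only (no M5 protocol documentation exists here), and the sample capture is constructed to imitate them.

```python
import re
from typing import List, Optional, Tuple

Event = Tuple[str, object]

# Constructed sample capture imitating the responses described in the log:
# '0'-runs terminated by '$', three-digit range-finder readings one per line,
# and the '%'-terminated self-test report.
SAMPLE_CAPTURE = (
    "000$00$" + "0" * 12 + "$\r\n"
    "516\r\n514\r\n515\r\n"
    "A§2§1§f Rf12 Lf12 k11 K11 k11 K11%\r\n"
)

# Token framing is an assumption drawn from the log, not from documentation.
TOKEN_RE = re.compile(
    r"(0+\$)"                 # burst: run of '0' closed by '$'
    r"|(\d{3})(?=\r?\n|$)"    # three-digit reading on its own line
    r"|(\$)"                  # lone '$' (a burst with no '0's)
    r"|([^\r\n$]*%)"          # self-test report ending in '%'
)


def parse_stream(capture: str) -> List[Event]:
    """Turn raw serial text into a list of (kind, value) events.

    kinds: 'burst'    -> number of '0' characters seen before the '$'
           'range'    -> integer range-finder reading
           'selftest' -> the full self-test report line
    Characters that match no rule (CR/LF, stray bytes) are skipped.
    """
    events: List[Event] = []
    for m in TOKEN_RE.finditer(capture):
        burst, reading, bare, report = m.groups()
        if burst:
            events.append(("burst", len(burst) - 1))
        elif reading:
            events.append(("range", int(reading)))
        elif bare:
            events.append(("burst", 0))
        else:
            events.append(("selftest", report))
    return events


def range_stats(events: List[Event]) -> Optional[Tuple[int, int, float]]:
    """(min, max, mean) of the range readings, or None if there were none."""
    readings = [v for kind, v in events if kind == "range"]
    if not readings:
        return None
    return min(readings), max(readings), sum(readings) / len(readings)


if __name__ == "__main__":
    for kind, value in parse_stream(SAMPLE_CAPTURE):
        print(f"{kind:9s} {value}")
    print("range stats:", range_stats(parse_stream(SAMPLE_CAPTURE)))
```

To use it on a real session, save RealTerm's capture to a file and pass its contents to parse_stream; the range_stats output makes the hand-in-front-of-the-lens experiment visible as a changing min/max rather than a scrolling column of numbers. Note that an unterminated run such as "000" with no "$" is indistinguishable from a reading of 0 under these rules, so treat bursts at the very end of a capture with suspicion.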

More random connection/disconnection of the square wave signal resulted in the M5 whirring into life and executing some kind of self-test. This involved both the zoom and focus stepper motors racking in and out through their full range of movement. It also produced the following serial output.

A§2§1§f Rf12 Lf12 k11 K11 k11 K11%

After completing the self-test the M5 began to auto-focus. Placing an object in front of the varioscope causes the focus stepper motors to activate and adjust the focus onto the object. Moving the object back and forth causes it to re-focus. This is a pretty impressive device. I will try to record some video of it in action soon.

So far no amount of fuzzing of the input has resulted in the ability to control the zoom. It is stuck on minimum magnification while auto-focus is enabled. Sending a long burst of 10 kHz square wave does cause it to go to maximum zoom, but it also disables the auto-focus.

There are two possible ways forward. One would be to produce some hardware to send square waves at set frequencies for arbitrary periods and attempt to determine the behaviour that results from differing inputs. This could be done using an AVR/Arduino or perhaps an MSP430 LaunchPad (I have tons of these spare) or even a PC sound card output.
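The sound card route needs nothing but a WAV file: a square wave of a chosen frequency and duty cycle, held for an exact number of milliseconds, followed by silence, then another burst. The script below is an added example rather than anything from the project; it generates such a sequence with only the Python standard library. The 48 kHz sample rate, the burst schedule in the main block and the output filename are all choices made here for illustration.

```python
import wave
from array import array
from typing import List, Tuple

RATE = 48000        # chosen so that 1 kHz and 10 kHz divide the sample rate exactly
AMPLITUDE = 32000   # 16-bit PCM swing, just under full scale


def square_wave(freq_hz: int, duty: float, duration_s: float,
                rate: int = RATE, amplitude: int = AMPLITUDE) -> List[int]:
    """Return 16-bit PCM samples of one square-wave burst.

    Sample i is 'high' while the integer phase (i * freq_hz mod rate) is below
    duty * rate, so duty=0.5 gives a symmetric wave. freq_hz=0 yields silence
    of the same length, which is how gaps between bursts are expressed.
    """
    n = int(round(duration_s * rate))
    if freq_hz <= 0:
        return [0] * n
    threshold = duty * rate
    return [amplitude if (i * freq_hz) % rate < threshold else -amplitude
            for i in range(n)]


def build_sequence(steps: List[Tuple[int, float, float]],
                   rate: int = RATE) -> List[int]:
    """Concatenate (freq_hz, duty, duration_s) steps into one sample list."""
    out: List[int] = []
    for freq_hz, duty, duration_s in steps:
        out.extend(square_wave(freq_hz, duty, duration_s, rate))
    return out


def write_wav(path: str, samples: List[int], rate: int = RATE) -> int:
    """Write mono 16-bit PCM WAV and return the number of frames written."""
    with wave.open(path, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(array("h", samples).tobytes())
    return len(samples)


if __name__ == "__main__":
    # Constructed probe schedule: 10 kHz for 2 s, a 1 s gap, then 1 kHz at
    # 25 % duty for 0.5 s. Edit the list to try other timings.
    schedule = [(10_000, 0.5, 2.0), (0, 0.0, 1.0), (1_000, 0.25, 0.5)]
    frames = write_wav("m5_probe.wav", build_sequence(schedule))
    print(f"wrote {frames} frames ({frames / RATE:.2f} s) to m5_probe.wav")
```

Two things to check before pointing this at the brown wire. A line-level output is typically around a volt of AC-coupled signal, not a 0 to 5 V TTL swing, so it would need a comparator or transistor stage to produce clean logic levels, and it is worth scoping the result first. Also, at 48 kHz a 10 kHz square wave has fewer than five samples per period, so its edges are coarse; the duty cycle still averages out correctly, but anything much above 10 kHz is beyond what a sound card can reproduce as a square wave.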

The other option would be to attempt to dump and reverse engineer the firmware from the M5. It clearly has a micro-controller that drives everything. I don't yet know what type it is or who manufactured it. Unfortunately it is difficult to get to, being located on the lower PCB. It also seems to be difficult to liberate the PCBs from their enclosure and I would not want to risk damage to the device.

I'd love to hear some other thoughts on possible approaches or, if you happen to be from the team in Austria who developed the hardware, a few hints would not go astray. :) In the meantime I will try and see what else I can get the M5 to do while I consider the next step.
