Download Reverse Engineering

Reverse Engineering #1
Reverse Engineering
Introduction
(예: SUN사 Optical Mouse)
의료IT공학과 조용석 교수
인체의 팔 역설계로 부터 만들어 지고 있는 로봇트팔
절 차
1. 역설계기기 선택
2. 사진찍기(분해과정포함)
3. 부품목록작성
4. Break Down Structure 구성도작성
5. 관련문서 확보
6. 전자회로 역설계(PCB포함)
7. JIG 제작
8. 역설계장치 기능분석
9. 소프트웨어 역설계
10. 전체장치 기능 확인
11. 기구장치 역설계
12. 역설계자료 도면화
13. know-How 확인을 위한 제작 14. 성능확인 및 평가
15. 문제점 보완
16. 기술자료 작성
 Reverse Engineering Process
 Reverse Engineering Process
The process of analyzing a subject system with two goals in mind:
1. to identify the system's components and their interrelationships;
and,
2. to create representations of the system in another form or at a
higher level of abstraction.
Observe that reverse engineering is a process of examination only: the
software system under consideration is not modified (which would make
it
Reverse Engineering : the art of disassembling and analyzing an
existing product for the purpose of generating documentation.
Reverse engineering is a general process of analyzing a product to
determine how it was designed and how it operates.
This information can be used for many purposes.
1. Many times this is used for the purpose of duplicating an
existing component, subassembly, or product, without the
aid of drawings or documentation. Or,
2. to improve an existing product to surpass competitors.
3. Often, the resulting documentation is used to analyze if a
product is infringing on patent rights for claims analysis.
Reverse engineering involves examining a product to see how it operates.
Then taking the product apart to determine
1. what components are used to make it work,
2. how they are interconnected,
3. and how they operate together.
We can even reverse engineer a printed circuit board to determine
1. how the components are interconnected.
2. Multi-layer boards are no problem, they can be examined with an
X-Ray viewer to determine how the inner traces are routed.
Software and firmware can be disassembled to observe
1. how it functions.
2. Sometimes the operation of a microprocessor or a PLD/FPGA can
be determined solely by observing the inputs and outputs,
3. at other times, we have to get into the machine code itself.
 Reverse engineering primary output
1. circuit board layout
2. schematic diagram
3. block diagram
4. Flowchart
5. operations manual
역설계 장치 선택
O
Sun 사 Optical Mouse 선택
http://www.telltronics.org/hardware/SunMouse.html
- 주어진 역설계 시간과 man power 내에서 장치선택
- 참여자의 기술 수준 눈높이에 적합하도록 선택
O
1980년대 Sun 사의 work station에
사용했던 Optical Mouse 선택
Classical Optical Mouse
광패드와 8-pin mini-DIN connector을 사용하는
광마우스 (SUN-4 Mouse) 외관
사진찍기(분해과정포함)
관찰#1
관찰#2
At first glance, the connector on the Sun-4 mouse's tail looks similar to th
at on a "PS/2" mouse. But its not: the Sun-4 mouse has an 8-pin mini-DI
N connector, while the PS/2 mouse/keyboard connector has 6 pins.
The pinout of this connector is widely described on the web, but the elec
trical signaling details for the Sun mouse are not so widely known.
Mouse Guts
Removing two screws lets the top cover lift off.
Notice the two mirrors on the inside of the top cover, and the spherical lenses
below the PC board.
The lenses are only held in by the board, so be careful not to lose them if you
decide to disassemble your mouse.
Notice also the paper-and-foil shield which is the only connection to the braide
d outer conductor of the cable. This probably provides both EMI shielding and
a path for electrostatic discharge - notice how the foil shield folds up near the
buttons. When a charged finger approaches the mouse, the static shock will pro
bably go to the foil shield, and not jump over to the electrical connections and
cause damage or unintended operation.
Besides the shield, there are only three wires in the mouse cable. For completen
ess, here is a table of how they are wired:
Din-8 pin
wire color
3-pin connector function
shield bare braid to foil shield only ESD/EMI shield
black 1 power supply ground
3 brown 2 +5v power
4 red 3 data
Since the board is single-sided, it is quite easy to trace out the relev
ant part of its schematic. I've omitted the connections from the butt
ons and optical sensors to the processor chip. Nothing particularly s
urprising here. The circuit reveals why we didn't see any data stream
- the output is driven by an open-collector 2n3904 transistor, obvio
usly expecting the far end to provide a pullup resistor.
Figuring out the electrical Signaling
To start reverse-engineering the signaling, we build an adaptor to let
us conveniently plug the 8-pin mini-din connector into a solderless br
eadboard. Since I had PCB-mounted 8-pin mini-din female connector
s in my junk box, I attached one to a DIP header.
I connected a 5v power supply to pins 3 and 8, with ground on pin 1
and 2, and noticed that the red LED in the mouse lit up. But no data
stream was observable at pin 4. It was time to take a look inside the
mouse.
컴퓨터와 접속을 위한 JIG 제작
Once we add a pullup to our breadboard, we see a data stream on the scope.
Carefully pushing a mouse button without moving it yields the scope trace sho
wn here, which appears to be smallest unit of data it can send. When the mou
se is still, the data stream stays at 0 volts. Bits are sent by turning off the transi
stor to let the pullup raise the signal to the higher voltage.
The smallest pulse seen in the trace is about 840 microseconds; the reciprocal
of that is almost exactly 1200 bits per second. The pattern of the bits is consist
ent with the teletype-style asynchronous serial data format sent by the commo
n PC uart, if we assume that idle, "mark," or 1 is represented by 0 volts, and "s
pace" or 0 is represented by a more positive voltage.
A little web research shows that many PC "serial" mice operate at 1200 bits per
second, and that there is a "five byte mouse systems protocol." Mouse links:
http://privatewww.essex.ac.uk/~nbb/mice-pc.html
http://www.itacsystems.com/rs232mousespec.htm
That trace on the scope sure looks like it could be a sequence of 5 serial byte
s. Indeed, the bits near the left change when different mouse buttons are pre
ssed, and seems to match the specification where the button bits are in the fi
rst byte.
While a signal that swings between 0 and +5 volts isn't quite legal RS-232, it i
s good enough to be accepted by most PC serial ports. Once we hook it up,
we find that it works - we're getting 5-byte packets.
Testing with GPM software
To confirm that existing software can interpret the byte stream
without requiring a special driver, we try to fire up the linux
console mouse tool, GPM. I used these commands:
gpm -k
# shut down any existing gpm process
gpm -b 1200 -m /dev/ttyS12 -t msc
# run gpm for mouse-systems mouse
Users that other PC operating system will have to dig up a serial
mouse driver for the Mouse Systems 5-byte protocol.
마우스로부터 전송된 5바이트 데이터 스트림
This hex-mode screen capture (from sgsterm) shows the result of pressing
and releasing the left button: 10 bytes total, in two groups of 5.
오실로 스코프로 본 마우스의 직렬데이터 파형(5바이트)
Building a permanent Sun Mouse to PC-Serial adaptor
Given that it works, I designed and built a more permanent adaptor cable ass
embly to give this old rodent a serious trial on a 2005 linux machine.
The biggest problem is getting power for the mouse. My multimeter says tha
t the mouse draws 28 milliamps of +5v power, which is more than we can ste
al from a PC serial port. The typical RS232 port's control lines limit their curre
nt to 10mA, so even using both DTR and RTS together doesn't provide enoug
h current. I actually tried, but the supposed "12 volts" of the RS232 control lin
es fell to 4.25 volts when powering the mouse. (While trying this I used a 5.1v
zener diode to prevent excessive voltage from damaging the mouse in case t
he port actually could supply enough voltage.)
So I resigned myself to using two connections to the PC, one for power, and
the other to the serial port. I borrowed +5v from the 15-pin game port; drawi
ng power from USB or PS/2 mouse connectors also would have been a possi
bility.
마우스포트와 컴퓨터의 게임포트, RS-232 포트 연결 회로도
A schematic of the adaptor cable assembly is at the right. We're pulling up
the mouse data output with the serial port's transmit data output, which re
sults in a slightly higher signal voltage than would pulling up to the +5v po
wer supply.
For safety, I always use a current-limiting device when borrowing supply cur
rent from a PC to power an external device. A typical PC power supply can
source as much as 20 amps of +5v, plenty enough to melt small-diameter
wires, vaporize tiny PC-board traces, or even start a fire if you're particularly
unlucky.
Here, I'm using a "self-reseting fuse," a positive-temperature-coeficient ther
mistor. At room temperature these devices have a very small resistance, but
draw too much current and they heat up, which causes their resistance to ri
se dramaticly. This limits the short-circuit current to a safe value. I used the
MF-R030 from Bourns, purchased from Digi-Key. They're available in a variet
y of current ratings; this one is designed to carry 300mA and trip at 600mA
.
마우스 코넥트 연결 JIG(브레드보드)
The finished adaptor cable
I've used shielded twisted pair cable for both power and data connection
s, and been careful to connect the shield throughout but keep it seperat
e from the power-supply return "Ground". Since my junk box only had pl
astic hoods for the DA-15 and DE-9 connectors, I used a bit of copper fo
il tape to connect the shield wire to the connetor shell. This photograph
shows both D-sub connector ends, with the PTC "fuse" in the game-port
DA-15, and the pullup resistor in the RS-232 DE-9.
9핀, 15핀 Type 코넥터 연결(전자파방지를 위해 Shield Cable 사용)
Wiring the female mini-din was interesting because I only had a PCBmount jack available. I began by cutting off the pins I didn't need to
get them out of the way. I then soldered a loop of 18-guage solid wi
re to the shield tabs, to use as a handle and strain relief.
Pins 3 and 8, for +5v, are far apart, so I jumpered them with wire-wra
p wrie first, and then soldered the power lead to pin 8. Pins 1 and 2,
for power-supply ground, are adjacent so they were relatively easy.
female mini-din 코넥터 연결
기구 도면
구성 : 위덮개, 아래판으로 구성
Thank You!
PCB회로 역설계 과정
Reverse Engineering of a Digital Monitor Model VR299
for use with IBM Personal Computers.