Saturday, November 16, 2013

Hacking the MSP430 - Part 1

A while back, I left my glucometer at home one day when I went to work. To get by through the day, I ran to Walgreens and purchased a cheap replacement that included a few strips and a finger-poker, with the meter actually attached to the cap of the test strip tube. After I used it for a day, I dropped it into my desk drawer and forgot about it for the better part of a year.

Then I started fooling around with Atmel AVRs.

On a recent project, I was fumbling about looking for a low power, cost effective display that didn't suck down the juice as fast as LEDs. I remembered I had this little gem in my drawer and promptly disassembled it to scavenge its LCD display so I could muck about with it.

However, once I got it opened up I was pleasantly surprised to see the QFN packaged microcontroller on the board instead of a BGA covered in epoxy.


The MSP430FG4270 in all its low-powered glory

It was a TI MSP430! And to top that off, the board has a very nice set of test points broken out that are nice and fat and easily probed with a meter or scope. Not bad for $10!



At this point I had only really been exposed to AVRs, and I knew of a handful of Motorola, Parallax, Microchip, and other micros, but I had never heard of TI's line. I promptly got distracted from my original goal of cannibalizing the LCD and got down to business looking up the microcontroller.

On the datasheet I found that the programming methods included either a serial bootstrap loader (BSL) protocol or JTAG. I'm not experienced with JTAG, but I started wondering if I might be able to play with the bootloader. The datasheet identified pins 21 and 22 on the QFN package as the RX and TX lines. I was considering the near impossibility of soldering wires to those pins to break them out so I could interface the bootloader with an Arduino, when the test points came back to mind... could it be? Did the manufacturer make them accessible? Could I reprogram this chip? Or even better, could I dump the flash, break down the original meter program, and then reprogram this chip? Time to do some ringing out!

I immediately went to the 3x2 array of pins that looked to be JTAG, wondering if perhaps the JTAG and bootstrap loader pins were shared on this chip. No dice. The other test points were all over the board and I was about to give up when I found TP7 rang out when I probed pin 21 on the chip. Bingo! And the adjacent T9 rang out to pin 22. I had found the bootloader interface pins!
Those are the droids I'm looking for!

Now, after reading the bootstrap literature, I found, disconcertingly, that the TI BSL restricts access to most BSL commands until a password is supplied. The password is formed from the first 16 interrupt vectors, 32 bytes in all, which would make for hard brute forcing. That possibility might await me in the future, but I'm going to hope that the firmware designers for this board were not concerned about the password protection and only defined a few interrupt vectors, if any, strictly for the functioning of the device. That could be much easier to brute force, especially given the fairly restricted address range of the programmable flash.

I can, however, perform a mass erase which will blow away the contents of all memory on the chip, leaving the bootstrap intact with the password at a default value. I hope I can read out the original flash program first.
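The two observations above (an unused interrupt vector is just erased flash, and a mass erase leaves the whole table erased) can be turned into a quick firmware audit. The following is an added example, not code from this post; it assumes the MSP430 convention that the BSL password is the 32-byte vector table at 0xFFE0-0xFFFF (16 little-endian words, reset vector last at 0xFFFE) and that erased flash reads 0xFFFF. The image contents and handler addresses are constructed.

```python
import struct

# Assumed MSP430 layout: 16 little-endian vectors at 0xFFE0-0xFFFF form the
# BSL password; an unused slot is left as erased flash, i.e. 0xFFFF.
VECTOR_TABLE_ADDR = 0xFFE0
VECTOR_COUNT = 16
ERASED_WORD = 0xFFFF


def bsl_password_from_image(image: bytes, base_addr: int) -> bytes:
    """Slice the 32 bytes the BSL compares against out of a flat image
    whose first byte sits at base_addr."""
    off = VECTOR_TABLE_ADDR - base_addr
    if off < 0 or off + 2 * VECTOR_COUNT > len(image):
        raise ValueError("image does not cover the vector table")
    return bytes(image[off:off + 2 * VECTOR_COUNT])


def audit_bsl_password(password: bytes) -> dict:
    """Report how much of the password is fixed at the erased value.
    Each vector the firmware actually defines contributes at most 16 unknown
    bits; an unused slot is 0xFFFF and contributes none."""
    vectors = struct.unpack("<%dH" % VECTOR_COUNT, password)
    defined = sum(1 for v in vectors if v != ERASED_WORD)
    return {
        "defined_vectors": defined,
        "erased_vectors": VECTOR_COUNT - defined,
        "unknown_bits_upper_bound": 16 * defined,
        # an all-0xFF table is what the chip holds after a mass erase
        "is_default": defined == 0,
    }


def constructed_image():
    """Made-up 512-byte tail of flash (0xFE00-0xFFFF) with three vectors set
    to hypothetical handler addresses; returns (image, base_addr)."""
    base = 0xFE00
    buf = bytearray(b"\xff" * 512)
    table = VECTOR_TABLE_ADDR - base
    for slot, target in ((15, 0xFE00), (10, 0xFE40), (6, 0xFE80)):
        struct.pack_into("<H", buf, table + 2 * slot, target)
    return bytes(buf), base


if __name__ == "__main__":
    img, base = constructed_image()
    pw = bsl_password_from_image(img, base)
    print(pw.hex())
    print(audit_bsl_password(pw))
    print(audit_bsl_password(b"\xff" * 32))  # state after a mass erase
```

Run it against a real build output (converted to a flat binary) to see how many of the 32 password bytes are actually set by the firmware rather than left at 0xFF.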

In my next post I will delve into interfacing the bootstrap loader with an Arduino.
