August 16, 2022

Firmware Reverse Engineering II (Briot Example)

In this post I will continue what I started in the previous post, in which I presented how to import and prepare Ghidra to analyze the Briot Tracer firmware, whose circuit was also reverse engineered.

Briot Firmware Reverse Engineer

The Briot Tracer is used as an example to show (at least partially) the firmware reverse engineering process. Since it uses an external memory (EPROM), the process for obtaining the firmware is simple, which makes it ideal as a test case.

As it is not the purpose of this post to study the complete firmware, only the RS232 communication is analyzed in order to gain some insight into how this communication occurs.

February 25, 2022

Firmware Reverse Engineering I (Briot Example)

Understanding how a device's firmware works can be helpful for many activities: to discover features that you were not aware of, to find the way to enable a device feature you would otherwise have to pay for, to discover how to install an alternative firmware, to conduct a security audit, etc.

You can also do this to identify the cause of a strange failure in a device, as it provides the full picture of a device's operating principle from a logic point of view. This is the case of the Briot Tracer, as this was my first contact with this device and I had absolutely no clue how it operates or what its normal behaviour is.

Briot Firmware Reverse Engineer

In this post I will use the Briot Tracer as an example to show (at least partially) the firmware reverse engineering process and what information we can expect from it. It is selected because it uses an external memory (EPROM type), so the process of obtaining the firmware is straightforward; in other cases the process required to obtain the firmware could be more complicated.

October 19, 2021

Upgrade the TL-21 Test Lead (DE-5000 LCR Meter)

I have 6 multimeters. A couple of them are very good; others are simply good or just for simple checks like "is this battery dead?". Some of them can measure capacitors, but none of them are able to measure inductors or measure important parameters of these components, such as ESR (Equivalent Series Resistance) or Q factor, among others.

For this reason, after spending some time reading reviews and searching, I decided on and purchased a DE-5000 LCR meter with some accessories. This is what I consider sufficient for my needs, and it seems to do a pretty good job for a fair amount of money.

DE-5000 LCR Meter

One thing I do not like (I'm not the only one) is the length of the TL-21 test lead wires, something like 4 centimeters. I decided to improve it with a pair of long Kelvin alligator clip cables, and in this post I show how to make this modification.

October 09, 2021

Battery Life Calculator: Theory and Java Software

When faced with the design of a battery-powered device, the first question we must answer is: how long will the batteries last?

The answer to the above question determines how often the battery will need to be replaced, and even allows you to distinguish a viable design or product from one that is not. Suppose you have installed a couple of thousand sensors and some time later you find out that the batteries last only a couple of weeks. Congratulations, you've just messed up your life.

For a device with only one consumption state (constant current consumption) this is relatively straightforward, but for devices with multiple consumption states it is not.

Briot Tracer Scanner Repair

In this post I present how to estimate battery life, along with a JavaFX program that not only obtains the battery life given the different consumption states of a device, but also evaluates how much a variation of one of the two parameters (time or current) of each state will affect the battery life.

April 27, 2021

Schmitt Trigger Switch Debouncer (Briot Tracer)

In a recent post I explained how I repaired a faulty Briot Tracer. One of the faults, despite not being directly related to the switch debouncer circuitry, required reverse engineering it to study whether the signal was reaching the microprocessor correctly.

Briot Tracer Schmitt Trigger Switch Debouncer

As the switch debouncer used in the Tracer is not the basic or classic Schmitt trigger circuit, it makes sense to take a moment to analyze it. In this post I will explain how this circuit works and its differences from a conventional Schmitt trigger debouncer.