Firmware Reverse Engineering II (Briot Example)

In this post I will continue what I started in the previous post in which I presented how to import and prepare Ghidra to analyze the Biot Tracer firmware, whose circuit was also reversed engineered.

The Briot Tracer is used as an example to show (at least partially) the firmware reverse engineering process. Since it uses an external memory (EPROM) the process for obtaining the firmware is simple which makes it ideal as a test case.

As it is not the purpose of this post to study the complete firmware, only the RS232 communication is analyzed in order to gain some insight into how this communication occurs.

Firmware Reverse Engineering I (Briot Example)

Understanding how a device's firmware work could be helpfull for many activities: to discover features that you were not aware of, to find the way to enable a device feature you should otherwise paid for, to discover how to install an alternative firmware, to conduct a security audit, etc.

You can also do this to identify the cause of a strange failure in a device as it provides the full picture of a device operation priciple from a logic point of view. This is the case of the Briot Tracer as this was my first contact with this device and I had absolutelly no clue how it operates or what its normal behaviour is.

In this post I will use the Briot Tracer as an example to show (at least partially) the firmware reverse engineering process and what information we can expect from it. It is selected as it uses an external memory (EPROM type) so the process of obtaining the firmware is straight forward, in other cases the process required to obtain the firmware could me more complicated.

Schmitt Trigger Switch Debouncer (Briot Tracer)

In a recent post I've explained how I repaired a faulty Briot Tracer. One of the faults, despite not being directly related to the switch debouncer circuitry, required the reverse engineer of it to study if the signal was reaching the microprocessor correctly.

As the switch debouncer used in the Tracer is not the basic or classic Schmitt trigger circuit, it makes sense to take a moment to analyze it. In this post I will explain how this circuit works and it's differences with a conventional Schmitt trigger debouncer.

Reverse Engineering the Briot Tracer: Hardware II

In the post Reverse Engineering the Briot Tracer: Hardware I promised to post a hierarchical schematic of the Briot Tracer. The time has come.

You can find in this post the complete hierarchical schematic in PDF as well as the Kicad project, have fun!.

Reverse Engineering the Briot Tracer: Hardware

While I was repairing a Briot Tracer, certain sections of the main PCB circuit were reverse engineered. Mostly the power supply and the circuits associated with the debouncers of the rotary switches. Some time later the scanner broke again, this time the fault was not obvious and to try to find the problem it was necessary to reverse engineer other parts of the circuit. While I was waiting for an IC to arrive I took the opportunity to do a complete reverse engineering of the whole system.

In this entry I will share the complete schematic of the Briot Tracer.

Repairing a Faulty Briot Tracer

Some time ago I was asked to take a look to a machine from an optical laboratory with a non trivial type of fault to solve: an intermittent fault in a machine with moving parts. It is a thermal problem? It is a unstable solder? It is a bad cable?

I will show the problem encountered and how I'd solved it. In future entries I will share more information reverse engineering about the Briot Tracer, stay nearby.