Tmphack
Revision as of 02:44, 29 December 2008
Hacking the Amano timecard system device. Inspecting AGX-100 and AGX-10 devices.
Firmware analysis
The device seems to communicate on port 1441.
The bytes captured are:
host <<=>> minidevice
Run 1
======================
>> port 1441 Syn?
<< Syn!
>> 04 "0900" 05                                        # 04 = new request ?
                                                       # The response seems to be: 01 stuff, 02 stuff, 03 stuff, 04 end
<< 01 "0001" 02 "09000021800000000080000000 " 03 09   # This says "8" and there are 8 records
                                                       # possibly read as 09 00002 18 00", as the 18 might be the 17 digits after
>> 10 30                                               # something
<< 04                                                  # 04 = ok?
>> 04 "0700" 05                                        # new request ?
<< "0700" 04                                           # empty?
>> 04 "0600" 05                                        # ?
<< 01 "0001" 02 "longstringofdata" 03 0d              # lots of data
>> 10 30                                               # something? (clear?)
<< 04                                                  # ok
>> 04 "1901" 05                                        # request for 1901?
<< 10 30
>> 01 "0002" 02 "1911 " 03 0b                          # spaces, normal 01,02,03 reply, but what is it
<< 10 31                                               # 10 31 now
>> 04                                                  # ok
>> 04 "0600" 05                                        # again, give me 0600 again?
<< "0600" 04                                           # now it's empty
>> Fin
<< Fin
The long string of data appears to contain:

01 30 3030 31 "0001" 02                          # start of record; a total of 8 records this time
3331 "31"
3230 3038 3130 3033 3038 3436 "200810030846"     # known
3030 3031 "0001"
3030 3030 3030 3132 3232 "0000001222"            # known
3030 3031 "0001"                                 # start of next record
3331 "31"
... etc ..
3030 3031 "0001"                                 # end
03 0d
Later on, around noon:
01 "0001" 02 "31" "200810031243" "0003" "0000001148" "8901" "31" # etc
# followed by 8 other records with "0003" and "8901". We also have this one:
"31" "200810031323" "0004" "0000001139" "0001"
Afternoon:
"31" "200810031602" "0002" "0000001469" "0001"
host <<=>> minidevice
Run 2
======================
>> 04 "0900" 05
<< 01 "0001" 02 "09000021800000000240000000 " 03 07   # This says 24 and there are 24 records
>> 10 30
<< 04
>> 04 "0700" 05
<< "0700" 04
>> 04 "0600" 05
<< 01 "0001"
<< 02 "longstringdata" 03 0e                           # 8 records
>> 10 30
<< 01 "0001"
<< 02 "more long data" 03 0e                           # 8 records
>> 10 30
<< 01 "0001"
<< 02 "more long data" 03 04                           # 8 records
>> 10 30
<< 04
>> 04 "1901" 05
<< 10 30
>> 01 "0002" 02 "1911 " 03 0b
<< 10 31
>> 04
>> 04 "0600" 05
<< "0600" 04
>> Fin
<< Fin
AGX-10
Picked up an older device for 1 yen on the auction. It seems to be of a similar design, except that the main card reader has only a serial port, and a serial-to-ethernet adaptor has been bolted on. Connecting to port 80 shows the adaptor's settings page, which says it is bridging the serial line at 9600 baud to TCP port 1441.
Testing from my code:

< sent to device
: hex of received bytes
> string of received bytes

<04 "0900" 05
:01 30 30 30 31 02 30 39 30 30 30 30 32 30 35 30
:30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30
:30 30 31 36 20 20 20 20 20 20 20 20 20 20 03
>'0001090000205000000000000000000016          '
:05
>
>10 30
:04
>
>04 "0700" 05
:01 30 30 30 31 02 30 37 30 30 32 34 32 30 30 30
:30 30 30 30 30 30 30 30 30 30 30 20 20 20 17
>'0001070024200000000000000   '
:05
>
:05
>
:04
>
>04 "0600" 05
:30 36 30 30 04
>'0600'
This makes me think:

04     OK
05     EOR, EndOfRequest?
0d     ?
0e     more data to follow?
01 Part1 .. 02 Part2 .. 03 Part3
10 30  Status code "0"?
10 31  Status code "1"?

For reference, 01, 02, 03, 04, 05 and 10 are the ASCII transmission controls SOH, STX, ETX, EOT, ENQ and DLE, and DLE '0' / DLE '1' (10 30 / 10 31) are the alternating ACK0 / ACK1 acknowledgements of IBM BSC-style framing, which fits how they are used here. Note also that the byte after 03 changes with the payload (09 for the 8-record status reply, 07 for the 24-record one, 0d / 0e / 0e / 04 for the data blocks, and 0b both times the identical "1911" frame is sent), so it looks more like a per-block check byte than a "more data" flag; that still needs confirming against more captures.
Requests (04-request-05):

0900  status and number of entries?
0700  empty for the AGX-100, and 0001070024200000000000000 for the AGX-10
0600  send the entries, 8 at a time
1901  clear the entries?
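Pulling the captures together, here is an added example (my own illustration, not code from this page or from Amano) that models the AGX-100 exchange in Python: the 04 <code> 05 request framing, the 01 / 02 / 03 block split, the record layout seen in the 0600 dump, the record count from 0900 and the 1901 / 1911 sequence, driven against a scripted stand-in for the device that replays run 2. The offset of the count digits, the record field names other than the timestamp, the value of the byte after 03, the number of spaces after "1911" and what 1901 actually does are all assumptions and are marked as such in the code; the sample records are constructed. It goes slightly beyond the captures in handling any number of 8-record blocks and the cleared state generically.

```python
"""Host-side model of the AGX-100 exchange on port 1441 as captured above.
Added example, not Amano code.  A scripted stand-in for the device replays
run 2 and the 1901 sequence; anything the captures do not show (field names,
the byte after ETX, what 1901 does) is marked as an assumption."""
import re

SOH, STX, ETX, EOT, ENQ, DLE = b"\x01", b"\x02", b"\x03", b"\x04", b"\x05", b"\x10"
ACK0, ACK1 = DLE + b"0", DLE + b"1"     # the "10 30" / "10 31" seen in the captures
BLOCK = 8                               # 0600 delivers 8 records per block

def request(code: bytes) -> bytes:
    """Host request framing seen in every capture: 04 <code> 05."""
    return EOT + code + ENQ

def split_block(buf: bytes):
    """Device block 01 <hdr> 02 <payload> 03 <trailer> -> (hdr, payload, trailer).
    The trailer's meaning is not established (09, 07, 0d, 0e, 04 seen), so it
    is returned rather than checked."""
    if buf[:1] != SOH:
        raise ValueError("not a SOH block: %r" % buf[:8])
    stx = buf.index(STX)
    etx = buf.index(ETX, stx)
    return buf[1:stx], buf[stx + 1:etx], buf[etx + 1:etx + 2]

def parse_status(payload: bytes) -> int:
    """'0900' reply.  The count is read where the two captures differ
    (...08... = 8 records, ...24... = 24).  Offset 16-18 is an assumption
    drawn from those two alone; the AGX-10 reply is laid out differently."""
    if payload[:4] != b"0900":
        raise ValueError("not a 0900 payload")
    return int(payload[16:19])

# One 32-char record as laid out above: '31', YYYYMMDDhhmm, 4 digits, 10 digits,
# 4 digits.  Only the timestamp is certain; "f3", "id10", "f5" are placeholders.
RECORD = re.compile(rb"31(\d{12})(\d{4})(\d{10})(\d{4})")

def parse_records(payload: bytes) -> list:
    return [{"ts": m[1].decode(), "f3": m[2].decode(),
             "id10": m[3].decode(), "f5": m[4].decode()}
            for m in RECORD.finditer(payload)]

def make_record(i: int) -> bytes:
    """Constructed sample record in the captured layout (not device output)."""
    return b"31" + b"2008100308%02d" % (i % 60) + b"0001" + b"%010d" % (1200 + i) + b"0001"

class FakeAGX100:
    """Scripted device side replaying run 2: status block, empty 0700, records in
    blocks of 8 each answered by the host's 10 30, EOT when done, '0600' 04 once
    the store is empty.  The trailer byte is a stand-in (00), not a real value."""

    def __init__(self, records):
        self.records, self.queue = list(records), []

    @staticmethod
    def block(payload: bytes) -> bytes:
        return SOH + b"0001" + STX + payload + ETX + b"\x00"

    def handle(self, msg: bytes) -> bytes:
        if msg == request(b"0900"):
            n = b"%02d" % len(self.records)          # 8 -> ...08..., 24 -> ...24...
            return self.block(b"09000021800000000" + n + b"0000000")
        if msg == request(b"0700"):
            return b"0700" + EOT                     # empty on the AGX-100
        if msg == request(b"0600"):
            r = self.records
            self.queue = [b"".join(r[i:i + BLOCK]) for i in range(0, len(r), BLOCK)]
            return self.block(self.queue.pop(0)) if self.queue else b"0600" + EOT
        if msg == ACK0:
            return self.block(self.queue.pop(0)) if self.queue else EOT
        if msg == request(b"1901"):
            return ACK0
        if msg.startswith(SOH + b"0002") and b"1911" in msg:
            self.records = []                        # assumption: 1901/1911 clears the store
            return ACK1
        if msg == EOT:
            return b""
        raise ValueError("unexpected host message %r" % msg)

def fetch_entries(dev) -> list:
    """0900 for the count, then 0600, acknowledging every block with 10 30 until
    the device answers 04 (or '0600' 04 when there is nothing to send)."""
    _, status, _ = split_block(dev.handle(request(b"0900")))
    expected = parse_status(status)
    if dev.handle(ACK0) != EOT:
        raise RuntimeError("expected 04 after the status block")
    out, reply = [], dev.handle(request(b"0600"))
    while reply not in (EOT, b"0600" + EOT):
        _, payload, _ = split_block(reply)
        out.extend(parse_records(payload))
        reply = dev.handle(ACK0)
    if len(out) != expected:
        raise RuntimeError("status said %d records, got %d" % (expected, len(out)))
    return out

def clear_entries(dev) -> bool:
    """1901 sequence: 04 1901 05 -> 10 30; host sends 01 0002 02 '1911 ' 03 0b
    -> 10 31; host sends 04.  Four spaces after 1911 is an assumption."""
    if dev.handle(request(b"1901")) != ACK0:
        return False
    ok = dev.handle(SOH + b"0002" + STX + b"1911    " + ETX + b"\x0b") == ACK1
    dev.handle(EOT)
    return ok
```

To drive the real device, replace FakeAGX100.handle with a socket send/recv on port 1441 and keep the same call sequence; the AGX-10's 0900 and 0700 replies have a different layout, so parse_status would need its own offsets there.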