Tmphack: Difference between revisions

From Lundman Wiki

Revision as of 03:02, 29 December 2008

Hacking the Amano timecard system device. Inspecting AGX-100 and AGX-10 devices.


Firmware analysis

The device seems to communicate on port 1441.


The bytes captured are:


host <<=>> minidevice  Run 1
======================
>> port 1441 Syn?
<< Syn!

>> 04 "0900" 05     # 04 = new request ? The response seems to be, 01 stuff, 02 stuff, 03 stuff, 04 end
<< 01 "0001" 02 "09000021800000000080000000              " 03 09    # This says "8" and there are 8 records
                      # possibly read as "09 00002 18 00", as the 18 might be the 17 digits after
>> 10 30            # something
<< 04               # 04 = ok?

>> 04 "0700" 05     # new request  ?
<< "0700" 04        # empty?
>> 04 "0600" 05     #    ?
<< 01 "0001" 02 "longstringofdata" 03 0d     # lots of data
>> 10 30            # something? (clear?)
<< 04               # ok

>> 04 "1901" 05     # request for 1901?
<< 10 30            
>> 01 "0002" 02 "1911            " 03 0b   # spaces, normal 01,02,03 reply, but what is it
<< 10 31            # 10 31 now
>> 04               # ok

>> 04 "0600" 05     # again, give me 0600 again?
<< "0600" 04        # now it's empty
>> Fin
<< Fin


The long string of data appears to contain:

01
30 3030 31                    "0001"
02 
#Start of record, total of 8 records this time
3331                          "31"
3230 3038 3130 3033 3038 3436 "200810030846"   # known
3030 3031                     "0001"
3030 3030 3030 3132 3232      "0000001222"     # known
3030 3031                     "0001" 
#Start of next record
3331                          "31"
... etc ..
3030 3031                     "0001" 
# end
03 0d

Later on, around noon:

01 "0001" 02 "31"
"200810031243"
"0003"
"0000001148"
"8901"
"31"  # etc
# Followed by 8 other "0003" and "8901" records. We have one:
"31"
"200810031323"
"0004"
"0000001139"
"0001"

Afternoon:

"31"
"200810031602"
"0002"
"0000001469"
"0001"


host <<=>> minidevice  Run 2
======================

>> 04 "0900" 05
<< 01 "0001" 02 "09000021800000000240000000              " 03 07  # This says 24 and there are 24 records
>> 10 30
<< 04

>> 04 "0700" 05
<< "0700" 04

>> 04 "0600" 05
<< 01 "0001"
<< 02 "longstringdata" 03 0e   # 8 records
>> 10 30
<< 01 "0001" 
<< 02 "more long data" 03 0e   # 8 records
>> 10 30
<< 01 "0001" 
<< 02 "more long data" 03 04   # 8 records
>> 10 30
<< 04

>> 04 "1901" 05
<< 10 30

>> 01 "0002" 02 "1911            " 03 0b
<< 10 31
>> 04

>> 04 "0600" 05
<< "0600" 04

>> Fin
<< Fin


AGX-10

Picked up an older device for 1 yen at auction. It seems to be of a similar design, except that the main card reader has only a serial port, onto which a serial-to-Ethernet adaptor has been bolted. Connecting to port 80 displays the adaptor's settings, which show it redirecting the 9600 baud serial line to port 1441.

Testing from my code:

< sent to device
: hex of received bytes
> string of received bytes
<04"0900"05

:01 30 30 30 31 02 30 39 30 30 30 30 32 30 35 30 
:30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 
:30 30 31 36 20 20 20 20 20 20 20 20 20 20 03 
>'0001090000205000000000000000000016          '

:05 
>
>10 30

:04 
>
>04 "0700" 05

:01 30 30 30 31 02 30 37 30 30 32 34 32 30 30 30 
:30 30 30 30 30 30 30 30 30 30 30 20 20 20 17 
>'0001070024200000000000000   '

:05 
>

:05 
>

:04 
>
>04 "0600" 05

:30 36 30 30 04 
>'0600'
 

This makes me think:

04 OK
05 EOR EndOfRequest?
0d ?
0e more data to follow?
01 Part1..  02 Part2..  03 Part3
10-30 Status code "0"?
10-31 Status code "1"?
15 Error, bad crc, or just bad request


Requests (04-request-05)

0900 status and number of entries?
0700 empty for agx-100, and 0001070024200000000000000 for agx-10
0600 send the entries, 8 at a time
1901 clear the entries?

It is entirely possible that "0900" and "1901" are read and write operations on the same information: 0900 reads the number of records, and 1901 writes 01 records back, in this case blanks, to clear it? You could then guess that 0600 reads entries and 1601 writes one?
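As an added example (not code from the wiki page, and not anything published by Amano), here is a small Python decoder for the framing and record layout that the captures above exhibit: it covers both the "long string of data" breakdown and the request/status summary. The control-byte names (SOH, STX, ETX, EOT, ENQ, DLE, NAK) are the standard ASCII names for 01, 02, 03, 04, 05, 10 and 15. Everything else that is named or positioned here is an assumption inferred from the bytes quoted on the page: the record column names other than the timestamp, the offset of the record count inside the "0900" reply, and the sample frames, which are constructed from the quoted values.

```python
# Added example (not from the wiki page): a decoder for the reply framing and
# record layout that the captures exhibit. Column names and the record-count
# offset are assumptions inferred from the captures, not documented fields.
from datetime import datetime
from typing import Any, Dict, List

# Control bytes seen in the captures, with their standard ASCII names.
SOH, STX, ETX, EOT, ENQ, DLE, NAK = 0x01, 0x02, 0x03, 0x04, 0x05, 0x10, 0x15

# One entry in a "0600" payload: "31" + YYYYMMDDhhmm + 4 digits + 10 digits + 4 digits.
RECORD_LEN = 2 + 12 + 4 + 10 + 4


def build_request(code: str) -> bytes:
    """Host request as captured: 04 "code" 05 (EOT, four ASCII digits, ENQ)."""
    if len(code) != 4 or not code.isdigit():
        raise ValueError("request code must be four ASCII digits")
    return bytes([EOT]) + code.encode("ascii") + bytes([ENQ])


def decode_ack(b: bytes) -> str:
    """Classify the short replies seen in the captures: 04, 10 30, 10 31, 15.
    DLE '0' / DLE '1' are the alternating ACK0/ACK1 of the BSC convention; the
    page reads them as status 0/1, and the captures do not settle which."""
    if b == bytes([EOT]):
        return "EOT"
    if b == bytes([DLE, 0x30]):
        return "ACK0"
    if b == bytes([DLE, 0x31]):
        return "ACK1"
    if b == bytes([NAK]):
        return "NAK"
    raise ValueError(f"unrecognised reply {b.hex()}")


def parse_frame(frame: bytes) -> Dict[str, Any]:
    """Split 01 <header> 02 <payload> 03 <trailer> into its three parts.
    The single byte after ETX varies between captures (09, 0d, 0e, 04, ...) and
    is returned untouched because its meaning is not established."""
    if not frame or frame[0] != SOH:
        raise ValueError("reply does not start with SOH (01)")
    stx = frame.index(STX)          # ValueError if the frame is truncated
    etx = frame.index(ETX, stx)     # first ETX after the STX
    return {
        "header": frame[1:stx].decode("ascii"),
        "payload": frame[stx + 1:etx].decode("ascii"),
        "trailer": frame[etx + 1:],
    }


def parse_status(payload: str) -> Dict[str, Any]:
    """Decode a "0900" reply. Characters 15..18 are the only part that differs
    between Run 1 ("...0080...", 8 records) and Run 2 ("...0240...", 24 records),
    so that field is taken as the record count. This offset is an assumption."""
    if not payload.startswith("0900"):
        raise ValueError("not a 0900 reply")
    return {"code": payload[:4], "count": int(payload[15:19]), "raw": payload.strip()}


def parse_records(payload: str) -> List[Dict[str, Any]]:
    """Split a "0600" payload into fixed-width 32-character records. The column
    names other than the timestamp are placeholders; the page does not name them."""
    if len(payload) % RECORD_LEN != 0:
        raise ValueError(f"payload length {len(payload)} is not a multiple of {RECORD_LEN}")
    out = []
    for i in range(0, len(payload), RECORD_LEN):
        r = payload[i:i + RECORD_LEN]
        out.append({
            "marker": r[0:2],                                   # always "31" in the captures
            "timestamp": datetime.strptime(r[2:14], "%Y%m%d%H%M"),
            "field_a": int(r[14:18]),                            # meaning unknown
            "field_b": int(r[18:28]),                            # meaning unknown
            "field_c": int(r[28:32]),                            # meaning unknown
        })
    return out


# Constructed sample frames, assembled from byte values quoted on the page.
STATUS_RUN1 = (bytes([SOH]) + b"0001" + bytes([STX])
               + b"09000021800000000080000000" + b" " * 14 + bytes([ETX, 0x09]))
STATUS_RUN2 = (bytes([SOH]) + b"0001" + bytes([STX])
               + b"09000021800000000240000000" + b" " * 14 + bytes([ETX, 0x07]))
DATA_REPLY = (bytes([SOH]) + b"0001" + bytes([STX])
              + b"31" + b"200810030846" + b"0001" + b"0000001222" + b"0001"
              + b"31" + b"200810031243" + b"0003" + b"0000001148" + b"8901"
              + b"31" + b"200810031602" + b"0002" + b"0000001469" + b"0001"
              + bytes([ETX, 0x0D]))

if __name__ == "__main__":
    print(build_request("0900").hex())
    print(parse_status(parse_frame(STATUS_RUN1)["payload"]))
    for rec in parse_records(parse_frame(DATA_REPLY)["payload"]):
        print(rec)
```

The length check in parse_records is the one worth keeping when replaying a session: every entry is 32 characters, so a "0600" payload that does not divide evenly means the framing or the trailer byte was misread, not that the device sent a short record. The alternating 10 30 / 10 31 after successive blocks in the 1901 exchange is consistent with the BSC ACK0/ACK1 scheme, but the captures do not establish it, so decode_ack keeps both readings visible in its docstring.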