Tmphack

From Lundman Wiki
Revision as of 02:57, 29 December 2008 by Lundman (talk | contribs)

Hacking the Amano timecard system device: inspecting the AGX-100 and AGX-10 devices.


Firmware analysis

The device seems to communicate on port 1441.


The bytes captured are:


host <<=>> minidevice  Run 1
======================
>> port 1441 Syn?
<< Syn!

>> 04 "0900" 05     # 04 = new request? The response seems to be: 01 stuff, 02 stuff, 03 stuff, 04 end
<< 01 "0001" 02 "09000021800000000080000000              " 03 09    # This says "8" and there are 8 records
                      # possibly read as 09 00002 18 00" as the 18 might be the 17 digits after
>> 10 30            # something
<< 04               # 04 = ok?

>> 04 "0700" 05     # new request  ?
<< "0700" 04        # empty?
>> 04 "0600" 05     #    ?
<< 01 "0001" 02 "longstringofdata" 03 0d     # lots of data
>> 10 30            # something? (clear?)
<< 04               # ok

>> 04 "1901" 05     # request for 1901?
<< 10 30            
>> 01 "0002" 02 "1911            " 03 0b   # spaces, normal 01,02,03 reply, but what is it
<< 10 31            # 10 31 now
>> 04               # ok

>> 04 "0600" 05     # again, give me 0600 again?
<< "0600" 04        # now it's empty
>> Fin
<< Fin


The long string of data appears to contain:

01
3030 3031                     "0001"
02
# Start of record; 8 records in total this time
3331                          "31"
3230 3038 3130 3033 3038 3436 "200810030846"   # known
3030 3031                     "0001"
3030 3030 3030 3132 3232      "0000001222"     # known
3030 3031                     "0001"
# Start of next record
3331                          "31"
... etc ...
3030 3031                     "0001"
# end
03 0d

Later on, around noon:

01 "0001" 02 "31"
"200810031243"
"0003"
"0000001148"
"8901"
"31"  # etc
# Followed by 8 other "0003" and "8901" records. We have one:
"31"
"200810031323"
"0004"
"0000001139"
"0001"

Afternoon:

"31"
"200810031602"
"0002"
"0000001469"
"0001"
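The entries quoted above line up as fixed-width ASCII fields: 2 + 12 + 4 + 10 + 4 = 32 characters per entry, eight entries per 0600 block. The parser below is added here as an example (it is not the wiki author's code); it splits a 0600 payload into entries and decodes the timestamp. Only the timestamp and the 10-digit number are identified on the page, so the names field3 and field5 are labels of mine, and the sample payload is constructed from the four entries shown above.

```python
from collections import namedtuple
from datetime import datetime

# Field names are my own labels: the page identifies only the timestamp and the
# 10-digit number ("known"); field3 and field5 are kept as raw text.
Entry = namedtuple("Entry", "marker time field3 number field5")
ENTRY_LEN = 2 + 12 + 4 + 10 + 4   # 32 ASCII characters per entry


def parse_entries(payload: str) -> list:
    """Split the text between 02 and 03 of a 0600 reply into fixed-width entries.

    Raises ValueError when the payload is not a whole number of entries, when an
    entry does not start with the "31" marker, or when a field is not all digits.
    """
    if len(payload) % ENTRY_LEN:
        raise ValueError(f"payload length {len(payload)} is not a multiple of {ENTRY_LEN}")
    entries = []
    for i in range(0, len(payload), ENTRY_LEN):
        raw = payload[i:i + ENTRY_LEN]
        n = i // ENTRY_LEN
        if raw[:2] != "31":
            raise ValueError(f"entry {n} does not start with 31: {raw!r}")
        if not raw[2:].isdigit():
            raise ValueError(f"entry {n} contains non-digit data: {raw!r}")
        entries.append(Entry(
            marker=raw[:2],
            time=datetime.strptime(raw[2:14], "%Y%m%d%H%M"),   # YYYYMMDDHHMM
            field3=raw[14:18],
            number=raw[18:28],
            field5=raw[28:32],
        ))
    return entries


# Constructed payload: the four entries quoted on the page, concatenated the way
# the device sends them (a real 0600 block carries eight).
SAMPLE_PAYLOAD = (
    "31" "200810030846" "0001" "0000001222" "0001"
    "31" "200810031243" "0003" "0000001148" "8901"
    "31" "200810031323" "0004" "0000001139" "0001"
    "31" "200810031602" "0002" "0000001469" "0001"
)


def sample_entries() -> list:
    """Parse the constructed sample payload."""
    return parse_entries(SAMPLE_PAYLOAD)


if __name__ == "__main__":
    for e in sample_entries():
        print(e.time.strftime("%Y-%m-%d %H:%M"), e.field3, e.number, e.field5)
```

Feeding the parser a block whose length is not a multiple of 32, or whose entries do not start with "31", raises instead of silently mis-aligning every later entry, which is the failure mode to watch for when a read returns a partial block.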


host <<=>> minidevice  Run 2
======================

>> 04 "0900" 05
<< 01 "0001" 02 "09000021800000000240000000              " 03 07  # This says 24 and there are 24 records
>> 10 30
<< 04

>> 04 "0700" 05
<< "0700" 04

>> 04 "0600" 05
<< 01 "0001"
<< 02 "longstringdata" 03 0e   # 8 records
>> 10 30
<< 01 "0001" 
<< 02 "more long data" 03 0e   # 8 records
>> 10 30
<< 01 "0001" 
<< 02 "more long data" 03 04   # 8 records
>> 10 30
<< 04

>> 04 "1901" 05
<< 10 30

>> 01 "0002" 02 "1911            " 03 0b
<< 10 31
>> 04

>> 04 "0600" 05
<< "0600" 04

>> Fin
<< Fin


AGX-10

Picked up an older device for 1 yen at auction. It seems to be of a similar design, except that the main card reader has only a serial port, onto which a serial-to-Ethernet adaptor has been bolted. Connecting to port 80 shows the adaptor's settings: it redirects serial at 9600 baud to port 1441.

Testing from my code:

< sent to device
: hex of received bytes
> string of received bytes
<04"0900"05

:01 30 30 30 31 02 30 39 30 30 30 30 32 30 35 30 
:30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 
:30 30 31 36 20 20 20 20 20 20 20 20 20 20 03 
>'0001090000205000000000000000000016          '

:05 
>
>10 30

:04 
>
>04 "0700" 05

:01 30 30 30 31 02 30 37 30 30 32 34 32 30 30 30 
:30 30 30 30 30 30 30 30 30 30 30 20 20 20 17 
>'0001070024200000000000000   '

:05 
>

:05 
>

:04 
>
>04 "0600" 05

:30 36 30 30 04 
>'0600'

This makes me think:

04 OK
05 EOR EndOfRequest?
0d ?
0e more data to follow?
01 Part1..  02 Part2..  03 Part3
10-30 Status code "0"?
10-31 Status code "1"?
15 Error, bad crc, or just bad request


Requests (04-request-05)

0900 status and number of entries?
0700 empty for the AGX-100, and 0001070024200000000000000 for the AGX-10
0600 send the entries, 8 at a time
1901 clear the entries?
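Putting the two captured runs and the byte table above together as a runnable model. This is an added example in Python, not the wiki author's code, and the device side is a constructed stand-in that answers the way Run 2 was captured. The control bytes are read as the ASCII control characters SOH (01), STX (02), ETX (03), EOT (04), ENQ (05), DLE (10) and NAK (15); treating 10 30 / 10 31 as two alternating acknowledgements is an assumption of mine. The byte after 03 is taken to be an XOR (LRC) of every byte after 02 up to and including the 03: that reproduces the 09, 07 and 0b visible in the AGX-100 captures, and the host's own "0002" 1911 frame shows the host has to compute it too.

```python
# Framing as read off the captures (ASCII control-character names are my reading,
# not the wiki author's): 01 SOH, 02 STX, 03 ETX, 04 EOT, 05 ENQ, 10 DLE, 15 NAK.
SOH, STX, ETX, EOT, ENQ, DLE, NAK = 0x01, 0x02, 0x03, 0x04, 0x05, 0x10, 0x15
ACK0 = bytes([DLE, 0x30])   # "10 30", assumed: acknowledge, give me the next block
ACK1 = bytes([DLE, 0x31])   # "10 31", assumed: acknowledge a frame sent by the host


def lrc(data: bytes) -> int:
    """XOR of all bytes. Assumed check byte: over payload + ETX (matches 09, 07, 0b)."""
    x = 0
    for b in data:
        x ^= b
    return x


def build_request(cmd: str) -> bytes:
    """Host request: EOT, four ASCII characters, ENQ, e.g. 04 "0900" 05."""
    return bytes([EOT]) + cmd.encode("ascii") + bytes([ENQ])


def build_frame(seq: str, payload: str) -> bytes:
    """Data frame: SOH, 4-char sequence, STX, payload, ETX, check byte."""
    body = payload.encode("ascii") + bytes([ETX])
    return bytes([SOH]) + seq.encode("ascii") + bytes([STX]) + body + bytes([lrc(body)])


def parse_frame(frame: bytes):
    """Return (sequence, payload); raise ValueError on bad framing or check byte."""
    if len(frame) < 8 or frame[0] != SOH or frame[5] != STX or frame[-2] != ETX:
        raise ValueError(f"bad framing: {frame.hex()}")
    body = frame[6:-1]                          # payload + ETX
    if lrc(body) != frame[-1]:
        raise ValueError(f"check byte {frame[-1]:02x} != computed {lrc(body):02x}")
    return frame[1:5].decode("ascii"), frame[6:-2].decode("ascii")


class ReplayDevice:
    """Constructed stand-in for the clock: `status` is the 0900 payload and
    `blocks` the 0600 payloads, handed out one per ACK0 and only once."""
    def __init__(self, status: str, blocks):
        self.status, self.blocks, self.pending = status, list(blocks), []

    def exchange(self, msg: bytes) -> bytes:
        if len(msg) == 6 and msg[0] == EOT and msg[-1] == ENQ:      # 04 cmd 05
            cmd = msg[1:5].decode("ascii")
            if cmd == "1901":
                return ACK0                                         # captured: << 10 30
            if cmd == "0900":
                self.pending = [self.status]
            elif cmd == "0600":
                self.pending, self.blocks = self.blocks, []
            else:
                self.pending = []
            if not self.pending:
                return cmd.encode("ascii") + bytes([EOT])           # captured: << "0700" 04
            return self._next()
        if msg == ACK0:
            return self._next()
        if msg[:1] == bytes([SOH]):
            parse_frame(msg)                                        # raises on a bad check byte
            return ACK1                                             # captured: << 10 31
        if msg == bytes([EOT]):
            return b""
        return bytes([NAK])

    def _next(self) -> bytes:
        return build_frame("0001", self.pending.pop(0)) if self.pending else bytes([EOT])


def fetch(device: ReplayDevice, cmd: str) -> list:
    """Drive one request: collect every SOH frame, ACK0 each one, stop at EOT."""
    payloads = []
    reply = device.exchange(build_request(cmd))
    while reply[:1] == bytes([SOH]):
        _seq, payload = parse_frame(reply)
        payloads.append(payload)
        reply = device.exchange(ACK0)
    if reply[-1:] != bytes([EOT]):
        raise ValueError(f"unexpected reply: {reply.hex()}")
    return payloads


def send_1911(device: ReplayDevice) -> bool:
    """The 1901/1911 leg of the capture: here the host must emit a checked frame."""
    if device.exchange(build_request("1901")) != ACK0:
        return False
    if device.exchange(build_frame("0002", "1911".ljust(16))) != ACK1:
        return False
    device.exchange(bytes([EOT]))
    return True


# Payloads copied from the page whose check byte is visible in the capture.
PAGE_FRAMES = {
    "run1 0900": ("09000021800000000080000000".ljust(40), 0x09),
    "run2 0900": ("09000021800000000240000000".ljust(40), 0x07),
    "host 1911": ("1911".ljust(16), 0x0B),
}


def check_page_frames() -> dict:
    """True where the assumed LRC reproduces the captured check byte."""
    return {k: build_frame("0001", p)[-1] == bcc for k, (p, bcc) in PAGE_FRAMES.items()}


def replay_run2() -> dict:
    """Run 2 shape: status, three 0600 blocks then EOT, empty 0700, 1911, empty 0600."""
    dev = ReplayDevice(PAGE_FRAMES["run2 0900"][0], ["A" * 256, "B" * 256, "C" * 256])
    return {"status": fetch(dev, "0900"), "entries": fetch(dev, "0600"),
            "0700": fetch(dev, "0700"), "1911": send_1911(dev), "again": fetch(dev, "0600")}


if __name__ == "__main__":
    print(check_page_frames())
    print({k: len(v) if isinstance(v, list) else v for k, v in replay_run2().items()})
```

The block contents in the replay are constructed filler; only the framing, the 0900 status string and the check bytes come from the page. A host that skips the check byte test in parse_frame will happily accept a truncated or corrupted block, so the example refuses such frames rather than returning partial data.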