Need help decoding UART signal with Logic Analyzer for IoT “Man-in-the-Middle” project

Hi everyone,

I’m hoping you can help me with a current issue in my IoT project. I’m working on understanding more about “man-in-the-middle” techniques, where I try to intercept and decode the data traffic of a device. For this, I’m using a microcontroller flashed with ESPHome and an AZDelivery Logic Analyzer in combination with Saleae Logic2 software. Unfortunately, I seem to be making a mistake somewhere because I can’t read the sent UART signal correctly.

Project Setup:

  • Microcontroller: ESP8266 with a NodeMCU V2 board
  • Logic Analyzer: AZDelivery USB Logic Analyzer, connected via Saleae Logic2
  • ESPHome Configuration: Here’s the relevant excerpt from my YAML code:
substitutions:
  name: mitm-intex-swg
  friendly_name: MITM Intex SWG

esphome:
  name: ${name}
  friendly_name: ${friendly_name}
  comment: Proof of concept
  min_version: 2024.6.0

uart:
  id: uart_bus
  tx_pin: GPIO15
  rx_pin: GPIO13
  baud_rate: 9600
  debug:
    direction: BOTH
    after:
      delimiter: "\n"

switch:
  - platform: template
    name: "Test U"
    turn_on_action:
      - uart.write:
          id: uart_bus
          data: [0x55]

Issue:

I’ve captured the UART data traffic at 9600 baud asynchronously in ASCII format, with these settings:

  • Tx channel: Channel 0
  • Rx channel: Channel 1

However, I’m not seeing clear 0x55 (or ASCII “U”) characters in the Logic Analyzer output when I trigger the switch. Here are some outputs:

  • Without trigger, without level shifter:
V\0\xEF(\x18o\x84m(\xFF\xE9\xA9\x99!xC1\xFF\xE3\xD7\x91\xA9\x99\x11\xE1F
  • With trigger, without level shifter:
\xA8o\xFD\x98@)\xE8\xFD\xA3M\xFA\xA5+\x98\xCEKJ\xC2\xAC\xF4
  • With level shifter, without trigger:
R\x10\xFF[\xEF\xFF\xCC!(\xFFRs\xD7\x
  • With level shifter and trigger:
\x98\xDF\xEF(\x18n\x04m(\xFFR\xB8\x16\x04\xFB\xC2\x10\x85\xFD-\xCE\xA5\x1A\x95\x80\x08i

In the ESPHome web server log, the command is shown as sent (Test U Turning ON), but the Logic Analyzer output doesn’t match what I’m sending.

Question:

Could I have a wrong setting in the Logic Analyzer software, or am I missing an adjustment in the ESPHome YAML setup? Are there any specific tips for asynchronous UART capture (9600 baud) that I may have overlooked?

I’d appreciate any tips on the correct settings in the Logic Analyzer or advice for debugging the signal.

Thanks in advance!
Joscha

Hi,
Just as it’s not a good idea to parachute into the wilderness without testing your boots on a path first, don’t try debugging/learning how to use both a new hardware toolchain and reverse engineer a device at once.

Break the task into parts - and get at least the first few to work first.

Attach the analyser to a known serial device and get clean data. USB serial adapter on a PC with a terminal emulator would be a start.

Oh, and don’t sit in front of a screen and STARE for hours. Go for a walk. I realised an odd wireline protocol was just Manchester encoding whilst on a bike.

Does the analyser have analogue inputs? If so, look at the actual voltages - mark/space might show you inversion, check 3V3 / 5V / 12V, and bad ringing. Again, start with a known good RS232 port and 'scope that so you understand timebase, one-shot triggers, etc.

If this helps, :heart: this post!
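As an added example (not part of this thread, and not ESPHome or Saleae code): a small Python 8N1 encoder/decoder over a constructed logic-analyser style sample stream, assuming a 1 MS/s capture and 8N1 framing. It shows the clean 0x55 (“U”) frame expected at 9600 baud, and that an inverted line or a mismatched bit rate, the kinds of setting the reply above points at, decodes to framing errors rather than “U”.

```python
# Added example, not from the thread: a minimal 8N1 UART encoder/decoder
# over a logic-analyser style sample stream. It shows what a clean 0x55
# ("U") frame looks like at 9600 baud and why an inverted line or a
# mismatched baud rate decodes to framing errors or garbage instead.
SAMPLE_RATE = 1_000_000   # constructed: assume a 1 MS/s capture
BAUD = 9600               # matches the ESPHome uart: baud_rate above


def samples_per_bit(baud, rate=SAMPLE_RATE):
    return rate / baud    # ~104.17 samples per bit at 9600 baud, 1 MS/s


def encode(data, baud=BAUD, rate=SAMPLE_RATE, invert=False):
    """Frame bytes as 8N1 (start 0, d0..d7 LSB first, stop 1), idle high."""
    bits = [1, 1]                                    # leading idle
    for b in data:
        bits += [0] + [(b >> k) & 1 for k in range(8)] + [1]
    bits += [1, 1]                                   # trailing idle
    spb = samples_per_bit(baud, rate)
    n = int(len(bits) * spb)
    samples = [bits[min(int(i / spb), len(bits) - 1)] for i in range(n)]
    return [1 - s for s in samples] if invert else samples


def decode(samples, baud=BAUD, rate=SAMPLE_RATE):
    """Decode 8N1: sync on a falling edge, sample each bit at its centre.
    Returns (decoded bytes, number of framing errors)."""
    spb = samples_per_bit(baud, rate)
    out, errors, i = bytearray(), 0, 1
    while i < len(samples):
        if samples[i - 1] == 1 and samples[i] == 0:    # candidate start bit
            centres = [int(i + (k + 0.5) * spb) for k in range(10)]
            if centres[-1] >= len(samples):
                break                                  # incomplete frame
            bits = [samples[c] for c in centres]
            if bits[0] == 0 and bits[9] == 1:          # valid start and stop
                out.append(sum(bit << k for k, bit in enumerate(bits[1:9])))
            else:
                errors += 1                            # framing error
            i = centres[-1]                            # skip past this frame
        i += 1
    return bytes(out), errors


if __name__ == "__main__":
    print(decode(encode(b"U")))                        # clean: (b'U', 0)
    print(decode(encode(b"U", invert=True)))           # inverted line: (b'', 1)
    print(decode(encode(b"UU"), baud=19200))           # wrong baud: no 'U', errors
```

Analyser decoders such as Logic 2's Async Serial do the same centre sampling, so signal inversion and bit rate are the first two settings to check against a known-good source.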

Thank you @FloatingBoater for the great suggestions!

I’ve now got a Bus Pirate and a Logic Analyzer, and I’m trying to get familiar with them. Since I’m still at the beginning, the information on dangerousprototypes.com from Manchman is a bit complex for me at the moment. I’ve also found very few tutorials on YouTube or similar resources to help me dive deeper into this – maybe I’m using the wrong keywords.

So far, I haven’t been able to successfully read data from my SWG using either UART or I2C. If anyone has any tips on how to proceed, I’d really appreciate it!

I’m also looking to try out a different device for reverse engineering to expand my knowledge. Does anyone have recommendations for simple, well-documented devices or projects that would be good for starting out?

Thanks
Joscha

Something based on an ESP32, possibly Arduino or ESPHome perhaps?

There’s a load of I2C devices out there with a plug-and-play interface originally developed for conference badge add-ons, but now produced for general modular sensor boards from folk like Pimoroni or Adafruit - STEMMA QT or Qwiic is the general term to look for. Air quality sensors, GPSr, GPIO, LEDs, all via I2C.

Another way in is something ready-made like a Sonoff TH16 or Shelly device compatible with Tasmota alternate firmware or ESPHome. Get a USB serial adaptor, find the flashing pins, get the device flashed, then watch the process via the same serial console. I’ve turned generic relay modules into complex heating controllers with my own firmware - not much hardware needed. Again, many have unused pins ideal for DS18X20 temp sensors or I2C stuff (although the power supply may be at MAINS VOLTAGE above ground so BE CAREFUL! - Blakadder and Shelly tend to call this out so beware)…

I’m suggesting projects with serial or I2C so you get used to what the clock/data should look like on a “known working” interface.

If this helps, :heart: this post!