The main microcontroller used is a Renesas R5F21258SN.
The programming and debug interface is supposedly done via 6 pins: VCC, GND, RX, TX, RST, MODE.
Most of it is plain UART; however, it looks like MODE and RST have to be driven in a specific way to trigger the programming features.
The ToorCon 13 badge provides some instructions. It should be possible to use a simple FTDI FT232 3.3V adapter to interface with the chip.
A quick glance at the datasheet shows that it is possible to "protect" the chip from being read via a 7-byte (56-bit) key. Obvious keys that should be tried are 00:00:00:00:00:00:00 and FF:FF:FF:FF:FF:FF:FF. If a different key is used, an effort should be made to figure out the key; however, as it is 56 bits, brute force will not be practical. In that case, a way to poke memory via Modbus should be investigated to extract or, at worst, overwrite the key.
If firmware binaries can be obtained from working units, this will make it possible to upgrade early models to newer firmware and to study its functions further by disassembling the binary. It might also make it possible to cross-flash an application 116/130 unit to application 131 if one wanted.
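The note above names the two obvious default keys. As an added example (not part of the original note), the following Python audits a firmware image in Motorola S-record format and flags whether it carries one of those default ID codes, which is the check a firmware developer would want to run before shipping an image. It assumes the R8C/2x ID code byte locations listed in ID_ADDRS and constructs its own sample image.

```python
"""Audit an R8C firmware image (Motorola S-record) for a default flash ID code.
Assumption: the 7 ID code bytes sit at the R8C/2x fixed-vector addresses in
ID_ADDRS (per the R8C hardware manual's ID code check function)."""

ID_ADDRS = (0xFFDF, 0xFFE3, 0xFFE7, 0xFFEB, 0xFFEF, 0xFFF3, 0xFFFF)
WEAK_KEYS = {bytes(7), bytes([0xFF] * 7)}  # the two obvious keys from the note


def parse_srec(text):
    """Return {address: byte} from S1/S2/S3 data records, verifying checksums."""
    mem = {}
    for line in text.splitlines():
        line = line.strip()
        if len(line) < 10 or line[0] != "S" or line[1] not in "123":
            continue  # S0 header, S5 count and S7-S9 termination carry no data
        raw = bytes.fromhex(line[2:])
        count, body, chk = raw[0], raw[1:-1], raw[-1]
        if count != len(raw) - 1 or (~sum(raw[:-1])) & 0xFF != chk:
            raise ValueError("bad S-record: " + line)
        alen = int(line[1]) + 1  # S1: 2-byte, S2: 3-byte, S3: 4-byte address
        addr = int.from_bytes(body[:alen], "big")
        for i, b in enumerate(body[alen:]):
            mem[addr + i] = b
    return mem


def id_code(mem):
    """Extract the 7-byte ID code; unprogrammed flash reads back as 0xFF."""
    return bytes(mem.get(a, 0xFF) for a in ID_ADDRS)


def audit(text):
    """Report the ID code carried by the image and whether it is a default key."""
    key = id_code(parse_srec(text))
    return {"id_code": key.hex(":"), "weak": key in WEAK_KEYS}


def make_s1(addr, data):
    """Build one S1 record (used only to construct the sample image below)."""
    body = bytes([len(data) + 3]) + addr.to_bytes(2, "big") + bytes(data)
    return "S1" + (body + bytes([(~sum(body)) & 0xFF])).hex().upper()


def sample_image(key):
    """Constructed 36-byte fixed-vector area (0xFFDC-0xFFFF) carrying `key`."""
    vec = bytearray(36)
    for k, a in zip(key, ID_ADDRS):
        vec[a - 0xFFDC] = k
    return "S00600004844521B\n" + make_s1(0xFFDC, vec) + "\nS9030000FC\n"


if __name__ == "__main__":
    for k in (bytes(7), bytes.fromhex("a1b2c3d4e5f607")):
        print(audit(sample_image(k)))
```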