Embedded Systems:: Hacking of Electronic Equipments
Uploaded by
Kailashi Chandra SekharEmbedded Systems:: Hacking of Electronic Equipments
Uploaded by
Kailashi Chandra SekharHACKING OF ELECTRONIC EQUIPMENTS
CHAPTER 1 INTRODUCTION
1.1 Embedded Systems: An embedded system is a combination of software and hardware to perform a dedicated task. Some of the main devices used in embedded products are Microprocessors and Microcontrollers. Microprocessors are commonly referred to as general purpose processors as they simply accept the inputs, process it and give the output. In contrast, a microcontroller not only accepts the data as inputs but also manipulates it, interfaces the data with various devices, controls the data and thus finally gives the result. An embedded system can be defined as a computing device that does a specific focused job. Appliances such as the air-conditioner, VCD player, DVD player, printer, fax machine, mobile phone etc. are examples of embedded systems. Each of these appliances will have a processor and special hardware to meet the specific requirement of the application along with the embedded software that is executed by the processor for meeting that specific requirement. The embedded software is also called firm ware. The desktop/laptop computer is a general purpose computer. You can use it for a variety of applications such as playing games, word processing, accounting, software development and so on. In contrast, the software in the embedded systems is always fixed listed below Embedded systems do a very specific task they cannot be programmed to do different things. Embedded systems have very limited resources, particularly the memory. Generally, they do not have secondary storage devices such as the CDROM or the floppy disk. Embedded systems have to work against some deadlines. A specific job has to be completed within a specific time. In some embedded systems, called real-time systems, the deadlines are stringent. Missing a deadline may cause a catastrophe-loss of life or damage to property. As many embedded systems operate through a battery, the power consumption has to be very low. Some embedded systems have to operate in extreme environmental conditions such as very high temperatures and humidity.
1.2Processor selection:
ECE, SIETK
HACKING OF ELECTRONIC EQUIPMENTS
1.2.1 General factors that govern the selection are:
Complexity of overall design Design reuse. Performance Power size Cost tools. OS Support and availability. The design's complexity helps determine the CPU to use. If the design calls for the deployment of a single state machine with interrupts from a small set of peripherals, then a small CPU and/or micro controller such as the MCS51 or the Z80 could be the best choice. Many systems such as industrial timer may fit this category, as the memory footprint is small, the signal is slow and battery consumption must be extremely low. The application and its interaction will dictate the design's complexity and may also determine whether it requires a real-time operating system (RTOS). Typically, as the application complexity increases, the need for a greater bit-width processor increases. The selection of the CPU will greatly impact performance of the overall system. Specifically, features like 8 / 16 / 24 / 32 bit architecture, RISC / CISC / DSP architecture, cache, MMU, pipelining, branch prediction and super-scalar architecture, all affect the speed of a system.Depending on system needs, these features may be necessary to achieve peak performance of the system. There are various benchmarking threshold data available for various 8/16/32 bit processors like MIPS (Million Instructions per Second), EEMBC, Dhrystone, MIPS/MHz etc, which can be taken as reference or comparison base. CISC Vs RISC. CISC is an acronym for Complex Instruction Set Computer and are chips that are easy to program and which make efficient use of memory. Since the earliest machines were programmed in assembly language and memory was slow and expensive, the CISC philosophy made sense, and was commonly implemented in such large computers. Most common microprocessor designs such as the Intel 80x86 and Motorola 68K series followed the CISC philosophy. But recent changes in software and hardware technology have forced a re-examination of CISC and many modern CISC processors are ECE, SIETK 2
HACKING OF ELECTRONIC EQUIPMENTS
hybrids, implementing many RISC principles. The design constraints that led to the development of CISC (small amounts of slow memory and fact that most early machines were programmed in assembly language) give CISC instructions sets some common characteristics: A 2-operand format, where instructions have a source and a destination. Register to register, register to memory, and memory to register commands. Multiple addressing modes for memory, including specialized modes for indexing through arrays Variable length instructions where the length often varies according to the addressing mode Instructions which require multiple clock cycles to execute. Most CISC hardware architectures have several characteristics in common: Complex instruction-decoding logic, driven by the need for a single instruction to support multiple addressing modes. A small number of general purpose registers. This is the direct result of having instructions which can operate directly on memory and the limited amount of chip space not dedicated to instruction decoding, execution, and microcode storage. Several special purpose registers. Many CTSC designs set aside special registers for the stack pointer, interrupt handling, and so on. This can simplify the hardware design somewhat, at the expense of making the instruction set more complex. A 'Condition code" register which is set as a side-effect of most instructions. This register reflects whether the result of the last operation is less than, equal to, or greater than zero and records if certain error conditions occur. At the time of their initial development, CISC machines used available technologies to optimize computer performance. Microprogramming is as easy as assembly language to implement, and much less expensive than hardwiring a control unit. The ease of microcoding new instructions allowed designers to make CISC machines upwardly compatible: a new computer could run the same programs as
ECE, SIETK
HACKING OF ELECTRONIC EQUIPMENTS
earlier computers because the new computer would contain a superset of the instructions of the earlier computers. As each instruction became more capable, fewer instructions could be used to implement a given task. This made more efficient use of the relatively slow main memory. Because microprogram instruction sets can be written to match the constructs of high-level languages, the compiler does not have to be as complicated. Designers soon realized that the CISC philosophy had its own problems, including: Earlier generations of a processor family generally were contained as a subset in every new version - so instruction set & chip hardware become more complex with each generation of computers. So that as many instructions as possible could be stored in memory with the least possible wasted space, individual instructions could be of almost any length - this means that different instructions will take different amounts of clock time to execute, slowing down the overall performance of the machine. Many specialized instructions aren't used frequently enough to justify their existence -approximately 20% of the available instructions are used in a typical program. CISC instructions typically set the condition codes as a side effect of the instruction. Not only does setting the condition codes take time, but programmers have to remember to examine the condition code bits before a subsequent instruction changes them. As memory speed increased, and high-level languages displaced assembly language, the major reasons for CISC began to disappear, and computer designers began to look at ways computer performance could be optimized beyond just making faster hardware.One of their key realizations was that a sequence of simple instructions produces the same results as a sequence of complex instructions, but can be implemented with a simpler (and faster) hardware design. (Assuming that memory can keep up.) RISC (Reduced Instruction Set Computers) processors were the result. CISC and RISC implementations are becoming more and more alike. Many of todays RISC chips support ECE, SIETK 4
HACKING OF ELECTRONIC EQUIPMENTS
as many instructions as yesterday's CISC chips. And today's CISC chips use many techniques formerly associated with RISC chips.
1.2.2 Application Areas:
Nearly 99 per cent of the processors manufactured end up in embedded systems. The embedded system market is one of the highest growth areas as these systems are used in very market segment- consumer electronics, office automation, industrial automation, biomedical engineering, wireless communication, data communication, telecommunications, transportation, military and so on.
1.2.3 Consumer appliances:
At home we use a number of embedded systems which include digital camera, digital diary, DVD player, electronic toys, microwave oven, remote controls for TV and air-conditioner, VCO player, video game consoles, video recorders etc. Todays high-tech car has about 20 embedded systems for transmission control, engine spark control, airconditioning, navigation etc. Even wrist watches are now becoming embedded systems. The palmtops are powerful embedded systems using which we can carry out many generalpurpose tasks such as playing games and word processing.
1.2.4 Office automation:
The office automation products using embedded systems are copying machine, fax machine, key telephone, modem, printer, scanner etc.
1.2.5 Industrial automation:
Today a lot of industries use embedded systems for process control. These include pharmaceutical, cement, sugar, oil exploration, nuclear energy, electricity generation and transmission. The embedded systems for industrial use are designed to carry out specific tasks such as monitoring the temperature, pressure, humidity, voltage, current etc., and then take appropriate action based on the monitored levels to control other devices or to send information to a centralized monitoring station. In hazardous industrial environment, where human presence has to be avoided, robots are used, which are programmed to do specific jobs. The robots are now becoming very powerful and carry out many interesting and complicated tasks such as hardware assembly. ECE, SIETK 5
HACKING OF ELECTRONIC EQUIPMENTS
1.1.4.4 Medical electronics:
Almost every medical equipment in the hospital is an embedded system. These equipments include diagnostic aids such as ECG, EEG, blood pressure measuring devices, X-ray scanners equipment used in blood analysis, radiation, endoscopy etc. Developments in medical electronics have paved way for more accurate diagnosis of diseases.
1.2.6 Computer networking:
Computer networking products such as bridges, routers, Integrated Services Digital Networks (ISDN), Asynchronous Transfer Mode (ATM), X.25 and frame relay switches are embedded systems which implement the necessary data communication protocols. For example, a router interconnects two networks. The two networks may be running different protocol stacks. The routers function is to obtain the data packets from incoming pores, analyze the packets and send them towards the destination after doing necessary protocol conversion. Most networking equipments, other than the end systems (desktop computers) we use to access the networks, are embedded systems.
1.2.7 Telecommunications:
In the field of telecommunications, the embedded systems can be categorized as subscriber terminals and network equipment. The subscriber terminals such as key telephones, ISDN phones, terminal adapters, web cameras are embedded systems. The network equipment includes multiplexers, multiple access systems, Packet Assemblers Dissemblers (PADs), sate11ite modems etc. IP phone, IP gateway, IP gatekeeper etc. are the latest embedded systems that provide very low-cost voice communication over the Internet.
1.2.8 Wireless technologies:
Advances in mobile communications are paving way for many interesting applications using embedded systems. The mobile phone is one of the marvels of the last decade of the 20h century. It is a very powerful embedded system that provides voice communication while we are on the move. The Personal Digital Assistants and the palmtops can now be used to access multimedia services over the Internet. Mobile
ECE, SIETK
HACKING OF ELECTRONIC EQUIPMENTS
communication infrastructure such as base station controllers, mobile switching centers are also powerful embedded systems.
1.2.9 Insemination:
Testing and measurement are the fundamental requirements in all scientific and engineering activities. The measuring equipment we use in laboratories to measure parameters such as weight, temperature, pressure, humidity, voltage, current etc. are all embedded systems. Test equipment such as oscilloscope, spectrum analyzer, logic analyzer, protocol analyzer, radio communication test set etc. are embedded systems built around powerful processors. Thank to miniaturization, the test and measuring equipment are now becoming portable facilitating easy testing and measurement in the field by field-personnel.
1.2.10 Finance:
Financial dealing through cash and cheques are now slowly paving way for transactions using smart cards and ATM (Automatic Teller Machine, also expanded as Any Time Money) machines. Smart card, of the size of a credit card, has a small microcontroller and memory; and it interacts with the smart card reader! ATM machine and acts as an electronic wallet. Smart card technology has the capability of ushering in a cashless society.
1.3 Overview of Embedded System Architecture:
Every embedded system consists of custom-built hardware built around a Central Processing Unit (CPU). This hardware also contains memory chips onto which the software is loaded. The software residing on the memory chip is also called the firmware. The operating system runs above the hardware, and the application software runs above the operating system as shown in figure. The same architecture is applicable to any computer including a desktop computer. However, there are significant differences. It is not compulsory to have an operating system in every embedded system. For small appliances such as remote control units, air conditioners, toys etc., there is no need for an operating system and you can write only the software specific to that application. For applications involving complex processing, it is advisable to have an operating system. In such a case,
ECE, SIETK
HACKING OF ELECTRONIC EQUIPMENTS
you need to integrate the application software with the operating system and then transfer the entire software on to the memory chip. Once the software is transferred to the memory chip, the software will continue to run for a long time you dont need to reload new software.
Fig 1.1 Embedded System Architecture Now, let us see the details of the various building blocks of the hardware of an embedded system. As shown in Fig. the building blocks are; Central Processing Unit (CPU) Memory (Read-only Memory and Random Access Memory) Input Devices Output devices Communication interfaces Application-specific circuitry
ECE, SIETK
HACKING OF ELECTRONIC EQUIPMENTS
Fig 1.2 Building Blocks Embedded System
1.3.1 Central Processing Unit (CPU):
The Central Processing Unit (processor, in short) can be any of the following: microcontroller, microprocessor or Digital Signal Processor (DSP). A micro-controller is a low-cost processor. Its main attraction is that on the chip itself, there will be many other components such as memory, serial communication interface, analog-to digital converter etc. So, for small applications, a micro-controller is the best choice as the number of external components required will be very less. On the other hand, microprocessors are more powerful, but you need to use many external components with them. D5P is used mainly for applications in which signal processing is involved such as audio and video processing.
1.3.2 Memory:
The memory is categorized as Random Access 11emory (RAM) and Read Only Memory (ROM). The contents of the RAM will be erased if power is switched off to the
ECE, SIETK
HACKING OF ELECTRONIC EQUIPMENTS
chip, whereas ROM retains the contents even if the power is switched off. So, the firmware is stored in the ROM. When power is switched on, the processor reads the ROM; the program is program is executed.
1.3.3 Input devices:
Unlike the desktops, the input devices to an embedded system have very limited capability. There will be no keyboard or a mouse, and hence interacting with the embedded system is no easy task. Many embedded systems will have a small keypad-you press one key to give a specific command. A keypad may be used to input only the digits. Many embedded systems used in process control do not have any input device for user interaction; they take inputs from sensors or transducers 1fnd produce electrical signals that are in turn fed to other systems.
1.3.4 Output devices:
The output devices of the embedded systems also have very limited capability. Some embedded systems will have a few Light Emitting Diodes (LEDs) to indicate the health status of the system modules, or for visual indication of alarms. A small Liquid Crystal Display (LCD) may also be used to display some important parameters.
1.3.5 Interfaces:
The embedded systems may need to, interact with other embedded systems at they may have to transmit data to a desktop. To facilitate this, the embedded systems are provided with one or a few communication interfaces such as RS232, RS422, RS485, Universal Serial Bus (USB), IEEE 1394, Ethernet etc.
1.3.6 Application-specific circuitry:
Sensors, transducers, special processing and control circuitry may be required fat an embedded system, depending on its application. This circuitry interacts with the processor to carry out the necessary work. The entire hardware has to be given power supply either through the 230 volts main supply or through a battery. The hardware has to design in such a way that the power consumption is minimized.
ECE, SIETK
10
HACKING OF ELECTRONIC EQUIPMENTS
CHAPTER 2 HARDWARE COMPONENTS 2. 1 MEMS-Based Accelerometers:
The field of MEMS accelerometers can be segregated into two dominant microsystem architectures: capacitive and piezoresistive.While both types of accelerometers employ internal proof masses that are excited by acceleration, the architectural differences are in the transduction mechanism used to correlate the movement of the internal proof mass to acceleration. Capacitive accelerometers employ a differential capacitor whose balance is disrupted by the movement of the proof mass. Piezoresistive accelerometers generally rely on strain induced within a flexural element that attaches the proof mass to the sensor housing for identification of the mass movement. Capacitivebased MEMS accelerometers, such as the ADXL iMEMS series from Analog Devices, have enjoyed more commercial success than piezoresistive designs. This is a direct result of piezoresistive accelerometers having not been capable of keeping pace with the reduced fabrication costs associated with capacitive architectures (Maluf 2000). Problems associated with the temperature coefficients and drift properties of piezoresistive materials have necessitated careful packaging and compensation circuitry that have added to piezoresistive accelerometer costs. Advances made in MEMS fabrication processes require a revisit of the piezoresistive accelerometer. With new processes available and old processes improved, a low-cost high-performance piezoresistive accelerometer is now possible. In particular, deep reactive ion etching (DRIE) fabrication techniques could be used in the fabrication of MEMS accelerometers. The low-noise property of piezoresistive accelerometers at high frequencies, compared to those of capacitive accelerometers, is additional motivation for a renewed interest in the piezoresistive accelerometer. While many methods can be employed for the identification of damage in structures, the success of these methods are limited to cases where damage is severe enough to result in significant changes in the global modes of response of the structural system (Doebling et al. 1996).
ECE, SIETK
11
HACKING OF ELECTRONIC EQUIPMENTS
Most recently, researchers have explored the use of high-frequency local response measurements of structural components to identify the onset of damage (Park et al. 2000). As a result, the success of these techniques will necessitate accelerometers that exhibit superior performance in the high frequency bands of interest. emerging class of damage detection problems. With excellent noise properties at high frequencies, the piezoresistive accelerometer can be applied to this
2.2 Design of a Piezoresistive Accelerometer:
The use of piezoresistive materials in the design of MEMS-based accelerometers was first proposed by Roylance and Angell (1979). Their design calls for a proof mass attached to a silicon housing through a short flexural element. The implantation of a piezoresistive material upon the upper surface of the flexural element was used for measuring out-of-plane acceleration of the proof mass. The strain experienced by a piezoresistive material causes a position change of its internal atoms resulting in the change of its electrical resistance (Senturia 2001). Completing a Wheatstone bridge around the piezoresistors of the accelerometer, a linear relationship between acceleration and voltage can be derived. A new approach to the design of piezoresistive accelerometers is explored. Departing from the Roylance design, a lateral in-plane accelerometer that can exploit the use of DRIE fabrication techniques is examined (Partridge et al. 2000). The design of the planar accelerometer is straightforward. A pie-shaped proof mass, as shown in Fig. 1a, is attached to the sensor housing through a slender cantilevering element. Acceleration in the plane of the sensor will cause deflections in the proof mass and flexural element. Implanted in the walls of the cantilevering element is a piezoresistive material that will change resistance with strain. The flexural element is designed to concentrate strain in the vicinity of the piezoresistive implant. The housing surrounding the proof mass is This housing is advantageous because it instrumental in providing a lateral stop on the mass movement thereby setting the maximum measurable acceleration (range). prevents deflections that would result in nonlinear flexural responses in addition to protection of the accelerometer from shock (exceedingly high accelerations such as those above 1,000 g).
ECE, SIETK
12
HACKING OF ELECTRONIC EQUIPMENTS
The physical dimensions of the accelerometer, illustrated in Fig. 1b, can be varied to deliver ideal performance specifications for a particular application. To maximize sensor sensitivity (voltage per unit acceleration), the flexural width, w, is minimized while the radial length, r, of the proof mass is maximized. The bandwidth of the accelerometer is determined from the length of the flexure, l, with shorter flexural elements increasing the lateral resonant frequency of the sensor. Since out-of-plane vibrations of the proof mass are undesirable, the thickness, t, of the flexural element is chosen to satisfy a 4 to 10 ratio between flexural thickness and width. In the process of fabricating the piezoresistive accelerometers, different dimensions for the flexural element and proof mass are selected. Deep reactive ion etching (DRIE) and oblique ion implantation fabrication processes are two enabling MEMS fabrication technologies chosen for the planar piezoresistive accelerometer. Fabrication of the accelerometer begins with the creation of a bonded etched silicon on insulator (BESOI) substrate created by oxidation and bonding of standard wafer surfaces. An additional layer of low-temperature oxide (LTO) is grown upon the top surface of the substrate in a pattern corresponding to the dimensions of the flexural and proof mass elements. To precisely remove silicon exposed by the pattern in the LTO layer, DRIE is used to remove substrate material until the internal oxide layer of the substrate is reached. With the sides of the flexural element exposed, oblique ion implantation is used to deposit a thin layer of boron within the sides of the flexural element. One side is implanted with a moderate amount of boron to form a 4 k piezoresistor. A greater amount of boron is implanted on the opposite side of the flexural element to yield a conduction return path of 200 . Upon completion of implantation, the LTO layer is removed and a thin layer of oxide is grown. Oxidation of silicon renders silicon surfaces chemically and electronically stable (Lyshevski 2002). The backside of the substrate is marked and DRIE etched to release the proof mass and flexural elements of the accelerometer from the substrate. The sensor die is cut from the substrate and placed in a ceramic package for sealing. Fig. 1c is a scanning electron microscope image of the completed piezoresistive accelerometer. The output of the accelerometer is a differential voltage signal linearly proportional to acceleration. To provide an easy interface to low-cost microcontrollers, a differential voltage amplifier is used to convert the differential voltage to a single voltage signal with ECE, SIETK 13
HACKING OF ELECTRONIC EQUIPMENTS
amplification. Unlike some commercially produced accelerometers, an anti-alias filter is not provided on-chip in the prototype accelerometer, necessitating a four-pole Butterworth anti-alias filter to condition the accelerometers output before interfacing to a data acquisition system
2.3 Micro-Electro-Mechanical Systems Inertial Measurement Units: Introduction:
Tracking ones location can be difficult without a spatial reference. However, tracking can still be accomplished through dead reckoning. Dead reckoning is the process of determining ones position based on the direction, velocity, and time since the previous position. To perform dead reckoning an Inertial Measurement Unit (IMU) can be used. An IMU measures velocity, orientation, and gravitational forces. IMUs with conventional gyroscopes and accelerometers have previously been out of reach for many civilian and military uses due to bulky sizes and high costs; but with recent advances in Micro-ElectroMechanical Systems (MEMS) the prices and sizes have shrunk significantly. MEMS IMUs can now be found in many systemsfrom smart phones for the masses to smart munitions for the military.
Commercial Applications Civilian:
In recent years the auto industry has adopted IMUs to aid anti-lock brake systems, traction control schemes, and triggering air bags. Even entertainment systems such as the Nintendo Wii now contain IMUs. The Wii system originally only used two ADXL330 accelerometers from Analog Devices; this system could not detect the rotation of the controllers well. However, recently Nintendo added the Motion Plus, with the IDG-600 gyroscope from InvenSense , to implement a true IMU. The cost of the ADXL330 is less than eight dollars when purchased in bulk and the IDG-600 is estimated to cost two dollars. Personal GPS navigation companies have also started to integrate MEMS IMUs into their products. When the GPS reception becomes temporarily unavailable, these devices can revert to the IMU to calculate the approximate location and movement of the device . Tom
ECE, SIETK
14
HACKING OF ELECTRONIC EQUIPMENTS
Tom GO 920 is such a device and costs less than 200 dollarsonly 30 dollars more compared to models without the IMU feature, such as the Tom Tom GO 720.
Military:
Honeywell, along with Rockwell Collins, produce an Integrated Guidance System (IGS) for the future generation projectiles, strike weapons, missiles and small unmanned systems of the military . This product combines GPS with an IMU to create a robust system that has a spatial error of less than 4 meters, is difficult to jam, can withstand more than 20,000 Gs, and weighs a little over half a kilogram . Honeywell also makes MEMS IMUs for military dead reckoning without GPS integration. One example is the HG1930 which weighs less than half a pound, measures two inches in diameter by one and a half inches tall and can survive the shell shock of being fired out of an artillery gun
2.4 Analog-to-digital converter:
An analog-to-digital converter (abbreviated ADC, A/D or A to D) is a device that converts a continuous quantity to a discrete time digital representation. An ADC may also provide an isolated measurement. The reverse operation is performed by a digital-to-analog converter (DAC).Typically, an ADC is an electronic device that converts an input analog voltage or current to a digital number proportional to the magnitude of the voltage or current. However, some non-electronic or only partially electronic devices, such as rotary encoders, can also be considered ADCs.The digital output may use different coding schemes. Typically the digital output will be a two's complement binary number that is proportional to the input, but there are other possibilities. An encoder, for example, might output a code. A/D converters for industrial applications are based on proprietary DeltaSigma technology and deliver high-precision analog-to-digital converter solutions for industrial measurement applications, including industrial process control, analytical instruments and consumer utility.
Features
12-bit resolution 1 LSB max DNL 1 LSB max INL (MCP3204/3208-B)
ECE, SIETK
15
HACKING OF ELECTRONIC EQUIPMENTS
2 LSB max INL (MCP3204/3208-C) 4 (MCP3204) or 8 (MCP3208) input channels Analog inputs programmable as single-ended or pseudo-differential pairs On-chip sample and hold SPI serial interface (modes 0,0 and 1,1) Single supply operation: 2.7V - 5.5V 100 ksps max. sampling rate at VDD = 5V 50 ksps max. sampling rate at VDD = 2.7V Low power CMOS technology: - 500 nA typical standby current, 2 A max. - 400 A max. active current at 5V Industrial temp range: -40C to +85C Available in PDIP, SOIC and TSSOP packages
Applications
Sensor Interface Process Control Data Acquisition Battery Operated Systems
2.5 EEPROM:
Atmel is a leading supplier of Serial EEPROM devices and has shipped over 12 billion devices in the past decade. Because of the ability to alter single bytes of data, Serial EEPROM devices are used to store personal preference and configuration data in a wide spectrum of consumer, automotive, telecommunication, medical, industrial, and PC applications. Atmel offers Serial EEPROM devices in I2C, Microwire and SPI compatible protocols. The devices come in a number of industry-standard package types including space saving DFN, VFBGA, SOT23, and WLCSP packages. Atmel Serial EEPROM devices feature low pin count and are optimized for use in automotive and industrial temperature applications where low-power and low-voltage operation are essential. EEPROM (electrically erasable programmable read-only memory) is usermodifiable read-only memory (ROM) that can be erased and reprogrammed (written to) ECE, SIETK 16
HACKING OF ELECTRONIC EQUIPMENTS
repeatedly through the application of higher than normal electrical voltage. Unlike EPROM chips, EEPROMs do not need to be removed from the computer to be modified. However, an EEPROM chip has to be erased and reprogrammed in its entirety, not selectively. It also has a limited life - that is, the number of times it can be reprogrammed is limited to tens or hundreds of thousands of times. In an EEPROM that is frequently reprogrammed while the computer is in use, the life of the EEPROM can be an important design consideration.
Key Features
Broad Portfolio Serial EEPROM devices are offered in 1-Kbit to 1-Mbit
densities in I2C, Microwire, and SPI compatible protocols available in voltages from 1.7V to 5.5V.
Diverse packages options The Serial EEPROM devices come in industry
standard PDIP, SOIC, and TSSOP package types, as well as space saving DFN, VFBGA, SOT23, and WLCSP packages.
High performance Atmel Serial EEPROM devices offer low active and
standby currents and operate at fast clock frequencies.
Easy migration Atmel SPI Serial EEPROMs share the same I/O configuration
as Atmels AT25D Serial Flash family, allowing customers to easily upgrade to the advanced, higher density Serial Flash devices.
Automotive designs Atmel offers automotive-qualified Serial EEPROM
devices in environmentally friendly "green" versions designed to withstand broad extended temperature ranges.
2.6 LCD 2.6.1 Introduction:
A liquid crystal display (LCD) is a thin, flat electronic visual display that uses the light modulating properties of liquid crystals (LCs). LCs does not emit light directly. They are used in a wide range of applications including: computer monitors, television, instrument panels, aircraft cockpit displays, signal, etc. They are common in consumer devices such as video players, gaming devices, clocks, watches, calculators, and telephones. LCDs have displaced cathode ray tube (CRT) displays in most applications. ECE, SIETK 17
HACKING OF ELECTRONIC EQUIPMENTS
They are usually more compact, lightweight, portable, less expensive, more reliable, and easier on the eyes. They are available in a wider range of screen sizes than CRT and plasma displays, and since they do not use phosphors, they cannot suffer image burn-in. LCDs are more energy efficient and offer safer disposal than CRTs. Its low electrical power consumption enables it to be used in battery-powered electronic equipment. It is an electronically-modulated optical device made up of any number of pixels filled with liquid crystals and arrayed in front of a light source (backlight) or reflector to produce images in color or monochrome. The earliest discovery leading to the development of LCD technology, the discovery of liquid crystals, dates from 1888. By 2008, worldwide sales of televisions with LCD screens had surpassed the sale of CRT units. Each pixel of an LCD typically consists of a layer of molecules aligned between two transparent electrodes, and two polarizing filters the axes of transmission of which are (in most of the cases) perpendicular to each other. With no actual liquid crystal between the polarizing filters, light passing through the first filter would be blocked by the second (crossed) polarizer. In most of the cases the liquid crystal has double refraction
Passive-matrix and active-matrix addressed LCDs:
Fig no :2.1 Visual view of LCD LCDs with a small number of segments, such as those used in digital watches and pocket calculators, have individual electrical contacts for each segment. An external dedicated circuit supplies an electric charge to control each segment. This display structure is unwieldy for more than a few display elements. The most commonly used Character based LCDs are based on Hitachi's HD44780 controller or other which are compatible with HD44580. In this tutorial, we will discuss ECE, SIETK 18
HACKING OF ELECTRONIC EQUIPMENTS
about character based LCDs, their interfacing with various microcontrollers, various interfaces (8-bit/4-bit), programming, special stuff and tricks you can do with these simple looking LCDs which can give a new look to your application.
2.6.2 Pin Description
The most commonly used LCDs found in the market today are 1 Line, 2 Line or 4 Line LCDs which have only 1 controller and support at most of 80 characters, whereas LCDs supporting more than 80 characters make use of 2 HD44780 controllers.
Fig No:2.2 Pin diagram Pin no. 1 VSS Pin no. 2 VCC Pin no. 3 VEE Pin no. 4 RS Pin no. 5 R/W Pin no. 6 EN Pin no. 7 D0 Pin no. 8 D1 Pin no. 9 D2 Pin no. 10 D3 Pin no. 11 D4 ECE, SIETK Power supply (GND) Power supply (+5V) Contrast adjust 0 = Instruction input 1 = Data input 0 = Write to LCD module 1 = Read from LCD module Enable signal Data bus line 0 (LSB) Data bus line 1 Data bus line 2 Data bus line 3 Data bus line 4 19
HACKING OF ELECTRONIC EQUIPMENTS
Pin no. 12 D5 Pin no. 13 D6 Pin no. 14 D7
Data bus line 5 Data bus line 6 Data bus line 7 (MSB)
2.6.3 Commands
and Instruction
set:
The instruction register (IR) and the data register (DR) of the LCD can be controlled by
the MCU. Before starting the internal operation of the LCD, control information is temporarily
stored into these registers to allow interfacing with various MCUs, which operate at different speeds, or various peripheral control devices. The internal operation of the LCD is determined by signals sent from the MCU. These signals, which include register selection signal (RS), read/write signal (R/W), and the data bus (DB0 to DB7), make up the LCD instructions (Table 3). There are four categories of instructions that:
Designate LCD functions, such as display format, data length, etc. Set internal RAM addresses Perform data transfer with internal RAM Perform miscellaneous functions Although looking at the table you can make your own commands and test them.
Below is a brief list of useful commands which are used frequently while working on the LCD.
Instruction
1.Function Set: 8-bit, 1 Line, 5x7 Dots 2. Function Set: 8-bit, 2 Line, 5x7 Dots 3. Function Set: 4-bit, 1 Line, 5x7 Dots 4.Function Set: 4-bit, 2 Line, 5x7 Dot
Hex Decimal
0x3048 0x3856 0x2032 0x2840
Table No :2.1 Instruction And Command Set
ECE, SIETK
20
HACKING OF ELECTRONIC EQUIPMENTS
2.6.4Command Codes
Table no:2.2 LCD command codes ECE, SIETK 21
HACKING OF ELECTRONIC EQUIPMENTS
CODE(HEX) 1 2 4 6 5 7 8 A C F 10 14 18 1C C0 38
COMMAND TO LCD INSTRUCTION REGISTER CLEAR DISPLAY SCREEN RETURN HOME DECREEMENT CURSOR (SHIFT CURSOR TO LEFT) INCREEMENT CURSOR (SHIFT CURSOR TO RIGHT) SHIFT DISPLAY RIGHT SHIFT DISPLAY LEFT DISPLAY OFF,CURSOR OFF DISPLAY OFF,CURSOR ON DISPLAY ON,CURSOR OFF DISPLAY ON,CURSOR BLINKING SHIFT CURSOR POSIITION TO LEFT SHIFT CURSOR POSIITION TO RIGHT SHIFT THE ENTIRE DISPLAY TO THE LEFT SHIFT THE ENTIRE DISPLAY TO THE RIGHT FORCE CURSOR TO BEGINNING OF SECOND LINE 2 LINES & 5X7 MATRIX
ECE, SIETK
22
HACKING OF ELECTRONIC EQUIPMENTS
2.7 Crystal Oscillator
A crystal oscillator is a timing device that consists of a crystal and an oscillator circuit, providing an output waveform at a specific frequency. When a crystal is placed into an amplifier circuit (as shown in Figure 1), a small amount of energy is fed back to the crystal, which causes it to vibrate. These vibrations act to stabilize the frequency of the oscillator circuit.
Target Frequency
The Target Frequency of an oscillator is the desired output frequency of an oscillator, specified in MHz or kHz(megahertz or kilohertz) @ 25C. A Frequency Tolerance should be specified along with the Target Frequency.
Overall Frequency Tolerance
Overall Frequency Tolerance is the allowable frequency deviation from the Target Frequency, specified as a maximum frequency deviation in ppm (parts per million). The deviation is specified inclusive of a set of operating conditions such as Operating Temperature Range, Supply Voltage, Output Load and Aging
Operating Temperature Range
The Operating Temperature Range is the specified range to which the device will be exposed during oscillation. Allspecifications such as Overall Frequency Tolerance, Symmetry and Supply Current will be met within the Operating Temperature Range and is specified as a maximum and a minimum temperature in C.
Storage Temperature Range
ECE, SIETK
23
HACKING OF ELECTRONIC EQUIPMENTS
The Storage Temperature Range is the absolute limits of temperature to which the device will be exposed in a nonoscillation state, without being damaged, and is specified as a maximum and a minimum temperature in C.
Supply Current (Icc)
Supply Current is the amount of current consumption by an oscillator from the power supply, and is usually specified as a maximum current in milliamps (mA).
Supply Voltage (Vdd)
Supply Voltage is the DC input voltage range recommended for operation of an oscillator, and is usually specified as a DC voltage with a percentage tolerance. For example: 5.0 Vdc, 10% is a typical specification. All specifications such as Overall Frequency Tolerance, Symmetry and Supply Current will be met within the specified Supply Voltage range.
2.8 UART
UART (Universal Asynchronous Receiver Transmitter) or USART (Universal Synchronous Asynchronous Receiver Transmitter) are one of the basic interfaces which you will find in almost all the controllers available in the market till date. These interfaces provide a cost effective simple and reliable communication between one controller to another controller or between a controller and PC.
2.9 MAX 232
In telecommunications, RS-232 (Recommended Standard 232) is a standard for serial binary single-ended data and control signals connecting between a DTE (Data Terminal Equipment) and a DCE (Data Circuit-terminating Equipment). It is commonly used in computer serial ports. The standard defines the electrical characteristics and timing of signals, the meaning of signals, and the physical size and pin out of connectors.
ECE, SIETK
24
HACKING OF ELECTRONIC EQUIPMENTS
Fig No:2.3Visual View Of MAX 232
Scope of the standard:
The Electronics Industries Association (EIA) standard RS-232 as of 1969 defines:
Electrical signal characteristics such as voltage levels, signaling rate, timing and slew-rate of signals, voltage with stand level, short-circuit behavior, and maximum load capacitance.
Interface mechanical characteristics, pluggable connectors and pin identification. Functions of each circuit in the interface connector. Standard subsets of interface circuits for selected telecom applications. The standard does not define such elements as Character (for example, ASCII, Baudot code or EBCDIC) Details of character format and transmission bit rate are controlled by the serial port
hardware, often a single integrated circuit called a UART that converts data from parallel to asynchronous start-stop serial form. Details of voltage levels, slew rate, and short-circuit behavior are typically controlled by a line-driver that converts from the UART's logic levels to RS-232 compatible signal levels, and a receiver that converts from RS-232 compatible signal levels to the UART's logic levels.
Role in modern personal computers:
In the book PC 97 Hardware Design Guide, Microsoft deprecated support for the RS-232 compatible serial port of the original IBM PC design. Today, RS-232 has mostly been replaced in personal computers by USB for local communications. Compared with ECE, SIETK 25
HACKING OF ELECTRONIC EQUIPMENTS
RS-232, USB is faster, uses lower voltages, and has connectors that are simpler to connect and use. Both standards have software support in popular operating systems. USB is designed to make it easy for device drivers to communicate with hardware. However, there is no direct analog to the terminal programs used to let users communicate directly with serial ports. USB is more complex than the RS-232 standard because it includes a protocol for transferring data to devices. This requires more software to support the protocol used. RS-232 only standardizes the voltage of signals and the functions of the physical interface pins. Serial ports of personal computers are also sometimes used to directly control various hardware devices, such as relays or lamps, since the control lines of the interface can be easily manipulated by software. This isn't feasible with USB, which requires some form of receiver to decode the serial data. As an alternative, USB docking ports are available which can provide connectors for a keyboard, mouse, one or more serial ports, and one or more parallel ports. Corresponding device drivers are required for each USB-connected device to allow programs to access these USB-connected devices as if they were the original directlyconnected peripherals. Devices that convert USB to RS-232 may not work with all software on all personal computers and may cause a reduction in bandwidth along with higher latency. Personal computers may use a serial port to interface to devices such as uninterruptible power supplies. In some cases, serial data is not exchanged, but the control lines are used to signal conditions such as loss of power or low battery alarms. Many fields (for example, laboratory automation, surveying) provide a continued demand for RS-232 I/O due to sustained use of very expensive but aging equipment. It is often far cheaper to continue to use RS-232 than it is to replace the equipment. Additionally, modern industrial automation equipment, such as PLCs, VFDs, servo drives, and CNC equipment are programmable via RS-232. Some manufacturers have responded to this demand: Toshiba re-introduced the DE-9M connector on the Tecra laptop.
Voltage levels:
ECE, SIETK
26
HACKING OF ELECTRONIC EQUIPMENTS
Fig No:2.4 : Different Voltage Level Wave Forms Diagrammatic oscilloscope trace of voltage levels for an uppercase ASCII "K" character (0x4b) with 1 start bit, 8 data bits, 1 stop bit.The RS-232 standard defines the voltage levels that correspond to logical one and logical zero levels for the data transmission and the control signal lines. Valid signals are plus or minus 3 to 15 volts; the 3 V range near zero volts is not a valid RS-232 level. The standard specifies a maximum open-circuit voltage of 25 volts: signal levels of 5 V, 10 V, 12 V, and 15 V are all commonly seen depending on the power supplies available within a device. RS-232 drivers and receivers must be able to withstand indefinite short circuit to ground or to any voltage level up to 25 volts. The slew rate, or how fast the signal changes between levels, is also controlled. For data transmission lines (TxD, RxD and their secondary channel equivalents) logic one is defined as a negative voltage, the signal condition is called marking, and has the functional significance. Logic zero is positive and the signal condition is termed spacing. Control signals are logically inverted with respect to what one sees on the data transmission lines. When one of these signals is active, the voltage on the line will be between +3 to +15 volts. The inactive state for these signals is the opposite voltage condition, between 3 and 15 volts. Examples of control lines include request to send (RTS), clear to send (CTS), data terminal ready (DTR), and data set ready (DSR). Because the voltage levels are higher than logic levels typically used by integrated circuits, special intervening driver circuits are required to translate logic levels. These also protect the device's internal circuitry from short circuits or transients that may appear on ECE, SIETK 27
HACKING OF ELECTRONIC EQUIPMENTS
the RS-232 interface, and provide sufficient current to comply with the slew rate requirements for data transmission. Because both ends of the RS-232 circuit depend on the ground pin being zero volts, problems will occur when connecting machinery and computers where the voltage between the ground pin on one end and the ground pin on the other is not zero. This may also cause a hazardous ground loop. Use of a common ground limits RS-232 to applications with relatively short cables. If the two devices are far enough apart or on separate power systems, the local ground connections at either end of the cable will have differing voltages; this difference will reduce the noise margin of the signals. Balanced, differential, serial connections such as USB, RS-422 and RS-485 can tolerate larger ground voltage differences because of the differential signaling. Unused interface signals terminated to ground will have an undefined logic state. Where it is necessary to permanently set a control signal to a defined state, it must be connected to a voltage source that asserts the logic 1 or logic 0 level. Some devices provide test voltages on their interface connectors for this purpose.
2.10 RS 232
RS-232 devices may be classified as Data Terminal Equipment (DTE) or Data Communication Equipment (DCE); this defines at each device which wires will be sending and receiving each signal. The standard recommended but did not make mandatory the Dsubminiature 25 pin connector. In general and according to the standard, terminals and computers have male connectors with DTE pin functions, and modems have female connectors with DCE pin functions. Other devices may have any combination of connector gender and pin definitions. Many terminals were manufactured with female terminals but were sold with a cable with male connectors at each end; the terminal with its cable satisfied the recommendations in the standard. Presence of a 25 pin D-sub connector does not necessarily indicate an RS-232-C compliant interface. For example, on the original IBM PC, a male D-sub was an RS-232-C DTE port (with a non-standard current loop interface on reserved pins), but the female Dsub connector was used for a parallel Centronics printer port. Some personal computers put non-standard voltages or signals on some pins of their serial ports.
ECE, SIETK
28
HACKING OF ELECTRONIC EQUIPMENTS
The standard specifies 20 different signal connections. Since most devices use only a few signals, smaller connectors can often be used.
RS-232 WAVEFORM :
Fig No:2.5 TTL/CMOS Serial Logic Waveform The diagram above shows the expected waveform from the UART when using the common 8N1 format. 8N1 signifies 8 Data bits, No Parity and 1 Stop Bit. The RS-232 line, when idle is in the Mark State (Logic 1). A transmission starts with a start bit which is (Logic 0). Then each bit is sent down the line, one at a time. The LSB (Least Significant Bit) is sent first. A Stop Bit (Logic 1) is then appended to the signal to make up the transmission. The data sent using this method, is said to be framed. That is the data is framed between a Start and Stop Bit. RS-232 Voltage levels 1. +3to+25voltstosignify"Space"(Logic0) 2. 2. -3 to -25 volts for a "Mark" (logic 1). 3. Any voltage in between these regions (i.e. between +3 and -3 Volts) is undefined. The data byte is always transmitted least-significant-bit first. The bits are transmitted at specific time intervals determined by the baud rate of the serial signal. This is the signal present on the RS-232 Port of your computer, shown below.
Fig No:2.6 RS-232 Logic Waveform
RS-232 LEVEL CONVERTER:
ECE, SIETK 29
HACKING OF ELECTRONIC EQUIPMENTS
Standard serial interfacing of microcontroller (TTL) with PC or any RS232C Standard device , requires TTL to RS232 Level converter . A MAX232 is used for this purpose. It provides 2-channel RS232C port and requires external 10uF capacitors. The driver requires single supply of +5v.
Pin Diagram of MAX 232:
Fig no :2.7 Pin diagram of MAX 232
2.11 ZIGBEE
ZigBee-style networks began to be conceived around 1998, when many installers realized that both Wi-Fi and Bluetooth were going to be unsuitable for many applications. In particular, many engineers saw a need for self-organizing ad-hoc digital radio networks.The IEEE 802.15.4-2003 standard was completed in May 2003 and has been superseded by the publication of IEEE 802.15.4-2006.In the summer of 2003, Philips Semiconductors, a major mesh network supporter, ceased the investment. Philips Lighting has, however, continued Philips' participation, and Philips remains a promoter member on the ZigBee Alliance Board of Directors. The ZigBee Alliance announced in October 2004 that the membership had more than doubled in the preceding year and had grown to more than 100 member companies, in 22 countries. By April 2005 membership had grown to more than 150 companies, and by December 2005 membership had passed 200 companies.The ZigBee specifications were ratified on 14 December 2004.The ZigBee Alliance announced availability of Specification 1.0 on 13 June 2005, known as ZigBee 2004 Specification. In September 2006, ZigBee
ECE, SIETK
30
HACKING OF ELECTRONIC EQUIPMENTS
2006 Specification is announced. In 2007, ZigBee PRO, the enhanced ZigBee specification was finalized. The first stack release is now called ZigBee 2004. The second stack release is called ZigBee 2006, and mainly replaces the MSG/KVP structure used in 2004 with a "cluster library". The 2004 stack is now more or less obsolete.ZigBee 2007, now the current stack release, contains two stack profiles, stack profile 1 (simply called ZigBee), for home and light commercial use, and stack profile 2 (called ZigBee Pro). ZigBee Pro offers more features, such as multi-casting, many-to-one routing and high security with Symmetric-Key Key Exchange (SKKE), while ZigBee (stack profile 1) offers a smaller footprint in RAM and flash. Both offer full mesh networking and work with all ZigBee application profiles.ZigBee 2007 is fully backward compatible with ZigBee 2006 devices: A ZigBee 2007 device may join and operate on a ZigBee 2006 network and vice versa. Due to differences in routing options, ZigBee Pro devices must become non-routing ZigBee EndDevices (ZEDs) on a ZigBee 2006 network, the same as for ZigBee 2006 devices on a ZigBee 2007 network must become ZEDs on a ZigBee Pro network. The applications running on those devices work the same, regardless of the stack profile beneath them.The ZigBee 1.0 specification was ratified on 14 December 2004 and is available to members of the ZigBee Alliance. Most recently, the ZigBee 2007 specification was posted on 30 October 2007. The first ZigBee Application Profile, Home Automation, was announced 2 November 2007.
Radio hardware
The radio design used by ZigBee has been carefully optimized for low cost in large scale production. It has few analog stages and uses digital circuits wherever possible. Though the radios themselves are in expensive, the ZigBee Qualification Process involves a full validation of the requirements of the physical layer. All radios derived from the same validated semiconductor mask set would enjoy the same RF characteristics. An uncertified physical layer that malfunctions could cripple the battery lifespan of other devices on a ZigBee network. ZigBee radios have very tight constraints on power and bandwidth. Thus, radios are tested to the ISO 17025 standard with guidance given by Clause 6 of the
ECE, SIETK
31
HACKING OF ELECTRONIC EQUIPMENTS
802.15.4-2006 Standard. Most vendors plan to integrate the radio and microcontroller onto a single chip[15] getting smaller devices. This standard specifies operation in the unlicensed 2.4 GHz (worldwide), 915 MHz (Americas and Australia) and 868 MHz (Europe) ISM bands. In the 2.4 GHz band there are 16 ZigBee channels, with each channel requiring 5 MHz of bandwidth. The 2.4 GHz band provides up to 250 kbit/s, 915 MHz provides up to 40 kbit/s and 868 MHz provides a data rate up to 20 kbit/s. The actual data throughput will be less than the maximum specified bit rate due to the packet overhead and processing delays. The radios use direct-sequence spread spectrum coding, which is managed by the digital stream into the modulator. Binary phase-shift keying (BPSK) is used in the 868 and 915 MHz bands, and Offset quadrature phase-shift keying (OQPSK) that transmits two bits per symbol is used in the 2.4 GHz band. The output power of the radios is generally 0 dBm (1 mW).
Software
The software is designed to be easy to develop on small, inexpensive microprocessors.
Network layer
The main functions of the network layer are to enable the correct use of the MAC sub layer and provide a suitable interface for use by the next upper layer, namely the application layer. Its capabilities and structure are those typically associated to such network layers, including routing. On the one hand, the data entity creates and manages network layer data units from the payload of the application layer and performs routing according to the current topology. On the other hand, there is the layer control, which is used to handle configuration of new devices and establish new networks: it can determine whether a neighboring device belongs to the network and discovers new neighbors and routers. The control can also detect the presence of a receiver, which allows direct communication and MAC synchronization. The routing protocol used by the Network layer is AODV. In order to find the destination device, it broadcasts out a route request to all of its neighbors. The neighbors then broadcast the request to their neighbors, etc. until the destination is reached. Once the
ECE, SIETK
32
HACKING OF ELECTRONIC EQUIPMENTS
destination is reached, it sends its route reply via unicast transmission following the lowest cost path back to the source. Once the source receives the reply, it will update its routing table for the destination address with the next hop in the path and the path cost.
Application layer
The application layer is the highest-level layer defined by the specification, and is the effective interface of the ZigBee system to its end users. It comprises the majority of components added by the ZigBee specification: both ZDO and its management procedures, together with application objects defined by the manufacturer, are considered part of this layer.
Main components
The ZDO is responsible for defining the role of a device as either coordinator or end device, as mentioned above, but also for the discovery of new (one-hop) devices on the network and the identification of their offered services. It may then go on to establish secure links with external devices and reply to binding requests accordingly.The application support sublayer (APS) is the other main standard component of the layer, and as such it offers a well-defined interface and control services. It works as a bridge between the network layer and the other components of the application layer: it keeps up-to-date binding tables in the form of a database, which can be used to find appropriate devices depending on the services that are needed and those the different devices offer. As the union between both specified layers, it also routes messages across the layers of the protocol stack.
Communication models
ECE, SIETK
33
HACKING OF ELECTRONIC EQUIPMENTS
Fig No:2.9 ZigBee high-level communication model An application may consist of communicating objects which cooperate to carry out the desired tasks. The focus of ZigBee is to distribute work among many different devices which reside within individual ZigBee nodes which in turn form a network (said work will typically be largely local to each device, for instance the control of each individual household appliance).The collection of objects that form the network communicate using the facilities provided by APS, supervised by ZDO interfaces. The application layer data service follows a typical request-confirm/indication-response structure. Within a single device, up to 240 application objects can exist, numbered in the range 1-240. 0 is reserved for the ZDO data interface and 255 for broadcast; the 241-254 range is not currently in use but may be in the future.There are two services available for application objects to use (in ZigBee 1.0):
The key-value pair service (KVP) is meant for configuration purposes. It enables description, request and modification of object attributes through a simple interface based on get/set and event primitives, some allowing a request for response.
ECE, SIETK
34
HACKING OF ELECTRONIC EQUIPMENTS
Configuration uses compressed XML (full XML can be used) to provide an adaptable and elegant solution.
The message service is designed to offer a general approach to information treatment, avoiding the necessity to adapt application protocols and potential overhead incurred on by KVP. It allows arbitrary payloads to be transmitted over APS frames. Addressing is also part of the application layer. A network node consists of an
802.15.4-conformant radio transceiver and one or more device descriptions (basically collections of attributes which can be polled or set, or which can be monitored through events). The transceiver is the base for addressing, and devices within a node are specified by an endpoint identifier in the range 1-240.
Communication and device discovery
In order for applications to communicate, their comprising devices must use a common application protocol (types of messages, formats and so on); these sets of conventions are grouped in profiles. Furthermore, binding is decided upon by matching input and output cluster identifiers, unique within the context of a given profile and associated to an incoming or outgoing data flow in a device. Binding tables contain source and destination pairs.Depending on the available information, device discovery may follow different methods. When the network address is known, the IEEE address can be requested using unicast communication. When it is not, petitions are broadcast (the IEEE address being part of the response payload). End devices will simply respond with the requested address, while a network coordinator or a router will also send the addresses of all the devices associated with it. This extended discovery protocol permits external devices to find out about devices in a network and the services that they offer, which endpoints can report when queried by the discovering device (which has previously obtained their addresses). Matching services can also be used. The use of cluster identifiers enforces the binding of complementary entities by means of the binding tables, which are maintained by ZigBee coordinators, as the table must be always available within a network and coordinators are most likely to have a permanent power supply. Backups, managed by higher-level layers, may be needed by ECE, SIETK 35
HACKING OF ELECTRONIC EQUIPMENTS
some applications. Binding requires an established communication link; after it exists, whether to add a new node to the network is decided, according to the application and security policies. Communication can happen right after the association. Direct addressing uses both radio address and endpoint identifier, whereas indirect addressing uses every relevant field (address, endpoint, cluster and attribute) and requires that they be sent to the network coordinator, which maintains associations and translates requests for communication. Indirect addressing is particularly useful to keep some devices very simple and minimize their need for storage. Besides these two methods, broadcast to all endpoints in a device is available, and group addressing is used to communicate with groups of endpoints belonging to a set of devices.
2.11.1 Zigbee Technology
Zigbee Technology is one of such progression in wireless technology. Wireless is not a new technology as wireless networking and wireless internet are already in use; yet Zigbee technology set a new aspect in wireless technology. Thats why its usually referred as Zigbee Wireless Technology. Day by day advancement in technology is introducing novel and supportive devices which are used to make life easier and Zigbee Technology is one of them.The ZigBee standard uses small very low-power devices to connect together to form a wireless control. webZigBee protocol is optimized for very long battery life measured in months to years from inexpensive, off-the-shelf non-rechargeable batteries, and can control lighting, air conditioning and heating, smoke and fire alarms, and other security devices.ZigBee is a low data rate, two-way standard for home automation and data networks. Real usage examples of ZigBee includes home automation tasks such as turning lights on, turn up the heat, setting the home security system, or starting the VCR. With ZigBee all these tasks can be done from anywhere in the homeat the touch of a button. ZigBee also allows for dial-in access via the Internet for automation control. ZigBee technology is a low data rate, low power consumption, low cost, wireless networking protocol targeted towards automation and remote control applications. IEEE 802.15.4 committee started working on a low data rate standard a short while later. Then ECE, SIETK 36
HACKING OF ELECTRONIC EQUIPMENTS
the ZigBee Alliance and the IEEE decided to join forces and ZigBee is the commercial name for this technology.ZigBee is expected to provide low cost and low power connectivity for equipment that needs battery life as long as several months to several years but does not require data transfer rates as high as those enabled by Bluetooth. In addition, ZigBee can be implemented in mesh networks larger 2 than is possible with Bluetooth. ZigBee compliant wireless devices are expected to transmit 10-75 meters, depending on the RF environment and the power output consumption required for a given application, and will operate in the unlicensed RF worldwide(2.4GHz global, 915MHz Americas or 868 MHz Europe). The data rate is 250kbps at 2.4GHz, 40kbps at 915MHz and 20kbps at 868MHz IEEE and ZigBee Alliance have been working closely to specify the entire protocol stack. IEEE 802.15.4 focuses on the specification of the lower two layers of the protocol(physical and data link layer). On the other hand, ZigBee Alliance aims to provide the upper layers of the protocol stack (from network to the application layer) for interoperable data networking, security services and a range of wireless home and building control solutions, provide interoperability compliance testing, marketing of the standard, advanced engineering for the evolution of the standard. This will assure consumers to buy products from different manufacturers with confidence that the products will work together.IEEE 802.15.4 is now detailing the specification of PHY and MAC by offering building blocksfor different types of networking known as star, mesh, and cluster tree. Network routingschemes are designed to ensure power conservation, and low latency through guaranteed timeslots. A unique feature of ZigBee network layer is communication redundancy eliminating single point of failure in mesh networks. Key features of PHY include energy and link quality detection, clear channel assessment for improved coexistence with other wireless networks.
2.11.2 TECHINICAL OVERVIEW
ZigBee is a low-cost, low-power, wireless mesh network standard. The low cost allows the technology to be widely deployed in wireless control and monitoring applications. Low power-usage allows longer life with smaller batteries. Mesh networking provides high reliability and more extensive range. ZigBee chip vendors typically sell integrated radios and microcontrollers with between 60 KB and 256 KB flash memory. ECE, SIETK 37
HACKING OF ELECTRONIC EQUIPMENTS
ZigBee operates in the industrial, scientific and medical (ISM) radio bands; 868 MHz in Europe, 915 MHz in the USA and Australia, and 2.4 GHz in most jurisdictions worldwide. Data transmission rates vary from 20 to 900 kilobits/second. The ZigBee network layer natively supports both star and tree typical networks, and generic mesh networks. Every network must have one coordinator device, tasked with its creation, the control of its parameters and basic maintenance. Within star networks, the coordinator must be the central node. Both trees and meshes allows the use of ZigBee routers to extend communication at the network level.
Fig No:2.9 ZigBee protocol stack ZigBee builds upon the physical layer and medium access control defined in IEEE standard 802.15.4 (2003 version) for low-rate WPANs. The specification goes on to complete the standard by adding four main components: network layer, application layer, ZigBee device objects (ZDOs) and manufacturer-defined application objects which allow for customization and favor total integration. Besides adding two high-level network layers to the underlying structure, the most significant improvement is the introduction of ZDOs. These are responsible for a number of tasks, which include keeping of device roles, management of requests to join a network, device discovery and security.ZigBee is not intended to support powerline networking but to interface with it at least for smart metering and smart appliance purposes.Because ZigBee nodes can go from sleep to active mode in 30 ms or less, the latency can be low and devices can be responsive, particularly compared to Bluetooth wake-up delays, which are
ECE, SIETK
38
HACKING OF ELECTRONIC EQUIPMENTS
typically around three seconds.Because ZigBee nodes can sleep most of the time, average power consumption can be low, resulting in long battery life.
Trademark and alliance
The ZigBee Alliance is a group of companies that maintain and publish the ZigBee standard. The term ZigBee is a registered trademark of this group, not a single technical standard. The Alliance publishes application profiles that allow multiple OEM vendors to create interoperable products. The relationship between IEEE 802.15.4 and ZigBee is similar to that between IEEE 802.11 and the Wi-Fi Alliance.
License
For non-commercial purposes, the ZigBee specification is available free to the general public. An entry level membership in the ZigBee Alliance, called Adopter, provides access to the as-yet unpublished specifications and permission to create products for market using the specifications.The requirements for membership in the Zigbee Alliance causes problems for open-source developers because the annual fee conflicts with the GNU General Public Licence. The requirement for the developer to join the ZigBee Alliance similarly conflicts with most other free software licenses.
2.11.3 Applications of Zigbee Technology
Applications of Zigbee Technology is not limited to a certain level but because of being cost-effective, low-power battery and wireless connectivity, this Zigbee technology is used in almost every appliance if not in all. Zigbee technology is programmed in a chip form and is used in many devices to function automatically. For controlling and monitoring a whole factory unit while sitting in one cabin is possible by using Zigbee technology. It centralizes all the units in one place and enables the remote monitoring.
ECE, SIETK
39
HACKING OF ELECTRONIC EQUIPMENTS
In a similar way, a home can be centralized by increasing the security aspect. Many small equipments are coming with embedded Zigbee technology chips and really works like a miracle.Zigbee technology is swiftly prevail the market by introducing devices like smoke and heat sensor, medical and scientific equipments, control units of home and industry and wireless communication devices.The revolutionize turn in the field of technology with the introduction of zigbee technology; the near future of Zigbee technology will prevail in almost every walk of life.
Uses
ZigBee protocols are intended for embedded applications requiring low data rates and low power consumption. The resulting network will use very small amounts of power individual devices must have a battery life of at least two years to pass ZigBee certification.
Protocols
The protocols build on recent algorithmic research (Ad-hoc On-demand Distance Vector, neuRFon) to automatically construct a low-speed ad-hoc network of nodes. In most large network instances, the network will be a cluster of clusters. It can also form a mesh or a single cluster. The current ZigBee protocols support beacon and non-beacon enabled networks.In non-beacon-enabled networks, an unslotted CSMA/CA channel access mechanism is used. In this type of network, ZigBee Routers typically have their receivers continuously active, requiring a more robust power supply. However, this allows for heterogeneous networks in which some devices receive continuously, while others only transmit when an external stimulus is detected. The typical example of a heterogeneous network is a wireless light switch: The ZigBee node at the lamp may receive constantly, since it is connected to the mains supply, while a battery-powered light switch would remain asleep until the switch is thrown. The switch then wakes up, sends a command to the lamp, receives an acknowledgment, and returns to sleep. In such a network the lamp node will be at least a ZigBee Router, if not the ZigBee Coordinator; the switch node is typically a ZigBee End Device.
ECE, SIETK
40
HACKING OF ELECTRONIC EQUIPMENTS
In beacon-enabled networks, the special network nodes called ZigBee Routers transmit periodic beacons to confirm their presence to other network nodes. Nodes may sleep between beacons, thus lowering their duty cycle and extending their battery life. Beacon intervals depend on data rate; they may range from 15.36 milliseconds to 251.65824 seconds at 250 kbit/s, from 24 milliseconds to 393.216 seconds at 40 kbit/s and from 48 milliseconds to 786.432 seconds at 20 kbit/s. However, low duty cycle operation with long beacon intervals requires precise timing, which can conflict with the need for low product cost. In general, the ZigBee protocols minimize the time the radio is on, so as to reduce power use. In beaconing networks, nodes only need to be active while a beacon is being transmitted. In non-beacon-enabled networks, power consumption is decidedly asymmetrical: some devices are always active, while others spend most of their time sleeping. Except for the Smart Energy Profile 2.0, ZigBee devices are required to conform to the IEEE 802.15.4-2003 Low-Rate Wireless Personal Area Network (LR-WPAN) standard. The standard specifies the lower protocol layersthe (physical layer) (PHY), and the (media access control) portion of the (data link layer (DLL)). The basic channel access mode is "carrier sense, multiple access/collision avoidance" (CSMA/CA). That is, the nodes talk in the same way that people converse; they briefly check to see that no one is talking before they start. There are three notable exceptions to the use of CSMA. Beacons are sent on a fixed timing schedule, and do not use CSMA. Message acknowledgments also do not use CSMA. Finally, devices in Beacon Oriented networks that have low latency real-time requirements may also use Guaranteed Time Slots (GTS), which by definition do not use CSMA.
2.12 Piezoelectronic Buzzers FEATURES:
The PS series are high-performance buzzers that employ unimorph piezoelectric elements and are designed for easy incorporation into various circuits. They feature extremely low power consumption in comparison to electromagnetic units.
ECE, SIETK
41
HACKING OF ELECTRONIC EQUIPMENTS
Because these buzzers are designed for external excitation, the same part can serve as both a musical tone oscillator and a buzzer. They can be used with automated inserters. Moisture-resistant models are also available. The lead wire type(PS1550L40N) with both-sided adhesive tape installed easily is prepared.
Application of Buzzers:
Electric ranges, washing machines, computer terminals, various devices that require speech synthesis output.
2.13 Keypad
Keyboards and LCDs are the most widely used input/output devices of the 8051, and a basic understanding of them is essential. In this section, we first discuss keyboard fundamentals, along with key press and key detection mechanisms, Then we show how a keyboard is interfaced to an 8051.
Interfacing the Keyboard to the 8051
At the lowest level, keyboards are organized in a matrix of rows and columns. The CPU accesses both rows and column through ports; therefore, with two 8-bit ports, an 8*8 matrix of keys can be connected to a microprocessor. When a key pressed, a row and column make a connect; otherwise, there is no connection between row and column. In IBM PC keyboards, a single microcontroller (consisting of microprocessor, RAM and EPROM, and several ports all on a single chip) takes care of software and hardware interfacing of keyboard. In such systems it is the function of programs stored in the EPROM of microcontroller to scan the keys continuously, identify which one has been activated, and present it to the motherboard. In this section we look at the mechanism by which the 8051 scans and identifies the key. Scanning and identifying the key
ECE, SIETK
42
HACKING OF ELECTRONIC EQUIPMENTS
The below Figure shows a 4*4 matrix connected to two ports. The rows are connected to an output port and the columns are connected to an input port. If no key has been pressed, reading the input port will yield 1s for all columns since they are all connected to high (Vcc) If all the rows are grounded and a key is pressed, one of the columns will have 0 since the key pressed provides the path to ground. It is the function of the microcontroller to scan the keyboard continuously to detect and identify the key pressed. How it is done is explained next.
Fig No:2.10 Grounding rows and reading columns
To detect a pressed key, the microcontroller grounds all rows by providing 0 to the output latch, and then it reads the columns. If the data read from the columns is D3D0=1111, no key has been pressed and the process continues until a key press is detected. However, if one of the column bits has a zero, this means that a key press has occurred. For example, if D3-D0=1101, this means that a key in the D1 column has been pressed. After a key press is detected, the microcontroller will go through the process of identifying the key. Starting with the top row, the microcontroller grounds it by providing a low to row D0 ECE, SIETK 43
HACKING OF ELECTRONIC EQUIPMENTS
only; then it reads the columns. If the data read is all1s, no key in that row is activated and the process is moved to the next row. It grounds the next row, reads the columns, and checks for any zero. This process continues until the row is identified. After identification of the row in which the key has been pressed, the next task is to find out which column the pressed key belongs to. This should be easy since the microcontroller knows at any time which row and column are being accessed. Assembly language program for detection and identification of key activation is given below. In this program, it is assumed that P1 and P2 are initialized as output and input, respectively. Program13.1 goes through the following four major stages:To make sure that the preceding key has been released, 0s are output to all rows at once, and the columns are read and checked repeatedly until all the columns are high. When all columns are found to be high, the program waits for a short amount of time before it goes to the next stage of waiting for a key to be pressed.To see if any key is pressed, the columns are scanned over and over in an infinite loop until one of them has a 0 on it. Remember that the output latches connected to rows still have their initial zeros (provided in stage 1), making them grounded. After the key press detection, it waits 20ms for the bounce and then scans the columns again. This serves two functions: (a) it ensures that the first key press detection was not an erroneous one due to spike noise, and(b) the 20ms delay prevents the same key press from being interpreted as a multiple key press. If after the 20-ms delay the key is still pressed, it goes to the next stage to detect which row it belongs to; otherwise, it goes back into the loop to detect a real key press To detect which row the key press belongs to, it grounds one row at a time, reading the columns each time. If it finds that all columns are high, this means that the key press cannot belong to that row; therefore, it grounds the next row and continues until it finds the row the key press belongs to. Upon finding the row that the key press belongs to, it sets up the starting address for the look-up table holding the scan codes (or the ASCII value) for that row and goes to the next stage to identify the key.
2.14 Micro Conrollers:
Microprocessors and microcontrollers are widely used in embedded systems products. Microcontroller is a programmable device. A microcontroller has a CPU in addition to a fixed amount of RAM, ROM, I/O ports and a timer embedded all on a single ECE, SIETK 44
HACKING OF ELECTRONIC EQUIPMENTS
chip. The fixed amount of on-chip ROM, RAM and number of I/O ports in microcontrollers makes them ideal for many applications in which cost and space are critical. The Intel 8052 is Harvard architecture, single chip microcontroller (C) which was developed by Intel in 1980 for use in embedded systems. It was popular in the 1980s and early 1990s, but today it has largely been superseded by a vast range of enhanced devices with 8052-compatible processor cores that are manufactured by more than 20 independent manufacturers including Atmel, Infineon Technologies and Maxim Integrated Products. 8052 is an 8-bit processor, meaning that the CPU can work on only 8 bits of data at a time. Data larger than 8 bits has to be broken into 8-bit pieces to be processed by the CPU. 8052 is available in different memory types such as UV-EPROM, Flash and NVRAM. The present project is implemented on Keil uVision. In order to program the device, proload tool has been used to burn the program onto the microcontroller.
FEATURES:
Compatible with MCS-51 Products 8K Bytes of In-System Programmable (ISP) Flash Memory Endurance: 1000 Write/Erase Cycles 4.0V to 5.5V Operating Range Fully Static Operation: 0 Hz to 33 MHz Three-level Program Memory Lock 256 x 8-bit Internal RAM 32 Programmable I/O Lines Three 16-bit Timer/Counters Eight Interrupt Sources Full Duplex UART Serial Channel Low-power Idle and Power-down Modes Interrupt Recovery from Power-down Mode Watchdog Timer Dual Data Pointer ECE, SIETK 45
HACKING OF ELECTRONIC EQUIPMENTS
Power-off Flag
Fig 2.11 AT89S52 Micro Controller
DESCRIPTION:
The AT89S52 is a low-power, high-performance CMOS 8-bit microcontroller with 8K bytes of in-system programmable Flash memory. The device is manufactured using Atmels high-density nonvolatile memory technology and is compatible with the industry- standard 80C51 instruction set and pinout. The on-chip Flash allows the program memory to be reprogrammed in-system or by a conventional nonvolatile memory programmer. By combining a versatile 8-bit CPU with in-system programmable Flash on a monolithic chip, the Atmel AT89S52 is a powerful microcontroller which provides a highly-flexible and cost-effective solution to many embedded control applications. The AT89S52 provides the following standard features: 8K bytes of Flash, 256 bytes of RAM, 32 I/O lines, Watchdog timer, two data pointers, three 16-bit timer/counters, a six-vector two-level interrupt architecture, a full duplex serial port, on-chip oscillator, and clock circuitry. In addition, the AT89S52 is designed with static logic for operation down to zero frequency and supports two software selectable power saving modes.The Idle Mode stops the CPU while allowing the RAM, timer/counters, serial port, and interrupt system to continue functioning. The Power-down mode saves the RAM contents but freezes the oscillator, disabling all other chip functions until the next interrupt or hardware reset.
ECE, SIETK
46
HACKING OF ELECTRONIC EQUIPMENTS
2.13.1 PIN CONFIGURATION:
Fig 2.12 Pin diagram of AT89S52 Micro Controller
VCC:
Supply voltage.
GND:
Ground.
Port 0:
Port 0 is an 8-bit open drain bidirectional I/O port. As an output port, each pin can sink eight TTL inputs. When 1s are written to port 0 pins, the pins can be used as high impedance inputs. Port 0 can also be configured to be the multiplexed low order address/data bus during accesses to external program and data memory. In this mode, P0 has internal pullups. Port 0 also receives the code bytes during Flash programming and outputs the code bytes during program verification. External pullups are required during program verification.
Port 1:
ECE, SIETK 47
HACKING OF ELECTRONIC EQUIPMENTS
Port 1 is an 8-bit bidirectional I/O port with internal pullups. The Port 1 output buffers can sink/source four TTL inputs. When 1s are written to Port 1 pins, they are pulled high by the internal pullups and can be used as inputs. As inputs, Port 1 pins that are externally being pulled low will source current (IIL) because of the internal pullups. In addition, P1.0 and P1.1 can be configured to be the timer/counter 2 external count input (P1.0/T2) and the timer/counter 2 trigger input (P1.1/T2EX), respectively, as shown in the following table. Port 1 also receives the low-order address bytes during Flash programming and verification.
Port 2:
Port 2 is an 8-bit bidirectional I/O port with internal pull-ups. The Port 2 output buffers can sink/source four TTL inputs. When 1s are written to Port 2 pins, they are pulled high by the internal pull-ups and can be used as inputs. As inputs, Port 2 pins that are externally being pulled low will source current (IIL) because of the internal pull-ups. Port 2 emits the high-order address byte during fetches from external program memory and during accesses to external data memory that uses 16-bit addresses (MOVX @ DPTR). In this application, Port 2 uses strong internal pull-ups when emitting 1s. During accesses to external data memories that use 8-bit addresses (MOVX @ RI), Port 2 emits the contents of the P2 Special Function Register. Port 2 also receives the high-order address bits and some control signals during Flash programming and verification.
Table 2.3: Port 1 Pin Description
Port Pin
P1.0
Alternate Functions
T2(external count input to timer/counter 2), Clock out
P1.1
T2EX(timer/counter 2 capture/reload trigger And direction control) MOSI(used for in-system programming)
P1.5
ECE, SIETK
48
HACKING OF ELECTRONIC EQUIPMENTS
P1.6 P1.7
MISO(used for in-system programming) SCK (used for in-system programming)
Port 3:
Port 3 is an 8-bit bidirectional I/O port with internal pull-ups. The Port 3 output buffers can sink/source four TTL inputs. When 1s are written to Port 3 pins, they are pulled high by the internal pull-ups and can be used as inputs. As inputs, Port 3 pins that are externally being pulled low will source current (IIL) because of the pull-ups. Port 3 also serves the functions of various special features of the AT89S52, as shown in the following table. Table 2.4: Port 3 Pin Description
Port Pin
P3.0 P3.1 P3.2 P3.3
Alternate Functions
RXD(Serial input port) TXD(Serial output port) INT0(External interrupt 0) INT1(External interrupt 1)
P3.4 T0(Timer 0 external input)
RST:
Reset input. A high on this pin for two machine cycles while the oscillator is running resets the device. This pin drives High for 96 oscillator periods after the Watchdog times out. The DISRTO bit in SFR AUXR (address 8EH) can be used to disable this feature. In the default state of bit DISRTO, the RESET HIGH out feature is enabled.
ALE/PROG:
Address Latch Enable (ALE) is an output pulse for latching the low byte of the address during accesses to external memory. This pin is also the program pulse input (PROG) during Flash programming. In normal operation, ALE is emitted at a constant rate ECE, SIETK 49
HACKING OF ELECTRONIC EQUIPMENTS
of 1/6 the oscillator frequency and may be used for external timing or clocking purposes. Note, however, that one ALE pulse is skipped during each access to external data memory. If desired, ALE operation can be disabled by setting bit 0 of SFR location 8EH. With the bit set, ALE is active only during a MOVX or MOVC instruction. Otherwise, the pin is weakly pulled high. Setting the ALE-disable bit has no effect if the microcontroller is in external execution mode.
PSEN:
Program Store Enable (PSEN) is the read strobe to external program memory. When the AT89S52 is executing code from external program memory, PSEN is activated twice each machine cycle, except that two PSEN activations are skipped during each access to external data memory.
EA/VPP:
External Access Enable. EA must be strapped to GND in order to enable the device to fetch code from external program memory locations starting at 0000H up to FFFFH. Note, however, that if lock bit 1 is programmed, EA will be internally latched on reset.EA should be strapped to VCC for internal program executions. This pin also receives the 12-volt programming enable voltage (VPP) during Flash programming.
XTAL1:
Input to the inverting oscillator amplifier and input to the internal clock operating circuit.
XTAL2:
Output from the inverting oscillator amplifier.XTAL1 and XTAL2 are the input and output, respectively, of an inverting amplifier that can be configured for use as an onchip oscillator, as shown in Figure. Either a quartz crystal or ceramic resonator may be used. To drive the device from an external clock source, XTAL2 should be left unconnected while XTAL1 is driven, as shown in the below figure. There are no ECE, SIETK 50
HACKING OF ELECTRONIC EQUIPMENTS
requirements on the duty cycle of the external clock signal, since the input to the internal clocking circuitry is through a divide-by-two flip-flop, but minimum and maximum voltage high and low time specifications must be observed.
CHAPTER 3 SOFTWARE DESCRIPTION 3.1 KEIL SOFTWARE:
Keil compiler is a software used where the machine language code is written and compiled. After compilation, the machine source code is converted into hex code which is to be dumped into the microcontroller for further processing. Keil compiler also supports C language code.
STEPS TO WRITE AN ASSEMBLY LANGUAGE PROGRAM IN KEIL AND HOW TO COMPILE IT:
ECE, SIETK 51
HACKING OF ELECTRONIC EQUIPMENTS
1. Install the Keil Software in the PC in any of the drives. 2. After installation, an icon will be created with the name Keil uVision3. Just drag this icon onto the desktop so that it becomes easy whenever you try to write programs in keil. 3. Double click on this icon to start the keil compiler. 4. A page opens with different options in it showing the project workspace at the leftmost corner side, output window in the bottom and an ash coloured space for the program to be written. 5. Now to start using the keil, click on the option project. 6. A small window opens showing the options like new project, import project, open project etc. Click on New project. 7. A small window with the title bar Create new project opens. The window asks the user to give the project name with which it should be created and the destination location. The project can be created in any of the drives available. You can create a new folder and then a new file or can create directly a new file. 8. After the file is saved in the given destination location, a window opens where a list of vendors will be displayed and you have to select the device for the target you have created. 9. The most widely used vendor is Atmel. So click on Atmel and now the family of microcontrollers manufactured by Atmel opens. You can select any one of the microcontrollers according to the requirement. 10. When you click on any one of the microcontrollers, the features of that particular microcontroller will be displayed on the right side of the page. The most appropriate microcontroller with which most of the projects can be implemented is the AT89C51. Click on this microcontroller and have a look at its features. Now click on OK to select this microcontroller. 11. A small window opens asking whether to copy the startup code into the file you have created just now. Just click on No to proceed further. 12. Now you can see the TARGET and SOURCE GROUP created in the project workspace.
ECE, SIETK
52
HACKING OF ELECTRONIC EQUIPMENTS
13. Now click on File and in that New. A new page opens and you can start writing program in it. 14. After the program is completed, save it with any name but with the .asm extension. Save the program in the file you have created earlier. 15. You can notice that after you save the program, the predefined keywords will be highlighted in bold letters. 16. Now add this file to the target by giving a right click on the source group. A list of options open and in that select Add files to the source group. Check for this file where you have saved and add it. 17. Right click on the target and select the first option Options for target. A window opens with different options like device, target, output etc. First click on target. 18. Since the set frequency of the microcontroller is 11.0592 MHz to interface with the PC, just enter this frequency value in the Xtal (MHz) text area and put a tick on the Use on-chip ROM. This is because the program what we write here in the keil will later be dumped into the microcontroller and will be stored in the inbuilt ROM in the microcontroller. 19. Now click the option Output and give any name to the hex file to be created in the Name of executable text area and put a tick to the Create HEX file option present in the same window. The hex file can be created in any of the drives. You can change the folder by clicking on Select folder for Objects. 20. Now to check whether the program you have written is errorless or not, click on the icon exactly below the Open file icon which is nothing but Build Target icon. You can even use the shortcut key F7 to compile the program written. 21. To check for the output, there are several windows like serial window, memory window, project window etc. Depending on the program you have written, select the appropriate window to see the output by entering into debug mode. 22. The icon with the letter d indicates the debug mode. 23. Click on this icon and now click on the option View and select the appropriate window to check for the output. 24. After this is done, click the icon debug again to come out of the debug mode.
ECE, SIETK
53
HACKING OF ELECTRONIC EQUIPMENTS
The hex file created as shown earlier will be dumped into the microcontroller with the help of another software called Proload
3.2 PROLOAD
Proload is software which accepts only hex files. Once the machine code is converted into hex code, that hex code has to be dumped into the microcontroller and this is done by the Proload. Proload is a programmer which itself contains a microcontroller in it other than the one which is to be programmed. This microcontroller has a program in it written in such a way that it accepts the hex file from the Keil compiler and dumps this hex file into the microcontroller which is to be programmed. As the Proload programmer kit requires power supply to be operated, this power supply is given from the power supply circuit designed above. It should be noted that this programmer kit contains a power supply section in the board itself but in order to switch on that power supply, a source is required. Thus this is accomplished from the power supply board with an output of 12volts.
Fig 3.1 Atmel 8051 device programmer
Features
Supports major Atmel 89 series devices Auto Identify connected hardware and devices Error checking and verification in-built Lock of programs in chip supported to prevent program copying 20 and 40 pin ZIF socket on-board Auto Erase before writing and Auto Verify after writing Informative status bar and access to latest programmed file
ECE, SIETK
54
HACKING OF ELECTRONIC EQUIPMENTS
Simple and Easy to use Works on 57600 speed
Description
It is simple to use and low cost, yet powerful flash microcontroller programmer for the Atmel 89 series. It will Program, Read and Verify Code Data, Write Lock Bits, Erase and Blank Check. All fuse and lock bits are programmable. This programmer has intelligent onboard firmware and connects to the serial port. It can be used with any type of computer and requires no special hardware. All that is needed is a serial communication ports which all computers have.All devices have signature bytes that the programmer reads to automatically identify the chip. No need to select the device type, just plug it in and go! All devices also have a number of lock bits to provide various levels of software and programming protection. These lock bits are fully programmable using this programmer. Lock bits are useful to protect the program to be read back from microcontroller only allowing erase to reprogram the microcontroller. The programmer connects to a host computer using a standard RS232 serial port. All the programming 'intelligence' is built into the programmer so you do not need any special hardware to run it. Programmer comes with window based software for easy programming of the devices.
ECE, SIETK
55
HACKING OF ELECTRONIC EQUIPMENTS
PROGRAMMING SOFTWARE
Computer side software called 'Proload V4.1' is executed that accepts the Intel HEX format file generated from compiler to be sent to target microcontroller. It auto detects the hardware connected to the serial port. It also auto detects the chip inserted and bytes used. Software is developed in Delphi 7 and requires no overhead of any external DLL.
3.3 Advantages
Easy to implement Low power consumption Cost effective Directions
ECE, SIETK
56
HACKING OF ELECTRONIC EQUIPMENTS
Fig no:3.2 Writing the Program bytes on to the Microcontroller
3.4APPLICATIONS
Asset tracking Passports Security and access control Government library Document , people tracking Health care Transportation payments Supply chain management Retailing
CHAPTER 4
ECE, SIETK 57
HACKING OF ELECTRONIC EQUIPMENTS
PROJECT IMPLEMENTATION 4.1Block Diagram of Transmitter:
MEMS sensor
ADC
LCD
Fig 4.1 Transmitter block diagram CRYSTAL MICRO OSC CONTROLLER Equipments are The main parts in the Hacking of Electronics RESET 1. MEMS Sensor 2. ZIGBEE Module 3. ADC 4. LCD 5. EEPROM 6. MAX232 7. Crystal oscillator 8. Keypad 9. Micro controller 10. Reset MAX 232 ZIGBEE MODULE
EEPROM
Description:
The project Hacking of electronic equipments consists of MEMS Sensor, power supply, and ZIGBEE module. If any body is going to theft any of the electronic equipment like Pc, Mobile e.t.c. The MEMS Sensor will detect the vibration of that equipment and ECE, SIETK 58
HACKING OF ELECTRONIC EQUIPMENTS
sends the signal to microcontroller.ADC is present between MEMS sensor and microcontroller which is used to convert voltage in to 0s and 1s.The controller compares the voltages of the Signal and transmit through the Zigbee communication. The output of the microcontroller is displayed on the LCD and MAX 232 acts as an interfacing between microcontroller and Zigbee module. EPROM is used to store the data and it is a non volatile memory. Here MEMS accelerometer, Serial EEPROM memory, serial LCD display acts as Slave devices. In this Project three Individual keys are used to perform operations like 1.City Road Guiding Equipment 2.Preventing Train Accident 3.Hacking of Electronic Equipments
1. City Road Guide Equipment
In city road guide equipment, the device aims at informing people about the City Bus numbers for the places they wish to go. By pressing City road guiding key, the system performs the respected operation.
2. Preventing Train Accidents
In this operation if any damage occurs to bridge or Railway track the MEMS sensor sends the voltage of signals and then send to ZIGBEE receiver and it displays on the LCD.
4.2 Block Diagram of Receiver:
LCD
Keypad
RESET
MAX 232 Micro controller
Zigbee Module
The zig bee
Crystal ECE, SIETK Oscillator Buzzer 59
HACKING OF ELECTRONIC EQUIPMENTS
Fig 4.2 Receiver block diagram
Description
The ZIGBEE receiver receives the data and it will show on the
LCD.Microcontroller reads the status of LCD, if any moment in an unauthorized way, intiates a sequence of events like audible alert through a buzzer, Disable further operation of the system. After receiving the data system can easily lock through keypad by pressing key. The system remains in this state until the remote control unit transmits an emergency password.
4.3 REGULATED POWER SUPPLY:
230V AC 50Hz
D.C Output
Step down transformer
Bridge Rectifier
Filter
Regulator
Fig 4.3 Regulated power supply The input to the circuit is applied from the regulated power supply. The a.c. input i.e., 230V from the mains supply is step down by the transformer to 12V and is fed to a rectifier. The output obtained from the rectifier is a pulsating d.c voltage. So in order to get a pure d.c voltage, the output voltage from the rectifier is fed to a filter to remove any a.c components present even after rectification. Now, this voltage is given to a voltage regulator to obtain a pure constant dc voltage.
Transformer:
ECE, SIETK 60
HACKING OF ELECTRONIC EQUIPMENTS
Usually, DC voltages are required to operate various electronic equipment and these voltages are 5V, 9V or 12V. But these voltages cannot be obtained directly. Thus the a.c input available at the mains supply i.e., 230V is to be brought down to the required voltage level. This is done by a transformer. Thus, a step down transformer is employed to decrease the voltage to a required level.
Fig Transformer
4.4
Rectifier:
The output from the transformer is fed to the rectifier. It converts A.C. into pulsating D.C. The rectifier may be a half wave or a full wave rectifier. In this project, a bridge rectifier is used because of its merits like good stability and full wave rectification.
Fig 4.5 Bridge rectifier circuit The Bridge rectifier is a circuit, which converts an ac voltage to dc voltage using both half cycles of the input ac voltage. The Bridge rectifier circuit is shown in the figure. The circuit has four diodes connected to form a bridge. The ac input voltage is applied to the diagonally opposite ends of the bridge. The load resistance is connected between the other two ends of the bridge.For the positive half cycle of the input ac voltage, diodes D1 and D3 conduct, whereas diodes D2 and D4 remain in the OFF state. The conducting ECE, SIETK 61
HACKING OF ELECTRONIC EQUIPMENTS
diodes will be in series with the load resistance RL and hence the load current flows through RL.For the negative half cycle of the input ac voltage, diodes D2 and D4 conduct whereas, D1 and D3 remain OFF. The conducting diodes D2 and D4 will be in series with the load resistance RL and hence the current flows through RL in the same direction as in the previous half cycle. Thus a bi-directional wave is converted into a unidirectional wave.
Filter:
Capacitive filter is used in this project. It removes the ripples from the output of rectifier and smoothens the D.C. Output voltage received at this point changes. received from this filter is constant until the mains voltage and load is maintained constant. However, if either of the two is varied, D.C.
CHAPERT 5 RESULT 5.1 Transmitter Section
The HACKING OF ELECTRONIC EQUIPMENTS consist of three modes of operation and it perfoms remaining two operations by using switches ane reset button is used to exit from one state to another and it automatically perfoms the first operation.
ECE, SIETK
62
HACKING OF ELECTRONIC EQUIPMENTS
Fig No:5.1 Transmitter section The above figure perfoms the operation of hacking of electronic equipments.Here the MEMS sensor senses the changes in the position of the device and sends the data to the zigbee module through the interfacing i.e,MAX232.In LCD it displays the voltage of the signals. It perfoms another two operations along with hacking of electronic equipments.The operation is perfoming CITY ROADGUIDING and another operation is PREVENTION OF TRAIN ACCIDENTS
ECE, SIETK
63
HACKING OF ELECTRONIC EQUIPMENTS
Fig No:5.2 City road guiding In city road guiding four switches are used and data is already stored by using the keil software.By pressing the first key it displays the message on the LCD which is already dumped into the program.Like this pressing the remaining keys it displays the message related to that switch.
Fig No 5.3:Prvention of train accidents In prevention of train accidents,the message displays on the receiver section i.e, the bridge is weak.It receives the information from the transmitter section. ECE, SIETK 64
HACKING OF ELECTRONIC EQUIPMENTS
5.2 Receiver Section
Fig No 5.4: Receiver section The above figure displays the output of the project.It means the Zigbee receiver receives the data and it will show in the LCD.After receiving data th ststem can lock through Keypad by pressing key and it produces a buzzer sound.
ECE, SIETK
65
HACKING OF ELECTRONIC EQUIPMENTS
CONCLUSION
As modern electronic goods such as computers, mobile phones, portable players, laptops and palmtops are becoming smaller and more sophisticated, they can be more easily targeted for theft in the home and business environment.In existing system,the devices used are bulkier and it cannot be easily integrated with the existing compact electronic systems. Our project overcomes the drawbacks of present systems. It takes advantage of the dramatic advances in micro machined semiconductor product technology and employs a tri axis micro machined accelerometer integrated on a chip which is mounted into the system to be protected. MEMS accelerometer can sense motion on all the 3 axes. The main advantage of our project is, The system remains in this state until the remote control unit transmits an emergency password which must match the 10 digit device identification number stored in the nonvolatile memory space.
Advantages
Automated operation. Easy to find out the thief , who was thefted our equipment. Costless. Alert a control unit at a remote location through a zigbee wireless modem. Inbuilt Small in size
Applications
Office automation. Milatary. Security. Medical field. Finance. Prevention of accidents Public places 66
ECE, SIETK
HACKING OF ELECTRONIC EQUIPMENTS
Future Scope
ECE, SIETK
67
HACKING OF ELECTRONIC EQUIPMENTS
BIBILOGRAPHY
ECE, SIETK
68
HACKING OF ELECTRONIC EQUIPMENTS
APPENDECIES Microelectromechanical systems (MEMS)
The technology of very small mechanical devices driven by electricity; it merges at the nano-scale into nanoelectromechanical systems (NEMS) and nanotechnology. MEMS are also referred to as micromachines (in Japan), or micro systems technology MST (in Europe). MEMS are separate and distinct from the hypothetical vision of molecular nanotechnology or molecular electronics. MEMS are made up of components between 1 to 100 micrometres in size (i.e. 0.001 to 0.1 mm) and MEMS devices generally range in size from 20 micrometres (20 millionths of a metre) to a millimetre. They usually consist of a central unit that processes data, the microprocessor and several components that interact with the outside such as microsensors.[1] At these size scales, the standard constructs of classical physics are not always useful. Because of the large surface area to volume ratio of MEMS, surface effects such as electrostatics and wetting dominate volume effects such as inertia or thermal mass. The potential of very small machines was appreciated before the technology existed that could make themsee, for example, Richard Feynman's famous 1959 lecture There's Plenty of Room at the Bottom. MEMS became practical once they could be fabricated using modified semiconductor device fabrication technologies, normally used to make electronics. These include molding and plating, wet etching (KOH, TMAH) and dry etching (RIE and DRIE), electro discharge machining (EDM), and other technologies capable of manufacturing small devices. An early example of a MEMS device is the resonistor an electromechanical monolithic resonator.
Materials for MEMS manufacturing
The fabrication of MEMS derived from the process technology in semiconductor device fabrication, i.e. the basic techniques are deposition of material layers, patterning by photolithography and etching to produce the required shapes. ECE, SIETK 69
HACKING OF ELECTRONIC EQUIPMENTS
Silicon
Silicon is the material used to create most integrated circuits used in consumer electronics in the modern world. The economies of scale, ready availability of cheap highquality materials and ability to incorporate electronic functionality make silicon attractive for a wide variety of MEMS applications. Silicon also has significant advantages engendered through its material properties. In single crystal form, silicon is an almost perfect Hookean material, meaning that when it is flexed there is virtually no hysteresis and hence almost no energy dissipation. As well as making for highly repeatable motion, this also makes silicon very reliable as it suffers very little fatigue and can have service lifetimes in the range of billions to trillions of cycles without breaking.
Polymers
Even though the electronics industry provides an economy of scale for the silicon industry, crystalline silicon is still a complex and relatively expensive material to produce. Polymers on the other hand can be produced in huge volumes, with a great variety of material characteristics. MEMS devices can be made from polymers by processes such as injection molding, embossing or stereolithography and are especially well suited to microfluidic applications such as disposable blood testing cartridges.
Metals
Metals can also be used to create MEMS elements. While metals do not have some of the advantages displayed by silicon in terms of mechanical properties, when used within their limitations, metals can exhibit very high degrees of reliability. Metals can be deposited by electroplating, evaporation, and sputtering processes.
Ceramics
The nitrides of silicon, aluminium and titanium as well as silicon carbide and other ceramics are increasingly applied in MEMS fabrication due to advantageous combinations of material properties. AlN crystallizes in the wurtzite structure and thus shows ECE, SIETK 70
HACKING OF ELECTRONIC EQUIPMENTS
pyroelectric and piezoelectric properties enabling sensors, for instance, with sensitivity to normal and shear forces.[5] TiN, on the other hand, exhibits a high electrical conductivity and large elastic modulus allowing to realize electrostatic MEMS actuation schemes with ultrathin membranes.[6] Moreover, the high resistance of TiN against biocorrosion qualifies the material for applications in biogenic environments and in biosensors.
MEMS basic processes Deposition processes
One of the basic building blocks in MEMS processing is the ability to deposit thin films of material with a thickness anywhere between a few nanometres to about 100 micrometres.
Physical deposition
There are two types of physical deposition processes.They are as follows.
Physical vapor deposition (PVD)
Physical vapor deposition consists of a process in which a material is removed from a target, and deposited on a surface. Techniques to do this include the process of sputtering, in which an ion beam liberates atoms from a target, allowing them to move through the intervening space and deposit on the desired substrate, and Evaporation (deposition), in which a material is evaporated from a target using either heat (thermal evaporation) or an electron beam (e-beam evaporation) in a vacuum system.
Chemical deposition
Chemical deposition techniques include chemical vapor deposition ("CVD"), in which a stream of source gas reacts on the substrate to grow the material desired. This can be further divided into categories depending on the details of the technique, for example,
ECE, SIETK
71
HACKING OF ELECTRONIC EQUIPMENTS
LPCVD (Low Pressure chemical vapor deposition) and PECVD (Plasma Enhanced chemical vapor deposition). Oxide films can also be grown by the technique of thermal oxidation, in which the (typically silicon) wafer is exposed to oxygen and/or steam, to grow a thin surface layer of silicon dioxide.
Embedded C language
Embedded C is a set of language extensions for the C Programming language by the C Standards committee to address commonality issues that exist between C extensions for different embedded systems. Historically, embedded C programming requires nonstandard extensions to the C language in order to support exotic features such as fixedpoint arithmetic, multiple distinct memory banks, and basic I/O operations. The C programming language is perhaps the most popular programming language for programming embedded systems. We mentioned other popular programming languages). Most C programmers are spoiled because they program in environments where not only there is a standard library implementation, but there are frequently a number of other libraries available for use. The cold fact is, that in embedded systems, there rarely are many of the libraries that programmers have grown used to, but occasionally an embedded system might not have a complete standard library, if there is a standard library at all. Few embedded systems have capability for dynamic linking, so if standard library functions are to be available at all, they often need to be directly linked into the executable. Oftentimes, because of space concerns, it is not possible to link in an entire library file, and programmers are often forced to "brew their own" standard c library implementations if they want to use them at all. While some libraries are bulky and not well suited for use on microcontrollers, many development systems still include the standard libraries which are the most common for C programmers. C remains a very popular language for micro-controller developers due to the code efficiency and reduced overhead and development time. C offers low-level control and is considered more readable than assembly. Many free C compilers are available for a wide variety of development platforms. The compilers are part of an IDEs with ICD support, ECE, SIETK 72
HACKING OF ELECTRONIC EQUIPMENTS
breakpoints, single-stepping and an assembly window. The performance of C compilers has improved considerably in recent years, and they are claimed to be more or less as good as assembly, depending on who you ask. Most tools now offer options for customizing the compiler optimization. Additionally, using C increases portability, since C code can be compiled for different types of processors.
Special Function Registers
A map of the on-chip memory area called the Special Function Register (SFR) space is shown in the following table. It should be noted that not all of the addresses are occupied and unoccupied addresses may not be implemented on the chip. Read accesses to these addresses will in general return random data, and write accesses will have an indeterminate effect. User software should not write 1s to these unlisted locations, since they may be used in future products to invoke new features. In that case, the reset or inactive values of the new bits will always be 0.
Timer 2 Registers
Control and status bits are contained in registers T2CON and T2MOD for Timer 2. The register pair (RCAP2H, RCAP2L) is the Capture/Reload register for Timer 2 in 16-bit capture mode or 16-bit auto-reload mode.
ECE, SIETK
73
HACKING OF ELECTRONIC EQUIPMENTS
Dual Data Pointer Registers
To facilitate accessing both internal and external data memory, two banks of 16-bit Data Pointer Registers are provided: DP0 at SFR address locations 82H-83H and DP1 at 84H and 85H. Bit DPS = 0 in SFR AUXR1 selects DP0 and DPS = 1 selects DP1. The user should ALWAYS initialize the DPS bit to the appropriate value before accessing the respective Data Pointer Register.
Memory Organization
MCS-51 devices have a separate address space for Program and Data Memory. Up to 64K bytes each of external Program and Data Memory can be addressed.
Program Memory
If the EA pin is connected to GND, all program fetches are directed to external memory. On the AT89S52, if EA is connected to VCC, program fetches to addresses 0000H through 1FFFH are directed to internal memory and fetches to addresses 2000H through FFFFH are to external memory.
Data Memory
The AT89S52 implements 256 bytes of on-chip RAM. The upper 128 byte occupy a parallel address space to the Special Function Registers. This means that the upper 128 bytes have the same addresses as the SFR space but are physically separate from SFR space. When an instruction accesses an internal location above address 7FH, the address mode used in the instruction specifies whether the CPU accesses the upper 128 bytes of RAM or the SFR space. Instructions which use direct addressing access the SFR space.
UART
The Atmel 8051 Microcontrollers implement three general purpose, 16-bit timers/ counters. They are identified as Timer 0, Timer 1 and Timer 2 and can be independently configured to operate in a variety of modes as a timer or as an event counter. When operating as a timer, the timer/counter runs for a programmed length of time and then issues an interrupt request. When operating as a counter, the timer/counter counts negative ECE, SIETK 74
HACKING OF ELECTRONIC EQUIPMENTS
transitions on an external pin. After a preset number of counts, the counter issues an interrupt request. The various operating modes of each timer/counter are described in the following sections. A basic operation consists of timer registers THx and TLx (x= 0, 1) connected in cascade to form a 16-bit timer. Setting the run control bit (TRx) in TCON register turns the timer on by allowing the selected input to increment TLx. When TLx overflows it increments THx; when THx overflows it sets the timer overflow flag (TFx) in TCON register. Setting the TRx does not clear the THx and TLx timer registers. Timer registers can be accessed to obtain the current count or to enter preset values. They can be read at any time but TRx bit must be cleared to preset their values, otherwise the behavior of the timer/counter is unpredictable. Since it takes 2 cycles (12 peripheral clock periods) to recognize a negative transition, the maximum count rate is FPER / 12, i.e. FOSC / 24 in standard mode or FOSC / 12 in X2 mode. There are no restrictions on the duty cycle of the external input signal, but to ensure that a given level is sampled at least once before it changes, it should be held for at least one full peripheral cycle. In addition to the timer or counter selection, Timer 0 and Timer 1 have four operating modes from which to select which are selected by bitpairs (M1, M0) in TMOD. Modes 0, 1and 2 are the same for both timer/counters. Mode 3 is different. The four operating modes are described below. Timer 2, has three modes of operation: capture, auto-reload and baud rate generator.
Timer 0
Timer 0 functions as either a timer or event counter in four modes of operation. Timer 0 is controlled by the four lower bits of the TMOD register and bits 0, 1, 4 and 5 of the TCON register. TMOD register selects the method of timer gating (GATE0), timer or counter operation (T/C0#) and mode of operation (M10 and M00). The TCON register provides timer 0 control functions: overflow flag (TF0), run control bit (TR0), interrupt flag (IE0) and interrupt type control bit (IT0). For normal timer operation (GATE0= 0), setting TR0 allows TL0 to be incremented by the selected input. Setting GATE0 and TR0 allows external pin INT0# to control timer operation.
ECE, SIETK
75
HACKING OF ELECTRONIC EQUIPMENTS
Timer 0 overflow (count rolls over from all 1s to all 0s) sets TF0 flag, generating an interrupt request. It is important to stop timer/counter before changing mode.
Timer 1
Timer 1 is identical to timer 0, except for mode 3, which is a hold-count mode. The following comments help to understand the differences: Timer 1 functions as either a timer or event counter in three modes of operation. Timer 1s mode 3 is a hold-count mode. Timer 1 is controlled by the four high-order bits of the TMOD register and bits 2, 3, 6 and 7 of the TCON register. The TMOD register selects the method of timer gating (GATE1), timer or counter operation (C/T1#) and mode of operation (M11 and M01). The TCON register provides timer 1 control functions: overflow flag (TF1), run control bit (TR1), interrupt flag (IE1) and interrupt type control bit (IT1). Timer 1 can serve as the baud rate generator for the serial port. Mode 2 is best suited for this purpose.
Timer 2
Timer 2 is a 16-bit Timer/Counter that can operate as either a timer or an event counter. The type of operation is selected by bit C/T2 in the SFR T2CON. Timer 2 has three operating modes: capture, auto-reload (up or down counting), and baud rate generator. The modes are selected by bits in T2CON. Timer 2 consists of two 8-bit registers, TH2 and TL2. In the Timer function, the TL2 register is incremented every machine cycle. Since a machine cycle consists of 12 oscillator periods, the count rate is 1/12 of the oscillator frequency.
ECE, SIETK
76
You might also like
- Unit-1 - 6703 Embedded and Real Time Systems100% (5)Unit-1 - 6703 Embedded and Real Time Systems167 pages
- Embedded and Real-Time Operating Systems: Course Code: 70439No ratings yetEmbedded and Real-Time Operating Systems: Course Code: 7043976 pages
- 67.remote Home Security System Based On WSN and GSM TechnologyNo ratings yet67.remote Home Security System Based On WSN and GSM Technology80 pages
- Embedded System - Question Bank (BE-ECE, VII Semester, R2008)100% (2)Embedded System - Question Bank (BE-ECE, VII Semester, R2008)52 pages
- CISC Is An Acronym For Complex Instruction Set ComputerNo ratings yetCISC Is An Acronym For Complex Instruction Set Computer44 pages
- Unit-1 - Embedded System - Dr. M. R. ArunNo ratings yetUnit-1 - Embedded System - Dr. M. R. Arun164 pages
- Embedded Systems Btcse-Oe43: By: Naved Alam Assistant Professor (ECE) SEST, Jamia HamdardNo ratings yetEmbedded Systems Btcse-Oe43: By: Naved Alam Assistant Professor (ECE) SEST, Jamia Hamdard42 pages
- Finger Print Based Electronic Voting Machine100% (1)Finger Print Based Electronic Voting Machine88 pages
- Unit I Part 1 Introduction Design MethodologiesNo ratings yetUnit I Part 1 Introduction Design Methodologies46 pages
- Face Recognization Based Car Security SystemNo ratings yetFace Recognization Based Car Security System86 pages
- What Is An Embedded System?: Laser PrinterNo ratings yetWhat Is An Embedded System?: Laser Printer9 pages
- Embedded Systems: C.Sathyanathan J.Siddarth 9003841021No ratings yetEmbedded Systems: C.Sathyanathan J.Siddarth 900384102122 pages
- Ece Vii Embedded System Design (10ec74) Notes75% (8)Ece Vii Embedded System Design (10ec74) Notes110 pages
- Embedded System Development Trends: December 2006No ratings yetEmbedded System Development Trends: December 200611 pages
- CLASS 1-Complex Systems and Micro ProcessorsNo ratings yetCLASS 1-Complex Systems and Micro Processors21 pages
- An Embedded System Is A Computer System Designed To Perform One or A Few Dedicated FunctionsNo ratings yetAn Embedded System Is A Computer System Designed To Perform One or A Few Dedicated Functions13 pages
- Digital Electronics, Computer Architecture and Microprocessor Design PrinciplesFrom EverandDigital Electronics, Computer Architecture and Microprocessor Design PrinciplesNo ratings yet
- Embedded Systems Programming with C++: Real-World TechniquesFrom EverandEmbedded Systems Programming with C++: Real-World TechniquesNo ratings yet
- Embedded Systems Programming with C: Writing Code for MicrocontrollersFrom EverandEmbedded Systems Programming with C: Writing Code for MicrocontrollersNo ratings yet
- Mastering Embedded C: The Ultimate Guide to Building Efficient SystemsFrom EverandMastering Embedded C: The Ultimate Guide to Building Efficient SystemsNo ratings yet
- Principles of Information Security, Fourth EditionNo ratings yetPrinciples of Information Security, Fourth Edition54 pages
- Imagerunner Advance 6500 Iii Series: Black-And-White - Mid-To High-Volume - MultifunctionNo ratings yetImagerunner Advance 6500 Iii Series: Black-And-White - Mid-To High-Volume - Multifunction4 pages
- Cloud Resource Management and SchedulingNo ratings yetCloud Resource Management and Scheduling22 pages
- Cloud Computing Identity As A Service (IDaaS)No ratings yetCloud Computing Identity As A Service (IDaaS)4 pages
- Planning Engineer or Business Analyst or Data Analyst or PlanninNo ratings yetPlanning Engineer or Business Analyst or Data Analyst or Plannin2 pages
- How To Guide Business Object Layer Programming PDFNo ratings yetHow To Guide Business Object Layer Programming PDF48 pages
- Top 10 Java Interview Questions On Final KeywordNo ratings yetTop 10 Java Interview Questions On Final Keyword3 pages
- 09 - 5780 - Embedded System Design L1 - 2upNo ratings yet09 - 5780 - Embedded System Design L1 - 2up9 pages
- Perancangan Sistem Basis Data Offline Dokumen AkreNo ratings yetPerancangan Sistem Basis Data Offline Dokumen Akre8 pages
- Pizza Ordering Chatbot Using Amazon LexNo ratings yetPizza Ordering Chatbot Using Amazon Lex13 pages
- Topological diagram:: Báo cáo môn chuyên đề 1 Nguyễn Lê Trùng DươngNo ratings yetTopological diagram:: Báo cáo môn chuyên đề 1 Nguyễn Lê Trùng Dương11 pages
- Embedded and Real-Time Operating Systems: Course Code: 70439Embedded and Real-Time Operating Systems: Course Code: 70439
- 67.remote Home Security System Based On WSN and GSM Technology67.remote Home Security System Based On WSN and GSM Technology
- Embedded System - Question Bank (BE-ECE, VII Semester, R2008)Embedded System - Question Bank (BE-ECE, VII Semester, R2008)
- CISC Is An Acronym For Complex Instruction Set ComputerCISC Is An Acronym For Complex Instruction Set Computer
- Embedded Systems Btcse-Oe43: By: Naved Alam Assistant Professor (ECE) SEST, Jamia HamdardEmbedded Systems Btcse-Oe43: By: Naved Alam Assistant Professor (ECE) SEST, Jamia Hamdard
- Embedded Systems: C.Sathyanathan J.Siddarth 9003841021Embedded Systems: C.Sathyanathan J.Siddarth 9003841021
- An Embedded System Is A Computer System Designed To Perform One or A Few Dedicated FunctionsAn Embedded System Is A Computer System Designed To Perform One or A Few Dedicated Functions
- Digital Electronics, Computer Architecture and Microprocessor Design PrinciplesFrom EverandDigital Electronics, Computer Architecture and Microprocessor Design Principles
- Embedded Systems Programming with C++: Real-World TechniquesFrom EverandEmbedded Systems Programming with C++: Real-World Techniques
- Embedded Systems Programming with C: Writing Code for MicrocontrollersFrom EverandEmbedded Systems Programming with C: Writing Code for Microcontrollers
- Mastering Embedded C: The Ultimate Guide to Building Efficient SystemsFrom EverandMastering Embedded C: The Ultimate Guide to Building Efficient Systems
- Principles of Information Security, Fourth EditionPrinciples of Information Security, Fourth Edition
- Imagerunner Advance 6500 Iii Series: Black-And-White - Mid-To High-Volume - MultifunctionImagerunner Advance 6500 Iii Series: Black-And-White - Mid-To High-Volume - Multifunction
- Planning Engineer or Business Analyst or Data Analyst or PlanninPlanning Engineer or Business Analyst or Data Analyst or Plannin
- How To Guide Business Object Layer Programming PDFHow To Guide Business Object Layer Programming PDF
- Perancangan Sistem Basis Data Offline Dokumen AkrePerancangan Sistem Basis Data Offline Dokumen Akre
- Topological diagram:: Báo cáo môn chuyên đề 1 Nguyễn Lê Trùng DươngTopological diagram:: Báo cáo môn chuyên đề 1 Nguyễn Lê Trùng Dương