Digi Connect ME Discovery

Posted on 10/24/2008 by John

I have a Digi Connect ME powered device that I’ve been trying to interface with from Mac OS X, the only platform Digi does not provide their RealPort drivers for. The Digi Connect ME is a serial to ethernet bridge that runs embedded Linux on an ARM processor. Their RealPort driver that doesn’t exist for OS X is a virtual serial port driver which routes data over a TCP connection to the Connect ME where it is de-muxed and sent over TTL serial to your device.

In typical fashion I decided to simply reverse engineer the so called “Advanced Digi Discovery Protocol” or ADDP in able to discover devices on the network. ADDP makes use of UDP broadcast packets sent to port 2362. The packets take the form of a magic character sequence of ‘DIGI’ followed by a two byte sequence number and a series of elements. These elements are of the form: one byte element ID, one byte element length and then element length bytes of data. In the data below, magic characters are in red, sequence numbers are in orange, packet length is in green, element IDs are in blue, element lengths are in purple and element data is in yellow.

The ADDP discovery broadcast UDP packet is structured as follows:

0000   44 49 47 49 00 01 00 06 ff ff ff ff ff ff       DIGI..........

This packet has sequence 0001 and element 0 has length of 6 with data as six 0xFF bytes.

A network device that implements ADDP data will respond to the device that sent the broadcast on port 1181 with something like the following:

0000   44 49 47 49 00 02 00 60 01 06 00 40 9d 33 d2 94 DIGI...`...@.3..
0010   02 04 XX XX 70 07 03 04 ff ff 00 00 0b 04 00 00 ....p...........
0020   00 00 0d 0f 44 69 67 69 20 43 6f 6e 6e 65 63 74 ....Digi Connect
0030   20 4d 45 10 01 01 07 01 00 08 1e 56 65 72 73 69  ME........Versi
0040   6f 6e 20 38 32 30 30 30 38 35 36 5f 46 36 20 30 on 82000856_F6 0
0050   37 2f 32 31 2f 32 30 30 36 0e 04 00 00 03 03 13 7/21/2006.......
0060   04 00 00 04 03 12 01 01                         ........

This packet has sequence 0002 and has a length of 0×0060 or 96 bytes – not including the bytes up to this point. Element 1 has length 6 and is the MAC address of the device. Element 2 has length 4 bytes and is the device’s IP. Element 3 has length 4 and is the device’s Netmask. Element 0xB has length 4 and is the device’s Gateway. Element 0xd has 15 bytes and is the device’s name. Element 10 has length 1 and I think it is the number of serial devices. Element 7 has length 1 and is unknown. Element 8 has length 30 and is the device’s Firmware version. Element 0xe has 4 bytes and is has unknown value 0×00000303. Element 0×13 has length 4 and unknown value 0×0000403. Element 0×12 has length 1 and unknown value 1.

I have attached a simple python script that I have written to find DIGI Connect ME enabled devices on your network. Note that it requires that you have the netifaces Python library installed. This should also detect the Connect WI-ME and possibly other DIGI network enabled products.

Posted in Coding, Hacking | 5 Comments

Esquire 75th Anniversary E-Ink Teardown

Posted on 9/8/2008 by John

Back in July, Joel Johnson of BoingBoing Gadgets interviewed Peter Griffin, a Deputy Editor for Esquire. The interview focuses on how Esquire will use E-Ink in it’s October 2008, 75th Anniversary edition. Peter speaks about how they are looking forward to seeing what hackers will do to the display, saying The data will be baked into the circuitry. Figuring out how to reprogram the e-paper controller or installing an entirely new one will be up to the hackers.” The issue just hit newsstands today and like many other hackers across the country I dutifully snagged a copy and proceeded to slice it up and mess with its innards.

Upon first glance, especially when looking at lo-res web videos of the display in action it appears as if Esquire has magically procured a full color E-Ink display. Alas, Esquire just overlaid a transparent coloured overlay on top of the monochrome E-Ink display.

The second E-Ink display is located on the inside cover, in an ad for the Ford Flex. This display makes the image of the Flex appear to be moving – or at least it tries to.

We gain access to the displays and the board that runs them by running a knife along the top, inside and bottom of the cover which then folds out to the left. Removing the foam insert reveals the bottom E-Ink display.

Looking at the board we see that it’s a very simple, 2-layer PCB made by Zuhai Forewin with only 3 main ICs of which 2 are the same chip – an 8-stage shift-and-store bus register IC (NXP HEF4094BT) made by NXT Philips with the other chip being an 8-bit PIC microcontroller (PIC 12F629 – 4.8mb PDF) made by Microchip. The board and displays are powered by six 3v Lithium Coin batteries (model CR2016) which according to Esquire should provide you with around 90 days of blinking goodness.

As you may have assumed from the pin count and look of the displays – they appear to be segmented. That is, they are not made up of a grid of addressable pixels that can be turned on and off individually but are instead made up of several regions that may be turned on and off independently. This essentially means that for our purposes these displays are useless junk unless your project entails blinking “The 21st century begins now :) ” on and off. Since I have no real interest in such a device this is where my analysis will stop. Those of you who wish to play with this for purely educational purposes you should be able to reprogram the PIC controller to change the blink order and timing of both displays, although it will probably require a chip programmer of some sort.

For a few more pictures of this teardown check out my SmugMug Gallery.

Posted in Hacking | 2 Comments

When hard disks go boom

Posted on 7/21/2008 by John

I’d been wondering lately why I’ve been getting “Semaphore timeouts” when reading/writing to one of my NAS volumes over NFS from my Vista machine. Today I found out why.

I came back in from BBQing some hamburgers to a shrill beep emanating from my office – I instantly thought the power had gone out and it was my Belkin UPS shouting. I was wrong, it was actually the RocketRAID 2310 in my NAS telling me that one of the Seagate 500GB Barracudas that I’ve recently pressed into use after them sitting dormant in my NAS machine for 9mos had died.

I’m currently filling out the Seagate RMA form and trying to decide whether I’m going to go to Frys and pick up a replacement drive to use until the replacement gets here or if I want to go out and buy four 1TB drives and upgrade my capacity.

Will post a followup documenting the hopefully easy steps to get my RAID-5 array working again.

Posted in General | Leave a comment

FUSE for Windows

Posted on 5/23/2008 by John

Many times in the past I’ve had want for the most excellent FUSE to have a Windows equivalent. There are many internet posts on the issue and why it is roughly a million times more complex to do on Windows than on *nix/BSD/OS X and hence why it hasn’t been done by the OSS community.

After my most recent need for a FUSE equivalent on Windows I came across this paper which was written in 2007 by Evan Driscoll, Jonathan Beavers and Hidetoshi Tokuda from the University of Wisconsin-Madison. Unfortunately they come to the same conclusion as everyone else and fall back to implementing a FUSE compatibility layer on top of FIFS which implements a SMB server to provide access to other filesystems.

UPDATE: as Frederico resports in the comments, Dokan is a capable Windows equivalent to FUSE.

Posted in Coding, General | 2 Comments

Funny Google Ad

Posted on 5/19/2008 by John

So I found the following Google Ad in GMail today:

Hedge Fund Jobs – www.hedgehogjobs.com – Global Hedge Fund Positions Search for the latest jobs

People who know me will find this funny as my nickname is ‘Hedgehog’ or ‘Hedge’ for short and I’ve been searching for jobs lately. Oddly appropriate eh?

Posted in General | Leave a comment