HACKING OF ELECTRONIC EQUIPMENTS

CHAPTER 1

INTRODUCTION

1.1 Embedded Systems:

An embedded system is a combination of software and hardware built to perform a dedicated task. The main processing devices used in embedded products are microprocessors and microcontrollers. Microprocessors are commonly referred to as general-purpose processors: they accept inputs, process them and produce outputs, and rely on external chips for memory and peripherals. A microcontroller, in contrast, integrates the processor with memory and peripheral interfaces on a single chip, so it not only accepts data as input but also manipulates it, interfaces it with various devices, controls it and finally delivers the result.

An embedded system can be defined as a computing device that does a specific, focused job. Appliances such as the air-conditioner, VCD player, DVD player, printer, fax machine and mobile phone are examples of embedded systems. Each of these appliances has a processor and special hardware to meet the specific requirements of the application, along with the embedded software that is executed by the processor to meet those requirements. The embedded software is also called "firmware".

The desktop/laptop computer is a general-purpose computer. You can use it for a variety of applications such as playing games, word processing, accounting, software development and so on. In contrast, the software in an embedded system is fixed. The main characteristics of embedded systems are listed below:

• Embedded systems do a very specific task; they cannot be programmed by the user to do different things.
• Embedded systems have very limited resources, particularly memory. Generally, they do not have secondary storage devices such as a CD-ROM or a floppy disk.
• Embedded systems have to work against deadlines. A specific job has to be completed within a specific time. In some embedded systems, called real-time systems, the deadlines are stringent: missing a deadline may cause a catastrophe, such as loss of life or damage to property.
• As many embedded systems operate from a battery, the power consumption has to be very low.
• Some embedded systems have to operate in extreme environmental conditions such as very high temperatures and humidity.

ECE, SIETK 1

1.2 Processor selection:

1.2.1 General factors that govern the selection are:

• Complexity of overall design
• Design reuse
• Performance
• Power and size
• Cost and tools
• OS support and availability

The design's complexity helps determine the CPU to use. If the design calls for a single state machine with interrupts from a small set of peripherals, then a small CPU or microcontroller such as the MCS-51 or the Z80 could be the best choice. Many systems, such as an industrial timer, fit this category: the memory footprint is small, the signals are slow and battery consumption must be extremely low. The application and its interactions dictate the design's complexity and may also determine whether it requires a real-time operating system (RTOS). Typically, as the application complexity increases, the need for a wider-bit-width processor increases. The selection of the CPU greatly affects the performance of the overall system. Specifically, features such as 8/16/24/32-bit architecture, RISC/CISC/DSP architecture, cache, MMU, pipelining, branch prediction and superscalar execution all affect the speed of a system. Depending on system needs, these features may be necessary to achieve peak performance.

Benchmark data are available for various 8/16/32-bit processors, such as MIPS (million instructions per second), MIPS/MHz, Dhrystone and the EEMBC suites, which can be taken as a reference or comparison base.

CISC vs. RISC:

CISC is an acronym for Complex Instruction Set Computer. CISC chips are easy to program in assembly language and make efficient use of memory. Since the earliest machines were programmed in assembly language and memory was slow and expensive, the CISC philosophy made sense, and it was commonly implemented in the large computers of the time.

Most common microprocessor designs, such as the Intel 80x86 and Motorola 68K series, followed the CISC philosophy. But changes in software and hardware technology have forced a re-examination of CISC, and many modern CISC processors are hybrids, implementing many RISC principles.

The design constraints that led to the development of CISC (small amounts of slow memory, and the fact that most early machines were programmed in assembly language) give CISC instruction sets some common characteristics:

• A 2-operand format, where instructions have a source and a destination: register-to-register, register-to-memory and memory-to-register instructions.
• Multiple addressing modes for memory, including specialized modes for indexing through arrays.
• Variable-length instructions, where the length often varies according to the addressing mode.
• Instructions which require multiple clock cycles to execute.

Most CISC hardware architectures have several characteristics in common:

• Complex instruction-decoding logic, driven by the need for a single instruction to support multiple addressing modes.
• A small number of general-purpose registers. This is the direct result of having instructions which can operate directly on memory, and of the limited amount of chip space not dedicated to instruction decoding, execution and microcode storage.
• Several special-purpose registers. Many CISC designs set aside special registers for the stack pointer, interrupt handling and so on. This can simplify the hardware design somewhat, at the expense of making the instruction set more complex.
• A 'condition code' register which is set as a side effect of most instructions. This register reflects whether the result of the last operation is less than, equal to or greater than zero, and records whether certain error conditions occurred.

At the time of their initial development, CISC machines used the available technologies to optimize computer performance:

• Microprogramming is as easy as assembly language to implement, and much less expensive than hardwiring a control unit.
• The ease of microcoding new instructions allowed designers to make CISC machines upwardly compatible: a new computer could run the same programs as earlier computers because the new computer contained a superset of the instructions of the earlier computers.
• As each instruction became more capable, fewer instructions were needed to implement a given task. This made more efficient use of the relatively slow main memory.
• Because microprogrammed instruction sets can be written to match the constructs of high-level languages, the compiler does not have to be as complicated.

Designers soon realized that the CISC philosophy had its own problems, including:

• Earlier generations of a processor family were generally retained as a subset in every new version, so the instruction set and chip hardware became more complex with each generation.
• So that as many instructions as possible could be stored in memory with the least possible wasted space, individual instructions could be of almost any length. This means that different instructions take different amounts of clock time to execute, slowing down the overall performance of the machine.
• Many specialized instructions are not used frequently enough to justify their existence; approximately 20% of the available instructions are used in a typical program.
• CISC instructions typically set the condition codes as a side effect of the instruction. Not only does setting the condition codes take time, but programmers have to remember to examine the condition code bits before a subsequent instruction changes them.

As memory speed increased and high-level languages displaced assembly language, the major reasons for CISC began to disappear, and computer designers began to look at ways computer performance could be optimized beyond just making faster hardware. One of their key realizations was that a sequence of simple instructions produces the same results as a sequence of complex instructions but can be implemented with a simpler (and faster) hardware design, assuming that memory can keep up. RISC (Reduced Instruction Set Computer) processors were the result. CISC and RISC implementations are becoming more and more alike: many of today's RISC chips support as many instructions as yesterday's CISC chips, and today's CISC chips use many techniques formerly associated with RISC chips.

1.2.2 Application Areas:

Nearly 99 per cent of the processors manufactured end up in embedded systems. The embedded system market is one of the highest-growth areas, as these systems are used in every market segment: consumer electronics, office automation, industrial automation, biomedical engineering, wireless communication, data communication, telecommunications, transportation, military and so on.

1.2.3 Consumer appliances:

At home we use a number of embedded systems, which include the digital camera, digital diary, DVD player, electronic toys, microwave oven, remote controls for the TV and air-conditioner, VCD player, video game consoles, video recorders etc. Today's high-tech car has about 20 embedded systems for transmission control, engine spark control, air-conditioning, navigation etc. Even wrist watches are now becoming embedded systems. Palmtops are powerful embedded systems with which we can carry out many general-purpose tasks such as playing games and word processing.

1.2.4 Office automation:

The office automation products using embedded systems are the copying machine, fax machine, key telephone, modem, printer, scanner etc.

1.2.5 Industrial automation:

Today a lot of industries use embedded systems for process control. These include pharmaceuticals, cement, sugar, oil exploration, nuclear energy, and electricity generation and transmission. The embedded systems for industrial use are designed to carry out specific tasks such as monitoring temperature, pressure, humidity, voltage, current etc., and then to take appropriate action based on the monitored levels to control other devices or to send information to a centralized monitoring station. In hazardous industrial environments, where human presence has to be avoided, robots are used, which are programmed to do specific jobs. Robots are now becoming very powerful and carry out many interesting and complicated tasks such as hardware assembly.

1.2.6 Medical electronics:

Almost every piece of medical equipment in the hospital is an embedded system. This equipment includes diagnostic aids such as ECG, EEG and blood pressure measuring devices, X-ray scanners, and equipment used in blood analysis, radiation, endoscopy etc. Developments in medical electronics have paved the way for more accurate diagnosis of diseases.

1.2.7 Computer networking:

Computer networking products such as bridges, routers, Integrated Services Digital Network (ISDN) equipment, Asynchronous Transfer Mode (ATM), X.25 and frame relay switches are embedded systems which implement the necessary data communication protocols. For example, a router interconnects two networks. The two networks may be running different protocol stacks. The router's function is to obtain the data packets from incoming ports, analyze the packets and send them towards the destination after doing the necessary protocol conversion. Most networking equipment, other than the end systems (desktop computers) we use to access the networks, consists of embedded systems.

1.2.8 Telecommunications:

In the field of telecommunications, embedded systems can be categorized as subscriber terminals and network equipment. Subscriber terminals such as key telephones, ISDN phones, terminal adapters and web cameras are embedded systems. Network equipment includes multiplexers, multiple-access systems, Packet Assembler/Disassemblers (PADs), satellite modems etc. IP phones, IP gateways, IP gatekeepers etc. are the latest embedded systems that provide very low-cost voice communication over the Internet.

1.2.9 Wireless technologies:

Advances in mobile communications are paving the way for many interesting applications using embedded systems. The mobile phone is one of the marvels of the last decade of the 20th century. It is a very powerful embedded system that provides voice communication while we are on the move. Personal Digital Assistants and palmtops can now be used to access multimedia services over the Internet. Mobile communication infrastructure such as base station controllers and mobile switching centers are also powerful embedded systems.

1.2.10 Instrumentation:

Testing and measurement are fundamental requirements in all scientific and engineering activities. The measuring equipment we use in laboratories to measure parameters such as weight, temperature, pressure, humidity, voltage, current etc. are all embedded systems.

Test equipment such as the oscilloscope, spectrum analyzer, logic analyzer, protocol analyzer, radio communication test set etc. are embedded systems built around powerful processors. Thanks to miniaturization, test and measuring equipment is now becoming portable, facilitating easy testing and measurement in the field by field personnel.

1.2.11 Finance:

Financial dealings through cash and cheques are now slowly giving way to transactions using smart cards and ATMs (Automatic Teller Machines, also expanded as Any Time Money). A smart card, the size of a credit card, has a small microcontroller and memory; it interacts with the smart card reader or ATM and acts as an electronic wallet. Smart card technology has the capability of ushering in a cashless society.

1.3 Overview of Embedded System Architecture:

Every embedded system consists of custom-built hardware built around a Central Processing Unit (CPU). This hardware also contains memory chips onto which the software is loaded. The software residing on the memory chip is also called the 'firmware'. The operating system runs above the hardware, and the application software runs above the operating system, as shown in the figure. The same architecture is applicable to any computer, including a desktop computer. However, there are significant differences. It is not compulsory to have an operating system in every embedded system. For small appliances such as remote control units, air conditioners, toys etc., there is no need for an operating system, and you can write only the software specific to that application. For applications involving complex processing, it is advisable to have an operating system. In such a case, you need to integrate the application software with the operating system and then transfer the entire software onto the memory chip. Once the software is transferred to the memory chip, it will continue to run for a long time; you do not need to reload new software.

Fig 1.1 Embedded System Architecture

Now, let us see the details of the various building blocks of the hardware of an embedded system. As shown in Fig. 1.2, the building blocks are:

• Central Processing Unit (CPU)
• Memory (Read-Only Memory and Random Access Memory)
• Input devices
• Output devices
• Communication interfaces
• Application-specific circuitry

Fig 1.2 Building Blocks of an Embedded System

1.3.1 Central Processing Unit (CPU):

The Central Processing Unit (processor, in short) can be any of the following: microcontroller, microprocessor or Digital Signal Processor (DSP). A microcontroller is a low-cost processor. Its main attraction is that the chip itself contains many other components such as memory, a serial communication interface, an analog-to-digital converter etc. So, for small applications, a microcontroller is the best choice, as the number of external components required is very small.

On the other hand, microprocessors are more powerful, but you need to use many external components with them. A DSP is used mainly for applications in which signal processing is involved, such as audio and video processing.

1.3.2 Memory:

The memory is categorized as Random Access Memory (RAM) and Read Only Memory (ROM). The contents of the RAM are erased if power to the chip is switched off, whereas ROM retains its contents even if the power is switched off. So, the firmware is stored in the ROM. When power is switched on, the processor reads the ROM and the program is executed.

1.3.3 Input devices:

Unlike the desktop, the input devices of an embedded system have very limited capability. There will be no keyboard or mouse, and hence interacting with the embedded system is no easy task. Many embedded systems have a small keypad: you press one key to give a specific command. A keypad may be used to input only digits. Many embedded systems used in process control do not have any input device for user interaction; they take inputs from sensors or transducers and produce electrical signals that are in turn fed to other systems.

1.3.4 Output devices:

The output devices of embedded systems also have very limited capability. Some embedded systems have a few Light Emitting Diodes (LEDs) to indicate the health status of the system modules, or for visual indication of alarms. A small Liquid Crystal Display (LCD) may also be used to display some important parameters.

1.3.5 Interfaces:

Embedded systems may need to interact with other embedded systems, or they may have to transmit data to a desktop. To facilitate this, embedded systems are provided with one or a few communication interfaces such as RS-232, RS-422, RS-485, Universal Serial Bus (USB), IEEE 1394, Ethernet etc.

1.3.6 Application-specific circuitry:

Sensors, transducers, and special processing and control circuitry may be required for an embedded system, depending on its application. This circuitry interacts with the processor to carry out the necessary work. The entire hardware has to be given a power supply, either through the 230 V mains supply or through a battery. The hardware has to be designed in such a way that the power consumption is minimized.

CHAPTER 2

HARDWARE COMPONENTS

2.1 MEMS-Based Accelerometers:

The field of MEMS accelerometers can be segregated into two dominant microsystem architectures: capacitive and piezoresistive. While both types of accelerometer employ internal proof masses that are excited by acceleration, the architectural difference lies in the transduction mechanism used to correlate the movement of the internal proof mass to acceleration. Capacitive accelerometers employ a differential capacitor whose balance is disrupted by the movement of the proof mass. Piezoresistive accelerometers generally rely on strain induced within a flexural element that attaches the proof mass to the sensor housing for identification of the mass movement. Capacitive MEMS accelerometers, such as the ADXL iMEMS series from Analog Devices, have enjoyed more commercial success than piezoresistive designs. This is a direct result of piezoresistive accelerometers not having been able to keep pace with the reduced fabrication costs associated with capacitive architectures (Maluf 2000). Problems associated with the temperature coefficients and drift properties of piezoresistive materials have necessitated careful packaging and compensation circuitry that have added to piezoresistive accelerometer costs.

Advances made in MEMS fabrication processes warrant a revisit of the piezoresistive accelerometer. With new processes available and old processes improved, a low-cost, high-performance piezoresistive accelerometer is now possible. In particular, deep reactive ion etching (DRIE) fabrication techniques could be used in the fabrication of MEMS accelerometers. The low-noise property of piezoresistive accelerometers at high frequencies, compared to that of capacitive accelerometers, is additional motivation for renewed interest in the piezoresistive accelerometer. While many methods can be employed for the identification of damage in structures, the success of these methods is limited to cases where the damage is severe enough to result in significant changes in the global modes of response of the structural system (Doebling et al. 1996). More recently, researchers have explored the use of high-frequency local response measurements of structural components to identify the onset of damage (Park et al. 2000). As a result, the success of these techniques will necessitate accelerometers that exhibit superior performance in the high-frequency bands of interest. With excellent noise properties at high frequencies, the piezoresistive accelerometer can be applied to this emerging class of damage detection problems.

2.2 Design of a Piezoresistive Accelerometer:

The use of piezoresistive materials in the design of MEMS-based accelerometers was first proposed by Roylance and Angell (1979). Their design calls for a proof mass attached to a silicon housing through a short flexural element. The implantation of a piezoresistive material on the upper surface of the flexural element was used for measuring out-of-plane acceleration of the proof mass. The strain experienced by a piezoresistive material causes a position change of its internal atoms, resulting in a change of its electrical resistance (Senturia 2001). By completing a Wheatstone bridge around the piezoresistors of the accelerometer, a linear relationship between acceleration and voltage can be derived.

A new approach to the design of piezoresistive accelerometers is explored. Departing from the Roylance design, a lateral in-plane accelerometer that can exploit the use of DRIE fabrication techniques is examined (Partridge et al. 2000). The design of the planar accelerometer is straightforward. A pie-shaped proof mass, as shown in Fig. 1a, is attached to the sensor housing through a slender cantilevering element. Acceleration in the plane of the sensor causes deflections in the proof mass and flexural element. Implanted in the walls of the cantilevering element is a piezoresistive material that changes resistance with strain. The flexural element is designed to concentrate strain in the vicinity of the piezoresistive implant. The housing surrounding the proof mass is instrumental in providing a lateral stop on the mass movement, thereby setting the maximum measurable acceleration (range). This housing is advantageous because it prevents deflections that would result in nonlinear flexural responses, in addition to protecting the accelerometer from shock (exceedingly high accelerations such as those above 1,000 g).

The physical dimensions of the accelerometer, illustrated in Fig. 1b, can be varied to deliver ideal performance specifications for a particular application. To maximize sensor sensitivity (voltage per unit acceleration), the flexural width, w, is minimized while the radial length, r, of the proof mass is maximized. The bandwidth of the accelerometer is determined by the length of the flexure, l, with shorter flexural elements increasing the lateral resonant frequency of the sensor. Since out-of-plane vibrations of the proof mass are undesirable, the thickness, t, of the flexural element is chosen to satisfy a 4-to-10 ratio between flexural thickness and width. In the process of fabricating the piezoresistive accelerometers, different dimensions for the flexural element and proof mass are selected.

Deep reactive ion etching (DRIE) and oblique ion implantation are the two enabling MEMS fabrication technologies chosen for the planar piezoresistive accelerometer. Fabrication of the accelerometer begins with the creation of a bonded etched silicon-on-insulator (BESOI) substrate, created by oxidation and bonding of standard wafer surfaces. An additional layer of low-temperature oxide (LTO) is grown on the top surface of the substrate in a pattern corresponding to the dimensions of the flexural and proof mass elements. To precisely remove the silicon exposed by the pattern in the LTO layer, DRIE is used to remove substrate material until the internal oxide layer of the substrate is reached. With the sides of the flexural element exposed, oblique ion implantation is used to deposit a thin layer of boron within the sides of the flexural element. One side is implanted with a moderate amount of boron to form a 4 kΩ piezoresistor. A greater amount of boron is implanted on the opposite side of the flexural element to yield a conduction return path of 200 Ω. Upon completion of implantation, the LTO layer is removed and a thin layer of oxide is grown. Oxidation of silicon renders silicon surfaces chemically and electronically stable (Lyshevski 2002). The backside of the substrate is masked and DRIE-etched to release the proof mass and flexural elements of the accelerometer from the substrate. The sensor die is cut from the substrate and placed in a ceramic package for sealing. Fig. 1c is a scanning electron microscope image of the completed piezoresistive accelerometer.

The output of the accelerometer is a differential voltage signal linearly proportional to acceleration. To provide an easy interface to low-cost microcontrollers, a differential voltage amplifier is used to convert the differential voltage to a single-ended voltage signal with amplification. Unlike some commercially produced accelerometers, an anti-alias filter is not provided on-chip in the prototype accelerometer, necessitating an external four-pole Butterworth anti-alias filter to condition the accelerometer's output before interfacing to a data acquisition system.

2.3 Micro-Electro-Mechanical Systems Inertial Measurement Units:

Introduction:

Tracking one's location can be difficult without a spatial reference. However, tracking can still be accomplished through dead reckoning. Dead reckoning is the process of determining one's position from the direction, velocity and time elapsed since the previous known position. To perform dead reckoning an Inertial Measurement Unit (IMU) can be used. An IMU measures linear acceleration (including the reaction to gravity) with accelerometers and angular rate with gyroscopes; velocity, orientation and position are obtained by integrating these measurements over time, so any sensor bias accumulates into a growing position error until a fresh reference fix is obtained. IMUs with conventional gyroscopes and accelerometers have previously been out of reach for many civilian and military uses due to bulky size and high cost, but with recent advances in Micro-Electro-Mechanical Systems (MEMS) the prices and sizes have shrunk significantly. MEMS IMUs can now be found in many systems, from smartphones for the masses to smart munitions for the military.

Commercial Applications

Civilian:

In recent years the auto industry has adopted IMUs to aid anti-lock brake systems and traction control schemes and to trigger air bags. Even entertainment systems such as the Nintendo Wii contain IMUs. The Wii system originally used only two ADXL330 accelerometers from Analog Devices; this system could not detect the rotation of the controllers well. Nintendo later added the Motion Plus, with the IDG-600 gyroscope from InvenSense, to implement a true IMU. The cost of the ADXL330 is less than eight dollars when purchased in bulk, and the IDG-600 is estimated to cost two dollars. Personal GPS navigation companies have also started to integrate MEMS IMUs into their products. When GPS reception becomes temporarily unavailable, these devices can revert to the IMU to calculate the approximate location and movement of the device. The TomTom GO 920 is such a device and costs less than 200 dollars, only 30 dollars more than models without the IMU feature, such as the TomTom GO 720.

Military:

Honeywell, along with Rockwell Collins, produces an Integrated Guidance System (IGS) for the military's future generation of "projectiles, strike weapons, missiles and small unmanned systems". This product combines GPS with an IMU to create a robust system that has a spatial error of less than 4 meters, is difficult to jam, can withstand more than 20,000 g and weighs a little over half a kilogram. Honeywell also makes MEMS IMUs for military dead reckoning without GPS integration. One example is the HG1930, which weighs less than half a pound, measures two inches in diameter by one and a half inches tall, and can survive the shock of being fired out of an artillery gun.

2.4 Analog-to-digital converter:

An analog-to-digital converter (abbreviated ADC, A/D or A to D) is a device that converts a continuous quantity to a discrete-time digital representation. An ADC may also provide an isolated measurement. The reverse operation is performed by a digital-to-analog converter (DAC). Typically, an ADC is an electronic device that converts an input analog voltage or current to a digital number proportional to the magnitude of the voltage or current. However, some non-electronic or only partially electronic devices, such as rotary encoders, can also be considered ADCs. The digital output may use different coding schemes. Typically the digital output will be a two's complement binary number that is proportional to the input, but there are other possibilities; an encoder, for example, might output a Gray code. A/D converters for industrial applications are often based on delta-sigma technology and deliver high-precision conversion for industrial measurement applications, including industrial process control, analytical instruments and consumer utility metering.

Features

• 12-bit resolution

• ± 1 LSB max DNL

ECE, SIETK 15

Page 16: Final Document

HACKING OF ELECTRONIC EQUIPMENTS

• ± 1 LSB max INL (MCP3204/3208-B)

• ± 2 LSB max INL (MCP3204/3208-C)

• 4 (MCP3204) or 8 (MCP3208) input channels

• Analog inputs programmable as single-ended or pseudo-differential pairs

• On-chip sample and hold

• SPI serial interface (modes 0,0 and 1,1)

• Single supply operation: 2.7V - 5.5V

• 100 ksps max. sampling rate at VDD = 5V

• 50 ksps max. sampling rate at VDD = 2.7V

• Low power CMOS technology:

- 500 nA typical standby current, 2 μA max.

- 400 μA max. active current at 5V

• Industrial temp range: -40°C to +85°C

• Available in PDIP, SOIC and TSSOP packages

Applications

• Sensor Interface

• Process Control

• Data Acquisition

• Battery Operated Systems
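The SPI exchange behind the feature list above, as an added example that is not part of the report: the MCU clocks out three bytes carrying the start bit, the SGL/DIFF bit and the channel number, and reads back three bytes carrying a null bit and the 12-bit result. The bit layout follows the Microchip datasheet's three-byte transfer; `FakeMcp320x` is a constructed stand-in for the chip (with constructed input voltages) so the code runs without hardware, and the function names are this example's own.

```python
# Added example: MCP3204/MCP3208 SPI conversion frames (build, decode, scale).
# The byte layout is the Microchip datasheet's "8-bit segments" transfer:
# three bytes out, three bytes in. FakeMcp320x is a constructed stand-in for
# the chip so the example runs with no hardware attached.

START = 0x04        # start bit sits at bit 2 of the first byte clocked out
SGL_DIFF = 0x02     # 1 = single-ended input, 0 = pseudo-differential pair
FULL_SCALE = 4096   # 12-bit converter: code = 4096 * VIN / VREF


def mcp320x_request(channel, single_ended=True, channels=8):
    """Bytes the MCU clocks out: [0000 01 SGL D2] [D1 D0 xxxxxx] [xxxxxxxx].

    The MCP3204 has four inputs, so D2 is always 0 for it.
    """
    if channels not in (4, 8):
        raise ValueError("channels must be 4 (MCP3204) or 8 (MCP3208)")
    if not 0 <= channel < channels:
        raise ValueError(f"channel {channel} is not valid for a {channels}-channel part")
    byte0 = START | (SGL_DIFF if single_ended else 0) | ((channel >> 2) & 0x01)
    byte1 = (channel & 0x03) << 6
    return bytes([byte0, byte1, 0x00])


def mcp320x_decode(reply):
    """Recover the 12-bit code from the three bytes read back.

    Reply byte 1 is ??? 0 B11 B10 B9 B8 (bit 4 is the converter's null bit),
    reply byte 2 is B7..B0. A null bit of 1 means the transfer was misaligned
    (wrong SPI mode, missed clock), so the sample is rejected instead of
    silently returning garbage.
    """
    if len(reply) != 3:
        raise ValueError("expected a 3-byte reply")
    if reply[1] & 0x10:
        raise ValueError("null bit is 1: SPI transfer misaligned")
    return ((reply[1] & 0x0F) << 8) | reply[2]


def code_to_volts(code, vref=5.0):
    """Ideal transfer function; the datasheet INL/DNL figures bound the real error."""
    return code * vref / FULL_SCALE


def read_channel(spi, channel, single_ended=True, channels=8, vref=5.0):
    """One conversion: send the request, decode the reply, scale to volts."""
    reply = spi.transfer(mcp320x_request(channel, single_ended, channels))
    return code_to_volts(mcp320x_decode(reply), vref)


class FakeMcp320x:
    """Constructed stand-in that answers SPI transfers the way the chip does."""

    def __init__(self, input_volts, vref=5.0):
        self.input_volts = list(input_volts)   # constructed voltage on each CHx pin
        self.vref = vref

    def transfer(self, tx):
        byte0, byte1, _ = tx
        if not byte0 & START:
            return bytes(3)                     # no start bit: the chip stays idle
        ch = ((byte0 & 0x01) << 2) | (byte1 >> 6)
        if byte0 & SGL_DIFF:
            vin = self.input_volts[ch]
        else:                                   # pairs (CH0,CH1), (CH2,CH3), ...;
            even = ch & ~1                      # an odd code makes the odd channel IN+
            pos, neg =(even, even + 1) if ch % 2 == 0 else (even + 1, even)
            vin = self.input_volts[pos] - self.input_volts[neg]
        code = max(0, min(FULL_SCALE - 1, int(vin * FULL_SCALE / self.vref)))
        # top three bits of reply byte 1 are undefined on the real part; null bit is 0
        return bytes([0xFF, 0xE0 | (code >> 8), code & 0xFF])


if __name__ == "__main__":
    chip = FakeMcp320x([0.0, 1.25, 2.5, 3.75, 5.0, 0.5, 1.0, 4.0])
    for ch in range(8):
        print(f"CH{ch}: {read_channel(chip, ch):.3f} V")
    print(f"CH1-CH0 differential: {read_channel(chip, 1, single_ended=False):.3f} V")
```

The null-bit check is the one a practitioner wants: a wrong SPI mode (the part accepts only 0,0 and 1,1) or a dropped clock shifts the reply by a bit and produces plausible-looking but wrong readings, and without the check that error is silent.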

2.5 EEPROM:

Atmel is a leading supplier of Serial EEPROM devices and has shipped over 12

billion devices in the past decade. Because of the ability to alter single bytes of data,

Serial EEPROM devices are used to store personal preference and configuration data in a

wide spectrum of consumer, automotive, telecommunication, medical, industrial, and PC

applications. Atmel offers Serial EEPROM devices in I2C, Microwire and SPI compatible

protocols. The devices come in a number of industry-standard package types including

space saving DFN, VFBGA, SOT23, and WLCSP packages. Atmel Serial EEPROM

devices feature low pin count and are optimized for use in automotive and industrial

temperature applications where low-power and low-voltage operation are essential.


EEPROM (electrically erasable programmable read-only memory) is user-modifiable read-only memory (ROM) that can be erased and reprogrammed (written to) repeatedly in circuit; the higher-than-normal programming voltage is generated on the chip by a charge pump, so the device needs nothing beyond its normal supply. Unlike EPROM chips, which are erased with ultraviolet light, EEPROMs do not need to be removed from the circuit to be modified, and unlike most flash memory they can be erased and rewritten at byte granularity rather than only in whole sectors. An EEPROM does have a limited life: the number of times a location can be reprogrammed is limited, typically to hundreds of thousands or about a million write cycles (the figure in the datasheet of the specific part applies). In a design that reprograms the EEPROM frequently while the system is in use, write endurance is therefore an important consideration; writes should be batched or spread across locations, and a write should be verified by reading it back.

Key Features

Broad Portfolio – Serial EEPROM devices are offered in 1-Kbit to 1-Mbit

densities in I2C, Microwire, and SPI compatible protocols available in voltages

from 1.7V to 5.5V.

Diverse package options — The Serial EEPROM devices come in industry

standard PDIP, SOIC, and TSSOP package types, as well as space saving DFN,

VFBGA, SOT23, and WLCSP packages.

High performance — Atmel Serial EEPROM devices offer low active and

standby currents and operate at fast clock frequencies.

Easy migration — Atmel SPI Serial EEPROMs share the same I/O

configuration as Atmel’s AT25D Serial Flash family, allowing customers to

easily upgrade to the advanced, higher density Serial Flash devices.

Automotive designs — Atmel offers automotive-qualified Serial EEPROM

devices in environmentally friendly "green" versions designed to withstand broad

extended temperature ranges.
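How a host talks to one of the SPI-compatible devices above, as an added example that is not from the report or from Atmel: the 25-series command set (WREN, WRDI, RDSR, WRSR, READ, WRITE, as used by the AT25xxx family) against a constructed software model of the chip. It demonstrates the write-enable latch, the status-register block protection that a configuration store should normally be placed behind, the page-write wrap that silently corrupts data when a single WRITE crosses a page boundary, and a read-back verify. `SIZE` and `PAGE_SIZE` are assumed values; take them from the datasheet of the real part.

```python
# Added example: host-side transactions for a 25-series SPI serial EEPROM
# (the AT25xxx-style command set) against a constructed software model of the
# chip. It shows the write-enable latch, status-register block protection,
# the page-write wrap, and a read-back verify. SIZE and PAGE_SIZE are assumed
# values for illustration; take them from the datasheet of the real part.

WREN, WRDI, RDSR, WRSR, READ, WRITE = 0x06, 0x04, 0x05, 0x01, 0x03, 0x02
SR_WEN = 0x02          # status bit 1: write enable latch (set by WREN)
SR_BP_MASK = 0x0C      # status bits 3:2: block protect (BP1, BP0)
SIZE = 1024            # assumed 8-Kbit part: 1024 bytes, 16-bit address
PAGE_SIZE = 32         # assumed page size; one WRITE never leaves its page
# BP1:BP0 -> fraction of the array, counted from the top, that refuses writes
BLOCK_PROTECT = {0b00: 0, 0b01: 1 / 4, 0b10: 1 / 2, 0b11: 1}


class FakeEeprom25:
    """Constructed stand-in; one transfer() is one chip-select-low transaction."""

    def __init__(self):
        self.mem = bytearray(b"\xff") * SIZE   # erased EEPROM reads as 0xFF
        self.status = 0x00
        self.write_cycles = 0                  # endurance bookkeeping

    def _protected(self, addr):
        frac = BLOCK_PROTECT[(self.status & SR_BP_MASK) >> 2]
        return addr >= SIZE - int(SIZE * frac)

    def transfer(self, tx):
        op, args = tx[0], tx[1:]
        if op == WREN:
            self.status |= SR_WEN
        elif op == WRDI:
            self.status &= ~SR_WEN
        elif op == RDSR:
            return bytes([0x00, self.status])
        elif op == WRSR and self.status & SR_WEN:
            self.status = args[0] & SR_BP_MASK  # WEN is cleared by any write
        elif op == READ:
            addr = int.from_bytes(args[:2], "big")
            n = len(args) - 2                   # one dummy byte clocked per byte read
            return bytes(3) + bytes(self.mem[(addr + i) % SIZE] for i in range(n))
        elif op == WRITE and self.status & SR_WEN:
            addr = int.from_bytes(args[:2], "big")
            page = addr - addr % PAGE_SIZE
            for i, b in enumerate(args[2:]):
                a = page + (addr - page + i) % PAGE_SIZE   # wraps inside the page
                if not self._protected(a):
                    self.mem[a] = b
            self.write_cycles += 1
            self.status &= ~SR_WEN
        return bytes(len(tx))


def eeprom_read(spi, addr, n):
    return spi.transfer(bytes([READ]) + addr.to_bytes(2, "big") + bytes(n))[3:]


def eeprom_write_verified(spi, addr, data):
    """Write in page-aligned chunks, each preceded by WREN, then read back.

    Returns True only if every byte landed. A missing WREN, a protected block
    or a wrapped page all show up here as a verify failure rather than as a
    silent no-op.
    """
    pos = 0
    while pos < len(data):
        room = PAGE_SIZE - (addr + pos) % PAGE_SIZE
        chunk = bytes(data[pos:pos + room])
        spi.transfer(bytes([WREN]))
        spi.transfer(bytes([WRITE]) + (addr + pos).to_bytes(2, "big") + chunk)
        pos += len(chunk)
    return eeprom_read(spi, addr, len(data)) == bytes(data)


def set_block_protect(spi, bp):
    """Set BP1:BP0; writing the status register itself needs the latch set first."""
    spi.transfer(bytes([WREN]))
    spi.transfer(bytes([WRSR, (bp & 0b11) << 2]))


if __name__ == "__main__":
    chip = FakeEeprom25()
    print("config stored:", eeprom_write_verified(chip, 0x0010, b"baud=9600"))
    set_block_protect(chip, 0b10)            # protect the upper half
    print("write into protected half:", eeprom_write_verified(chip, 0x0300, b"x"))
    print("write cycles so far:", chip.write_cycles)
```

Two points worth keeping from this: the chip gives no error when a write is refused (no latch, protected block) or wrapped, so the only way firmware learns that a configuration write did not take is to read it back; and the `write_cycles` counter is the bookkeeping the endurance paragraph above calls for.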

2.6 LCD

2.6.1 Introduction:

A liquid crystal display (LCD) is a thin, flat electronic visual display that uses the light-modulating properties of liquid crystals (LCs). LCs do not emit light directly.


They are used in a wide range of applications including computer monitors, televisions, instrument panels, aircraft cockpit displays and signage. They are common in consumer devices such as video players, gaming devices, clocks, watches, calculators and telephones. LCDs have displaced cathode ray tube (CRT) displays in most applications. They are usually more compact, lightweight, portable, less expensive, more reliable, and easier on the eyes. They are available in a wider range of screen sizes than CRT and plasma displays, and since they do not use phosphors, they do not suffer phosphor burn-in. LCDs are more energy efficient and offer safer disposal than CRTs. Their low electrical power consumption lets them be used in battery-powered electronic equipment.

An LCD is an electronically modulated optical device made up of any number of pixels filled with liquid crystals and arrayed in front of a light source (backlight) or reflector to produce images in color or monochrome. The earliest discovery leading to the development of LCD technology, the discovery of liquid crystals, dates from 1888. By 2008, worldwide sales of televisions with LCD screens had surpassed sales of CRT units.

Each pixel of an LCD typically consists of a layer of molecules aligned between two transparent electrodes, and two polarizing filters whose axes of transmission are (in most cases) perpendicular to each other. With no liquid crystal between the polarizing filters, light passing through the first filter would be blocked by the second (crossed) polarizer. In most cases the liquid crystal has double refraction.

Passive-matrix and active-matrix addressed LCDs:

Fig no :2.1 Visual view of LCD


LCDs with a small number of segments, such as those used in digital watches and pocket calculators, have individual electrical contacts for each segment. An external dedicated circuit supplies an electric charge to control each segment. This display structure is unwieldy for more than a few display elements.

The most commonly used character-based LCDs are built around Hitachi's HD44780 controller or a compatible part. This section covers character-based LCDs, their interfacing with microcontrollers, the 8-bit and 4-bit interfaces, programming, and some of the special tricks that can give these simple-looking displays a new look in an application.

2.6.2 Pin Description

The most commonly used LCDs found in the market today are 1-line, 2-line or 4-line LCDs that have a single controller and support at most 80 characters (the size of the HD44780's display RAM), whereas LCDs supporting more than 80 characters use two HD44780 controllers.

Fig No:2.2 Pin diagram

Pin no.  Name  Function
1        VSS   Power supply (GND)
2        VCC   Power supply (+5V)
3        VEE   Contrast adjust
4        RS    Register select: 0 = instruction input, 1 = data input
5        R/W   0 = write to LCD module, 1 = read from LCD module
6        EN    Enable signal (a write is latched on the falling edge)
7        D0    Data bus line 0 (LSB)
8        D1    Data bus line 1
9        D2    Data bus line 2
10       D3    Data bus line 3
11       D4    Data bus line 4
12       D5    Data bus line 5
13       D6    Data bus line 6
14       D7    Data bus line 7 (MSB)

2.6.3 Commands and Instruction set:

The instruction register (IR) and the data register (DR) of the LCD can be controlled by the MCU. Before the LCD starts an internal operation, control information is temporarily stored in these registers, which allows interfacing with MCUs that operate at different speeds, or with other peripheral control devices. The internal operation of the LCD is determined by signals sent from the MCU. These signals, which comprise the register select signal (RS), the read/write signal (R/W) and the data bus (DB0 to DB7), make up the LCD instructions (Table 2.1). There are four categories of instructions, which:

• designate LCD functions, such as display format, data length, etc.
• set internal RAM addresses
• perform data transfer with internal RAM
• perform miscellaneous functions

By consulting the table you can compose your own commands and test them. Below is a brief list of useful commands that are used frequently while working with the LCD.

Instruction                                Hex   Decimal
1. Function Set: 8-bit, 1 line, 5x7 dots   0x30  48
2. Function Set: 8-bit, 2 lines, 5x7 dots  0x38  56
3. Function Set: 4-bit, 1 line, 5x7 dots   0x20  32
4. Function Set: 4-bit, 2 lines, 5x7 dots  0x28  40


Table No :2.1 Instruction And Command Set
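The instruction encoding behind the Function Set values above and the command codes of section 2.6.4, as an added example that is not part of the report: each instruction is a bit field (DL, N, F for Function Set; D, C, B for display control; I/D, S for entry mode), the 4-bit interface sends each byte as two nibbles on D4..D7, and 0xC0 is simply Set DDRAM Address with the HD44780's line-2 address 0x40. `FakeHd44780` is a constructed model of the controller's DDRAM and address counter so the effect of each command can be checked without a display; the function names are this example's own.

```python
# Added example: HD44780 instruction encoding, the 4-bit nibble transfer and a
# constructed model of the controller (DDRAM, address counter, entry mode), so
# the effect of each command in the tables can be checked. Line addresses 0x00
# and 0x40 are the HD44780's own, which is why 0xC0 (Set DDRAM Address | 0x40)
# means "go to the start of line 2".
CLEAR_DISPLAY, RETURN_HOME = 0x01, 0x02


def function_set(eight_bit=True, two_lines=True, font_5x10=False):
    """0 0 1 DL N F x x: 0x38 for 8-bit/2-line, 0x28 for 4-bit/2-line."""
    return 0x20 | (0x10 * eight_bit) | (0x08 * two_lines) | (0x04 * font_5x10)


def display_control(display=True, cursor=False, blink=False):
    """0 0 0 0 1 D C B: 0x0C display on/cursor off, 0x0F everything on."""
    return 0x08 | (0x04 * display) | (0x02 * cursor) | (0x01 * blink)


def entry_mode(increment=True, shift_display=False):
    """0 0 0 0 0 1 I/D S: 0x06 is the usual 'increment, no display shift'."""
    return 0x04 | (0x02 * increment) | (0x01 * shift_display)


def set_ddram_address(line, column):
    """1 A6..A0, with line 0 at 0x00 and line 1 at 0x40 on a two-line module."""
    if line not in (0, 1) or not 0 <= column < 40:
        raise ValueError("line must be 0 or 1 and column 0..39")
    return 0x80 | (0x40 * line + column)


def split_nibbles(byte):
    """4-bit interface: high nibble first, then low nibble, both on D4..D7."""
    return [(byte >> 4) & 0x0F, byte & 0x0F]


class FakeHd44780:
    """Constructed controller model; write_byte() is the 8-bit bus, write_nibble() the 4-bit one."""

    def __init__(self):
        self.ddram = bytearray(b" ") * 0x68   # valid addresses 0x00-0x27 and 0x40-0x67
        self.ac = 0                            # address counter (cursor position)
        self.increment = True
        self.display_on = False
        self.four_bit = False
        self._high = None                      # first nibble of a pending 4-bit transfer

    def write_byte(self, rs, byte):
        self._execute(rs, byte & 0xFF)

    def write_nibble(self, rs, nib):
        if not self.four_bit:
            # Still in 8-bit mode with only D4..D7 wired: the controller sees the
            # nibble as the high half of a byte. That is why the init sequence
            # sends 0x3 three times and then 0x2 (= function set with DL=0).
            self._execute(rs, (nib & 0x0F) << 4)
        elif self._high is None:
            self._high = nib & 0x0F
        else:
            byte, self._high = (self._high << 4) | (nib & 0x0F), None
            self._execute(rs, byte)

    def _step(self, d):
        ac = self.ac + d
        wrap = {0x28: 0x40, 0x68: 0x00, 0x3F: 0x27, -1: 0x67}   # line ends roll over
        self.ac = wrap.get(ac, ac)

    def _execute(self, rs, byte):
        if rs:                                  # data register: store a character
            self.ddram[self.ac] = byte
            self._step(1 if self.increment else -1)
        elif byte == CLEAR_DISPLAY:
            self.ddram[:] = b" " * len(self.ddram)
            self.ac, self.increment = 0, True
        elif byte & 0xFE == RETURN_HOME:
            self.ac = 0
        elif byte & 0xFC == 0x04:               # entry mode set
            self.increment = bool(byte & 0x02)
        elif byte & 0xF8 == 0x08:               # display on/off control
            self.display_on = bool(byte & 0x04)
        elif byte & 0xF0 == 0x10 and not byte & 0x08:   # cursor shift (S/C = 0)
            self._step(1 if byte & 0x04 else -1)
        elif byte & 0xE0 == 0x20:               # function set: DL selects the bus width
            self.four_bit = not byte & 0x10
        elif byte & 0x80:                       # set DDRAM address
            self.ac = byte & 0x7F

    def lines(self, width=16):
        return (self.ddram[0x00:width].decode("ascii"),
                self.ddram[0x40:0x40 + width].decode("ascii"))


def send(lcd, rs, byte, four_bit):
    if four_bit:
        for nib in split_nibbles(byte):
            lcd.write_nibble(rs, nib)
    else:
        lcd.write_byte(rs, byte)


def init_4bit(lcd):
    """Datasheet power-on sequence for the 4-bit interface: three 0x3 nibbles
    (real firmware waits >4.1 ms and >100 us between them), 0x2 to switch to
    4-bit, then the usual function set / display off / clear / entry mode / display on."""
    for nib in (0x3, 0x3, 0x3, 0x2):
        lcd.write_nibble(0, nib)
    for cmd in (function_set(eight_bit=False), display_control(display=False),
                CLEAR_DISPLAY, entry_mode(), display_control(display=True)):
        send(lcd, 0, cmd, four_bit=True)


def print_at(lcd, line, column, text, four_bit=True):
    send(lcd, 0, set_ddram_address(line, column), four_bit)
    for ch in text.encode("ascii"):
        send(lcd, 1, ch, four_bit)
```

The model also reproduces the one behaviour that surprises people when driving these modules: the address counter runs from 0x27 straight to 0x40, so text that overruns line 1 continues at the start of line 2 rather than being dropped.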


2.6.4 Command Codes

Table no:2.2 LCD command codes

Code (hex)  Command to LCD instruction register
01          Clear display screen
02          Return home
04          Entry mode: decrement cursor (shift cursor to left)
05          Entry mode: decrement cursor and shift display right
06          Entry mode: increment cursor (shift cursor to right)
07          Entry mode: increment cursor and shift display left
08          Display off, cursor off
0A          Display off, cursor on
0C          Display on, cursor off
0F          Display on, cursor on and blinking
10          Shift cursor position to left
14          Shift cursor position to right
18          Shift the entire display to the left
1C          Shift the entire display to the right
38          Function set: 8-bit, 2 lines, 5x7 matrix
C0          Force cursor to beginning of second line (DDRAM address 0x40)

2.7 Crystal Oscillator

A crystal oscillator is a timing device that consists of a crystal and an oscillator circuit, providing an output waveform at a specific frequency. When a crystal is placed into an amplifier circuit (as shown in Figure 1), a small amount of energy is fed back to the crystal, which causes it to vibrate. These vibrations act to stabilize the frequency of the oscillator circuit.

Target Frequency

The Target Frequency of an oscillator is the desired output frequency of the oscillator, specified in MHz or kHz (megahertz or kilohertz) at 25°C. A Frequency Tolerance should be specified along with the Target Frequency.

Overall Frequency Tolerance

Overall Frequency Tolerance is the allowable frequency deviation from the Target Frequency, specified as a maximum deviation in ppm (parts per million); a 100 ppm tolerance on a 12 MHz oscillator, for example, allows a deviation of ±1.2 kHz. The deviation is specified inclusive of a set of operating conditions such as Operating Temperature Range, Supply Voltage, Output Load and Aging.

Operating Temperature Range

The Operating Temperature Range is the range of temperatures to which the device will be exposed while oscillating. All specifications, such as Overall Frequency Tolerance, Symmetry and Supply Current, are met within the Operating Temperature Range, which is specified as a minimum and a maximum temperature in °C.

Storage Temperature Range

The Storage Temperature Range gives the absolute limits of temperature to which the device can be exposed in a non-oscillating state without being damaged, and is specified as a minimum and a maximum temperature in °C.

Supply Current (Icc)

Supply Current is the current the oscillator draws from the power supply, and is usually specified as a maximum current in milliamps (mA).

Supply Voltage (Vdd)

Supply Voltage is the DC input voltage range recommended for operation of the oscillator, and is usually specified as a DC voltage with a percentage tolerance; 5.0 Vdc ±10% is a typical specification. All specifications such as Overall Frequency Tolerance, Symmetry and Supply Current are met within the specified Supply Voltage range.


2.8 UART

A UART (Universal Asynchronous Receiver Transmitter) or USART (Universal Synchronous Asynchronous Receiver Transmitter) is one of the basic interfaces found on almost every microcontroller on the market. These interfaces provide cost-effective, simple and reliable communication between two controllers or between a controller and a PC. The asynchronous mode needs no clock line: both ends agree on a bit rate (baud rate) and a frame format beforehand, and the receiver resynchronizes on the start bit of every character.

2.9 MAX 232

In telecommunications, RS-232 (Recommended Standard 232) is a standard for serial binary single-ended data and control signals connecting a DTE (Data Terminal Equipment) and a DCE (Data Circuit-terminating Equipment). It is commonly used in computer serial ports. The standard defines the electrical characteristics and timing of signals, the meaning of signals, and the physical size and pinout of connectors.

Fig No:2.3 Visual View Of MAX 232

Scope of the standard:

The Electronic Industries Association (EIA) standard RS-232 as of 1969 defines:

• Electrical signal characteristics such as voltage levels, signaling rate, timing and slew rate of signals, voltage withstand level, short-circuit behavior, and maximum load capacitance.
• Interface mechanical characteristics, pluggable connectors and pin identification.
• Functions of each circuit in the interface connector.
• Standard subsets of interface circuits for selected telecom applications.


The standard does not define such elements as the character encoding (for example ASCII, Baudot code or EBCDIC), the framing of characters, error-detection protocols, or bit rates.

Details of character format and transmission bit rate are controlled by the serial port hardware, often a single integrated circuit called a UART that converts data from parallel to asynchronous start-stop serial form. Details of voltage levels, slew rate, and short-circuit behavior are typically controlled by a line driver that converts from the UART's logic levels to RS-232 compatible signal levels, and a receiver that converts from RS-232 compatible signal levels back to the UART's logic levels.

Role in modern personal computers:

In the PC 97 Hardware Design Guide, Microsoft deprecated support for the RS-232 compatible serial port of the original IBM PC design. Today, RS-232 has mostly been replaced in personal computers by USB for local communications. Compared with RS-232, USB is faster, uses lower voltages, and has connectors that are simpler to connect and use. Both standards have software support in popular operating systems. USB is designed to make it easy for device drivers to communicate with hardware. However, there is no direct analog of the terminal programs used to let users communicate directly with serial ports. USB is more complex than the RS-232 standard because it includes a protocol for transferring data to devices, which requires more software to support it; RS-232 only standardizes the voltage of signals and the functions of the physical interface pins. Serial ports of personal computers are also sometimes used to directly control hardware such as relays or lamps, since the control lines of the interface can be easily manipulated by software. This isn't feasible with USB, which requires some form of receiver to decode the serial data.

As an alternative, USB docking stations are available which provide connectors for a keyboard, mouse, one or more serial ports, and one or more parallel ports. Corresponding device drivers are required for each USB-connected device to allow programs to access these devices as if they were the original directly-connected peripherals. Devices that convert USB to RS-232 may not work with all software on all personal computers and may cause a reduction in bandwidth along with higher latency.

Personal computers may use a serial port to interface to devices such as uninterruptible power supplies. In some cases no serial data is exchanged; the control lines are used to signal conditions such as loss of power or low-battery alarms.

Many fields (for example, laboratory automation, surveying) provide a continued demand for RS-232 I/O due to sustained use of very expensive but aging equipment. It is often far cheaper to continue to use RS-232 than to replace the equipment. Additionally, modern industrial automation equipment, such as PLCs, VFDs, servo drives and CNC equipment, is programmable via RS-232. Some manufacturers have responded to this demand: Toshiba re-introduced the DE-9M connector on the Tecra laptop.

Voltage levels:

Fig No:2.4 : Different Voltage Level Wave Forms

Diagrammatic oscilloscope trace of voltage levels for an uppercase ASCII "K" character (0x4B) with 1 start bit, 8 data bits, 1 stop bit. The RS-232 standard defines the voltage levels that correspond to logical one and logical zero for the data transmission and control signal lines. Valid signals are plus or minus 3 to 15 volts; the ±3 V range near zero volts is not a valid RS-232 level. The standard specifies a maximum open-circuit voltage of 25 volts; signal levels of ±5 V, ±10 V, ±12 V, and ±15 V are all commonly seen depending on the power supplies available within a device. RS-232 drivers and receivers must be able to withstand an indefinite short circuit to ground or to any voltage level up to ±25 volts. The slew rate, or how fast the signal changes between levels, is also controlled.

For data transmission lines (TxD, RxD and their secondary channel equivalents) logic one is defined as a negative voltage; the signal condition is called marking and has the functional significance of OFF. Logic zero is positive, the signal condition is termed spacing, and it has the function ON. Control signals are logically inverted with respect to what one sees on the data transmission lines: when one of these signals is active, the voltage on the line will be between +3 and +15 volts, and the inactive state is the opposite voltage condition, between −3 and −15 volts. Examples of control lines include request to send (RTS), clear to send (CTS), data terminal ready (DTR), and data set ready (DSR).

Because the voltage levels are higher than the logic levels typically used by integrated circuits, special intervening driver circuits are required to translate logic levels. These also protect the device's internal circuitry from short circuits or transients that may appear on the RS-232 interface, and provide sufficient current to comply with the slew-rate requirements for data transmission.

Because both ends of the RS-232 circuit depend on the ground pin being zero volts, problems will occur when connecting machinery and computers where the voltage between the ground pin on one end and the ground pin on the other is not zero. This may also cause a hazardous ground loop. Use of a common ground limits RS-232 to applications with relatively short cables. If the two devices are far enough apart or on separate power systems, the local ground connections at either end of the cable will have differing voltages; this difference will reduce the noise margin of the signals. Balanced, differential serial connections such as USB, RS-422 and RS-485 can tolerate larger ground voltage differences because of the differential signaling.

Unused interface signals terminated to ground will have an undefined logic state. Where it is necessary to permanently set a control signal to a defined state, it must be connected to a voltage source that asserts the logic 1 or logic 0 level. Some devices provide test voltages on their interface connectors for this purpose.


2.10 RS 232

RS-232 devices may be classified as Data Terminal Equipment (DTE) or Data Communication Equipment (DCE); this defines, at each device, which wires will be sending and receiving each signal. The standard recommended but did not make mandatory the D-subminiature 25-pin connector. In general, and according to the standard, terminals and computers have male connectors with DTE pin functions, and modems have female connectors with DCE pin functions. Other devices may have any combination of connector gender and pin definitions. Many terminals were manufactured with female connectors but were sold with a cable with male connectors at each end; the terminal with its cable satisfied the recommendations in the standard.

Presence of a 25-pin D-sub connector does not necessarily indicate an RS-232-C compliant interface. For example, on the original IBM PC, a male D-sub was an RS-232-C DTE port (with a non-standard current loop interface on reserved pins), but the female D-sub connector was used for a parallel Centronics printer port. Some personal computers put non-standard voltages or signals on some pins of their serial ports.

The standard specifies 20 different signal connections. Since most devices use only a few signals, smaller connectors such as the 9-pin DE-9 can often be used.

RS-232 WAVEFORM:

Fig No:2.5 TTL/CMOS Serial Logic Waveform

The diagram above shows the expected waveform from the UART when using the common 8N1 format. 8N1 signifies 8 data bits, no parity and 1 stop bit. The line, when idle, is in the mark state (logic 1). A transmission starts with a start bit, which is logic 0. Then each data bit is sent down the line, one at a time, least significant bit (LSB) first. A stop bit (logic 1) is then appended to complete the transmission. Data sent this way is said to be framed: each character is framed between a start bit and a stop bit.

RS-232 voltage levels:

1. +3 to +25 volts signifies a "space" (logic 0).
2. -3 to -25 volts signifies a "mark" (logic 1).
3. Any voltage in between these regions (i.e. between +3 and -3 volts) is undefined.

The data byte is always transmitted least-significant-bit first. The bits are transmitted at specific time intervals determined by the baud rate of the serial signal. Note that the RS-232 levels are the inverse of the UART's TTL levels, where a mark is the high (VCC) level and a space is 0 V.

This is the signal present on the RS-232 Port of your computer, shown below.

Fig No:2.6 RS-232 Logic Waveform
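The framing and level rules described above, as an added example that is not part of the report: it builds the 8N1 frame for the 'K' (0x4B) character used in the figures, maps it to TTL and to RS-232 polarity, and recovers characters from an oversampled capture the way a logic-analyser decoder does, flagging a frame whose stop bit is not a mark. The trace is constructed, not measured, and the function names are this example's own. `rate_mismatch_budget` ties in the ppm figures of section 2.7: it shows how much baud-rate error the start-bit resynchronization can absorb, which is far more than a crystal's tolerance but not much more than a badly rounded baud divisor.

```python
# Added example: build an 8N1 UART frame, map it to TTL and RS-232 levels, and
# recover characters from a constructed oversampled capture the way a logic
# analyser decoder does. The 'K' (0x4B) frame matches the waveform described
# above; the capture and the traces are constructed, not measured.

MARK, SPACE = 1, 0      # idle line is mark (logic 1); the start bit is a space


def uart_frame(byte, data_bits=8, parity=None, stop_bits=1):
    """Logic levels for one character, in wire order: start, data LSB first,
    optional parity ('even' or 'odd'), then the stop bit(s)."""
    bits = [SPACE] + [(byte >> i) & 1 for i in range(data_bits)]
    if parity is not None:
        ones = sum(bits[1:]) % 2
        bits.append(ones if parity == "even" else 1 - ones)
    return bits + [MARK] * stop_bits


def to_ttl_volts(bits, vcc=5.0):
    """UART side (what the MAX232 translates): mark = VCC, space = 0 V."""
    return [vcc if b == MARK else 0.0 for b in bits]


def to_rs232_volts(bits, swing=12.0):
    """Line side: the sense is inverted, mark is negative and space positive."""
    return [-swing if b == MARK else swing for b in bits]


def sample_capture(bits, oversample=16):
    """Constructed 'logic analyser' trace: each bit held for `oversample` samples."""
    return [b for b in bits for _ in range(oversample)]


def decode_8n1(samples, oversample=16, data_bits=8, stop_bits=1):
    """Find each mark->space edge, sample every bit at its centre, and accept the
    character only if the stop bit(s) read as mark. Returns (bytes, framing_errors)."""
    out, errors = bytearray(), 0
    frame_len = 1 + data_bits + stop_bits
    i, n = 0, len(samples)
    while i + frame_len * oversample <= n:
        if samples[i] != SPACE:
            i += 1
            continue
        mid = i + oversample // 2
        levels = [samples[mid + k * oversample] for k in range(frame_len)]
        if levels[0] != SPACE:          # shorter than half a bit: a glitch, not a start bit
            i += 1
            continue
        value = sum(levels[1 + k] << k for k in range(data_bits))
        if all(lvl == MARK for lvl in levels[1 + data_bits:]):
            out.append(value)
        else:
            errors += 1                 # stop bit not mark: wrong rate, noise or a break
        i += frame_len * oversample
    return bytes(out), errors


def rate_mismatch_budget(frame_bits=10):
    """Largest fractional baud-rate error the receiver tolerates: the centre of
    the last bit must still fall inside that bit, so the drift accumulated over
    (frame_bits - 0.5) bit periods must stay under half a bit. A 100 ppm crystal
    (section 2.7) uses 0.01% of this; baud-divisor rounding uses most of it."""
    return 0.5 / (frame_bits - 0.5)


def encode_message(data, idle_bits=2):
    """Back-to-back frames with a little idle (mark) time between characters."""
    bits = [MARK] * idle_bits
    for byte in data:
        bits += uart_frame(byte) + [MARK] * idle_bits
    return bits


if __name__ == "__main__":
    k = uart_frame(0x4B)
    print("K frame (wire order):", k)
    print("RS-232 volts:", to_rs232_volts(k))
    trace = sample_capture(encode_message(b"Key"))
    print("decoded at the right rate:", decode_8n1(trace))
    print("decoded at twice the rate:", decode_8n1(trace, oversample=8))
```

Decoding the same trace with the wrong rate is included deliberately: a rate that is off by a factor of two still finds start bits and can even pass the stop-bit check, so it returns confident garbage rather than an error, which is why a serial capture should be decoded at a couple of candidate rates and checked for printable output before anything is concluded from it.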

RS-232 LEVEL CONVERTER:

Standard serial interfacing of a microcontroller (TTL levels) with a PC or any RS-232C device requires a TTL-to-RS-232 level converter. A MAX232 is used for this purpose. It provides two RS-232C driver/receiver channels and requires four external charge-pump capacitors (10 µF are used here; the MAX232 datasheet specifies 1 µF, and the MAX232A 0.1 µF). The driver runs from a single +5 V supply and generates the RS-232 levels (nominally ±10 V) internally.

Pin Diagram of MAX 232:

Fig no :2.7 Pin diagram of MAX 232

2.11 ZIGBEE

ZigBee-style networks began to be conceived around 1998, when many installers realized that both Wi-Fi and Bluetooth were going to be unsuitable for many applications. In particular, many engineers saw a need for self-organizing ad-hoc digital radio networks. The IEEE 802.15.4-2003 standard was completed in May 2003 and has been superseded by the publication of IEEE 802.15.4-2006. In the summer of 2003, Philips Semiconductors, a major mesh network supporter, ceased its investment. Philips Lighting has, however, continued Philips' participation, and Philips remains a promoter member on the ZigBee Alliance Board of Directors.

The ZigBee Alliance announced in October 2004 that its membership had more than doubled in the preceding year and had grown to more than 100 member companies in 22 countries. By April 2005 membership had grown to more than 150 companies, and by December 2005 membership had passed 200 companies. The ZigBee specifications were ratified on 14 December 2004. The ZigBee Alliance announced availability of Specification 1.0 on 13 June 2005, known as the ZigBee 2004 Specification. In September 2006 the ZigBee 2006 Specification was announced, and in 2007 ZigBee PRO, the enhanced ZigBee specification, was finalized.

The first stack release is now called ZigBee 2004. The second stack release is called ZigBee 2006, and mainly replaces the MSG/KVP structure used in 2004 with a "cluster library"; the 2004 stack is now more or less obsolete. ZigBee 2007, now the current stack release, contains two stack profiles: stack profile 1 (simply called ZigBee), for home and light commercial use, and stack profile 2 (called ZigBee Pro). ZigBee Pro offers more features, such as multicasting, many-to-one routing and high security with Symmetric-Key Key Exchange (SKKE), while ZigBee (stack profile 1) offers a smaller footprint in RAM and flash. Both offer full mesh networking and work with all ZigBee application profiles. ZigBee 2007 is fully backward compatible with ZigBee 2006 devices: a ZigBee 2007 device may join and operate on a ZigBee 2006 network and vice versa. Due to differences in routing options, ZigBee Pro devices must become non-routing ZigBee End Devices (ZEDs) on a ZigBee 2006 network, just as ZigBee 2006 devices must become ZEDs on a ZigBee Pro network. The applications running on those devices work the same regardless of the stack profile beneath them. The ZigBee 1.0 specification was ratified on 14 December 2004 and is available to members of the ZigBee Alliance. Most recently, the ZigBee 2007 specification was posted on 30 October 2007. The first ZigBee Application Profile, Home Automation, was announced on 2 November 2007.

Radio hardware

The radio design used by ZigBee has been carefully optimized for low cost in large-scale production. It has few analog stages and uses digital circuits wherever possible. Though the radios themselves are inexpensive, the ZigBee Qualification Process involves a full validation of the requirements of the physical layer. All radios derived from the same validated semiconductor mask set would enjoy the same RF characteristics. An uncertified physical layer that malfunctions could cripple the battery lifespan of other devices on a ZigBee network. ZigBee radios have very tight constraints on power and bandwidth; thus, radios are tested to the ISO 17025 standard with guidance given by Clause 6 of the 802.15.4-2006 standard. Most vendors plan to integrate the radio and microcontroller onto a single chip, giving smaller devices.

The standard specifies operation in the unlicensed 2.4 GHz (worldwide), 915 MHz (Americas and Australia) and 868 MHz (Europe) ISM bands. In the 2.4 GHz band there are 16 ZigBee channels, spaced 5 MHz apart. The 2.4 GHz band provides up to 250 kbit/s, 915 MHz provides up to 40 kbit/s and 868 MHz provides a data rate of up to 20 kbit/s. The actual data throughput will be less than the maximum specified bit rate due to packet overhead and processing delays.

The radios use direct-sequence spread spectrum coding, which is managed by the digital stream into the modulator. Binary phase-shift keying (BPSK) is used in the 868 and 915 MHz bands, and offset quadrature phase-shift keying (OQPSK), which transmits two bits per symbol, is used in the 2.4 GHz band. The output power of the radios is generally 0 dBm (1 mW).

Software

The software is designed to be easy to develop on small, inexpensive

microprocessors.


Network layer

The main functions of the network layer are to enable the correct use of the MAC sublayer and to provide a suitable interface for use by the next upper layer, the application layer. Its capabilities and structure are those typically associated with such network layers, including routing. On the one hand, the data entity creates and manages network-layer data units from the payload of the application layer and performs routing according to the current topology. On the other hand, there is the layer control, which is used to handle configuration of new devices and to establish new networks: it can determine whether a neighboring device belongs to the network, and it discovers new neighbors and routers. The control can also detect the presence of a receiver, which allows direct communication and MAC synchronization.

The routing protocol used by the network layer is AODV. In order to find the destination device, a node broadcasts a route request to all of its neighbors. The neighbors then rebroadcast the request to their neighbors, and so on until the destination is reached. Once the destination is reached, it sends its route reply via unicast transmission following the lowest-cost path back to the source. Once the source receives the reply, it updates its routing table for the destination address with the next hop in the path and the path cost.
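The route discovery just described, as an added example that is not part of the report or of the ZigBee specification: a route request flooded hop by hop, a route reply unicast back along the lowest-cost path, and the routing-table entry (next hop, path cost) that each node on the path installs. The topology, link costs and message log format are constructed for illustration; ZigBee's actual RREQ/RREP frame formats, timers and sequence numbers are not modelled, and the class and method names are this example's own.

```python
# Added example: a minimal simulation of the AODV-style route discovery the
# network layer performs. A route request (RREQ) is flooded hop by hop, the
# destination answers with a route reply (RREP) unicast back along the
# lowest-cost path, and every node on that path installs a routing-table entry
# (next hop, cost). The topology and link costs are constructed; ZigBee's own
# RREQ/RREP frame formats, timers and sequence numbers are not modelled.

from collections import deque


class Node:
    def __init__(self, addr):
        self.addr = addr
        self.links = {}       # neighbour address -> link cost
        self.routes = {}      # destination -> (next_hop, path_cost)


class Network:
    def __init__(self, links):
        self.nodes = {}
        for a, b, cost in links:
            self.nodes.setdefault(a, Node(a)).links[b] = cost
            self.nodes.setdefault(b, Node(b)).links[a] = cost
        self.rreq_id = 0

    def discover(self, src, dst):
        """Run one route discovery. Returns (route installed at src or None, message log)."""
        self.rreq_id += 1
        log = []
        # reverse[node] = (previous hop toward src, accumulated cost from src)
        reverse = {}
        pending = deque([(src, None, 0)])
        while pending:
            cur, prev_hop, cost = pending.popleft()
            if cur in reverse and reverse[cur][1] <= cost:
                continue                        # duplicate, or no better than what we hold
            reverse[cur] = (prev_hop, cost)     # a cheaper copy replaces the reverse path
            if cur == dst:
                continue                        # the destination does not rebroadcast
            for nb, link_cost in self.nodes[cur].links.items():
                if nb != prev_hop:
                    log.append(f"RREQ#{self.rreq_id} {cur}->{nb} broadcast, cost so far {cost + link_cost}")
                    pending.append((nb, cur, cost + link_cost))
        if dst not in reverse:
            return None, log                    # no path: the request died out
        # The RREP walks the reverse pointers back to src; each node on the way
        # installs dst -> (node it heard the RREP from, remaining cost to dst).
        total = reverse[dst][1]
        path = [dst]
        while path[-1] != src:
            path.append(reverse[path[-1]][0])
        path.reverse()
        for here, next_hop in zip(path, path[1:]):
            remaining = total - reverse[here][1]
            self.nodes[here].routes[dst] = (next_hop, remaining)
            log.append(f"RREP#{self.rreq_id} {next_hop}->{here} unicast, cost to {dst} {remaining}")
        return self.nodes[src].routes[dst], log


if __name__ == "__main__":
    # Constructed mesh: the direct A-D link exists but is poor (cost 7), so the
    # lowest-cost path is the three-hop A-B-C-D (cost 3).
    net = Network([("A", "B", 1), ("B", "C", 1), ("C", "D", 1), ("A", "D", 7)])
    route, log = net.discover("A", "D")
    print("\n".join(log))
    print("route at A to D:", route)
```

The constructed topology is chosen so that hop count and link cost disagree: the direct link would win on hops, but the reply follows the accumulated cost, which is what lets the routing table at the source end up with (B, 3). Nothing in this exchange authenticates the reply; the stack relies on the security services the specification layers on top of the network layer for that.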

Application layer

The application layer is the highest-level layer defined by the specification, and is the effective interface of the ZigBee system to its end users. It comprises the majority of components added by the ZigBee specification: both the ZDO and its management procedures, together with application objects defined by the manufacturer, are considered part of this layer.

Main components

The ZDO (ZigBee Device Object) is responsible for defining the role of a device as either coordinator or end device, as mentioned above, but also for the discovery of new (one-hop) devices on the network and the identification of their offered services. It may then go on to establish secure links with external devices and reply to binding requests accordingly. The application support sublayer (APS) is the other main standard component of the layer, and as such it offers a well-defined interface and control services. It works as a bridge between the network layer and the other components of the application layer: it keeps up-to-date binding tables in the form of a database, which can be used to find appropriate devices depending on the services that are needed and those the different devices offer. As the union between both specified layers, it also routes messages across the layers of the protocol stack.

Communication models

Fig No:2.9 ZigBee high-level communication model

An application may consist of communicating objects which cooperate to carry

out the desired tasks. The focus of ZigBee is to distribute work among many different

devices which reside within individual ZigBee nodes which in turn form a network (said

work will typically be largely local to each device, for instance the control of each

individual household appliance).The collection of objects that form the network

communicate using the facilities provided by APS, supervised by ZDO interfaces. The

application layer data service follows a typical request-confirm/indication-response

structure.


Within a single device, up to 240 application objects can exist, numbered in the range 1-240. Endpoint 0 is reserved for the ZDO data interface and 255 for broadcast; the 241-254 range is not currently in use but may be in the future. There are two services available for application objects to use (in ZigBee 1.0):

• The key-value pair service (KVP) is meant for configuration purposes. It enables description, request and modification of object attributes through a simple interface based on get/set and event primitives, some allowing a request for response. Configuration uses compressed XML (full XML can be used) to provide an adaptable and elegant solution.
• The message service is designed to offer a general approach to information handling, avoiding the need to adapt application protocols and the overhead incurred by KVP. It allows arbitrary payloads to be transmitted over APS frames.

Addressing is also part of the application layer. A network node consists of an 802.15.4-conformant radio transceiver and one or more device descriptions (basically collections of attributes which can be polled or set, or which can be monitored through events). The transceiver is the base for addressing, and devices within a node are identified by an endpoint identifier in the range 1-240.

Communication and device discovery

In order for applications to communicate, their constituent devices must use a common application protocol (types of messages, formats and so on); these sets of conventions are grouped in profiles. Furthermore, binding is decided upon by matching input and output cluster identifiers, unique within the context of a given profile and associated with an incoming or outgoing data flow in a device. Binding tables contain source and destination pairs. Depending on the available information, device discovery may follow different methods. When the network address is known, the IEEE address can be requested using unicast communication. When it is not, requests are broadcast (the IEEE address being part of the response payload). End devices will simply respond with the requested address, while a network coordinator or a router will also send the addresses of all the devices associated with it.


This extended discovery protocol permits external devices to find out about the devices in a network and the services that they offer, which endpoints report when queried by the discovering device (which has previously obtained their addresses). Matching by offered service can also be used.

The use of cluster identifiers enforces the binding of complementary entities by means of the binding tables, which are maintained by ZigBee coordinators, as the table must always be available within a network and coordinators are the nodes most likely to have a permanent power supply. Backups, managed by higher-level layers, may be needed by some applications. Binding requires an established communication link; once it exists, whether to add a new node to the network is decided according to the application and security policies.

Communication can happen right after the association. Direct addressing uses both the radio address and the endpoint identifier, whereas indirect addressing uses every relevant field (address, endpoint, cluster and attribute) and requires that requests be sent to the network coordinator, which maintains the associations and translates requests for communication. Indirect addressing is particularly useful for keeping some devices very simple and minimizing their need for storage. Besides these two methods, broadcast to all endpoints in a device is available, and group addressing is used to communicate with groups of endpoints belonging to a set of devices.
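The endpoint numbering described earlier in this section and the binding and indirect-addressing mechanism described just above, as an added example in portable C (this is not code from the report or from any ZigBee stack). `classify_endpoint` encodes the number space stated in the text; `match_and_bind` is a simplified match service that pairs an output cluster of one endpoint with the same cluster identifier offered as an input cluster of another, only within one profile, and refuses the ZDO, reserved and broadcast endpoints so that a malformed bind request cannot create a table entry; `resolve_indirect` is the coordinator-side lookup that turns a sender's address, endpoint and cluster into a destination. The struct layouts, the network addresses, profile id 0x0104 and cluster id 0x0006 in `main` are constructed sample values, not taken from the report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Endpoint number space as given in the text. */
typedef enum { EP_ZDO, EP_APPLICATION, EP_RESERVED, EP_BROADCAST } endpoint_class;

endpoint_class classify_endpoint(uint8_t ep)
{
    if (ep == 0)   return EP_ZDO;          /* ZDO data interface */
    if (ep <= 240) return EP_APPLICATION;  /* 1..240: application objects */
    if (ep == 255) return EP_BROADCAST;    /* all endpoints in the device */
    return EP_RESERVED;                    /* 241..254: not in use */
}

#define MAX_CLUSTERS 4

/* Minimal device description (assumed layout): one endpoint, its profile and cluster lists. */
typedef struct {
    uint16_t nwk_addr;                               /* 16-bit network (short) address */
    uint8_t  endpoint;
    uint16_t profile_id;
    uint16_t in_clusters[MAX_CLUSTERS];  size_t n_in;   /* data flows this endpoint accepts */
    uint16_t out_clusters[MAX_CLUSTERS]; size_t n_out;  /* data flows this endpoint emits */
} endpoint_desc;

/* One row of the coordinator's binding table: a source/destination pair for a cluster. */
typedef struct {
    uint16_t src_addr; uint8_t src_ep;
    uint16_t cluster;
    uint16_t dst_addr; uint8_t dst_ep;
} binding_entry;

/* Match service: every output cluster of `src` that also appears as an input cluster of
 * `dst` (same profile only, since cluster ids are unique only within a profile) yields one
 * binding appended to `table`. Returns the number added. Endpoints outside 1..240 are
 * refused, so a request naming endpoint 0, 255 or a reserved endpoint creates nothing. */
size_t match_and_bind(const endpoint_desc *src, const endpoint_desc *dst,
                      binding_entry *table, size_t cap, size_t *count)
{
    if (classify_endpoint(src->endpoint) != EP_APPLICATION ||
        classify_endpoint(dst->endpoint) != EP_APPLICATION)
        return 0;
    if (src->profile_id != dst->profile_id)
        return 0;

    size_t added = 0;
    for (size_t i = 0; i < src->n_out; i++) {
        for (size_t j = 0; j < dst->n_in; j++) {
            if (src->out_clusters[i] != dst->in_clusters[j]) continue;
            if (*count >= cap) return added;        /* table full: stop, never overflow */
            table[*count] = (binding_entry){ src->nwk_addr, src->endpoint,
                                             src->out_clusters[i],
                                             dst->nwk_addr, dst->endpoint };
            (*count)++;
            added++;
        }
    }
    return added;
}

/* Indirect addressing: the sender supplies only its own address, endpoint and cluster;
 * the coordinator looks the destination up. Returns true and fills the outputs on a hit. */
bool resolve_indirect(const binding_entry *table, size_t count,
                      uint16_t src_addr, uint8_t src_ep, uint16_t cluster,
                      uint16_t *dst_addr, uint8_t *dst_ep)
{
    for (size_t i = 0; i < count; i++) {
        if (table[i].src_addr == src_addr && table[i].src_ep == src_ep &&
            table[i].cluster == cluster) {
            *dst_addr = table[i].dst_addr;
            *dst_ep   = table[i].dst_ep;
            return true;
        }
    }
    return false;
}

int main(void)
{
    /* Constructed sample: a switch emitting cluster 0x0006 and a lamp accepting it.
     * Addresses, profile 0x0104 and cluster 0x0006 are assumed sample identifiers. */
    endpoint_desc sw   = { 0x1234, 1, 0x0104, {0}, 0, {0x0006}, 1 };
    endpoint_desc lamp = { 0x5678, 8, 0x0104, {0x0006}, 1, {0}, 0 };
    binding_entry table[8];
    size_t n = 0;
    match_and_bind(&sw, &lamp, table, 8, &n);

    uint16_t a; uint8_t e;
    if (resolve_indirect(table, n, 0x1234, 1, 0x0006, &a, &e))
        printf("0x%04X/%u cluster 0x0006 -> 0x%04X/%u\n", 0x1234, 1, a, e);
    return 0;
}
```

The capacity check in `match_and_bind` is the part worth keeping in a real implementation: the coordinator holds this table on behalf of every node, so a flood of bind requests must fail cleanly rather than write past the table.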

2.11.1 Zigbee Technology

ZigBee is one such advance in wireless technology. Wireless itself is not new, as wireless networking and wireless Internet access are already in common use, but ZigBee addresses a different niche and is therefore usually referred to as ZigBee wireless technology. The ZigBee standard uses very small, very low-power devices that connect together to form a wireless control network. The ZigBee protocol is optimized for very long battery life, measured in months to years, from inexpensive, off-the-shelf non-rechargeable batteries, and can control lighting, air conditioning and heating, smoke and fire alarms, and other security devices. ZigBee is a low-data-rate, two-way standard for home automation and data networks. Real usage examples of ZigBee include home automation tasks such as turning lights on, turning up the heat, setting the home security system, or starting the VCR.

With ZigBee all these tasks can be done from anywhere in the home at the touch of a button. ZigBee also allows dial-in access via the Internet for automation control.

ZigBee technology is a low-data-rate, low-power-consumption, low-cost wireless networking protocol targeted at automation and remote control applications. The IEEE 802.15.4 committee began work on a low-data-rate standard, the ZigBee Alliance and the IEEE then decided to join forces, and ZigBee is the commercial name for the resulting technology. ZigBee is expected to provide low-cost and low-power connectivity for equipment that needs battery life as long as several months to several years but does not require data transfer rates as high as those enabled by Bluetooth. In addition, ZigBee can be implemented in mesh networks larger than is possible with Bluetooth. ZigBee-compliant wireless devices are expected to transmit 10-75 meters, depending on the RF environment and the output power required for a given application, and operate in the unlicensed RF bands worldwide (2.4 GHz globally, 915 MHz in the Americas or 868 MHz in Europe). The data rate is 250 kbps at 2.4 GHz, 40 kbps at 915 MHz and 20 kbps at 868 MHz. The IEEE and the ZigBee Alliance have been working closely to specify the entire protocol stack. IEEE 802.15.4 focuses on the specification of the lower two layers of the protocol (physical and data link layer).

On the other hand, the ZigBee Alliance aims to provide the upper layers of the protocol stack (from the network layer to the application layer) for interoperable data networking, security services and a range of wireless home and building control solutions, and to provide interoperability compliance testing, marketing of the standard and advanced engineering for the evolution of the standard. This assures consumers that they can buy products from different manufacturers with confidence that the products will work together. IEEE 802.15.4 details the specification of the PHY and MAC by offering building blocks for different types of networking, known as star, mesh and cluster tree. Network routing schemes are designed to ensure power conservation, and low latency through guaranteed time slots. A unique feature of the ZigBee network layer is communication redundancy, eliminating the single point of failure in mesh networks. Key features of the PHY include energy and link quality detection, and clear channel assessment for improved coexistence with other wireless networks.

2.11.2 TECHNICAL OVERVIEW

ZigBee is a low-cost, low-power, wireless mesh network standard. The low cost allows the technology to be widely deployed in wireless control and monitoring applications. Low power usage allows longer life with smaller batteries. Mesh networking provides high reliability and more extensive range. ZigBee chip vendors typically sell integrated radios and microcontrollers with between 60 KB and 256 KB of flash memory.

ZigBee operates in the industrial, scientific and medical (ISM) radio bands: 868 MHz in Europe, 915 MHz in the USA and Australia, and 2.4 GHz in most jurisdictions worldwide. Data transmission rates range from 20 kilobits/second in the 868 MHz band to 250 kilobits/second in the 2.4 GHz band.

The ZigBee network layer natively supports both star and tree networks, and generic mesh networks. Every network must have one coordinator device, tasked with its creation, the control of its parameters and basic maintenance. Within star networks, the coordinator must be the central node. Both trees and meshes allow the use of ZigBee routers to extend communication at the network level.

Fig No:2.9 ZigBee protocol stack


ZigBee builds upon the physical layer and medium access control defined in IEEE standard 802.15.4 (2003 version) for low-rate WPANs. The specification goes on to complete the standard by adding four main components: network layer, application layer, ZigBee device objects (ZDOs) and manufacturer-defined application objects, which allow for customization and favor total integration.

Besides adding two high-level network layers to the underlying structure, the most significant improvement is the introduction of ZDOs. These are responsible for a number of tasks, which include keeping track of device roles, management of requests to join a network, device discovery and security. ZigBee is not intended to support powerline networking but to interface with it, at least for smart metering and smart appliance purposes. Because ZigBee nodes can go from sleep to active mode in 30 ms or less, latency can be low and devices can be responsive, particularly compared to Bluetooth wake-up delays, which are typically around three seconds. Because ZigBee nodes can sleep most of the time, average power consumption can be low, resulting in long battery life.

Trademark and alliance

The ZigBee Alliance is a group of companies that maintain and publish the

ZigBee standard. The term ZigBee is a registered trademark of this group, not a single

technical standard. The Alliance publishes application profiles that allow multiple OEM

vendors to create interoperable products. The relationship between IEEE 802.15.4 and

ZigBee is similar to that between IEEE 802.11 and the Wi-Fi Alliance.

License

For non-commercial purposes, the ZigBee specification is available free to the general public. An entry-level membership in the ZigBee Alliance, called Adopter, provides access to the as-yet unpublished specifications and permission to create products for market using the specifications. The requirements for membership in the ZigBee Alliance cause problems for open-source developers because the annual fee conflicts with the GNU General Public License. The requirement for the developer to join the ZigBee Alliance similarly conflicts with most other free software licenses.


2.11.3 Applications of Zigbee Technology

Applications of ZigBee technology are not limited to one area: because it is cost-effective, runs from low-power batteries and is wireless, ZigBee is used in a great many appliances. ZigBee is implemented in chip form and is built into many devices so that they can operate automatically. Controlling and monitoring a whole factory unit from a single control room is possible using ZigBee; it centralizes all the units in one place and enables remote monitoring.

In a similar way, a home can be centralized while improving its security. Many small pieces of equipment now come with embedded ZigBee chips. ZigBee is rapidly entering the market with devices such as smoke and heat sensors, medical and scientific equipment, control units for home and industry, and wireless communication devices, and in the near future it is likely to be found in almost every walk of life.

Uses

ZigBee protocols are intended for embedded applications requiring low data rates

and low power consumption. The resulting network will use very small amounts of

power — individual devices must have a battery life of at least two years to pass ZigBee

certification.

Protocols

The protocols build on recent algorithmic research (Ad-hoc On-demand Distance

Vector, neuRFon) to automatically construct a low-speed ad-hoc network of nodes. In

most large network instances, the network will be a cluster of clusters. It can also form a

mesh or a single cluster. The current ZigBee protocols support beacon and non-beacon

enabled networks.In non-beacon-enabled networks, an unslotted CSMA/CA channel

access mechanism is used. In this type of network, ZigBee Routers typically have their

receivers continuously active, requiring a more robust power supply. However, this

allows for heterogeneous networks in which some devices receive continuously, while

others only transmit when an external stimulus is detected.


The typical example of a heterogeneous network is a wireless light switch: The

ZigBee node at the lamp may receive constantly, since it is connected to the mains

supply, while a battery-powered light switch would remain asleep until the switch is

thrown. The switch then wakes up, sends a command to the lamp, receives an

acknowledgment, and returns to sleep.

In such a network the lamp node will be at least a ZigBee Router, if not the

ZigBee Coordinator; the switch node is typically a ZigBee End Device.

In beacon-enabled networks, the special network nodes called ZigBee Routers

transmit periodic beacons to confirm their presence to other network nodes. Nodes may

sleep between beacons, thus lowering their duty cycle and extending their battery life.

Beacon intervals depend on data rate; they may range from 15.36 milliseconds to

251.65824 seconds at 250 kbit/s, from 24 milliseconds to 393.216 seconds at 40 kbit/s

and from 48 milliseconds to 786.432 seconds at 20 kbit/s. However, low duty cycle

operation with long beacon intervals requires precise timing, which can conflict with the

need for low product cost.

In general, the ZigBee protocols minimize the time the radio is on, so as to reduce

power use. In beaconing networks, nodes only need to be active while a beacon is being

transmitted. In non-beacon-enabled networks, power consumption is decidedly

asymmetrical: some devices are always active, while others spend most of their time

sleeping.

Except for the Smart Energy Profile 2.0, ZigBee devices are required to conform to the IEEE 802.15.4-2003 Low-Rate Wireless Personal Area Network (LR-WPAN) standard. The standard specifies the lower protocol layers: the physical layer (PHY) and the media access control (MAC) portion of the data link layer (DLL). The basic channel access mode is carrier sense multiple access with collision avoidance (CSMA/CA). That is, the nodes talk in the same way that people converse: they briefly check to see that no one is talking before they start. There are three notable exceptions to the use of CSMA. Beacons are sent on a fixed timing schedule and do not use CSMA. Message acknowledgments also do not use CSMA. Finally, devices in beacon-enabled networks that have low-latency real-time requirements may use Guaranteed Time Slots (GTS), which by definition do not use CSMA.


2.12 Piezoelectric Buzzers

FEATURES:

• The PS series are high-performance buzzers that employ unimorph piezoelectric elements and are designed for easy incorporation into various circuits.

• They feature extremely low power consumption in comparison to electromagnetic units.

• Because these buzzers are designed for external excitation, the same part can serve as both a musical tone oscillator and a buzzer.

• They can be used with automated inserters. Moisture-resistant models are also available.

• A lead-wire type (PS1550L40N) with double-sided adhesive tape for easy mounting is also available.

Application of Buzzers:

Electric ranges, washing machines, computer terminals, and various devices that require speech synthesis output.

2.13 Keypad

Keyboards and LCDs are the most widely used input/output devices of the 8051, and a basic understanding of them is essential. In this section, we first discuss keyboard fundamentals, along with key press and key detection mechanisms; then we show how a keyboard is interfaced to an 8051.

Interfacing the Keyboard to the 8051

At the lowest level, keyboards are organized in a matrix of rows and columns. The CPU accesses both rows and columns through ports; therefore, with two 8-bit ports, an 8*8 matrix of keys can be connected to a microprocessor. When a key is pressed, a row and a column make a connection; otherwise, there is no connection between row and column. In IBM PC keyboards, a single microcontroller (consisting of microprocessor, RAM and EPROM, and several ports all on a single chip) takes care of the software and hardware interfacing of the keyboard. In such systems it is the function of programs stored in the EPROM of the microcontroller to scan the keys continuously, identify which one has been activated, and present it to the motherboard. In this section we look at the mechanism by which the 8051 scans and identifies the key.

Scanning and identifying the key

Figure 2.10 below shows a 4*4 matrix connected to two ports. The rows are connected to an output port and the columns are connected to an input port. If no key has been pressed, reading the input port will yield 1s for all columns, since they are all connected to high (Vcc). If all the rows are grounded and a key is pressed, one of the columns will read 0, since the pressed key provides the path to ground. It is the function of the microcontroller to scan the keyboard continuously to detect and identify the key pressed. How this is done is explained next.

Fig No:2.10 Grounding rows and reading columns

To detect a pressed key, the microcontroller grounds all rows by providing 0 to

the output latch, and then it reads the columns. If the data read from the columns is D3-

D0=1111, no key has been pressed and the process continues until a key press is detected.

However, if one of the column bits has a zero, this means that a key press has occurred.

For example, if D3-D0=1101, this means that a key in the D1 column has been pressed.

After a key press is detected, the microcontroller will go through the process of

identifying the key. Starting with the top row, the microcontroller grounds it by providing

a low to row D0 only; then it reads the columns. If the data read is all 1s, no key in that

row is activated and the process is moved to the next row. It grounds the next row, reads

the columns, and checks for any zero. This process continues until the row is identified.

After identification of the row in which the key has been pressed, the next task is to find

out which column the pressed key belongs to. This should be easy since the

microcontroller knows at any time which row and column are being accessed.

An assembly language program for detection and identification of key activation is given below. In this program, it is assumed that P1 and P2 are initialized as output and input, respectively. Program 13.1 goes through the following four major stages:

1. To make sure that the preceding key has been released, 0s are output to all rows at once, and the columns are read and checked repeatedly until all the columns are high. When all columns are found to be high, the program waits for a short amount of time before it goes to the next stage of waiting for a key to be pressed.

2. To see if any key is pressed, the columns are scanned over and over in an infinite loop until one of them has a 0 on it. Remember that the output latches connected to the rows still have their initial zeros (provided in stage 1), keeping them grounded. After the key press is detected, the program waits 20 ms for the bounce to settle and then scans the columns again. This serves two functions: (a) it ensures that the first key press detection was not an erroneous one due to spike noise, and (b) the 20 ms delay prevents the same key press from being interpreted as multiple key presses. If after the 20 ms delay the key is still pressed, it goes to the next stage to detect which row it belongs to; otherwise, it goes back into the loop to detect a real key press.

3. To detect which row the key press belongs to, it grounds one row at a time, reading the columns each time. If it finds that all columns are high, the key press cannot belong to that row; therefore, it grounds the next row and continues until it finds the row the key press belongs to. Upon finding that row, it sets up the starting address of the look-up table holding the scan codes (or ASCII values) for that row and goes to the next stage to identify the key.

4. Finally, the column bit that reads 0 selects the entry for the pressed key within that row of the look-up table, and that scan code is returned.
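The four stages above as an added example in portable C (this is not the report's Program 13.1, which is not reproduced on the page, nor vendor code). Because the example has to run on a PC, the two port accesses are stand-ins around a constructed model of the switch matrix: on the AT89S52, `write_rows` would write P1, `read_cols` would read P2, and `delay_ms` would be a timer loop. The key layout in `keymap` and the helper `keypad_model_set_key` are assumptions of this model, not taken from the report.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the 4x4 switch matrix and the two port nibbles.
 * rows: low nibble of the output port (P1 in the text), bit r drives row r.
 * cols: low nibble of the input port (P2), bit c reads column c; pull-ups make
 * an idle column read 1. A closed switch at [r][c] ties column c to row r. */
static bool switch_closed[4][4];      /* true while that key is held down */
static uint8_t row_latch = 0x0F;      /* last value written to the row port */

/* Stand-ins for the port accesses; on real hardware these are P1 = v and a read of P2. */
static void write_rows(uint8_t v) { row_latch = v & 0x0F; }

static uint8_t read_cols(void)
{
    uint8_t cols = 0x0F;                          /* nothing pulls a column low yet */
    for (int r = 0; r < 4; r++) {
        if (row_latch & (1u << r)) continue;      /* row r not grounded: no path to 0 */
        for (int c = 0; c < 4; c++)
            if (switch_closed[r][c]) cols &= (uint8_t)~(1u << c);
    }
    return cols;
}

/* On the 8051 this is a timer or instruction-count loop; a no-op in the model. */
static void delay_ms(unsigned ms) { (void)ms; }

/* Look-up table of key codes, one row per keypad row (assumed layout). */
static const char keymap[4][4] = {
    {'1', '2', '3', 'A'},
    {'4', '5', '6', 'B'},
    {'7', '8', '9', 'C'},
    {'*', '0', '#', 'D'},
};

/* Stage 1: true when no key is held (all columns high with every row grounded).
 * The caller loops on this until it returns true before looking for a new key. */
bool keypad_released(void)
{
    write_rows(0x00);
    return read_cols() == 0x0F;
}

/* Stages 2-4: one scan. Returns the key code, or 0 if nothing is pressed or the
 * first reading does not survive the 20 ms debounce. */
char keypad_scan(void)
{
    write_rows(0x00);                             /* ground all rows at once */
    if (read_cols() == 0x0F) return 0;            /* stage 2: no column is low */
    delay_ms(20);                                 /* stage 2: wait out contact bounce */
    if (read_cols() == 0x0F) return 0;            /* a spike, not a key */

    for (int r = 0; r < 4; r++) {                 /* stage 3: find the row */
        write_rows((uint8_t)~(1u << r));          /* ground row r only */
        uint8_t cols = read_cols();
        if (cols == 0x0F) continue;               /* key is not in this row */
        for (int c = 0; c < 4; c++) {             /* stage 4: the low column bit */
            if (!(cols & (1u << c))) {
                write_rows(0x00);                 /* leave rows grounded for stage 1 */
                return keymap[r][c];
            }
        }
    }
    write_rows(0x00);
    return 0;                                     /* key released mid-scan */
}

/* Model control only: close or open the switch at [row][col]. */
void keypad_model_set_key(int row, int col, bool down)
{
    if (row >= 0 && row < 4 && col >= 0 && col < 4)
        switch_closed[row][col] = down;
}

int main(void)
{
    keypad_model_set_key(2, 1, true);             /* simulate pressing the '8' key */
    printf("scan: '%c'\n", keypad_scan());
    keypad_model_set_key(2, 1, false);
    printf("released: %d\n", keypad_released());
    return 0;
}
```

With two keys held in different rows, the row-by-row scan returns the key in the lowest-numbered row first; a firmware that must reject simultaneous presses (a keypad lock, for instance) should keep scanning the remaining rows instead of returning at the first hit.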

2.14 Microcontrollers:

Microprocessors and microcontrollers are widely used in embedded system products. A microcontroller is a programmable device. It has a CPU in addition to a fixed amount of RAM, ROM, I/O ports and a timer, all embedded on a single chip. The fixed amount of on-chip ROM and RAM and the fixed number of I/O ports in microcontrollers make them ideal for many applications in which cost and space are critical.

The Intel 8052 is an enhanced member of the MCS-51 (8051) family, a Harvard-architecture single-chip microcontroller (µC) family developed by Intel in 1980 for use in embedded systems. It was popular in the 1980s and early 1990s, but today it has largely been superseded by a vast range of enhanced devices with 8051/8052-compatible processor cores that are manufactured by more than 20 independent manufacturers including Atmel, Infineon Technologies and Maxim Integrated Products.

The 8052 is an 8-bit processor, meaning that the CPU can work on only 8 bits of data at a time. Data larger than 8 bits has to be broken into 8-bit pieces to be processed by the CPU. The 8052 is available with different program memory types such as UV-EPROM, Flash and NV-RAM.

The present project is developed in Keil uVision. To program the device, the Proload tool has been used to burn the program into the microcontroller.

FEATURES:

• Compatible with MCS-51® Products

• 8K Bytes of In-System Programmable (ISP) Flash Memory

– Endurance: 1000 Write/Erase Cycles

• 4.0V to 5.5V Operating Range

• Fully Static Operation: 0 Hz to 33 MHz

• Three-level Program Memory Lock

• 256 x 8-bit Internal RAM


• 32 Programmable I/O Lines

• Three 16-bit Timer/Counters

• Eight Interrupt Sources

• Full Duplex UART Serial Channel

• Low-power Idle and Power-down Modes

• Interrupt Recovery from Power-down Mode

• Watchdog Timer

• Dual Data Pointer

• Power-off Flag

Fig 2.11 AT89S52 Micro Controller

DESCRIPTION:

The AT89S52 is a low-power, high-performance CMOS 8-bit microcontroller with 8K bytes of in-system programmable Flash memory. The device is manufactured using Atmel's high-density nonvolatile memory technology and is compatible with the industry-standard 80C51 instruction set and pinout. The on-chip Flash allows the program memory to be reprogrammed in-system or by a conventional nonvolatile memory programmer. By combining a versatile 8-bit CPU with in-system programmable Flash on a monolithic chip, the Atmel AT89S52 is a powerful microcontroller which provides a highly flexible and cost-effective solution to many embedded control applications. The AT89S52 provides the following standard features: 8K bytes of Flash, 256 bytes of RAM, 32 I/O lines, watchdog timer, two data pointers, three 16-bit timer/counters, a six-vector two-level interrupt architecture, a full duplex serial port, on-chip oscillator, and clock circuitry. In addition, the AT89S52 is designed with static logic for operation down to zero frequency and supports two software-selectable power saving modes. The Idle mode stops the CPU while allowing the RAM, timer/counters, serial port, and interrupt system to continue functioning. The Power-down mode saves the RAM contents but freezes the oscillator, disabling all other chip functions until the next interrupt or hardware reset.

2.14.1 PIN CONFIGURATION:

Fig 2.12 Pin diagram of AT89S52 Micro Controller

VCC:

Supply voltage.

GND:

Ground.


Port 0:

Port 0 is an 8-bit open drain bidirectional I/O port. As an output port, each pin

can sink eight TTL inputs. When 1s are written to port 0 pins, the pins can be used as

high impedance inputs. Port 0 can also be configured to be the multiplexed low order

address/data bus during accesses to external program and data memory. In this mode, P0

has internal pullups. Port 0 also receives the code bytes during Flash programming and

outputs the code bytes during program verification. External pullups are required during

program verification.

Port 1:

Port 1 is an 8-bit bidirectional I/O port with internal pullups. The Port 1 output

buffers can sink/source four TTL inputs. When 1s are written to Port 1 pins, they are

pulled high by the internal pullups and can be used as inputs. As inputs, Port 1 pins that

are externally being pulled low will source current (IIL) because of the internal pullups.

In addition, P1.0 and P1.1 can be configured to be the timer/counter 2 external count

input (P1.0/T2) and the timer/counter 2 trigger input (P1.1/T2EX), respectively, as shown

in the following table. Port 1 also receives the low-order address bytes during Flash

programming and verification.

Port 2:

Port 2 is an 8-bit bidirectional I/O port with internal pull-ups. The Port 2

output buffers can sink/source four TTL inputs. When 1s are written to Port 2 pins, they

are pulled high by the internal pull-ups and can be used as inputs. As inputs, Port 2 pins

that are externally being pulled low will source current (IIL) because of the internal pull-

ups. Port 2 emits the high-order address byte during fetches from external program

memory and during accesses to external data memory that use 16-bit addresses (MOVX

@ DPTR). In this application, Port 2 uses strong internal pull-ups when emitting 1s.

During accesses to external data memories that use 8-bit addresses (MOVX @ RI), Port 2

emits the contents of the P2 Special Function Register. Port 2 also receives the high-order

address bits and some control signals during Flash programming and verification.


Table 2.3: Port 1 Pin Description

Port Pin   Alternate Functions
P1.0       T2 (external count input to timer/counter 2), clock-out
P1.1       T2EX (timer/counter 2 capture/reload trigger and direction control)
P1.5       MOSI (used for in-system programming)
P1.6       MISO (used for in-system programming)
P1.7       SCK (used for in-system programming)

Port 3:

Port 3 is an 8-bit bidirectional I/O port with internal pull-ups. The Port 3

output buffers can sink/source four TTL inputs. When 1s are written to Port 3 pins, they

are pulled high by the internal pull-ups and can be used as inputs. As inputs, Port 3 pins

that are externally being pulled low will source current (IIL) because of the pull-ups. Port

3 also serves the functions of various special features of the AT89S52, as shown in the

following table.

Table 2.4: Port 3 Pin Description

Port Pin   Alternate Functions
P3.0       RXD (serial input port)
P3.1       TXD (serial output port)
P3.2       INT0 (external interrupt 0)
P3.3       INT1 (external interrupt 1)
P3.4       T0 (timer 0 external input)


RST:

Reset input. A high on this pin for two machine cycles while the oscillator is running resets the device. This pin drives high for 98 oscillator periods after the watchdog times out. The DISRTO bit in SFR AUXR (address 8EH) can be used to disable this feature. In the default state of bit DISRTO, the RESET HIGH out feature is enabled.

ALE/PROG:

Address Latch Enable (ALE) is an output pulse for latching the low byte of

the address during accesses to external memory. This pin is also the program pulse input

(PROG) during Flash programming. In normal operation, ALE is emitted at a constant

rate of 1/6 the oscillator frequency and may be used for external timing or clocking

purposes. Note, however, that one ALE pulse is skipped during each access to external

data memory. If desired, ALE operation can be disabled by setting bit 0 of SFR location

8EH. With the bit set, ALE is active only during a MOVX or MOVC instruction.

Otherwise, the pin is weakly pulled high. Setting the ALE-disable bit has no effect if the

microcontroller is in external execution mode.

PSEN:

Program Store Enable (PSEN) is the read strobe to external program memory.

When the AT89S52 is executing code from external program memory, PSEN is activated

twice each machine cycle, except that two PSEN activations are skipped during each

access to external data memory.

EA/VPP:

External Access Enable. EA must be strapped to GND in order to enable the device to fetch code from external program memory locations starting at 0000H up to FFFFH. Note, however, that if lock bit 1 is programmed, EA will be internally latched on reset. EA should be strapped to VCC for internal program execution. This pin also receives the 12-volt programming enable voltage (VPP) during Flash programming. The three lock bits listed in the features are the device's only protection against the firmware being read back out: per the AT89S52 datasheet, lock bit 1 also disables further programming of the Flash, lock bit 2 additionally disables verify (read-back through the programmer), and lock bit 3 additionally disables external execution. The lock bits can be cleared only by a chip erase, which erases the code along with them.


XTAL1:

Input to the inverting oscillator amplifier and input to the internal clock

operating circuit.

XTAL2:

Output from the inverting oscillator amplifier.XTAL1 and XTAL2 are the

input and output, respectively, of an inverting amplifier that can be configured for use as

an on-chip oscillator, as shown in Figure. Either a quartz crystal or ceramic resonator

may be used. To drive the device from an external clock source, XTAL2 should be left

unconnected while XTAL1 is driven, as shown in the below figure. There are no

requirements on the duty cycle of the external clock signal, since the input to the internal

clocking circuitry is through a divide-by-two flip-flop, but minimum and maximum

voltage high and low time specifications must be observed.


CHAPTER 3

SOFTWARE DESCRIPTION

3.1 KEIL SOFTWARE:

Keil is the toolchain in which the program for the microcontroller is written and compiled. The assembly or C source is assembled or compiled into object code, linked, and then converted into an Intel HEX file, which is what is burned into the microcontroller for execution. Keil supports both 8051 assembly language and C.

STEPS TO WRITE AN ASSEMBLY LANGUAGE PROGRAM IN KEIL AND

HOW TO COMPILE IT:

1. Install the Keil Software in the PC in any of the drives.

2. After installation, an icon named "Keil uVision3" is created. Drag this icon onto the desktop so that it is easy to reach whenever you want to write programs in Keil.

3. Double click on this icon to start the keil compiler.

4. A page opens with different options in it showing the project workspace at the

leftmost corner side, output window in the bottom and an ash coloured space for

the program to be written.

5. Now to start using the keil, click on the option “project”.

6. A small window opens showing the options like new project, import project, open

project etc. Click on “New project”.

7. A small window with the title bar “Create new project” opens. The window asks

the user to give the project name with which it should be created and the

destination location. The project can be created in any of the drives available. You

can create a new folder and then a new file or can create directly a new file.

8. After the file is saved in the given destination location, a window opens where a

list of vendors will be displayed and you have to select the device for the target

you have created.


9. The most widely used vendor is Atmel. So click on Atmel and now the family of

microcontrollers manufactured by Atmel opens. You can select any one of the

microcontrollers according to the requirement.

10. When you click on any one of the microcontrollers, the features of that particular microcontroller are displayed on the right side of the page. A widely used choice with which most projects can be implemented is the AT89C51; for this project the AT89S52 is used. Click on the microcontroller, have a look at its features, and then click "OK" to select it.

11. A small window opens asking whether to copy the startup code into the file you

have created just now. Just click on “No” to proceed further.

12. Now you can see the TARGET and SOURCE GROUP created in the project

workspace.

13. Now click on “File” and in that “New”. A new page opens and you can start

writing program in it.

14. After the program is completed, save it with any name but with the .asm

extension. Save the program in the file you have created earlier.

15. You can notice that after you save the program, the predefined keywords will be

highlighted in bold letters.

16. Now add this file to the target by right-clicking on the source group. A list of options opens; select "Add files to the source group", browse to where you saved the file and add it.

17. Right click on the target and select the first option “Options for target”. A window

opens with different options like device, target, output etc. First click on “target”.

18. Since the set frequency of the microcontroller is 11.0592 MHz to interface with

the PC, just enter this frequency value in the Xtal (MHz) text area and put a tick

on the Use on-chip ROM. This is because the program what we write here in the

keil will later be dumped into the microcontroller and will be stored in the inbuilt

ROM in the microcontroller.

19. Now click the “Output” tab, give any name to the hex file to be created in the “Name of executable” text area, and put a tick on the “Create HEX file” option present in the same window. The hex file can be created in any of the drives. You can change the folder by clicking on “Select folder for Objects”.

20. Now, to check whether the program you have written is free of errors, click on the icon exactly below the “Open file” icon, which is the Build Target icon. You can also use the shortcut key F7 to compile the program.

21. To check the output, there are several windows like the serial window, memory window, project window etc. Depending on the program you have written, select the appropriate window to see the output by entering debug mode.

22. The icon with the letter “d” indicates the debug mode.

23. Click on this icon, then click on the “View” option and select the appropriate window to check the output.

24. After this is done, click the “debug” icon again to come out of debug mode.

The hex file created as shown above will be dumped into the microcontroller with the help of another piece of software called Proload.

3.2 PROLOAD

Proload is software which accepts only hex files. Once the machine code is converted into hex code, that hex code has to be dumped into the microcontroller, and this is done by Proload. Proload is a programmer which itself contains a microcontroller other than the one which is to be programmed. This microcontroller runs a program written such that it accepts the hex file from the Keil compiler and dumps it into the microcontroller which is to be programmed. As the Proload programmer kit requires a power supply to operate, this supply is given from the power supply circuit designed above. It should be noted that this programmer kit contains a power supply section on the board itself, but in order to switch on that power supply a source is required. This is accomplished from the power supply board with an output of 12 volts.


Fig 3.1 Atmel 8051 device programmer

Features

Supports major Atmel 89 series devices

Auto-identifies connected hardware and devices

Error checking and verification built in

Locking of the program in the chip is supported, to prevent program copying

20 and 40 pin ZIF socket on-board

Auto erase before writing and auto verify after writing

Informative status bar and access to the last programmed file

Simple and easy to use

Works at 57600 baud

Description

It is a simple-to-use, low-cost, yet powerful flash microcontroller programmer for the Atmel 89 series. It will Program, Read and Verify Code Data, Write Lock Bits, Erase and Blank Check. All fuse and lock bits are programmable. This programmer has intelligent onboard firmware and connects to the serial port. It can be used with any type of computer and requires no special hardware. All that is needed is a serial communication port, which all computers have. All devices have signature bytes that the programmer reads to automatically identify the chip. There is no need to select the device type; just plug it in and go! All devices also have a number of lock bits to provide various levels of software and programming protection. These lock bits are fully programmable using this programmer. Lock bits are useful to protect the program from being read back from the microcontroller, allowing only an erase before the microcontroller is reprogrammed. The programmer connects to a host computer using a standard RS232 serial port. All the programming 'intelligence' is built into the programmer, so you do not need any special hardware to run it. The programmer comes with Windows-based software for easy programming of the devices.

PROGRAMMING SOFTWARE

Computer-side software called 'Proload V4.1' is executed, which accepts the Intel HEX format file generated by the compiler and sends it to the target microcontroller. It auto-detects the hardware connected to the serial port. It also auto-detects the chip inserted and the bytes used. The software is developed in Delphi 7 and requires no external DLL.
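Before a HEX file produced by the Keil “Create HEX file” step is handed to the programmer, it is worth checking that every record survived intact, because a corrupted byte ends up in the chip's program memory. The following is an added example, not part of the original report and not Proload's code: it parses Intel HEX records, verifies each record's checksum and length field, and loads the data into an image bounded by the AT89S52's 8K on-chip program memory (0000H to 1FFFH, as given in the Memory Organization appendix). The sample records and the image bound are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed bound: AT89S52 on-chip program memory is 0000H-1FFFH (8K). */
#define IMAGE_SIZE 0x2000

/* Parsed view of one Intel HEX record ":LLAAAATTDD...CC". */
typedef struct {
    uint8_t  length;    /* LL: number of data bytes */
    uint16_t address;   /* AAAA: 16-bit load offset */
    uint8_t  type;      /* TT: 00 = data, 01 = end of file */
    uint8_t  data[255]; /* DD: payload */
} hex_record_t;

static int hex_nibble(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Parse one record and verify it. The checksum CC is the two's complement of the
   sum of all preceding bytes, so the sum of every byte LL..CC must be 0 mod 256.
   rec may be NULL to validate only. Returns 0 on success, a negative code on error. */
int parse_hex_record(const char *line, hex_record_t *rec) {
    uint8_t bytes[4 + 255 + 1], sum = 0;
    size_t len = strlen(line), nbytes, i;
    while (len && (line[len - 1] == '\n' || line[len - 1] == '\r')) len--;
    if (len < 11 || line[0] != ':' || (len - 1) % 2 != 0) return -1; /* malformed frame */
    nbytes = (len - 1) / 2;
    if (nbytes > sizeof bytes) return -1;
    for (i = 0; i < nbytes; i++) {
        int hi = hex_nibble(line[1 + 2 * i]), lo = hex_nibble(line[2 + 2 * i]);
        if (hi < 0 || lo < 0) return -2;                  /* non-hex character */
        bytes[i] = (uint8_t)((hi << 4) | lo);
        sum = (uint8_t)(sum + bytes[i]);
    }
    if (bytes[0] != nbytes - 5) return -3;                /* LL disagrees with length */
    if (sum != 0) return -4;                              /* checksum mismatch */
    if (rec) {
        rec->length  = bytes[0];
        rec->address = (uint16_t)((bytes[1] << 8) | bytes[2]);
        rec->type    = bytes[3];
        memcpy(rec->data, bytes + 4, rec->length);
    }
    return 0;
}

/* Load a whole file (array of record lines) into image[]. Every record must verify,
   every data byte must fall inside the image, and the file must end with an EOF
   record. Returns the number of data bytes loaded, or a negative code on error. */
int load_hex_image(const char *const *lines, size_t n, uint8_t *image, size_t image_size) {
    int loaded = 0, status;
    size_t i;
    memset(image, 0xFF, image_size);   /* erased-flash fill */
    for (i = 0; i < n; i++) {
        hex_record_t rec;
        if ((status = parse_hex_record(lines[i], &rec)) != 0) return status;
        if (rec.type == 0x01) return loaded;           /* EOF reached: done */
        if (rec.type != 0x00) return -5;               /* other record types not handled */
        if ((size_t)rec.address + rec.length > image_size) return -6; /* outside the chip */
        memcpy(image + rec.address, rec.data, rec.length);
        loaded += rec.length;
    }
    return -7;  /* no EOF record: file is truncated */
}

/* Constructed sample file: LJMP 0800H at the reset vector, SJMP $ at 0800H, then EOF. */
static const char *const SAMPLE_HEX[] = {
    ":03000000020800F3",
    ":0208000080FE78",
    ":00000001FF",
};
static uint8_t g_image[IMAGE_SIZE];

int load_sample_image(void) {
    return load_hex_image(SAMPLE_HEX, 3, g_image, sizeof g_image);
}
int sample_image_byte(unsigned addr) { return addr < IMAGE_SIZE ? g_image[addr] : -1; }

int main(void) {
    printf("loaded %d bytes\n", load_sample_image());                              /* 5 */
    printf("corrupted record -> %d\n", parse_hex_record(":0208000081FE78", NULL)); /* -4 */
    return 0;
}
```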

3.3 Advantages

Easy to implement

Low power consumption

Cost effective

Directions


Fig 3.2 Writing the program bytes on to the microcontroller

3.4 APPLICATIONS

Asset tracking

Passports

Security and access control

Government library

Document and people tracking

Health care

Transportation payments

Supply chain management

Retailing


CHAPTER 4

PROJECT IMPLEMENTATION

4.1 Block Diagram of Transmitter:

Fig 4.1 Transmitter block diagram (blocks: MEMS sensor, ADC, microcontroller, LCD, EEPROM, MAX 232, ZigBee module, crystal oscillator, reset)

The main parts in the Hacking of Electronic Equipments are

1. MEMS Sensor

2. ZIGBEE Module

3. ADC

4. LCD

5. EEPROM

6. MAX232

7. Crystal oscillator

8. Keypad

9. Micro controller

10. Reset

Description:

The project Hacking of Electronic Equipments consists of a MEMS sensor, a power supply and a ZIGBEE module. If anybody attempts to steal any electronic equipment such as a PC, mobile etc., the MEMS sensor will detect the vibration of that equipment and send a signal to the microcontroller. An ADC is present between the MEMS sensor and the microcontroller, which is used to convert the voltage into 0’s and 1’s. The controller compares the voltages of the signal and transmits them through the Zigbee communication. The output of the microcontroller is displayed on the LCD, and the MAX 232 acts as the interface between the microcontroller and the Zigbee module. The EEPROM is used to store the data and is a non-volatile memory. Here the MEMS accelerometer, serial EEPROM memory and serial LCD display act as slave devices.

In this project three individual keys are used to perform operations like

1. City Road Guiding Equipment

2. Preventing Train Accidents

3. Hacking of Electronic Equipments

1. City Road Guide Equipment

In city road guide equipment, the device aims at informing people about the city bus numbers for the places they wish to go. By pressing the City Road Guiding key, the system performs the respective operation.

2. Preventing Train Accidents

In this operation, if any damage occurs to a bridge or railway track, the MEMS sensor sends the signal voltages, which are then sent to the ZIGBEE receiver and displayed on the LCD.

4.2 Block Diagram of Receiver:

Fig 4.2 Receiver block diagram (blocks: Zigbee module, MAX 232, microcontroller, LCD, keypad, reset, crystal oscillator, buzzer)

Description

The ZIGBEE receiver receives the data and shows it on the LCD. The microcontroller reads the status of the LCD and, if any movement occurs in an unauthorized way, initiates a sequence of events such as an audible alert through a buzzer and disabling further operation of the system. After receiving the data, the system can easily be locked through the keypad by pressing a key. The system remains in this state until the remote control unit transmits an emergency password.

4.3 REGULATED POWER SUPPLY:

Fig 4.3 Regulated power supply (blocks: 230V AC 50Hz, step-down transformer, bridge rectifier, filter, regulator, D.C. output)

The input to the circuit is applied from the regulated power supply. The a.c. input, i.e., 230V from the mains supply, is stepped down by the transformer to 12V and fed to a rectifier. The output obtained from the rectifier is a pulsating d.c. voltage. So, in order to get a pure d.c. voltage, the output voltage from the rectifier is fed to a filter to remove any a.c. components present even after rectification. Now, this voltage is given to a voltage regulator to obtain a pure, constant d.c. voltage.

Transformer:

Usually, DC voltages are required to operate various electronic equipment, and these voltages are 5V, 9V or 12V. But these voltages cannot be obtained directly. Thus the a.c. input available at the mains supply, i.e., 230V, is to be brought down to the required voltage level. This is done by a transformer. Thus, a step-down transformer is employed to decrease the voltage to the required level.


Fig 4.4 Transformer

Rectifier:

The output from the transformer is fed to the rectifier. It converts A.C. into pulsating D.C. The rectifier may be a half-wave or a full-wave rectifier. In this project, a bridge rectifier is used because of its merits, such as good stability and full-wave rectification.

Fig 4.5 Bridge rectifier circuit

The bridge rectifier is a circuit which converts an ac voltage to a dc voltage using both half cycles of the input ac voltage. The bridge rectifier circuit is shown in the figure. The circuit has four diodes connected to form a bridge. The ac input voltage is applied to the diagonally opposite ends of the bridge. The load resistance is connected between the other two ends of the bridge. For the positive half cycle of the input ac voltage, diodes D1 and D3 conduct, whereas diodes D2 and D4 remain in the OFF state. The conducting diodes will be in series with the load resistance RL and hence the load current flows through RL. For the negative half cycle of the input ac voltage, diodes D2 and D4 conduct, whereas D1 and D3 remain OFF. The conducting diodes D2 and D4 will be in series with the load resistance RL and hence the current flows through RL in the same direction as in the previous half cycle. Thus a bidirectional wave is converted into a unidirectional wave.


Filter:

A capacitive filter is used in this project. It removes the ripples from the output of the rectifier and smooths the D.C. The output received from this filter is constant as long as the mains voltage and load are maintained constant. However, if either of the two is varied, the D.C. voltage received at this point changes.

CHAPTER 5

RESULT

5.1 Transmitter Section

The “HACKING OF ELECTRONIC EQUIPMENTS” system consists of three modes of operation. It performs the remaining two operations by using switches, and the reset button is used to exit from one state to another, after which it automatically performs the first operation.

Fig No:5.1 Transmitter section


The above figure shows the operation of hacking of electronic equipments. Here the MEMS sensor senses the changes in the position of the device and sends the data to the Zigbee module through the interface, i.e., the MAX232. The LCD displays the voltage of the signals.

It performs another two operations along with hacking of electronic equipments. One operation is “CITY ROAD GUIDING” and the other is “PREVENTION OF TRAIN ACCIDENTS”.

Fig No:5.2 City road guiding

In city road guiding, four switches are used and the data is already stored by using the Keil software. By pressing the first key it displays on the LCD the message which is already dumped into the program. Likewise, pressing the remaining keys displays the message related to that switch.


Fig No 5.3: Prevention of train accidents

In prevention of train accidents, the message displayed on the receiver section is that the bridge is weak. It receives the information from the transmitter section.

5.2 Receiver Section


Fig No 5.4: Receiver section

The above figure displays the output of the project: the Zigbee receiver receives the data and shows it on the LCD. After receiving the data, the system can be locked through the keypad by pressing a key, and it produces a buzzer sound.

CONCLUSION

As modern electronic goods such as computers, mobile phones, portable players, laptops and palmtops are becoming smaller and more sophisticated, they can be more easily targeted for theft in the home and business environment. In the existing system, the devices used are bulkier and cannot be easily integrated with existing compact electronic systems.

Our project overcomes the drawbacks of present systems. It takes advantage of the dramatic advances in micromachined semiconductor product technology and employs a tri-axis micromachined accelerometer integrated on a chip, which is mounted in the system to be protected. The MEMS accelerometer can sense motion on all 3 axes. The main advantage of our project is that the system remains in the locked state until the remote control unit transmits an emergency password, which must match the 10-digit device identification number stored in the non-volatile memory space.

Advantages


• Automated operation.

• Easy to find out the thief who stole our equipment.

• Low cost.

• Alerts a control unit at a remote location through a Zigbee wireless modem.

• Inbuilt

• Small in size

Applications

• Office automation.

• Military.

• Security.

• Medical field.

• Finance.

• Prevention of accidents

• Public places

Future Scope


BIBLIOGRAPHY


APPENDICES

Microelectromechanical systems (MEMS)

The technology of very small mechanical devices driven by electricity; it merges at the nano-scale into nanoelectromechanical systems (NEMS) and nanotechnology. MEMS are also referred to as micromachines (in Japan) or micro systems technology, MST (in Europe).

MEMS are separate and distinct from the hypothetical vision of molecular nanotechnology or molecular electronics. MEMS are made up of components between 1 and 100 micrometres in size (i.e. 0.001 to 0.1 mm), and MEMS devices generally range in size from 20 micrometres (20 millionths of a metre) to a millimetre. They usually consist of a central unit that processes data, the microprocessor, and several components that interact with the outside such as microsensors.[1] At these size scales, the standard constructs of classical physics are not always useful. Because of the large surface area to volume ratio of MEMS, surface effects such as electrostatics and wetting dominate volume effects such as inertia or thermal mass.

The potential of very small machines was appreciated before the technology existed that could make them; see, for example, Richard Feynman's famous 1959 lecture There's Plenty of Room at the Bottom. MEMS became practical once they could be fabricated using modified semiconductor device fabrication technologies, normally used to make electronics. These include molding and plating, wet etching (KOH, TMAH) and dry etching (RIE and DRIE), electro-discharge machining (EDM), and other technologies capable of manufacturing small devices. An early example of a MEMS device is the resonistor, an electromechanical monolithic resonator.

Materials for MEMS manufacturing

The fabrication of MEMS is derived from the process technology of semiconductor device fabrication, i.e. the basic techniques are deposition of material layers, patterning by photolithography, and etching to produce the required shapes.

Silicon

Silicon is the material used to create most integrated circuits used in consumer electronics in the modern world. The economies of scale, ready availability of cheap high-quality materials and ability to incorporate electronic functionality make silicon attractive for a wide variety of MEMS applications. Silicon also has significant advantages engendered through its material properties. In single-crystal form, silicon is an almost perfect Hookean material, meaning that when it is flexed there is virtually no hysteresis and hence almost no energy dissipation. As well as making for highly repeatable motion, this also makes silicon very reliable, as it suffers very little fatigue and can have service lifetimes in the range of billions to trillions of cycles without breaking.

Polymers


Even though the electronics industry provides an economy of scale for the silicon industry, crystalline silicon is still a complex and relatively expensive material to produce. Polymers, on the other hand, can be produced in huge volumes, with a great variety of material characteristics. MEMS devices can be made from polymers by processes such as injection molding, embossing or stereolithography, and are especially well suited to microfluidic applications such as disposable blood testing cartridges.

Metals

Metals can also be used to create MEMS elements. While metals do not have some of the advantages displayed by silicon in terms of mechanical properties, when used within their limitations metals can exhibit very high degrees of reliability. Metals can be deposited by electroplating, evaporation and sputtering processes.

Ceramics

The nitrides of silicon, aluminium and titanium, as well as silicon carbide and other ceramics, are increasingly applied in MEMS fabrication due to advantageous combinations of material properties. AlN crystallizes in the wurtzite structure and thus shows pyroelectric and piezoelectric properties, enabling sensors, for instance, with sensitivity to normal and shear forces.[5] TiN, on the other hand, exhibits a high electrical conductivity and large elastic modulus, allowing electrostatic MEMS actuation schemes with ultrathin membranes to be realized.[6] Moreover, the high resistance of TiN against biocorrosion qualifies the material for applications in biogenic environments and in biosensors.

MEMS basic processes

Deposition processes

One of the basic building blocks in MEMS processing is the ability to deposit thin films of material with a thickness anywhere between a few nanometres and about 100 micrometres.


Physical deposition

There are two types of physical deposition processes. They are as follows.

Physical vapor deposition (PVD)

Physical vapor deposition consists of a process in which a material is removed from a target and deposited on a surface. Techniques to do this include sputtering, in which an ion beam liberates atoms from a target, allowing them to move through the intervening space and deposit on the desired substrate, and evaporation (deposition), in which a material is evaporated from a target using either heat (thermal evaporation) or an electron beam (e-beam evaporation) in a vacuum system.

Chemical deposition

Chemical deposition techniques include chemical vapor deposition ("CVD"), in which a stream of source gas reacts on the substrate to grow the material desired. This can be further divided into categories depending on the details of the technique, for example LPCVD (low-pressure chemical vapor deposition) and PECVD (plasma-enhanced chemical vapor deposition).

Oxide films can also be grown by the technique of thermal oxidation, in which the (typically silicon) wafer is exposed to oxygen and/or steam to grow a thin surface layer of silicon dioxide.

Embedded C language

Embedded C is a set of language extensions for the C programming language by the C Standards Committee to address commonality issues that exist between C extensions for different embedded systems. Historically, embedded C programming required nonstandard extensions to the C language in order to support exotic features such as fixed-point arithmetic, multiple distinct memory banks, and basic I/O operations.


The C programming language is perhaps the most popular programming language for programming embedded systems. We mentioned other popular programming languages. Most C programmers are spoiled because they program in environments where not only is there a standard library implementation, but there are frequently a number of other libraries available for use. The cold fact is that in embedded systems there are rarely many of the libraries that programmers have grown used to, and occasionally an embedded system might not have a complete standard library, if there is a standard library at all. Few embedded systems have the capability for dynamic linking, so if standard library functions are to be available at all, they often need to be directly linked into the executable. Oftentimes, because of space concerns, it is not possible to link in an entire library file, and programmers are often forced to "brew their own" standard C library implementations if they want to use them at all. While some libraries are bulky and not well suited for use on microcontrollers, many development systems still include the standard libraries which are the most common for C programmers.

C remains a very popular language for microcontroller developers due to its code efficiency and reduced overhead and development time. C offers low-level control and is considered more readable than assembly. Many free C compilers are available for a wide variety of development platforms. The compilers are part of IDEs with ICD support, breakpoints, single-stepping and an assembly window. The performance of C compilers has improved considerably in recent years, and they are claimed to be more or less as good as assembly, depending on who you ask. Most tools now offer options for customizing the compiler optimization. Additionally, using C increases portability, since C code can be compiled for different types of processors.


Special Function Registers

A map of the on-chip memory area called the Special Function Register (SFR) space is shown in the following table. It should be noted that not all of the addresses are occupied, and unoccupied addresses may not be implemented on the chip. Read accesses to these addresses will in general return random data, and write accesses will have an indeterminate effect.

User software should not write 1s to these unlisted locations, since they may be used in future products to invoke new features. In that case, the reset or inactive values of the new bits will always be 0.

Timer 2 Registers

Control and status bits are contained in registers T2CON and T2MOD for Timer 2. The register pair (RCAP2H, RCAP2L) is the Capture/Reload register for Timer 2 in 16-bit capture mode or 16-bit auto-reload mode.

Dual Data Pointer Registers

To facilitate accessing both internal and external data memory, two banks of 16-bit Data Pointer Registers are provided: DP0 at SFR address locations 82H-83H and DP1 at 84H and 85H. Bit DPS = 0 in SFR AUXR1 selects DP0 and DPS = 1 selects DP1. The user should ALWAYS initialize the DPS bit to the appropriate value before accessing the respective Data Pointer Register.


Memory Organization

MCS-51 devices have separate address spaces for Program and Data Memory. Up to 64K bytes each of external Program and Data Memory can be addressed.

Program Memory

If the EA pin is connected to GND, all program fetches are directed to external memory. On the AT89S52, if EA is connected to VCC, program fetches to addresses 0000H through 1FFFH are directed to internal memory and fetches to addresses 2000H through FFFFH go to external memory.

Data Memory

The AT89S52 implements 256 bytes of on-chip RAM. The upper 128 bytes occupy a parallel address space to the Special Function Registers. This means that the upper 128 bytes have the same addresses as the SFR space but are physically separate from the SFR space.

When an instruction accesses an internal location above address 7FH, the address mode used in the instruction specifies whether the CPU accesses the upper 128 bytes of RAM or the SFR space. Instructions which use direct addressing access the SFR space.

UART

The Atmel 8051 microcontrollers implement three general-purpose 16-bit timers/counters. They are identified as Timer 0, Timer 1 and Timer 2 and can be independently configured to operate in a variety of modes, as a timer or as an event counter. When operating as a timer, the timer/counter runs for a programmed length of time and then issues an interrupt request. When operating as a counter, the timer/counter counts negative transitions on an external pin. After a preset number of counts, the counter issues an interrupt request. The various operating modes of each timer/counter are described in the following sections.

A basic operation consists of timer registers THx and TLx (x = 0, 1) connected in cascade to form a 16-bit timer. Setting the run control bit (TRx) in the TCON register turns the timer on by allowing the selected input to increment TLx. When TLx overflows it increments THx; when THx overflows it sets the timer overflow flag (TFx) in the TCON register. Setting TRx does not clear the THx and TLx timer registers. Timer registers can be accessed to obtain the current count or to enter preset values. They can be read at any time, but the TRx bit must be cleared to preset their values; otherwise the behavior of the timer/counter is unpredictable.

Since it takes 2 cycles (12 peripheral clock periods) to recognize a negative transition, the maximum count rate is FPER / 12, i.e. FOSC / 24 in standard mode or FOSC / 12 in X2 mode. There are no restrictions on the duty cycle of the external input signal, but to ensure that a given level is sampled at least once before it changes, it should be held for at least one full peripheral cycle. In addition to the “timer” or “counter” selection, Timer 0 and Timer 1 have four operating modes from which to select, which are selected by bit-pairs (M1, M0) in TMOD. Modes 0, 1 and 2 are the same for both timer/counters. Mode 3 is different.

The four operating modes are described below. Timer 2 has three modes of operation: ‘capture’, ‘auto-reload’ and ‘baud rate generator’.

Timer 0

Timer 0 functions as either a timer or event counter in four modes of operation. Timer 0 is controlled by the four lower bits of the TMOD register and bits 0, 1, 4 and 5 of the TCON register. The TMOD register selects the method of timer gating (GATE0), timer or counter operation (T/C0#) and mode of operation (M10 and M00). The TCON register provides Timer 0 control functions: overflow flag (TF0), run control bit (TR0), interrupt flag (IE0) and interrupt type control bit (IT0). For normal timer operation (GATE0 = 0), setting TR0 allows TL0 to be incremented by the selected input. Setting GATE0 and TR0 allows external pin INT0# to control timer operation.

Timer 0 overflow (count rolls over from all 1s to all 0s) sets the TF0 flag, generating an interrupt request. It is important to stop the timer/counter before changing mode.

Timer 1

Timer 1 is identical to Timer 0, except for mode 3, which is a hold-count mode. The following comments help to understand the differences:

• Timer 1 functions as either a timer or event counter in three modes of operation. Timer 1’s mode 3 is a hold-count mode.

• Timer 1 is controlled by the four high-order bits of the TMOD register and bits 2, 3, 6 and 7 of the TCON register. The TMOD register selects the method of timer gating (GATE1), timer or counter operation (C/T1#) and mode of operation (M11 and M01). The TCON register provides Timer 1 control functions: overflow flag (TF1), run control bit (TR1), interrupt flag (IE1) and interrupt type control bit (IT1).

• Timer 1 can serve as the baud rate generator for the serial port. Mode 2 is best suited for this purpose.

Timer 2

Timer 2 is a 16-bit Timer/Counter that can operate as either a timer or an event counter. The type of operation is selected by bit C/T2 in the SFR T2CON. Timer 2 has three operating modes: capture, auto-reload (up or down counting), and baud rate generator. The modes are selected by bits in T2CON. Timer 2 consists of two 8-bit registers, TH2 and TL2. In the Timer function, the TL2 register is incremented every machine cycle. Since a machine cycle consists of 12 oscillator periods, the count rate is 1/12 of the oscillator frequency.
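As an added example (not the report's code, and written in portable C rather than Keil C51 so it runs on a PC), the following models the THx:TLx cascade and TFx overflow flag described in the timer sections above, derives a mode-1 preset for a given delay from the FOSC/12 machine-cycle rate, and computes the Timer 1 mode-2 reload value that makes it the UART baud rate generator. The last function shows why the 11.0592 MHz crystal from step 18 of the Keil procedure gives an exact 9600 baud while 12 MHz does not. The serial mode 1 baud formula with the SMOD bit is assumed from the standard 8051 datasheet.

```c
#include <stdint.h>
#include <stdio.h>

/* Crystal used in the report for the PC interface: 11.0592 MHz, standard (12-clock)
   mode, where one machine cycle is 12 oscillator periods. */
#define FOSC_HZ 11059200UL

/* Model of one MCS-51 timer/counter in mode 1: THx:TLx cascade plus the TRx run
   bit and TFx overflow flag that live in TCON. */
typedef struct {
    uint8_t th, tl;   /* high and low count bytes */
    uint8_t tr;       /* run control bit TRx */
    uint8_t tf;       /* overflow flag TFx */
} timer16_t;

/* One increment of TLx by the selected input (a machine cycle in timer mode, or a
   1-to-0 transition on the Tx pin in counter mode). */
void timer_tick(timer16_t *t) {
    if (!t->tr) return;                   /* a stopped timer does not count */
    if (++t->tl == 0)                     /* TLx rolled over 0xFF -> 0x00 ... */
        if (++t->th == 0) t->tf = 1;      /* ... and THx too: set TFx */
}

/* Preset THx:TLx. The datasheet requires TRx cleared while presetting, so the
   model refuses (returns 0) when the timer is running. */
int timer_preset(timer16_t *t, uint16_t value) {
    if (t->tr) return 0;
    t->th = (uint8_t)(value >> 8);
    t->tl = (uint8_t)(value & 0xFF);
    return 1;
}

/* Current 16-bit count. */
uint16_t timer_count(const timer16_t *t) { return (uint16_t)((t->th << 8) | t->tl); }

/* Run the model from a preset until TFx is set; returns the number of input ticks.
   Serves as a check that the cascade overflows after exactly 65536 - preset ticks. */
unsigned long ticks_to_overflow(uint16_t preset) {
    timer16_t t = {0, 0, 0, 0};
    unsigned long ticks = 0;
    timer_preset(&t, preset);
    t.tr = 1;
    while (!t.tf) { timer_tick(&t); ticks++; }
    return ticks;
}

/* Machine cycles per second in standard mode: FOSC / 12. */
unsigned long machine_cycles_per_sec(unsigned long fosc) { return fosc / 12; }

/* Mode-1 preset that overflows after about `us` microseconds (integer math,
   truncating). Returns -1 if the delay does not fit in one 16-bit span. */
int preset_for_delay_us(unsigned long fosc, unsigned long us) {
    uint64_t cycles = (uint64_t)machine_cycles_per_sec(fosc) * us / 1000000ULL;
    if (cycles == 0 || cycles > 65536) return -1;
    return (int)(65536 - cycles);
}

/* Timer 1 mode 2 (8-bit auto-reload) reload value for the UART in serial mode 1:
   baud = FOSC / (12 * 32 * (256 - TH1)) with SMOD = 0, or /16 instead of /32 with
   SMOD = 1. Returns -1 when no integer reload produces the rate exactly. */
int th1_reload_for_baud(unsigned long fosc, unsigned long baud, int smod) {
    unsigned long divisor = 12UL * (smod ? 16UL : 32UL);
    unsigned long n = fosc / (divisor * baud);
    if (n == 0 || n > 256 || n * divisor * baud != fosc) return -1;
    return (int)(256 - n);
}

int main(void) {
    printf("ticks from 0xFFFE to overflow: %lu\n", ticks_to_overflow(0xFFFE));    /* 2 */
    printf("preset for 1 ms at 11.0592 MHz: 0x%04X\n", preset_for_delay_us(FOSC_HZ, 1000));
    printf("TH1 for 9600 baud at 11.0592 MHz: %d\n", th1_reload_for_baud(FOSC_HZ, 9600, 0));
    printf("TH1 for 9600 baud at 12 MHz: %d\n", th1_reload_for_baud(12000000UL, 9600, 0));
    return 0;
}
```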
