Hardware Protocol- Deep Dive

"Identification is easy. Understanding is power."

Why a signal is pulled high, how the bits are clocked on the wire, and exactly what happens inside the silicon when a voltage drops.

This guide is the electrical and logical breakdown of the protocols you will abuse. We are going to look at the waveforms, the timing, and the internal state machines.

---

1. The Fundamentals: Sync vs. Async & Logic Levels

Before dissecting specific protocols, we must define the rules of the road.

A. Synchronous vs. Asynchronous

• Asynchronous (e.g., UART): There is no shared "Clock" wire. Both sides must agree on a speed (Baud Rate) before talking. Data is recovered by timing the gaps between pulses.

  • Risk: If clocks drift (one side is 1% faster), data gets corrupted over long messages.

• Synchronous (e.g., SPI, I2C, JTAG): One side provides a Clock (CLK) signal.

  • Rule: "I will only read the Data line when the Clock line goes High (or Low)."

  • Benefit: Speed doesn't matter. The Master can pause the clock, go get a coffee, come back, and resume. The Slave waits.

B. Logic Levels & Drive Strength

• Push-Pull (Standard): The pin drives voltage to 3.3V 1 and drains to 0V for 0. It is always active.

• Open-Drain (e.g., I2C): The pin can pull down to 0V (GND), but it cannot push high. It simply "lets go" of the wire.

  • Requirement: An external Pull-Up Resistor is needed to pull the wire back to 3.3V when no one is talking. This prevents short circuits when multiple chips talk on the same wire.

---

2. UART (Universal Asynchronous Receiver-Transmitter)

The Structure: Asynchronous, Point-to-Point.

UART is essentially a Shift Register that pushes bits out at a specific timed interval.

The Frame Structure

The line is held High (Idle) by default. A transmission is a sequence of logic transitions:

1. Start Bit (1 bit): The line is pulled Low for one period. This wakes up the receiver and synchronizes its internal timer.

2. Data Bits (5-9 bits): Usually 8 bits (1 Byte), sent LSB (Least Significant Bit) First.

3. Parity Bit (Optional): A simple error check (Even/Odd).

4. Stop Bit (1-2 bits): The line is driven High. This resets the line for the next byte.

Technical Nuance:

The receiver samples the line in the middle of the bit period. If the Baud Rate is 115200, each bit lasts $8.68 \mu s$. The receiver waits after the Start Bit edge, then samples every $8.68 \mu s$.

---

3. SPI (Serial Peripheral Interface)

The Structure: Synchronous, Full-Duplex, Master-Slave.

SPI is technically a Circular Shift Register. Imagine the Master and Slave both have an 8-bit register connected in a ring.

The "Exchange" Mechanism

When the Clock (CLK) pulses 8 times:

• The Master pushes a bit out of its MOSI pin into the Slave's input.

• Simultaneously, the Slave pushes a bit out of its MISO pin into the Master's input.

• After 8 clocks, the contents of the registers have swapped.

Clock Polarity (CPOL) & Phase (CPHA)

SPI has 4 modes (Mode 0-3) defining when data is sampled. This is a common point of failure in hacking.

• CPOL (Polarity): Is the clock Idle High or Idle Low?

• CPHA (Phase): Do we read data on the Leading Edge (first transition) or the Trailing Edge (second transition)?

• Hacker Tip: If you are sniffing SPI and see garbage, flip your logic analyzer's SPI Mode.

---

4. I2C (Inter-Integrated Circuit)

The Structure: Synchronous, Half-Duplex, Multi-Master, Open-Drain.

I2C is complex because 127 devices share the same two wires (SDA, SCL). It relies on Addressing and ACKs.

The Protocol Flow

1. Start Condition: The Master pulls SDA Low while SCL remains High. (This is unique; normally, data only changes when the clock is Low.

2. Address (7 bits) + R/W Bit: The Master shouts, "I want to talk tothe device 0x50".

3. ACK (Acknowledge): The Master releases the SDA line. The Target device must pull SDA Low to say "I heard you." If the line stays High (NACK), no one is home.

4. Data Frames: 8 bits of data + 1 ACK bit.

5. Stop Condition: Master releases SDA High while SCL is High.

VCC (3.3V)
 |
 +-----+------+
 |     |      |
 R1    R2    (Pull-Up Resistors)
 |     |
 +-----|------------ SDA (Data) ----------------+
 |     +------------ SCL (Clock) ----------------+-------+
 |                                              |        |
 +-------------+                +-------------+ |        |
 | MASTER      |                | SLAVE (0x50)| |        |
 | (CPU)       |                | (EEPROM)    | |        |
 |   [FET]     |                |   [FET]     | |        |
 |     |__GND  |                |     |__GND  | |        |
 +-------------+                +-------------+ |        |
                                                |        |
                                         +-------------+
                                         | SLAVE (0x68)|
                                         | (Sensor)    |
                                         +-------------+

Why Open-Drain Matters:

Since devices only pull down, if the Master sends a 1 and the Slave sends a 0 at the same time, the line goes to 0 (Low wins). This is called "Clock Stretching" or arbitration, preventing short circuits.

---

5. JTAG (Joint Test Action Group)

The Structure: Synchronous, State-Machine Driven.

JTAG is not just a data pipe; it is a remote control for the chip's internal "Test Access Port" (TAP) Controller.

The TAP Controller (State Machine)

Inside every JTAG chip is a standard 16-state machine. You navigate this map using the TMS (Test Mode Select) pin.

• On every clock rising edge, if TMS is 1, you move one way. If 0you move the other.

• Key States:

  • Test-Logic-Reset: Everything is safe/off.

  • Shift-DR: We are loading data into a register (like toggling a pin).

  • Shift-IR: We are loading a command (like "IDCODE" or "BYPASS").

                  +------+
                  | TEST |<-----------------------------+
                  | RESET|                              |
                  +--+---+                              |
                     | (TMS=0)                          |
                     v                                  |
              +------+------+                           |
              |  RUN/IDLE   |                           |
              +------+------+                           |
                     | (TMS=1)                          |
                     v                                  |
              +------+------+                           |
              | SELECT-DR   |---------> [ SELECT-IR ] --+
              +------+------+
                     |
                     v
               [ CAPTURE-DR ]
                     |
                     v
                [ SHIFT-DR ]  <-- The "Action" State
                     |            (We toggle TCK to read/write data)
                     v
                [ EXIT1-DR ]
                     |
                     v
                [ UPDATE-DR ]

Boundary Scan Cells

How does JTAG "wiggle" a pin?

Between the CPU core and the physical pin, there is a Boundary Scan Cell. This cell can transparently let data pass through, OR it can hijack the pin to read/write a value regardless of what the CPU wants. This is why JTAG can control a "dead" or crashed chip.

---

6. SWD (Serial Wire Debug)

The Structure: Synchronous, Bi-Directional, Packet-Based.

ARM designed SWD to replace JTAG's 4 pins with 2 (SWCLK, SWDIO).

Because there is only one data wire (SWDIO), it is Time-Division Multiplexed.

HOST (Debugger)                    TARGET (CPU)
        |                                  |
        | --- Request (8 bits) ----------> | "I want to Read Register X"
        |                                  |
        |           (Turnaround)           | (Line floats for 1 cycle)
        |                                  |
        | <---------- ACK (3 bits) ------- | "OK" / "WAIT" / "FAULT."
        |                                  |
        | <--------- Data (32 bits) ------ | (The Register Value)
        |                                  |
        | <--------- Parity (1 bit) ------ |

The Transaction

1. Host Request (8 bits): The debugger sends a header: "I want to Write (AP/DP) Register 0x04."

2. Turnaround (Trn): One clock cycle where no one drives the line (handover).

3. Target ACK (3 bits): The chip replies: OK, WAIT, or FAULT.

4. Data (32 bits): The payload is transferred.

5. Parity (1 bit): Error check.

Hacker Note: SWD requires precise timing. Unlike JTAG (where you can just toggle pins), SWD requires a request/response structure. You cannot easily "bit-bang" SWD manually; you need a controller.