Syan.meDid I ever tell you the story of a project that went down a very intense rabbit whole of reverse engineering?
Well here goes...
About 4 years ago I got a decommissioned Polycom video meeting station, complete with its camera and mic array. I also got the control touchscreen, but that one never seemed to work, probably powered via PoE, which I don't yet have. That'll be for another time
At the time I only checked that everything worked fine. My goal was to be able to control that beautiful camera without having it connected to the station, or at least repurpose the station to remove all default software and only have a small deamon running on it to control the camera
I didn't have much time on my hand and given the potential amount of work it seemed a bit too much and I put it aside for years
Fast forward to last January. After having spent about a year recovering from burn out (don't do it kids, less fun that it sounds!) my dear friend from highschool, let's call them Roger, spent a week at home
While we spent a lot of time cooking, they were the first person with which I ever had fun being a nerd. After the NYE festivities we planned a couple days of staying in the dark, eating amazing leftovers, and geeking. They had some python scripts to fix, as one does, I was almost done finishing my Minitel makeover (let's talk about that one later, someday I'll have a blog and will say more about it, I promise)
And that's when I found that box. A simple card box with some shiny toy inside that I had completely forgotten. The next hours were spent opening that thingy open, just to find an SD card slot right near the main opening. After running a careful `dd` archive of the thingy I went out to explore it, just to find a standard Android 4.0 install. Yip. Really
After some back on forth between my. MacBook SD card reader and the main device, numerous side quests to including installing @AsahiLinux (seriously, that's some amazing tool, big congrats and thank you to you all over there!!) I had updated the SD card root files to enable ADB at boot time
Equipped with my newly found way inside Za Thingy™ I now had to resume my search for a deeper understanding of the whole thing.
I'll spare you the whole time trying to pry open and decompile the `polycom.service.legacyapi-1` and `PortController` services, only to find hours later that my interest was in `SourceManager`. That was very frustrating and I shan't relive it
I backtracked a bit to understand the situation better. By then all I had was an Android board connected to a camera via an unknown cable using the very forgotten HDCI phy interface.
What kind of signal was in there? How would I ever be able to send commands an receive an image?
Well, that's where docs come in handy, aint it. Some digging revealed that my cable, subtly named 2457-64356-100, contained 4 groups of TMDS-HDMI and 2 RS232 wires. Docs are amazing you guys, should have started by that maybe. Probably.
Checking `dmesg` while plugging the camera confirmed it used a ADV7604 chip, proudly advertising it detected a 1080p60 HDMI input.
Some more sniffing around lead me to running a simple `adb logcat` and realize the SourceManager service was outputting all its RS232 bytes, both transmitted and received, to the device's logs.
Reading the docs also told me about a small surprise, a legacy API over telnet...
You guessed it, I build a small script to run various camera-related commands while recording `adb logcat` outputs to a log file.
It basically loops over the whole range of commands, writes the command to telnet and to the log file, sleeps while the ADB logs come in, and goes to the next.
Camera commands included pan, tilt and zoom setting, either to a precise value or by moving until stopping manually, setting color calibration, reading the current position, etc.
After multiple days on this, I was now approaching my goal, understand the PTZ interface and writing my own client!
After some time cleaning up the logs, running them again because I had made mistakes after mistakes, didn't set a large enough sleep, etc, trying to train ChatGPT to extract valuable information from them, eating ice cream, running them again because the camera had went to sleep mid script, drinking rosé, and forgetting to sleep, I now had a comprehensive dataset.
Some PTZ commands were harder to decode, the get/set with precise values, bits aren't in the order I had expected
After multiple tries I now had all I needed to write some Swift code, since it's the only language in which I'm both quite fast at coding and I find easy enough to read.
Found an old USB-RS232 cable in my boxes, some soldering and whishful thinking later, it was now the much anticipated moment of talking to Za Thingy™
And that's when I got sad. Because Za Thingy™ didn't listen, and never talked :(
Seriously. I tried multiple commands, checked 10 times that I had pried the proper lines out of that massive cable (RX, TX, GND), and yet, communication went nowhere. Not fun. Much Sad
But... I realized I had a second RS232-USB cable.
I was determined, this wasn't gonna stop me. I soldered some pin wires on it, plugged it, and wrote a simple sniffing script, in the hopes of sniffing both the RX and TX lines independently, while the cable was put back in its original form and the camera received commands from its Android board.
Commands were sniffed alright, length was familiar, but you know what? Never had a single data similar to my former set. None.
Thinking that maybe the logs I had studied might show a raw value but i could transmit it encrypted, or maybe I had some different voltage expectations I tried to find a formulae that would link one set to the other, and yet, I never found such a thing. Adjusted my RS232 settings, triple checked the code, nothing.
So I did was anyone in my situation would have done. Edited my script, and ran the whole thing again to build myself a second data set and understand that new vocabulary!
Hours, maybe days later, I ended up with my new words, my new tools at communication, my new hope.
I plugged it in my Swift code, built it, moved some cables around (by then I had soldered cable that you could easily plug and unplug, yay me), and tried talking again to my friend.
And still, the silence persisted. Nothing. Not a peep. Camera didn't move. Its blue LED never turned on. Almost got worried I had fried it, but no, it still worked when connected to its former friend.
It just didn't care about me.
That's when things went into a new slumber. My theory was that my RS232 USB cable wasn't outputting the same voltages as the one that the Android box was. I had the words, just didn't know how to give them. Might have been speaking too loud, or not in the proper pitch.
I needed an oscilloscope to check that, but who has the time and the money for that eh? To bed I went, back in the box it slept
That was until tonight.
See, I spent the last couple of weeks trying to justify to myself that I really needed an oscilloscope. I could get a cheap one or a second one oldy, but I needed one.
Why you asked? Oh no, certainly not for that project. That wouldn't be responsible! How dare you!
It was obviously to understand why the backlight inverter of the old iMac G3 I was working on didn't seem to light up more than half a second.
It was to fix that old cassette tape player I had thrifted.
It was to fix that second cassette tape I had thrifted, also becaue It Looked Cute©.
After weeks (no) of careful (no) consideration (still not), I started that old dialup modem, waited for the tone and bought an Hanmatek HO52S oscilloscope.
Jump forward a couple of weeks, finally bringing us to tonight
(A careful reader would have by now noticed my ADHD meds wore off before I wrote this, it is now 3am, I just wanted to post a cute oscilloscope pic and go to bed, yet you now know half of my life)
I took that magnificent tool out if its box, played with it, tried to install The Software On The CD to see if I could pilot if from my computer, but since I don't own any x86 Windows box anymore I gave up (after 3hrs and discovering the way too much about Windows drivers mind you).
I then went to my closet, said hey to an old me (happy pride month), got the box and set up Za Thingy™ proudly on my table.
As the ceremony continued I pried open the carefully protected ground solder, attached my two probe's ground, unplugged the TX and RX cables just enough for each probe to grasp it securely, set up my triggers properly, and here we are.
I now know (I think)
After spending weeks manually reading megabytes of debug logs and RS232 sniffed data, after so much soldering, doc reading (albeit a bit too late), I’ve now tapped the RS232 lines and caught the signal in transit.
Now I know. 9600bps. 1V amplitude, centered on 0V.
I will go to sleep happy. Tomorrow is another day. It is the day I measure the amplitude of my USB RS232 signal, confirm that it isn't the same at all, and make a plan to fix it. Tomorrow gives me hope. Tomorrow is beautiful.
Finally finished ! Next thread here https://mastodon.social/@syan/113472972434170949