Author Topic: Single Use Temperature Logger Hacking  (Read 9838 times)

Offline Adler (Topic starter)

  • Regular Contributor
  • *
  • Posts: 62
  • Country: ca
Single Use Temperature Logger Hacking
« on: February 02, 2016, 04:06:38 pm »
I recently got my hands on a DeltaTRAK temperature logger. This type of device is normally used to ensure the temperature of sensitive materials stays within a certain range during transport. As I understand it, they are designed to be used once and then reset by the company.



I used it to track the temperature of my luggage during a flight and now I'd like to play around with resetting it. I don't know much about microcontrollers but I'd like to use this as an opportunity to learn.

I cracked it open, one screw.



The most interesting part seems to be the six points along the top labelled: MCR, PVD, GND, PGD, PGC, and PGM. My research points to MCR referring to a reset of some kind. PVD may be some programming voltage. GND needs no introduction. PGD, PGC, and PGM seem to be part of some PIC microcontroller programming system.

Here's a closer shot of the mc



It's a PIC18F14K50 8-bit microcontroller.

The other chip on the board is a FM24C64A. Not sure what it is.



I have tried shorting MCR to GND, it didn't seem to do anything. Do I need to buy some programmer to play with this?
 

Offline ElectricGuy

  • Regular Contributor
  • *
  • Posts: 240
  • Country: pt
Re: Single Use Temperature Logger Hacking
« Reply #1 on: February 02, 2016, 04:13:37 pm »
> I recently got my hands on a DeltaTRAK temperature logger. This type of device is normally used to ensure the temperature of sensitive materials stays within a certain range during transport. As I understand it, they are designed to be used once and then reset by the company.
>
> I used it to track the temperature of my luggage during a flight and now I'd like to play around with resetting it. I don't know much about microcontrollers but I'd like to use this as an opportunity to learn.
>
> I cracked it open, one screw.
>
> The most interesting part seems to be the six points along the top labelled: MCR, PVD, GND, PGD, PGC, and PGM. My research points to MCR referring to a reset of some kind. PVD may be some programming voltage. GND needs no introduction. PGD, PGC, and PGM seem to be part of some PIC microcontroller programming system.
>
> Here's a closer shot of the mc
>
> It's a PIC18F14K50 8-bit microcontroller.
>
> The other chip on the board is a FM24C64A. Not sure what it is.
>
> I have tried shorting MCR to GND, it didn't seem to do anything. Do I need to buy some programmer to play with this?

The 24C64 is an EEPROM to store data.

That device, the PIC, needs a programmer like PICKit 3 to read the firmware (if not code protected), or write a new one to the device.

The 6 points are to connect to the programmer.

Shorting MCLR to GND only causes the PIC to RESET/Restart, but it will not lose any data. Probably the MCLR function is disabled in the firmware on that device.
« Last Edit: February 02, 2016, 04:16:39 pm by ElectricGuy »
Thank you!
Regards
ElectricGuy
 

Offline Kilrah

  • Supporter
  • ****
  • Posts: 1852
  • Country: ch
Re: Single Use Temperature Logger Hacking
« Reply #2 on: February 02, 2016, 04:49:34 pm »
I'd expect any "reset" procedure to happen through the USB connector with some proprietary software which would tell the device to wipe its storage memory (the 24C64) and initialise itself again, wouldn't make sense to expect a shipper/logistics department to open up a device and whip a PIC programmer to get it on to the next job.
 

Offline JimRemington

  • Regular Contributor
  • *
  • Posts: 208
  • Country: us
Re: Single Use Temperature Logger Hacking
« Reply #3 on: February 02, 2016, 04:52:11 pm »
The DeltaTrak web page offers software to handle the device, but the reset function doesn't seem to be described. http://www.deltatrak.com/products/usb-data-loggers?id=317#overview
 

Offline Adler (Topic starter)

  • Regular Contributor
  • *
  • Posts: 62
  • Country: ca
Re: Single Use Temperature Logger Hacking
« Reply #4 on: February 02, 2016, 05:10:58 pm »
> The 24C64 is an EEPROM to store data.
>
> That device, the PIC, needs a programmer like PICKit 3 to read the firmware (if not code protected), or write a new one to the device.
>
> The 6 points are to connect to the programmer.
>
> Shorting MCLR to GND only causes the PIC to RESET/Restart, but it will not lose any data. Probably the MCLR function is disabled in the firmware on that device.

I am willing to get a PICkit (or at least a clone) to play with this. How likely am I to find the code protected?

> I'd expect any "reset" procedure to happen through the USB connector with some proprietary software which would tell the device to wipe its storage memory (the 24C64) and initialise itself again, wouldn't make sense to expect a shipper/logistics department to open up a device and whip a PIC programmer to get it on to the next job.

I don't think it's designed to be reset by the shipper, it's supposed to be single use.
The USB idea might be how they designed it though. Is that something I could hack? I wouldn't even know where to start with USB.

> The DeltaTrak web page offers software to handle the device, but the reset function doesn't seem to be described. http://www.deltatrak.com/products/usb-data-loggers?id=317#overview

That model is designed to be reused; this one is similar but different.

http://www.deltatrak.com/flashlink-usb-logger-in-transit-data-logger
 

Offline Kilrah

  • Supporter
  • ****
  • Posts: 1852
  • Country: ch
Re: Single Use Temperature Logger Hacking
« Reply #5 on: February 02, 2016, 05:49:15 pm »
> How likely am I to find the code protected?

Very likely I'd say, most consumer products especially those with hardware that is that easy to copy would protect their FW to avoid simplifying the job of whoever would want to start making clones.


> I don't think it's designed to be reset by the shipper, it's supposed to be single use.

Ah, if that one is meant to be single use then it likely doesn't have the required routines to start fresh.
Best bet I would say would be to poke at the 24C64, read it as backup, try to erase it, if unsuccessful try to figure out the contents and see if something could be used to store a state separately from the data.

But then the state could also be stored in the PIC's internal EEPROM, which you might be able to read or not again based on the read protect configuration bit.

So basically your investigation toolset should include a PIC programmer and a serial EEPROM programmer... and no guarantees you can do anything with it in the end (besides rewriting a firmware from scratch, that's of course always possible).

Note that there is an "RST" test pad on the board, could be interesting to see where that trace goes.
 

Offline ElectricGuy

  • Regular Contributor
  • *
  • Posts: 240
  • Country: pt
Re: Single Use Temperature Logger Hacking
« Reply #6 on: February 02, 2016, 06:02:16 pm »
Yep, it is very probable that it is code protected. But you can always code your own firmware, by reverse engineering the circuit.  :scared:

The data must be in the EEPROM. It's a 64kbit/8kB EEPROM, so it can record lots of data. They say on the website 3823 points. I assume they only need one byte, because the range of the readings is from -40F to 149F, so it may even be able to record even more data.

Erasing the EEPROM cannot solve your problem, because the pointer to the next address is probably in the microcontroller.

Since the PIC only has 256 bytes of EEPROM I doubt that the data is getting stored there, but that PIC can also use ROM space to save readings, but I don't think so.

My opinion!
Thank you!
Regards
ElectricGuy
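
Added example (not from any poster in this thread, and not DeltaTRAK's actual storage format): once the 24C64 has been read out as a backup, one way to start figuring out its contents is to check which record widths fit the quoted 3823 points in 8 kB, then rank candidate decodings by how slowly the decoded series moves. The candidate layouts, the `data_start` offset and the sample images are assumptions constructed for illustration; only the EEPROM size and the point count come from the thread.

```python
import math
import struct

EEPROM_SIZE = 8 * 1024   # 24C64: 64 kbit = 8 kB, as stated in the thread
MAX_POINTS = 3823        # capacity figure quoted in the thread

def header_room(width):
    """Bytes left over if each of MAX_POINTS readings takes `width` bytes."""
    return EEPROM_SIZE - MAX_POINTS * width

def used_length(dump):
    """Dump length once the trailing erased (0xFF) cells are ignored."""
    return len(dump.rstrip(b"\xff"))

def roughness(dump, data_start, fmt):
    """Mean step between consecutive decoded samples, as a fraction of range."""
    width = struct.calcsize(fmt)
    end = data_start + (used_length(dump) - data_start) // width * width
    vals = [v for (v,) in struct.iter_unpack(fmt, dump[data_start:end])]
    if len(vals) < 2:
        return math.inf
    step = sum(abs(a - b) for a, b in zip(vals, vals[1:])) / (len(vals) - 1)
    return step / 256 ** width

def best_layout(dump, data_start):
    """Temperature drifts slowly, so the right decoding gives the smoothest series."""
    scores = {f: roughness(dump, data_start, f) for f in ("<B", "<H", ">H")}
    return min(scores, key=scores.get), scores

def constructed_dump(fmt, base, swing, n=600, data_start=32):
    """Constructed sample image: made-up header, slow sine 'temperature', 0xFF fill."""
    body = b"".join(struct.pack(fmt, base + round(swing * math.sin(i / 50)))
                    for i in range(n))
    image = bytes(range(data_start)) + body
    return image + b"\xff" * (EEPROM_SIZE - len(image))

if __name__ == "__main__":
    for width in (1, 2, 3):
        print(width, "byte(s)/point ->", header_room(width), "bytes spare")
    print(best_layout(constructed_dump("<H", 680, 30), 32)[0])
    print(best_layout(constructed_dump("<B", 68, 3), 32)[0])
```

On a real dump, `data_start` is itself unknown, so the same ranking would be repeated over a range of offsets.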
 

Offline Brutte

  • Frequent Contributor
  • **
  • Posts: 614
Re: Single Use Temperature Logger Hacking
« Reply #7 on: February 02, 2016, 08:44:10 pm »
> I don't know much about microcontrollers but I'd like to use this as an opportunity to learn.

Reverse-engineering such product to learn programming is pointless IMHO. It is doable but that is just too many challenges. Get some decent eval instead if you want to learn embedded.

This miserable PIC8 has 8k of program words and tiny SRAM. With crippled XC8 compiler you won't be able to fit anything more than USB stack inside. So in this case PICKit3 won't help much - you need an XC8 license or USB stack ported to SDCC (not a task for noobs).

There are bigger user-friendly USB PICs available (some PIC32MX or perhaps even PIC18F4550 which works with PICKit2 if you cannot afford PICKit3).
 

