Serial Communications Protocol
From Wij vertrouwen stemcomputers niet
[edit] Talking to the Programming unit (and the ES3b?)
What we've learned so far (all numbers are hex representations bytes as sent over the serial line):
* Line protocol 9600,n,8,2 (yes, 2!) * No handshaking, afaict * A lot of data (all?) is returned as lowercase hex-strings (is that called BCD?)
[edit] Rough Protocol
To start a command, send DC2 (12) Wait for DC4 (14), if you get NAK (15), send DC2 again. Send: STX Command CommandChecksum ETX Wait for ACK (06) Wait for DC2 (12) Send DC4 (14) You will receive a block of data: STX (02) data checksum ETX (03) Send ACK (06) If you receive DC2(12), send DC4 to receive more data.
[edit] Checksum
Add all bytes in the command string together modulo 0x100, take each nibble, prefix with '3'.
For example command A, hex 41 has the check digits 34 31
[edit] Commands
All commands seen sofar are single Capital letters, the command response is a lowercase letter.
[edit] A: Serial, type and version info
no parameters
Our machine responds XX123456NNV2BU, where XX123456 is the serial number.
NN list the availability of a Modem and Blind support. N means 'Not available', the first N is likely the modem. 'A' means available
V: ... probably systemstatus, can also be 'B'
2B likely means Version 2.11.
- yes, the 2.12 rom has 2C here.
U means 'Uitleeseenheid' (reader unit), S means 'Stemcomputer' (voting computer).
[edit] B: Machine status info
no parameters
Reports current activity of the machine, 'locked' status.
| 1 | D or O | D=election in progress |
| 2 | D or O | D=in results menu |
| 3 | D or O | D=mode 5 |
| 4 | D or O | ? tests bits from ioport with boardlevel bits |
| 5 | D or O | ? tests bits from ioport with boardlevel bits |
| 6 | V or B | B=machine blocked |
| 7 | S,F,P,V,N | S=voting, F=results, V=config, P=?, N=? |
| 8 | B,V,H,C | ? depends on 0x40546C |
[edit] C: read module info
C or CS
returns info like:
- erase count
- module id
- vote closed
- computer id
- voting date
[edit] D: read candidates from module
2 variants: 'D' or 'DS'
[edit] E: read candidate entry
"ES%04x%04x" or "Ex%04x%04x"
[edit] F: returns party totals
F or FS
returns 'value totaal generaal'
[edit] G: return all candidate totals for a party
needs 1 params format:
"GS%04x" or "Gx%04x"
[edit] H: returns vote-closed state
H or HS
[edit] I: set voting date
needs a 8 character string as parameter
I07-03-06
Write the election date to voting memory module?
Used during voting module preparation.
"PROGRAMMERING GEHEUGENMODULE IN" "PROGRAMMEERSLOT ONDER PC-BESTURING."
[edit] J: set candidate entries
takes an char[2][31][36] array,
where char[0][party][cand] contains the partynr
and char[1][party][cand] contains the candidate nr
"PROGRAMMERING GEHEUGENMODULE IN" "PROGRAMMEERSLOT ONDER PC-BESTURING."
[edit] K: Programs a candidate.
00010000Party name 00020000Party 2 00010001Party 1, candidate 1 00010002P1, c2 00020001p2, c1 etc.
format:
sprintf("K%04x%04x%79s", party_number, candidate_number, name)
[edit] L: init memmodule
erases the memory module, and sets the module-id
needs 12 ignored characters, and a 8 char ascii string
format:
sprintf("L%12s%8s")
[edit] M: Programs Election name
e.g. 'Verkiezing Gemeenteraad 2006'
needs 79 ascii characters as parameter
[edit] N: return event history
needs one hex parameter
[edit] O: return error history
needs one hex parameter
[edit] P: set system parameters
format:
"P%8sAA...U"
[edit] Q: copy between modules
no parameters
"PROGRAMMERING GEHEUGENMODULE IN" "PROGRAMMEERSLOT ONDER PC-BESTURING."
looking at the code, i think this copies data from one module to the other module
[edit] R: Read machine memory
R003C0000 will give bytes 3C0000 through 3C03FF (1024 bytes) in the result.
[edit] T: get election type
returns the value of byte_4048C4
[edit] U: select programming slot
needs 1 byte parameter, taking values 0 - 3. it stores this value in byte_4048C4
* values 0 and 2 return an error, * value 1 -> programming slot 1 * value 3 -> programming slot 2
[edit] V: get election type
V or VS
[edit] W: set election type
1 byte parameter, allowed values 0 .. 3
see ES3B_V02_12_disassembly#Election_types
[edit] X: get module type
X or XS
[edit] Y: set module type
Y or YN or Y2
[edit] Dump Data
The 'R' Command initiates a dump: 12 02 52 30 30 33 43 30 30 30 30 3E 38 03 14 ..R003C0000>8..
will give bytes 003C0000 to 003C0400.
12 02 52 30 30 33 43 30 30 30 30 3E 38 03 14 06 ..R003C0000>8... 12 02 52 30 30 33 43 30 34 30 30 3E 3C 03 14 06 ..R003C0400><... 12 02 52 30 30 33 43 30 38 30 30 3F 30 03 14 06 ..R003C0800?0... 12 02 52 30 30 33 43 30 43 30 30 3F 3B 03 14 06 ..R003C0C00?;... 12 02 52 30 30 33 43 31 30 30 30 3E 39 03 14 06 ..R003C1000>9... 12 02 52 30 30 33 43 31 34 30 30 3E 3D 03 14 06 ..R003C1400>=... 12 02 52 30 30 33 43 31 38 30 30 3F 31 03 14 06 ..R003C1800?1... 12 02 52 30 30 33 43 31 43 30 30 3F 3C 03 14 06 ..R003C1C00?<... 12 02 52 30 30 33 43 32 30 30 30 3E 3A 03 14 06 ..R003C2000>:... 12 02 52 30 30 33 43 32 34 30 30 3E 3E 03 14 06 ..R003C2400>>... 12 02 52 30 30 33 43 32 38 30 30 3F 32 03 14 06 ..R003C2800?2... 12 02 52 30 30 33 43 32 43 30 30 3F 3D 03 14 06 ..R003C2C00?=... 12 02 52 30 30 33 43 33 30 30 30 3E 3B 03 14 06 ..R003C3000>;... 12 02 52 30 30 33 43 33 34 30 30 3E 3F 03 14 06 ..R003C3400>?... 12 02 52 30 30 33 43 33 38 30 30 3F 33 03 14 06 ..R003C3800?3... 12 02 52 30 30 33 43 33 43 30 30 3F 3E 03 14 06 ..R003C3C00?>... 12 02 52 30 30 33 43 34 30 30 30 3E 3C 03 14 06 ..R003C4000><... 12 02 52 30 30 33 43 34 34 30 30 3F 30 03 14 06 ..R003C4400?0... 12 02 52 30 30 33 43 34 38 30 30 3F 34 03 14 06 ..R003C4800?4... 12 02 52 30 30 33 43 34 43 30 30 3F 3F 03 14 06 ..R003C4C00??... 12 02 52 30 30 33 43 35 30 30 30 3E 3D 03 14 06 ..R003C5000>=... 12 02 52 30 30 33 43 35 34 30 30 3F 31 03 14 06 ..R003C5400?1... 12 02 52 30 30 33 43 35 38 30 30 3F 35 03 14 06 ..R003C5800?5... 12 02 52 30 30 33 43 35 43 30 30 30 30 03 14 06 ..R003C5C0000...
Itsme 18:19, 25 August 2006 (CEST)
probably this is handled in the rom at 0x171e (execute_remote_command) where the first jumptable executes the subroutine at 0x1470 (hexdump_memory) for 'R'