Tigard

by SecuringHardware.com

An open source FT2232H-based, multi-protocol, multi-voltage tool for hardware hacking

View all updates Nov 05, 2020

[Video] The History of Tigard's Design Process

by Joe Fitz

Tigard is fully funded!

Well, our goal was only $1 for a few reasons, but we also surpassed all the other goals we considered.

There was no doubt in our mind that we were going to manufacture Tigard. We need it for SecuringHardware.com’s training classes as well as our own work. The question we wanted to know is who else might need it - and whether we should have them made in larger quantity. We already have the first production run in hand, but at this rate we’ll need a second production run to fulfill all pledges.

For this update, I have an overview of the Design process we went through for Tigard, but you should also check out a technical review of the design from Tom Fleet at Hackster.io

Design process

As I mentioned previously, Tigard was designed based on years of brainstorming and experience with using other I/O boards. For a long time, the Bus Pirate was the tool of choice for hacking low-speed protocols. On the one hand - it can do almost anything. On the other - it’s excellent at almost nothing. Over the past few years I’ve phased out my use of a Bus Pirate in favor of a logic analyzer + I/O device combo - specifically a Cypress FX2 based logic analyzer and an FT232H based I/O device.

I’ve used Adafruit’s FT232H breakout board for 5 years now. It’s affordable, reliable, and simple - but I’ve wished for a few ease-of-use features:

  • Level shifting to 1.8 and 5V
  • I2C and SWD without additional components
  • Labeled headers
  • LED indicators

Previously, I also used separate, standalone USB-to-TTL serial cables. These were inexpensive and readily available for barely a dollar for a long time, but in the past 2 years, I’ve had a difficult time sourcing inexpensive reliable ones - my last batch had over 40% failure, and those that did work were very sensitive to baud rate jitter. Rather than switch to more expensive, reliable cables - incorporating it into one tool made more sense. Tigard has one port of the FT2232H dedicated for UART use, complete with level shifting and activity LEDs.

Changes through the versions

TIMEP

TIMEP served as a proof-of-concept for lots of these ideas. @Matir worked through a few revisions, incorporating some ideas from other FTDI boards. (If you’re looking to hand-assemble a board, TIMEP is likely a better choice than Tigard).

Tigard V0.0

The first Tigard prototype took the core concepts from TIMEP and reimplemented them, optimizing for a small size and high volume automated assembly. Several mode jumpers were replaced in favor of switches for only the most common modes. A square board allowed placing all the headers on the outer edge for ease of use.

Testing revealed three major issues:

I2C Circuitry

The FT2232H doesn’t support open-drain or bidirectional I/O, but the additional components interfered with other components using those pins. The components were removed, sacrificing better I2C support for more reliable use of other protocols. The separate 8-pin I2C header was removed in favor of sharing with the SPI header.

Pinout order

There’s no single standard for JTAG or UART headers. V0.0 kept compatibility with TIMEP, but we decided that for future versions, we’d leave pins in the order defined by FTDI so that Tigard would be pin-compatible with basic breakout boards like the Adafruit and CJMCU.

VTGT LED

There was a minor design mistake and missing component causing the VTGT LED to illuminate without being connected.

Tigard V0.1

The second prototype for Tigard worked well enough that it has been used in production and multiple training classes successfully. In addition to fixing the issues from V0.0, there were a few enhancements:

  • Added a Logic Analyzer port - a 14-pin header with connections to all target-voltage I/O pins so you can debug your protocol
  • Added a ground testpoint
  • Enlarged mounting holes to be M3 compatible

There were two minor issues discovered:

  • Ground pins on the LA port were not connected
  • There are cases where the VTGT LED incorrectly lights; This is a level shifter silicon limitation and is documented errata

Tigard V1.0

This was the production candidate. In addition to minor and aesthetic fixes, two low-risk features were added (and later tested good):

The end result

While we were lucky to have all our prototypes work on the first try, the odds were in our favor because Tigard is fundamentally a simple design. There’s no software or firmware to bring up, and the necessary circuitry are well documented. Next week, we’ll share more about the manufacturing and assembly adventure.

Until then, here’s a quick demo of using Tigard to speak to a serial console:

How To: Serial Console

About the Author

Joe Fitz

securelyfitz  ·  securelyfitz  ·   Portland, OR


$28,242 raised

of $1 goal

Funded!

Pledge Now

$39

Tigard

One Tigard board with wiring harnesses


$69

Tigard + Bitmagic

Combine Tigard (with wiring harnesses) with a Bitmagic Logic Analyzer for live debugging of serial protocols


$1,337

Applied Physical Attacks Online Kit

Toolkit with Tigard, Bitmagic, and more - everything you need for the self-paced "Applied Physical Attacks on Embedded and IoT Systems" online course which covers the basics of hardware hacking on embedded systems. Includes access to all online lectures, labs, and supporting materials.

Credits

SecuringHardware.com

SecuringHardware.com offers hands-on training on hardware hacking skills geared towards security testers and product security developers.


Joseph FitzPatrick

Piotr Esden-Tempski

Franklin Harding

See Also

Subscribe to the Crowd Supply newsletter, highlighting the latest creators and projects: