Let’s suppose you’re reverse-engineering a serial protocol. You already know the correct configuration for the serial port (baudrate etc.) and you assume the protocol is built from frames of equal length.
For simplicity we will also assume that the device sends the data without the necessity to request data from it first. If this is not the case, you can use a different and much simpler approach (just send the request character and se
The next step is to determine the the frame length of the protocol. This post not only details two variants of one of the algorithms you can use in order to do this, but also provides a ready-to-use Python script you can use for your own protocols.
Approach 1: Autocorrelation with argmax
We will use a simple mathematical approach in order to find out what the most likely frame length will be. This is based on the assumption that frames will have a high degree of self similarity, i.e. many of the bytes in a single frame will match the corresponding bytes in the next frame.
It is not required that all bytes are the same in every frame, but if you have entirely different bytes in every frame, the approach will likely not deduce the correct frame length.
This approach is based on autocorrelation. Although it sounds complicated, it means nothing more Compare a sequence by a delayed/shifted version of itself.
This means we will perform the following steps:
- Read a set of characters from the serial device
- Correlate the set of characters with shifted versions of itself
- The framelength is the shift where the maximum similarity occurs (using
As similiarity score, we’ll use
1 if the bytes equal or 0 else. For specific protocols, it might be a more viable approach to introduce individual bit matching, but this will also introduce noise into the process.
For most simple protocols I’ve seen, this approach works very well for both ASCII and binary.
Plotting the correlation looks like this:
Approach 2: Multiple-shift aware Autocorrelation
This modified algorithms works well for protocols where there is insignificant similarity between any two frames or if there is a lot of noise. For such protocol, the maximum score approach does not yield the correct result.
However, we can use the property of constant-framelength protocols that we get high matching scores by shifting a frame by an integer multiple of the (unknown) framelength. Instead of just taking one maximum peak, we multiply all the scores for the integer-multiples of any length.
While this approach doesn’t sound too complicated compared to the first one, it has more caveats and pitfalls, e.g. that there are no integer multiples within the data array for the second half of the correlation result array, and the second quarter is not very significant as there are not many multiples to multiply.
The script (see below) works around these issues by only computing the first quarter of the possible result space. Use the
-n parameter in order to increase the number of characters read by the script.
After computing the multiple-shift aware correlation, we can use argmax just like in the first approach to find the best correlation. Sometimes this identifies a multiple of the frame length due to noise. You can look at the plot (use
-p) and manually determine the frame length in order to find the correct frame length.
As you can see from the result, the “noise” (in between the frame-length shift matches, caused by random matches between characters) is mostly gone.
In many real usecases, this algorithm will produce a more distinct signal in the plot, but the automatically calculated frame size will not be correct as several effects tend to increase the lobe height for multiples of the frame height. Therefore, it is adviseable to have a look at the plot (
-p in the script) before taking the result as granted.
Automating the algorithm
Here’s the Python3 script to this article which works well without modification, but for some protocols you might need to adjust it to fit your needs:
#!/usr/bin/env python3 """ ProtocolFrameLength.py Determine the frame length of an unknown serial protocol with constant-length frames containing similar bytes in every frame. For an explanation, see
python3 ProtocolFrameLength.py -b 115200 /dev/ttyACM0
You can use
-m to use the multiple-shift aware approach.
-p to plot the results as shown above. If one of the approaches does not work, it is advisable to plot the result in order to see if there is something visible in the plot which has not been detected by the
As the results depend on the actual data read, it is advisable to perform multiple runs and see if the results vary.