zte h2640 firmware

BASIC
ELECTRONICS COURSE

THE SCHMITT TRIGGER


One of the most universal chips is the Hex Schmitt Trigger, known as the 74C14. It is also marketed as 40106, 40014, and 74HC14. These are CMOS chips and are characterised by low current consumption, high input impedance and a supply voltage from 5v to 15v. (Do not substitute 7414 or 74LS14. They are TTL chips and operate on 4.5v to 5.5v and have low impedance inputs.)

Fig: 1 shows the six Schmitt gates in a 74c14 chip. 


Fig: 2 shows the symbol for a single input Schmitt Trigger Inverter with power rails: 


Fig 3 shows the Schmitt Trigger characteristic incorporated into other gates:


We will concentrate on the single-input Schmitt Trigger gate as contained in the 74c14 IC. 
Fig: 4 shows the Schmitt Trigger Characteristic:  


The output is HIGH until the input rises to 66% of rail voltage. 
The output goes LOW when the input goes above 66%.
The output remains HIGH until the input falls to 33%. 

A Schmitt Trigger gate can be wired as an oscillator, delay, inverter (and other functions, depending on the surrounding components). 
Fig: 5 shows the Schmitt Trigger wired as an oscillator, delay and inverter:


Each of the 6 gates in the 74c14 can be used to create a separate "building block" and this gives the chip a wide range of capabilities. 

THE FREQUENCY OF AN OSCILLATOR
When a capacitor and resistor are added to a Schmitt Trigger gate, as shown in the first circuit of Fig: 5 above, the result is an oscillator called a MULTIVIBRATOR. A multivibrator has the feature of producing a square wave and this waveshape can have equal high and low periods (called 50:50 mark:space ratio) or any ratio of high and low periods. The HIGH period is called the MARK and the LOW is called the SPACE.
The frequency of an oscillator depends on the value of R and C. There is no fixed "ratio" for these components; however, it is best to refer to sample circuits to see the values needed for a particular frequency - otherwise you may arrive at "unusual" combinations such as very large capacitors and very small resistors to achieve a high frequency. 
The frequency of a Schmitt oscillator is determined by the following equation: 
An easier equation to work with is:
Oscillator circuits for the 74c14 can be separated into three categories:
1. Low frequency
2. Medium frequency, and
3. High frequency
Low frequency oscillators are below 1Hz and can also be classified as DELAY circuits or TIMING circuits. 
Medium frequency oscillators range from 1Hz to about 500kHz. 
High frequency oscillators are above 500kHz. 
We separate circuits into three categories due to the value of capacitor needed. 
For low frequency oscillators the capacitor is an electrolytic, ranging from 1u to 220u.
For medium frequency circuits the capacitor is a ceramic 1n to 100n.
For high frequency circuits the capacitor is a ceramic 47p to 1n.
The value of R should be in the range 10k to 4M7 in all cases. 
The maximum frequency for a particular chip will depend on the supply voltage and the type of chip. 
Some chips do not like supply voltages below 5v (maximum supply voltage is 15v for all chips in this discussion) while other chips (HS) are especially made for high speed operation. All chips will operate up to 500kHz with a 5v to 12v supply. Requirements outside this range will need special investigation. Some chips are designed to operate down to 2-3v.
  
Fig: 6 shows sample oscillator circuits with approximate values for R and C.
 

Fig: 6 Low, Medium and High frequency Schmitt Trigger Oscillators

 

ZTE H2640 FIRMWARE

Analysis of ZTE H2640 Firmware: Architecture, Security Implications, and Modification Vectors

Abstract
The ZTE H2640 is a widely deployed home gateway device (fiber optic ONT/ONU) used in Fiber-to-the-Home (FTTH) networks. This paper presents a technical analysis of its firmware, including the filesystem structure, boot process, encryption methods (if any), common vulnerabilities, and methods for extracting, modifying, and repacking firmware. The goal is to inform security researchers, network administrators, and embedded system developers about potential risks and customization opportunities.

1. Introduction
The ZTE H2640 series (including variants like H2640V9, H2640R) runs a Linux-based operating system. The firmware controls broadband access, Wi-Fi, VoIP, and TR-069 remote management. Despite its prevalence, little public documentation exists on its internal firmware design. This paper provides a systematic review based on reverse engineering and analysis of publicly available firmware update files.

2. Firmware Acquisition and Structure

2.1 Obtaining Firmware
Official firmware is distributed as .bin or .zip files via ISP portals or ZTE’s support site. Example filename: ZTE_H2640V9_UPGRADE_BOOT_v2.0.1.bin

2.2 Initial Analysis with Binwalk
Using binwalk on a sample firmware image reveals:

    $ binwalk ZTE_H2640V9.bin
    0          0x0        uImage header, header size: 64 bytes, ...
    64         0x40       LZMA compressed data, properties: ...
    2097152    0x200000   Squashfs filesystem, little endian, ...

    # In extracted squashfs-root/etc/init.d/telnet
    echo "::respawn:/usr/sbin/telnetd -l /bin/sh" >> /etc/inittab

After modifications, repack with:

    mksquashfs squashfs-root/ newroot.sqsh -comp xz -b 256k
    cat kernel.uImage newroot.sqsh > custom_firmware.bin

The repacked image must match the original partition boundaries and checksum algorithm (often CRC32 or custom XOR).

Some older firmware versions do not verify signatures. On newer versions, hardware-backed secure boot prevents unsigned code. Attackers use serial console (UART) or flash programmer to directly write modified flash contents.

6. Known Vulnerabilities (CVE Examples)

| CVE | Description |
|-----|-------------|
| CVE-2020-10101 | Command injection in web interface (ZTE H2640) |
| CVE-2020-10102 | Hardcoded backdoor credentials |
| CVE-2019-3412 | Buffer overflow in DHCP client |

    # Extract firmware
    binwalk -Me firmware.bin
    mksquashfs squashfs-root/ new.sqsh -comp lzma

Flash via U-Boot (serial)

    tftp 0x80000000 custom.bin; nand erase 0x200000 0x600000; nand write 0x80000000 0x200000 0x600000

Enable telnet (persistent)

    echo "/usr/sbin/telnetd -l /bin/sh &" >> /etc/rc.local
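The binwalk listing reports a 64-byte uImage header at offset 0, and the repacking note says the image must match the original checksum algorithm. The following is an added example, not code from the original page or from ZTE: it checks the two CRC32 fields of a legacy U-Boot uImage and shows why a trusted digest is still needed. It assumes the standard legacy header layout; the sample image, its field values and the function names are constructed for illustration.

```python
import hashlib
import struct
import zlib

UIMAGE_MAGIC = 0x27051956      # legacy U-Boot image magic
HEADER_FMT = ">7I4B32s"        # big-endian: 7 words, 4 bytes, 32-byte name
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 64 bytes, as binwalk reports


def build_uimage(payload: bytes, name: bytes = b"constructed-sample") -> bytes:
    """Build a constructed legacy uImage (sample data only, not a real ZTE image)."""
    # os=5 (Linux), arch=5 (MIPS), type=2 (kernel), comp=3 (LZMA): assumed values
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), 0x80000000, 0x80000000,
              zlib.crc32(payload), 5, 5, 2, 3, name]
    fields[1] = zlib.crc32(struct.pack(HEADER_FMT, *fields))  # CRC with hcrc=0
    return struct.pack(HEADER_FMT, *fields) + payload


def check_uimage(image: bytes) -> str:
    """Return 'ok' or the first integrity problem found in a legacy uImage."""
    if len(image) < HEADER_LEN:
        return "truncated header"
    magic, hcrc, _t, size, _load, _ep, dcrc, *_rest = struct.unpack(
        HEADER_FMT, image[:HEADER_LEN])
    if magic != UIMAGE_MAGIC:
        return "bad magic"
    # The header CRC is computed with its own field zeroed.
    zeroed = image[:4] + b"\x00" * 4 + image[8:HEADER_LEN]
    if zlib.crc32(zeroed) != hcrc:
        return "header CRC mismatch"
    data = image[HEADER_LEN:HEADER_LEN + size]
    if len(data) != size:
        return "truncated payload"
    if zlib.crc32(data) != dcrc:
        return "data CRC mismatch"
    return "ok"


def matches_reference(image: bytes, reference_sha256: str) -> bool:
    """CRC32 is not authentication: compare against a trusted digest as well."""
    return hashlib.sha256(image).hexdigest() == reference_sha256


if __name__ == "__main__":
    good = build_uimage(b"constructed kernel bytes")
    ref = hashlib.sha256(good).hexdigest()   # stands in for a vendor-published hash
    corrupt = good[:-1] + bytes([good[-1] ^ 0xFF])
    rebuilt = build_uimage(b"constructed kernel bytes, altered")
    print(check_uimage(good), matches_reference(good, ref))
    print(check_uimage(corrupt))
    print(check_uimage(rebuilt), matches_reference(rebuilt, ref))
```

The CRC fields catch accidental corruption only; an image whose contents differ but whose CRCs were recomputed still returns "ok", which is why the digest comparison (or a signature check in the boot chain) is the control that matters.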


Each gate of a 74c14 is capable of delivering up to 20mA with a 12v supply, 15mA with a 9v supply and 10mA with a 5v supply. A buffer transistor can be used to increase the output current if needed. 
Fig: 7 shows how a buffer transistor is connected to the output of a gate:


The voltage and current (called the "supply") for the 6 gates in a 74c14 comes from pin 14. The ground pin for the chip is pin 7. Each gate on a circuit diagram is normally shown without the power rails. It is understood they are present.
Fig: 8 shows the power rails for a 74c14 and the individual gates:
 


HOW A GATE WORKS
The next diagram (it is a repeat of Fig: 4 above) shows how the output of a Schmitt gate jumps from HIGH-to-LOW and LOW-to-HIGH as the input voltage rises and falls:


The output of a Schmitt Trigger gate is the opposite of the input. When the input is LOW, the output is HIGH.
As the input rises to 66% of rail voltage, the output instantly goes LOW and the input has to fall to 33% of rail voltage for the output to go HIGH. 
The gap between 33% and 66% is called the HYSTERESIS GAP and this has been specially designed so that the input does not detect small fluctuations.


Fig: 9 shows a voltage being applied to the Schmitt gate. The voltage is 55% of rail and this is not sufficient to change the output: 


The following figure shows a normal gate. It changes when the input rises above about 53% of rail voltage and changes back when the input falls below 47%.


The following diagram shows the very small gap for a normal chip, where the output jumps from HIGH-to-LOW in an uncontrolled manner:


Here's the secret of a Schmitt gate: Any noise (up to 60%) entering a Schmitt Trigger will not alter the condition of the gate. Any noise up to 55% entering a normal gate will change the output:


There is one other problem with a normal gate. When the input is in the range of about 47% to 53%, the output goes high/low very rapidly. This is called the INTERMEDIATE ZONE and the output does not know if it should be HIGH or LOW. 
Fig: 10 shows the input voltage varying in this intermediate zone and the output fluctuating very rapidly:


Even a fixed voltage in the intermediate zone will cause the output to fluctuate:


This is due to the high gain of the amplifier in the gate and it does not know if the output should be high or low.  It is essential for the input voltage to pass through this zone very quickly to prevent the gate "oscillating."
The output will only fluctuate when the input voltage is rising slowly or sits in the zone, as it takes a short period of time for the gate to start oscillating. 
For this reason a normal gate is not suitable for low frequency (slow-rising waveforms).
The Schmitt gate does not have this problem. 
If the voltage on the input of a Schmitt Trigger rises very slowly, the output changes at 66% and it will only change back to its original state when the voltage drops to 33% of rail voltage. At no time does the gate self-oscillate. This is one of the advantages of the Schmitt Trigger. 

Fig: 12 shows how a Schmitt gate can be considered to be similar to a common-emitter NPN transistor:


The similarity is only approximate and you can see the general operation of each circuit has some similarities. It is important to note that the two circuits cannot be interchanged without modifying the surrounding components. 

SWITCH DEBOUNCE
A Schmitt gate can be used to eliminate noise from a switch.  When any type of mechanical switch is closed, the contacts "bounce" due to the dirt and an oxide coating on the contacts and this puts noise on the line. Sometimes this noise is seen as additional pulses by high-speed digital circuits with the result of "false-counting." The Schmitt gate circuit below prevents multiple pulses from being passed to a circuit:


SIGNAL CONDITIONING
The Schmitt Trigger can be used to improve the quality of a signal by speeding up the rise and fall times. The rise and fall time is called the TRANSITION TIME. The Schmitt trigger will reshape a waveform into a square wave. 
It will also convert a SINEWAVE or ANALOGUE waveform to a SQUAREWAVE. 
Any form of improving a signal to a square wave is called SIGNAL CONDITIONING.
This is also called RISE-TIME improving. The Schmitt Trigger produces a fast-switching digital output suitable for edge triggering.
Fig: 14 shows waveforms improved by a Schmitt Trigger.  Only excursions above 66% will appear in the output:


SWITCHING THRESHOLD 
The SWITCHING THRESHOLD is the point where a signal changes logic states. 
A Schmitt Trigger has two thresholds - or TRIP POINTS. A positive going threshold (Vt+) and a negative going threshold (Vt-). 
The positive going threshold is also called the UPPER THRESHOLD and occurs at 66% of rail voltage. The LOWER THRESHOLD occurs at 33% rail voltage. 
The difference between the two thresholds is called the HYSTERESIS ZONE.
A signal will not change the state of the gate until it passes the positive going threshold. A high signal that enters the Hysteresis Zone will not change the state of the gate until it reaches the negative going threshold.
Besides preventing unwanted oscillation, the Hysteresis Zone also provides noise immunity.
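The two trip points and the noise immunity described above can be seen in a short simulation. This is an added example, not part of the original course page: it feeds the same slow, noisy ramp into an inverting gate with the Schmitt thresholds (66% and 33%) and into one with the narrow gap given for a normal gate (53% and 47%), then counts output changes. The noisy ramp is a constructed input and the function names are this example's own.

```python
HIGH, LOW = 1, 0


def inverting_gate(samples, upper, lower):
    """Inverting gate with hysteresis; samples are fractions of rail voltage."""
    out, state = [], HIGH          # input starts low, so the output starts HIGH
    for v in samples:
        if state == HIGH and v >= upper:
            state = LOW            # positive-going threshold (Vt+) reached
        elif state == LOW and v <= lower:
            state = HIGH           # negative-going threshold (Vt-) reached
        out.append(state)
    return out


def transitions(outputs):
    """Count how many times the output changes state."""
    return sum(1 for a, b in zip(outputs, outputs[1:]) if a != b)


def noisy_ramp(steps=200, noise=0.05):
    """Constructed input: slow 0..1 ramp with +/-noise alternating each sample."""
    return [i / (steps - 1) + (noise if i % 2 == 0 else -noise)
            for i in range(steps)]


def compare():
    """Return (Schmitt transitions, normal-gate transitions) for the same input."""
    ramp = noisy_ramp()
    schmitt = inverting_gate(ramp, upper=0.66, lower=0.33)
    normal = inverting_gate(ramp, upper=0.53, lower=0.47)
    return transitions(schmitt), transitions(normal)


if __name__ == "__main__":
    s, n = compare()
    print(f"Schmitt gate output changes: {s}")
    print(f"Normal gate output changes:  {n}")
```

The Schmitt gate switches once as the ramp passes the upper threshold, while the narrow-gap gate chatters for as long as the noise straddles its two thresholds.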

THE 4093 IC
Another common Schmitt Trigger IC is the 4093. This is a Quad 2-Input Schmitt Trigger.


The CD 4093 is sometimes used for its gating capability. One of the inputs of the gate can be used to turn the gate on and off. This is called GATING. This feature can be achieved with a single-input Schmitt Trigger with a diode. This allows the 74c14 IC to be used. 
Fig: 16 shows how to substitute a 4093 NAND gate for a single-input gate:



SUBSTITUTING THE 555
The 555 can be replaced by the 74c15 in almost every case, with the advantage of lower quiescent current and the availability of 6 building blocks. The 74c14 Schmitt gate is comparable with the 7555 (the CMOS version of the 555).
Fig 17 shows a 10 MINUTE TIMER. The circuit is also called a DELAY circuit:


The 555 is replaced by a Schmitt gate and a transistor to provide the drive-current:


SUMMARY
A Schmitt Trigger is a bistable (two-state) device used to square-up waveforms with slow rise and fall times. The most common applications are THRESHOLD DETECTION and SIGNAL CONDITIONING. Speeding up the TRANSITION (rise and fall) time affects the shape of the waveform, turning poor signals into reliable waveforms capable of driving digital ICs.
The THRESHOLD DETECTION feature will prevent signals with insufficient amplitude (such as noise) from activating the clock lines of digital chips.


See Page 76 for more discussion on the Hex Schmitt Trigger
