Author Topic: EEVblog #1144 - Padauk Programmer Reverse Engineering  (Read 60470 times)

0 Members and 1 Guest are viewing this topic.

Offline js_12345678_55AA

  • Regular Contributor
  • *
  • Posts: 177
  • Country: ht
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #350 on: January 07, 2019, 10:22:19 am »
Hi,

Thanks @FrankBuss for the new captures and @tim_ for having a look at them. This confirms our previous findings of VDD/VPP sequence, CLK/DAT usage and some of the deciphered commands (READ/WRITE).
The only difference is that PMC150 just uses 12 bit address and 13 bit program words and that IC_DAT_IN and IC_DAT_OUT might be 2 different pins instead of 1 shared pin on PFS154.

JS

BTW: @tim_ (cpldcpu): Do you think it is ok to claim that this all your own work, based on captures from FrankBuss?
from page 2: > All of this work is solely based on analyzing datalogs of the programming sequence as provided here: https://www.eevblog.com/forum/blog/eevblog-1144-padauk-programmer-reverse-engineering/msg2096917/#msg2096917
Maybe next time you could also mention the work of the eevblog forums community members.
Easy PDK programmer and more: https://free-pdk.github.io
 

Offline js_12345678_55AA

  • Regular Contributor
  • *
  • Posts: 177
  • Country: ht
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #351 on: January 07, 2019, 10:48:37 am »

The different programming voltages shouldn't be a problem. The circuit diagram from @oPossum looks good, the ALM2402 can drive up to 400 mA, so maybe no external transistor amplifier is even needed. But it has only a gain bandwidth of 600 kHz, maybe would be good to use some additional 4051 for the high frequency data lines. Could be all controlled with a cheap Arduino nano, and a simple Python script to control it and send the programming file over serial port.

I wonder why they do all these tests. I guess they don't do much tests when they produce the ICs? So far I've used about 20 PMS150C for testing, programming little things etc. One IC was not programmable. Might be a good idea if a DIY programmer would do all the verifies at different voltage levels etc. as well.

Over the weekend I spent some time with a friend to create a simple and cheap programmer schematic based on all the suggestions from this thread :):
- we did it as an experiment to use only free tools and the cheap supply chain from LCSC / JLPCB
- so we used EASY-EDA with LCSC parts and plan to use JLPCB (they all belong together)
- PCB + all parts will be around $5
- the programmer does not require an external power supply (it creates +15V from USB)
- it uses a STM32F072 which has 2x 12 bit DAC outputs to generate reference voltage for VDD and VPP which are then supplied to an opamp
- stability and level of the output voltages is measured with 2 ADC channels and can be tuned live
- for input/output to IC, 5 volt tolerant pins are used on STM32F072 (max. 5.5V)
- after checking programing of several different IC types we are pretty sure that DAT from IC to WRITER never exceeds VDD and max VDD we saw was 5.6V (no level shifter required)

What do you think?

Have fun,

JS
Easy PDK programmer and more: https://free-pdk.github.io
 
The following users thanked this post: oPossum

Offline FrankBuss

  • Supporter
  • ****
  • Posts: 2256
  • Country: de
    • Frank Buss
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #352 on: January 07, 2019, 11:37:01 am »
The STM32 does only output 3.3V. It might work, but would be better to use a 4053, costs only 35 cent (probably cheaper at LCSC) and has 3 switches, with which you could select VDD or GND for the data lines. Maybe there are even low cost multi channel voltage converters, but you can get the 4053 everywhere. If it works with 5 V for VDD, then at least you don't need extra ICs when the IC sends data back, because the IOs of the STM32 are 5 V tolerant. But they might might not like the 6.5 V we've seen with the PMS150C. With your current schematic it is possible to set a higher voltage on VDD. Always good to design a circuit in a way that no matter how buggy the firmware is, the hardware doesn't get destroyed :)
So Long, and Thanks for All the Fish
Electronics, hiking, retro-computing, electronic music etc.: https://www.youtube.com/c/FrankBussProgrammer
 

Offline socram

  • Regular Contributor
  • *
  • Posts: 62
  • Country: es
    • Totodile!
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #353 on: January 07, 2019, 11:40:40 am »
I'm not sure using a STM32 is the best option if it's designed to be hand assembled by hobbyists. TSOP aren't particularly friendly.
 

Offline FrankBuss

  • Supporter
  • ****
  • Posts: 2256
  • Country: de
    • Frank Buss
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #354 on: January 07, 2019, 12:18:00 pm »
I'm not sure using a STM32 is the best option if it's designed to be hand assembled by hobbyists. TSOP aren't particularly friendly.

It is a LQFP package. For me it is easier and faster to solder than DIP packages. @EEVblog did a video about it:

So Long, and Thanks for All the Fish
Electronics, hiking, retro-computing, electronic music etc.: https://www.youtube.com/c/FrankBussProgrammer
 

Offline ali_asadzadeh

  • Frequent Contributor
  • **
  • Posts: 867
  • Country: ir
    • ASiD Designer
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #355 on: January 07, 2019, 12:28:25 pm »
STM32 is fine, but maybe a STMF0 or STMF1 would cost even lower! ;)
You can order parts from www.ASiDesigner.com
we are a wire-based company
 

Offline js_12345678_55AA

  • Regular Contributor
  • *
  • Posts: 177
  • Country: ht
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #356 on: January 07, 2019, 12:29:49 pm »
The STM32 does only output 3.3V. It might work, but would be better to use a 4053, costs only 35 cent (probably cheaper at LCSC) and has 3 switches, with which you could select VDD or GND for the data lines. Maybe there are even low cost multi channel voltage converters, but you can get the 4053 everywhere. If it works with 5 V for VDD, then at least you don't need extra ICs when the IC sends data back, because the IOs of the STM32 are 5 V tolerant. But they might might not like the 6.5 V we've seen with the PMS150C. With your current schematic it is possible to set a higher voltage on VDD. Always good to design a circuit in a way that no matter how buggy the firmware is, the hardware doesn't get destroyed :)

Hi,

from datasheet of STM32F072:  5 volt tolerant pin VMax = VDDIO + 4.0 V,  VDDIO = 3.3V ==> absolute maximum is 7.3 volt.

So should be no problem. Right ?

JS
Easy PDK programmer and more: https://free-pdk.github.io
 

Offline FrankBuss

  • Supporter
  • ****
  • Posts: 2256
  • Country: de
    • Frank Buss
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #357 on: January 07, 2019, 12:46:42 pm »
from datasheet of STM32F072:  5 volt tolerant pin VMax = VDDIO + 4.0 V,  VDDIO = 3.3V ==> absolute maximum is 7.3 volt.

So should be no problem. Right ?

This is for the absolute maximum ratings, which means the IC might not get damaged if below, but I wouldn't use this as a limit. In the table "general operation condition" the max value for the FT (5 V tolerant) pins is 5.5 V. And I'm not sure, if both conditions must be met, which would mean you can use VDDIO+4V, unless it is below 5.5 V. Might be worth to ask ST, they have a good customer support.
So Long, and Thanks for All the Fish
Electronics, hiking, retro-computing, electronic music etc.: https://www.youtube.com/c/FrankBussProgrammer
 

Offline socram

  • Regular Contributor
  • *
  • Posts: 62
  • Country: es
    • Totodile!
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #358 on: January 07, 2019, 12:51:20 pm »
You can just use two clamping diodes with low Vf from the data pins to VCC along with some low-value (100ohm) current-limiting resistors to ensure it never goes above the limit.

The STM already has such clamping diodes inside the MCU but I'm not sure if I'd trust them for other than short transients.
 

Offline FrankBuss

  • Supporter
  • ****
  • Posts: 2256
  • Country: de
    • Frank Buss
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #359 on: January 07, 2019, 01:01:21 pm »
Why a low resistor? I think something like attached would work perfectly, but might be not needed, if 5 V for VDD works.

Edit: for the bidirectional pins, you might need a 4052 to select VDD, GND and open or pullup.
« Last Edit: January 07, 2019, 01:03:50 pm by FrankBuss »
So Long, and Thanks for All the Fish
Electronics, hiking, retro-computing, electronic music etc.: https://www.youtube.com/c/FrankBussProgrammer
 

Offline socram

  • Regular Contributor
  • *
  • Posts: 62
  • Country: es
    • Totodile!
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #360 on: January 07, 2019, 01:11:53 pm »
Lower values means faster transitions and less ringing on the data lines. I always prefer to use the lowest value possible, just to ensure funny things doesn't happen because of that ringing. It's a bit too low specially since I realized it's 3.3V and then it'll be sinking more than the 20mA recommended by the STM datasheet.

10kOhm could work, that's the recommended value for 100kHz I2C buses. I'm guessing programming them at 100kHz is good enough.
 

Offline electronic_eel

  • Regular Contributor
  • *
  • Posts: 187
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #361 on: January 07, 2019, 03:24:06 pm »
I think something like attached would work perfectly, but might be not needed, if 5 V for VDD works.
I think your solution with the 4053 is a good idea.

But the 5V supply is directly from the VUSB. There are often polyfuses in the USB host port, wire resistance,... in the way, so VUSB is often more like 4.6V oder 4.5V in the end. While true 5V might work, I fear the lower real voltage won't.

So why not use a small linear regulator with variable output voltage, like an 1117-ADJ, to create the Vdd for the 4053 out of the 15V from the boost regulator? Then you can set the necessary voltage with a voltage divider. A cheap regulator that should work, available from LCSC, would be for example the MET1117FB3G. Others are available too, but some don't allow 15V input voltage.
 

Offline js_12345678_55AA

  • Regular Contributor
  • *
  • Posts: 177
  • Country: ht
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #362 on: January 07, 2019, 04:00:16 pm »
Hi,

When I checked STM32F072 was cheapest option:
LCSC:
 STM32F072C8T6: 1+ €1.2514, 10+ €1.2096, 100+ €1.0841
 STM32F103C8T6: 1+ €1.8233, 10+ €1.3186, 30+ €1.2260

Considering that the PADAUK IC can be operated with 2.0 V I don't know how the above mentioned circuit from FrankBuss would perform with lower 1 voltage levels.

I'm not sure how to enable/disable individual pins of the output level shifter to stop outputting 0 or 1 when the pins are in input mode for writer. ? ? ?

A level shifter can use the same VDD which is supplied to PADAUK IC.

JS
Easy PDK programmer and more: https://free-pdk.github.io
 

Offline spth

  • Regular Contributor
  • *
  • Posts: 78
  • Country: de
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #363 on: January 07, 2019, 04:42:36 pm »
But the 5V supply is directly from the VUSB. There are often polyfuses in the USB host port, wire resistance,... in the way, so VUSB is often more like 4.6V oder 4.5V in the end. While true 5V might work, I fear the lower real voltage won't.

The USB standard allows voltages down to 4.4V at the device side end of the cable. So any programmer powered from USB should be able to deal with that.

Philipp
 

Offline FrankBuss

  • Supporter
  • ****
  • Posts: 2256
  • Country: de
    • Frank Buss
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #364 on: January 07, 2019, 04:52:34 pm »
I'm not sure how to enable/disable individual pins of the output level shifter to stop outputting 0 or 1 when the pins are in input mode for writer. ? ? ?

You could use a 4051, cheap at LCSC:

https://lcsc.com/product-detail/4000-Series_NXP_HEF4051BT_HEF4051BT_C11351.html

You would need one 4051 per logic pin on the Padauk IC. You could then select 4 different things: VDD, GND, pullup to VDD and pulldown to GND. Would need 2 output pins from the STM32 and one input pin with the previous circuit with the resistor and diode to sense the voltage when the Padauk IC is sending back information, for each logic pin of the Padauk IC. It is no problem to switch voltages down to 2 V would work up to 15 V. But if it goes down to 2 V, the power supply for the IC would still need 3 V. So I would connect VDD of the 4053 to 15 V.

I guess only the VDD, pullup and GND would be needed, because the analysis from tim showed that the small pin count Padauk ICs like the PMS150C pulls down bidirectional lines, and the higher count ICs might use dedicated pins for in/out and no bidirectional pins. But this could be used to program chips from other manufacturers as well, where it might be useful to switch it to a pulldown resistor.
So Long, and Thanks for All the Fish
Electronics, hiking, retro-computing, electronic music etc.: https://www.youtube.com/c/FrankBussProgrammer
 

Offline tim_

  • Regular Contributor
  • *
  • Posts: 80
  • Country: de
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #365 on: January 07, 2019, 05:00:57 pm »
BTW: @tim_ (cpldcpu): Do you think it is ok to claim that this all your own work, based on captures from FrankBuss?
from page 2: > All of this work is solely based on analyzing datalogs of the programming sequence as provided here: https://www.eevblog.com/forum/blog/eevblog-1144-padauk-programmer-reverse-engineering/msg2096917/#msg2096917
Maybe next time you could also mention the work of the eevblog forums community members.

I think I should have been more clear in outlining the purpose of the disclaimer on page 2. I added it to emphasize that this is a clean room analysis of the protocol that is based only on behavioral observation and not on code reverse engineering. The latter may be illegal in some countries. I doubt Padauk cares much, but better safe than sorry. I would not like to see anyones effort be targeted by a C&D. It cleary was not meant to credit or discredit anyone.

JS, your work is extremely appreciated and this would have not been possible without yours and others prior work.

I update the wording on the slides a bit to avoid further confusion.
« Last Edit: January 07, 2019, 07:14:28 pm by tim_ »
 
The following users thanked this post: js_12345678_55AA

Offline FrankBuss

  • Supporter
  • ****
  • Posts: 2256
  • Country: de
    • Frank Buss
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #366 on: January 07, 2019, 05:16:47 pm »
Hi,

When I checked STM32F072 was cheapest option:
LCSC:
 STM32F072C8T6: 1+ €1.2514, 10+ €1.2096, 100+ €1.0841
 STM32F103C8T6: 1+ €1.8233, 10+ €1.3186, 30+ €1.2260


I guess Padauk looked at the same price list, because the original programmer uses a STM32F072 as well  :)



And it uses a few 4051, so maybe similar ideas which I have, but interestingly a 4066 CMOS switch, too:



The markings for the chip on the right side are difficult to read, I can't see it, but might be another of these multiplexers/switches:



PS: With a 4051, and switching to pullup, pulldown, VDD and GND, and in combination with regulated VDD and using the STM32 pins in analog input mode, it wouldn't be difficult to implement the open/close functionality in software.
« Last Edit: January 07, 2019, 05:18:42 pm by FrankBuss »
So Long, and Thanks for All the Fish
Electronics, hiking, retro-computing, electronic music etc.: https://www.youtube.com/c/FrankBussProgrammer
 

Offline tim_

  • Regular Contributor
  • *
  • Posts: 80
  • Country: de
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #367 on: January 07, 2019, 05:33:20 pm »
How about an Arduino based programmer?  :D
 

Offline js_12345678_55AA

  • Regular Contributor
  • *
  • Posts: 177
  • Country: ht
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #368 on: January 07, 2019, 05:42:13 pm »
PS: With a 4051, and switching to pullup, pulldown, VDD and GND, and in combination with regulated VDD and using the STM32 pins in analog input mode, it wouldn't be difficult to implement the open/close functionality in software.

Hi,

I'm not sure if the analog input is fast enough. If you use 14MHz analog clock and 1.5 analog clock cycles for conversion the result is very noisy. You start to get good results at 70+ cycles.

Today I will do some experiments to get WRITE working without a level shifter and check the result. I will use several voltages for VDD and check at which voltage the STM gets damaged. Then we can decide if lower part count or more stability is the way to go.
Adding several 4051 will use a lot of board space which I wanted to keep small initially.

JS
Easy PDK programmer and more: https://free-pdk.github.io
 

Offline js_12345678_55AA

  • Regular Contributor
  • *
  • Posts: 177
  • Country: ht
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #369 on: January 07, 2019, 05:43:13 pm »
I update the wording on the slides a bit to avoid further confusion.

All is fine. Big hug!

JS
Easy PDK programmer and more: https://free-pdk.github.io
 
The following users thanked this post: tim_

Offline electronic_eel

  • Regular Contributor
  • *
  • Posts: 187
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #370 on: January 07, 2019, 06:25:15 pm »
Adding several 4051 will use a lot of board space which I wanted to keep small initially.
I can understand that.

How about a solution with simple discrete mosfets like in the attached schematic?

Simple mosfet like BSS138 and BSS84 cost less than 2 cent at LCSC and allow +-20V Vgs without damage. They also switch low currents reliably at 3.3Vgs. They are in SOT-23, that doesn't take much space and is easy to solder. You can also get them in SOT-323 or two mosfets in one SOT-23-6 / SOT-323-6, but these are a few cents more.

You'd need 3 pins on the STM32 for each pin on the PADAUK, but I think the LQFP-48 of the STM32 has enough pins to spare.
« Last Edit: January 07, 2019, 06:30:45 pm by electronic_eel »
 

Offline DocBen

  • Regular Contributor
  • *
  • Posts: 111
  • Country: de
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #371 on: January 07, 2019, 06:29:53 pm »
Hi,

When I checked STM32F072 was cheapest option:
LCSC:
 STM32F072C8T6: 1+ €1.2514, 10+ €1.2096, 100+ €1.0841
 STM32F103C8T6: 1+ €1.8233, 10+ €1.3186, 30+ €1.2260


You do know that a whole board with STM32F103C8T6 can be had for $1.60 shipping included? Ready to run with arduino.

https://de.aliexpress.com/item/STM32F103C8T6-ARM-STM32-Minimum-System-Development-Board-Module-Forarduino/32342717171.html

Maybe create just a shield for that?
 

Offline electronic_eel

  • Regular Contributor
  • *
  • Posts: 187
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #372 on: January 07, 2019, 06:34:44 pm »
You do know that a whole board with STM32F103C8T6 can be had for $1.60 shipping included?
The STM32F103C8T6 doesn't have DACs, the STM32F072 has. You'd need to use PWM with feedback which makes reaching the desired voltages much slower.

 

Offline ali_asadzadeh

  • Frequent Contributor
  • **
  • Posts: 867
  • Country: ir
    • ASiD Designer
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #373 on: January 07, 2019, 06:43:39 pm »
Some ideas can be captured from j-link, especially the clone ones! us normal 74HC series to do the conversion and level shifting,it's cheap also ;)
You can order parts from www.ASiDesigner.com
we are a wire-based company
 

Offline socram

  • Regular Contributor
  • *
  • Posts: 62
  • Country: es
    • Totodile!
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #374 on: January 07, 2019, 06:55:37 pm »
How about an Arduino based programmer?  :D
That would be much easier, easily built in a breadboard and protoboard with only DIP parts, and it's probably the way I'm gonna try doing this.

My idea so far is using an external 12V supply for now (maybe later upgrade it to a SMPS feeding from the USB 5V), and use a few linear regulators with resistors for stepping down to a few preset voltages. It'll be a while until I try it though however, I still haven't even put the order for the PFS154 parts lol.
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf