Author Topic: EEVblog #1144 - Padauk Programmer Reverse Engineering  (Read 391303 times)

0 Members and 3 Guests are viewing this topic.

Offline tim_

  • Regular Contributor
  • *
  • Posts: 237
  • Country: de
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #375 on: January 07, 2019, 07:05:10 pm »
Well, you could use a very simple boost converter that is driven by a PWM output of a microcontroller... Seems to work well.

Note that VPP can be controlled by the frequency and duty cycle of V1. No need for a DAC and OPAMP.


« Last Edit: January 07, 2019, 07:23:12 pm by tim_ »
 

Offline DocBen

  • Regular Contributor
  • *
  • Posts: 111
  • Country: de
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #376 on: January 07, 2019, 07:22:32 pm »
You do know that a whole board with STM32F103C8T6 can be had for $1.60 shipping included?
The STM32F103C8T6 doesn't have DACs, the STM32F072 has. You'd need to use PWM with feedback which makes reaching the desired voltages much slower.

The board has more than enough IO pins > 30 if i rember correctly.
We already concluded that VDD only needs .1 V steps over the range from 2 to 5.6V thats ~ 6 pins necessary. Vpp can be very coarse from 5.6 to 12 V lets say 3 pins.
Feedback by analog converter is only needed once (on startup for example) to save on precision resistors.
 

Offline DocBen

  • Regular Contributor
  • *
  • Posts: 111
  • Country: de
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #377 on: January 07, 2019, 07:28:19 pm »
FWIW I started building and successfully tested a charge pump / PWM based voltage supply for both Vdd and Vpp with feedback by ADC on an arduino.
Its to slow to work without transistors to switch the supplies on/off but otherwise works quite nicely. Even with a simple breadboard.
 

Offline tim_

  • Regular Contributor
  • *
  • Posts: 237
  • Country: de
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #378 on: January 07, 2019, 07:50:06 pm »
FWIW I started building and successfully tested a charge pump / PWM based voltage supply for both Vdd and Vpp with feedback by ADC on an arduino.
Its to slow to work without transistors to switch the supplies on/off but otherwise works quite nicely. Even with a simple breadboard.

A charg pump or boost converter? Note that in both cases your could use a (software-) PD controller to speed up the step response significantly.
 

Offline DocBen

  • Regular Contributor
  • *
  • Posts: 111
  • Country: de
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #379 on: January 07, 2019, 07:55:09 pm »
A charg pump or boost converter? Note that in both cases your could use a (software-) PD controller to speed up the step response significantly.

charge pump with I should say trivial software right now, however the problem is getting from 0 to target voltage which takes ~ 50 ms I think and thats something a pd controller cant help with ;)
Thats why I just switch the output.
« Last Edit: January 07, 2019, 07:57:12 pm by DocBen »
 

Offline tim_

  • Regular Contributor
  • *
  • Posts: 237
  • Country: de
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #380 on: January 08, 2019, 11:35:53 pm »
I had some success with a programmer based on an Arduino Nano, see image. It is using a simple boost converter that is controlled by a PWM output and monitored with the integrated ADC, similar to the PIC programmer that someone linked earlier in this thread. You can find the actual circuit I use in the LTspice simulation I posted above. The PWM duty cycle can be used to control VPP between 4.3V and >12V. VCC is directly connected to a GPIO, so VCC is always 5V. MISO/MOSI/SCLK are directly connected to GPIO.

What works:
  • Reading ID
  • Reading memory
  • Writing to memory

See below for a log. The cells below <0x40 have been writte to by the programmer. Device is a PMS150C, btw.

Open:
- The control of the boost converter is not optimzed yet. By using a closed loop controller it should be possible to improve settling time.
- It appears that data needs to be written twice. I am not sure whether this is some kind of initialization issue or whether VCC needs to be increased to 6V as in the original programmer for more reliable programming.
- I have not tested writing actualy code to the device.

I noticed some oversights in my earlier analysis, which have been corrected in the attached pdf.

I also attached a part of the source, for reference. It's basically only some disconnected routines with prinft debugging.. What is still completly missing is the interaction with a host computer, so this is still very far from a proper programmer.



Code: [Select]
Initializing...
DeviceID: A16   Vpp Standby: 376
Dumping memory...
Vpp read mode: 547
0000: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
0010: 01AA 0155 1FFF 1FFF 1A5A 15A5 1FFF 1FFF 1A5A 15A5 1A5A 15A5 1FFF 1FFF 1FFF 1FFF
0020: 1A5A 15A5 1A5A 15A5 1A5A 15A5 1A5A 15A5 1A5A 15A5 1A5A 15A5 1A5A 15A5 1A5A 15A5
0030: 1A5A 15A5 1A5A 15A5 1A5A 15A5 1A5A 15A5 1A5A 15A5 1A5A 15A5 1A5A 15A5 1A5A 15A5
0040: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
0050: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
0060: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
0070: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
0080: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
0090: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
00A0: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
00B0: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
00C0: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
00D0: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
00E0: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
00F0: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
0100: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
0110: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
0120: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
0130: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
0140: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
0150: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
0160: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
0170: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
0180: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
0190: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
01A0: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
01B0: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
01C0: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
01D0: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
01E0: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
01F0: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
0200: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
0210: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
0220: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
0230: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
0240: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
0250: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
0260: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
0270: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
0280: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
0290: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
02A0: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
02B0: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
02C0: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
02D0: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
02E0: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
02F0: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
0300: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
0310: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
0320: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
0330: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
0340: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
0350: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
0360: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
0370: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
0380: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
0390: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
03A0: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
03B0: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
03C0: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
03D0: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
03E0: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF
03F0: 1FFF 1FFF 1FFF 1FFF 1FFF 1FFF 018A 1FFF 1FFF 1FFF 1FFF 1FFF 0FFF 1FFF 1FFF 0FFD
Writing to memory...
Vpp initial: 541        PWM: 10
Vpp write mode: 792     PWM: 42
Vpp after writing: 793
Vpp off: 396

« Last Edit: January 08, 2019, 11:38:14 pm by tim_ »
 
The following users thanked this post: js_12345678_55AA

Offline js_12345678_55AA

  • Frequent Contributor
  • **
  • Posts: 337
  • Country: ht
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #381 on: January 09, 2019, 12:02:22 pm »
Thanks for your findings and implementation.  :clap:

In fact it matches my experiments but for some reason it does not work on PFS154 yet. After I converted my project to support also the small 13 bit devices I was able to program PMC150 immediately like you did.
So only the shared DAT pin for input and output on PFS154 still troubles me a bit.

JS

EDIT: What you call "Device-ID" seems to be the "ACK" we seen on PFS154.
on PFS154:

after a command is sent you need to send some dummy clocks (4) for the IC to process the command
-> maybe some more clocks are required on PMC150 which you call "dummy write"
then direction changes and and ACK is sent back (12 bit): 0xAA1
-> maybe on PMC150 it is 0xA1
then again a dummy clock is required before you can start sending data
-> maybe the "6" is just garbage since only 4 dummy clocks are needed.

« Last Edit: January 09, 2019, 01:54:44 pm by js_12345678_55AA »
Easy PDK programmer and more: https://free-pdk.github.io
 

Offline js_12345678_55AA

  • Frequent Contributor
  • **
  • Posts: 337
  • Country: ht
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #382 on: January 09, 2019, 12:41:28 pm »
Hi,

I made some progress on the "easy pdk prog" programmer.

Based an the suggestions from you I added the transistor solution to shift the logic output voltage of the STM32.

I also created a PCB and sent the Gerber production files to JLPCB. They will manufacture 10 pcs for USD 2.00  :)
All the parts can be ordered from LCSC so I was able to combine this 2 orders which usually reduces shipping cost.
But I also got a discount for first time order which eliminated shipping cost at all.  ;D

The PCB only uses one side for components for better assembly but the size is still very small: 58mm x 22mm (slightly larger than arduino nano).

Features:
 - USB powered device (no extra power supply)
 - variable and monitored IC VPP (0-15V) to support all models (OTP and flash)
 - variable and monitored IC VDD (0-6V) for calibration of Padauk IC
 - output voltage level shift to support communication with any IC VDD (up to 6 V)
 - extra 8 MHz oscillator for calibration of Padauk IC
 - 3 user LED to show status
 - 1 button to start operations from programmer directly

Price for PCB + components is also very attractive (depends on how many pcs. you want to make):
 1  pcs: PCB: $ 2.00 , BOM: $ 2.39   => $ 4.39
10 pcs: PCB: $ 2.00 , BOM: $ 19.78  => $ 2.19 / pcs

Now need to wait 9-14 days for the stuff to arrive.

JS

BTW: The only thing I miss in EasyEDA is the feature to show components on the 3D rendering of the PCB. Everything else was easy to learn and very intuitive. Great job from them.
« Last Edit: January 09, 2019, 12:51:50 pm by js_12345678_55AA »
Easy PDK programmer and more: https://free-pdk.github.io
 

Offline ali_asadzadeh

  • Super Contributor
  • ***
  • Posts: 1896
  • Country: ca
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #383 on: January 09, 2019, 01:00:02 pm »
The HT7991 that you have used, can boost to 12V, it can not make 15V, simply replace it with MT3608, it can go upto 28v and it's super cheap ;)
ASiDesigner, Stands for Application specific intelligent devices
I'm a Digital Expert from 8-bits to 64-bits
 

Offline lucas.hartmann

  • Contributor
  • Posts: 16
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #384 on: January 09, 2019, 01:15:59 pm »
Things are looking awesome on all fronts!

Just a couple suggestions on the pcb:
- maybe leave unpopulated target footprints on the back, so we can program the most common parts by holding against those.
- maybe add a few pin connectors to the sides of the usb for mechanical support. This would allow target sockets to be firmly mounted on a shield-like pcb on top/bottom of the programmer.

Enviado de meu SM-N910C usando o Tapatalk

 

Offline js_12345678_55AA

  • Frequent Contributor
  • **
  • Posts: 337
  • Country: ht
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #385 on: January 09, 2019, 01:40:23 pm »
The HT7991 that you have used, can boost to 12V, it can not make 15V, simply replace it with MT3608, it can go upto 28v and it's super cheap ;)

Great find. It also looks pin compatible and we can save $0.02 :)  I will test it.

Just a couple suggestions on the pcb:
- maybe leave unpopulated target footprints on the back, so we can program the most common parts by holding against those.
- maybe add a few pin connectors to the sides of the usb for mechanical support. This would allow target sockets to be firmly mounted on a shield-like pcb on top/bottom of the programmer.

This is just a test PCB. Usually the first try always contains some mistakes (wrong foot prints in library, bad component spacing, something not working as expected, ... ). But since it costs $ 2.00 only... so what :)

I really like the idea to put a SOT foot print. We only need to decided which part we want to support since pins do shift a lot between different IC. I would vote for the flash parts (PFS...) since they might be the most popular for hobbyists.

My plan was to use some of this SOT to DIP sockets and connect jumper wires for different types easily:
https://detail.tmall.com/item.htm?id=522621435705
https://www.aliexpress.com/item/SOP28-Adapter-Socket-DIP28-to-SOP16-SOP20-300mil-Chip-Programmer-20pin-Feet/32900927477.html


JS
Easy PDK programmer and more: https://free-pdk.github.io
 

Offline electronic_eel

  • Regular Contributor
  • *
  • Posts: 201
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #386 on: January 09, 2019, 02:37:07 pm »
My plan was to use some of this SOT to DIP sockets and connect jumper wires for different types easily:
https://detail.tmall.com/item.htm?id=522621435705
https://www.aliexpress.com/item/SOP28-Adapter-Socket-DIP28-to-SOP16-SOP20-300mil-Chip-Programmer-20pin-Feet/32900927477.html
Yes, I think something like this is cheap & conveniant and much more reliable than just a footprint to hold the ic against.

Regarding the different Padauk types and their footprints: Why not use exchangeable adapter pcbs like this:
- Take the 8 pins of your programmer board and solder pin header sockets on them
(like these: https://lcsc.com/product-detail/Female-Header_2-54mm-1-8P-Straight-Female-header_C27438.html)
- Make several small adapter pcbs which route the 8 programmer pins to the correct pin numbers of the Padauk-IC pinout you are targeting with this adapter pcb.
- The adapter pcb has pin header sockets on it in standard dip 2.54mm raster
- You plug one of the sockets linked above into the pin header sockets of the adapter pcb

That way you don't need to fiddle with jumper wires, you just have to plug in the correct adapter pcb. LCSC allows you to create panels with several different small pcbs in one 10x10cm pcb for the regular 2$ price. You just have to separate them with small milled slots and keep them together with tabs. So the programmer and adapter pcbs could be made together in one go without added cost.

BTW, as I'm mostly interested in the Padauks in SOT-23-6, does anybody know of a cheap SOT-23-6 adapter? The cheapest I could find were these
https://www.aliexpress.com/item//32851813673.html
https://www.aliexpress.com/item//32811278237.html
« Last Edit: January 09, 2019, 02:42:00 pm by electronic_eel »
 

Offline FrankBuss

  • Supporter
  • ****
  • Posts: 2365
  • Country: de
    • Frank Buss
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #387 on: January 09, 2019, 02:58:08 pm »
BTW, as I'm mostly interested in the Padauks in SOT-23-6, does anybody know of a cheap SOT-23-6 adapter? The cheapest I could find were these
https://www.aliexpress.com/item//32851813673.html
https://www.aliexpress.com/item//32811278237.html

Looks like a good price. When I bought the adapter from Padauk, they sold it for USD 30.

I think the idea with the header sockets is the best, like the PICkit. For in-circuit flash ICs, you could just add some pin headers on your board, or use pogo pins. And if you want to program it standalone, then you can make some custom boards for it, even with the adapters soldered on it.

BTW, with JLCPCB you can select "Panel By JLCPCB". If you have like a small adapter board which fits multiple times on a 10 cm x 10 cm board, they do the panelization for you, without additional cost. This way one adapter would cost $2, but you might get like 40 mini boards for it, enough for everyone following this thread :)
So Long, and Thanks for All the Fish
Electronics, hiking, retro-computing, electronic music etc.: https://www.youtube.com/c/FrankBussProgrammer
 

Offline DocBen

  • Regular Contributor
  • *
  • Posts: 111
  • Country: de
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #388 on: January 09, 2019, 03:08:08 pm »


Good job!

Regarding the pdf: on page 18 you write that the data is clocked out after the first write cycle and believe that its verification data.
I dont think so. The data comes from the internal shift register being used for SPI. The default value seems to be the device ID, after that the bits you shifted in are simply shifted out. Its very unlikely that this is intended for verification purposes.
 

Offline ali_asadzadeh

  • Super Contributor
  • ***
  • Posts: 1896
  • Country: ca
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #389 on: January 09, 2019, 03:46:11 pm »
Regarding the IC adapters, if the chips can be in circuit programmed, then they are useless ;D
ASiDesigner, Stands for Application specific intelligent devices
I'm a Digital Expert from 8-bits to 64-bits
 

Offline electronic_eel

  • Regular Contributor
  • *
  • Posts: 201
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #390 on: January 09, 2019, 03:52:38 pm »
Regarding the IC adapters, if the chips can be in circuit programmed, then they are useless ;D
I don't think you want 10V programming voltage anywhere on your regular circuit.
 

Offline DocBen

  • Regular Contributor
  • *
  • Posts: 111
  • Country: de
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #391 on: January 09, 2019, 03:58:12 pm »
Regarding the IC adapters, if the chips can be in circuit programmed, then they are useless ;D
I don't think you want 10V programming voltage anywhere on your regular circuit.

Actually the pfs173, pfs154 and probably others are
http://www.padauk.com.tw/upload/doc/PFS173_datasheet_v101_EN_20181113.pdf
page 100 ff

PMS150C as well
http://www.padauk.com.tw/upload/doc/PMS150C%20datasheet%20V105_EN_20181128.pdf
page 68

Just have to take the necessary precautions ;)
« Last Edit: January 09, 2019, 04:17:25 pm by DocBen »
 

Offline ali_asadzadeh

  • Super Contributor
  • ***
  • Posts: 1896
  • Country: ca
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #392 on: January 09, 2019, 04:50:33 pm »
Quote
I don't think you want 10V programming voltage anywhere on your regular circuit.
hopefully the 10v is on the reset pin and it can be isolated from other parts of the circuit ;)
ASiDesigner, Stands for Application specific intelligent devices
I'm a Digital Expert from 8-bits to 64-bits
 

Offline anxzhu

  • Newbie
  • Posts: 3
  • Country: cn
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #393 on: January 09, 2019, 05:02:33 pm »
 

Offline tim_

  • Regular Contributor
  • *
  • Posts: 237
  • Country: de
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #394 on: January 09, 2019, 06:31:32 pm »
Thanks for your findings and implementation.  :clap:

In fact it matches my experiments but for some reason it does not work on PFS154 yet. After I converted my project to support also the small 13 bit devices I was able to program PMC150 immediately like you did.
So only the shared DAT pin for input and output on PFS154 still troubles me a bit.

Interesting, so there is something about the PFS154. I'll give it a try.

I think it could be very helpful to take an analog log of the PFS154 writes sequence. Most likely it will also be possible to deduce the write direction from the analog voltages.
Frank, do you think you have a chance to do this? If you don't have any PFS154 I could send some to you.

EDIT: What you call "Device-ID" seems to be the "ACK" we seen on PFS154.
on PFS154:

after a command is sent you need to send some dummy clocks (4) for the IC to process the command
-> maybe some more clocks are required on PMC150 which you call "dummy write"
then direction changes and and ACK is sent back (12 bit): 0xAA1
-> maybe on PMC150 it is 0xA1
then again a dummy clock is required before you can start sending data
-> maybe the "6" is just garbage since only 4 dummy clocks are needed.

Well, there is a lot of evidence that this actually is some kind of device ID.

- The code is read in the first step of the programming sequence (phase 0)
- The code is 0xA16 for the PMS150C. This bit sequence does not appear in the magic key (0XA5A5A5A7). Therefore it is unlikely that this is garbage information from the SPI shift register.
- Also, the signaling scheme to read it is exactly identical to the programmin sequence, except that the "write execution sequence" is not sent.

It would be interesting to read this code from other devices as well.

« Last Edit: January 09, 2019, 06:33:44 pm by tim_ »
 

Offline tim_

  • Regular Contributor
  • *
  • Posts: 237
  • Country: de
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #395 on: January 09, 2019, 06:32:38 pm »

Regarding the pdf: on page 18 you write that the data is clocked out after the first write cycle and believe that its verification data.
I dont think so. The data comes from the internal shift register being used for SPI. The default value seems to be the device ID, after that the bits you shifted in are simply shifted out. Its very unlikely that this is intended for verification purposes.

Indeed, you are right. This is the most likely explanation - and also the easiest way of implementing a device-ID, taking zero additional logic gates :)

 

Offline FrankBuss

  • Supporter
  • ****
  • Posts: 2365
  • Country: de
    • Frank Buss
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #396 on: January 09, 2019, 07:46:11 pm »
I think it could be very helpful to take an analog log of the PFS154 writes sequence. Most likely it will also be possible to deduce the write direction from the analog voltages.
Frank, do you think you have a chance to do this? If you don't have any PFS154 I could send some to you.

Yes, I can do this. I have only PMS150C and PMS154B, but I guess a flash version can be very different. If you want to send me a few, my address is on my impressum page: http://www.frank-buss.de/impressum.html Would be faster than when I'm ordering it at lcsc, if you have already some. How many signals should I sample? Just asking in case I need to solder the second board, for a full 8 channel version of my ADC.
So Long, and Thanks for All the Fish
Electronics, hiking, retro-computing, electronic music etc.: https://www.youtube.com/c/FrankBussProgrammer
 

Offline tim_

  • Regular Contributor
  • *
  • Posts: 237
  • Country: de
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #397 on: January 10, 2019, 12:59:12 am »
So I did some experiments with the PFS154. The protocol is slightly different indeed.

- As you described, the PSF154 needs to be clocked for 4+12=16 cycles after the magic-key/command. This sequence is not needed in the PMS150C.
- The response seems to be 0xFAA1 for a write or 0x1AA1 for a read. It is possible that the upmost 4 bit of this word are indeed random data.
- Address and command are both 14 bit.
- The device-id sequence of the PMS150 is missing in the PFS154. This is obvious, since the same scheme would not be supported with a single data line.
- The write instruction writes 4 instead of 2 words at once.

I was able to write to the memory, as you can see in the dump below. However, for some reason the data came out garbled. Only bits 4-11 were written to and the data was shifted by one bit. Really weird, since the address was actually correct. The write was 1A5A 15A5 0000 0000 to 0x38 and 0x40.

I also encountered a weird issue with the power up sequence. It appears the PFS154 was drawing a lot of power when VDD was grounded and VPP was ramped up. I was able to solve this by floating VDD during the VPP ramp and only pulling it to ground for a short time to reset the MCU. This reason for this could be latch up.

Tomorrow I will send some devices to Frank. It will be very helpful to get another datalog.

Code: [Select]
Initializing...
372 400 425 449 472 491 510 527 543 ACK: FAA1
DeviceID: 0     Vpp Standby: 373
Dumping memory...
372 400 425 449 472 492 510 527 543 ACK: 1AA1
Vpp read mode: 560
0000: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0010: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0020: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0030: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 34BF 3B4F 300F 300F 3FFF 3FFF 3FFF 3FFF
0040: 34BF 3B4F 300F 300F 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0050: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0060: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0070: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0080: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0090: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
00A0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
00B0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
00C0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
00D0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
00E0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
00F0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0100: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0110: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0120: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0130: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0140: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0150: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0160: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0170: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0180: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0190: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
01A0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
01B0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
01C0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
01D0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
01E0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
01F0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0200: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0210: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0220: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0230: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0240: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0250: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0260: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0270: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0280: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0290: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
02A0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
02B0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
02C0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
02D0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
02E0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
02F0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0300: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0310: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0320: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0330: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0340: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0350: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0360: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0370: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0380: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0390: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
03A0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
03B0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
03C0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
03D0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
03E0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
03F0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0400: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0410: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0420: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0430: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0440: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0450: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0460: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0470: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0480: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0490: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
04A0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
04B0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
04C0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
04D0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
04E0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
04F0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0500: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0510: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0520: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0530: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0540: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0550: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0560: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0570: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0580: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0590: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
05A0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
05B0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
05C0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
05D0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
05E0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
05F0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0600: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0610: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0620: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0630: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0640: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0650: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0660: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0670: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0680: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0690: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
06A0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
06B0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
06C0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
06D0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
06E0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
06F0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0700: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0710: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0720: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0730: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0740: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0750: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0760: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0770: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0780: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
0790: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
07A0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
07B0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
07C0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
07D0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
07E0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 0282 025A 1FFE
07F0: 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF 3FFF
Writing to memory...
374 402 428 453 476 496 515 532 ACK: FAA1
Vpp initial: 536        PWM: 9
553 563 572 Vpp write mode: 595 PWM: 13
Vpp after writing: 580
Vpp off: 312

 

Offline tim_

  • Regular Contributor
  • *
  • Posts: 237
  • Country: de
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #398 on: January 10, 2019, 01:24:37 am »
I think it could be very helpful to take an analog log of the PFS154 writes sequence. Most likely it will also be possible to deduce the write direction from the analog voltages.
Frank, do you think you have a chance to do this? If you don't have any PFS154 I could send some to you.

Yes, I can do this. I have only PMS150C and PMS154B, but I guess a flash version can be very different. If you want to send me a few, my address is on my impressum page: http://www.frank-buss.de/impressum.html Would be faster than when I'm ordering it at lcsc, if you have already some. How many signals should I sample? Just asking in case I need to solder the second board, for a full 8 channel version of my ADC.

Thanks a lot! I will send out the devices tomorrow. The PFS154 is only using 4 wires (+gnd) instead of 5 like the PMS150C (see slide 4 in attachment). So your existing hardware should be fine.
 

Online oPossum

  • Super Contributor
  • ***
  • Posts: 1415
  • Country: us
  • Very dangerous - may attack at any time
Re: EEVblog #1144 - Padauk Programmer Reverse Engineering
« Reply #399 on: January 10, 2019, 12:14:07 pm »
The circuit diagram from @oPossum looks good, the ALM2402 can drive up to 400 mA, so maybe no external transistor amplifier is even needed. But it has only a gain bandwidth of 600 kHz, maybe would be good to use some additional 4051 for the high frequency data lines.

At the time I designed that it wasn't clear if two programmable voltages would be enough, so I used four. I didn't intend to use the DAC for clock or data lines. I will probably be using 74LVCH1T45 for level translation of clock and data lines.
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf