Reading EEPROM data from PIC

[Alexei.Polkhanov]

Nespresso C60 coffee maker died in our office. We got replacement and I decided to tear down old machine. (Phos are here if anyone is interested: https://plus.google.com/u/0/photos/+AlexeiPolkhanov/albums/5942601403050829121.

I really wanted to find out how many cups of coffee this machine made over its lifespan, so once I got to the controller board I started looking for EEPROM or something like that hoping that I may be able to get data from it. What I found is a PIC Microcontroller - PIC16F685 (Datasheet: http://ww1.microchip.com/downloads/en/DeviceDoc/41262A.pdf). It has EEPROM inside the chip itself.

Unfortunately I don't have any experience with PIC micros. I am wondering if it is possible to get data from internal EEPROM in this microcontroler? How would I do that? 

I found this debugger http://www.microchipdirect.com/productsearch.aspx?Keywords=PG164130 ) and probably should get it anyway cuz I tend to bump into PICs a lot lately. I can definitely reprogram the chip if it is not fused and read the EEPROM programmaticaly just like datasheet say, but I would probably wipe off the EEPROM in a first attemp to re-programe the device?

Controller board has 5 unconnected through hole pads that I think maybe JTAG, but maybe not because Datasheet that I found does not even mention JTAG 

[garak]

Any halfway decent PIC programmer ought to be able to read the EEPROM data out of the PIC. I think even the cruddy parallel-port based stuff can do this.

However, this doesn't mean that the PIC will let you. I can't remember if the PIC16F685 has an EEPROM data protection function, but many many PICs do, and if it's turned on then you're scuppered. It's fairly common for manufacturers to switch on every protection feature they can find in a paranoid effort to protect their IP, regardless of if anyone would actually WANT to steal it.

At any rate, keep the PIC. The part number you gave is not an OTP version, so you can use it again in something else should you want to.


EDIT: This sentence, no verb...

[amyk]

Most if not all PICs have code protection function. While it will be common that the protection is enabled, it's not 100% of the case so you should try anyway.

(And even if it is, it's not 100% effective...)

[garak]

Most if not all PICs have code protection function. While it will be common that the protection is enabled, it's not 100% of the case so you should try anyway.

(And even if it is, it's not 100% effective...)

OP was referring to the EEPROM rather than program code, and I don't think that they all have protection on that. I agree that it's definitely worth a shot though. I don't think it's worth trying to break it for his needs though

[Rufus]

What I found is a PIC Microcontroller - PIC16F685

Controller board has 5 unconnected through hole pads that I think maybe JTAG, but maybe not because Datasheet that I found does not even mention JTAG 

The PIC16F685 has optional protection for program memory and EEPROM. If the thing bothers to record how many cups it has made you would think they must have provided some way to inspect that information.

5 pins is very typical of PIC ICSP program/debug connections, they probably line up with pins 1 to 5 of the programmer/debugger you linked.

Being able to read the EEPROM still leaves you with the problem of understanding what you read.

[garak]

Being able to read the EEPROM still leaves you with the problem of understanding what you read.

Very true. Still, being a coffee machine, I kinda doubt deciphering any information that it's got stashed away in there would be too difficult. I mean, how complex could its life possibly be? Cup count, runtime, error codes? That's about all I can think of.

[nctnico]

There can be all kinds of information like the 'recipy'. But maybe its just blank. If it would count the number of cups it made then there should some way to read it. Maybe you can resurrect the PCB and see if there is some way to communicate with it.

[dannyf]

I really wanted to find out how many cups of coffee this machine made over its lifespan, so once I got to the controller board I started looking for EEPROM

That's assuming that the chip actually writes such data into the eeprom.

Otherwise, reading the eeprom isn't difficult, assuming that no data protection is enabled: all you need is a programmer, like pickit2/3 - <$50 at the high-end.

[Alexei.Polkhanov]

I guess I will find out in few days. I ordered pickit3 from Digikey. Looks like 5 through hole pads in the top right corner of the board match the hookup described in pickit3 documentation. I hope that EEPROM is not locked up.

[Alexei.Polkhanov]

Most if not all PICs have code protection function. While it will be common that the protection is enabled, it's not 100% of the case so you should try anyway.
(And even if it is, it's not 100% effective...)

$1000 - pretty steap price for 256 bytes from coffee machine's EEPROM 
I've heard that discharging flash from recyclable film camera near the IC while trying to navigate JTAG state machine sometimes can reset the right flip flop and allow to read data from IC even if it is has protection fuse.

Has anyone on this forum ever tried and succeeded reading protected flash or EEPROM?

[Alexei.Polkhanov]

Well, I got the EEPROM contents, but I was unable to read program memory - it all came out 0s. I was careful not to overwrite it, but I don't exclude the possibility that I reset it by powering up device incorrectly or something like that, another explanation is that program memory is indeed protected. I got no warnings or errors while trying to read it.

Code: [Select]

    Address      00   02   04   06   08   0A   0C   0E                                                 ASCII                                               
00             0A04 02A6 0096 3AF7 1A2C 60AA 0300 0900 .......: ,..`....                                                                                   
10             3000 4098 CA00 4C67 0000 0000 2900 0000 .0.@..gL .....)..                                                                                   
20             FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ........ ........                                                                                   
30             FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ........ ........                                                                                   
40             FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ........ ........                                                                                   
50             FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ........ ........                                                                                   
60             FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ........ ........                                                                                   
70             5753 3020 2E35 3530 4E20 4E41 FF4F FFFF SW 05.05  NANO...                                                                                   
80             FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ........ ........                                                                                   
90             FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ........ ........                                                                                   
A0             FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ........ ........                                                                                   
B0             FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ........ ........                                                                                   
C0             FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ........ ........                                                                                   
D0             FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ........ ........                                                                                   
E0             FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ........ ........                                                                                   
F0             FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF ........ ........                                                                                   

While looking at the board I found that 'N' pin which is connected to AC power input is not connected to GND (VSS) but to +5V VDD of net.
Why? 
This is not first time I see this but I am not sure why would someone design it this way?
Why? 

[RoadRunner]

I can't remember if the PIC16F685 has an EEPROM data protection function,

PIC16F685 has separate protection setting bits for Data(EEPROM) memory and the Program flash.
as the read configuration bits shows only the Program memory protection is enabled. data (EEPROM) protection is not enabled.
that is why you get back all 0s when try to read Program Flash. PIC micro return 0s if the Flash memory is protected or return FFFFs if blank or erased.

user can enable any protection he wants although,

"It is recommended to code-protect the program memory when code-protecting data memory. This prevents anyone from programming zeroes over the existing code (which will execute as NOPs) to reach an added routine, programmed in unused program memory, which outputs the contents of data memory. Programming unused locations in program memory to ‘0’ will also help prevent data memory code protection from becoming breached."

[amyk]

Looks like in this case code protection is on but data protection is off, thus you can read the EEPROM just fine. Now you'll just have to figure out what is stored in the EEPROM...

The board uses a nonisolated capacitive dropper supply (probably half-wave rectified), and since AC is AC it doesn't matter which lead is connected. The advantage of using N might be to reduce noise on the +5.

[mazurov]

You need to brew a cup of coffee and see what has changed in the EEPROM.

[Alexei.Polkhanov]

Looks like in this case code protection is on but data protection is off, thus you can read the EEPROM just fine. Now you'll just have to figure out what is stored in the EEPROM...

The board uses a nonisolated capacitive dropper supply (probably half-wave rectified), and since AC is AC it doesn't matter which lead is connected. The advantage of using N might be to reduce noise on the +5.

I is using LNK304,  Off-Line Switcher IC, Datasheet:  http://www.mouser.com/ds/2/328/lnk302_304-306-179954.pdf I powered it up from my bench PSU by connecting +5V directly to +5V net on the board it never used more than 50mA.

I think I figured the counter, but it looks like it counts more like "cycles" not cups. It is a 16 bit number at 0A - 60AA (which later became 60AB. I understand 16 bit integers in PIC16F685 saved as little endian.

[abyrvalg]

Try flipping unused bits - maybe it will unlock some new features like 200MHz bandwidth double cups 

[amyk]

I think I figured the counter, but it looks like it counts more like "cycles" not cups. It is a 16 bit number at 0A - 60AA (which later became 60AB. I understand 16 bit integers in PIC16F685 saved as little endian.

24746 cups is a lot of coffee...

[JTR]

I think I figured the counter, but it looks like it counts more like "cycles" not cups. It is a 16 bit number at 0A - 60AA (which later became 60AB. I understand 16 bit integers in PIC16F685 saved as little endian.

Maybe but how anything is saved to the data eeprom is entirely arbitrary. Endianess is at the whim of the firmware writer as there is nothing inherent with a 8-bit PIC's ISA that dictates data eeprom endianess. The value could just as easily be 938 power cycles or some such.

[trackman44]

The PIC16F685 has 256 bytes of EEPROM. Each address space is only 8 bits wide ( there is no 16 bit wide address space in the chip). Odds are that once it reaches a set value (x number of cups of coffee brewed) it will shut down. It was designed to fail. You just need to reset the number of cups brewed counter to zero. I would experiment and find out which byte it is that is incrementing ( the one that changed from AA to AB looks promising) you just have to brew another 86 cups to see what other byte will change (because it would go from FF to 00 and then the other byte will increment). Once you know that, reset both bytes to 00 and then the PIC will think it's brand new again.

Will

[Teemo]

Hello Alexei

Interesting teardown, thanks for sharing!

[Kjelt]

Odds are that once it reaches a set value (x number of cups of coffee brewed) it will shut down. It was designed to fail.

Perhaps with fast consumables such as print cartridges this is the case but with expensive consumer goods such as these almost definetly not since these brands are looking for consumer binding they do a lot to give the consumer the best experience so they buy again in the future. It won,t help if all at a sudden all the machines in the world would start failing and the internet would be swamped with negative reviews  there are less conspiracies out there then most peolple think.

[trackman44]

True that. So i guess the other alternative is to change each byte up or down by one to see what happens. Also you need to determine if the machine really has failed. The PCB looks OK. Does anything else in the espresso maker look out of sorts? (Clogged tubes, short or open micro switches, micro switch arms bent too far, poor solder joints on wires, bent pinched burnt wires, burnt out LEDs, power supply voltages out of specs). Let us know Alexei.

Will

[Alexei.Polkhanov]

True that. So i guess the other alternative is to change each byte up or down by one to see what happens. Also you need to determine if the machine really has failed. The PCB looks OK. Does anything else in the espresso maker look out of sorts? (Clogged tubes, short or open micro switches, micro switch arms bent too far, poor solder joints on wires, bent pinched burnt wires, burnt out LEDs, power supply voltages out of specs). Let us know Alexei.

Will

Machine failed mechanically, it has a crack somewhere in piping and was leaking water. I was not trying to fix it I wanted to tear it down simply out of curiosity nothing more. There was no electrical failure in the machine of any kind and water leak did not short anything. It was definitely not designed for abuse it went trough and subsequently it was replaced by another machine of same model. It looks like it was made in Switzerland entirely - I found no "outsourced" parts in it at all. Plastic molding is so precise it is hard to see if it is multiple parts or one - I think that kind of plastic molding only comes from two places Germany and Japan.

[trackman44]

Oh. Ok then. So what are you planing to do with it? You cant read the program flash memory ( read protection is active). So your best bet is to analyze the data on the pins of the PIC so you have a basic understanding of what's going on ( which pins are outputs and what do they turn on,( motors, solenoids, LEDs, relays) which pins are inputs and are they assigned to the ADC?( water level, temperature sensing, key pad)). You could use a multimeter to measure the logic state, or a diode with a 1k resistor in series to probe the pins with, or a USB logic analyzer. Good luck learning the layout!

Will

[fluxcapacitor]

heres a great article entitled "Hacking the PIC 18F1320"

http://www.bunniestudios.com/blog/?page_id=40

[Alexei.Polkhanov]

Since I got the Pickit3 I thought I may take a closer look at other boards with PIC devices that I have in my junk box. Very recently my company moved offices and previous tenants left a white board, big ridiculously heavy but it had Virtual Ink device on it which I took off the board before it got recycled.

Here is hi-res photos if anyone curious https://plus.google.com/u/0/photos/116960055711068468555/albums/5944428142857688161

Device was made by company called Virtual Ink which may have originated from MIT media lab in at the end of 1990. It based on triangulating position of marker hosted inside a hollow pen that transmits infrared plus ultrasound pulses. Receiver triangulates the position of the pen (or eraser) by looking at how much ultrasound pulse lags behind IR. I have attached simple capture from one of receivers on my oscilloscope - blue trace is IR and yellow is ultrasound.

Amusing thing about whole design was how many PIC microcontrollers used in whole system! Main board has 4, plus 1 on "eraser PCB"!

I tried to "pick" at them using the pickit3 programmer but then I discovered that all devices on the board are not supported by modern programmers. They are too old 

I wonder where can I get PIC programmer that supports 14 y old devices?

Dates on chips suggesting middle of year 2000. Whole design is not very exciting, but it is still functional, well I guess it is ... because I cannot find any drivers for it (the Virtual Ink device) anywhere. Company still makes and sells modern version of it.

[trackman44]

I looked up PIC16C756A-33/PT and some manufacturers sell them, but no datasheet. Try the microchip forums, see if anyone there knows about the chip.

Will

[amyk]

Only one result from Microchip's site about that part, which seems to suggest that a datasheet did exist: http://www.microchip.com/forums/m19421.aspx

I doubt it's just a matter of age since e.g. the 16C76 is at least as old if not older, and you can still buy them. Maybe it was a custom run?

[fluxcapacitor]

PIC17C752/56A/62/66 Datasheet

http://www.microchip.com/wwwproducts/Devices.aspx?dDocName=en010251#documentation

EDIT: virtual ink mimio drivers .  http://www.mimio.com/en-EM.aspx

[JTR]

I looked up PIC16C756A-33/PT and some manufacturers sell them, but no datasheet. Try the microchip forums, see if anyone there knows about the chip.

Will

The 17Cxx and 17Cxxx PICs are effectively the only microchip PICs to be discontinued (without a close fit replacement.) For a programmer for these dinosaurs  you can use the odd picstart plus (which originally in fact had a 17C42 for the firmware, guess that was one way to get rid of this failed family.) However have fun connecting the 22 wires required for programming as the picstart only supported the parallel programming method.  The old parallax/tech-tools programmer did support the ICSP mode for the larger pin count devices (17Cxxx not 17Cxx.)

[amyk]

A PIC17? Apparently you can still buy them...

[trackman44]

But apparently is not supported by a PICkit2 or PICkit3, bummer  (unless i'm mistaken) 

Will