Nevo C2 Remote Control - Reverse Engineering - Part 3
2016-05-08 16:39 - Making
After quite a delay I'm continuing this series of posts.
I've learned that Samsung's SAM8 line of microcontrollers is based on the Zilog Z8:
Historically, the SAM8 and SAM88 CPUs that are the core of the S3 Family were based on Zilog’s efficient Z8 architecture. For Zilog to introduce the S3 Family is simply a natural evolution culminating in a cooperative agreement between IXYS and Samsung.
And that Zilog has purchased this line from Samsung to bring the product full circle:
IXYS Corporation, parent company of legacy and legendary microcontroller manufacturer Zilog, has entered into an agreement to purchase 4-bit and 8-bit Flash microcontroller product lines from South Korean semiconductor manufacturer Samsung Electronics for $50 Million.
This nugget of info helped me find the S3 Embedded Flash Serial Programming document (mirrored at archive.org and locally), which at first seemed very promising. The best I could find from the datasheet was vague references to "tool mode" which the TEST pin could set, but not whether it's active high or low, and also an NRESET pin with no polarity/value indication, and SDAT/SCLK which sounds like I2C. (The N in NRESET implies active low, and some vague wording implies active high for TEST, but that's not enough to go on by itself.) And no data about the protocol. But this S3 document from Zilog mentions pins with nearly identical names, has much clearer wording about the Reset and Test pins, and specifies the protocol to talk over the data line!
Unfortunately all my attempts to whip up something to talk to this chip with that protocol have failed. The Arduino is terribly easy to work with, but I've only got 5V modules, so I tried working with the 3V STM32 board I have instead. I might have been tripped up by the dual-direction data line (output at first to specify the operation, then input). Either way, I can't get the chip to respond.
Next up is the J6 header which just has two power pins and two UART interfaces. It took a little digging, but I found that UART1 spits out some data at power up, at 38400 N81; here are several repetitions:
00000000  00 00 55 49 42 30 01 0b  00 00 55 49 42 30 01 18  |..UIB0....UIB0..|
00000010  00 00 00 55 49 42 30 01  0b 00 00 55 49 42 30 01  |...UIB0....UIB0.|
00000020  18 00 00 00 55 49 42 30  01 0b 00 00 55 49 42 30  |....UIB0....UIB0|
By watching in my logic analyzer, I can see an 0x00, followed by an 8ms delay, then the 0x00 UIB0 0x01 0x0b, a 10ms delay, an 0x00, another 8ms delay, then the 0x00 UIB0 0x01 0x18. There's a clear pattern here, but I can't interpret the data. With the guts of the remote tacked down to the breadboard I can hardly interact with it. When I move it the backlight lights up, but I see no serial traffic. I can get to a few of the hard buttons beside the display, and they also have no effect.
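An added example, not part of the original post: a small Python parser that splits the captured UART1 bytes on the ASCII marker UIB0 and tallies what follows each one, to make the repeating pattern explicit. Treating UIB0 as a frame marker and the 0x00 bytes as padding is an assumption, and the function and field names are hypothetical.

```python
from collections import Counter

MAGIC = b"UIB0"  # ASCII marker seen in the capture; its meaning is unknown

# The 48 bytes of the hexdump in the post, one string per dump line.
CAPTURE = bytes.fromhex(
    "00 00 55 49 42 30 01 0b 00 00 55 49 42 30 01 18"
    "00 00 00 55 49 42 30 01 0b 00 00 55 49 42 30 01"
    "18 00 00 00 55 49 42 30 01 0b 00 00 55 49 42 30"
)

def split_frames(stream, magic=MAGIC):
    """Split on every marker; the bytes after it, minus 0x00 padding, are the payload."""
    offsets, pos = [], stream.find(magic)
    while pos != -1:
        offsets.append(pos)
        pos = stream.find(magic, pos + len(magic))
    frames = []
    for i, off in enumerate(offsets):
        end = offsets[i + 1] if i + 1 < len(offsets) else len(stream)
        zeros = 0
        while off - zeros > 0 and stream[off - zeros - 1] == 0:
            zeros += 1
        frames.append({
            "offset": off,
            "leading_zeros": zeros,
            # Assumption: trailing 0x00 bytes are padding, not payload.
            "payload": stream[off + len(magic):end].rstrip(b"\x00"),
            # The last frame may be cut off by the end of the capture.
            "at_capture_end": end == len(stream),
        })
    return frames

def payload_counts(frames):
    """Count distinct payloads, skipping the frame that runs into the end of the capture."""
    return Counter(f["payload"].hex() for f in frames if not f["at_capture_end"])

if __name__ == "__main__":
    for f in split_frames(CAPTURE):
        note = " (capture ends here)" if f["at_capture_end"] else ""
        print(f'{f["offset"]:3d}  zeros={f["leading_zeros"]}  '
              f'payload={f["payload"].hex(" ") or "-"}{note}')
    print(dict(payload_counts(split_frames(CAPTURE))))
```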
The JTAG interface remains. But it will remain a topic for another day, as I've got learning to do before I have a chance of making progress.
2016-05-12 05:56 - impeeza
Hi, from Colombia we send you a lot of good energy on the current task, regards and kudos.