Nevo C2 Remote Control - Reverse Engineering - Part 2

2016-03-09 22:14 - Making

For context see part 1, which has pictures and descriptions of the chips I'm referencing.

The important bits are two microcontrollers: one ARM made by ST, ("Chip 1") one 8-bit made by Samsung ("Chip 7"). I'll be referring to them as ARM and SAM8, respectively. Plus three connectors. There's J6 and J8, both close to the SAM8, both two by three standard 0.1" pitch headers, unpopulated. Then a completely unlabeled two by four arrangement of rectangular pads next to the batteries, far from any chips. I'm calling this one JX, for either eXtra or eXternal -- this one is accessible without disassembling the remote at all, just by opening the battery compartment. I've figured out what these all do, so let's share!

J6

Just like J8 to come pin one is clearly marked as the singular square pad of the six, plus the notch on the silkscreen layout. Orient yourself so it's top left and I've chosen to label the pins counter-clockwise like a standard IC package. All of these are connected through to the ARM controller, like so:

J6 PinARM Pin
1P1.3 UART2_RX
2P1.5 UART2_TX
3GND
4VDD
5P1.0 UART1_TX
6P1.1 UART1_RX

I was quite confused for a while at the selection (port 1, pins 0 1 3 5, skipping 2 and 4??) for a while until I found, on pin 47 of its data sheet the alternate functions available on those pins, and the pattern seemed clear. I'm mildly surprised to see two UARTs broken out, perhaps the software dedicates one to sending and one to receiving, or command/debugging output, or some other combo? Or perhaps one is unused, "just in case" design. Certainly it will be interesting to check, but I doubt it will be much use on its own.

J8

Also located just next to the SAM8, this is clearly a programming header for it:

J8 PinSAM8 Pin
1VDD
2GND
3TEST
4SCLK
5SDAT
6nRESET

Unfortunately data on this line of micros looks sparse. I can see these pin names, and a bare description of their function, in the data sheet, and it makes sense as a synchronous serial channel, and the TEST/nRESET pins to force it into programming mode. But what protocol goes over this channel? I surely don't know. The data sheet also has a surprising list of development tools listed, but none of them are common things. I could only find concrete evidence of one, a storefront with no price listed, which makes me think "If you have to ask how much it costs, you can't afford it." Certainly not for a hobby project! Slightly better news, I found concrete evidence of this particular micro model in use for other UEI remotes (specifically JP1.3). This is clearly the driver for the infra-red side of the remote, which works fine, so I don't need to mess with it. And maybe I can find some community reference, even if just source code, for how JP1.3 works, and maybe it's just the flashing protocol for this micro?

JX

The main attraction was saved for last. Given the lack of markings I have to make up my own numbering scheme. So, with the remote oriented as pictured, see that it is two columns of four pads. Pin one is the top left, and they go counter clockwise from there. With that set, I can show the map to ARM pins:

JX PinARM Pin
1JTDI
2JTMS
3JTCK
4JTDO
5VDDQ
6JTRSTn
7RESET_INn
8GND

Jackpot! This is clearly the JTAG debugging header for the ARM micro! This is without a doubt the next area for me to concentrate on. I know what JTAG is, but so far very little about how it works. I've got an ST-LINK device, used for STM32 (ARM Cortext) work in the past which might be enough to move forward with. And if so that should give me full access to the ARM and whatever it has stored inside, plus I think I should be able to bit-bang SPI to the external flash chip as well, at least. I've mapped its pins to the SSP0 port on the ARM, no surprise, so it's accessible that way.

Fun aside: this had me very confused at first. For the lamest of reasons: I carefully counted out the pins and double-checked them all, thanks to the narrow pitch. I knew which went where for sure, looked them up and they made no sense. Only after a few back-and-forth attempts did I finally take notice of the "pin 1" marker on the chip. It's rotated 90 degrees counter-clockwise from the "natural" orientation. Compensate for that and the JTAG pins all jumped out.

Comments:

Cool stuff!
2016-04-27 10:39 - jjrh

Recently bought this remote too, hope to also do some hacking - looking forward to part 3!

Post a comment:

Username
Password
  If you do not have an account to log in to yet, register your own account. You will not enter any personal info and need not supply an email address.
Subject:
Comment:

You may use Markdown syntax in the comment, but no HTML. Hints:

If you are attempting to contact me, ask me a question, etc, please send me a message through the contact form rather than posting a comment here. Thank you. (If you post a comment anyway when it should be a message to me, I'll probably just delete your comment. I don't like clutter.)