Now that I have a Bus Pirate<\/a>, I decided to dump the 24c64 EEPROM. A 24c64-type EEPROM speaks standard I2C<\/a>, with the addition of three dedicated address pins (for banking chips), and a hardware write protect pin.<\/p>\n My first attempt was a little troublesome, because attaching the chip in-place was (as is often the case) powering the whole board, leaving two I2C bus masters, and confusing the situation.<\/p>\n The following is basically a reference for communicating with 24c32\/64 EEPROMs<\/strong>.<\/p>\n To remedy the problem, I simply desoldered the 24c64 from one of the buttons, soldered pins 1-4 (one full side) to a bit of wire, so I could ground GND, A2, A1 and A0 with a single clip, and attached the bus pirate leads to the floating chip (Yes, SOIC8 packages are rather small):<\/p>\n To be specific the connections are GND to pins 1-4 (Gnd, A2, A1, A0) 3.3V to Vcc (8) and WP(7), CLK to SCL (6), and MOSI to SDA (5) like so:<\/p>\n To write the ROM, the WP pin would need to be grounded instead of powered, but preventing writes is a good safety measure when exploring.<\/p>\n Software-side, I ended up following the communication instructions in the Bookly 24c64 datasheet<\/a>, because I found them asier to interpret, but the datasheets from Atmel or any other manufacturers that make a compatible part will do as well. Start with the usual bus pirate setup of \u2018m\u2019 for menu, \u20184\u2032 for I2C, Chose a clock (I used 100kHz for fear of interference from the long-for-I2c leads), \u2018P\u2019 to turn on pull-up resistors, and \u2018W\u2019 to turn on the power supplies.<\/p>\n Then, to read out a 24C64, you feed it (this is a commented log of the terminal session) Giving analysis a first pass, I looked for pieces of the string it prints when activated as ASCII and raw USB HID Scancodes, but didn\u2019t find them\u2026 which either means there is a problem with the dump (byte order?), or some clever and inconvenient encoding was used. I\u2019m not terribly familiar with 8051s and their associated tools, so that will be the rather large next step. If nothing turns up in analyzing the dump, I may have to sniff the bus while the board is in operation to see if there is some funky data layout obfuscation.<\/p>\n","protected":false},"excerpt":{"rendered":" It took over a year for me to get back to it, but I finally sat down and made some progress on hacking the Buttons Pionier was giving away at SC09. When I last posted about it, I had drawn … Continue reading ![\"24c64dump_sm.jpg\"](\"https:\/\/pappp.net\/wp-content\/fp-content\/images\/24c64dump_sm.jpg\" "\\"24c64dump_sm.jpg\\"")
<\/p>\n![\"24c6pins_sm.png\"](\"https:\/\/pappp.net\/wp-content\/fp-content\/images\/24c6pins_sm.png\" "\\"24c6pins_sm.png\\"")
<\/p>\n
\n
\nI2C>[0xA0\t--\u00a0Start,\u00a0Send\u00a01010,\u00a0the\u00a0Values\u00a0on\u00a0the\u00a0A2-A0\u00a0pins\u00a0(000\u00a0if\u00a0grounded),\u00a0Followed\u00a0by\u00a00\u00a0write\u00a0for\u00a0and\u00a01\u00a0for\u00a0read\u00a0--\u00a0dummy\u00a0write\u00a0to\u00a0set\u00a0address\u00a0pointer
\nI2C\u00a0START\u00a0BIT
\nWRITE:\u00a00xA0\u00a0ACK
\nI2C>0x00\t--\u00a0Send\u00a0the\u00a0start\u00a0address\u00a0to\u00a0the\u00a0chip,\u00a0the\u00a024c64\u00a0ignores\u00a0first\u00a0three\u00a0bits.\u00a00x0000\u00a0to\u00a0start\u00a0at\u00a0the\u00a0beginning\u00a0of\u00a0the\u00a0ROM.
\nWRITE:\u00a00x00\u00a0ACK
\nI2C>0x00
\nWRITE:\u00a00x00\u00a0ACK
\nI2C>[0xA1\t--\u00a0Starts,\u00a0then\u00a0random\u00a0read\u00a0(same\u00a0as\u00a0first\u00a0byte\u00a0of\u00a0dummy\u00a0write,\u00a0with\u00a0R\/W\u00a0high\u00a0instead\u00a0of\u00a0low)
\nI2C\u00a0START\u00a0BIT
\nWRITE:\u00a00xA1\u00a0ACK
\nI2C>r:255\t--\u00a0Sequential\u00a0read\u00a0out\u00a0the\u00a0whole\u00a0ROM\u00a0(Overflows\u00a0most\u00a0terminal's\u00a0history,\u00a0I\u00a0pulled\u00a0256\u00a0or\u00a0512\u00a0at\u00a0a\u00a0time.)
\nREAD:\u00a00x5A\u00a0\u00a0ACK\u00a00xA5\u00a0\u00a0ACK...
\n<\/code>
\nI dumped it twice to cross-check that I didn\u2019t make any dumb mistakes the first time, then massaged the dump with some regexes to get rid of the communication details and extract a pure hex dump<\/a>. Only the first 4608 bytes of the ROM are written, so there is even room to tamper, if I can figure out the encoding. Note that the posted string is NOT S-records<\/a> or Intel HEX<\/a>, but raw ASCII-encoded two-characters-per-byte hex. In order to get it into an 8051 disassembler for further analysis, I will either need to figure out how to coax the Bus Pirate to generate a formatted dump, or write a script to segment and prefix the existing string, but neither has happened yet.<\/p>\n