Reverse engineering a CSL Dualcom GPRS part 5 – reading the EEPROM

In part 4, I looked at the Windows utility that can be used to program the CSL Dualcom GPRS board. It seems to be able to do this one of two ways – over the air, but also by removing the socketed EEPROM chip on the board and putting it into a programmer connected to a PC.

I don’t have one of these programmers unfortunately – it’s called a CS0355 and looks like this:
CS0355 NVM programmer

I’ve asked around to see if anyone has one, but they don’t. It looks like a generic device, but I can’t find out enough to track one down. There is a .hex file in the CS0054 package that looks like it might have PIC code in it, so this might just be a simple PIC microcontroller acting as a EEPROM programmer.

Luckily we don’t need this programmer to read the contents of the EEPROM though – not when we have a Bus Pirate.

The 93C86 is an 16K Microwire Serial EEPROM. Microwire is Microchip’s nâme for their SPI-like protocol used for their ICs. It is very similar to SPI – Chip Select (CS), Clock (CLK), MISO (DO) and MOSI (DI). It doesn’t always work on 8-bit words though, so standard SPI hardware might not work.

This is fine though – the Bus Pirate has a mode called 3WIRE which allows us to bit-bang Microwire.

First we remove the 8-pin EEPROM from the CSL Dualcom GRPS, then put it into a breadboard. We connect it up as follows to the Bus Pirate:

  • Pin 1 CS -> CS
  • Pin 2 CLK -> CLK
  • Pin 3 DI -> MOSI
  • Pin 4 DO -> MISO
  • Pin 5 VSS -> GND
  • Pin 6 ORG -> Pin 8 VCC (This choses either 2048x8bit or 1024x16bit operation – this is arbitrary, I went for 16bit)
  • Pin 7 PE -> can be left floating
  • Pin 8 VCC -> 5V
Connected to Bus Pirate

Connected to Bus Pirate

Now we fire up our terminal and connect to the Bus Pirate.

First we change to 3WIRE using m, then option 7.

We then chose 400KHz, the fastest bit-banged 3WIRE can go.

CS is active high – contrary to many SPI devices. Chose 1.

Although the chip is a 5V device, 3.3V is detected as logic high by the specs, so we can stick with normal outputs.

Finally, capital W turns the 5V power supply on. The chip is now powered.

The next step is to read the data out. The chip has a convenient bulk read mode. Instead of having to do command + address + read, command + address + read, command + address + read etc. you can just do command + address + read + read + read – the chip will automatically increment the address.

Doing this with the Bus Pirate is easy:

Let’s break this down.

[ means assert CS to select the chip.

0b110;3 means send 110 in 3bits. If you just do 0b110, you send 8bits i.e. 00000110, which is not what we want.

0x000;10 means send 0000000000 as the address (i.e. the first address). This is 10bits when ORG is high (1024x16bit organisation).

r:0x800;8 means read 8bit values 0x800 (2048) times. For some reason I couldn’t get r:0x400;16 to work.

What do we get out of this?
BP readout

There’s all of the data, from the EEPROM.

If we compare the start of the data read out from the EEPROM:

with the start of the Sample.prm file:

It looks like we have the same data, just ordered a little differently.

I can also spot some ASCII phone numbers and IPs in there.

It does look a lot like the prm file is just a representation of the EEPROM.

2 thoughts on “Reverse engineering a CSL Dualcom GPRS part 5 – reading the EEPROM

  1. Permalink  ⋅ Reply

    geno

    December 3, 2015 at 11:26pm

    awesome post! this really helped me understand what is going on and enabled me to dump a 93LC66 4K chip via the buspirate.

  2. Permalink  ⋅ Reply

    Pyrofer

    February 2, 2016 at 8:46am

    To second geno’s comment, thanks to this post I was able to get my bus pirate working with the 93LC66A that I could NOT get to work!
    It seems that ;3 on the command and ;9 on the address were the magic tricks missing in every other guide on the net about the bus pirate and eeproms.
    Thanks!

Leave a Reply

Your email will not be published. Name and Email fields are required.