Reverse engineering a CSL Dualcom GPRS part 5 – reading the EEPROM

In part 4, I looked at the Windows utility that can be used to program the CSL Dualcom GPRS board. It seems to be able to do this one of two ways – over the air, but also by removing the socketed EEPROM chip on the board and putting it into a programmer connected to a PC.

I don’t have one of these programmers unfortunately – it’s called a CS0355 and looks like this:
CS0355 NVM programmer

I’ve asked around to see if anyone has one, but they don’t. It looks like a generic device, but I can’t find out enough to track one down. There is a .hex file in the CS0054 package that looks like it might have PIC code in it, so this might just be a simple PIC microcontroller acting as an EEPROM programmer.

Luckily we don’t need this programmer to read the contents of the EEPROM though – not when we have a Bus Pirate.

The 93C86 is a 16K Microwire Serial EEPROM. Microwire is Microchip’s name for the SPI-like protocol used on their ICs. It is very similar to SPI – Chip Select (CS), Clock (CLK), MISO (DO) and MOSI (DI). It doesn’t always work on 8-bit words though, so standard SPI hardware might not work.

This is fine though – the Bus Pirate has a mode called 3WIRE which allows us to bit-bang Microwire.

First we remove the 8-pin EEPROM from the CSL Dualcom GPRS, then put it into a breadboard. We connect it up to the Bus Pirate as follows:

  • Pin 1 CS -> CS
  • Pin 2 CLK -> CLK
  • Pin 3 DI -> MOSI
  • Pin 4 DO -> MISO
  • Pin 5 VSS -> GND
  • Pin 6 ORG -> Pin 8 VCC (This chooses either 2048x8-bit or 1024x16-bit operation – this is arbitrary, I went for 16-bit)
  • Pin 7 PE -> can be left floating
  • Pin 8 VCC -> 5V
Connected to Bus Pirate

Now we fire up our terminal and connect to the Bus Pirate.

HiZ>m
1. HiZ
2. 1-WIRE
3. UART
4. I2C
5. SPI
6. 2WIRE
7. 3WIRE
8. LCD
x. exit(without change)

(1)>7
Set speed:
 1. ~5KHz
 2. ~50KHz
 3. ~100KHz
 4. ~400KHz

(1)>4
CS:
 1. CS
 2. /CS *default

(2)>1
Select output type:
 1. Open drain (H=Hi-Z, L=GND)
 2. Normal (H=3.3V, L=GND)

(1)>2
Ready
3WIRE>W
POWER SUPPLIES ON

First we change to 3WIRE using m, then option 7.

We then chose 400KHz, the fastest bit-banged 3WIRE can go.

CS is active high – contrary to many SPI devices. Choose 1.

Although the chip is a 5V device, the datasheet specifies that 3.3V is read as a logic high, so we can stick with normal outputs.

Finally, capital W turns the 5V power supply on. The chip is now powered.

The next step is to read the data out. The chip has a convenient bulk read mode. Instead of having to do command + address + read, command + address + read, command + address + read etc. you can just do command + address + read + read + read – the chip will automatically increment the address.

Doing this with the Bus Pirate is easy:

[0b110;3 0x000;10 r:0x800;8]

Let’s break this down.

[ means assert CS to select the chip.

0b110;3 means send 110 in 3 bits. If you just do 0b110, you send 8 bits, i.e. 00000110, which is not what we want.

0x000;10 means send 0000000000 as the address (i.e. the first address). This is 10 bits when ORG is high (1024x16-bit organisation).

r:0x800;8 means read 8-bit values 0x800 (2048) times. For some reason I couldn’t get r:0x400;16 to work.

What do we get out of this?
BP readout

There’s all of the data, from the EEPROM.

If we compare the start of the data read out from the EEPROM:

0x00 0x47 0x00 0x25

with the start of the Sample.prm file:

H,47,00
25
00

It looks like we have the same data, just ordered a little differently.

I can also spot some ASCII phone numbers and IPs in there.

It does look a lot like the prm file is just a representation of the EEPROM.
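To make the read sequence broken down above concrete, here is an added example (not code from the post or from CSL) that bit-bangs the same Microwire READ frame in Python against a small software model of the 93C86’s read path, so it runs offline. The model, the function names and SAMPLE_WORDS are all constructed; the 3WIRE macro from the post is noted alongside each step. The leading 1 in 0b110 is the Microwire START bit and the 10 that follows is the READ opcode, which is why it must be sent as exactly 3 bits.

```python
# Added example, not the post's code: Microwire READ for a 93C86 in x16 organisation.
READ_OPCODE = 0b10   # START bit 1 followed by opcode 10 is the 0b110;3 sent above
ADDR_BITS = 10       # 1024 x 16-bit words when ORG is tied high
WORD_BITS = 16

class Sim93C86:
    """Hypothetical READ-path model of the chip, just enough to exercise the protocol."""
    def __init__(self, words):
        self.words, self.cs = list(words), 0
        self.cmd, self.out = [], []          # bits clocked in / bits queued on DO

    def select(self, on):                    # CS is active high on this chip
        self.cs, self.cmd, self.out = on, [], []

    def clock(self, di=0):
        """One CLK rising edge: sample DI, return the DO level after the edge."""
        if not self.cs:
            return 0
        if self.out:                         # data phase: stream out MSB first
            return self.out.pop(0)
        if not self.cmd and di == 0:         # zeros before the START bit are ignored
            return 0
        self.cmd.append(di)
        if len(self.cmd) == 1 + 2 + ADDR_BITS:   # START + opcode + address received
            opcode = (self.cmd[1] << 1) | self.cmd[2]
            addr = int("".join(map(str, self.cmd[3:])), 2)
            if opcode == READ_OPCODE:        # queue every word from addr onward:
                for w in self.words[addr:]:  # this is the address auto-increment
                    self.out += [(w >> i) & 1 for i in range(WORD_BITS - 1, -1, -1)]
        return 0   # DO stays 0 until the first data clock (the datasheet's dummy bit)

def microwire_read(chip, start_addr, nwords):
    """Send START, READ and a 10-bit address once, then clock out nwords words."""
    chip.select(1)                                                    # [
    frame = [1, 1, 0] + [(start_addr >> i) & 1 for i in range(ADDR_BITS - 1, -1, -1)]
    for bit in frame:                                                 # 0b110;3 0x000;10
        chip.clock(bit)
    words = []
    for _ in range(nwords):                                           # r:N;16
        w = 0
        for _ in range(WORD_BITS):
            w = (w << 1) | chip.clock()
        words.append(w)
    chip.select(0)                                                    # ]
    return words

def words_to_bytes(words):   # high byte first, the order seen in the dump (0x00 0x47 0x00 0x25)
    return b"".join(bytes([w >> 8, w & 0xFF]) for w in words)

# Constructed contents: the first two words match the start of the readout above.
SAMPLE_WORDS = [0x0047, 0x0025, 0x3031, 0x3233] + [0xFFFF] * 1020
```

Reading 0x400 words from address 0 and calling words_to_bytes on the result gives the same 2048 bytes that r:0x800;8 returned on the Bus Pirate.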

2 thoughts on “Reverse engineering a CSL Dualcom GPRS part 5 – reading the EEPROM”


    geno

    December 3, 2015 at 11:26pm

    awesome post! this really helped me understand what is going on and enabled me to dump a 93LC66 4K chip via the buspirate.


    Pyrofer

    February 2, 2016 at 8:46am

    To second geno’s comment, thanks to this post I was able to get my bus pirate working with the 93LC66A that I could NOT get to work!
    It seems that ;3 on the command and ;9 on the address were the magic tricks missing in every other guide on the net about the bus pirate and eeproms.
    Thanks!
