2016-03-09 22:14 - Making
For context see part 1, which has pictures and descriptions of the chips I'm referencing.
The important bits are two microcontrollers: one ARM made by ST, ("Chip 1") one 8-bit made by Samsung ("Chip 7"). I'll be referring to them as ARM and SAM8, respectively. Plus three connectors. There's J6 and J8, both close to the SAM8, both two by three standard 0.1" pitch headers, unpopulated. Then a completely unlabeled two by four arrangement of rectangular pads next to the batteries, far from any chips. I'm calling this one JX, for either eXtra or eXternal -- this one is accessible without disassembling the remote at all, just by opening the battery compartment. I've figured out what these all do, so let's share!
J6
Just like J8 to come pin one is clearly marked as the singular square pad of the six, plus the notch on the silkscreen layout. Orient yourself so it's top left and I've chosen to label the pins counter-clockwise like a standard IC package. All of these are connected through to the ARM controller, like so:
| J6 Pin | ARM Pin |
|---|
| 1 | P1.3 UART2_RX |
| 2 | P1.5 UART2_TX |
| 3 | GND |
| 4 | VDD |
| 5 | P1.0 UART1_TX |
| 6 | P1.1 UART1_RX |
I was quite confused for a while at the selection (port 1, pins 0 1 3 5, skipping 2 and 4??) for a while until I found, on pin 47 of its data sheet the alternate functions available on those pins, and the pattern seemed clear. I'm mildly surprised to see two UARTs broken out, perhaps the software dedicates one to sending and one to receiving, or command/debugging output, or some other combo? Or perhaps one is unused, "just in case" design. Certainly it will be interesting to check, but I doubt it will be much use on its own.
J8
Also located just next to the SAM8, this is clearly a programming header for it:
| J8 Pin | SAM8 Pin |
|---|
| 1 | VDD |
| 2 | GND |
| 3 | TEST |
| 4 | SCLK |
| 5 | SDAT |
| 6 | nRESET |
Unfortunately data on this line of micros looks sparse. I can see these pin names, and a bare description of their function, in the data sheet, and it makes sense as a synchronous serial channel, and the TEST/nRESET pins to force it into programming mode. But what protocol goes over this channel? I surely don't know. The data sheet also has a surprising list of development tools listed, but none of them are common things. I could only find concrete evidence of one, a storefront with no price listed, which makes me think "If you have to ask how much it costs, you can't afford it." Certainly not for a hobby project! Slightly better news, I found concrete evidence of this particular micro model in use for other UEI remotes (specifically JP1.3). This is clearly the driver for the infra-red side of the remote, which works fine, so I don't need to mess with it. And maybe I can find some community reference, even if just source code, for how JP1.3 works, and maybe it's just the flashing protocol for this micro?
JX
The main attraction was saved for last. Given the lack of markings I have to make up my own numbering scheme. So, with the remote oriented as pictured, see that it is two columns of four pads. Pin one is the top left, and they go counter clockwise from there. With that set, I can show the map to ARM pins:
| JX Pin | ARM Pin |
|---|
| 1 | JTDI |
| 2 | JTMS |
| 3 | JTCK |
| 4 | JTDO |
| 5 | VDDQ |
| 6 | JTRSTn |
| 7 | RESET_INn |
| 8 | GND |
Jackpot! This is clearly the JTAG debugging header for the ARM micro! This is without a doubt the next area for me to concentrate on. I know what JTAG is, but so far very little about how it works. I've got an ST-LINK device, used for STM32 (ARM Cortext) work in the past which might be enough to move forward with. And if so that should give me full access to the ARM and whatever it has stored inside, plus I think I should be able to bit-bang SPI to the external flash chip as well, at least. I've mapped its pins to the SSP0 port on the ARM, no surprise, so it's accessible that way.
Fun aside: this had me very confused at first. For the lamest of reasons: I carefully counted out the pins and double-checked them all, thanks to the narrow pitch. I knew which went where for sure, looked them up and they made no sense. Only after a few back-and-forth attempts did I finally take notice of the "pin 1" marker on the chip. It's rotated 90 degrees counter-clockwise from the "natural" orientation. Compensate for that and the JTAG pins all jumped out.
2016-03-07 19:36 - Making
I've been a fan of JP1 Remotes for quite some time. There's a wonderful community that has written software to put the user in total control of all the features they make possible, and even written "extender" software to add additional features. My approach for some time has meant turning on all the right devices (player, TV, receiver) and set them all to the right inputs, at the press of one button. Then turn them all off with the press of another.
Most recently I've switched to the "Nevo C2" remotes (also known as "Xsight Color" or "ARRX15G"), which have a graphical display built in. This makes it easy for me to deal with the huge array (TiVo, HTPC, plus eleven game consoles) of devices I've got hooked up. The built in software is pretty good, especially with RemoteMaster to customize it. But it's pretty clunky in some areas. At one point I found a post with pictures of the inside of my remote. The post was meant to highlight the (very minor) differences between two similar models. In the full size image, one can just make out a big ARM chip in the middle. I got interested in discovering more about the innards of these things, and how hackable they could be with some reverse engineering. So I ordered an extra one to take apart and tinker with, with no worry of damage. (They can be found on eBay for around $16, so this isn't a huge investment.)
Just for posterity, here's the external view of the remote. Front, back, and battery compartment. Forgive the crappy shots, this isn't the interesting bit. Except the battery compartment, which shows eight exposed pads which are fully accessible, at the bottom of a rather deep/narrow opening. What exactly they're for is very much worth looking into. But what I really want to do is highlight the insides. It's a good thing I bought a sacrificial unit to do this with. I cracked about half of the clips off to get the thing open. Brittle plastic, plus I didn't know the layout. I also ended up ripping the leads right off of the piezo buzzer once the two halves finally separated.
First, here's a full shot of the immediately accessible (once opened) side of the PCB. The battery compartment is towards the left. On the far left are the previously mentioned exposed pads, plus a little circuitry which at first glance seems to be only related to the photodiode located there for learning capabilities.
The interesting bits are all at the other side, the right in this image. That area has been separately shot in a more close up view. I'm going to concentrate today on identifying the chips, so here's another copy of that image, with numbers overlaid for reference in the following commentary.
I've called out seven chips that seem especially interesting.
Chip 1
There's a large ARM logo at the top (with an "H" next to it), and STMicroelectronics logo at the bottom. The rest of the text reads:
STR911FA
W42X6
HPAGP VG
KOR HP 948
This has got to be a STR911FAW42 chip which confirms that it's a 32 bit ARM MCU. The datasheet tells us that the 911FAW42 has 256+32 kB of flash and 92 kB of RAM, and comes in a LQFP128, which all seems right. Finding the programming pins, and ideally some spots that are more accessible than the tight pitch pints themselves, will be interesting.
Chip 2
This chip has no obvious (to me) markings besides the NXP logo which is upside down in this image. The text on it is:
LVCH16373A
L8C5M7 03
UnG0939C
This turns out to be a simple 74 series 74LVC(H)16373A: 16-bit D-type transparent latch with 5 V tolerant inputs/outputs; 3-state. A latch/flip flop. Curious.
Chip 3
This tiny chip is unreadable in the images so the text transcription will be extra important. By the look of it, an eight pin SOP, I'm guessing serial flash.
ATMEL0937
45DB321D
SU
First, I see the second apparent date code: this 37th, chip 2 38th, week of 2009. As far as I know these remotes are discontinued, so it looks like I've gotten some "new old stock" here, which might help explain how cheap they are. Either way, this definitely looks like the 32Mb, 2.5V or 2.7V
Atmel DataFlash (Update: I had the wrong link, for part B not D here originally; Atmel doesn't have the D part on their site?!) by the part number on the second line. The remote supports adding custom icons, so the bulk storage in addition to the flash built into the MCU makes sense. This is the second part I'll be very interested to try to dump. It's probably wired straight to the MCU, but it's a much wider pitch part; I can solder breakout wires by hand without much fuss.
Chip 4
This chip is also small, and upside down in the image. A TI logo is visible. Its text is:
VA08
9CKG4
CNQ4
This turns out to be a SN74ALVC08 QUADRUPLE 2-INPUT POSITIVE-AND GATE, and the data sheet tells us that the top marking is indeed "VA08". The package lines up as well, so I have no reason to doubt this yet. The amount of glue logic is a bit surprising, though.
Chip 5
I've used an ISSI memory chip myself before, so I think I know what I'll find just by seeing the logo. But for completeness:
IS61WV6416BLL-12TLI
BE9622P1 0937
Yet another date code confirmation, this device is from late 2009 for sure. As suspected, this is a 64K x 16 HIGH-SPEED CMOS STATIC RAM, 1 megabit of RAM addressable as 16 bit words. I can probably ignore this chip. If I can dump and restore the firmware, I probably won't need to examine the expansion RAM. The bulk flash made sense, but I'm especially surprised to find a separate RAM chip on the board. I wonder what in the design necessitated this, that the RAM built into the MCU was insufficient?
Chip 6
I can see from a mile away that this is another standard series glue logic chip. The TI logo is visible in the corner, and the text:
9CDN2LKG4
LVC04A
We only need the second line to see this is a SN74LVC04A Hex Inverter. Nothing to say about that until I trace out where the connections are going. Physically it's between Chip 6 (RAM) and ...
Chip 7
This one's interesting! With my naked eye I can really only make out the bold Samsung mark. I need good lighting and magnification to make out the text:
U930
3F80KBXZZ-QZ8B
K3HTHRN
This is as best as I can tell a S3F80KB 8-BIT CMOS MICROCONTROLLER, a secondary MCU‽ The plot thickens. Traces definitely must be found. What does this connect to, vs. the ARM MCU? Thankfully not terribly fine pitch, so again something I can work with. This is located towards the top, near the screen, is it related to that? There's also an obvious 8MHz resonator right next to it. Now I know why; I was surprised to see it before, when I saw what clearly seemed to be an SMD 24MHz crystal next to the main ARM MCU.
Interesting Bits
Near chip 7 are J8 and J6, two unpopulated 2x3 0.1" connectors. Near chip 1 is a metal tube, this is a tilt ball switch; the remote will (optionally) light up its display when moved.
Next Steps
I've got lots of things to do. An extra reason I wanted to order an extra remote to hack on is the firmware. All the ones I actively use are already in use, and I had to upgrade the firmware to be able to use them. I'm hoping to dump any contents of any flash memory on the device before ever plugging it in for real. There's a (mini) USB connector on the device (J1, near the bottom left of the close up view) for hooking up to a computer. I'd like to be able to compare the pre/post upgrade contents of the raw flash, plus make sure to monitor and log every possible (network, USB) interaction when upgrading the device. If I manage to do anything useful, it will almost definitely mean putting an alternate firmware together.
Figuring out where J6 and J8 go may prove enlightening/useful. Also the unlabeled exposed pads down by the batteries. There can't be much under the battery sticker, but some silkscreen markings are half covered at the edges, so perhaps something. Examining the other side of the board may be important as well, but these are tasks for another day!
2016-03-05 11:13 - Making
Just under twelve years ago, I bought a Braun 7505 electric razor. I like this thing. I've needed to replace the blades several times, of course, but overall it's worked very well over time without any issue. Except the batteries. One of my favorite features was the batteries, meaning it need be plugged in only to charge, not to use. But the batteries didn't last. I finally decided to see if I could do something about it.
At first I found only one relevant page online: How to change the batteries in a Braun 7505 Synchro Shaver. It complained of a bad similar explanation on eHow (which I've not read), which referenced a manual without any instructions. So I found the Braun SyncroPro Manual and indeed, it has no instructions to describe replacing the batteries. But the Korean Syncro Manual does have these instructions, on page seven.
I've reproduced that image on the right. It's got unrelated English text on the page, but it's a nice visual description of the necessary steps. I found that prying the outermost cap (step 2) works best by grabbing the inner edge of the opening for the plug. I couldn't (confidently) get something around the edge like pictured without damaging it. Once that cap is off, the sides come off easily by hand, and some T9 torx screws hold the back on. With that removed the power board comes right out, it's held in place only by the structure just disassembled.
The original batteries have tabs welded on, which are soldered into the circuit board. (Maybe Korean models aren't welded in, thus the instructions in their manual?) I popped the tabs off by prying with a knife, which damaged them only slightly. With some replacement (NiMH) batteries in hand, I cleaned their terminals and heavily tinned them with solder, then set them next to the tinned tabs, then heated the whole lot until the solder melted together again. The original batteries were also stuck down with adhesive; some hot glue took that place with my replacements.
After reassembly, I've finally got a cordless electric razor again! I delayed this repair so long, it will actually be hard to get used to.
2016-02-29 13:46 - Gaming
I've been greatly enjoying playing the video game Fallout 4. One of the options available is to build a settlement, with a plethora of customization options. I'm deep enough in that I decided to invest the time and effort.
Here's a wide shot of the big, square, flat settlement. It's now got a wall built all the way around. The main gate is in the southeast corner, surrounded by turrets for defense.
Directly inside the main gate is the bazaar, with a general store and clothing store, a clinic, and a weapons and armor dealer. Pass through that and turn around to see the farm, and scavenger stations, in the northeast corner. Hidden from view up on the wall are beds for the dealers and the farmers, near their work stations.
Here's a close-up of the farmers at work, as well as a shot of the northwest gate, which is seldom used and less well guarded. You can also see, from this vantage point, my house.
My house floats magically on a cushion of air. The stairs don't technically connect, on purpose. I can easily walk up and down, but the riff-raff NPCs don't know how to deal with the gap, so they stay out.
Visible from my front door is the bazaar by the main gate, as well as my collection of power armor along the south wall. Currently eleven suits strong, though they're not all complete yet.
Visible inside is my magazine rack, plus my large Nuka-Cola collection.
Inside my house, main level, counter clockwise: Magazines, Nuka-Cola, chemistry station, armor and weapon workbenches, Bobble-head display, and three storage units for power armor, other armor, and clothing respectively. The clothing dresser has a collection of model robots displayed on top. Only the bed goes upstairs.
Finally, take note: residence at the drive-in requires adherence to a strict formal wear dress code.
2016-02-04 20:32 - Gaming
I've spent the vast majority of my free time since Thanksgiving, save some time traveling, on my PS4 playing MGS5. Last night I finished hitting 100% completion in game, and tonight I finished creating and then destroying a nuke, for the final trophy in the game to also earn the "earned all trophies" trophy. Two hundred and twenty seven hours played. I enjoyed this one quite a lot.
2015-12-28 18:16 - General
Helping my mom replace the bathroom sink. The lifter for the drain went, so the plumbing needed to come undone, so she wanted to replace the old rising sink, so we ended up getting a new top with integrated one piece sink.
It's not 100% done but it looks nice.
2015-11-01 22:22 - General
A short while back something made me wonder what a Rolex really costs. It's a lot. But despite not wanting to spend thousands, I was still left with a hankering for a different wristwatch. Long story short, now I've got a collection. Today I had to fix them all thanks to daylight savings, so I decided it was a decent time to take a picture.
Left to right: a Casio with a camera built in, a Casio which can record voice memos, a Highgear with thermometer and barometer built in (I wore this before the one I regularly wore before this collection exploded), a Casio calculator watch, a Nike with several workout-tracking features, and a really big display, a TI ez430 programmable, a Seiko (a very old gift) analog quartz, a Seiko UC-2000 (an awesome vintage dot-matrix watch with external keyboard for note taking), the Citizen Skyhawk (solar powered, no winding, no batteries!) I wore just before building this collection, and a Casio AW80D.
And there's what ended up being a few purely mechanical watches still in the slow-boat mail from India. But I'm done buying watches now, I swear. Except a couple quirky ones I'm watching on eBay, but only if they stay cheap, I swear!
2015-10-25 11:45 - Making
I ordered a DSO 138 kit recently, and it arrived yesterday. Much of my evening was consumed with assembling it. This is a simple digital oscilloscope with a 2.4" LCD display, and only a 200kHz bandwidth. That's too low to be of much use, but I have an audio range (only up to 20kHz!) task to put it towards, and it was only $20.
The cheap kit I got came with lots of small parts, and basically none of them labeled, so it took a few hours to put everything together. That went mostly without issue, besides being tiring to lean over the work for that long. Once it was together, it didn't work! Oh no! I stopped for dinner and long story short a few hours later I realized the issue: I used my "proper" electronics power supply, with current limiting. This saves electronics from blowing up if there's problems, by not providing enough power to cause damage. I still had it set too low, so it wasn't providing enough power for correct operation! A twist of the right knob made it all work, and showed that there were no shorts anywhere: current draw stopped at right around the expected value.
All that's left is a bit of the calibration procedure. I just need to find a tiny screwdriver small enough to fit into the tiny adjustable capacitors, the round little green things near the top left of the final picture, between the display and the switches. I got rid of my cheap "jewelers screwdrivers" set when I got a much better iFixit set of drivers, but this is at least the second time that I've found it doesn't have the right thing. When it's the right size they're great drivers, but it's only got one flat head, too wide for this purpose.
Other than that, a nice way to spend a long afternoon!
2015-08-08 18:00 - Making
My past two posts have hinted at the project that I've just "finished" (final notes on that towards the end). It was the confluence of a few things. Besides, of course, generally enjoying my recent work in electronics projects, first I wanted to try a new microcontroller. I've used Arduino, and designed projects directly around the ATMega microcontroller it's based on. While it's great within its sweet spot, there's very little room to grow past its maximum limits (32 kB flash, 2 kB ram, 23 GPIO pins, 20MHz). Its maker, Atmel, has some bigger chips, but if you're going to switch from the Arduino world, why not go far afield? I picked the STM32 line, which has one especially nice feature: hardware supported interactive step-through debugging.
But I needed a practical project to apply it to. When I discovered the "IV-22" VFD (vacuum fluorescent display), I had it picked: a clock. Not a super complicated project, but I've had fun with it, and I'll end up with a curious looking thing to leave on my desk at work. These tubes are unusual in their shape and look, which I like.
Here's the PCB I designed for this project. It's the biggest I've ever had made, but much of that space is taken up to hold the tubes across the top and little else. There's lots of surface-mount parts covering the rest of the front of the board. Step one is to apply solder paste to attach them. I laser cut a stencil out of plastic, and squeegeed the paste over it with an old credit card. If you look closely, you can see a few spots I missed, like the far pads of chip U5 near the middle. These were touched up by applying a bit more paste with a toothpick. There were only a small handful of these errors.
Solder paste is quite a bit like toothpaste, except it's toxic and grey. It's just sticky enough that the parts can simply be placed onto it, and they stay put where they need to be. The first picture shows after this step is completed. A good set of tweezers helps you lift each of the parts (some being very tiny!) into place correctly. The picture on the right is after the soldering process, which in this case just meant putting the whole thing in a skillet on the stove. Look closely again at U5 and you can see that the spots I needed to touch up by hand leave just a bit of solder residue scattered around, but otherwise everything is tight and clean, looking quite professional. After this was a lot of work to solder in the rest of the through hole components one by one.
Finally, here it is turned on and working. It's very difficult to photograph. On screen the digits look washed out, but in person they're clear and easy to read.
It's not truly done yet though. The plastic stand is not the right shape to both support it and also not be placed in the middle of something else, so that needs tweaking. I currently can't fit the power cord into the jack with the legs installed. I'm also only mostly done with the software part of it. While the new STM32 chip is much more powerful, with lots of great features, it's also very hard to work with. Documentation is often dense and difficult to comprehend clearly. I've worked through several little things where I felt stuck for a while, then after several tries and several returns to the internet to discover new information, finally I figure it out. Right now I'm stuck on getting the time data to work from the battery backup while power is disconnected. I should be able to do this, and I think it should be easy. But it's not. It will take time to figure out the secret detail that I don't quite know yet.
