I have a new this. This is a cheap and cheerful voice recorder module. It's based around a CPU in a blob. This is probably a ubiquitous 8051 clone. It may be a particular kind of 8051 called an AC1082, which is why I originally got this. And this is its storage, which is a small flash chip. What this will do is it will record a voice clip using the built-in microphone here and play it back on demand. I will demonstrate. Testing one, two, three. Let's try that a bit closer to the microphone. Sound quality leaves a great deal to be desired. Now, the reason I got this is because some of these AC1082-based devices actually store their programs on the flash chip, which means they can be reprogrammed. And the AC1082 has a whole bunch of CPU extensions that make programming for the 8051 considerably better. This unfortunately probably isn't one, but I thought it would be interesting, since I have a spare device of no particular value, to try and dump that flash chip and see what there is that's on it. Almost certainly nothing particular of interest. I mean just the audio data encoded in some peculiar way. But I have never actually managed to dump one of these little flash chips before, so this could be entertaining. So before I actually get out the EPROM programmer, a quick tour of some of the components. This is the heart of the thing. It's a blob processor. What this is is a silicon chip glued directly to the PCB and then covered with black epoxy to protect it. It's the cheapest way of deploying chips on a board. They're a real bane to reverse engineer because of course there's no labels and none of the pins are accessible. It is possible to etch off the epoxy to expose the chip, but the chip usually doesn't survive this process. This is the flash storage chip. It's an XT25F16B. It's a two megabyte device. It speaks SPI, so there's a serial input output protocol to the processor. It's a pretty capable device. They are incredibly cheap and, as you can see, tiny.
We have here a bunch of passives to do with connecting up various external devices. The red wires here are the record enable button, so that if I press the button attached to that it will start recording, and then again to make it stop. These two black wires are for the playback button, and these can also be replaced with a light sensor. This allows you to hide one of these things inside like a gift box so that when you open the lid it plays back the pre-recorded message. There's a number of interesting looking test pads that I need to investigate. One of them is probably for status LED. That might be this thing here labeled 0R. We'll have to do some experimentation there. This silver thing here is the microphone, and three button cells to actually power the thing. It doesn't use a lot of battery and in standby mode it appears to use practically none. So here I have my trusty mini laptop set up with the EPROM programmer plugged into it and we are going to connect it up to the flash chip here. Now, full disclaimer: I've tried this before so I know it doesn't work, but let's just walk through it anyway. So the first thing you need is an adapter to allow you to connect the EPROM programmer, which of course takes DIP-style EPROMs, to the flash chip here. That's done using this test clip, so we plug this in like so, and then the test clip is supposed to clip on to the EPROM. Let's get it lined up properly, more or less like... it's not right... like so, and it should be now possible to just read it directly. Pin 1 is lined up properly, so we just tell the mini pro software to read and it immediately fails to detect the chip. All these SPI ROMs have the same command set and pinout, so that should have worked. Now one possibility is that because it's actually connected up to the CPU, which is running, then that is interfering with the read process, so let us make it not run by removing one of these batteries, like so.
Now try that again and you see we now get a different result, but it still has failed to detect the chip. Just adjust that a bit. So the problem here now could be that because this is now connected to the CPU it's failing to talk to the flash chip properly, that is, the CPU is interfering with the communications. That is possible because the EPROM programmer is going to be trying to power the flash chip, and since that's connected to the CPU then it may be trying to power the CPU as well. However, I know that people have done this with these boards before, so I suspect that that's not the problem. Instead what I think is happening is that this clip is not making good contact with the flash chip, so what I'm going to do is try and solder some actual pins onto that to give better contact. So here I've got a couple of these four-way header things. These use the standard tenth of an inch spacing. You may be able to notice if you look hard that the pin spacing on the flash chip does not match the pin spacing on the header pins, so we're going to have to do a bit of work here. That one wasn't so bad, and once more, so hopefully that will be all the soldering, and it was pretty janky but it does seem to have worked. I don't know whether they've made proper contact yet but it's worth a try. So now I need to put the soldering iron away, get out the laptop again and hook it up and see if we can read it. So here it is wired up, hopefully correctly. No batteries in, so moment of truth time. Nope, hasn't found anything. Does it want the batteries in it? Nothing. I didn't wire up that last pin, the one that is connected to ground. Maybe it does need that, because that was duplicated elsewhere. That one's a little bit bent. Let's try that one goes to here, but still nothing. Curses. I don't want to be too rough with it or these badly bodged solder joints will just come right off. There we go. Gone on and nothing.
Well, I was hoping, but so either my solder joints haven't made contact, which is entirely plausible (it looks okay, I have to admit), or there's something weird about this flash chip. So I do have a backup plan B, so let us head that way. So this is plan B, which is my 8 channel signal analyzer. So I've wired it up, hopefully correctly, and what I'm going to do is hit the run button, set the number of samples rather bigger, hit the run button, then tell this to play and see what we get out. So good, that was 15 million samples, so let's zoom out. Right, we got some stuff, so the data channels here match the pins in the data sheet. So pin one is chip select. You can see here the chip select line is being asserted and de-asserted during the run. Pin two is data output; that looks like data. Three and four are unused. Four is not connected. Four is power. So three is write protect. So yes, unused. I'm going to notice that one does seem to be brought out to a test pad. I'm not sure why. Five is data in. Six is the clock and seven is hold. That also looks like it's unused and that's the one that's tied to high. So let's turn off the ones we don't want, which is zero, three, four and seven. Let's get rid of the UART decoder I was using the last time I did anything with this. We're zoomed in way too far to actually make out anything in the data, but let's try and add a decoder. Nope, not that one, this one: SPI flash. Okay, so now I need to associate channels. So we decided that D2 was data out. That's MISO. Chip select is D1. Clock I believe was... oh yeah, we have the pinout here. Clock was on D6 and MOSI, master out slave in, is pin five. Okay, so now it's decoding what it saw, so we zoom in a bit. So this is just noise which we think we can ignore; whether it will upset the rest of the decode I'm not sure. We are looking here at individual bits. Some of these look like it's just completely failed to decode anything. I've been a little bit suspicious about this signal analyzer, to be honest.
We seem to be getting an awful lot of write disable commands. So on playback I would expect it to be transferring lots of data from the device to the processor. So let's just try that again, but I'll give it a little bit more time before pressing the button. So here when it's zoomed in you can see D6 is the clock. These do not look like sane clock pulses to me, to be honest. I would expect that to be more of a square wave. Do I need to crank up the rate? That's why it's so confused. It's glitchy data. So you can see this is supposed to be, as far as I can tell, a single clock pulse, unless this thing is running really quick. The flash chip can operate up to I think 120 megahertz, but I doubt very much whether the blob processor in here can do that. Let's just crank it up one more time. This may not actually even work. Yeah, it's not working. It's just refusing to sample. So what do we got near the beginning of this thing? Yeah, you can see that the bursts of noise, each one of these is supposed to be a nice square clock pulse, but the signal analyzer is failing to actually, you know, analyze. That is annoying. This is the second time I've had problems with this signal analyzer. I suspect it may just be junk and I should ditch it and get something just more expensive. Now I do have a plan C. Plan C is to use my oscilloscope; however, plan C is rather harder to show on camera due to the fact the oscilloscope screen is here and I have yet to figure out how to get it to do... how to do screen recording on it. So much like the contents of the casserole currently in my oven, the plot is thickening. I have hooked my oscilloscope up, which is this horrible tangle of wires, and got out an old cell phone to record the screen with so that you can see what it's doing. Now it turns out that this oscilloscope actually has some protocol decoders, which took me ages to find, which include SPI.
I'm not convinced it's actually doing terribly well with this, for a reason I will show you, but I can press the single capture button and then go on the device and this is what we get. Now these four traces: the top one is chip select. This one is clock, and this is MISO, master in slave out, and this one is MOSI, master out slave in. I think I might have those backwards. I doubt it. Actually tracing the wires in this tangle is a pain. Now remember that when I had the signal analyzer hooked up there was a big patch of noise at the beginning of the capture that I dismissed as garbage. I don't think it is. If we zoom in and let me find the beginning of the trace, and this way the knobs turn in not exactly the most obvious direction, because it might be better if I wasn't using my left hand for this; if I use my right hand I bump the phone. Okay, so here you can see, uh, chip select gets asserted and then we get these little bursts of eight clock pulses, so what it appears to be doing is talking to the flash chip rapidly at a high clock rate.
I think I can actually persuade this to measure that for me. So if I select channel two... no wait, the clock is channel four, which is blue, which is already selected. So I press the frequency button; it then measures the frequency of this trace at about eight megahertz. That is pretty quick, but this allows it to send a bunch of bytes to the flash chip and then get back a response. So these are the bytes that are showing up. They're in ASCII. Um, let's see if I can configure this, so decode format from ASCII to hex. There we go. And to get rid of this I think I click... yep. Uh, this is still new. I am somewhat struggling to come to terms with it, but it's, uh, so far it seems to be pretty awesome. So we can see bytes going to the flash chip, and then do we get a response? Well, I think I might need to back up a little. I think it's having trouble decoding if it can't see the beginning of the trace, which is not terribly helpful, but we can clearly see here data going out, data coming back, so it's talking to the chip. So rather than all that stuff being noise, we do actually seem to be seeing correct communication, uh, in the signal analyzer. But then if we zoom out, we then get very short pulses on the clock at wide intervals. Let me try and home in on one. So, oh, oh, I haven't done this yet. Um, right, what this is doing is it's reading a byte. That's what it's doing. Right, so almost certainly what the flash chip is doing when it's playing back is it's talking... flash chip... what the processor, that is this blob here, is doing when it's talking to the flash chip is it sets up various communications, it looks to see if there's anything on the flash chip, then it sets up a byte read transaction, which basically it'll just return bytes until further notice, and then whenever it wants a byte all it does is it toggles the clock eight times. It gets back a byte, in this case it's hex nine one, and then there's a long pause before it requests the next byte. This is because the bytes it reads are going to be fed into the audio
decoder, and the audio decoder is going to consume bytes quite slowly compared to the microcontroller. Good. Right, what this has taught us is that the communications on this thing make sense. So I think the next thing I want to do is to try and use the, uh, the EPROM programmer to look at the flash chip and at the same time record what's coming out to see what's going on. I actually have a suspicion: I think that the flash chip here is holding the chip select line de-asserted, that is, high. That will let me zoom all the way out. So high means off, and I think it's providing more power to keep it high than the EPROM reader is supplying to lower it; therefore the flash chip is never waking up and this thing is never seeing any data. So the next step is to get out the laptop again and plug in the EPROM programmer. All right, let's see how this works. Now, the first thing is to just do another capture, just to show that the lines are all actually still hooked up properly. So now we run the mini pro's detector and nothing happens. Interesting. Right, the capture level is not right, so if I adjust this, adjust the trigger... okay, got something. So what are we seeing? Great, I can't reach the controls without either blocking something with an arm, either camera... Well, you can see the chip select is at the top, not looking very feeble. It's being lowered by the EPROM programmer but not very much. At the same time the EPROM programmer is lowering the clock and MISO, so I think I was right and the EPROM programmer is failing to assert chip select hard enough to make the chip wake up, because the microcontroller here basically has its finger on that particular control line. Okay, so next let's remove one of the batteries to turn this thing off. Okay, so now nothing happens, so let's do that again. So capture. Okay, come on. So that's actually made the signal go up. This is now in dead slow mode; you can see it tracing the signal. So clearly with the battery removed I think we have the opposite problem, in that
the lines are not floating high properly. That is probably because I haven't hooked up the VCC line on this, because it's trying to power the... yeah, it's trying to power the flash chip from the EPROM programmer but I haven't given it a power line, so let's just do that. Okay, now power is VCC, which is pin 8, so that's pin 8 here and same pin here, like so. Don't think anything happened on your oscilloscope. Now let's try that again, and that's still not doing it. Right, sometimes if you put a battery back in you see that goes high, and then when we try to actually do a... to try to do anything, it glitches down a bit. So that is at zero volts, so if we poke it, it goes up to about five volts for a moment, which is wrong. In order to activate the chip you have to bring chip select down. It's possible that it's trying to raise it and then lower it again, but I also have no idea what voltage the programmer is set to. I can change that, actually, the VCC, so it's... we want VDD equals five, so voltage VDD equals five. Let's try this, like this. Right, that's done the same thing. So try 3.3. No. Okay, so I'm going to guess that there's something wrong with the way that the EPROM programmer is interacting with the blob chip. Now there's a solution, and this is to cut the chip select line between the flash chip and the blob. This will render the device non-functional, so I will have to have a hunt around for a solution to that and also identify the various traces on the board. The casserole, by the way, is chestnut and Brussels sprout. Okay, so having unplugged the various things, this one is... let me just double check the data sheet... pin one is chip select, that's this one here, and unfortunately you may just be able to see, but there's a row of minuscule tracks here that is where the flash chip pins connect to the device, so I've got no chance of doing anything with that. However, some of these test pads look interesting, so let's actually remove... I can find my pusher thing... the battery and turn
the thing off. It doesn't have a switch. There we go. All right, and now let's do some continuity testing to see whether the chip select is brought out anywhere useful. So there's a pin, er, here, a test pad here just under the blob. Nope. This one? Nope. This one? Well, that's helpful. Great. Um, just thinking about what I can do. One option is to remove the chip completely from the board and then solder these things back on and use that to connect the chip back to the board to actually make it work, which I think is going to be my best option. This is going to involve more skill than I really have, and I'm going to have to get the hot air gun out. I'm also a little bit concerned by the... this goop here, which is, um... there's the focus gone... that's a bit better... which is hot glue, because applying heat here is going to melt the hot glue and it may even, like, boil. Look, can... does hot glue catch fire? But I think that's my only real option. I could probably cut these, but trying to reconnect them again afterwards is going to be impossible. Yeah, let's try taking the chip off. Well, I have eaten my casserole, which was very nice if a little enthusiastic, and got the hot air gun out, so let's have a go at this. So power on, you probably hear it, wait for it to heat up. I am very bad with the hot air gun. I've had very little experience with it because it's brand new, so I don't really know how to work it. Anyway, that's it hopefully up to temperature. So I set it to 375, which may not be hot enough. I'm hoping to melt enough solder that the pin header will drop off, like so. That worked quite well. So let's try the other pin header, like so. Oh yes, indeed the hot glue has melted, you can see it there. Okay, um, I now need the... now I'm going to try and heat up the chip itself. Get that back on camera. So hopefully we should see the solder soften. Okay, it's going shiny. It's good. Let's try this side. Okay, I think it's going shiny. Yeah, okay, so... oh wow, that was easy. I was expecting that to
be a lot harder. Awesome. Um, okay, well let's shift this out of the way and pick this up again and let's just toast the legs lightly, so try and melt the solder just to get it a little bit more uniform. That looks fine. Okay, well that took much less time than I thought it was going to. Next step is back to the EPROM reader. So here we are. The EPROM reader actually came with this, which is a special adapter for reading, uh, eight-pin chips, and I'm just looking to see where pin one is. I think it's top left, though it shouldn't really matter. So what you do is you pick up a chip, just rotate it so it's the right way around (the dot indicates pin one), you press this home like this, put the chip into the reader and then let go, and it clamps down with really rather good alignment in just the right place, and then you can put the chip into the reader like so. So now let's run our probe and see what happens. It has identified what it is: it's a b4015, which is not in mini pro's database, but we should be able to tell it that it's a similar device. I think it's a PM25F16B at SOIC8. I think that's what it is. It's the same code as this, which is an XT25F16B, except by a different manufacturer. In fact it turns out that PM and XT are both the same people. So PN, not PM. Okay, so now we read it. Right, it's a different device, therefore the chip ID doesn't match. We tell it to go ahead anyway, and now it's reading. Decently quickly. Done. Okay, and what do we get? Here is the contents of the EPROM. As I thought, it is in fact complete garbage. Well, not garbage; it's encoded in some way, probably ADPCM, but as far as I know this particular format hasn't been reverse engineered. The actual device that I'm... I want to reverse engineer, that I'm practicing with this thing, stores its program on the flash chip, and it has a fixed partition layout that's quite distinctive, but this isn't it. Right, well that is how to read an eight-pin flash chip of a cheap and nasty device. Of course the
cheap and nasty device is now non-functional, so I will have to find a way to... well, I can just solder this back on, that's quite straightforward, but it would be nice to be able to take, put the device on and off in order to play with it. Now, I did manage to solder on the header pins, which are here, so it's entirely plausible that I might be able to make my own adapter. White one. So this came with the mini pro and it is indeed a SOIC adapter, but it's the other way round than the one I'm looking for. This, that little board there, will let me solder this chip onto it and put header pins on, and it basically does the same job as this, so that's not quite what I wanted now, but what I could do is