Go Down

Topic: Reading mystery Memory (Read 791 times) previous topic - next topic


I am still trying to reverse engineer that mystery cartridge. I did have xrays taken, but unfortunately there wasn't enough detail to see any device markings. However, the cell structure itself looked like a normal memory, so I am assuming that it is just a normal flash memory.

I hooked it up to the logic analyzer again and did a few raw captures to check my logic for what I think the pin functions are for. When I was certain that I found the chip select line, I triggered on that. I see one line that appears to operate like a clock, but it is not always regular. It could be an OE line. Then there are four lines which appear to be data. Looking through my various captures, the pin that I label D0 is the only pin that toggles when CS is not active. I *think* this means it is likely a serial data input coming from the microcontroller.

I am attaching a screenshot of the logic analyzer output for what appears to be one cycle. I am hoping that someone can look at it and help me figure out how to start reading it. The thing that is really got me is that there are only 7 clock pulses in the cycle.

I set some cursors on what looks like important points. If my pin functions are correct, I am seeing that the data lines are being set 100ns before the clock is pulsed high. This would indicate to me that this cycle was likely created by the CPU and not the memory.

Any sharp members out there able to look at this and figure out exactly how it works? The data that I would expect to be encoded on here is sound and motor movement information. There are 3 motors in the product. If that information is useful.


Here is a larger view with more than one cycle in it. I notice the bursts of what appears to be the clock and I also notice that during some times, the data is set up before the clock, and other times it lines up with the rising edge of the clock. I should point out that this thing has on-board flash and the cartridge and all the lines are shared except those lines I labeled as CS lines (U7 and U8.) So some of the data is coming for accesses to the on-board flash. I am filtering it by looking at when the U7 CS line goes low. Notice that when it goes high, the data lines always return to high.


I am still trying to reverse engineer that mystery cartridge.

Mystery indeed.
Capacitor Expert By Day, Enginerd by night.  ||  Personal Blog: www.baldengineer.com  || Electronics Tutorials for Beginners:  www.addohms.com


I am making some progress on this finally. I have narrowed it down to two options:

It is either a winbond serial flash eeprom with an odd interface or Quad-SPI (also called QPI)
So I started digging into as many datasheets as I could find and I am pretty convinced that it is a QPI memory. I came to this conclusion by comparing timing diagrams. With QPI, most commands have at least 4 bytes. Since I doubt that any writing functions are being done, I can focus on the read functions. A read function starts with one byte for a command and 3 bytes for an address. There is a burst mode, which is most likely what is used here and that makes it a bit more difficult to get a good capture (aside from the fact that 4 different memories are being talked to.) Once I get the data pins right, though, I can trigger on the set burst (0xC0) and read burst (0C) command.

As noted in the first screenshot I posted, there is one line data line that will toggle while all others do not. I suspect this is because QPI starts up in SPI mode (and can actually stay in that mode.) My assumption is that this is the Data In pin and the CPU is setting up the memory for Quad-SPI.

Anyway, once I am 100% confident that this is Quad-SPI, I should be able to gain control of the memory using only the SPI interface. Success will be measured by reading out the JEDEC ID code for the device.

Go Up