|  Author | Topic: Success putting flash into product id mode! (Read 4,343 times) |
tlr
Wizard's Apprentice
member is offline
![[homepage]](http://s1.images.proboards.com/buttons/www_sm.gif)
Joined: Nov 2005
Posts: 844
Location: Stockholm/Sweden
|  | Success putting flash into product id mode!
« Thread Started on Dec 4, 2005, 4:17pm » | |
The routine below will sucessfully read the Product identification registers on the flash.
Note that the flash goes into Product Id read mode during this, so everything from flash will look weird during the operation, including the charset data. This is why it flickers a bit.
After: $1100=$1f (=Atmel), $1101=$c2 (=AT49BV/LV16xT), $1102=$08 (=AT49BV/LV16xT)
I just map in the first 16Kb of the flash to $4000-$8000 by using the segment mapper. Writing to that area will result in write accesses to the flash.
This confirms that it is indeed possible to write to the flash in DTV V2.
Code:1000 78 SEI
1001 32 88 SAC #$88
1003 A9 51 LDA #$51
1005 32 DD SAC #$DD
1007 A9 00 LDA #$00
1009 32 00 SAC #$00
100B A9 AA LDA #$AA
100D 8D AA 4A STA $4AAA
1010 A9 55 LDA #$55
1012 8D 54 55 STA $5554
1015 A9 90 LDA #$90
1017 8D AA 4A STA $4AAA
101A AD 00 40 LDA $4000
101D 8D 00 11 STA $1100
1020 AD 02 40 LDA $4002
1023 8D 01 11 STA $1101
1026 AD 06 40 LDA $4006
1029 8D 02 11 STA $1102
102C A9 F0 LDA #$F0
102E 8D 00 40 STA $4000
1031 32 88 SAC #$88
1033 A9 55 LDA #$55
1035 32 DD SAC #$DD
1037 A9 01 LDA #$01
1039 32 00 SAC #$00
103B 58 CLI
103C 60 RTS
|
|
| |
|
graham
Newbie
member is offline
Joined: Dec 2005
Posts: 18
| | Re: Success putting flash into product id mode!
« Reply #1 on Dec 4, 2005, 5:40pm » | |
This is great news. But be careful, don't bust your DTV 
| |
|
David Murray
Moderator
member is offline
![[avatar]](http://galaxy22.dyndns.org/david-avatar.jpg)
Joined: Dec 2004
Gender: Male 
Posts: 1,563
Location: Kennedale, TX
| | Re: Success putting flash into product id mode!
« Reply #2 on Dec 4, 2005, 8:12pm » | |
For us stupid folks like me, can you explain the significance of what product ID mode is?
| |
|
suschman
Newbie
member is offline
Joined: Nov 2005
Posts: 41
| | Re: Success putting flash into product id mode!
« Reply #3 on Dec 5, 2005, 3:00am » | |
Hi
Product ID Mode is a state you you can put a flash rom into which lets you read some information bytes out who tell the manufacturer and a specific device id code to identify the used flash chip. The procedure is similar to enabling write acces to a flash and so a first step towards this .
Greets
| |
|
Roland
Full Member
member is offline
![[avatar]](http://www.forum64.de/wbb2/images/avatars/avatar-1014.gif)
Joined: Oct 2005
Posts: 192
| | Re: Success putting flash into product id mode!
« Reply #4 on Dec 5, 2005, 3:53am » | |
Quote:The routine below will sucessfully read the Product identification registers on the flash.
Note that the flash goes into Product Id read mode during this, so everything from flash will look weird during the operation, including the charset data. This is why it flickers a bit.
After: $1100=$1f (=Atmel), $1101=$c2 (=AT49BV/LV16xT), $1102=$08 (=AT49BV/LV16xT)
I just map in the first 16Kb of the flash to $4000-$8000 by using the segment mapper. Writing to that area will result in write accesses to the flash.
This confirms that it is indeed possible to write to the flash in DTV V2.
Code:1000 78 SEI
1001 32 88 SAC #$88
1003 A9 51 LDA #$51
1005 32 DD SAC #$DD
1007 A9 00 LDA #$00
1009 32 00 SAC #$00
100B A9 AA LDA #$AA
100D 8D AA 4A STA $4AAA
1010 A9 55 LDA #$55
1012 8D 54 55 STA $5554
1015 A9 90 LDA #$90
1017 8D AA 4A STA $4AAA
101A AD 00 40 LDA $4000
101D 8D 00 11 STA $1100
1020 AD 02 40 LDA $4002
1023 8D 01 11 STA $1101
1026 AD 06 40 LDA $4006
1029 8D 02 11 STA $1102
102C A9 F0 LDA #$F0
102E 8D 00 40 STA $4000
1031 32 88 SAC #$88
1033 A9 55 LDA #$55
1035 32 DD SAC #$DD
1037 A9 01 LDA #$01
1039 32 00 SAC #$00
103B 58 CLI
103C 60 RTS
|
|
|
|
Hi Daniel,
ok..I think I understand most of that code...
(mapping $4000-$7fff to the first 16k of the ROM, reading some bytes and store them at $1100...
but what's the meaning of those writings into the ROM
(those lda#aa sta $4aaa.....)
| |
|
mboehmer
Newbie
member is offline
Joined: Dec 2005
Posts: 16
| | Re: Success putting flash into product id mode!
« Reply #5 on Dec 5, 2005, 4:23am » | |
Quote:| but what's the meaning of those writings into the ROM (those lda#aa sta $4aaa.....) |
|
Please read the datasheet of the 49BV161 (http://www.atmel.com/dyn/resources/prod_documents/doc1427.pdf).
FlashROMs have "modes": reading from it is like one would do from any linear memory, writing needs some more stuff (so called "commands"), as well as clearing the memory or switching it to the id mode.
I would be careful about writing to the FlashROM - we still don't know the differences between 47 and 49 chips...
Michael
| |
|
suschman
Newbie
member is offline
Joined: Nov 2005
Posts: 41
| | Re: Success putting flash into product id mode!
« Reply #6 on Dec 5, 2005, 6:23am » | |
For my turn, i try to get some at49bv162 which suceedes the droped 161 type for a replacement of the chip. I sure dont know if the at47 is writeable or not, itīs just strange to manufacture a device which identifies itself with the wrong id (at47 label, at49 id code) what draws the codes useless at all. Digikey has the chips for 3,30$ but i need to find a suplier more local to me .
Greets
| |
|
x1541
Newbie
member is offline
![[avatar]](http://www.forum64.de/wbb3/wcf/images/avatars/avatar-321.gif)
Joined: Nov 2005
Gender: Male
Posts: 36
| | Re: Success putting flash into product id mode!
« Reply #7 on Dec 5, 2005, 11:08am » | |
Quote:
This confirms that it is indeed possible to write to the flash in DTV V2.
|
|
Sort of, yes. You can write to the registers of the chip, but you didn't show that it is indeed possible to use the erase or write commands of the chip. Two things can happen here:
- the AT47 series is OTP and cannot be written to at all
- the chip is write protected and you need a password to unlock the write and erase commands.
I think it is safe to try writes to the "empty" banks of the chip, as long as you don't issue the "erase chip" command. Writing to an (empty) bank or erasing such a bank after a write will not do any harm to data in other banks.
I say this from my experience with AT29Cxxx series chips (sector based) and AM29Fxxx (byte/bank based like AT49 series). Who doesn't know about it, I build flash chip programmers for Commodore PET, VIC-20 and disk drives: www.x1541.de
BTW, almost forgot: CONGRATULATIONS, good job!
| |
|
tufty
Newbie
member is offline
Joined: Dec 2005
Posts: 20
| | Re: Success putting flash into product id mode!
« Reply #8 on Dec 5, 2005, 12:45pm » | |
Quote:
Quote:
This confirms that it is indeed possible to write to the flash in DTV V2.
|
|
Sort of, yes. You can write to the registers of the chip, but you didn't show that it is indeed possible to use the erase or write commands of the chip. Two things can happen here:
- the AT47 series is OTP and cannot be written to at all
- the chip is write protected and you need a password to unlock the write and erase commands. |
|
Assuming that the 47 is not otp, according to the datasheets it should be simple enough to tell if the chip (or sectors of it) have been locked. If it is locked, then what happens next is a factor of exactly what chip it is - for the 49 series lockdowns are overridable either by a straight reset or by setting the reset pin to 12v depending on chip (check 49BV161 vs 49BV1614, both of which look to give the same chip identifier...
The v2 schematic indicates a 49BV1614, which would imply a need for 12v for lockdown overrides, but I'm not sure how accurate that is.
Still, yeah. Good work.
I'll have my DTVs in a couple of days, I hope, and I'll be up for some fairly heavy hacking on them. Got them super cheap, so I'm not scared of 'bricking' one by accident.
Simon
| |
|
tlr
Wizard's Apprentice
member is offline
Joined: Nov 2005
Posts: 844
Location: Stockholm/Sweden
| | Re: Success putting flash into product id mode!
« Reply #9 on Dec 5, 2005, 1:14pm » | |
Hi all,
Yes I agree that it might not be possible to actually store data into the flash. Technically what I ment is that I can make write accesses to the flash, and it responds. We have two way communication.
As Michael pointed out in a mail this could be an OTP version.
If it is really OTP, writing zero-bits will probably be possible, but not writing one-bits (i.e erase commands).
There is no mention on the Atmel page about any OTP versions. There is however on the flash-FAQ page a mention of a "secure" version which can be ordered by contacting the sales department. This "secure" version can have selected sectors permanently locked from writing. If the latter is the case here, I doubt that the sectors are locked. They just wanted the cheapest part in stock.
I have posted a Technical question on the Atmel page and sent a mail to a couple of friends in the cell-phone buisiness, also I know Michael has sent out some questions on this.
Hopefully we will know soon...
@Roland, Michael is correct, the strange STAs are the activation sequence.
The address listed in the datasheet are word addresses (bits A0 and up) when running the flash in byte-mode there is an additional address bit below (A-1) which is not used for the activation sequences.
Thus if the flash is mapped to $4000, the address to be used is the one in the data sheet times 2 + $4000.
i.e
Enter Product Id Mode: $aa -> $555, $55 -> $aaa, $90 -> $555 becomes $aa -> $4aaa, $55 -> $5554, $90 -> $4aaa.
| |
|
tufty
Newbie
member is offline
Joined: Dec 2005
Posts: 20
| | Re: Success putting flash into product id mode!
« Reply #10 on Dec 5, 2005, 2:54pm » | |
Quote:Hi all,
There is no mention on the Atmel page about any OTP versions. There is however on the flash-FAQ page a mention of a "secure" version which can be ordered by contacting the sales department. This "secure" version can have selected sectors permanently locked from writing. If the latter is the case here, I doubt that the sectors are locked. They just wanted the cheapest part in stock.
|
|
I think you're probably right. Still, the way to check is mapped out in the chip documentation: put the chip into product identification mode, and read address $0002 - if bit 0 of the result is set, then the sector is locked using sector lockdown. Clearing it then requires knowledge of the actual chip, and more or less messing about - either lockdown is cleared at reset, in which case you need to get in before the reset code (not easy) or it requires 12v on the reset pin, also not terribly easy.
Any chance of modding your program to do that read for the sectors on the chip and letting us know what the results are? you're way ahead of me - my DTVs won't be with me until Wednesday night at the latest.
I'm not sure where the protection register comes into all this, if at all. It seems to just be a serial number storage area, if I'm reading the docs correctly.
Simon
| |
|
tlr
Wizard's Apprentice
member is offline
Joined: Nov 2005
Posts: 844
Location: Stockholm/Sweden
| | Re: Success putting flash into product id mode!
« Reply #11 on Dec 5, 2005, 3:18pm » | |
Quote:
Quote:Hi all,
There is no mention on the Atmel page about any OTP versions. There is however on the flash-FAQ page a mention of a "secure" version which can be ordered by contacting the sales department. This "secure" version can have selected sectors permanently locked from writing. If the latter is the case here, I doubt that the sectors are locked. They just wanted the cheapest part in stock.
|
|
I think you're probably right. Still, the way to check is mapped out in the chip documentation: put the chip into product identification mode, and read address $0002 - if bit 0 of the result is set, then the sector is locked using sector lockdown. Clearing it then requires knowledge of the actual chip, and more or less messing about - either lockdown is cleared at reset, in which case you need to get in before the reset code (not easy) or it requires 12v on the reset pin, also not terribly easy.
Any chance of modding your program to do that read for the sectors on the chip and letting us know what the results are? you're way ahead of me - my DTVs won't be with me until Wednesday night at the latest. |
|
I read it yesterday from sector 0, and it is 00, so that sector is not locked. Also I was under the impression that sector lockdown is a software mode to protect against inadvertent writes. If one sector is locked it will stay locked until power-cycle or hard reset. I didn't read the docs that carefully on that part though, so correct me if I'm wrong.
What I do know for certain though, is that the boot procedure in kernal ROM does not write to flash at all! If sector lockdown is indeed a software mode, it will not be activated.
Quote:| I'm not sure where the protection register comes into all this, if at all. It seems to just be a serial number storage area, if I'm reading the docs correctly. |
|
The protection register A/B is just storage. A is preprogrammed from factory, and cannot be changed. B can be user programmed and optionally locked for all eternity. I read the status of it on my unit. The B register It is not locked.
| |
|
tufty
Newbie
member is offline
Joined: Dec 2005
Posts: 20
| | Re: Success putting flash into product id mode!
« Reply #12 on Dec 5, 2005, 3:56pm » | |
Quote:
I read it yesterday from sector 0, and it is 00, so that sector is not locked. |
|
Woo-Hah! That is exceptionally good news. Next step is to try actually writing to a sector that's not in use, I guess. Atmel do have some flash-writing example C code on their site, I found it linked from the same place as the datasheets. It's not really terribly difficult conceptually, and should be relatively easy to convert to asm.
Quote:Also I was under the impression that sector lockdown is a software mode to protect against inadvertent writes. If one sector is locked it will stay locked until power-cycle or hard reset.
|
|
Yep. Depending on the chip, it seems - the 16x4 series seem to require 12v on the reset line to override, and I think the lockout persists between resets, although the datasheet seems ambiguous on that. Still, if nothing is locked...
Simon
| |
|
tlr
Wizard's Apprentice
member is offline
Joined: Nov 2005
Posts: 844
Location: Stockholm/Sweden
| | Re: Success putting flash into product id mode!
« Reply #13 on Dec 5, 2005, 4:19pm » | |
Quote:
Quote:
I read it yesterday from sector 0, and it is 00, so that sector is not locked. |
|
Woo-Hah! That is exceptionally good news. Next step is to try actually writing to a sector that's not in use, I guess. Atmel do have some flash-writing example C code on their site, I found it linked from the same place as the datasheets. It's not really terribly difficult conceptually, and should be relatively easy to convert to asm. |
|
I'm not scared of flash writing code, I've done several boot loaders with flash ability at work. 
I would like to hold trying it before I get a better hint on what differs between AT49 and AT47 though.
Better analyzer coming up.
So far:
ID ($00,$01,$03) : 1F C2 08
PROTECT LOCK ($80) : FE
PROTECT REG A ($81): FF0300FF
PROTECT REG B ($85): FFFFFFFF
Quote:
Quote:Also I was under the impression that sector lockdown is a software mode to protect against inadvertent writes. If one sector is locked it will stay locked until power-cycle or hard reset.
|
|
Yep. Depending on the chip, it seems - the 16x4 series seem to require 12v on the reset line to override, and I think the lockout persists between resets, although the datasheet seems ambiguous on that. Still, if nothing is locked... |
|
Ah, this could be the difference then. I wonder if ,in one of the "secure" flashes, the inability to write it would show in offset $02?
| |
|
dw
New Member
member is offline
Joined: Nov 2005
Posts: 3
| | Re: Success putting flash into product id mode!
« Reply #14 on Dec 8, 2005, 2:06pm » | |
Quote:The routine below will sucessfully read the Product identification registers on the flash.
Note that the flash goes into Product Id read mode during this, so everything from flash will look weird during the operation, including the charset data. This is why it flickers a bit.
After: $1100=$1f (=Atmel), $1101=$c2 (=AT49BV/LV16xT), $1102=$08 (=AT49BV/LV16xT)
I just map in the first 16Kb of the flash to $4000-$8000 by using the segment mapper. Writing to that area will result in write accesses to the flash.
This confirms that it is indeed possible to write to the flash in DTV V2.
Code:1000 78 SEI
1001 32 88 SAC #$88
1003 A9 51 LDA #$51
1005 32 DD SAC #$DD
1007 A9 00 LDA #$00
1009 32 00 SAC #$00
100B A9 AA LDA #$AA
100D 8D AA 4A STA $4AAA
1010 A9 55 LDA #$55
1012 8D 54 55 STA $5554
1015 A9 90 LDA #$90
1017 8D AA 4A STA $4AAA
101A AD 00 40 LDA $4000
101D 8D 00 11 STA $1100
1020 AD 02 40 LDA $4002
1023 8D 01 11 STA $1101
1026 AD 06 40 LDA $4006
1029 8D 02 11 STA $1102
102C A9 F0 LDA #$F0
102E 8D 00 40 STA $4000
1031 32 88 SAC #$88
1033 A9 55 LDA #$55
1035 32 DD SAC #$DD
1037 A9 01 LDA #$01
1039 32 00 SAC #$00
103B 58 CLI
103C 60 RTS
|
|
|
|
Hi there
Thought I'd drop a quick note on this subject. I wrote the flasher we used during the development of the PAL DTV.
The prototype used a diffferent kind of flash chips though: 4 x Winbond 29c040 (256-byte sectors, 512KB per chip). The Atmel used on the production units has 64KB sectors, except for the first or last 64k, depending on wether the part # ends on T (top) or B (bottom).
The principle is exactly the same though... unlock the flash chip with a 'magic' write sequence, issue an erase sector command, unlock again, issue a write command, write sector, wait for the chip to finish, verify, repeat till done (the winbond chips didn't need the erase sector part).
One suggestion though, and you probably already know this but just in case: copy your charset to ram and use it from ram. You really don't want the asic reading char/bitmap/etc data from the flash while you're trying to write to it.
We were led to believe all the production units would have flash, but I truly have no idea if the AT47 series is OTP or not. Best bet would be to try to write to one of the small unused 8K sectors at the end of the chip (SA38/39, $1fc000/1fe000, assuming a 'T' chip) and see what happens.
I wish I had a production unit to tinker with
If it does prove to be OTP, there's some interesting stuff in the reset routine that could be the next best thing to flashing your DTV.. I'm surprised nobody has noticed that
-Adrian
| |
| |
|
![[Home]](http://s1.images.proboards.com/menu/home.gif)
![[Help]](http://s1.images.proboards.com/menu/help.gif)
![[Search]](http://s1.images.proboards.com/menu/search.gif)
![[Login]](http://s1.images.proboards.com/menu/login.gif)
![[Register]](http://s1.images.proboards.com/menu/register.gif)
![[Search This Thread]](http://s1.images.proboards.com/search2.gif)
![[Send Topic To Friend]](http://s1.images.proboards.com/buttons/sendtopic.gif)
![[Print]](http://s1.images.proboards.com/buttons/print.gif)
Logged