Monday, December 8, 2014

Listening to the SPI bus of a Flash Memory IC

It's time for another update on my attempt to reverse engineer the protocol used by a toy that plays animal sounds.  To bring yourself up to speed I suggest reading the couple of posts I've done on this topic.


The goal is to figure out how the data is stored in flash memory and then replace it with my own audio, so far I've had no luck.  I had one last hope of figuring out how everything worked, and that was to get a logic analyser and listen on the SPI bus.  I thought if I could see what memory was accessed and when it was accessed I might be able to gain some insight into the operation of the device.  So that's what I did, but unfortunately things didn't work out.

Anyway, I'll still document how things went.  The first step is to solder some wires onto the signals of interest and bring them all out to a row of header pins to connect to the logic analyser.  To listen to the SPI bus we need MISO, MOSI, SCLK, CS, GND, and to see the audio I connected a a line to one of the speaker terminals as well.

Circuit Board
Probing the Flash memory
I hooked everything up, set the logic analyser to trigger when it sees data, and then swiped a card.  Success, it recorded all the data lines and decoded the data transmitted on the SPI bus.  Everything seemed to be going well until I realised that the amount of data transmitted was nowhere near what I expected, and the decoded data was just gibberish.  You should be able to see structured requests for data on the MOSI line, but all I was getting was random bytes.  It was then I did something I should have done a week ago, I probed the clock line of the flash memory.

Oscilloscope Display
Clock Signal
Facepalm.  My logic analyser only runs at 24 MHz, but the clock signal is 33 Mhz.  From what I've been able to gather, the operational frequency of the logic analyser should be 4 times the frequency you are trying to decode.  In this case that would be 132 Mhz.  I'm wayyyyyy off.  (Note: the sine wave above is expected.  The bandwidth of the scope is only 60 MHz, so only the fundamental frequency is making it's way through. The higher frequency components of the square clock signal have been filtered out.)  This means that unfortunately the logic analyser won't be able to help me.

It was also noted that the device requests data from the memory in bursts.

Oscilloscope Display
Burst of Clock Signal
I was able to see some activity on the MISO and MOSI signals

Oscilloscope Display
MISO Signal

Oscilloscope Display
MOSI Signal
I probed the speaker to see how it operated.  As expected it's just a PWM signal. It has a period of 15 uS and the drive signal is at most on for 2 uS, a duty cycle of 0.13.

Oscilloscope Display
Speaker PWM Signal
So that's pretty much it for me on this one.  To make things more interesting, it's been recently announced that there are an extra 72 cards that play sounds in addition to the original 108.  So we are now at 180 sounds, each one approximately 4 seconds long.  720 seconds of sound in 16 Mib of memory is not easy.  That equates to a data rate of 23.3 kb/s, so there has to be some sort of compression.  I'm assuming it's ADPCM not mp3,  I searched the binary data for mp3 frame headers and found nothing.  That's great I think I know the format of the data, but the ADPCM format isn't well defined, and there are hundreds of different possible algorithms.

Another possible lead I've been following is the software from a company called Nuvoton.  The Voice Prompt Editor for their chipcorder series of ICs may be able to program and read the memory, but it needs a password for installation.  I'm not saying they are the manufacturer of the chip, but it's worth a shot.  I'd really love to know if someone has more luck than me with this problem.  So, get to it internet.

For your convenience, here is the dump of binary data from the flash memory.

Although I didn't succeed in decoding the data in the memory, I used an EEPROM programmer and a logic analyser for the first time and learnt some of the pros and cons of each device.  I definitely want a higher speed logic analyser though.  Santa ,cough cough. :-)

No comments:

Post a Comment