Hack: Reading an EEPROM from a Nokia 5110

 Intro

I found an old Nokia 5110 mobile phone from way back in the day (1998?). Decided it was time to take it apart, and in the process get me a nice LCD screen to play around with. I’ve found them on Ebay for like $3, but it seemed a little cooler to reuse an LCD from an actual phone.

While taking it apart however, I found a little gem of a microchip, an AT24C16 16KB EEPROM:

I’ve seen many cool hacks of people taking apart commercial devices and extracting information from them. I’ve used EEPROM’s before, so decided to try and recover the data from this one, more for a little practice in the process, rather then wanting to extract any real data from it.

Given this phones popularity, i was able to pretty quickly find a schematic and service guide for the phone, and a datasheet for the AT24C16 chip. The chip is a 8x2KB (16KB) I2C bus chip. This basically means that the data is organised into 8 pages of 2KB of data, and the information is read and written using the I2C protocol.

Removing the Chip, and making it Usable

First things first, get the chip de-soldered from the board, and get it into a form i can use. The chip is a SOP-8 chip, so can be pretty tricky to work with. Though, i have recently taught myself SMD soldering using the ‘Simon’ kit from Sparkfun, so felt ready to take on the challenge.

I used a bit of solder wick to remove as much solder as possible, and then the chip could be then just gently pried off using a small screwdriver. With the chip free of the board, i then soldered in back onto a SOP-DIP converter board (Another ebay cheapie). This allowed for a easy way to interface the chip using a breadboard only.

Accessing Data with the Bus Pirate

An interesting difference here between this chip and other EEPROM’s i’ve used before. The I2C address is used to select which page to read the data from. This is an interesting design consideration, as it means the A0, A1, & A2 address select lines cannot be used, and only on 16K chip can be used on the bus at one time. Data can be retrieved using this procedure outlined in the datasheet:

Basically, write to the I2c address (0xA1-0xAF, odd numbers only), and the byte you wish to read (0x00-0xFF). Then send a read request. I’ve also listed out the addresses to use to get to each page of the EEPROM

PageRead AddressWrite Address
00xA10xA0
10xA30xA2
20xA50xA4
30xA70xA6
40xA90xA8
50xAB0xAA
60xAD0xAC
70xAF0xAE
Addresses for reading/writing to each page of 32 bytes.

With all the theory done, it was time to hook up the EEPROM to my Bus Pirate, and start read some data! Notice in the below picture the two pullup resistors. The Bus Pirate has the ability to use internal pullup resistors, but where possible, i like to use my own. I’ve used 4.7k resistors here, same as what are used in the Nokia 5110 schematic.

Connections

Rather then drawing a circuit diagram, I’ll just list out the networks attached to the 24C16

  1. GND
  2. GND
  3. GND
  4. GND
  5. MOSI on the Bus Pirate, and a 4.7K resistor to +5V
  6. CLK on the Buspirate, and a 4.7K resistor to +5V
  7. WP to +5V (to inhibit writing to the EEPROM)
  8. +5V

The +5V and GND from the Bus Pirate to the power rails on my breadboard.

Using the Bus Pirate

Minicom in linux has been used to access the Bus Pirate, but any terminal can be used really. The settings for a bus pirate are 115000, 8-N-1, No hardware flow control (This stopped it working with my version of the bus pirate).

First, setup the I2C parameters. I’m using the Bus Pirate to provide power, so the power supply also needs to be turned on.

HiZ>m
   4. I2C
(1)>4
 Set speed:
   3. ~100KHz
(1)>3
 Ready
I2C>W
 Power supplies ON

Now scan the bus I2C. You can see the addresses returned match the address listed in the earlier table.

I2C>(1)
  Searching I2C address space. Found devices at:
  0xA0(0x50 W) 0xA1(0x50 R) 0xA2(0x51 W) 0xA3(0x51 R) 0xA4(0x52 W) 0xA5(0x52 R) 
  0xA6(0x53 W) 0xA7(0x53 R) 0xA8(0x54 W) 0xA9(0x54 R) 0xAA(0x55 W) 0xAB(0x55 R) 
  0xAC(0x56 W) 0xAD(0x56 R) 0xAE(0x57 W) 0xAF(0x57 R)

Now all that is left is to read some data!

** Read 4 bytes from Page 1, 0x00
I2C>[0xA0 0x00] [0xA1 rrrr]
  I2C START BIT
  WRITE: 0xA0 ACK 
  WRITE: 0x00 ACK 
  I2C STOP BIT
  I2C START BIT
  WRITE: 0xA1 ACK 
  READ: 0x61 
  READ:  ACK 0x73 
  READ:  ACK 0xCA 
  READ:  ACK 0x82 
  NACK
  I2C STOP BIT

** Read 2 bytes from Page 4, 0x55
I2C>[0xa6 0x55] [0xa7 rr]
  I2C START BIT
  WRITE: 0xA6 ACK 
  WRITE: 0x55 ACK 
  I2C STOP BIT
  I2C START BIT
  WRITE: 0xA7 ACK 
  READ: 0x3C 
  READ:  ACK 0x19 
  NACK
  I2C STOP BIT

Conclusion

Turned out to be all pretty easy stuff actually! I’m going to follow this through with a Project to read all the data from the EEPROM and dump it to a file. USB enabled of course. And after that, maybe try and access one of those flash chips as well (When my wire wrap cable arrives.) Stay tuned!

 

 

Leave a Reply