I found an old Nokia 5110 mobile phone from way back in the day (1998?). Decided it was time to take it apart, and in the process get me a nice LCD screen to play around with. I’ve found them on eBay for like $3, but it seemed a little cooler to reuse an LCD from an actual phone.
While taking it apart however, I found a little gem of a microchip, an AT24C16 16KB EEPROM:
I’ve seen many cool hacks of people taking apart commercial devices and extracting information from them. I’ve used EEPROMs before, so I decided to try to recover the data from this one, more for a little practice in the process than from wanting to extract any real data from it.
Given this phone’s popularity, I was able to pretty quickly find a schematic and service guide for the phone, and a datasheet for the AT24C16 chip. The chip is an 8x2KB (16KB) I2C bus chip. This basically means that the data is organised into 8 pages of 2KB of data, and the information is read and written using the I2C protocol.
Removing the Chip, and making it Usable
First things first, get the chip de-soldered from the board, and get it into a form I can use. The chip is a SOP-8 chip, so it can be pretty tricky to work with. However, I have recently taught myself SMD soldering using the ‘Simon’ kit from Sparkfun, so I felt ready to take on the challenge.
I used a bit of solder wick to remove as much solder as possible, and then the chip could be gently pried off using a small screwdriver. With the chip free of the board, I then soldered it back onto a SOP-DIP converter board (another eBay cheapie). This allowed for an easy way to interface with the chip using only a breadboard.
Accessing Data with the Bus Pirate
There is an interesting difference between this chip and other EEPROMs I’ve used before: the I2C address is used to select which page to read the data from. This is an interesting design consideration, as it means the A0, A1, & A2 address select lines cannot be used, and only one 16K chip can be used on the bus at one time. Data can be retrieved using this procedure outlined in the datasheet:
Basically, write to the I2C address (0xA1-0xAF, odd numbers only), and the byte you wish to read (0x00-0xFF). Then send a read request. I’ve also listed out the addresses to use to get to each page of the EEPROM.
|Page||Read Address||Write Address|
With all the theory done, it was time to hook up the EEPROM to my Bus Pirate, and start reading some data! Notice in the below picture the two pullup resistors. The Bus Pirate has the ability to use internal pullup resistors, but where possible, I like to use my own. I’ve used 4.7k resistors here, the same as those used in the Nokia 5110 schematic.
Rather than drawing a circuit diagram, I’ll just list out the networks attached to the 24C16:
- MOSI on the Bus Pirate, and a 4.7K resistor to +5V
- CLK on the Bus Pirate, and a 4.7K resistor to +5V
- WP to +5V (to inhibit writing to the EEPROM)
The +5V and GND from the Bus Pirate to the power rails on my breadboard.
Using the Bus Pirate
I used Minicom on Linux to access the Bus Pirate, but really any terminal can be used. The settings for a Bus Pirate are 115000, 8-N-1, no hardware flow control (having it enabled stopped it working with my version of the Bus Pirate).
First, set up the I2C parameters. I’m using the Bus Pirate to provide power, so the power supply also needs to be turned on.
```
HiZ>m
4. I2C
(1)>4
Set speed:
3. ~100KHz
(1)>3
Ready
I2C>W
Power supplies ON
```
Now scan the I2C bus. You can see the addresses returned match the addresses listed in the earlier table.
```
I2C>(1)
Searching I2C address space. Found devices at:
0xA0(0x50 W) 0xA1(0x50 R) 0xA2(0x51 W) 0xA3(0x51 R) 0xA4(0x52 W) 0xA5(0x52 R) 0xA6(0x53 W) 0xA7(0x53 R) 0xA8(0x54 W) 0xA9(0x54 R) 0xAA(0x55 W) 0xAB(0x55 R) 0xAC(0x56 W) 0xAD(0x56 R) 0xAE(0x57 W) 0xAF(0x57 R)
```
Now all that is left is to read some data!
```
** Read 4 bytes from Page 1, 0x00
I2C>[0xA0 0x00] [0xA1 rrrr]
I2C START BIT
WRITE: 0xA0 ACK
WRITE: 0x00 ACK
I2C STOP BIT
I2C START BIT
WRITE: 0xA1 ACK
READ: 0x61
READ: ACK 0x73
READ: ACK 0xCA
READ: ACK 0x82
NACK
I2C STOP BIT

** Read 2 bytes from Page 4, 0x55
I2C>[0xa6 0x55] [0xa7 rr]
I2C START BIT
WRITE: 0xA6 ACK
WRITE: 0x55 ACK
I2C STOP BIT
I2C START BIT
WRITE: 0xA7 ACK
READ: 0x3C
READ: ACK 0x19
NACK
I2C STOP BIT
```
Turned out to be all pretty easy stuff actually! I’m going to follow this through with a project to read all the data from the EEPROM and dump it to a file. USB enabled of course. And after that, maybe try and access one of those flash chips as well (when my wire wrap cable arrives). Stay tuned!
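The page-select addressing and the read transcript above, turned into Python as an added example (not the author's code): it builds the Bus Pirate read line for any page and offset, plans a page-by-page dump, and parses the terminal output back into bytes. The function names, the 16-byte chunk size and the assumption that the terminal output has the same shape as the transcript above are mine; other firmware versions may print reads differently.

```python
import re

PAGES = 8        # pages 1-8, selected through the I2C address byte (numbered as in the post)
PAGE_SIZE = 256  # one offset byte per page, 0x00-0xFF

def page_addresses(page):
    """Return (write_address, read_address) for a 1-based page number."""
    if not 1 <= page <= PAGES:
        raise ValueError("page must be 1-%d" % PAGES)
    write = 0xA0 | ((page - 1) << 1)   # page select sits in bits 3..1
    return write, write | 1            # bit 0 set = read

def read_command(page, offset, count):
    """Bus Pirate line that sets the offset pointer, then reads count bytes."""
    # Stay inside one page so the result never depends on address rollover.
    if count < 1 or offset < 0 or offset + count > PAGE_SIZE:
        raise ValueError("read must stay inside one page")
    write, read = page_addresses(page)
    return "[0x%02X 0x%02X] [0x%02X %s]" % (write, offset, read, "r" * count)

def dump_plan(chunk=16):
    """One read command per chunk, covering every page in order."""
    return [read_command(p, off, chunk)
            for p in range(1, PAGES + 1)
            for off in range(0, PAGE_SIZE, chunk)]

WRITE_RE = re.compile(r"WRITE:\s*0x([0-9A-Fa-f]{2})\s+(N?ACK)")
READ_RE = re.compile(r"READ:\s*(?:ACK\s+)?0x([0-9A-Fa-f]{2})")

def parse_transcript(text):
    """Extract the bytes read; fail if an address or offset byte was NACKed."""
    for value, status in WRITE_RE.findall(text):
        if status != "ACK":
            raise RuntimeError("write of 0x%s was not acknowledged" % value)
    return bytes(int(v, 16) for v in READ_RE.findall(text))

# Output of the post's first read (page 1, offset 0x00, 4 bytes).
SAMPLE = ("I2C START BIT WRITE: 0xA0 ACK WRITE: 0x00 ACK I2C STOP BIT "
          "I2C START BIT WRITE: 0xA1 ACK READ: 0x61 READ: ACK 0x73 "
          "READ: ACK 0xCA READ: ACK 0x82 NACK I2C STOP BIT")

if __name__ == "__main__":
    print(read_command(1, 0x00, 4))
    print(parse_transcript(SAMPLE).hex())
```

Checking the write acknowledgements before trusting the data matters when dumping: a NACKed address byte means the chip did not respond, and whatever the bus returns afterwards is not EEPROM content.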