shaun20120
Posts: 2
Joined: Wed Jul 25, 2018 8:58 am

i2c-tools with custom EEPROM

Wed Jul 25, 2018 9:22 am

Hello,

I have a little bit of an issue playing around for my engineer essay.
I am using a Raspberry as an interface to communicate with a custom chip - I am using i2c-tools (i2cdetect, i2cget and i2cset).
The chip - I call it custom because I have no idea about the manufacturer and model (the chip itself is covered with black liquid so it is impossible to recognize it). I have found out which pins are responsible for communication (so I have found Vcc, GND, SDA and SCL). Using i2cdetect I have found out that the address of the chip is 0x73.

I wanted to read something from the chip using i2cdump but the data are changing all the time and every readout looks different:

Code:

No size specified (using byte-data access)
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f    0123456789abcdef
00: XX 00 XX 00 00 XX 00 XX XX 00 XX XX 00 XX XX XX    X.X..X.XX.XX.XXX
10: XX 00 00 XX 00 00 XX XX XX 00 00 XX XX XX XX 00    X..X..XXX..XXXX.
20: XX XX 00 XX XX 00 00 XX XX 00 XX XX XX 00 00 XX    XX.XX..XX.XXX..X
30: 00 00 00 00 XX XX 00 XX 00 00 00 00 XX 00 XX 00    ....XX.X....X.X.
40: 00 00 XX 00 00 XX XX XX 00 00 00 XX XX XX XX 00    ..X..XXX...XXXX.
50: XX XX 00 00 XX XX XX XX 00 00 XX 00 XX XX XX 00    XX..XXXX..X.XXX.
60: XX 00 00 00 XX XX XX XX 00 XX XX XX 00 XX XX XX    X...XXXX.XXX.XXX
70: 00 00 00 00 XX 00 XX 00 00 XX 00 XX XX XX XX XX    ....X.X..X.XXXXX
80: 00 XX XX XX 00 XX 00 XX 00 00 XX 00 00 XX XX XX    .XXX.X.X..X..XXX
90: 00 00 00 XX 00 XX XX XX XX 00 00 XX XX XX XX 00    ...X.XXXX..XXXX.
a0: XX 00 00 XX 00 00 XX XX XX 00 00 XX XX XX 00 XX    X..X..XXX..XXX.X
b0: XX 00 00 XX XX XX 00 XX XX XX 00 XX XX XX XX 00    X..XXX.XXX.XXXX.
c0: XX XX XX XX XX 00 00 00 XX 00 00 00 XX XX 00 XX    XXXXX...X...XX.X
d0: XX XX XX XX XX XX XX XX 00 XX XX XX 00 XX XX 00    XXXXXXXX.XXX.XX.
e0: XX XX XX XX XX XX XX XX 00 XX XX XX 00 XX XX XX    XXXXXXXX.XXX.XXX
f0: 00 00 XX XX 00 XX 00 00 00 00 XX XX 00 XX 00 00    ..XX.X....XX.X..

Code:

No size specified (using byte-data access)
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f    0123456789abcdef
00: XX 00 00 XX XX 00 00 XX XX XX XX XX XX XX XX XX    X..XX..XXXXXXXXX
10: 00 00 XX XX XX XX XX XX XX XX XX XX XX 00 00 XX    ..XXXXXXXXXXX..X
20: XX XX 00 XX 00 XX XX 00 XX XX XX 00 XX XX XX XX    XX.X.XX.XXX.XXXX
30: XX XX XX XX XX XX 00 XX XX 00 XX 00 00 00 XX XX    XXXXXX.XX.X...XX
40: 00 XX XX XX XX XX XX XX XX 00 00 XX XX 00 XX 00    .XXXXXXXX..XX.X.
50: XX 00 XX 00 XX XX XX 00 XX XX XX 00 00 00 XX XX    X.X.XXX.XXX...XX
60: XX XX XX XX XX XX XX XX 00 00 XX XX 00 XX XX 00    XXXXXXXX..XX.XX.
70: 00 00 XX 00 XX XX XX 00 XX 00 XX XX XX 00 00 XX    ..X.XXX.X.XXX..X
80: XX XX XX 00 00 XX XX XX XX 00 XX XX XX XX XX XX    XXX..XXXX.XXXXXX
90: 00 XX 00 XX 00 XX 00 00 XX XX XX XX XX XX XX XX    .X.X.X..XXXXXXXX
a0: 00 XX XX 00 XX 00 XX 00 00 XX XX XX XX XX XX XX    .XX.X.X..XXXXXXX
b0: XX XX XX 00 XX 00 XX XX XX XX XX XX XX 00 00 XX    XXX.X.XXXXXXX..X
c0: 00 XX 00 XX XX XX XX 00 00 00 XX XX 00 00 XX 00    .X.XXXX...XX..X.
d0: 00 XX XX XX XX XX XX XX XX XX XX 00 XX 00 00 XX    .XXXXXXXXXX.X..X
e0: XX XX 00 XX XX XX XX 00 00 XX XX 00 XX XX XX 00    XX.XXXX..XX.XXX.
f0: 00 XX 00 XX 00 XX XX XX XX 00 XX 00 XX 00 XX XX    .X.X.XXXX.X.X.XX

I also have some kind of a sniffer on Arduino. So I emulated the same address (0x73) and connected to the machine which is using this chip. I see that there must be some authentication to unlock the chip for reading, because every time the machine is sending the following messages to the chip:

Code:

- --MESSAGE---
CC
B9
--END MESSAGE--
Request
- --MESSAGE---
E5
87
D4
D5
B2
76
--END MESSAGE--
Request
- --MESSAGE---
FE
8B
--END MESSAGE--
Request
- --MESSAGE---
17
75
25
F0
49
1A
--END MESSAGE--
Request
- --MESSAGE---
30
45
--END MESSAGE--
Request
- --MESSAGE---
49
2B
7A
29
DE
5
--END MESSAGE--
Request
- --MESSAGE---
62
17
--END MESSAGE--
Request
- --MESSAGE---
7B
19
4F
0
E3
B6
--END MESSAGE--
Request
- --MESSAGE---
94
E1
--END MESSAGE--
Request
- --MESSAGE---
AD
CF
98
8D
C0
E
--END MESSAGE--
Request

Maybe a little bit of an explanation of how the sniffer works. It displays all messages (packets) that come to the address that we are connected as (0x73).
For example, if the sniffer has address 0x73 and we send the following command:

Code:

i2cget -y 1 0x73 0xff

we will get an answer like this:

Code:

- --MESSAGE---
FF
--END MESSAGE--
Request

And when we send:

Code:

i2cset -y 1 0x73 0xff 0x01 0x02 0x03

we get:

Code:

- --MESSAGE---
FF
1
2
3
--END MESSAGE--

So if there is a request coming from the machine, the sniffer shows "Request".
If there is something to set we can see it because the first byte is an address of memory to set and the rest are data to set.

Now how is it possible that the machine is sending data to set and a request at once?

Code:

- --MESSAGE---
E5
87
D4
D5
B2
76
--END MESSAGE--
Request

I am trying to unlock this chip to reset its value and/or change it. I don't have enough experience and that is the issue, but I learn fast. I also cannot find any more information about this case on the internet.

Any help or thoughts? Maybe there is something that I do wrong and I don't have idea about this?

The Traveler
Posts: 360
Joined: Sat Oct 21, 2017 3:48 pm

Re: i2c-tools with custom EEPROM

Wed Jul 25, 2018 1:03 pm

I see that there must be some authentication to unlock the chip for reading. I am trying to unlock this chip to reset its value and/or change it
If you find an authentication routine, it's there for a reason. To deter people from cracking it.
Retired IT professional, C programmer and "beardie weirdie".
RPi interests: Developing an Infinite Improbability Drive
“Thinking outside of the box allows you to get rewards outside of your reach.” Matshona Dhliwayo

shaun20120
Posts: 2
Joined: Wed Jul 25, 2018 8:58 am

Re: i2c-tools with custom EEPROM

Thu Jul 26, 2018 7:30 am

It is not really cracking. I have to read some data from the chip to interact with my multimedia system, which is the main part of my essay. The teacher said that it is possible but I have to do a lot of research.

The stranger thing (for me) is why there is a block of data to be written and at the end there is a request. I mean this result:

Code:

- --MESSAGE---
E5
87
D4
D5
B2
76
--END MESSAGE--
Request

As I understand from this, the machine wants to write to cell address 0xE5 with a block of data: 0x87 0xD4 0xD5 0xB2 0x76. The question is why there is a Request. It looks like it would like to read, but when you read data there is only the memory address without any data, like this:

Code:

- --MESSAGE---
E5
--END MESSAGE--
Request

When the chip is writing to the memory and reads back to get some feedback it should look like this:

Code:

- --MESSAGE---
E5
87
D4
D5
B2
76
--END MESSAGE--
- --MESSAGE---
E5
--END MESSAGE--
Request

The machine is writing data and then it is checking if the value is changed.

The topic is very interesting and thank you very much for your answer. I really appreciate this because you sacrifice your time.
It is a fun process as I learn a lot during my essay and nothing is impossible :D :D
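
The sniffer output discussed in this thread can be grouped into bus transactions to compare the patterns side by side. The following is an added example, not code from any poster: it assumes the log format shown above, uses a constructed sample built from the thread's own messages, and the function names and labels are hypothetical. It shows that a multi-byte message followed by "Request" has the same structure as the i2cget case (bytes written, then a read), only with more than one byte sent before the read.

```python
# Constructed sample in the output format of the sniffer from the thread.
SAMPLE_LOG = "\n".join([
    "- --MESSAGE---", "FF", "--END MESSAGE--", "Request",
    "- --MESSAGE---", "FF", "1", "2", "3", "--END MESSAGE--",
    "- --MESSAGE---", "E5", "87", "D4", "D5", "B2", "76",
    "--END MESSAGE--", "Request",
])


def parse_sniffer_log(text):
    """Return a list of (bytes_written, read_followed) tuples."""
    transactions = []      # each entry: [payload bytes, read_followed flag]
    current = None         # byte values of the message being collected
    after_message = False  # True only directly after an END MESSAGE marker
    for raw in text.splitlines():
        line = raw.strip()
        if line == "--END MESSAGE--":
            transactions.append([bytes(current or []), False])
            current, after_message = None, True
        elif line.endswith("--MESSAGE---"):
            current, after_message = [], False
        elif line == "Request":
            if after_message:
                transactions[-1][1] = True        # read follows that write
            else:
                transactions.append([b"", True])  # read with no write before
            after_message = False
        elif line and current is not None:
            current.append(int(line, 16))  # sniffer prints "5" for 0x05
    return [tuple(t) for t in transactions]


def classify(written, read_followed):
    """Hypothetical labels for the patterns discussed in the thread."""
    if not read_followed:
        return "write"            # pattern produced by i2cset
    if len(written) == 0:
        return "bare read"
    if len(written) == 1:
        return "register read"    # pattern produced by i2cget
    return "write-then-read"      # payload sent, then a reply is fetched


if __name__ == "__main__":
    for written, read_followed in parse_sniffer_log(SAMPLE_LOG):
        print(written.hex(" "), "->", classify(written, read_followed))
```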
