The sensor I disassembled was not operative and I was not able to retrieve the EEPROM and Flash contents using John McMaster's driver, but as I had already open the devide I desoldered the devices and read them using a TL866 memory reader.
It was a surprise to discover that the EEPROM had the serial number erased. This is a known issue on these sensors and some users claim it is caused by a bug in the Cypress SDK.
As shown in the following image the serial number area (highlighted in red) is blank:
Other interesting areas in the EEPROM are the ones highlighted in orange/yellow, that match the description in Cypress EZ-USB Technical Reference Manual, where 0xC0 indicates that the EPPROM contains the VID/PID/DID to be used for USB enumeration, and the 0x01 configures the I2C bus to operate at 400KHz.
After the USB/I2C configuration follow two 32-bit integers (note that ALL the multi-byte data is stored in little-endian format) that are incremented with every capture of the sensor (using forced capture in John's driver both counters increment by one unit, but I do not have any operative sensor, so I don't know what happens if the sensor triggers by normal operation or which is the difference between the two counters).
As shown in the image only 80 bytes of the 8KBytes memory are used.
It is posible to fix the serial number in EEPROM by dumping the EEPROM contents using John's driver "dump-dev.py --eeprom". Once you have the binary file open it using an hexadecimal editor and enter the serial number starting at address 0x40 (red area above). The serial number has a CRC that can be calculated using this CRC-calculation page:
Select CRC-CITT first. Then change the fields highlighted in red as shown in the image. Enter the serial number in decimal format and press "compute!". You'll get the CRC (highlighted in blue in the example above) in hexadecimal format.
The serial number CRC needs to be written in the EEPROM as shown in the image below (note the zeroes that also need to be added highlighted in blue). The CRC need to be 4 hexadecimal digits, so complete with leading zeroes if required:
Obviously, to be able to fix the serial number you need to know it. The serial number value can be retrieved from the USB cable sticker that also holds the reference and manufacturing date:
Or, if the cable doesn't have the sticker the serial number can also be retrieved from the Flash image that can be dumped using John's driver "dump-dev.py --flash" (serial number highlighted in green in the image):
As can be seen only 532 bytes of the 16MBytes Flash are used!
Ii is interesting to note that after the signature (boxed in red) the Flash contains two 32-bit integers holding the sensor resolution (1346x1850 for Gendex Size 2 sensors and 1346x1700 for Dexis ones).
The Flash also contains a manufacturing date matching the cable one, and several version numbers (maybe of the FPGA firmware components).
Although the resolution stored in EEPROM is different it looks like both Gendex and Dexis use the same hardware, with the same physical CMOS sensor.
No hay comentarios:
Publicar un comentario