P28F010 Summary
From Wij vertrouwen stemcomputers niet
Contents |
[edit] the P28F010 flash chip programming interface
programming the 28f010 flash chip
| Command | cycles | op1 | addr1 | data1 | op2 | addr2 | data2 | ... | in rom |
|---|---|---|---|---|---|---|---|---|---|
| Read Memory | 1 | Write | X | 0x00 | |||||
| Read Intelligent Identifier Codes(4) | 3 | Write | IA | 0x90 | Read | IA | ID | ||
| Set-up Erase/Erase(5) | 2 | Write | X | 0x20 | Write | X | 0x20 | ... | 0x80 at 000187A8 |
| Erase Verify(5) | 2 | Write | EA | 0xA0 | Read | X | EVD | ... | 0xa0 at 000187C0 |
| Set-up Program/Program(6) | 2 | Write | X | 0x40 | Write | PA | PD | ... | 0x40 at 00018372, 0001880E, 00016DC0, 0001A02E |
| Program Verify(6) | 2 | Write | X | 0xC0 | Read | X | PVD | ... | 0x60 at 00018386, 00018820, 00016DD4, 0001A03E |
| Reset(7) | 2 | Write | X | 0xFF | Write | X | 0xFF |
[edit] Meaning of the address and data values:
| IA | 00 : manufacturercode |
| IA | 01 : device code |
| EA | address to read during erase verify |
| PA | address to be programmed |
| X | don't care |
| ---- | |
| ID | identifier data ( manufacturer=0x89, device=0xb4 ) |
| EVD | erase verify data |
| PD | data to be programmed |
| PVD | program verify data |
Things to note about the es3b software:
[edit] swap bits 5 and 7 !
Each flash chip on the memory module has two data bits swapped: DQ5 and DQ7. Since bytes get swapped around twice when you read any data that was first written it doesn't change things. But it does change things when you talk to the flash itself. So if you want to issue any of the above commands to the module, or read the identifier, remember to swap these two bits.
in the code you can see that a 0x60 is written for a program-verify ( for instance at 0x18820 )
and a 0x80 when an erase command is issued (at 0x187A8).
and a 0xA0 when an erase-verify command is issued (at 0x187C0)
the reader/voting slot has D7 not connected to the bus tranceiver(ic64), so the cpu always reads a '1' there. ( the bustranceiver has all datalines pulled up ) you can see this by looking at the backside of the mainboard, in the upper right corner at the top of the memory slot connector, the 3rd pin down, is D5/D7
on the mainboard D7 is D5 for the flash chip.
on the memory board this dataline is pulled down to ground, so when it is not connected to anything else,
it will always read a '0' there. preventing the 'erase' command from being executed.
This sounds wrong to me (PK). If D7 is not connected on the main board and there is a pull up resistor in the flash memory module, any writes to the memory will put a logic 0 on that signal (going into the memory module as bit D5). Reading by the MC68000 returns the state of the floating D7 line (on the main board) in bit 7 of whatever register the CPU moves the data to (unless there is some component on the motherboard that forces the D7 line to a specific state on a read from the reader/voting slot).
- itsme: there is a pullup on the d7 of ic64 ( the bus transceiver for the even bytes in the memory sot ). just this line is not connected to the memory slot.
It also implies that the contents of the D7 bits in the flash chips can not be retrieved while the cartridge is in the reader/voting slot. Is it true that bit D7 in the flash chips is never used?
- itsme: the only place where D7 is set, is at offset 0x0002, which contains 0xa1 .. 0xa4 depending on which part of the module is written.
it also explains why larger-than-a-byte numbers are stored as 7 bits per byte.
[edit] (probably) setting vpp
- prior to flashing 0x01 is written to ioaddr 0xbffff5
- after flashing a sequence 0x02, 0x03, <delay>, 0x06 is written to ioaddr 0xbffff5