Assistance identifying microprocessor/EEPROM on consumer device PCB

Thread Starter

Cyb

Joined Jul 10, 2021
4
Hey everyone.

I'm looking to potentially read out program data from a consumer espresso machine to customise its functionality (safely with a low voltage power source!). It appears to have a 64-pin microprocessor with connections to a program port (which I'm hoping will be JTAG). Unfortunately the chip has no label. Similarly there is what looks like an 8-pin EEPROM with no label. Pictures here:

Rear (microprocessor and EEPROM): https://media.discordapp.net/attachments/736306688419823637/863250001806491668/MG_8815.JPG

Front (program port):
https://media.discordapp.net/attachments/736306688419823637/862743354743062568/IMG_8790.JPG

Any clues on how to identify these parts? The pin numbering printed on the board and the program port mapping may narrow the possibilities, however I have little experience working with microprocessors in general. Happy to do the legwork if I'm pointed in the right direction. Cheers!
 

Papabravo

Joined Feb 24, 2006
21,159
The manufacturers of the espresso machine have thrown up these roadblocks on purpose, but they are only the beginning. You may be able to identify the data transfer method as either SPI or I2C. Then you have to determine the parameters of the data transfer with respect to clock timing. Last but not least you have no idea how the data is organized internally or if any translation mechanism may be involved. They could even have put the data into the EEPROM in reverse order.

The message is pretty clear - they do not want you to do what you are trying to do and they want to make it as difficult as possible. We have had a number of similar requests over the last decade and a half on this and other forums. I cannot recall hearing of a single successful attack.
 

Thread Starter

Cyb

Joined Jul 10, 2021
4
I understand that they don't want me to do it, but I'm a stubborn person. :D

At this stage I just need assistance identifying the chips. If there are any techniques I can apply I'm happy to learn.
 

Papabravo

Joined Feb 24, 2006
21,159
> I understand that they don't want me to do it, but I'm a stubborn person. :D
>
> At this stage I just need assistance identifying the chips. If there are any techniques I can apply I'm happy to learn.

The chip and the board don't care how stubborn you are and neither do I.
If you had a schematic of the board it might provide some clues for identifying the processor.
  1. Locate the pins connected to a crystal or external oscillator
  2. Locate the RESET* pin by the presence of an RC network or a supervisor chip that provides a reset signal
  3. Locate the GND pins
  4. Locate the voltage input pins
  5. Locate any voltage output pins from internal regulators.
  6. Once you identify a candidate part, get the datasheet and go through each pin to see if it is connected in a reasonable way.
For the serial EEPROM
  1. Identify the GND and VCC pins
  2. Try to determine if the part is SPI or I2C
  3. Get some datasheets for potential candidates
  4. Analyze how the rest of the pins are connected
Lastly
  1. Figure out how you are going to dump the contents.
  2. Figure out how you are going to edit and revise the contents
  3. Figure out how you are going to reprogram the contents.
So go for it!
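
The serial EEPROM steps in the post above (find GND and VCC, decide SPI or I2C, analyze the remaining pins) can be run as a scoring pass over continuity-tester observations. This is an added example, not part of the original post; the observation labels and `rank_families` are constructed for illustration, and the pinouts are the common 8-pin layouts for each family (rotated variants exist, so confirm against the candidate's datasheet).

```python
# Added example: rank 8-pin serial EEPROM families from per-pin observations.
# Common SOIC-8/DIP-8 pinouts, pins 1..8, for the three usual families.
PINOUTS = {
    "24xx I2C":       ["A0", "A1", "A2", "GND", "SDA", "SCL", "WP", "VCC"],
    "25xx SPI":       ["CS#", "SO", "WP#", "GND", "SI", "SCK", "HOLD#", "VCC"],
    "93xx Microwire": ["CS", "CLK", "DI", "DO", "GND", "ORG", "NC", "VCC"],
}

# Observation labels (constructed for this example):
#   "gnd"/"vcc" = hard-wired to a rail, "nc" = unconnected pad,
#   "mcu" = trace to the processor, "pullup" = trace to the processor
#   plus a resistor to VCC.
PLAUSIBLE = {
    "GND": {"gnd"}, "VCC": {"vcc"},
    "A0": {"gnd", "vcc", "nc"}, "A1": {"gnd", "vcc", "nc"},
    "A2": {"gnd", "vcc", "nc"},                    # address straps
    "SDA": {"pullup"}, "SCL": {"pullup"},          # open-drain bus needs pull-ups
    "WP": {"gnd", "vcc", "mcu"},
    "WP#": {"vcc", "pullup", "mcu"}, "HOLD#": {"vcc", "pullup", "mcu"},
    "CS#": {"mcu", "pullup"}, "CS": {"mcu"},
    "SO": {"mcu"}, "SI": {"mcu"}, "SCK": {"mcu"},
    "CLK": {"mcu"}, "DI": {"mcu"}, "DO": {"mcu", "pullup"},
    "ORG": {"gnd", "vcc", "nc"}, "NC": {"nc", "gnd", "vcc"},
}

def rank_families(observed):
    """observed: 8 labels for pins 1..8. Returns [(family, score)], best first."""
    if len(observed) != 8:
        raise ValueError("expected observations for exactly 8 pins")
    results = []
    for family, pins in PINOUTS.items():
        pairs = list(zip(pins, observed))
        # Power pins are a hard constraint: a mismatch rules the family out.
        if any(fn in ("GND", "VCC") and obs not in PLAUSIBLE[fn]
               for fn, obs in pairs):
            continue
        score = sum(obs in PLAUSIBLE[fn] for fn, obs in pairs)
        results.append((family, score))
    return sorted(results, key=lambda r: -r[1])

# Constructed sample: pins 1-4 and 7 grounded, 5-6 pulled up, 8 on VCC.
SAMPLE_I2C = ["gnd", "gnd", "gnd", "gnd", "pullup", "pullup", "gnd", "vcc"]
# Constructed sample: four signal lines to the MCU, pins 3 and 7 tied high.
SAMPLE_SPI = ["mcu", "mcu", "vcc", "gnd", "mcu", "mcu", "vcc", "vcc"]

if __name__ == "__main__":
    for name, sample in (("I2C-like", SAMPLE_I2C), ("SPI-like", SAMPLE_SPI)):
        print(name, rank_families(sample))
```

A top score of 8 with the next family far behind is a strong hint for which datasheets to pull; a scope or logic analyzer on the clock and data pins then confirms the bus.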
 

BobTPH

Joined Jun 5, 2013
8,812
In addition to everything that Papa said, the code in the micro is likely read protected. You will not be able to defeat that.

Bob
 

Papabravo

Joined Feb 24, 2006
21,159
> In addition to everything that Papa said, the code in the micro is likely read protected. You will not be able to defeat that.
>
> Bob

It is not exactly clear where the code is actually located. As you surmised it might be inside the 64-pin chip, and it will likely be "read protected". The TS has suggested, without disclosing the evidence for his conclusion, that the code resides in a serial EEPROM. We had a product built around an Analog Devices DSP (Tiger Shark family) that used this strategy. It had enough internal Flash for a boot loader and a whole boatload of RAM. The main firmware was contained in an external serial Flash chip with an SPI interface. The serial EEPROM was programmed through the USB interface and made to look like a USB mass storage device. Easy-peasy.

Both techniques are possible and this presents a new level of difficulty in establishing the answers required for the TS's, as he put it, stubborn quest.

The only other technique I have read about is to decapitate the chip and scan it with a scanning microscope. The guy who did this was from Ukraine I think.
 

Ian0

Joined Aug 7, 2020
9,667
Presumably you know how an espresso machine works? Wouldn't it be easier to write your own code?
Just develop an arrogant attitude that you know better than your competitors. Then why would you want to copy their code? Why copy their bugs? You can create your own bugs. Your home-created bugs would be easier to find than copied bugs!
 

dcbingaman

Joined Jun 30, 2021
1,065
Even if you are smart enough to reverse engineer it, it is not worth the effort. You would be better off removing the main board, reusing all the actuators/sensors etc. for the machine, and creating your own interface board with your own microcontroller. That would be significantly less effort and at the same time you now have full control of the code. The code will be compiled into machine language, it will not be C or anything else, making it terribly hard to reverse engineer and/or modify. Easier just to make your own board.
 

Thread Starter

Cyb

Joined Jul 10, 2021
4
Thank you everyone. I'll keep this all in mind as I evaluate what I want to do next.

Just to be clear, my intent was to see what functionality I could unlock from this hardware for personal use (making better coffee), not to copy or move it to another product. I thought it could be a fun modding project but I understand that tweaking the existing code could be impossible.
 

GetDeviceInfo

Joined Jun 7, 2009
2,192
Often, manufacturers will drive system messages out a UART port, for low level boot status. Such messages may contain system and/or hardware identifiers. Not that it would help though.
 

Ian0

Joined Aug 7, 2020
9,667
How complicated a coffee machine is it? What parameters could you possibly change?
For instance, if it doesn't already have a "brewing temperature" setting, you could adjust that by adding resistors in series/parallel with the thermistor, or the output of the thermocouple amplifier.
 

Thread Starter

Cyb

Joined Jul 10, 2021
4
> How complicated a coffee machine is it? What parameters could you possibly change?

Reasonably complicated. Has temperature control for grouphead and steam boiler, pre-infusion timing and pressure control, volumetric and shot time control, and other bits and pieces for maintenance.

What I'd love to do is to control the pressure for more than just pre-infusion, and add shot profiles. I was originally hoping to do this without having to rewrite all the other functionality which already works well.
 