Reprogramming "old" Sennheiser Microphone - Part 5 - Writing to Memory and Testing

 Writing and testing

 I have table with the values that should be written to into the EEPROM which needed some splitting and padding in order to get it into correct format. Then I added addresses on which data should be written. In this case it should be first 16 channels, that all I need even if there is possible to store up to 32, but the 820-830MHz bandwidth is too narrow for more than 16 channels.


 Transformed the addresses and values to array string, odd is address even is value. But I wanted to start with just one value in order to do make any mistake and test if everything is working so I prepared program to write data to first and second bank. Plug the ESP32 on the I2C bus and wait until there is no communication. Push the button, then after removing the ESP32 turn off and on the mic. Which should not be necessary. Set the first channel that I wanted to overwrite and it show this new, correct frequency! But when tuning the receiver to see if everything is working I did not get any signal... So are my PLL calculations wrong or what? But on the other side if there would be some deep issue with PLL settings, microphone would show that the PLL was not successfully locked. 
 I needed to se what is going on in RF, and luckily I have Software Defined Radio, that means I can scan the frequency range and see if there is some transmission or not. And surely after staring the SDR console I can see that the microphone is transmitting, but on the old frequency. That's actually relief, since it means that everything is fine, just the second block of memory was not overwritten. That also actually explains what I was wondering about before. There is WP pin of memory connected to the programming connector. That means in case programming connector is plugged, this pin gets shorted to ground so new frequencies can be programmed. Also again captain RTFM (Read The F* Manual) to the rescue. And truly its is like this. There are bits on the end of second block of memory that sets from which address its protected. On this memory it is set to whole second block. I was also able to improve my understating of memory layout little bit.

0x50 > 10 = Selected Channel
0x50 > 40-9F = Channel freq.
0x50 > A0-BF = Channel Number+1
0x51 > 40-9F = Channel A and N counter

0x51 > B0-B2 = lower BW limit
0x51 > B4-B6 = upper BW limit
0x51 > FF = write protection for whole 2nd block
0x50 > 11 = gain



 With simple jumper connecting this pin to ground I should be able to unblock writing to second block. With this installed I tried this procedure once more. And after all I got transmission at new frequency! So not only in theory but even practically everything works fine. Now it was all just about expanding program to write 16 channels at once. And as final touch I also changed channel number to be simply from 1-16, since before it was somehow messy.

Conclusion

 This project was really fun as it was not only good for learning stuff, but after all, it was useful. As the last step I put my offer for reprogramming such microphones on eBay for half of what is asking the guy. As kind of retaliation for not accepting my offer and being greedy. 
 There are some lessons for me, which is more like addressing my weak spots. I should study documentation in more details and be more prepared before just playing around. 
There were phases where I was worried about going on with the project and pushing it back since I was not confident enough if it gonna be successful. But as there is already happy ending everything now looks simple and straightforward. And that's the issue of the most of projects. If you are working on something you never now if it gonna have happy ending at all, and for me it's really hard to push forward the motivation. 

Lessons for aspiring reverse engineers

  • Spend a few hours/days reading before you start doing.

  • Prior knowledge helps. You'll get better at reverse engineering as you do it more.

  • Code shape is recognizable. SPI drivers all look the same, I2C drivers all look similar, circular buffers all look the same. Code shape is a great hint about code function.

  • Assume people who wrote the code and designed the chip are sane (until proven otherwise).

  • Newton's first law of software and hardware design: without a significant outside force, things will keep being designed as they always have been. Assume most designs are similar, and what you saw before is likely what you'll see again

  • Defaults are not changed most of the time.

  • Every bit of knowledge helps eliminate possibilities in other places. When something confuses you, leave it alone and go analyze something else. Come back to this one later when you know more.

  • Weird-looking constants mean things. The weirder the number, the more meaning it probably carries

  • Have a theory before you rush to try things. An experiment with no theory is meaningless.

  • Do try things. A theory with no experiment is pointless.

  • Take notes as you try/figure out things, since your "trying things" binary will quickly become an unmanageable mess and you'll forget things.


Last lesson is, that doing good writeups is really hard!

Komentáře

Okomentovat

Populární příspěvky z tohoto blogu

Bottle Plotter

Obrázek
Bottle Plotter      I have noticed that, it is quite common in group of small wine producers, that they don't use bottle labels. Usually they just draw some basic info on the bottle with special ( Edding ) paint marker. That is how I got this idea. Everybody can get paper label printed, but what about bottle plotter. CNC that would used paint marker as plotter to plot the label directly on the bottle. And with tool-changer you could also have more colors.         I had this idea in my head for some time, but it take me quite long time to do this mental kick-off and start to work on it. Usually, what works for me is that when the mood is right I go outside walking and fully put myself in this trans-like state where I keep iterating on that idea and create first design in my head. But the "mood" was not coming for some time, so once I have found myself forced to drive for 2h alone in car back home. I never tried this while driving, but I have managed to get myself into that
Další informace

Reprogramming "old" Sennheiser SKM 3072-U - Part 1 - Intro

Obrázek
I'm somehow interested in audio production. But not it more my pet hobby, nothing that would generate decent income. This means I usually don't want to spend much of money on the equipment.  Right about now is quite good time to get some old-ish wireless audio equipment for decent price. The reason is that there was change ( info ) in wireless bands and bands that used to be free before are not available for the professional audio anymore. That means that lot of productions are ditching their stuff to buy new one, compatible. But not all the old stuff is useless as some of it can be reprogrammed. There is tight window from 822 to 830 MHz in EU. This window is quite narrow, but at least it should granted all the time for professional audio. Other option is to go below 700Mhz, but then you might get into collision with local TV transmitter. Therefore I settled for the narrow band since I don't plan to use too many transmitters at once and this should work for me well. My movi
Další informace

Reprogramming "old" Sennheiser SKM 3072-U - Part 2 - I2C

Obrázek
 Understanding what is going on I2C In the previous step I hooked up my logic analyzer on the I2C to see how the communication inside the mic actually looks like. Partially because I want to understand better how to reprogram the microphones EEPROM but also because I'm just curious and want to see what is really going on. After powering up the microphone this is the output from I2C. write to 0x3E ack data: 0xE0 0xC8 0xF0 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00  write to 0x3E ack data: 0xE0 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00  write to 0x50 ack data: 0x10  read to 0x50 ack data: 0x11 write to 0x51 ack data: 0x1A  read to 0x50 ack data: 0xA9 write to 0x51 ack data: 0xB3  read to 0x50 ack data: 0x1F write to 0x51 ack data: 0xAE  read to 0x50 ack data: 0x03 write to 0x51 ack data: 0xAF  read to 0x50 ack data: 0x20 write to 0x51 ack data: 0xAC  read to 0x50 ack data: 0xFC write to 0x51 ack data: 0xAD  read to 0x50 ack data: 0x5D write to 0x51 ack data: 0xC4  read
Další informace