Introduction
The SPCA504B allows access to the picture Flash memory through two
methods.
The usual method routes the data through specialized hardware into or
out of the Flash. This is typically done when reading data out over USB
and storing data from the compressed version stored in SDRAM. This
method is fast, but has not been reverse-engineered yet.
The microcontroller can also access the Flash at a very low level
through use of specific registers. This is typically used to erase the
flash, to read the flash's size and manufacturer ID, and to access
low-volume non-picture metadata (such as the file directory, bad-block
table, and wear-leveling info). This is the method we're going to use,
and it is very slow because the camera's slow 8-bit processor must work
hard. I averaged 544 bytes per second on a computer capable of
saturating the USB bus, so transferring the whole 16 MB took about 10
hours.
SPCA504B Hardware Registers
The chip has four registers that we need to deal
with. There are probably other registers that must be set up, but it
seems that the firmware initializes them properly on boot.
Register 0x2019 is some sort of mode configuration register.
Use as described in the detailed procedure.
Register 0x2026 is some sort of mode configuration register.
Use as described in the detailed procedure.
Register 0x2423 is the picture flash control register. Its bits are
mapped directly to pins on the Samsung flash and allow direct control.
Bit      7    6    5    4    3    2    1    0
Signal   x    x    x    x    CLE  ALE  WP*  CE*
'x' means not used; write a 0.
'*' means that the signal is inverted (as the FLASH expects).
Register 0x2420 is the picture flash data register. Read and Write
strobes are automatically generated by the hardware.
To be found: there probably is a way to read the R/B* ("busy") signal
from the flash, but I haven't decoded it yet. Due to the slow
speed of the USB interface, we won't need to read this bit unless we're
programming the part (in that case, we could probably just wait the
maximum amount of time).
Samsung Flash Architecture
This flash is optimized for low-cost, high-density storage of data, not
code. The consequence of this is that it has two features not typically
found in other flash memory:
- The flash comes from the factory with unusable bad blocks. The data
  sheet says that a minimum of 502 valid blocks are guaranteed for each
  contiguous 8MB of memory space, so the 16MB part will contain, at
  most, 20 bad blocks out of 1024.
- Memory is organized in pages of 512 bytes (as usual), but includes an
  additional 16 "out of band" spare bytes per page to manage data
  integrity. These bytes can be used to mark bad blocks, to hold
  checksums or error-correcting codes (ECC), or to maintain FAT-like
  file block chaining.
Samsung Read Algorithm
The Samsung data sheet fully describes the algorithm for reading the
FLASH data on page 21. The reading method is a little funny: the read
command (READ1 or READ2) encodes address bit A8, but since we're reading
blocks of 512, we won't need to specify this bit (nor A0-A7). After
reading a block of 512 bytes, the FLASH's internal address pointer
automatically moves to the spare area, which is read out as the
following 16 bytes.
The general algorithm is:
1. Issue a READ1 command (0x00) or a READ2 command (0x80), depending
   on A8.
2. Send address A0-A7.
3. Send address A9-A16.
4. Send address A17-A23.
5. Read 512 bytes of data.
6. Read 16 spare bytes.
7. Issue a RESET command.
Detailed Procedure
This is a summary of how the code in the flashdump.c program implements
the Samsung FLASH read algorithm. This
description should match, but rely on the code because it has been
tested. This code could easily be changed to allow for writing or
erasing the FLASH.
Set the mode configuration registers to access the Flash at a low level:
1. Register 0x2026 &= 0xFE (clear bit 0)
2. Register 0x2019 |= 0x02 (set bit 1)
3. Register 0x2423 = 0011b (not write protected, not enabled)
4. Register 0x2423 = 0010b (chip now enabled)
Issue the READ1 or READ2 command:
5a. Register 0x2423 = 0011b (not write protected, not enabled)
5b. Register 0x2423 = 0010b (chip now enabled)
5c. Register 0x2423 = 1010b (chip enabled, CLE high to indicate a
command)
5d. Write READ1 or READ2 command to Register 0x2420. The hardware
automatically generates the write strobe.
5e. Register 0x2423 = 0010b (CLE brought low)
6. Issue A0-A7, A9-A16, and A17-A23 in a similar fashion to the read
command -- simply replace the value written in step 5d with the
address subset.
7. Read 512 bytes of data from Register 0x2420. The hardware
automatically generates the read strobe.
8. Read 16 bytes of data from Register 0x2420.
9. Issue a reset command (0xFF) in a similar fashion to the read
command in steps 5a-5e.
10. Repeat steps 5-9 until all desired data is read.
Return the mode configuration registers to a normal mode:
11. Register 0x2423 = 0001b (write protected, not selected)
12. Register 0x2026 |= 0x01 (Set bit 0)
13. Register 0x2019 &= 0xFD (clear bit 1)
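The procedure above as one C routine, run against a small simulated flash so it works offline. This is an added example, not flashdump.c: reg_read() and reg_write() are hypothetical stand-ins for whatever transport reaches the SPCA504B registers, and the simulator behind them is constructed. Step 6 gives no control-register value for address cycles, so ALE high (0110b) is assumed from the bit table.

```c
#include <stdint.h>
/* Register addresses, bits and command bytes are the page's; the rest is constructed. */
enum { R_MODE19 = 0x2019, R_MODE26 = 0x2026, R_DATA = 0x2420, R_CTRL = 0x2423 };
enum { CE_N = 1, WP_N = 2, ALE = 4, CLE = 8, READ1 = 0x00, RESET = 0xFF, RAW_PAGE = 512 + 16 };
/* Constructed stand-in for the camera: a register file plus a tiny NAND model. */
static uint8_t regs[0x2424] = { [R_MODE26] = 0x01, [R_CTRL] = CE_N }, addr[3];
static unsigned naddr, pos;
static uint8_t sim_cell(unsigned page, unsigned off) { return (uint8_t)(page * 31 + off); }
static void reg_write(uint16_t r, uint8_t v) {
    if (r != R_DATA) { regs[r] = v; return; }
    if (regs[R_CTRL] & CE_N) return;                   /* chip not selected */
    if (regs[R_CTRL] & CLE) naddr = pos = 0;           /* READ1 and RESET both rewind */
    else if ((regs[R_CTRL] & ALE) && naddr < 3) addr[naddr++] = v;
}
static uint8_t reg_read(uint16_t r) {
    if (r != R_DATA) return regs[r];
    return sim_cell(addr[1] | (unsigned)addr[2] << 8, addr[0] + pos++);
}

static void flash_enter(void) {                        /* steps 1-4 */
    reg_write(R_MODE26, reg_read(R_MODE26) & 0xFE);
    reg_write(R_MODE19, reg_read(R_MODE19) | 0x02);
    reg_write(R_CTRL, WP_N | CE_N);                    /* 0011b */
    reg_write(R_CTRL, WP_N);                           /* 0010b */
}
static void flash_leave(void) {                        /* steps 11-13 */
    reg_write(R_CTRL, CE_N);                           /* 0001b */
    reg_write(R_MODE26, reg_read(R_MODE26) | 0x01);
    reg_write(R_MODE19, reg_read(R_MODE19) & 0xFD);
}
static void flash_cycle(uint8_t latch, uint8_t v) {    /* steps 5a-5e */
    reg_write(R_CTRL, WP_N | CE_N);
    reg_write(R_CTRL, WP_N);
    reg_write(R_CTRL, WP_N | latch);                   /* CLE = command, ALE = address */
    reg_write(R_DATA, v);                              /* hardware makes the write strobe */
    reg_write(R_CTRL, WP_N);
}
static void flash_read_page(unsigned page, uint8_t *out) {
    flash_cycle(CLE, READ1);                           /* A8 = 0: start of the page */
    flash_cycle(ALE, 0x00);                            /* A0-A7 (ALE value is assumed) */
    flash_cycle(ALE, (uint8_t)page);                   /* A9-A16 */
    flash_cycle(ALE, (uint8_t)(page >> 8) & 0x7F);     /* A17-A23 */
    for (unsigned i = 0; i < RAW_PAGE; i++) out[i] = reg_read(R_DATA);  /* steps 7-8 */
    flash_cycle(CLE, RESET);                           /* step 9 */
}
int main(void) {
    uint8_t buf[RAW_PAGE];
    flash_enter(); flash_read_page(3, buf); flash_leave();
    return buf[0] == sim_cell(3, 0) ? 0 : 1;
}
```

Each call to flash_read_page() returns 528 bytes: the 512 data bytes followed by the 16 spare bytes, in the order the flash presents them.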
Download
I wrote a program called flashdump to dump the picture flash memory,
including the main and ECC data areas (both are required to extract
data stored in the Smart Media format). This provides the same results
that you'd achieve by desoldering the picture flash from the board and
reading it in a compatible memory reader.
I found that the camera's memory had no blocks marked as bad. I don't
know if that's because Samsung's testing had determined that the flash
was flawless, or if the bad-block-markers had been erased.