Hey, so I'm gonna be kind of going into the reverse engineering of the PMS 150c programming interface. This might not be due. This might be very difficult. it might be very easy, but I suspect it's going to be quite obscure.

so let's just look at what we've got. So first things first: I have this: SOI C8 when I talk about a pin. I'm going to be talking about the numbers. that numbers go round anti-clockwise so one two three, four, five, six, seven, eight.

Now I've made some assumptions with this. so I'm going to assume that this is ground and this is power. I'm also going to assume that reset is still reset. So and I'm also going to assume reset is active low.

so it's resetting when it's at ground, so it's running when it's at power rail or something high logic high. So that leaves us with SiC five pins to analyze for data and clocks and things like that, which could potentially be to do with programming. Now, why would you want to do this? Why would you not just use the existing program that? It is pretty cheap and I think you probably should use the existing programmer, but you might have a specific application where you simply want to program it in the feet, in the field, or in the device itself. Or you don't have the ability to cut around this huge blue thing.

Which may well be the case. and it might be that you just want to get rid of a production step. Maybe your device has the required power rails and it all it would cost is a MOSFET or something to be out a program that when it's in the device itself so or even just programming it from test points. Maybe you want to do that.

Let's probably just get started. What I have here is the Analog discovery and I have the programmer and I'm basically just hooking up the analog pins of the programmer to the oscilloscope section of the analog discovery. So I'm gonna be looking at the power pin and I'm gonna look at the reset pin to make sure that things actually make some sense. We're gonna need to actually sanity check this.

So the yellow waveform strangely enough is the power supply. Now this might look a bit strange because it's got all these levels and these are suspected is programming voltages. If you look at the far left over here the section I that I am circling you have these on-off on-off on-off moments and not really sure what's happening here. It's probably entering some kind of initialization mode although the power line is being turned off so not really sure and reset is being thrown.

But after after that point we have this long section and I suspect this is where the real initialization happens. We're getting ready to program the prom. It has to enter some kind of programming mode. This device can't just always be in programming mode.

It uses the pins that would normally be IO for programming so it probably has to enter that mode or it is also possible that it's always in that mode. It could be in that mode initially, and because it's one-time programmable, the first time you program it a texture. that's that mode forever. So that could well be the case.

But because of the shape of this waveform, I'm going to assume it's not I Think there is an initialization section. could be wrong, but don't know. The next section. We get this high voltage section.

Now this is about six and a half volts up here. This is probably the section where the prom itself is being programmed and I suspect we have some kind of verification happening over here. Programming again and some more verification. What's going on with the reset line? Well, after each section, it appears that a reset takes place.

So the So: I'm thinking now the device must be stateful, meaning that after each stage in the programming, it must retain some state it must know where it is up to. So so those states aren't lost between these resets, because if they were, you would have to start the programming process all over again and that would be not very useful. So yeah, kinds of things do we need to look at here? Well, from the start to the start of the programming is about 244 milliseconds. We're gonna be looking for the data at 244 milliseconds approximately.

It should be pretty obvious when it is, because there should be a fair bit of data. And the data to this what I think is an initialization section is sixteen eight milliseconds. So let's have a look at what I think the clock pin is. Let's see if the clock pin resides inside that when the reset pin is up or down.

Now, this will help us determine whether that really is a reset pin and whether that power pin is really the power pin we don't know doesn't act. It's not actually guaranteed. until until the device is programmed, that spec sheet, the datasheet doesn't really come into play, could burn some fuses and change the pins altogether. Let's have a look.

Oh, that does look like a clock line. Now we're getting a little aliasing because the sample rate of the ADC on the analog discovery sucks. But we can zoom in and I'm going to I'm just adding some hold off so it doesn't reach trigger immediately. That's really annoying.

Okay, so here we go. We're at 1044 milliseconds there. abouts I'm having to reprogram it every time. now.

this is a one-time programmable thing and because it takes a while to actually you swap the device out I'm not using the I'm only analyzing the data that sent when it's already programmed. The device doesn't seem to know the difference. It can't tell whether it's already programmed. So I'm only analyzing that data because otherwise it'd take forever.

Now there are probably some differences. We've got the power and what I believe to be the data. so we should be able to look at a clock if we zoom into here now. Annoyingly, this device isn't perfectly timed.

You'll notice that the relative timings changed slightly and that does that. has made this more difficult. You'll notice the seed right now. Totally got a wrong section.

Okay, so it does appear that the clocks when the powerlines high, which is exactly expected. and if we look at the reset pin, we should see basically the same thing. and we do. So that's great.

So what? Now we've got the clock line. Now we need to find the data line Now I Believe it to be the next pin. It Usually they're usually right next to each other and from previous probing around, it looks like the data line. So let's go ahead and find that.

Oh so this is. this is the two and forty four milliseconds section and this looks like data. So with that assumption, I'm going to move the reset line over to the clock line. so channel one the other one will be now.

B o'clock There we go. So if I had some good probes, it probably wouldn't do this at all. Okay, so let's have a look. Well, if you look at this, let's look at this one data pulse in.

compared to the clock, the clock goes up and down in that data pulse. Now it's important, It doesn't always do that. You could just have a rising edge inside the data, so that will change how we interpret the data. So I believe this section to represent one zero, zero, one one.

So I think that's sort of how the serial protocol is working here. and I don't know whether it's clocking in or I don't know what, whether it's clocking in and out on the rising or falling edge, but because they're both inside every data, it probably doesn't matter so much. That makes sense. I Don't know.

Now there's something to notice. There is this section here. It's a slower clock rate. Don't know what's happening here? I Have tried to figure it out I have no idea I can't get it to do anything in that section.

so I don't know why it's clocking so over here. It's still pulsing in the high frequency section, so no different than before. Okay, so I've thought about this sense and I've seen this a little bit before and this could be the clock pulses required to actually process the command by the by the BMS 150 see So it could take 12 clock pulses to process a word. Perhaps those pulses are required to shift it out of the out of one register into another? Who knows? But I suspect those slow frequency pulses their lower frequency because that's how much time it needs to process things.

And they're also. they're also required to actually process it. So I'm not really sure what that low frequency clock section does. So if we look at this, we do have these sections and they sort of seem to align like this.

Walk with this. Bay Well, this could be the data direction. The only reason I think that is because we have some clocks when it's high and usually you wouldn't have clocks when it's high and you got a chip select if it is a chip select at all. So data Direction clock when high makes a lot of sense.

but then again, it could just be always clocking and this whole region could be a big A big chip select. Why would I think that? Well, it's very periodic. If you look at again, it's almost perfect. Keep zooming out.

So I think I think our best bet is some form of chip select and pin three. Okay, so we now have a rough idea of what the data, clock, power, ground, and recent pins are. But what about pin 2 and pin 7? It doesn't really seem like they have a purpose. So I'm about to investigate that.

pin 2 is one of our possibilities and I've looked at this before and it is a bit weird it Now this one doesn't Isn't at all interesting. When the device is being programmed, it's actually does nothing. But when it's not being programmed, there are these constant pulses. What are they? So we've got.

this is the this is pin 6. Now it appears to have a delay after that initial pin to pulse. So Pin this is pin five. Now pin five is basically synchronized with pin Six.

It doesn't seem to do anything. Pin Seven: What does that do? Well, it seems to be doing the same thing again. Our pin seven and six and five synchronized. Let's see, maybe there's a timing now.

I'm gonna have to move these channels closer to figure it out. Ah no, they're not. They're not in line, so let's have a look what's going on. Oh, they're one clock apart each of them.

So what does that mean? Program is checking for open circuit. It's constantly doing that. If I if I connect the ground of my logic analyzer to it, it beeps and tells me it won't work and it also won't program. So I know it is checking for open circuit and these checks these are these.

strobing of every single pins in each pin individually will do that. It will be able to tell if if it has a shorted pin because I won't be able to drive it high. So perhaps it's doing that. But also perhaps it is doing some kind of ID check.

Something is embedded in this signal that allows the programmer to tell what chip it is. Perhaps it's that. Perhaps it's the the timing of it. Perhaps it's the order of the spins.

If the micro is the host of this process I don't know. So I will just go through a few of the problems that I have with this this device in decoding the protocol and there are a lot. This is a really weird protocol. The voltage changes for everything.

So this is the chip select and the clock line and you'll notice that the voltage envelope is the same so but it's not constant around here. It's like to point something volts at max and up here it goes up to 6.5 we saw much earlier, so it is still quite mysterious what this protocol is doing. There's so many things that are strange about this and between programming runs that there is slight variation in the timing which makes it very difficult to correlate multiple all the pins or the the data from each of the pins without something like a five channel a scope with a very deep deep memory because I need to record the whole programming process to be able to decode it. So if anyone has the ideas, all this looks familiar to you, leave it in the comments.

Maybe it is some kind of ripoff of an existing protocol. There were some ideas that it was from the old Pic prom programmers, but I'm not so sure. Um, but yeah, mystery to me. I Couldn't use a logic analyzer because the threshold changes because the voltage changes with the programming stage.

So during the the prom programming stage. is a higher voltage and it's also a voltage which is above the range of the logic analyzer. NFA is a voltage divider which I did before actually lose the data from the previous samples because there's below the threshold if it is. If it is a chip select, it doesn't have an easily distinguishable word length.

It also has for programming voltages: ground two or four, five volts, seven, a half no six and a half volts. - yeah, it's got tons of levels. Dinner: what's going on? haha I Hope this was interesting to someone. Either way, have a good day.

See ya you.