[Jason P], evidently an enjoyer of old reliable laser printing tech, spilled a drink (nitter) onto his Panasonic KX-P5400 SideWriter. After cleanup, everything worked fine — except that the PSU’s 5 V became 6.5 V during the accident, and the EPROM with LocalTalk interface firmware died, connection between VCC and GND seemingly interrupted inside the chip. Understandably, [Jason] went on Twitter, admitted the error of his ways, and sheepishly asked around for EPROM dumps.
Instead, [Manawyrm] wondered — would the chip have anti-ESD body diodes from GND to IO pins, by any chance? A diode mode multimeter check confirmed, yes! It was time for an outlandish attempt to recover the firmware. [Manawyrm] proposed that [Jason] connect all output pins but one to 5 V, powering the EPROM through the internal VCC-connected body diodes – reading the contents one bit at a time and then, combining eight dumps into a single image.
After preparing a TL866 setup, one hour of work and some PHP scripting later, the operation was a success. Apparently, in certain kinds of cases, dead ROM chips might still tell their tales! It’s not quite clear what happened here. The bond wires looked fine, so who knows where the connection got interrupted – but we can’t deny the success of the recovery operation! Need a primer on dumping EPROMs that are not dead? Here you go.
Here's a cool trick to recover data from a broken/defective EEPROM after an overvoltage or reverse-power event:
Misuse the internal ESD protection diodes to feed the chip with voltage through the data pins. Then take multiple dumps with different bits being powered. https://t.co/WHUiiaJdgf
— Manawyrm (@Manawyrm) August 26, 2022
We thank [Chaos] for sharing this with us!
Excellent hack.
Photo shows EPROM, not EEPROM?
Brillant hack, yes.
I’ve been hindered by this actually… trying to hardware rebood a mcu only to find that it stays powered up by some devices injecting current like this…
To this day I have to carefully sequence powering up my desktop mini CNC each time I use it, because if the driver box powers up before the GRBL controller is USB connected then it back-powers the controller into a zombie state with its LEDs on where the CNC starts devil-dancing…
Hi Arya, It would be helpful to get the title of the article correct. This is about an EPROM not an EEPROM. These are different technologies. Note also that “reading the flash one bit at a time” is also a bit off, EPROMS aren’t Flash ROMs either, although they do store their bits on a charged and isolated gate. I suspect (because it makes sense) that he was reading one byte at a time whilst supplying power via the control and the (cycling) address lines
Agreed on the title, and yes, that’s a bit of a liberal use of “flash” there! Functionally, he was reading one bit at a time – since all but one outputs were held high, even though the EPROM would try to drive them and the TL866 would try and read them, you’d only be able to receive one bit per one combination of address lines.
Yup! And EPROM, EEPROM, Flash ROM, doesn’t actually really matter for this trick: Everything with a CMOS process (and the resulting body diodes) could be recovered in this way, as long as only the VCC connection is broken. Might even work for microcontrollers, etc.
Hey, can you explain how would one wire-up typical 8 pin SPI chip for this type of recovery ? I have BIOS here from SSD disk that is very low on VCC to GND, gets very hot during read attempts and out of 2MB there are like 5-6KB of differences across multiple dumps. Tried putting it in a freezer, i only got reduced amount of diff around 2.9KB
Let me be the first to vote that the name change be UVEPROM instead of either EPROM (erasable PROM) or the original EEPROM (electrically erasable PROM). I speak from “vast” experience, beginning from ancient times when I did my 1976 college senior design project for an Intel 1702A 256×8 (not 256K!!!) PMOS (+5 and -9 V supplies) UVEPROM programmer that used -46V programming pulses (why? because it was the only PROM I could afford – student, remember?) . I then continued to use (improved and bigger) UVEPROMs from Intel and others throughout my career until manufacturers gave up on the old (NMOS and a occasional CMOS) processes that relied on UV light to erase the (whole) die whether by intent or accident (to be fair, the die didn’t know the difference).
As for EEPROM, (I think) that came AFTER the original General Instrument (GI) EAPROM (electrically alterable PROM). GI became the first (US?) manufacturer to make PROMs that could be erased electrically, but that too was “complicated” and didn’t utilize on-board charge pump DC-DC converters to boost voltages to that necessary for either programming and/or erasing (those voltages had to be supplied during programming and erasing). I played with EAPROMs at my first engineering job and they weren’t cheap and if I recall correctly, they had long programming times. Later, the old GI company shed it’s semiconductor (by then, microelectronics) division into today’s Microchip (see: https://www.computerhistory.org/siliconengine/companies/).
A big proponent of alterable ROM was Stanford R. Ovshinsky, who founded Ovonics to make “better memory devices” which then evolved into energy conversion tech like NiMH, LiPo, fuel cells, etc. and partnered with Intel, Chevron, and others along the way. More details can be found in: https://medium.com/chmcore/pioneers-of-semiconductor-non-volatile-memory-nvm-9687c141a7d7
Those that managed to read all the way though can now relax as this lesson is over.