I've set aside this afternoon to learn to read and program a PIC 16F628a with the new Bus Pirate high-voltage programming adapter:
http://dangerousprototypes.com/forum/in ... opic=265.0 (http://dangerousprototypes.com/forum/index.php?topic=265.0)
I'm going to follow sjaak's basic outline here:
http://dangerousprototypes.com/forum/in ... icseen#new (http://dangerousprototypes.com/forum/index.php?topic=412.new;topicseen#new)
And the programming datasheet here (http://http://www.google.com/url?sa=t&source=web&ct=res&cd=1&ved=0CBEQFjAA&url=http%3A%2F%2Fww1.microchip.com%2Fdownloads%2Fen%2FDeviceDoc%2F41196G.pdf&ei=9-exS-bfEMmd-Abg8OmeAg&usg=AFQjCNGS_-E-E8QBQz7kNVtSbJcs2LolSw). You can find all the Microchip programming specs here (http://http://www.microchip.com/stellent/idcplg?IdcService=SS_GET_PAGE&nodeId=1407).
I'm going to test the PIC with ICD2 first, then start to mess with the Bus Pirate. Breadboard pic in a minute.
Great! All the info is in the datasheet. especially on the first pages (memory map en commands). I found out that the timing isn;t as critical as stated in the datasheet. For example the external timed operation states you need to send endprogramming command after 2ms. I tested it with several seconds (then I found out yoiu need to give this command).
What I did saw about the 628a it had a low power programming mode. I think you need to ground the pgm pin first.
Happy hacking!
BTW there is a binmode on it way ;)
Testing the adapter:
3WIRE> m
1. HiZ
2. 1-WIRE
3. UART
4. I2C
5. SPI
6. 2WIRE
7. 3WIRE
8. KEYB
9. LCD
10. PIC
x. exit(without change)
(1)> 7
Set speed:
1. ~5KHz
2. ~50KHz
3. ~100KHz
4. ~400KHz
(1)>
Select output type:
1. Open drain (H=Hi-Z, L=GND)
2. Normal (H=3.3V, L=GND)
(1)> 2
READY
3WIRE> W
POWER SUPPLIES ON
3WIRE>
Used raw3wire mode with regular outputs. enabled power - the 5volt supply is used by the 13volt boost converter.
3WIRE> a
AUX LOW
AUX LOW
3WIRE> A
AUX HIGH
3WIRE>
AUX controls the 13volt supply to the PIC mclr pin (T2, T3). Low is off, high is on.
I get a double AUX LOW in raw3wire in the newterm-basic version.
3WIRE> [
CS ENABLED
3WIRE> ]
CS DISABLED
3WIRE>
CS controls T1, which grounds the MCLR pin. This is used to reset the PIC and manipulate the +13volt programming voltage. T1 is needed because the 13volt programming voltage would damage the Bus Pirate pin if it was exposed directly. CS enabled allows current into T1 base and grounds the MCLR/RESET pin. CS disable grounds the T1 base and T1 has no impact on the circuit (allows Vpp or pullup resistor to hold high).
I've got the PIC 16F628a on a breadboard in a simple circuit. The power pins are connected, and a resistor and diode connect MCLR to the power supply but don;t allow the 13volt programming voltage back into the circuit. I powered the circuit with 5volts and will program/read the pic at 5volts.
Note that this arrangement can only pull-down, so any target CPU (PIC or AVR) will need to have a pull-up resistor on the MCLR or RESET pin. This is a standard requirement anyways.
3WIRE> v
Voltage monitors: 5V: 4.95 | 3.3V: 3.30 | VPULLUP: 5.05 |
3WIRE>
The programming board's V+ pin is connected to the Bus Pirate's vpullup pin so the target board's power supply can be used to power the pull-up resistors and interface PICs at voltages other than 3.3volts. The voltage monitor report shows the pic is currently powered to 5.05 volts.
I'll look into the double auxlow (I guess both auxpin.c and procmenu prints the string).
Can you use the a/A/@ to control both CS and AUX?
( from the newterm thread: )
c aux pin assignment (aux=aux)
C aux pin assignment (aux=cs)
a AUX low
A AUX hi
@ read AUX
Otherwise it needs some twiddling in the protocol, or adding a couple of macro's to apply vpp, reset and normal run. I could only test it with your (ganderous :D) prototype.
By quick looking at the sheet:
Code: [Select]
[4]r[6]
Will read a word and increment the pc, if you repeat this it will dump (eventually) the pic :D
I notice it had two types of programming mode, and a different way of entering programming mode (first apply 13v, then vcc and tie pgm low). See page 6.
So....
PIC> m
1. HiZ
2. 1-WIRE
3. UART
4. I2C
5. SPI
6. 2WIRE
7. 3WIRE
8. KEYB
9. LCD
10. PIC
x. exit(without change)
(1)> 10
Commandmode
1. 6b cmd/14b data
2. 4b cmd/16b data
(1)> 1
Delay in ms
(1)>
READY
PIC>
I entered into PIC mode and used the default command/data setting and delay.
PIC> W
POWER SUPPLIES ON
PIC>
I hit W to enable the power supplies that feed the boost regulator on the programming adapter.
PIC> P
Pull-up resistors ON
PIC>
The PIC programming mode requires external pullup resistors. The HVP adapter connects the target power supply to the Bus Pirate vpullup pin, just hit P to enable the pull-ups.
[4]r[6]
Sjaak suggests this command to read through the memory. First I want to figure out what it means.
PIC> [4]r[6]
CMD6 WRITE: 0x04
DTA
READ: 0x3FFF
CMD6 WRITE: 0x06
DTA
PIC>
The command gives this output, so the [] start and stop command mode. This sends command 4, reads a 14bits, then sends 6.
Table 2-3 on page 5 of the programming spec show the commands. 4 (100) is Read Data from Program Memory. 6 (110) is Increment Address.
Otherwise it needs some twiddling in the protocol, or adding a couple of macro's to apply vpp, reset and normal run. I could only test it with your (ganderous :D) prototype.
Just noticed this. I'm going to figure out what it means and then see how to work around it :)
Entering HVP mode, table from page 6.
The thing is this can't really be right. I program 16f628a in circuit all the time with ICD2, and it doesn't manipulate the power supply at all.
I'm going to write a script that will increment to 0x2000 and see if I can read the program and device ID.
This won't work :D You first need to enter the [ 0 ]0 (load config word) to set the upper bit of the pc to '1' (can't be changed anymore, except by removing the power), after this you can increment and read it using the [4]r and [6] commands.
edit: display square brackets
Thanks, I see that now.
PIC> A
AUX HIGH
PIC> a
AUX LOW
AUX LOW
PIC> [4]r[6] [4]r[6][4]r[6][4]r[6][4]r[6][4]r[6][4]r[6][4]r[6][4]r[6]
CMD6 WRITE: 0x04
DTA
READ: 0x3E02
CMD6 WRITE: 0x06
DTA
CMD6 WRITE: 0x04
DTA
READ: 0x3FFF
CMD6 WRITE: 0x06
DTA
CMD6 WRITE: 0x04
DTA
READ: 0x3FFF
CMD6 WRITE: 0x06
DTA
CMD6 WRITE: 0x04
DTA
READ: 0x3FFF
CMD6 WRITE: 0x06
DTA
CMD6 WRITE: 0x04
DTA
READ: 0x3FFF
CMD6 WRITE: 0x06
DTA
CMD6 WRITE: 0x04
DTA
READ: 0x3FFF
CMD6 WRITE: 0x06
DTA
CMD6 WRITE: 0x04
DTA
READ: 0x3FFF
CMD6 WRITE: 0x06
DTA
CMD6 WRITE: 0x04
DTA
READ: 0x3FFF
CMD6 WRITE: 0x06
DTA
CMD6 WRITE: 0x04
DTA
READ: 0x3FFF
CMD6 WRITE: 0x06
DTA
PIC>
Here's the first 8 bytes of flash. It seems to read consistently, but I don't think the chip is programmed yet.
PIC> A
AUX HIGH
PIC> a
AUX LOW
AUX LOW
PIC> [0]0
CMD6 WRITE: 0x00
DTA
WRITE: 0x0000
PIC> [4]r[6][4]r[6][4]r[6][4]r[6][4]r[6][4]r[6][4]r[6][4]r[6]
CMD6 WRITE: 0x04
DTA
READ: 0x3FFF
CMD6 WRITE: 0x06
DTA
CMD6 WRITE: 0x04
DTA
READ: 0x3FFF
CMD6 WRITE: 0x06
DTA
CMD6 WRITE: 0x04
DTA
READ: 0x3FFF
CMD6 WRITE: 0x06
DTA
CMD6 WRITE: 0x04
DTA
READ: 0x3FFF
CMD6 WRITE: 0x06
DTA
CMD6 WRITE: 0x04
DTA
READ: 0x3FFF
CMD6 WRITE: 0x06
DTA
CMD6 WRITE: 0x04
DTA
READ: 0x3FFF
CMD6 WRITE: 0x06
DTA
CMD6 WRITE: 0x04
DTA
READ: 0x3A1C
CMD6 WRITE: 0x06
DTA
CMD6 WRITE: 0x04
DTA
READ: 0x3FFF
CMD6 WRITE: 0x06
DTA
PIC>
If I read configuration I get this consistently. Byte 7 is the device ID. It should be 01 0000 011 x xxxx (0x1060 + x xxxx). I'm not sure if 0x3A1C is correct (I'm guessing not).
ICD2 says this is rev 0x08, so the ID should be 01 0000 011 0 1000 (0x1068). I'm going to try again and make sure the PGC and PGD weren't crossed.
No such luck so far.
PIC> Aa[4]r[6]
AUX HIGH
AUX LOW
AUX LOW
CMD6 WRITE: 0x04
DTA
READ: 0x3E02
CMD6 WRITE: 0x06
DTA
PIC>
The first program memory location should read 0x2804, and instead it consistently reads 0x3e02.
I'm going to leave this alone for now and maybe tomorrow try to write a perl script to test it with the raw2wire binary mode. If anyone sees anything I might have done wrong please let me know.
Just asking. You are tieing PGM to gnd? If PGM is high it enters lvp (dunno what the difference is with HVP). Also the datasheet mention to first apply 13v and then +5 . With the PIC10f It didn't bother much, but perhaps with this one it does..
I think I have a 628 in an old pic programmer (wisp628) somewhere. I could try it tonight, but dunno if it is codelocked or what Im expecting to read so I can't be really sure. I don't want to erase the chip and reprogram it for obvious reasons ;)
PGM is tied to ground, yes. I'm not so worried about the 13v before 5v because the programmer can't control the power when the chip is in-circuit, so it must be possible to hold reset at 0 then rise to 13v and enter programming mode. I guess that could be it and ICD2/pikckit use a different programming algo.
I guess it is the way the voltages are applied. It did some testing with a 12f675, I first tried with a 16f628a but after some testing it didn't responded anymore, but i got the same values as you.
At first it responded with weird values for the device id and config fuses. Later when I direct applied the Vdd and Vpp I got results that made more sense. I wanted it to reproduce but now it is giving back expected results :S
Anyways this is what I getting now:
HiZ> m 10 1 2
PIC (mod dly)=(6 2)
READY
PIC> WP
POWER SUPPLIES ON
Pull-up resistors ON
PIC> [0]0[4]r[6 4]r[6 4]r[6 4]r[6 4]r[6 4]r[6 4]r[6 4]r[6 4]r
CMD6 WRITE: 0x00
DTA
WRITE: 0x0000
CMD6 WRITE: 0x04
DTA
READ: 0x3FFF
CMD6 WRITE: 0x06
WRITE: 0x04
DTA
READ: 0x3FFF
CMD6 WRITE: 0x06
WRITE: 0x04
DTA
READ: 0x3FFF
CMD6 WRITE: 0x06
WRITE: 0x04
DTA
READ: 0x3FFF
CMD6 WRITE: 0x06
WRITE: 0x04
DTA
READ: 0x3FFF
CMD6 WRITE: 0x06
WRITE: 0x04
DTA
READ: 0x3FFF
CMD6 WRITE: 0x06
WRITE: 0x04
DTA
READ: 0x0FCF
CMD6 WRITE: 0x06
WRITE: 0x04
DTA
READ: 0x31FF
CMD6 WRITE: 0x06
WRITE: 0x04
DTA
READ: 0x3FFF
PIC>
0xFCF is the device ID together with the revision ID: 00 1111 110 (devid) and 0 1111(revid)
0x31FF is the fuse; bit 9-11 are supposed to be zero, so looks also ok.
I guess it needs a macro for applying the voltage ;)
@ian: Could you try this on the 628?
I added a new binmode to the svn, perhaps it is of any help.
The binmode is 7 (i noticed openocd already taken mode 6) and available commands:
0000 0000 return to main
0000 0001 id=PIC1
0000 0010 6b cmd
0000 0011 4b cmd
0000 01xx xx ms delay
0000 1xxx unimplemented
0001 0xyz PWM|VREG|PULLUP
0001 1xyz AUX|MISO|CS
01xx xxxx just send cmd xxxxxxx
10xx xxxx send cmd xxxxxxx and next two bytes (14/16 bits)
11xx xxxx send cmd xxxxxxx and read two bytes
PWM enables a 100KHz 50% PWM signal (fixed).
I'm having the same issue with a 12f683. I can read something consistently, but not the right thing.
In this programming spec it has seperate VPP first/ VDD first diagrams. The 16f628a only had the vpp first one... I don't get it though, because we should be able to program in-circuit without manipulating VDD. I think it's just resetting (VPP=0) and hitting VPP=12v fast enough, but....
I looked at the USBPICPROG, and they do control the VDD and have switches for it in the code. They also have a new page that documents the protocol:
http://usbpicprog.org/?page_id=15 (http://usbpicprog.org/?page_id=15)
I'm going to mod my HVP adapter board to power the circuit from the Bus Pirate 5volt and see if it works any better.
I did use the buspirate powersupply to supply both the SMPS and the pic. With the WP command it supplies Vcc to the PIC (W) and the pullups (P) enable the Vpp.
Couldn't you first supply the Vpp and then switch on the Vcc (I presume you use an external powersuppy?).
I could try with a separate 12v powersupply and with some transistors if I can reproduce it. You are using the schematic you posted in the HVP topic ( http://dangerousprototypes.com/forum/in ... 03#msg3503 (http://dangerousprototypes.com/forum/index.php?topic=265.msg3503#msg3503) )
Ian, how are the fuses programmed?
By looking at the datasheet if the MCLRE=1 and external oscillator is selected, it doesn't matter if Vpp is applied before Vdd or not., *I think*. I also studied the datasheet of the mcc34063, but I couldn't find any rising times. Is the voltage stable at 12-13v before applying it to Vpp?
Edit1: Also I found this: http://www.voti.nl/wisp628/n_index.html (http://www.voti.nl/wisp628/n_index.html) (scroll down halfway to additional circuit) However it will take another pin..
edit2: I also found a schematic of an ICD2 ( http://www.nebadje.org/doku.php?id=neblab:icd2clone (http://www.nebadje.org/doku.php?id=neblab:icd2clone) ) There is a lot of magic in the supplies, but I don't see a short like on the Voti page, but perhaps I'm wrong. Let´s hope it shed some light ;)
I also made a simple hex to commandline convertor. It basicly converts the hex, without any checking and without looking at the memory location, to commands the piclibrary understands.
I tested it on a pic12f675 and it seems to work (I can read back what I did program, but it was suppose to blink a led but it doesn't) I copied the program from someone else, so I don't know if it right, or if I copied/pasted it right. Currently it blinks just once, and it just stops (which let me think i made a small error with copy/paste).
Take special care of the configword (mostly it is the last statement in a hex file). the convertor does _NOT_ look at the addressing.
Anywayz here it is: