Perhaps this could lead to LiftMAME, where the real logic is emulated and uses Skyscrapersim, real lift or mini toy lego lift for the physical part! It will be like PinMAME and Visual Pinball for lifts!
Well at 3:15 the 2 flash chips in the center are Macronix Chip short name (MX) with TSOP48 package there are probably the Firmware/BIOS of the mainboard. does this lift controller have Microcontrollers on it ?
The NVRam is probably accessible through a JTAG connector. You'll need a JTAG adapter and some software to probe the bus and see what devices are connected to the JTAG. Also, if you mean pin 2 and 3 need to be reversed on the serial port, that's common. That's not even "security by obscurity", that's just DTE vs DCE pin outs of the port. A standard cable called a "null modem" cable flips those pins for you.
Oh, I watched it again, you need to reverse engineer the serial protocol, which would require some reverse engineering of the code that's running on the processor (it looks like it's a 68000)? You'd have to read the code out of the ROM, and decompile it using something like IDA. You should still be able to access the NVRAM directly through the JTAG, but then you'll need to know what you're looking for, and what has to be changed. The easiest is to have one board that's unlocked, and another board that's locked, read the chips from both, and compare the differences.
NVRAM is a RAM memory that also contains an EEPROM, so you can save/recall non-volatile data directly from/to RAM. This maximizes EEPROM lifespan, since you only need to write to EEPROM upon power-down and RAM does not suffer from write cycle limitations. It's the best of both worlds, really!
Maybe dave from the EEVBLOG can reverse engineer it for you. It looks just like an pc mainboard or an arcade game board. What cpu is it? Is it some ARM based chip? That serial looks like RS 232. My dad programs Atmel microcontrollers for hobby, maybe the nvram uses I2C bus to communicate with the cpu?
I wonder if it's a Z-80 or a 68000 the chips that ower belowed Megadrive is mode off... But I bet an Arm chip is more likely. Whenever I see ARM chip I think of my dad's old Acorn Archimedes 310.......
Buy a Bus Pirate. The serial port is going to be RS232, probably 9600 or 115200BPS 8N1. A bus pirate will be your friend. You can probably hook it up directly to the NVRAM instead of having to dump the config from the serial port. Voltage is probably gonna be either 12 or 24 volts by the size of the connector. Follow the traces from the power connector and see if you can find any voltage regulators on the board - look up their datasheet and find their input voltage. If all else fails it you could probably bring the elevator up to the cabinet and probe the connectors with a meter. I'd be willing to run the SD image through some tools I have - do you mind sending me a link to the image?
AT 4:36 this are not NVRAM chips they are Flash chips. this type of TSOP48 package is mostly used on Blue-Ray Disc players they contain the firmware for the device but Macronix flash chips have a data retention of 10 years.
Ha. What are you checking with the multimeter, since there is no voltage until you supply it?? Sure, supply 12V and meter will read 12V. Likewise supply a nice blowupy 170V and the meter will read that too.
I suspect they'd be using good old RS232, 9600 baud rate, sending simple plain-text commands. That's how I'd do it, anyway. Download a RS232 terminal program for the PC and get cracking. Good luck!
Firmware from all electronic devices containing on the flash chips are in Hex (machine language) I do lots of Firmware dumps from this kind of chips :-)
Beno Lifts: write on google Macronix and the numer of the 1st line under the MX name you can see the type of the chip write it on google and write datasheet to the end and you can know what kind of chip it is :-) capacity and operating voltage normaly 2,6 -3,7 V of this chips at 8:34
The white one is. Power supply. Why not ask a lift engineer I've done. Electronics engineering and programming it normaly as it on board try Google it. Or ask kone if you. Send them a picture off board there will know the one a bought the digital display
ok so we know that it definatly isnt FTP but it could be MTP, CTP or Mass Storage like on mobile phones. You should probably plug in an RS242 Serial Cable to USB into the board & your PC & see what comes up on it because windows might detect that it is lift logic & may allow you to transfer files to the board
Isn't it easier to create the logic by yourself using cheap prototyping hardware like Arduino? You've got the buttons and displays there. And later create a model lift shaft, add a motor, drive and a few sensors and you have a working model. I made one already and i can give you a few ideas to get started. Here's mine: www.flickr.com/photos/conznl/31273029203/in/dateposted-public/
Your model lift looks very impressive. I have made a model of a twin lift using a raspberry pie. The aim of the Kone LCE hacking isn't to make a model, but is to unlock proprietary restrictions that Kone have created to forces people to come back to Kone for maintenance contracts.
That's not going to be easy! Have you looked for a debug/programming header on the board (JTAG for example, the 6 or 10 pin variety) that you can use? Most devices (including almost every router) have one. The DB9 serial port is almost always just for simple fault finding and configuration by engineers with standard qualifications. The programming header can be used to (re)program the main CPU or exposes extra configuration menus via the serial bus. Very often the programming bus is al TTL level where the DB9 port is at standard 232 levels.
Nice board!! Yes take a multimeter with you to the working lift and maybe have a probe around?
Perhaps this could lead to LiftMAME, where the real logic is emulated and uses Skyscrapersim, real lift or mini toy lego lift for the physical part! It will be like PinMAME and Visual Pinball for lifts!
Omg yes
Have you since had more luck with it? Also, maybe it's possible to do stuff via something on an SD card?
Well at 3:15 the 2 flash chips in the center are Macronix Chip short name (MX) with TSOP48 package there are probably the Firmware/BIOS of the mainboard. does this lift controller have Microcontrollers on it ?
Absolutely love your videos! You're amazing!!
Any updates on this?
Please could you do a video showing all of your Ecodisc parts
The NVRam is probably accessible through a JTAG connector. You'll need a JTAG adapter and some software to probe the bus and see what devices are connected to the JTAG. Also, if you mean pin 2 and 3 need to be reversed on the serial port, that's common. That's not even "security by obscurity", that's just DTE vs DCE pin outs of the port. A standard cable called a "null modem" cable flips those pins for you.
Oh, I watched it again, you need to reverse engineer the serial protocol, which would require some reverse engineering of the code that's running on the processor (it looks like it's a 68000)? You'd have to read the code out of the ROM, and decompile it using something like IDA. You should still be able to access the NVRAM directly through the JTAG, but then you'll need to know what you're looking for, and what has to be changed. The easiest is to have one board that's unlocked, and another board that's locked, read the chips from both, and compare the differences.
NVRAM is a RAM memory that also contains an EEPROM, so you can save/recall non-volatile data directly from/to RAM. This maximizes EEPROM lifespan, since you only need to write to EEPROM upon power-down and RAM does not suffer from write cycle limitations. It's the best of both worlds, really!
What exactly do you say to engineers when you find one working on a lift?
I ask them if they have any buttons for my collection
For some reason I didn't think it would be as simple as that? How many of them generally say yes?
What does it store on the sdcard?
Is there any markings on the board for the voltages? Normally devices like that run from 3.3, 5 and 12 volts.
Lol it's not a pc motherboard mate. You're more likely to see stuff like this powered by 24V and having an on-board dc-dc converter.
If you want to know the board's voltage, measure a working ecodisc board's power input voltage with a multimeter.
Maybe dave from the EEVBLOG can reverse engineer it for you. It looks just like an pc mainboard or an arcade game board. What cpu is it? Is it some ARM based chip? That serial looks like RS 232. My dad programs Atmel microcontrollers for hobby, maybe the nvram uses I2C bus to communicate with the cpu?
Oooooooh !! Yes Dave Jones! Would love to know what that CPU is too, maybe an old design that just works?
I wonder if it's a Z-80 or a 68000 the chips that ower belowed Megadrive is mode off... But I bet an Arm chip is more likely. Whenever I see ARM chip I think of my dad's old Acorn Archimedes 310.......
Even the board says "KAPTON TAPE" near the battery compartment, where the tape is
It will undoubtedly be some proprietary protocol, probably whatever the firmware guy came up on the fly with when he did the code.
Buy a Bus Pirate. The serial port is going to be RS232, probably 9600 or 115200BPS 8N1. A bus pirate will be your friend. You can probably hook it up directly to the NVRAM instead of having to dump the config from the serial port. Voltage is probably gonna be either 12 or 24 volts by the size of the connector. Follow the traces from the power connector and see if you can find any voltage regulators on the board - look up their datasheet and find their input voltage. If all else fails it you could probably bring the elevator up to the cabinet and probe the connectors with a meter. I'd be willing to run the SD image through some tools I have - do you mind sending me a link to the image?
Can we get some high-res pics of the board, all parts, both sides? TIA :)
The white connector you pointed out is not for power supply.
AT 4:36 this are not NVRAM chips they are Flash chips. this type of TSOP48 package is mostly used on Blue-Ray Disc players they contain the firmware for the device but Macronix flash chips have a data retention of 10 years.
The volatage is probably 12V but you should check it with a multimeter...
If this is the case then you should try using something like an ATX Power Supply such as the one in your computer..........
Ha. What are you checking with the multimeter, since there is no voltage until you supply it?? Sure, supply 12V and meter will read 12V. Likewise supply a nice blowupy 170V and the meter will read that too.
just increase the voltage by 1V until it starts smoking, then back it down a couple. should be fine.
+Race Chapman noooo once it starts smoking significant damage has probably already been done to the chips by over volting.
@@ELPaso1990TX I somehow think that was tongue in cheek sarcasm.
I suspect they'd be using good old RS232, 9600 baud rate, sending simple plain-text commands. That's how I'd do it, anyway.
Download a RS232 terminal program for the PC and get cracking. Good luck!
7 month old video but maybe it could use AT protocol/commands via serial?
Firmware from all electronic devices containing on the flash chips are in Hex (machine language) I do lots of Firmware dumps from this kind of chips :-)
Asynchronous Serial Communication Protocol (RS 232)?
If your gonna make your own Ecodisc don't you need the Buttons and the indecator? and most important, The ecodisc logo!
Oh
Beno Lifts: write on google Macronix and the numer of the 1st line under the MX name you can see the type of the chip write it on google and write datasheet to the end and you can know what kind of chip it is :-) capacity and operating voltage normaly 2,6 -3,7 V of this chips at 8:34
Any updates? Please :)
The white one is. Power supply. Why not ask a lift engineer I've done. Electronics engineering and programming it normaly as it on board try Google it. Or ask kone if you. Send them a picture off board there will know the one a bought the digital display
If I could make out the numbers on the main processor I could probably tell what CPU it is (its a Freescale Semiconductor part)
Wow!
For the protocol from the serial port have you tried FTP or MTP?
FTP??? It is low level, it isn't going to have a webserver on it
I'm pretty sure that I read somewhere that Kone were planning to add FTP to some of their lift logic but IDK.
This board is all low level. It has a real time operating system, and the system for writing chips will also be low level.
ok so we know that it definatly isnt FTP but it could be MTP, CTP or Mass Storage like on mobile phones. You should probably plug in an RS242 Serial Cable to USB into the board & your PC & see what comes up on it because windows might detect that it is lift logic & may allow you to transfer files to the board
Nice
If the serial is switched, try the RJ11, it may not be switched.
Beno, get a high res image online so we can see the chip numbers...
How can you get that ?? :D
Lift engineers. He said it at the start of the video.
Please upload all the voice sounds?
Isn't it easier to create the logic by yourself using cheap prototyping hardware like Arduino? You've got the buttons and displays there. And later create a model lift shaft, add a motor, drive and a few sensors and you have a working model. I made one already and i can give you a few ideas to get started. Here's mine: www.flickr.com/photos/conznl/31273029203/in/dateposted-public/
Your model lift looks very impressive. I have made a model of a twin lift using a raspberry pie.
The aim of the Kone LCE hacking isn't to make a model, but is to unlock proprietary restrictions that Kone have created to forces people to come back to Kone for maintenance contracts.
That's not going to be easy! Have you looked for a debug/programming header on the board (JTAG for example, the 6 or 10 pin variety) that you can use? Most devices (including almost every router) have one. The DB9 serial port is almost always just for simple fault finding and configuration by engineers with standard qualifications. The programming header can be used to (re)program the main CPU or exposes extra configuration menus via the serial bus. Very often the programming bus is al TTL level where the DB9 port is at standard 232 levels.
At the start you sound like me off my meds
You'll want to make sure that you're using the correct serial baud. Most common is usually 9600 baud.
first
Stagecoach :)
Arriva
London General
Php2,000,000
second
minute
6th
? I don't get it.
+Rahan You only do bus or train operators when someone comment First because First is a bus operator
I thought that is why there is only a game for 1st and 2nd, to avoid every comment being which comment it is.