All of the MCU readers described here take advantage of a design flaw of oki MCUs (and the design flaw is present on all MCUs we have seen to date). MCUs can use both internal ROM or external ROM for program memory storage, and a GND or +5v signal on _EA(EA prime - normally has line above EA) is used to control whether internal or external program memory is selected. *Oki MCUs do not latch the state of the _EA pin on startup - by some clever trickery, the internal code memory can be unmasked after the MCU has begun executing code.

All of the MCU readers described here take advantage of a design flaw of oki MCUs (and the design flaw is present on all MCUs we have seen to date). MCUs can use both internal ROM or external ROM for program memory storage, and a GND or +5v signal on _EA(EA prime - normally has line above EA) is used to control whether internal or external program memory is selected. *Oki MCUs do not Latch the state of the _EA pin on startup - by some clever trickery, the internal code memory can be unmasked after the MCU has begun executing code.

• OBD0 Oki83 C154 Reader Blundar?
• OBD1 Oki66207 Reader Doc?
• OBD2 Oki66507 Reader Nico
• OBD2 Oki66507 Reader Didier?

• OBD0 Oki83 C154 Reader - Blundar's adaptation
• OBD1 Oki66207 Reader-DIP64 - Doc's original 66207 design for DIP package chips
• OBD1 Oki66207 Reader-PLCC68 - John de sol's adapation of Doc's design for JDM SMT 66207s
• OBD2 Oki66507 Reader Nico - Nico's original reader for the 66507
• OBD2 Oki66507 Reader Didier? - Didier's revised design for a 66507 reader

A reader for other chips would require adjusting the board physical package and the code for clock speed and ROM size.

%META:TOPICINFO{author="blundar" date="1078436945" format="1.0" version="1.1"}% %META:TOPICPARENT{name="WebHome"}% All of the MCU readers described here take advantage of a design flaw of oki MCUs (and the design flaw is present on all MCUs we have seen to date). MCUs can use both internal ROM or external ROM for program memory storage, and a GND or +5v signal on _EA(EA prime - normally has line above EA) is used to control whether internal or external program memory is selected. *Oki MCUs do not latch the state of the _EA pin on startup - by some clever trickery, the internal code memory can be unmasked after the MCU has begun executing code.

All of the ROM dumpers that take advantage of this flaw operate like this:

• Manually wire an I/O pin to the _EA pin of the MCU. Use a pull up/pull down resistor if necessary.
• Use a ROM that is larger than the internal ROM of MCU. Make sure all address lines are connected as need be.
• Initialize serial port of MCU for communication with PC
• Jump above the masked ROM area (32k for 66207, 48k for 66507, ...)
• Flip state of _EA using I/O pin
• Enter delay loop long enough to allow internal ROM to be masked into memory again
• Copy ROM contents out the serial port

There are several designs that have been tested:

• OBD0 Oki83 C154 Reader Blundar?
• OBD1 Oki66207 Reader Doc?
• OBD2 Oki66507 Reader Nico
• OBD2 Oki66507 Reader Didier?