The purpose of this is to reverse engineer a gift card that has a scrolling marquee made out of a matrix of LEDs. The end goal of this is to eventually get a display that can be connected to a microcontroller. These gift cards were acquired around 2007 by purchasing them with small amounts of money on them.
- XGecu TL866II
- 2X Banana cable
- Kynar Wire wrap wire
- Jonard Tools ST-500 Adjustable Precision Wire Stripper, 20-30 AWG (these are amazing)
- Extech 382260: 80W Switching Mode DC Power Supply
- Hot air soldering gun
- Soldering iron/supplies
- Scrap lexan
- Scrap angle bracket
- Banana jacks
- Hot glue
- 8 pin dip socket
- 8 pin SOIC to DIP socket breakout
A hot air soldering gun was used to remove the EEPROM. EEPROM was then soldered to a 8 pin SOIC to DIP socket breakout. Device PCB had fly wires attached to a 8 pin dip socket so the EEPROM could be removed during device reverse engineering and socketed into the TL866II reader/programmer.
Reverse engineering steps:
- Take backup of device EEPROM before starting (do not brick it)
- Power up device and modify using built in buttons, make sure to notate what was modified
- Power down device, remove EEPROM and read EEPROM using TL866II reader/programmer
- Save EEPROM reading as a hex dump, at this point it can be diffed using a tool like kdiff3 to compare to previous dumps
- go to step 1.
If at any point the system gets bricked it was possible to re-flash using image taken in step zero. This tended to happen when the device was operated in ways the user could not interact with. For example the device allows for changing the message scrolling speed with a value between 1 and 6, setting this to say 15 decimal using the programmer causes the device to output garbage.
Notes on how the device memory is mapped and behavior:
Device appears to have multiple different message storage locations. This mostly focuses on “message 1” but it should be trivial to figure out the other locations.
The message length for message 1 is stored at 0x11. The value is in hex. For the example below the device would display the entire alphabet in lowercase. The message starts at 0x100. The message length can be set to the full 0xFF value and the gift card will display it.
The gift card also allows for speed selection. This is set at 0x28. The value can be between 0x01 and 0x06 any value over 0x06 makes the badge crash and print the character it represents for 0x255 .
For some reason the badge does not quite map to the ascii table, for example 0x41 should be an uppercase A but instead it prints as a lowercase a. To decode a letter mapping it is fairly easy to set the message up to contain it and see what hex value it is mapped to. The uppercase letters start with A at 0x21 and increment through the alphabet upwards.
If the device and EEPROM power were separated and the EEPROM was multiplexed using a digital switch it should be possible to use this as a display for a microcontroller.