Since when I discovered them, I really love servo testers. They are cheap, small and do exactly one thing quite well. I said quite for one reason. The range of the generated PWM duty cycle is limited from 1ms to 2ms. This generally allows you to move a servo in a 90 degrees range. But quite often you need to test a wider range of movement. I had a few of the cheapest-no-frills model. One potentiometer, one pushbutton, three LEDs, 2€ each. I didn’t care sacrificing one, so I carefully opened the paper (!) box to unveil the electronic guts. Alas the little SOP8 processor inside had its markings erased. I spent some time trying to identify it with no success. Some glue to close it again and back it was in his drawer.
A new world
I forked a few more euros for a more advanced model. A small 4 digits display and two buttons instead of one. Same range restrictions. Again I opened it (4 screws and a plastic box this time) to see what’s inside. An unknown, bigger, MCU this time complete with markings: N76E003. Never heard of it, but after some research I found that it’s quite a common beast, especially in Asia, and yet another 8051 based one. I felt a bit better because I already wet my toes in this kind of architecture reprogramming an RF receiver for remote LED strip control. To my dismay I also discovered that I needed yet another programmer to flash it, and not a particularly cheap one. At last I headed for a reasonably priced clone (12€60). The programmer is called Nu-link from the chip brand’s name: Nuvoton. I also bought a small “development board” for the very same processor for 2€. The board sports a mini USB connector but sadly that’s only for powering it, not for programming, so I had to wait 4 weeks to receive both of them and begin to experiment.
As I discovered there is no need for the NuLink programmer if the onboard chip had been already programmed with a bootloader (I guess it was); you just need a TTL serial adapter (FT232, CH340, CP2102 and so on). Sadly if you erase the chip you can’t easily find the code for the bootloader on Nuvoton site, I had to rely to some russian forum to get it and give it a try.
Meanwhile I had plenty of time to reverse engineer the servo controller and, for once, diligently document my effort. To my joy the programming pins were easily accessible thanks to five pads on the PCB. Actually on the other side of the holes sits the LED display, so you can’t easily solder a pin header, but so is life. I managed to decently solder an angled pin header so that I could even close the box again leaving it in place. Time to study some theory, obviously the datasheet, but even better I found an introduction to programming and a more advanced coding tutorial rich of examples.
Coding (at last)
If you’re interested in the same platform I would strongly recommend the tutorials I just linked. Be careful though, there are plenty of cheap “development boards” quite similar to the one in the tutorials, but slightly different. Mine has its LED on pin P1.2 instead of P1.4 for example.
Following what I learnt while waiting for the couriers to deliver, I launched Keil uVision, attached my development board to the Nu-link and started coding the classical blinky. For once everything worked as a cinch. Now I had to (hopefully temporary) destroy my servo tester erasing the chip’s flash. Obviously it comes with read protection, no way to save the firmware apparently. Luckily the so called board support package contains lots of examples. I can’t say I’m an 8051 expert, but just copying bits of the examples half understanding what was lying under was enough to get PWM working at a beautiful 50Hz, my scope confirmed. Some more quite usual coding brought ADC for the potentiometer, pushbutton debouncing, timer interrupts. All the bricks were ready since I already knew which pins were connected to what. A few hours later I had a rough replacement for the original firmware. Some more time and I cleaned up and put everything in a git repository.
What I learnt
Well, sincerely a lot. I know, the world is full of people rewriting firmware for things as complicated as routers and this is a baby’s toy if compared to that. But I think it was a great exercise for me, and event strengthened my self confidence as a reverse-engineer/hacker/you-name-it.
A few technical details. When I first tried to program a board directly from Keil I had a strange error “*** Error: Flash Verify Failed at 0x0000”. Trying to find help from Google I only found a match in a couple of chinese pages, but I did not give up. The images on the page were more than enough: you need to configure pin 2.0 as input-only pin, not external reset. This is where self-confidence works for you.
This is even harder. When I first tried to read the 2 input buttons I had some problem, they seemed to fire an input when i was just approaching my finger. I had to remove the lines configuring the input pins as “input only” and leave them in “quasi-bidirectional mode”, the classic 8051 mode where pins work as input or output without any need for explicit configuration. I won’t even try to enter the technical details, since you can get better explanations.
The last one was of great satisfaction. When the first working version was ready I noticed the LED display seemed much dimmer than before. My suspect that I was using the wrong i/o pin settings was right, and got the right brightness configuring the display pins as push-pull. From the very last link i gave you:
The push-pull mode has the same pull-low structure as the quasi-bidirectional mode, but provides a continuous strong pull-high when the port latch is written by logic 1. The push-pull mode is generally used as output pin when more source current is needed for an output driving.
A couple of new servo testers have arrived. To my great surprise they have a range of 800-2200uS!