Ficara Emilio Pietro Giovanni ~ Using SPI programmer to revive bricked Android Tablet

And finally the fully populated board...

I used a ZIF TexTool socket from 3M (RS catalog code 766-980) and modified the resistor values from the original schematic. The reason for this change is to protect the device under programming, 'cause the SPI flash memories are powered at 3V and the parallel port of PC may run at 5V. So, increasing the resistor values gives less current to the protection diodes built in the memory chip. In practice, the excess voltage coming from the parallel port falls on the resistor and the total current flowing thru the internal protection diode is (Vpp-Vcc) / R where Vpp is the voltage out from parallel port, Vcc is the flash IC supply (3V battery in this case) and R is the resistor placed between the parallel port and the IC. Note that the flash data output has lower value resistor: this is mandatory 'cause the parallel port has pull-up resistors inside and therefore the LOW level (zero logical) coming from the flash IC makes partition with the series resistor and the pull-up, and rises in value. If the series resistor is too high, the LOW level goes in the zone that is considered UNSTABLE or HIGH for the parallel port input pin and your device will not work !!! Obviously, this means that the data-out pin is not protected as well as the other pins, but for occasional use it may be considered safe enough to operate. A better solution will be to add some level-translation logic. Note the copper band in the picture: it's only to make easier to unplug the parallel port connector... don't remove that connector pulling by the wires ! You easily have to solder them again...

Well, now I will describe the step-by-step procedure to program a flash IC with this programmer. You can download here a zip file containing some batch files to run for every procedure's step and a txt file that's simply a copy of the help screen of the SPIPGM program.

--- Who needs for SPI flash programming ? ---
The man that has bricked his Android Tablet changing the wrong bytes with hex editor !
As me...

The last chance, in such horrible situation, is to reprogram the U-boot and W-boot that are on the flash chip near the microprocessor. In my WM8650 based Android Tablet, that flash was the 25P40 from ST. It's a SOIC 8 package, so isn't too complicate to unsolder from the board. NOTICE: the IC will "die" when unsoldered, as mine did, but if you have the binary file needed to fill the new one, there will be no problems.
Note that in the batch file I used, as source for flash burning, one .bin file called 2711942B.bin ; this strange filename comes from a WM8650.bin I found on the internet, renamed with the value of its CRC32 checksum. I did this 'cause there are different binary files with the same purpose (reflashing Android Boot), but in my specific tablet only the one with such CRC32 did the job. Obviously, you need to download the file somewhere (I can't remember where found it) and rename as mentioned to use the batch file without modifications.
Oops, you also need for a flash IC to program :-)
The original 25P40 from ST was impossible to find in my country, but an equivalent from Atmel is available in the Farnell catalog with code: 171 5441 (AT25DF041A-SSH-B). The component's electronic signature is unknown for the SPI programmer, but works fine as generic Atmel. As the original one, this flash IC has 4 Megabits (512 KBytes) of reprogrammable memory and costs around 1 Euro for single piece.

--- Pay attention to static charges ! Connect your body to GND when handling IC ---

Now, let's start to program the chip; follow this step-by-step sequence, please...
- insert the IC in the ZIF socket with DB25 Printer Port Connector and 3V Battery Clip both DISCONNECTED !
- connect the battery clip to the 3V battery pack with special attention to the polarity ! (reverse = destroy)
- start the "identify.bat" batch file, still without connecting the programmer to the parallel port

(this initializes the parallel port outputs to a safe condition). Obviously, there are errors, 'cause the programmer is still disconnected.
- connect the DB25 to the parallel port and run again the "identify.bat" batch.

this time you can see the chip ID that is 1F4401h, that's specific for the AT25DF041A, but not recognized by program for the type, only for manufacturer (Atmel), but it's enough.
- now, run the "unlock.bat" batch. This is necessary to enable the memory to accept writings.

even if the result is "failed", the unlock has been done.
- now erase the memory running the "erase.bat" batch. This is not needed for a new IC, but better to do it anyway...

this will take a couple of seconds if all right. If program terminates immediatly, there's something wrong.
- and now, run the "program.bat" batch...

- the program doesn't know this type of memory, so prompts for size in Kb; type 512 and go... (note that this step is skipped if the memory chip is fully recognized by the program)

programming has been executed (it will require a couple of minutes or less for the BIN file used).
- finally, read the programmed flash contents running "dump.bat" batch. It will read the flash contents and store them to arbitrary file name rd_spi.bin ; this will be useful to compare the source file with this readout.

- again the program doesn't know this type of memory, so prompts for size in Kb; once again 512 and go... (note that this step is skipped if the memory chip is fully recognized by the program)

operation complete... now use a binary file comparision to check if source and readout are equal (I suggest the great open source Frhed to do this job). In alternative you can compare the CRC32, MD5, SHA-1 of both files using the free program HashTab that integrates in Windows shell.

The flash IC is programmed, now follow this sequence to disconnect: - with the IC still in the socket and the battery connected, detach the DB25 connector from the parallel port. - detach the clip connector from the 3V battery pack. - open the ZIF and get the programmed IC.