ST9 Readout Protection Bypass PoC
The ST9 family of microprocessors is pretty old, and currently end-of-life. They can still be found in devices being sold though. One thing that really intrigued me is that the approach to programming them involves loading a program into the microprocessor memory and executing it. The commercial programmer for these devices is no longer available. Also, it looks like it ran in MS-DOS. So, I made my own using an Arduino Uno. See st9-interface.
Programming pads
If the board you have has an ST9 microprocessor, it likely has programming pads similar to these:
The st9-interface Arduino Uno R3 project will interface with these pads to load a program, and in the examples I provide, dump memory areas back to your computer.
For reference, here’s a picture of an ST9 microprocessor on a board:
[Image: ST92F124 microprocessor]
Dumping the firmware
Getting code to execute took some time. The st9-dump repo contains a Python script that uses the Arduino to load an ST9 program which dumps different areas of memory. If the ST9 has read-out protection enabled for the Flash and/or TestFlash areas, all you’ll get back is 0xFF bytes. Make sure to use this utility to dump the E3 memory first - the E3 (Emulated EEPROM) has no read or write protection. In the worst case, using a different TestFlash revision can corrupt or erase your E3 memory. If you dumped it first, it’s not difficult to program it back; if you didn’t, you can’t go back in time. Better safe than sorry.
Upon further investigation, the TestFlash area is essentially STMicro boot code. It also has the highest authority to execute instructions: if you can find and execute an instruction inside TestFlash, it will always execute. If that instruction copies memory from one area to another, you have a read-out protection bypass. The code in the st9-poc repo does just that. It’s a modified copy of the previous dump code, with an added function that sets up the stack and calls into TestFlash to copy memory from any location into RAM, then sends it back over the serial line.
The st9-dump, without the PoC, copies out at approximately 13KBps. It would take about 5min to dump the entire 4MB memory range, although the majority of that is not used. The PoC runs at about 4KBps and will dump every area, including Flash and TestFlash, even if those areas are set to prevent it.
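A dump-side sanity check, added here as an example and not code from the st9-dump or st9-poc repos: it flags areas that came back entirely as 0xFF (the read-protected case described above), so you can tell a protected region from a real image, and it diffs an E3 backup against a later dump to catch the corruption warned about above. The sample dumps are constructed, not real chip contents.

```python
from typing import List, Tuple


def blank_runs(data: bytes, min_run: int = 256) -> List[Tuple[int, int]]:
    """Return (offset, length) for each run of 0xFF at least min_run bytes long.

    One run covering the whole area is what a read-protected Flash/TestFlash
    dump looks like; shorter runs are just unprogrammed space in a real image.
    """
    runs, start = [], None
    for i, b in enumerate(data):
        if b == 0xFF:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_run:
                runs.append((start, i - start))
            start = None
    if start is not None and len(data) - start >= min_run:
        runs.append((start, len(data) - start))
    return runs


def classify_dump(data: bytes, min_run: int = 256) -> str:
    """Label a dumped area: empty, protected_or_blank, partial or populated."""
    if not data:
        return "empty"
    blank = sum(n for _, n in blank_runs(data, min_run))
    if blank == len(data):
        return "protected_or_blank"   # nothing but 0xFF came back
    if blank > len(data) // 2:
        return "partial"
    return "populated"


def diff_dumps(before: bytes, after: bytes) -> List[Tuple[int, int, int]]:
    """Return (offset, old, new) for every byte that differs between two dumps.

    Use it to check an E3 backup against a fresh dump after loading a
    different TestFlash revision.
    """
    if len(before) != len(after):
        raise ValueError("dumps differ in length")
    return [(i, a, b) for i, (a, b) in enumerate(zip(before, after)) if a != b]


# Constructed sample dumps for a stand-alone run (not real ST9 contents).
PROTECTED_DUMP = b"\xff" * 1024                   # what a protected area returns
REAL_DUMP = bytes(range(255)) * 2 + b"\xff" * 256  # code followed by erased space

if __name__ == "__main__":
    for name, d in (("protected", PROTECTED_DUMP), ("real", REAL_DUMP)):
        print(name, classify_dump(d), blank_runs(d))
```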
ST9 References
Programmer’s Guide PDF
AN1450: ST9 Flash programming PDF
AN1528: ST92F120/F124/150/F250 testflash PDF
Obsolete Programmer
Mouser listing (includes a picture of the no-longer-available programmer)