I just uploaded a file PI2_I2C_Test_1.txt which contains the I2C decode from running a logic analyzer on the PI Cameras I2C bus while running Raspi Still. Based on the messages it looks like the I2C device is a ATSHA204A. Why on earth do they need a crypto IC on the raspberry PI camera I wonder. Does the sensor require some special keys to communicate with it? I'm a bit short on time lately so if someone wants to dig into it and figure out whats going on that would be awesome, if not I'll get around to it eventually.

You can see this bytes being read from the device which match the sequence on page 24 of the datasheet of the ATSHA204A.

0.516076750000000,5,d (0x64),'4' (0x04),Read,NAK

0.516295000000000,6,d (0x64),'17' (0x11),Read,ACK

0.516385000000000,6,d (0x64),3 (0x33),Read,ACK

0.516475000000000,6,d (0x64),C (0x43),Read,NAK

I also found a forum post mentioning this device with address 0x64. The camera sensor is at I2C address 0x10 it would appear. Oddly enough running a eeprom dump on the camera sensor did produce information, not sure if its anything valid but it was consistent.

Getting some boards from OSH park tommorow so hopefully I'll be able to let you know if I successfuly transfer a camera sensor to them or not. Looks like I may have to use the same U4 from the old board if that crypto IC is used in any meaningfull way.

Update:

Turns out I'm a liar and I did have time to figure out what the I2C data was. It gets the devices serial number. Then it gets a Nonce and HMAC digest from it. Not sure what it does with it though:

Command
        Length: 0x07
        Opcode: 0x02 Read 4 bytes from device
        Param 1: Zone Config 4 Bytes
        Param 2: Address 0x0000 Serial Number [0:3]
        Checksum: 0x2D1E

Response
        Length: 0x07
        Data: SN[0:3] 01230B59
        Checksum: 0x413F

Command
        Length: 0x07
        Opcode: 0x02 Read 4 bytes from device
        Param 1: Zone Config 4 Bytes
        Param 2: Address 0x0002 Serial Number [4:7]
        Checksum: 0xAD18

Response
        Length: 0x07
        Data: SN[4:7] 8C196D83
        Checksum: 0xC465

Command
        Length: 0x07
        Opcode: 0x02 Read 4 bytes from device
        Param 1: Zone Config 4 Bytes
        Param 2: Address 0x0003 SN[8] Res I2CEN Res
        Checksum: 0x112D

Response
        Length: 0x07
        Data: SN[8] 0xEE Res 0x13 I2CON 0x01 Res 0x00

Command
        Length: 0x1B
        Command: 0x16 Generate a 32-byte random number and an internally stored nonce
        Param 1: Mode combine the new random number with NumIn, store in TempKey. Automatically update EEPROM seed only if necessary prior to random number generation
        Param 2: ZEROS
        Input Value: 5805F3C898C3133154498E082F2E703516F2DBD1
        Checksum: 0x2C82

Response
        Length: 0x23
        Nonce Response: B66B48272C80EA2D2E778162FD300728E2E7E8F04CB0C645BFD0206CC0E7E772
        Checksum: 0x4574

Command
        Length: 0x07
        Opcode: 0x11 Calculate response from key and other internal data using HMAC/SHA-256
        Param 1: Mode include the 48 bits SN[2:3] and SN[4:7] in the message
        Param 2: SlotID 0
        Checksum: 0x8D14

Resonse
        Length: 0x23
        HMAC Digest: 283AE84222422456DEB86CA33D2DFB3A9443E59F2828ABFA71037E34AAA27B2D
        Checksum: 0x445B