
Practical Reverse Engineering Part 4 - Dumping the Flash - fcambus
http://jcjc-dev.com/2016/06/08/reversing-huawei-4-dumping-flash/
======
aexaey
In case you need to dump/re-flash an SPI memory chip, but don't happen to have
an FTDI programmer handy (be that as a protest to their despicable actions
with Windows drivers some time ago, or for any other reason), another (much
cheaper) alternative is Chinese CH341A, which are available on eBay and other
usual places for around $3 (complete assembled programmer board, shipped).
CH341A is well supported on both Linux [1] and Windows [2].

[1] https://github.com/setarcos/ch341prog

[2] https://tosiek.pl/ch341-eeprom-and-spi-flash-programmer/

~~~
nickysielicki
If you own a Raspberry Pi, Beaglebone Black, Intel Galileo, or (honestly) any
tiny computer, you can probably read and write SPI via spidev. [1]

Another alternative is a buspirate, but it is _much_ slower. [2] If you don't
plan on doing this often, it's probably the way to go. Cheap and has the
ability to do a lot more than just SPI.

But there is definitely not a need to shell out $100+ for a dediprog.

Big warning, though, if you decide to use any of these methods with a chip
that is still on-board, you really should use a benchtop power supply. You run
the risk of damaging your device otherwise-- I damaged my Beaglebone Black
this way. Your device might be able to supply 3.3v to a small chip, but the
board probably will draw more than that depending on isolation.

If you don't have one, find a cruddy ATX PC power supply on craigslist,
probably in the free section. The orange lines are 3.3v and will work in a
pinch.

[1]: http://linux-sunxi.org/SPIdev

[2]: http://dangerousprototypes.com/docs/Bus_Pirate

~~~
aexaey
Small nit: $3 != $100+

That said, using the native SPI bus on the closest (embedded) Linux board
lying around is an awesome idea hardware-wise. What about software though?
Will _dd if=file.bin of=/dev/spidev0.0_ fail to write to an SPI NOR chip?

~~~
nickysielicki
Flashrom [1] is the go-to tool for everything SPI on *nix. It knows how to
identify chips and will prevent you from doing anything stupid, if it can.

[1]: https://www.flashrom.org/Flashrom

(As of January, it looks to have support for your $3 programmer!
https://github.com/flashrom/flashrom/blob/86bb6c55dd3bb1a167dec4548976d1d10748ded7/ch341a_spi.c
)
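To show what sits between a raw `dd` to the device node and a usable image, here is an added example (not code from the article, the thread, or flashrom) of the two SPI NOR transactions a dump actually needs: JEDEC Read Identification (opcode 0x9F) to learn the chip size, and the classic READ (opcode 0x03) with a 24-bit address, issued in chunks. It assumes a single callable `xfer(tx) -> bytes` with the shape of py-spidev's `SpiDev.xfer2`; `FakeSpiNor` is a constructed stand-in so the flow runs without hardware, and its JEDEC bytes are made up, not a real vendor's ID.

```python
"""
SPI NOR read flow as seen over a spidev-style full-duplex transfer.

Added example, not code from the article or this thread. It assumes one
callable, xfer(tx: bytes) -> bytes, that clocks tx out on MOSI and returns
what came back on MISO (the shape of py-spidev's SpiDev.xfer2). FakeSpiNor
is a constructed stand-in for the chip so the flow runs with no hardware.
"""

CMD_RDID = 0x9F  # JEDEC Read Identification: manufacturer, type, capacity
CMD_READ = 0x03  # classic READ: opcode + 24-bit address, then data streams out


def rdid_frame() -> bytes:
    # Opcode followed by three don't-care bytes whose clock edges shift the ID in.
    return bytes([CMD_RDID, 0x00, 0x00, 0x00])


def read_frame(addr: int, length: int) -> bytes:
    """Frame for READ: opcode, big-endian 24-bit address, then `length`
    don't-care bytes that clock the data out of the chip."""
    if not 0 <= addr < (1 << 24):
        raise ValueError("READ takes a 24-bit address")
    return bytes([CMD_READ, (addr >> 16) & 0xFF, (addr >> 8) & 0xFF, addr & 0xFF]) + bytes(length)


def parse_jedec_id(resp: bytes) -> dict:
    """resp[0] is whatever MISO held while the opcode went out; the ID follows.
    size_bytes uses the common 2**capacity_code convention, which not every
    vendor follows, so treat it as a hint to confirm against the datasheet."""
    manufacturer, mem_type, capacity = resp[1], resp[2], resp[3]
    return {"manufacturer": manufacturer, "type": mem_type,
            "capacity_code": capacity, "size_bytes": 1 << capacity}


def dump_flash(xfer, size: int, chunk: int = 1024) -> bytes:
    """Read `size` bytes as a series of READ transactions. spidev caps the
    bytes per transfer (bufsiz, 4096 by default), so a chip cannot be read
    in one frame; 1024 data bytes + 4 header bytes stays well under that."""
    image = bytearray()
    for addr in range(0, size, chunk):
        n = min(chunk, size - addr)
        resp = xfer(read_frame(addr, n))
        image += resp[4:]  # drop the 4 bytes returned while opcode+address went out
    return bytes(image)


class FakeSpiNor:
    """Constructed model of a small chip that answers RDID and READ only.
    The JEDEC bytes are invented (not a real vendor); capacity 0x10 => 64 KiB."""

    def __init__(self, contents: bytes, jedec=(0xAA, 0xBB, 0x10)):
        self.mem = contents
        self.jedec = jedec

    def xfer(self, tx: bytes) -> bytes:
        cmd = tx[0]
        if cmd == CMD_RDID:
            return bytes([0xFF, *self.jedec]) + b"\xFF" * max(0, len(tx) - 4)
        if cmd == CMD_READ:
            addr = int.from_bytes(tx[1:4], "big")
            n = len(tx) - 4
            data = self.mem[addr:addr + n]
            data += b"\xFF" * (n - len(data))  # past the end: bus left idle-high
            return b"\xFF" * 4 + data
        # Anything else, e.g. a firmware file streamed straight at the device
        # node by dd, is not a command the chip knows; MISO just stays idle.
        return b"\xFF" * len(tx)


def dump_with_spidev(device: str = "/dev/spidev0.0", speed_hz: int = 1_000_000) -> bytes:
    """Same flow on real hardware through py-spidev (assumed installed)."""
    import spidev  # imported lazily so the offline path needs no hardware
    bus, cs = (int(x) for x in device.rsplit("spidev", 1)[1].split("."))
    spi = spidev.SpiDev()
    spi.open(bus, cs)
    spi.max_speed_hz = speed_hz
    spi.mode = 0
    try:
        xfer = lambda tx: bytes(spi.xfer2(list(tx)))
        size = parse_jedec_id(xfer(rdid_frame()))["size_bytes"]
        return dump_flash(xfer, size)
    finally:
        spi.close()


if __name__ == "__main__":
    chip = FakeSpiNor(bytes(range(256)) * 256)  # constructed 64 KiB pattern
    ident = parse_jedec_id(chip.xfer(rdid_frame()))
    image = dump_flash(chip.xfer, ident["size_bytes"])
    print(ident, len(image), image[:8].hex())
```

The point of the fake's fallback branch is the one raised in the question: bytes written to `/dev/spidev0.0` are not stored, they are interpreted as opcodes, so a file streamed with `dd` produces nothing useful, which is exactly the framing, chip identification and size checks that flashrom handles for you.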

~~~
aexaey
Never heard before about the "flashrom" tool. Looks nice, especially the long
list of supported HW. Thanks!

------
mjg59
This approach won't always work. On some boards applying enough power to bring
up the SPI will also power enough connected logic that it'll start generating
SPI traffic and your read attempts will fail. On some boards the capacitance
of unpowered logic will leave you miserable. It's definitely worth trying this
as a first step in dumping SPI, but you need to be prepared to remove the chip
and re-dump it. Also bear in mind that these things _really_ aren't designed
for multiple attach/detach cycles, so unless you want an IC with fewer legs
than it started with you shouldn't plan on being able to repeatedly remove and
reflash it without adding some sort of removable setup - sockets may not be
practical for multiple reasons, but you might be able to get away with
soldering a header onto the pads and then jumpering the chip onto that. But as
a fallback: dump the chip after you remove it the first time, keep hold of
that dump and buy some compatible parts that you can swap in if you kill it.
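The two failure modes described above (reads that fail because other logic is driving the bus, and a chip that never answers) both show up in the dump itself, so a practitioner reads the chip twice and checks the images before trusting them. The following added example (not from the thread) does that with constructed input: it lists offsets where two reads disagree and flags an image that is almost entirely 0xFF or 0x00, which is what an idle or held MISO line looks like when the chip is not actually responding.

```python
"""
Sanity checks for an in-circuit SPI flash dump.

Added example, not from the thread. Two checks: a second read that disagrees
with the first (something else on the board is driving the bus, or unpowered
logic is loading it), and an image that is nearly all 0xFF or 0x00 (the chip
never answered and the reader just recorded an idle or held line). Inputs are
constructed in-line.
"""


def find_mismatches(first: bytes, second: bytes, limit: int = 16) -> list:
    """Offsets where two reads of the same chip differ, capped at `limit`."""
    if len(first) != len(second):
        raise ValueError(f"dump lengths differ: {len(first)} vs {len(second)}")
    hits = []
    for offset, (a, b) in enumerate(zip(first, second)):
        if a != b:
            hits.append(offset)
            if len(hits) == limit:
                break
    return hits


def constant_block_ratio(image: bytes, block: int = 4096) -> float:
    """Fraction of `block`-sized blocks that are entirely 0xFF or 0x00.
    Real images contain some erased (0xFF) space, so only a ratio close
    to 1.0 is a red flag, not the presence of a few blank blocks."""
    if not image:
        return 1.0
    blocks = [image[i:i + block] for i in range(0, len(image), block)]
    const = sum(1 for blk in blocks
                if blk == b"\xFF" * len(blk) or blk == b"\x00" * len(blk))
    return const / len(blocks)


def assess_dump(first: bytes, second: bytes, block: int = 4096,
                threshold: float = 0.95) -> dict:
    """Combine both checks into a verdict a script can act on."""
    mismatches = find_mismatches(first, second)
    ratio = constant_block_ratio(first, block)
    if mismatches:
        verdict = "unstable"      # reads disagree: fix power/isolation or remove the chip
    elif ratio >= threshold:
        verdict = "no-response"   # bus idle: chip not powered, not selected, or not wired
    else:
        verdict = "consistent"
    return {"verdict": verdict, "mismatch_offsets": mismatches,
            "constant_block_ratio": round(ratio, 3)}


if __name__ == "__main__":
    # Constructed "firmware": 32 KiB of a non-repeating byte pattern plus one erased block.
    good = bytes((i * 7 + 3) & 0xFF for i in range(32 * 1024)) + b"\xFF" * 4096
    flaky = bytearray(good)
    flaky[100] ^= 0x01       # two bit flips standing in for bus contention
    flaky[20000] ^= 0x80
    print(assess_dump(good, good))
    print(assess_dump(good, bytes(flaky)))
    print(assess_dump(b"\xFF" * len(good), b"\xFF" * len(good)))
```

The block size and threshold are tunable; the defaults assume a 4 KiB sector layout and treat an image that is 95% blank as a read that never reached the die rather than as a mostly-empty chip.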

~~~
a1k0n
Or you could just lift the MOSI/MISO/SCK/CS pins off the board with an iron
and tweezers and power it up normally. The pin pitch on this one is relatively
big, shouldn't be too hard, definitely easier than removing.

------
fapjacks
This is such a great series! I have been an RE hobbyist for some years, but
this taught me a few tricks I didn't know about.

------
FAHED1
SDA

