Hacker News new | past | comments | ask | show | jobs | submit login
Practical Reverse Engineering Part 4 - Dumping the Flash (jcjc-dev.com)
107 points by fcambus on June 8, 2016 | hide | past | favorite | 10 comments



In case you need to dump/re-flash an SPI memory chip, but don't happen to have an FTDI programmer handy (be that as a protest to their despicable actions with Windows drivers some time ago, or for any other reason), another (much cheaper) alternative is Chinese CH341A, which are available on eBay and other usual places for around $3 (complete assembled programmer board, shipped). CH341A is well supported on both Linux [1] and Windows [2].

[1] https://github.com/setarcos/ch341prog

[2] https://tosiek.pl/ch341-eeprom-and-spi-flash-programmer/


If you own a Raspberry Pi, Beaglebone Black, Intel Galileo, or (honestly) any tiny computer, you can probably read and write SPI via spidev. [1]

Another alternative is a buspirate, but it is much slower. [2] If you don't plan on doing this often, it's probably the way to go. Cheap and has the ability to do a lot more than just SPI.

But there is definitely not a need to shell out $100+ for a dediprog.

Big warning, though, if you decide to use any of these methods with a chip that is still on-board, you really should use a benchtop power supply. You run the risk of damaging your device otherwise-- I damaged my Beaglebone Black this way. Your device might be able to supply 3.3v to a small chip, but the board probably will draw more than that depending on isolation.

If you don't have one, find a cruddy ATX PC power supply on craigslist, probably in the free section. The orange lines are 3.3v and will work in a pinch.

[1]: http://linux-sunxi.org/SPIdev

[2]: http://dangerousprototypes.com/docs/Bus_Pirate


Small nit: $3 != $100+

That said, using native SPI bus on a closest laying around (embedded) Linux board is an awesome idea hardware-wise. What about software though? Will dd if=file.bin of=/dev/spidev0.0 fail to write to an SPI NOR chip?


Flashrom [1] is the go-to tool for everything SPI on *nix. It knows how to identify chips and will prevent you from doing anything stupid, if it can.

[1]: https://www.flashrom.org/Flashrom

(As of January, it looks to have support for your $3 programmer! https://github.com/flashrom/flashrom/blob/86bb6c55dd3bb1a167... )


Never heard before about the "flashrom" tool. Looks nice, especially the long list of supported HW. Thanks!


Wanted to mention the SPI flash work done by the person behind thunderstrike.[1] "This device can read the chip in tens of seconds, write it in less than a minute."[2]

[1] https://trmm.net/SPI_flash [2] https://trmm.net/Thunderstrike_31c3


This approach won't always work. On some boards applying enough power to bring up the SPI will also power enough connected logic that it'll start generating SPI traffic and your read attempts will fail. On some boards the capacitance of unpowered logic will leave you miserable. It's definitely worth trying this as a first step in dumping SPI, but you need to be prepared to remove the chip and re-dump it. Also bear in mind that these things really aren't designed for multiple attach/detach cycles, so unless you want an IC with fewer legs than it started with you shouldn't plan on being able to repeatedly remove and reflash it without adding some sort of removable setup - sockets may not be practical for multiple reasons, but you might be able to get away with soldering a header onto the pads and then jumpering the chip onto that. But as a fallback: dump the chip after you remove it the first time, keep hold of that dump and buy some compatible parts that you can swap in if you kill it.


Or you could just lift the MOSI/MISO/SCK/CS pins off the board with an iron and tweezers and power it up normally. The pin pitch on this one is relatively big, shouldn't be too hard, definitely easier than removing.


This is such a great series! I have been an RE hobbyist for some years, but this taught me a few tricks I didn't know about.


SDA\




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: