Chip-Off Firmware Extraction on a Linux Embedded Device
Vložit
- čas přidán 7. 11. 2022
- In this video, we demonstrate a chip-off firmware extraction on a Linux embedded device, using the proper amount of flux. We use the XGecu T56 universal programmer to read the firmware off the TSOP48 M29W640GT flash chip made by ST. After reading the firmware, we show how to reattach the flash chip to allow the device to be functional again.
flash chip datasheet:
media.digikey.com/pdf/Data%20...
XGecu T56 universal programmer site:
autoelectric.cn/EN/TL866_main....
Wine wrapper for XGecu software:
github.com/radiomanV/TL866
Rossmann talking about the microscope I have:
• The microscope recomme...
IoT Hackers Hangout Community Discord Invite:
/ discord
🛠️ Stuff I Use 🛠️
🪛 Tools:
XGecu Universal Programmer: amzn.to/4dIhNWy
Multimeter: amzn.to/4b9cUUG
Power Supply: amzn.to/3QBNSpb
Oscilloscope: amzn.to/3UzoAZM
Logic Analyzer: amzn.to/4a9IfFu
USB UART Adapter: amzn.to/4dSbmjB
iFixit Toolkit: amzn.to/44tTjMB
🫠 Soldering & Hot Air Rework Tools:
Soldering Station: amzn.to/4dygJEv
Microsoldering Pencil: amzn.to/4dxPHwY
Microsoldering Tips: amzn.to/3QyKhrT
Rework Station: amzn.to/3JOPV5x
Air Extraction: amzn.to/3QB28yx
🔬 Microscope Setup:
Microscope: amzn.to/4abMMao
Microscope 0.7X Lens: amzn.to/3wrV1S8
Microscope LED Ring Light: amzn.to/4btqiTm
Microscope Camera: amzn.to/3QXSXsb
About Me:
My name is Matt Brown and I'm an Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
- Soli Deo Gloria
💻 Social:
twitter: / nmatt0
linkedin: / mattbrwn
github: github.com/nmatt0/
#iot #firmware #soldering #rework #linux #embedded_systems - Věda a technologie
I actually believe that the error message that you got was correct.
I copied your method, including the placement of the flash ship in the socket and got the same error message. However, it wouldn't even produce a binary in my case. After some troubleshooting and continuity testing I managed to identify that the top 8 pins in the TSOP socket are actually connected to the cables and not the pins. Therefore, the flash should actually be placed 4 rows down. I did this and it worked fine with no error messages. I believe that this placement is also ilustrated in the newer XGecu software.
Otherwise, Thank you for this educational video.
Get that low melt solder, mix it in. Won’t have to get nearly aggressive with the heat. Some chips won’t tolerate that. Good video brother, stay in the game !
Interested in: Bin Dump Analysis. Partition mounting. Changing files. Building partitions in firmware dump.
Fifth, you never apply cold isopropyl on a extremely hot IC. This way, you will crack the body of the IC (epoxy) because of the quick temperature difference. Use first a silicone thermal pad to cool it down and then clean it.
I'm not an expert but I think that with this size chip you should use a bigger tip on your hot air.
It should make it a bit easier to take off the chip.
Also, maybe heating a general area around the chip to increase the temperature of the ground plane could help as well.
Overall I've just found your channel, I really like what you do, keep it up!
Nice, you’re very good at this, lots of patience. I’m trying to learn this.
Very cool video thank you. Maybe a quick look into one of the inexpensive laser measures at some point 😀?
good job man , keep goin
I'm definitely subscribing I seen a dude desolder a BIOS chip that wasn't posting and he manually flashed it and it booted so I'm curios
Hi Matt,
Great videos - going to watch some more.
My recommendation:
You need less flux (first amount was more than enough) - more heat
(buy the org. amtech flux - you got a fake one)
Qianli iNeezy Tweezers fx-03 so you don't loose grip
Please use nitrile gloves - you don't want to touch all the nasty chemicals/Lead with bare hands !
Did you have an extractor ? Don't want chemicals in you lungs.
Ultrasonic cleaner - optional
You do not want to heat the body of the chip like this guy does. Point the nozzle towards the pins and go with a circular motion around the case. Secondly, you do not place flux on the ic case, but on the solder joints. Thirdly, you should always protect the plastic connectors near the soldering area with kapton tape.
You can put flux on the case. It will insulate the die more than it will conduct heat from the pins. But definitely want to put it on the pins most importantly!
very cool video! I would also love to learn how the device and software you used, works under the hood so to speak
I think most of the videos are showing firmware extraction on NOR flash, this is the first video showing NAND flash
nice! btw I found the datasheet and will add it to the video description. turns out the reason where there are like 3 or 4 manufacturers listed for the one chip model number is because acquisitions...
Another way is to change the solder material from the pins with o lower melting point material so everything goes smoother.
Fourthly, you must use a high temperature (like 400-450 Degrees Celsius) and remove the chip very quickly, like in 10-20 seconds.
You actually don't lmfao. Your comments are hilarious.
You DON'T NEED hot air to desolder these chips : Flood all leads on all sides of chip, allowing time for cooling between sides. Lift one side at a time, allow cooling time. Wick excess solder from leads.
Done this on some devices in the past, trouble is, wanted to make changes and couldn't figure out where the CRC checksum values were stored for the firmware.
That work is really grate. But in my case, I use MX30LF2G18AC and MX35LF2G14AC memory and extract firmware file by off-chip. I'm using RT809H programmer, and it shows me a some amount of bytes verification are inconsistence. I can't use that extracted firmware if that inconsistence bytes are missing. Have you ever been encounter with that kind of problem?
is there a way to program this nand flash directly from the board ???
You should get an ultrasonic cleaner if you do hot air rework often
I do rework every now and then, however I don't have to give it back to anyone so if its all messy its something I can deal with. maybe someday that will be an item in the dream lab.
If you wanted, would you be able to save this firmware and write it to another tsop-48 with the same model number? Im thinking more along the lines if the firmware became corrupt on another device would you be able to write this firmware to another chip?
Yeah, those are tough chips to desolder. I would say your nozzle is too small for that chip. As others have said, the best things to use are purpose made nozzles that blow air on both sides of the chip at once. However even just a larger diameter round nozzle would help. I also always add a fair amount of additional solder with a standard soldering iron before I start, as it makes it much easier to melt with the air gun, and it holds its heat and stays molten for longer so you can more easily get both sides molten at once.
Simple problems have become more complex
how to connect the chip base with ST-LINK programmer to read its firmware , The chip is ATMEL microprocessor .
Is there any video tutorial on making Xgpro work on Linux? I tried following the github tutorial but it just opened and didn't detect the programmer, and if I put the setupapi.dll (I used both what was provided and what I compiled) file in the XGpro folder it doesn't open anymore. can you help? (I'm trying to make it work on Raspberry pi OS, so far I've only successfully managed to get the CH341a.)
Can you do a video on rebuilding the firmware and writing it? Also is it possible to dump the firmware without removing the chip and using clips?
basically yes if you know all the main 8points where are the going you can pick that points and can read and write nand flash with t56 programmer. otherwise there is no any clip and all available.
Hey Matt, great video.
I'm starting out. I don't have the hardware you have introduced in these videos. So far I have a cheap 8 channel Logic Analyzer, a CP2102 UART dongle, ST-Link v2 dongle, a CH341A, and a Bus Pirate. I plan to expand as I go.
I have a tv here with a shattered screen that I'm experimenting with. It has a Winbond W25Q32JV bios chip.
Is it possible for you to do a video with the Bus Pirate? I've found a LOT of information on the net about it, but a lot of it just confuses me. I love your style of explaining everything. So wondering if you can help make sense of it.
Thanks man! You've helped explain a lot so far.
To be more specific... I can't seem to get any sort of connection with the chip via SPI.
The SOIC-8 clip that came with my CH341A was useless as I never can get a connection (verified by continuity). I think its just a cheap plastic mold that is a common issue. I have soldered to the legs of the chip (still on the board), very carefully ;-) . I couldnt figure out the Logic Analyzer, as hooking it up would not allow the tv to turn on. I'm also really just learning the Saleae software.
I attempt to connect to the chip via my Bus Pirate using screen and I have to be missing something here. I'm always stuck with syntax errors.
ok
😅 fix the chip on the table with some kapton tape. It won’t run away when you use the desoldering wick.
Hey Matt, I just bricked an expensive router FW. Is it possible to contact with you? Of course not for free :)
What heat gun do you use?
Hello mr matt i need some help from you regarding top28 flag memory and t56 programer
can you show some tricks on breaking encrypted firmware using side channel or other techniques ?
The device's with encrypted firmware I've looked at in the past are sadly behind NDAs. If you have a target device that you know has encrypted firmware let me know and I'll look into it.
Are you referring to a firmware update file being encrypted? or the actual firmware on flash being encrypted?
@@mattbrwn thanks, i meaning the actual encrypted firmware in flash. i know there is a method like looking into old version unencrypted firmware where the encryption algorithm is implemented and using it to decrypt latest version and some peeps use DPA side channel attacks to break AES or other cyphers but is there any other methods than this ? and ill let you know if I find a encrypted firmware, looking forward for the video. 🙂
@@kiyotaka31337 try hashcat
@@kiyotaka31337i think t56 can give you encrypted data also in OPT column and main flash differently in another column. so add both of the data to nand can result to the original firmware. what say??
@@mattbrwn oh
You should use the braid before cleaning the is. What was the point of cleaning?😂
What is the purpose of the flux in desoldering?
To improve the heat conductivity between the heat source (e.g solder tip or hot air) and whatever it is touching. Without flux, it will be much harder for the heat to transfer to what you want. E.g., without flux, it will be very hard to get solder to melt.
you need some low melt
Removing the NAND chip is completely unnecessary in many cases. Look into 360-clips.
Something new? Don’t know of any tool to read without removal. Not of a nand chip anyway.
Don’t no much about your software skills but soldering …You know…
when you have old solder just flood it with good solder until it comes off then wick it
how to read hex from pic mcu which is locked??