Chip-Off Firmware Extraction on a Linux Embedded Device

19,542 views

Matt Brown

1 day ago

Comments: 58
@Cire3PC 1 year ago
Get that low melt solder, mix it in. Won't have to get nearly aggressive with the heat. Some chips won't tolerate that. Good video brother, stay in the game!
@alin636 1 year ago
I actually believe that the error message that you got was correct. I copied your method, including the placement of the flash chip in the socket, and got the same error message. However, it wouldn't even produce a binary in my case. After some troubleshooting and continuity testing I managed to identify that the top 8 pins in the TSOP socket are actually connected to the cables and not the pins. Therefore, the flash should actually be placed 4 rows down. I did this and it worked fine with no error messages. I believe that this placement is also illustrated in the newer XGecu software. Otherwise, thank you for this educational video.
@KG4JYS 1 month ago
The images are indeed updated, at least for the chips I've used in my t56 that is the case. Since the image is package specific, there's quite a few to update. I wouldn't be surprised if some didn't get updated.
@АнатолийП-у3к 2 years ago
Interested in: Bin Dump Analysis. Partition mounting. Changing files. Building partitions in firmware dump.
@timc3600 4 months ago
The flux goes onto the pins, since it helps the solder melt; it does no good on top of the plastic of the package. Heat the PCB, not the chip, using a circular motion, and consider using Kapton tape to protect other surrounding components from the heat.

I wouldn't disable pin detect; it's a quick way to ensure you have a good electrical connection on all pins before you try and read, thus it ensures you get a reliable read or write. This is particularly important on parallel devices, where the data may look OK as many of the pins read OK, but you will end up reading the wrong addresses, or missing some bits on the data pins. All of which will not help in your reverse engineering later.

I find it best to check the pins for remaining solder, similarly to how you did with the braid, but not putting any sideways pressure on the pins, since they will bend, which makes reading and reassembly more difficult. Secondly, once the chip has cooled, clean its top and bottom with some isopropyl alcohol to remove any contaminants and the flux from the pins. A small toothbrush, some IPA and a gentle brushing action from the chip centre to the outside is the best way. I'll often use paper towel under the IC, so it can absorb all the contamination rather than just brushing it around. Once done, you will get a high probability of the pin check passing, and you also won't contaminate your adapters with flux. The device ID test fails for the same reason: one or more missing pins means that the ID will not read properly, as the badly connected pins corrupt the data.

Finally, if you get an XGecu T56, which is needed for the larger memory devices, then don't forget to connect the ribbon from the top port to the header on the adapter, since this provides the extra pins needed to support the higher pin count devices. I'm not sure if the T48 works in the same way, so that's worth checking too. This is generally shown on the device layout, but it's not immediately clear what they mean, so it's caught me out a couple of times.
@kiyotaka31337 2 years ago
I think most of the videos are showing firmware extraction on NOR flash, this is the first video showing NAND flash
@mattbrwn 2 years ago
Nice! BTW, I found the datasheet and will add it to the video description. Turns out the reason there are like 3 or 4 manufacturers listed for the one chip model number is because of acquisitions...
@MCgranat999 2 years ago
I'm not an expert but I think that with this size chip you should use a bigger tip on your hot air. It should make it a bit easier to take off the chip. Also, maybe heating a general area around the chip to increase the temperature of the ground plane could help as well. Overall I've just found your channel, I really like what you do, keep it up!
@maxvideodrome4215 1 year ago
Done this on some devices in the past, trouble is, wanted to make changes and couldn't figure out where the CRC checksum values were stored for the firmware.
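On the question of where the checksum lives: an added worked example, not the video's code and not from any commenter. It brute-forces the two layouts firmware images most often use (a CRC32 word somewhere in a header that covers the rest of the image, or a CRC32 trailer that covers everything before it) against standard zlib CRC-32. The two sample images it builds are constructed for the demo, and the 16-byte header layout is an assumption. If nothing matches on a real dump, widen the candidate regions (the CRC may cover one partition rather than the whole image) and try other polynomials, init values or a CRC16 before concluding it is not a CRC at all.

```python
# Added example: locate a stored CRC32 in a firmware image by matching it
# against candidate regions. Not the video's code; the images built below are
# constructed for the demo and the header layout is an assumption.
import struct
import zlib


def find_crc32(image, max_header=256, max_trailer=64, step=4):
    """Return (stored_at, byteorder, (region_start, region_end)) hits.

    Two common layouts are tried with standard zlib CRC-32:
      A. header: the CRC lives in the first max_header bytes and covers
         image[start:] for some aligned start inside the header;
      B. trailer: the CRC immediately follows the region it covers, image[:end].
    """
    hits = []
    n = len(image)
    # Layout A: compute the CRC of every candidate tail, then look for its
    # little- or big-endian encoding in the bytes that precede that tail.
    for start in range(step, min(max_header, n), step):
        crc = zlib.crc32(image[start:]) & 0xFFFFFFFF
        for order in ("little", "big"):
            needle = crc.to_bytes(4, order)
            pos = image.find(needle, 0, start)   # needle must lie fully before start
            while pos != -1:
                hits.append((pos, order, (start, n)))
                pos = image.find(needle, pos + 1, start)
    # Layout B: CRC of image[:end] stored at image[end:end + 4].
    for end in range(n - 4, max(n - 4 - max_trailer, 0), -step):
        crc = zlib.crc32(image[:end]) & 0xFFFFFFFF
        stored = image[end:end + 4]
        for order in ("little", "big"):
            if stored == crc.to_bytes(4, order):
                hits.append((end, order, (0, end)))
    return hits


def build_header_image():
    """Constructed sample: 16-byte header [magic, length, crc32(payload), pad] + payload."""
    payload = bytes((i * 37 + 11) & 0xFF for i in range(4096))
    header = b"FWHD" + struct.pack("<II", len(payload), zlib.crc32(payload) & 0xFFFFFFFF) + b"\x00" * 4
    return header + payload


def build_trailer_image():
    """Constructed sample: body followed by a big-endian crc32(body) trailer."""
    body = bytes((i * 13 + 5) & 0xFF for i in range(2048))
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


if __name__ == "__main__":
    for name, img in (("header", build_header_image()), ("trailer", build_trailer_image())):
        for stored_at, order, region in find_crc32(img):
            print(f"{name}: CRC32 stored at 0x{stored_at:x} ({order}-endian) covers bytes {region[0]}..{region[1]}")
```

Once you know the stored offset and the covered region, patching is just recomputing the CRC over the modified region and writing it back in the same byte order; the same scan tells you whether your edit fell inside the covered region at all.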
@ShadyNetworker 2 months ago
Neat video! Question: how come the plastic package doesn't melt at nearly 400°C ? Chip-off at 12:09, for those wondering.
@Vazzible_gaming 1 year ago
Nice, you’re very good at this, lots of patience. I’m trying to learn this.
@larsmojo 1 year ago
Hi Matt, great videos, going to watch some more. My recommendations: You need less flux (the first amount was more than enough) and more heat (buy the original Amtech flux, you got a fake one). Qianli iNeezy Tweezers FX-03 so you don't lose grip. Please use nitrile gloves, you don't want to touch all the nasty chemicals/lead with bare hands! Did you have an extractor? You don't want chemicals in your lungs. Ultrasonic cleaner: optional.
@davidezequielborges392 1 year ago
Another way is to change the solder material on the pins to a lower melting point material, so everything goes smoother.
@razorr1920 23 days ago
Awesome as always. Can you try and read the application program on a Toshiba TMPM374FWUG mostly found in refrigeration systems and other consumer grade electricals
@boutahirsalaheddine1431 1 year ago
Is there a way to program this NAND flash directly from the board?
@dainazinas 7 months ago
Very cool video thank you. Maybe a quick look into one of the inexpensive laser measures at some point 😀?
@Finrow1 2 years ago
You should get an ultrasonic cleaner if you do hot air rework often
@mattbrwn 2 years ago
I do rework every now and then; however, I don't have to give it back to anyone, so if it's all messy it's something I can deal with. Maybe someday that will be an item in the dream lab.
@yenaurapourtoulmonde 1 month ago
Dozens of years ago I put a circuit in an ultrasonic cleaner: the TTL got destroyed! Never again...
@waelbadr4724 6 months ago
How do I connect the chip base to an ST-LINK programmer to read its firmware? The chip is an Atmel microprocessor.
@JurandyRafael 9 months ago
Is there any video tutorial on making Xgpro work on Linux? I tried following the GitHub tutorial but it just opened and didn't detect the programmer, and if I put the setupapi.dll file (I used both the one provided and one I compiled) in the XGpro folder it doesn't open anymore. Can you help? (I'm trying to make it work on Raspberry Pi OS; so far I've only successfully managed to get the CH341A.)
@DeepFrydTurd 1 year ago
I'm definitely subscribing. I saw a dude desolder a BIOS chip that wasn't POSTing, and he manually flashed it and it booted, so I'm curious.
@narniaphuket 2 months ago
to do this faster and easier next time, use a hot plate to remove (assuming no ICs in the way on flip side) and solder paste to replace
@dr.decapod7032 11 months ago
What heat gun do you use?
@grantscott1686 1 year ago
Very cool video! I would also love to learn how the device and software you used work under the hood, so to speak.
@NerdThingsAndMore 4 months ago
Thanks for the video and info
@kiyotaka31337 2 years ago
Can you show some tricks on breaking encrypted firmware using side channel or other techniques?
@mattbrwn 2 years ago
The devices with encrypted firmware I've looked at in the past are sadly behind NDAs. If you have a target device that you know has encrypted firmware, let me know and I'll look into it. Are you referring to a firmware update file being encrypted, or the actual firmware on flash being encrypted?
@kiyotaka31337 2 years ago
@mattbrwn Thanks, I mean the actual encrypted firmware in flash. I know there is a method like looking into an old version of unencrypted firmware where the encryption algorithm is implemented and using it to decrypt the latest version, and some peeps use DPA side channel attacks to break AES or other ciphers, but are there any other methods than this? And I'll let you know if I find an encrypted firmware; looking forward to the video. 🙂
@cosmicrider5898 2 years ago
@kiyotaka31337 try hashcat
@rajuradios 1 year ago
@kiyotaka31337 I think the T56 can give you the encrypted data also in the OPT column, and the main flash separately in another column, so adding both of the data to the NAND can result in the original firmware. What say?
@phr3ui559 1 year ago
@mattbrwn oh
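Before reaching for DPA or a decryption routine from an older build, it is worth confirming that the flash contents are actually encrypted rather than just compressed. An added example, not the video's code and not from any commenter: it walks a dump in fixed blocks, computes Shannon entropy per block, and checks block starts for well-known container magics (gzip, xz, squashfs, UBI). Entropy alone cannot tell AES output from a compressed payload, which is why the magic check comes first. The sample image is constructed for the demo (erased area, a passwd-style text region, a region with a gzip header, and SHA-256-derived noise standing in for ciphertext); the thresholds are heuristics.

```python
# Added example (not from the video or any commenter): profile a flash dump
# by entropy and container magics to decide whether a region is really
# encrypted. The sample image below is constructed for the demo.
import hashlib
import math
from collections import Counter

# A high-entropy region that starts with one of these is compressed, not
# encrypted, and unpacks without a key. Values are the standard magics.
MAGICS = {
    b"\x1f\x8b": "gzip",
    b"\xfd7zXZ\x00": "xz",
    b"hsqs": "squashfs (little-endian)",
    b"sqsh": "squashfs (big-endian)",
    b"UBI#": "UBI",
}


def shannon_entropy(block):
    """Bits per byte: 0.0 for a constant block, 8.0 for a uniform one."""
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())


def label(block):
    """Heuristic classification of one block; magic beats entropy."""
    for magic, name in MAGICS.items():
        if block.startswith(magic):
            return f"compressed container ({name} magic)"
    h = shannon_entropy(block)
    if h < 0.5:
        return "erased/padding"
    if h < 7.0:
        return "plain code or data"
    if h < 7.8:
        return "mixed"
    return "random-looking: encrypted, or compressed without a recognised header"


def profile(image, block=4096):
    """List of (offset, entropy rounded to 3 places, label) per block."""
    out = []
    for off in range(0, len(image), block):
        chunk = image[off:off + block]
        out.append((off, round(shannon_entropy(chunk), 3), label(chunk)))
    return out


def deterministic_noise(length, seed):
    """SHA-256 counter stream: stands in for ciphertext in the constructed sample."""
    buf = bytearray()
    ctr = 0
    while len(buf) < length:
        buf += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(buf[:length])


def build_sample_image():
    """Constructed 32 KiB image: erased | text | gzip-headed region | 'ciphertext'."""
    erased = b"\xff" * 8192
    text = (b"root:x:0:0:root:/root:/bin/sh\n" * 1000)[:8192]
    gz = b"\x1f\x8b\x08\x00" + deterministic_noise(8188, b"gz")
    noise = deterministic_noise(8192, b"enc")
    return erased + text + gz + noise


if __name__ == "__main__":
    for off, h, what in profile(build_sample_image()):
        print(f"0x{off:06x}  {h:5.3f}  {what}")
```

Run it against a real dump by replacing build_sample_image() with the file contents; regions labelled random-looking that are not preceded by a recognisable container and do not yield to binwalk-style carving are the ones where the key-recovery techniques discussed above actually apply.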
@dtnicholls1 4 months ago
You shouldn't be heating the chip like that mate. Grab some lead solder and put a bunch of it on the pins and wick it off to dilute the lead free stuff. The chip will come off a lot easier. If it's particularly large, use a bismuth based solder like quick chip.
@KyawThiha-f6n 6 months ago
That work is really great. But in my case, I use MX30LF2G18AC and MX35LF2G14AC memory and extract the firmware file by chip-off. I'm using an RT809H programmer, and it shows me that some amount of bytes are inconsistent on verification. I can't use that extracted firmware if those inconsistent bytes are missing. Have you ever encountered that kind of problem?
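A raw NAND read usually includes the spare (OOB) area of every page, and verification mismatches are much easier to diagnose once you know whether they fall in the main data or in the spare bytes. An added example, not the video's code and not from any commenter: it splits a raw page+spare dump into the main image and a per-page list of spare areas, lists blocks carrying a factory bad-block marker, and diffs two reads page by page. The geometry (2048+64-byte pages, 64 pages per block) is an assumption for a 2 Gbit SLC part such as the MX30LF2G18AC mentioned above; check the datasheet for your chip, and note that the bad-block marker position is a common convention, not a universal one. The dump is constructed for the demo.

```python
# Added example (not the video's or any commenter's code): split a raw NAND
# dump that includes the spare/OOB area, list factory bad blocks, and diff
# two reads page by page. Geometry is an ASSUMPTION for a 2 Gbit SLC part;
# confirm it against the datasheet before trusting the output.
PAGE = 2048           # main-area bytes per page (assumed)
SPARE = 64            # spare/OOB bytes per page (assumed)
PAGES_PER_BLOCK = 64  # assumed


def split_dump(raw, page=PAGE, spare=SPARE):
    """Return (main_image, [spare_0, spare_1, ...]) from a raw page+spare dump."""
    stride = page + spare
    if len(raw) % stride:
        raise ValueError(f"dump length {len(raw)} is not a multiple of {stride}: wrong geometry?")
    n = len(raw) // stride
    main = b"".join(raw[i * stride:i * stride + page] for i in range(n))
    oob = [raw[i * stride + page:(i + 1) * stride] for i in range(n)]
    return main, oob


def factory_bad_blocks(oob, pages_per_block=PAGES_PER_BLOCK):
    """Blocks whose first or last page has a non-0xFF first spare byte.

    Common factory marking convention; marker page and byte offset vary by
    vendor, so treat the result as a heuristic and confirm with the datasheet.
    """
    bad = []
    for b in range(len(oob) // pages_per_block):
        first = oob[b * pages_per_block][0]
        last = oob[(b + 1) * pages_per_block - 1][0]
        if first != 0xFF or last != 0xFF:
            bad.append(b)
    return bad


def diff_pages(raw_a, raw_b, page=PAGE, spare=SPARE):
    """Pages that differ between two reads, tagged 'main' or 'spare'.

    Differences in the main area are uncorrected bit flips: re-read, and use a
    reader that applies the chip's ECC. Differences confined to the spare area
    point at ECC/metadata bytes rather than the payload.
    """
    if len(raw_a) != len(raw_b):
        raise ValueError("dumps differ in length")
    stride = page + spare
    out = []
    for i in range(len(raw_a) // stride):
        a = raw_a[i * stride:(i + 1) * stride]
        b = raw_b[i * stride:(i + 1) * stride]
        if a != b:
            out.append((i, "main" if a[:page] != b[:page] else "spare"))
    return out


def build_sample_dump(blocks=4, bad=(2,)):
    """Constructed dump: deterministic page data, block 2 marked bad."""
    pages = []
    for b in range(blocks):
        for p in range(PAGES_PER_BLOCK):
            idx = b * PAGES_PER_BLOCK + p
            main = bytes((idx * 7 + k) & 0xFF for k in range(PAGE))
            spare = bytearray(b"\xff" * SPARE)
            if b in bad and p in (0, PAGES_PER_BLOCK - 1):
                spare[0] = 0x00
            pages.append(main + bytes(spare))
    return b"".join(pages)


if __name__ == "__main__":
    dump = build_sample_dump()
    main, oob = split_dump(dump)
    print(f"main image {len(main)} bytes, {len(oob)} pages, bad blocks {factory_bad_blocks(oob)}")
```

With a real dump, take two reads and run diff_pages on them before you do anything else: if the mismatches reported by the programmer are all in the spare area, the main image is probably fine and the tool is comparing ECC bytes it recomputes; if they are in the main area, reseat the chip, clean the pins and read again.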
@JeremySpidle 11 months ago
You DON'T NEED hot air to desolder these chips : Flood all leads on all sides of chip, allowing time for cooling between sides. Lift one side at a time, allow cooling time. Wick excess solder from leads.
@JasonScottHamilton 1 year ago
What is the purpose of the flux in desoldering?
@alin636 1 year ago
To improve the heat conductivity between the heat source (e.g solder tip or hot air) and whatever it is touching. Without flux, it will be much harder for the heat to transfer to what you want. E.g., without flux, it will be very hard to get solder to melt.
@RejectedManiac 8 months ago
If you wanted, would you be able to save this firmware and write it to another TSOP-48 with the same model number? I'm thinking more along the lines of: if the firmware became corrupt on another device, would you be able to write this firmware to another chip?
@lptf5441 1 year ago
Yeah, those are tough chips to desolder. I would say your nozzle is too small for that chip. As others have said, the best things to use are purpose made nozzles that blow air on both sides of the chip at once. However even just a larger diameter round nozzle would help. I also always add a fair amount of additional solder with a standard soldering iron before I start, as it makes it much easier to melt with the air gun, and it holds its heat and stays molten for longer so you can more easily get both sides molten at once.
@user-ui8my9zs7o 1 year ago
Can you do a video on rebuilding the firmware and writing it? Also is it possible to dump the firmware without removing the chip and using clips?
@rajuradios 1 year ago
Basically yes, if you know all the main 8 points and where they are going, you can pick those points and read and write the NAND flash with a T56 programmer. Otherwise there is no clip or anything available.
@electronicsideas1361 7 months ago
How to read the hex from a PIC MCU which is locked?
@chengcheng422 1 year ago
Simple problems have become more complex
@kagandemirarslan872 2 years ago
Good job man, keep going
@_efault 2 months ago
Waiting is very uncomfortable, T56 can greatly reduce your waiting time
@zsbalak 2 years ago
Hey Matt, I just bricked an expensive router FW. Is it possible to contact you? Of course not for free :)
@BrainTumorAndChill 2 years ago
Hey Matt, great video. I'm starting out. I don't have the hardware you have introduced in these videos. So far I have a cheap 8 channel Logic Analyzer, a CP2102 UART dongle, ST-Link v2 dongle, a CH341A, and a Bus Pirate. I plan to expand as I go. I have a tv here with a shattered screen that I'm experimenting with. It has a Winbond W25Q32JV bios chip. Is it possible for you to do a video with the Bus Pirate? I've found a LOT of information on the net about it, but a lot of it just confuses me. I love your style of explaining everything. So wondering if you can help make sense of it. Thanks man! You've helped explain a lot so far.
@BrainTumorAndChill 2 years ago
To be more specific... I can't seem to get any sort of connection with the chip via SPI. The SOIC-8 clip that came with my CH341A was useless, as I never can get a connection (verified by continuity). I think it's just a cheap plastic mold that is a common issue. I have soldered to the legs of the chip (still on the board), very carefully ;-). I couldn't figure out the logic analyzer, as hooking it up would not allow the TV to turn on. I'm also really just learning the Saleae software. I attempt to connect to the chip via my Bus Pirate using screen and I have to be missing something here. I'm always stuck with syntax errors.
@phr3ui559 1 year ago
ok
@yenaurapourtoulmonde 1 month ago
Takes a damn while to unsolder that chip: six full minutes!! Couldn't you just blow hot air on the pins instead of the package, and make a continuous rectangular pattern? In addition, use a regulated pre-heater to raise the temperature to 120-150°C underneath the board. All these precautions would accelerate the process and avoid destroying the inner chip by exceeding its max temperature. And one more thing: adding flux doesn't help make the solder melt; instead the cold flux lowers the temperature.
@scrypto 3 months ago
the UFPI programmer is much better + ecc corrections available
@stevensgarage6451 1 year ago
you need some low melt
@johnbinns893 1 year ago
Removing the NAND chip is completely unnecessary in many cases. Look into 360-clips.
@Cire3PC 1 year ago
Something new? Don’t know of any tool to read without removal. Not of a nand chip anyway.
@Roy_Tellason 3 months ago
Not inclined to buy from china if I can possibly avoid it, and no way in hell am I gonna run windoze, or wine for that matter. If they can't provide software that runs under linux, I'll deal with somebody else.
@rjbrake 2 years ago
When you have old solder, just flood it with good solder until it comes off, then wick it.
@aumdallymohammadalfaad7094 9 months ago
Hello Mr. Matt, I need some help from you regarding top28 flash memory and the T56 programmer.