How do they steal the firmware of devices and how to protect themselves from it?

Hacker

This article was written for educational purposes only. It is not a call to action of any kind and is provided for information only. The author is not responsible for your actions.
All of us, as children, armed ourselves with a screwdriver and took some device apart to understand how it works. For some it became a profession, but the years when the device under study did not resist being studied are over. Now every coffee maker does its best to make sure you cannot learn how it works. Is there a way out? Yes! Today we'll look at how to pull the firmware out of different devices and how developers try to prevent it.

As you remember, tube radios had no firmware at all, and the only thing that could interfere with your curiosity was the anode voltage, which at least did not attack you on its own. Now everything is different: I have come across devices that aggressively opposed me from the very beginning, even at the stage of taking the case apart. That is where we will start.

OPENING
The first thing that can await you on the way to the cherished memory chip with the firmware is a well-closed case. It seems like no problem: I took a Phillips screwdriver... Wait, is it really a Phillips screwdriver? There are now at least a couple of dozen screw-head shapes, and, of course, not all of them can be unscrewed with normal human tools. To disassemble one device, for example, I had to file the required shape out of a flat screwdriver.

Let's say you picked up (or made) a screwdriver of the right shape. Well done! You unscrewed the screws, lifted the lid, heard the crack of the PCB, and the device can be sent to the trash heap. This happens because the board in your gadget does not just dangle inside the case but is mated to its parts in a complicated way, usually with special latches that pass through holes in the board; when the case is taken apart, they break the board and make further study pointless.

Or maybe there was no crack. Then you connect to what you discovered, read the memory, and get nothing but zeros. How could that happen? Modern technology makes it possible to produce tiny SMD photocells, such as phototransistors, and they are commonly used for exactly this kind of protection. As soon as the device detects that even a little light has reached the board (even through a small hole in the case), the controller erases its firmware and leaves you with a non-functional device. And you are lucky if the protection does not physically burn something out as well!

The trouble is that an eye not used to such tricks cannot immediately tell a phototransistor from an ordinary LED, and even an experienced one is unlikely to manage it right away, if it notices the part at all.

INSPECTING THE BOARD
If the autopsy did not show that the patient died of the autopsy, I first examine the board looking for the pins of the debug interfaces, usually JTAG or UART. The main problem is not that the required contacts can be in very unexpected places, but that they are usually disabled. Of course, even in 2021 there are still enough unique people who ship devices to production with the UART enabled, but their number is falling rapidly.

If you are unlucky, there are only two options: either cry into your pillow, or look for the memory chip on the board and read it directly.

And here a lot of interesting things await you! Did you think you just need to pull out an eight-legged chip in a DIP package, like an old BIOS chip? Not at all! There are now at least four relatively widely used types of memory, and some of them can look so similar that you cannot tell them apart.

MEMORY
Before I tell you what and how to do with memory, let's first figure out what it is and how to distinguish it from other components on the board.

In my experience, the processor (in the center of the photo above) is usually square and in a BGA package, while the memory is rectangular and in an SOP package.

Ultraportable but computationally powerful devices (smartphones, for example) often stack the processor and memory in a package-on-package sandwich: both the footprint and the latency are smaller that way. The form factor is, of course, BGA, simply because nothing else fits into such a tiny case.

ROM - read-only memory - is fairly easy to distinguish. Suppose you have already found the chip with it. Now let's figure out what it is.

We are interested in EEPROM (Electrically Erasable Programmable Read-Only Memory), FRAM (ferroelectric RAM) and NOR/NAND flash; you already know most of them. The only one you may not have heard of is FRAM: although it has been commercially available since the 1990s, it only started showing up in ordinary devices in the last several years, so it is still not very common.

EEPROM
The distinguishing features of this memory are byte-level read and write. It is the most durable kind: by the manufacturers' calculations it can retain data for about two hundred years! But you pay for reliability, mainly with capacity, which is this type's weak point: a typical chip holds kilobytes. Because of the small capacity, EEPROM is almost never used to store firmware; it usually holds settings or logs instead. And since we are listing the minuses, it is also slow.

eeprom.jpg

EEPROM memory cell device

The cell endurance is about a million write cycles. Compared with modern NAND cells, where the figure ranges from a few thousand to a few tens of thousands of cycles depending on the cell type, EEPROM is unrealistically reliable.

FRAM
FRAM is a relatively new type of non-volatile memory. It came into wide industrial use only a few years ago, so the chance of finding FRAM in some smart refrigerator is small, but that may soon change. So far the main obstacle is the price, which is higher than that of the other memory types.

fram.jpg

FRAM cell structure. Looks like DRAM, doesn't it?

It differs from EEPROM in a fundamentally different way of storing information: what is stored is not charge on a floating gate but the polarization direction of a ferroelectric layer. Applying a voltage flips the polarization, which is how the cell is written, and also how it is read: a read in FRAM is destructive, so the controller rewrites the cell after every read.

Thanks to this principle, FRAM is much faster than EEPROM and withstands far more write cycles (on the order of 10^12 and above); the price for that is shorter data retention, typically specified at around ten years at elevated temperature rather than a century or more.

NOR / NAND Flash
NOR and NAND flash are, simply put, EEPROM-style cells assembled into a large array that is erased block by block instead of byte by byte. NOR and NAND differ only in how the cells are wired in the array (each NOR cell connects to a bit line directly; NAND cells are chained in series), but this small difference leads to large differences in how the memory behaves.

nornand.jpg


NOR is faster, random-access and more reliable than NAND, but more expensive because of its lower density. NAND, on the other hand, is dirt cheap but has reliability problems: it is read and written page by page, and the manufacturer allows it to leave the factory with some bad blocks.

NOR and NAND are what SSDs and all kinds of flash drives are built from. Because of NAND's low reliability, such drives necessarily carry a large pool of spare cells that are inaccessible to the user and a smart controller that manages it all. Paying for that overhead in a consumer smart multicooker is unforgivably expensive, so NOR is usually used there, and NAND is left for user drives, where reliability problems can be passed on to the user who does not make backups. Actually, no: even cheap routers increasingly use NAND, because the bootloader and the OS take care of integrity themselves, with bad-block management and ECC handled in software.

Summary table
memtable.jpg


NOR would be perfect if not for its price, so the market decided, and now we use NAND almost everywhere. Even in embedded systems we have more or less learned how to live with it safely: checksums, ECC codes and spare blocks. Beautiful!

CHIP PACKAGES
packages.jpg


As you can see, memory packages are a mess: besides the options shown in the picture, you can easily recall a dozen more, and there is no guarantee the manufacturer did not use something exclusive that may not even have a name.

Marking
Let's say you're lucky to find a memory chip. First of all, we need to read its markings.

If there is a marking, there is a good chance it follows the format shown in the picture above: the first two letters are the vendor code, then the memory type, then the internal series number, and after that no clear logic can be traced.

Since there is no single standard, and none is expected, manufacturers are free to write whatever they see fit on their chips. This sometimes leads to collisions like the one in the same picture: two chips from different manufacturers, both 29-series, but one is NOR and the other NAND. In short, you cannot guess; such chips have to be looked up in search engines to learn at least something.

Typical design
Devices in the same segment are designed very similarly, which is quite obvious. For example, all home routers look almost identical inside. The same goes for the SCADA device market, which has its own canons, but they are followed everywhere without much variation.

Here are five categories of devices that you might need to deal with:
  • PC;
  • household network equipment (routers, switches, access points);
  • equipment for critical applications (in factories);
  • IoT - Internet of Things;
  • smartphones.
Of course, the world does not revolve only around smartphones and computers, but you are much more likely to meet them than some rocket-engine controller. So let's look at a typical device from each of these five categories only.

PC
A conventional PC is modular: almost every part can be easily removed. Because of that, the only memory chip on the motherboard itself is the flash holding the BIOS/UEFI. On older boards it was a parallel flash chip in a DIP or PLCC socket; on current boards the UEFI image sits on a 25-series SPI NOR flash. The small 24-series I2C EEPROMs you may also find on a board hold configuration data, not the firmware.

On an Intel platform with the Management Engine, the ME firmware is also on the SPI flash, normally in a separate region of the same chip, laid out by the flash descriptor at the start of the flash; some boards split the image across two 25-series chips, so look for a second one. The descriptor also records which regions the host CPU may read and write, which is why a software dump taken from the running OS often cannot read the ME region, while a dump of the desoldered (or clipped) chip contains everything.

Intel ME
Intel Management Engine is a separate subsystem in PCs built on Intel chipsets. It has its own processor core and its own firmware in the SPI flash, and it has its own paths to the network adapter and to main RAM. It can interact with almost anything in the computer without restriction, which greatly raises the requirements for its protection.
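As an added example (not from the article): on current platforms the ME firmware normally sits in its own region of the same SPI flash as the BIOS, and the Intel flash descriptor at the start of the chip records where each region begins and ends. The Python parser below locates the BIOS and ME regions in a raw dump of the whole 25-series chip and cuts one region out for separate analysis. It assumes the classic descriptor layout (signature at offset 0x10, region table pointed to by FLMAP0) as read by coreboot's ifdtool and UEFITool; the sample image is constructed inline, and build_sample_descriptor is a hypothetical helper, not a real board's descriptor.

```python
import struct

FD_SIGNATURE = 0x0FF0A55A   # Intel Flash Descriptor signature, stored at flash offset 0x10
REGION_NAMES = ["Descriptor", "BIOS", "ME/CSME", "GbE", "Platform Data"]


def parse_flash_regions(image: bytes) -> dict:
    """Return {region name: (start, end)} (end inclusive) for every region in use.

    Classic descriptor layout (the one coreboot's ifdtool and UEFITool read):
      0x10  FLVALSIG   signature 0x0FF0A55A
      0x14  FLMAP0     bits 16..23 = Flash Region Base Address (FRBA) >> 4
      FRBA + 4*n  FLREGn: bits 0..12 = region base >> 12, bits 16..28 = region limit >> 12
    A region whose base lies above its limit is unused.
    """
    if len(image) < 0x18:
        raise ValueError("image too small to hold a flash descriptor")
    sig, flmap0 = struct.unpack_from("<II", image, 0x10)
    if sig != FD_SIGNATURE:
        raise ValueError("no Intel flash descriptor at offset 0x10 (not a descriptor-mode image?)")
    frba = ((flmap0 >> 16) & 0xFF) << 4
    regions = {}
    for n, name in enumerate(REGION_NAMES):
        off = frba + 4 * n
        if off + 4 > len(image):
            break
        (flreg,) = struct.unpack_from("<I", image, off)
        base = (flreg & 0x1FFF) << 12
        limit = (((flreg >> 16) & 0x1FFF) << 12) | 0xFFF
        if base > limit:
            continue  # unused region
        regions[name] = (base, limit)
    return regions


def extract_region(image: bytes, regions: dict, name: str) -> bytes:
    """Cut one region (for example the ME firmware) out of the full dump."""
    start, end = regions[name]
    return image[start:end + 1]


def build_sample_descriptor(size: int = 0x800000) -> bytes:
    """Constructed 8 MB sample (hypothetical helper, not a real board's descriptor):
    descriptor 0..0xFFF, ME 0x1000..0x4FFFFF, BIOS 0x500000..0x7FFFFF, GbE and PDR unused."""
    img = bytearray(b"\xff" * size)
    frba = 0x40
    struct.pack_into("<II", img, 0x10, FD_SIGNATURE, (frba >> 4) << 16)
    flregs = [0x00000000, 0x07FF0500, 0x04FF0001, 0x00001FFF, 0x00001FFF]
    for n, value in enumerate(flregs):
        struct.pack_into("<I", img, frba + 4 * n, value)
    return bytes(img)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_descriptor()
    for name, (start, end) in parse_flash_regions(data).items():
        print(f"{name:14s} 0x{start:08X} - 0x{end:08X}  ({end - start + 1} bytes)")
```

Run it against a dump made with `flashrom -p <programmer> -r dump.bin` from the desoldered or clipped chip. A dump made from inside the OS (`flashrom -p internal`) usually cannot read the ME region when the descriptor locks it, so the region will be missing or filled with 0xFF; the hardware dump has all of it, and extract_region("ME/CSME") gives you the piece to study on its own.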

Household routers
With consumer routers everything is quite simple: they use 25-series SPI NOR if no more than 8 MB is needed, or NAND when more is required. eMMC turns up rarely, and I have not come across it yet.

Devices for responsible use
Here it is a little more complicated. The standards demand strange things, so devices in this category most likely consist of several boards joined through interconnect boards. There will be many different storage chips, if only to pass certification.

Logs are usually written to 24-series EEPROM or FRAM, the bootloader lives on 25-series NOR, and the firmware proper is placed on NOR of the 26 or 29 series. NAND is used rarely, and when it is, it is immediately in large redundant arrays.

IoT
The concept of IoT is now far too stretchy: you can put the whole smart home in it, and not only the home. Because of that, any memory can be there, from EEPROM to eMMC, which is NAND with a host controller packed into a single chip.

Smartphones
In smartphones everything is usually the most advanced: eMMC, eUFS, even NVMe SSDs, as in Apple's devices. Whichever it is, all these chips look more or less the same, so you will not mistake them for anything else.

DECODING THE NAME
Now that you have found the chip and read the marking, you need to decode it. By the way, markings are far from always fully readable: part may be hidden accidentally or on purpose, or the whole thing may be forged, as sellers on AliExpress like to do with their parts.

Large manufacturers can provide part-number decoders on their websites, but almost none do.

A commendable example is Micron, which provides clear instructions and a form on its site for obtaining a datasheet for its chips.

decoder.jpg


If there is no decoder, you will have to improvise. You can try the scheme in the screenshot below, with no guarantee of success, of course. Perhaps it is even better to go straight to the Japanese manufacturers: they are fond of inadequately confusing names with no known logic. The logic is surely there, but nobody has managed to understand it yet.

SEARCH DOCUMENTATION
I assume you can google on your own, but searching for documentation on all sorts of exotic chips may be useless. First, a search by the first N characters of the chip name is more efficient. Second, it is often easier to find the part by its code on AliExpress or another large trading platform.

If you really like Google, try an image search - sometimes you can find there something that is not searched for by text.

There are also huge chip databases in programmer software; I use the software from Elnec. Often there are even datasheets there, but you should not rely on that too much.

Another good place to look is GitHub. There is a chance it will turn up something for a query like "<chip> read poc". From there you can pull a link to a datasheet or something else useful. I have even come across hidden service commands for locking/unlocking a chip, which is of course very pleasant to study.

EQUIPMENT
Here one can only say what not to do: do not buy cheap tools and consumables. My favorites are solder that melts at completely unexpected temperatures, conductive flux (!) and disposable tweezers.

I would like to say more about cheap flux. An example is TT, also known as pink gel. It is fine, but it does not wash off and it conducts at high frequencies. That is no problem in a Soviet radio or even a modern power supply, but on a computer motherboard running at gigahertz frequencies it is categorically contraindicated.

Removing potting compound is a matter of temperature. I usually heat it with a hot-air gun at about 250 degrees, but there is one problem: under the compound, components may be soldered with low-melting solder such as Rose's or Wood's metal. Yes, you will remove the compound, but half the board will come off with it. And a cunning flash chip may not start without a heap of loose parts that cannot be put back.

What if the board is varnished (conformal coating)? You can try to dissolve it with acetone, but that can damage the laminate. Do this only if you have nothing to lose. Otherwise, just scrape it off with a scalpel in the right places and leave the rest alone.

When soldering, refer to the thermal profile graph at the end of the chip's datasheet. It is there for a reason, and I remember cases where the chip died from overheating during removal. As you know, people are divided into those who do not look at the graphs in the documentation and those who already do.

It often makes sense to mix a lower-melting alloy, Rose's metal or POS63 (Sn63/Pb37), or Wood's metal if things are really bad, into the factory solder. This significantly lowers the working temperature and raises the chances of not burning the chip.

PREPARATION FOR READING
After desoldering, never thermally shock the chip: let it lie and cool down by itself, not in alcohol; that way the chances of keeping it working are much higher. Next, check that all the legs of the chip are in one plane and that there are no solder bridges between the legs. These must be removed so as not to burn the programmer, which has no protection against that, and the chip itself.

Remove the old solder from a BGA and apply new balls. When the chip is cleaned and ready for reading, do not try to shove it into the programmer with the clamp pressing directly on the chip; there is a good chance you will simply crush it!

READING!
Remember that NOR flash leaves the factory without bad cells, while NAND is allowed a certain percentage of bad blocks, so if you see bad blocks in NAND, do not rush to get upset.

dumping.jpg


The programmer must be configured properly before reading. In particular, make it read everything, including the system pages at the beginning and end of the memory: they can be extremely important!

Chip designers strongly recommend that device designers use their chips according to certain rules. But the latter are free to disobey the former, so the system pages sometimes turn out to be a store of encryption keys or other data. In short, read everything; it will definitely not be superfluous.
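An added example (Python, not from the article) of what to do with a NAND dump once you have read it with the spare area included, as advised above: it finds the factory bad-block marks in the spare bytes, strips the spare area to get the logical image, then scans that image for known firmware headers and for blank, zeroed or high-entropy (encrypted or compressed) regions, which is a cheap way to see where keys or encrypted firmware may live before opening the image in a disassembler. The page size, spare size and pages per block are assumptions to be taken from the chip datasheet; the bad-block convention (first spare byte of a block's first page not 0xFF) is a common SLC one but not universal; the sample dump is constructed inline by a hypothetical helper.

```python
import hashlib
import math
from collections import Counter

# Geometry: assumptions for the example; take the real values from the chip datasheet.
PAGE_SIZE = 2048
OOB_SIZE = 64
PAGES_PER_BLOCK = 4   # real chips use 64 or 128; kept small so the sample stays tiny

# Magic numbers of headers commonly found in embedded firmware images.
MAGICS = {
    b"\x27\x05\x19\x56": "uImage header",
    b"hsqs": "SquashFS (little-endian)",
    b"sqsh": "SquashFS (big-endian)",
    b"UBI#": "UBI erase-counter header",
    b"\x7fELF": "ELF executable",
}


def split_pages(raw, page_size=PAGE_SIZE, oob_size=OOB_SIZE):
    """Split a dump read as 'page data + spare area' into (data, oob) tuples."""
    stride = page_size + oob_size
    if len(raw) % stride:
        raise ValueError("dump length is not a multiple of page+spare size")
    return [(raw[i:i + page_size], raw[i + page_size:i + stride])
            for i in range(0, len(raw), stride)]


def find_bad_blocks(pages, pages_per_block=PAGES_PER_BLOCK):
    """Factory bad-block marks: first spare byte of a block's first page != 0xFF
    (a common SLC convention; some chips mark the last page or use byte 5)."""
    return [b // pages_per_block
            for b in range(0, len(pages), pages_per_block)
            if pages[b][1][0] != 0xFF]


def strip_oob(pages, bad_blocks, pages_per_block=PAGES_PER_BLOCK):
    """Logical image: page data only, bad blocks skipped the way a flash driver would."""
    out = bytearray()
    for b in range(0, len(pages), pages_per_block):
        if b // pages_per_block in bad_blocks:
            continue
        for data, _oob in pages[b:b + pages_per_block]:
            out += data
    return bytes(out)


def entropy(buf):
    """Shannon entropy in bits per byte (8.0 = looks random: encrypted or compressed)."""
    n = len(buf)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def classify_chunks(img, chunk=4096, high=7.5):
    """Label each chunk as blank (erased 0xFF), zero, high-entropy or plain data."""
    labels = []
    for off in range(0, len(img), chunk):
        c = img[off:off + chunk]
        if c == b"\xff" * len(c):
            labels.append((off, "blank"))
        elif c == b"\x00" * len(c):
            labels.append((off, "zero"))
        elif entropy(c) >= high:
            labels.append((off, "high-entropy"))
        else:
            labels.append((off, "data"))
    return labels


def find_magics(img):
    """Offsets of every known header magic in the logical image."""
    hits = []
    for magic, name in MAGICS.items():
        pos = img.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = img.find(magic, pos + 1)
    return sorted(hits)


def build_sample_dump():
    """Constructed 6-block dump (hypothetical helper): block 2 is factory-bad, block 0 holds
    a uImage header, block 3 a SquashFS, block 4 pseudo-random bytes standing in for
    encrypted data, block 5 is erased."""
    def prng(n, seed=b"nand"):
        out, h = bytearray(), seed
        while len(out) < n:
            h = hashlib.sha256(h).digest()
            out += h
        return bytes(out[:n])
    block = PAGE_SIZE * PAGES_PER_BLOCK
    filler = b"firmware image ."          # 16 low-entropy bytes
    blocks = [(b"\x27\x05\x19\x56" + filler * 1000)[:block], b"\x00" * block,
              b"\xaa" * block, (b"hsqs" + filler * 1000)[:block], prng(block), b"\xff" * block]
    raw = bytearray()
    for bi, blk in enumerate(blocks):
        for p in range(PAGES_PER_BLOCK):
            oob = bytearray(b"\xff" * OOB_SIZE)
            if bi == 2 and p == 0:
                oob[0] = 0x00                  # factory bad-block mark
            raw += blk[p * PAGE_SIZE:(p + 1) * PAGE_SIZE] + oob
    return bytes(raw)


if __name__ == "__main__":
    pages = split_pages(build_sample_dump())
    bad = find_bad_blocks(pages)
    image = strip_oob(pages, bad)
    print("bad blocks:", bad, "logical size:", len(image))
    print("headers:", find_magics(image))
    print("regions:", classify_chunks(image))
```

On a real dump, feed the file to split_pages with the chip's geometry and pass the stripped image on to IDA or binwalk. Note what the script does not do: it does not check or correct the NAND ECC stored in the spare area, so a bit flip in a header can hide it, and a region that reads all zeros is worth a second look in light of the light-sensor protection described earlier.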

Now you have an image you can load into IDA and dig into further, but that is a topic for a separate article.
 