Chip-Off Firmware Extraction on a Linux Embedded Device

preview_player
Показать описание
In this video, we demonstrate a chip-off firmware extraction on a Linux embedded device, using the proper amount of flux. We use the XGecu T56 universal programmer to read the firmware off the TSOP48 M29W640GT flash chip made by ST. After reading the firmware, we show how to reattach the flash chip to allow the device to be functional again.

flash chip datasheet:

XGecu T56 universal programmer site:

Wine wrapper for XGecu software:

Rossmann talking about the microscope I have:

IoT Hackers Hangout Community Discord Invite:

🛠️ Stuff I Use 🛠️

🪛 Tools:

🫠 Soldering & Hot Air Rework Tools:

🔬 Microscope Setup:

About Me:
My name is Matt Brown and I'm an Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.

- Soli Deo Gloria

💻 Social:

#iot #firmware #soldering #rework #linux #embedded_systems
  1. Matt Brown
Рекомендации по теме
Chip-Off Firmware Extraction 0:39:42

Chip-Off Firmware Extraction on a Linux Embedded Device

Hacking The Mojo 0:40:11

Hacking The Mojo C-75 - Chip-Off Firmware Extraction

Chip-Off Firmware Extraction 0:31:08

Chip-Off Firmware Extraction and Reverse Engineering of Arris SB6121 Cable Modem

Extracting and Modifying 0:21:03

Extracting and Modifying Firmware with JTAG

Extracting Firmware from 0:18:41

Extracting Firmware from Embedded Devices (SPI NOR Flash) ⚡

Hacking a Knockoff 0:25:04

Hacking a Knockoff Google Chromecast - Firmware Extraction

IoT This Week 0:10:30

IoT This Week | Firmware Extraction Video 1

I'M BACK: Firmware 0:10:13

I'M BACK: Firmware Extraction Tips and Tricks

Hacking a Tiny 0:15:58

Hacking a Tiny Security Camera - VStarcam CB73 Firmware Extraction

Let's Hack: Extracting 1:03:59

Let's Hack: Extracting Firmware from Amazon Echo Dot and Recovering User Data

Hacking the Arlo 0:40:58

Hacking the Arlo Q Security Camera: Firmware Extraction

Whiteboard Wednesday: Extracting 0:03:35

Whiteboard Wednesday: Extracting Firmware from Microcontrollers

Extracting Firmware from 0:07:59

Extracting Firmware from External Memory via JTAG

#04 - How 0:34:08

#04 - How To Get The Firmware - Hardware Hacking Tutorial

This Chip Holds 0:00:59

This Chip Holds All Of Your Data… #technology

[016] IT9919 Hacking 0:32:55

[016] IT9919 Hacking - part 1 - Reading firmware with flashrom

IoT Hacking - 0:33:53

IoT Hacking - Polycom Conference Phone - Firmware Extraction

Whiteboard Wednesday: Memory 0:03:39

Whiteboard Wednesday: Memory Extraction from SPI Flash Devices

UFS/eMMC Firmware Extraction 0:17:26

UFS/eMMC Firmware Extraction - UFI Box

Intro to Hardware 0:12:07

Intro to Hardware Reversing: Finding a UART and getting a shell

Intro to hardware 0:21:00

Intro to hardware security: UART access and SPI firmware extraction

Extracting Firmware from 0:12:27

Extracting Firmware from Linux Router using the U-Boot Bootloader and UART

IoT Hacking - 0:30:27

IoT Hacking - Netgear AC1750 NightHawk - Firmware Extraction via Root Shell

Simple Firmware Extraction 0:05:04

Simple Firmware Extraction w/ Device Programmer

Комментарии
Автор

I actually believe that the error message that you got was correct.

I copied your method, including the placement of the flash ship in the socket and got the same error message. However, it wouldn't even produce a binary in my case. After some troubleshooting and continuity testing I managed to identify that the top 8 pins in the TSOP socket are actually connected to the cables and not the pins. Therefore, the flash should actually be placed 4 rows down. I did this and it worked fine with no error messages. I believe that this placement is also ilustrated in the newer XGecu software.

Otherwise, Thank you for this educational video.

alin
Автор

Get that low melt solder, mix it in. Won’t have to get nearly aggressive with the heat. Some chips won’t tolerate that. Good video brother, stay in the game !

CirePC
Автор

Interested in: Bin Dump Analysis. Partition mounting. Changing files. Building partitions in firmware dump.

lqgwsjn
Автор

Fifth, you never apply cold isopropyl on a extremely hot IC. This way, you will crack the body of the IC (epoxy) because of the quick temperature difference. Use first a silicone thermal pad to cool it down and then clean it.

brmelectronics
Автор

Nice, you’re very good at this, lots of patience. I’m trying to learn this.

Vazzible_gaming
Автор

I'm not an expert but I think that with this size chip you should use a bigger tip on your hot air.
It should make it a bit easier to take off the chip.
Also, maybe heating a general area around the chip to increase the temperature of the ground plane could help as well.

Overall I've just found your channel, I really like what you do, keep it up!

MCgranat
Автор

Very cool video thank you. Maybe a quick look into one of the inexpensive laser measures at some point 😀?

dainazinas
Автор

I'm definitely subscribing I seen a dude desolder a BIOS chip that wasn't posting and he manually flashed it and it booted so I'm curios

DeepFrydTurd
Автор

Hi Matt,

Great videos - going to watch some more.
My recommendation:
You need less flux (first amount was more than enough) - more heat
(buy the org. amtech flux - you got a fake one)
Qianli iNeezy Tweezers fx-03 so you don't loose grip
Please use nitrile gloves - you don't want to touch all the nasty chemicals/Lead with bare hands !
Did you have an extractor ? Don't want chemicals in you lungs.
Ultrasonic cleaner - optional

larsmojo
Автор

very cool video! I would also love to learn how the device and software you used, works under the hood so to speak

grantscott
Автор

Done this on some devices in the past, trouble is, wanted to make changes and couldn't figure out where the CRC checksum values were stored for the firmware.

maxvideodrome
Автор

is there a way to program this nand flash directly from the board ???

boutahirsalaheddine
Автор

Another way is to change the solder material from the pins with o lower melting point material so everything goes smoother.

davidezequielborges
Автор

I think most of the videos are showing firmware extraction on NOR flash, this is the first video showing NAND flash

kiyotaka
Автор

You do not want to heat the body of the chip like this guy does. Point the nozzle towards the pins and go with a circular motion around the case. Secondly, you do not place flux on the ic case, but on the solder joints. Thirdly, you should always protect the plastic connectors near the soldering area with kapton tape.

brmelectronics
Автор

Fourthly, you must use a high temperature (like 400-450 Degrees Celsius) and remove the chip very quickly, like in 10-20 seconds.

brmelectronics
Автор

If you wanted, would you be able to save this firmware and write it to another tsop-48 with the same model number? Im thinking more along the lines if the firmware became corrupt on another device would you be able to write this firmware to another chip?

RejectedManiac
Автор

You should get an ultrasonic cleaner if you do hot air rework often

Finrow
Автор

You DON'T NEED hot air to desolder these chips : Flood all leads on all sides of chip, allowing time for cooling between sides. Lift one side at a time, allow cooling time. Wick excess solder from leads.

JeremySpidle
Автор

Yeah, those are tough chips to desolder. I would say your nozzle is too small for that chip. As others have said, the best things to use are purpose made nozzles that blow air on both sides of the chip at once. However even just a larger diameter round nozzle would help. I also always add a fair amount of additional solder with a standard soldering iron before I start, as it makes it much easier to melt with the air gun, and it holds its heat and stays molten for longer so you can more easily get both sides molten at once.

lptf