[016] IT9919 Hacking - part 1 - Reading firmware with flashrom

Thanks for this good tutorial!
On the STM32 bluepill you do not need to first remove the 10K resistor - just solder a 1K8 resistor on top of it. The parallel resistance then comes to 1K5. This gives less risk of damaging the board.

I still think that this series had some of the most lucid reverse engineering information I've ever seen on TH-cam.

One trick you can use to read flash in circuit is to keep on board processor in reset state. When in reset most of the pins are in high impedance state, and obviously application processor will not interfere.

Have to love it when you talk for 30 minutes about a device and 5 boards all of which I have lying around. Instead of a hoarder I now feel 1337 :)

YEY! welcome back. At work now but can't wait to see it!

I'm so pleased you're back, I really love your channel and was worried you had given up on YT. Another interesting video btw, like the rest.

I never clicked so quick! Where have you been?? How dare you have a real life! ;-)

I really enjoy your videos. So well presented and clear structure. And also so many Open Source ideas and lots of tools for our toolbox. Didn't know about that serial firmware, never thought something like that would even exist. Looking forward to any progress on this very cool project.

Great stuff man! It'll be interesting to see what the outcome will be - especially when you introduce a fpga into the mix (that's worth a whole mini-series on it's own,btw)
Thanks for posting this brainfood mate!

Very interesting project. Love the separation of the Winbond. Code is a little bit of a hurtle for me but taking it like a hot bath. Your interpretation is key! Regards.

ooh, fascinating! can't wait to see how this goes
also, welcome back

you are alive. i found your channel a few weeks ago. its really interesing

I'm 8 minutes in and I'm still gobsmacked that a company (ITE) believes that making their product/chips 100% opaque to anyone that is not a customer is a good way of interfacing with the world. Who cares if non customers know what your ISA is? Why be this secretive? It's even more amazing that a customer would signup to this kind of secrecy. But what do I know?
Fascinating video for sure!

Welcome Back! I am learning a lot. Keep up your good work.

Good to have you back. Waiting to see how this goes.

Nice to see you back , last week i went thru my subscriptions to see if i not accidently deleted you.

As always great tips and links to interesting firmware! Blue Pills rock!

I've just come back for a re-watching.... I was looking for you flashing a blue pill over serial.... found the right vid first guess...
But it's also interesting, having seen the whole series, realising how little you and "the blogs" knew at this early stage and where you got to from there....

Oooh... tweezer soldering iron, A? I've been putting off an appointment with some evil 0402 links for rather too long now.... maybe a tweezer iron could help me out.
That was great stuff... I'm not that interested in HDMI capture meself... but you covered SO many other subjects on the way there had to be something for all of us.
And I learned a new and very useful technical term today: "spew".
Welcome back!!!! ........ Your cat's a lovely colour.

This channel is a gold mine

11:19 Just FYI, most computers don't care about that 10K resistor and work just fine with a vanilla blue pill. I'd recommend trying it out and only swapping the resistor if you really need to.

Thank you for interesting video. Keep your board in the vise.

Great to have a new OpenTechLab video!
Interestingly I was able to make a dump (and later restore this after a brick with a dodgy upgrade file!) of the LKV373's flash chip using `flashrom`via the Raspberry Pi's SPI interface without having to extract the flash chip.

@OpenTechLab: The compression algorithm could be the "Softdisk Library Format" seems to be used from time to time in firmware

Great! Next upload. We've spoken some time ago, nice to see you again

Exited to see this, one of my favorite channels.

I *KNEW* I was in for a treat when OpenTechLab rose from the grave*. Didn't disappoint!
*) Altered Beast reference.

Hi, nice to see your work again!
Cheers.

Great spelunking! btw you should totally make the inverse of the soic adapter for soldering in place of the chip on the original board, similar those game console easy-solder mod boards! Where there are little solder cups/U shaped cutouts.

You are back. That’s great!

So glad you’re back :)

1. Welcome back! This video a quintessence of hacking and a hacker mindset and it makes me think how far we can go with a bit of curiosity and some knowledge, also, it shows how vast the value of free software and open hardware is.
2. Is there a specific reason why you avoided using a flash/SPI programmer based on CH341A (there are compatibility patchwork for flashrom)? It might have been much easier to read from the soldered SPI chips using something like that along with the alligator clip.

Quality soldering tip !

OMG he is back!

Helpful video 👍 I like it

this first time I watch your videos and I sub from first 10s

this is awsome. Thank you!

Hey, welcome back!

Yes! You're back!

Welcome back !

Good Video! You made a working board :)

Amazing!!👍👍

Yayyyyy OpenTechLab is back!!!

WELCOME BACK!!!

The FT232R can also be used with OpenGDB, for example for in-circuit debugging of the ESP32. Maybe that's part of a future video.

I think that the location in the SMAZ for those strings is the dictionary table. Basically all lossless compression algorithms use a dictionary, that is created on the fly as the compressor compresses. The compressed output will have the dictionary and the references (the compressed data) to dictionary.
It is quite probably the hash/crc check do not pass on the edited data you uploaded, and it is very interesting that the board has a secondary storage for known last firmware, pretty cool. It avoids the problem of converting the device into a paper weight if upgrade does not go thru as expected.
The w25q32 chips has a write protect pin. I wonder, if you re upload modified code, then disable write via pin, and boot it? Maybe the code will just try to write, and assume it went thru, and reload, and then maybe it will apply? maybe it will go into a loop? no idea, but will give more details on how it works.

You are my hero!

you can desolder the ground leg and raise it off the pad, then hook everything else up normally and since the ground is only connected on the ROM but not the board, you should be able to get a better signal.

Can you load a bad checksum image into the main eeprom, then monitor the addresses being accessed from the eeprom and the on board backup. I feel that at some point the main processor will need to make a decision that the checksum was bad and then reach out to the backup to do a re-image of the eeprom. This could tell you which bytes of the main eeprom are related to the decision the processor needs to make for the checksum and potentially give you a subset of the whole eeprom that would be interesting, and which would contain the checksum byte, even its location.

Great video - the first I've sen from you but not the last. I had a thought about reading the SPI Flash more conveniently than removing it from the system. Could you just isolate the power pin? That way when you drive it from your external setup none of the rest of the host board is powered and so might be less intrusive, and when you power it from the host board it's back home. You could have a 2-way switch to select. Just a thought.

Woop! Welcome back!!

just noticed at 21.50 left bottom corner chip, two pins are soldered together, is that common practice ..... ? great clip informative thanks

32:54... Perhaps it's time for a Tip Cleaning Solder Sponge and perhaps a new Tip....:/

I wonder if holding the main ASIC in reset at power up would tri-state the SPI bus, allowing you to read out the firmware without desoldering.

What shell are you using/what is your configuration? I've just broken away from the standard unchanged bash, and I'm weighing up my options. Yours looks cool, especially with the knowledge of git branches, etc.

Can you link to the blogs mentioned in the description? Thanks!

The dump clearly shows a crc. All compression algorithms have a dictionary. Most if not all compilers afaik, make a constants table to all constants in the source and then links to them. It's not just strings but ints, floats, books, or any base data type. Crocs have a broken 2nd order resistance collision, and I believe a pre image collision. Find the crc.

SOIC or SOP which one is it now or does it work for both?

Why not simply stack a resistor on top, i.e. in parallel? That's usually an easier operation than removing a resistor...

Is that a duct tape band-aid?

Awesome video but please improve your audio feed. You have allot of noise maybe ground loop or radiation.

that soldering iron

use bmd Capture Card for SDI, and BMD UpDownCross if you have HDMI Signal. work fine without any Problem. feel free to ask.

I am interested at reverse engineering my marantz sr5600 home theater receiver. To reduce noise. To increase amplifier output. To modify speaker impedance on the multiroom channels. Add hdmi 2.2 ports. Add usb 3.2 input, bluetooth input, 1.5mm. Adding the newest dolby digital encoding, adding 4k encoding and upscaling.
What about modifying an older Asus wifi router running opensource firmware and upgrading it to 802.11ax and any newer security features/ programming?
How about reverse engineering a Roku or Firestick 4k to run solely off of Linux?

Great video! You should get some proper chisel type soldering tip. It's way better than this one you are using.

In the video you mention, danman? Is this correct and is a TH-cam channel? Excuse me if 'danman' is the wrong spelling

Stahp eet it's illeeeeghul

what can i do if i cant order from amazon bause the delivery is more than the product in price.
also im totally new to this how can i understand the video better?

how you make your terminal look like that at 14:24 ?
edit: not only on 14:24, all the video. how you make the prompt look like a blue arrow?

Need firmware for hard disk ST350413AS JC66 firmware as bios ic is corrupted

Disable writing to the eeprom from the controller... perhaps it will just drop through after it thinks it has re written it.

Couldn't you hot air desolder the ram and get a read on it then?
Edit: should have watched the whole video before asking.

Using duck tape as a band aid 28:44

I need some answers

"This would be easier if I had this in a vise"
*AvE wants to know your location.*

SMAZ - github.com/antirez/smaz

Why not use a black pill?

I can help you dissolve some chinese problems in the future, if you like to.

imagine for a moment that that Chip was sentient(as in high sentient)......
we are the aliens who has no abducted it and is probing it up the arse...... to understand how it ticks
am i the only one with these weird imaginations ? i need to have a word with my weed guy!!!!

I wonder if this is the same SMAZ? github.com/antirez/smaz

Could this be the SMAZ you are looking for? github.com/antirez/smaz

You might be interested in qspimux: felixheld.de/projects/qspimux/

Surely yourself and others have seen this, but I was doing some random googling and found: github.com/antirez/smaz
Is this related at all?

#ShamefulSoldering

absolutely zero soldering skills...0603 piece of cake for me... i could do it with my eyes closed!

flux, flux flux.....