Get that low melt solder, mix it in. Won't have to get nearly as aggressive with the heat. Some chips won't tolerate that. Good video brother, stay in the game!
I actually believe that the error message that you got was correct.
I copied your method, including the placement of the flash chip in the socket, and got the same error message. However, it wouldn't even produce a binary in my case. After some troubleshooting and continuity testing I managed to identify that the top 8 pins in the TSOP socket are actually connected to the cables and not the pins. Therefore, the flash should actually be placed 4 rows down. I did this and it worked fine with no error messages. I believe that this placement is also illustrated in the newer XGecu software.
Otherwise, thank you for this educational video.
The images are indeed updated, at least for the chips I've used in my t56 that is the case. Since the image is package specific, there's quite a few to update. I wouldn't be surprised if some didn't get updated.
Interested in: Bin Dump Analysis. Partition mounting. Changing files. Building partitions in firmware dump.
The flux goes onto the pins, since it helps the solder melt; it does no good on top of the plastic of the package. Heat the PCB, not the chip, using a circular motion and consider using Kapton tape to protect other surrounding components from the heat.
I wouldn't disable pin detect; it's a quick way to ensure you have a good electrical connection on all pins before you try and read, thus it ensures you get a reliable read or write. This is particularly important on parallel devices, where the data may look OK as many of the pins read OK, but you will end up reading the wrong addresses, or missing some bits on the data pins. All of which will not help in your reverse engineering later.
I find it best to check the pins for remaining solder, similarly to how you did with the braid, but not putting any sideways pressure on the pins, since they will bend, which makes reading and reassembly more difficult. Secondly, once the chip has cooled, clean its top and bottom with some isopropyl alcohol to remove any contaminants and the flux from the pins. A small toothbrush and some IPA and a gentle brushing action from the chip centre to the outside is the best way. I'll often use paper towel under the IC, so it can absorb all the contamination rather than just brushing it around. Once done, you will get a high probability of the pin check passing, and you also won't contaminate your adapters with flux.
The device ID test fails for the same reason: one or more missing pins means that the ID will not read properly, as the badly connected pins corrupt the data.
Finally, if you get an XGecu T56, which is needed for the larger memory devices, then don't forget to connect the ribbon from the top port to the header on the adapter, since this provides the extra pins needed to support the higher pin count devices. I'm not sure if the T48 works in the same way, so that's worth checking too. This is generally shown on the device layout, but it's not immediately clear what they mean, so it's caught me out a couple of times.
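One way to see why a missed pin gives a plausible-looking but wrong dump from a parallel flash, as an added Python example (a constructed toy model, not code from the video or from XGecu's software; `make_image`, `read_with_faults` and the two check functions are names chosen here):

```python
# Added example: model a programmer read of a parallel flash where one address
# line or one data line never makes contact, then run two post-read sanity
# checks. The "flash contents" and the fault model are constructed, not real.

def make_image(size: int = 256) -> bytes:
    """Constructed flash contents. The odd multiplier makes this a permutation
    of 0..255, so every data bit toggles and no two addresses hold equal bytes."""
    return bytes((i * 167 + 13) & 0xFF for i in range(size))

def read_with_faults(image: bytes, stuck_addr=(), stuck_data=()) -> bytes:
    """Model a read where the listed address lines never reach the chip (they
    behave as constant 0, so two halves of the array alias onto one) and the
    listed data lines always read back 0 regardless of cell content."""
    assert len(image) & (len(image) - 1) == 0, "toy model assumes power-of-two size"
    addr_mask = (len(image) - 1) & ~sum(1 << b for b in stuck_addr)
    data_mask = 0xFF & ~sum(1 << b for b in stuck_data)
    return bytes(image[a & addr_mask] & data_mask for a in range(len(image)))

def stuck_data_bits(dump: bytes) -> list:
    """Data bits that hold the same value in every byte of the dump.
    Caveat: an erased (all 0xFF) region also has constant bits, so a stuck-at-1
    pin is indistinguishable from blank flash; this is why the programmer's
    pin-detect before the read beats analysing the dump afterwards."""
    or_all, and_all = 0, 0xFF
    for b in dump:
        or_all |= b
        and_all &= b
    return [i for i in range(8) if not (or_all >> i) & 1 or (and_all >> i) & 1]

def aliased_address_bits(dump: bytes) -> list:
    """Address bits for which the two halves of the array they select are
    byte-for-byte identical: the signature of an address line that is not
    toggling, so the same physical cells were read twice."""
    n = len(dump)
    hits = []
    for i in range(n.bit_length() - 1):
        stride = 1 << i
        if all(dump[a] == dump[a | stride] for a in range(n) if not a & stride):
            hits.append(i)
    return hits

if __name__ == "__main__":
    clean = make_image()
    bad_data = read_with_faults(clean, stuck_data=(3,))   # D3 never connects
    bad_addr = read_with_faults(clean, stuck_addr=(4,))   # A4 never connects
    # Both faulty dumps are the right length and "look like data"; only the
    # checks reveal that D3 is dead and that A4 aliased the two halves.
    print("clean :", stuck_data_bits(clean), aliased_address_bits(clean))
    print("D3 bad:", stuck_data_bits(bad_data), aliased_address_bits(bad_data))
    print("A4 bad:", stuck_data_bits(bad_addr), aliased_address_bits(bad_addr))
```

Both checks rely on the real contents varying; on a mostly blank chip they stay silent, which is the point of running pin detect and the device ID read first.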
I'm not an expert but I think that with this size chip you should use a bigger tip on your hot air.
It should make it a bit easier to take off the chip.
Also, maybe heating a general area around the chip to increase the temperature of the ground plane could help as well.
Overall I've just found your channel, I really like what you do, keep it up!
Nice, you’re very good at this, lots of patience. I’m trying to learn this.
I think most of the videos are showing firmware extraction on NOR flash, this is the first video showing NAND flash
Nice! BTW I found the datasheet and will add it to the video description. Turns out the reason there are like 3 or 4 manufacturers listed for the one chip model number is because of acquisitions...
Hi Matt,
Great videos - going to watch some more.
My recommendation:
You need less flux (first amount was more than enough) - more heat
(buy the org. amtech flux - you got a fake one)
Qianli iNeezy Tweezers fx-03 so you don't lose grip
Please use nitrile gloves - you don't want to touch all the nasty chemicals/lead with bare hands!
Did you have an extractor? Don't want chemicals in your lungs.
Ultrasonic cleaner - optional
You shouldn't be heating the chip like that mate.
Grab some lead solder and put a bunch of it on the pins and wick it off to dilute the lead free stuff. The chip will come off a lot easier.
If it's particularly large, use a bismuth based solder like quick chip.
Another way is to change the solder material on the pins to a lower melting point material so everything goes smoother.
I'm definitely subscribing. I saw a dude desolder a BIOS chip that wasn't posting, and he manually flashed it and it booted, so I'm curious.
Done this on some devices in the past, trouble is, wanted to make changes and couldn't figure out where the CRC checksum values were stored for the firmware.
You DON'T NEED hot air to desolder these chips : Flood all leads on all sides of chip, allowing time for cooling between sides. Lift one side at a time, allow cooling time. Wick excess solder from leads.
Neat video! Question: how come the plastic package doesn't melt at nearly 400°C ?
Chip-off at 12:09, for those wondering.
to do this faster and easier next time, use a hot plate to remove (assuming no ICs in the way on flip side) and solder paste to replace
Very cool video thank you. Maybe a quick look into one of the inexpensive laser measures at some point 😀?
Is there any video tutorial on making Xgpro work on Linux? I tried following the GitHub tutorial but it just opened and didn't detect the programmer, and if I put the setupapi.dll file (I used both what was provided and what I compiled) in the XGpro folder it doesn't open anymore. Can you help? (I'm trying to make it work on Raspberry Pi OS; so far I've only successfully managed to get the CH341A working.)
How to connect the chip base with an ST-LINK programmer to read its firmware? The chip is an ATMEL microprocessor.
Is there a way to program this NAND flash directly from the board?
Yeah, those are tough chips to desolder. I would say your nozzle is too small for that chip. As others have said, the best things to use are purpose made nozzles that blow air on both sides of the chip at once. However even just a larger diameter round nozzle would help. I also always add a fair amount of additional solder with a standard soldering iron before I start, as it makes it much easier to melt with the air gun, and it holds its heat and stays molten for longer so you can more easily get both sides molten at once.
That work is really great. But in my case, I use MX30LF2G18AC and MX35LF2G14AC memory and extract the firmware file by chip-off. I'm using an RT809H programmer, and it shows me that some amount of bytes are inconsistent on verification. I can't use that extracted firmware if those inconsistent bytes are missing. Have you ever encountered that kind of problem?
Very cool video! I would also love to learn how the device and software you used work under the hood, so to speak.
If you wanted, would you be able to save this firmware and write it to another TSOP-48 with the same model number? I'm thinking more along the lines of: if the firmware became corrupt on another device, would you be able to write this firmware to another chip?
Thanks for the video and info
Simple problems have become more complex
You should get an ultrasonic cleaner if you do hot air rework often
I do rework every now and then; however, I don't have to give it back to anyone, so if it's all messy it's something I can deal with. Maybe someday that will be an item in the dream lab.
Dozens years ago I put a circuit in an ultrasonic cleaner: the TTL got destroyed! Never again...
Waiting is very uncomfortable, T56 can greatly reduce your waiting time
Takes a damn while to unsolder that chip: six full minutes!! Couldn't you just blow hot air on the pins instead of the package, and make a continuous rectangular pattern? In addition, use a regulated pre-heater to raise the temperature to 120-150°C underneath the board. All these precautions would accelerate the process and avoid destroying the inner chip by exceeding its max temperature.
And one more thing: adding flux doesn't help make the solder melt; instead the cold flux lowers the temperature.
Can you do a video on rebuilding the firmware and writing it? Also is it possible to dump the firmware without removing the chip and using clips?
Basically yes, if you know all the main 8 points and where they are going, you can pick those points and read and write NAND flash with a T56 programmer. Otherwise there is no clip at all available.
Can you show some tricks on breaking encrypted firmware using side channel or other techniques?
The devices with encrypted firmware I've looked at in the past are sadly behind NDAs. If you have a target device that you know has encrypted firmware, let me know and I'll look into it.
Are you referring to a firmware update file being encrypted? or the actual firmware on flash being encrypted?
@mattbrwn Thanks, I mean the actual encrypted firmware in flash. I know there is a method like looking into an old version of unencrypted firmware where the encryption algorithm is implemented and using it to decrypt the latest version, and some peeps use DPA side channel attacks to break AES or other ciphers, but are there any other methods than this? And I'll let you know if I find an encrypted firmware; looking forward to the video. 🙂
@kiyotaka31337 try hashcat
@kiyotaka31337 I think the T56 can give you encrypted data also in the OPT column and main flash differently in another column. So adding both of the data to the NAND can result in the original firmware. What say??
@mattbrwn oh
What heat gun do you use?
Hey Matt, great video.
I'm starting out. I don't have the hardware you have introduced in these videos. So far I have a cheap 8 channel Logic Analyzer, a CP2102 UART dongle, ST-Link v2 dongle, a CH341A, and a Bus Pirate. I plan to expand as I go.
I have a tv here with a shattered screen that I'm experimenting with. It has a Winbond W25Q32JV bios chip.
Is it possible for you to do a video with the Bus Pirate? I've found a LOT of information on the net about it, but a lot of it just confuses me. I love your style of explaining everything. So wondering if you can help make sense of it.
Thanks man! You've helped explain a lot so far.
To be more specific... I can't seem to get any sort of connection with the chip via SPI.
The SOIC-8 clip that came with my CH341A was useless as I never can get a connection (verified by continuity). I think it's just a cheap plastic mold that is a common issue. I have soldered to the legs of the chip (still on the board), very carefully ;-) . I couldn't figure out the Logic Analyzer, as hooking it up would not allow the TV to turn on. I'm also really just learning the Saleae software.
I attempt to connect to the chip via my Bus Pirate using screen and I have to be missing something here. I'm always stuck with syntax errors.
ok
Good job man, keep goin'
Hey Matt, I just bricked an expensive router FW. Is it possible to contact you? Of course not for free :)
What is the purpose of the flux in desoldering?
To improve the heat conductivity between the heat source (e.g. solder tip or hot air) and whatever it is touching. Without flux, it will be much harder for the heat to transfer to what you want. E.g., without flux, it will be very hard to get solder to melt.
the UFPI programmer is much better + ecc corrections available
you need some low melt
Removing the NAND chip is completely unnecessary in many cases. Look into 360-clips.
Something new? Don’t know of any tool to read without removal. Not of a nand chip anyway.
Not inclined to buy from china if I can possibly avoid it, and no way in hell am I gonna run windoze, or wine for that matter. If they can't provide software that runs under linux, I'll deal with somebody else.
when you have old solder just flood it with good solder until it comes off then wick it
How to read hex from a PIC MCU which is locked??
Hello Mr Matt, I need some help from you regarding top28 flash memory and the T56 programmer.