If it is a fast drop to 0V we can assume that it is a GPIO line of some sort, if it slowly drops down to 0V, it is likely the VCC line because that slow drop is caused by capacitors that are often present on power rails After looking at these pins on shutdown we can assume that pin 1 is VCC, as it slowly drops from 3.3V to 0V over the course of 5 seconds.
Winbond Spi Flash Linux Series Of PostsWith this next series of posts, Id like to take the concepts we talked about on those platforms and demonstrate them on a more popular platform: The TP Link: ROUTERNUM.
We will explore multiple ways of attempting to extract the filesystem and outline the steps taken for each method. The EEPROM is the small black 8 pin chip in the center of the board. The flash chip in question is the Winbond W25Q16Fw, the data sheet can be found here. Bus Pirate firmware 6.1 and older does not support SPI speeds above 2 MHz. After further investigation I found that the Chip Select line was not being pulled low enough, after trying a few various pull-down resistors I decided to move on from reading it in circuit. This is a common issue with trying to do any kind of in circuit reads, in order to mitigate this one can look for a reset line for the main CPU, or attempt to get the CPU into a state where it is still powering the chip but not attempting to communicate. But since Im a little lazy, lets just remove it with hot air and dump it, see the pictures below and the output of binwalk on the flash image. Found Winbond flash chip W25Q128.V (16384 kB, SPI) on buspiratespi. I wanted to attempt to extract the SPI flash because thats more in my wheelhouse being an embedded systems guy. Winbond Spi Flash Linux Update Image HoweverHowever - the simpler path would be to go to the following link where we can find an update image However, the ability to re-write the SPI flash can be useful in case we manage to brick the platform in the future. Debug ports are often exposed via a UART and typically consist of a transmit (Tx) and receive (Rx) line. Winbond Spi Flash Linux Serial Terminals CanMethods of discovery for serial terminals can vary based on the system but there are a few things that can lead to quick wins. One of the features of using a UART over something like SPI or I2C is that since it is asynchronous, there is no clock to synchronize the signals being sent between the two. In place of using a clock the transmit line utilizes start and stop bits to outline a data packet. This means that both the transmit and receive line must know the rate at which to read bits off of the wire as they come across, this is referred to as the baud rate. This is essentially the speed of the data being transferred which is typically measured in bits per second. Lets start taking a look at the headers we outlined below and measure the voltages at each pad after the router has booted. We have 2 possible candidates for Tx. Pins 1-3. There is a good chance that one of these is our 3.3V VCC line, we can determine that by noticing the pins behavior when the platform is powered down.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |