Hmm. New problem. The SPI flash chip on my WiFi access point is not sufficiently isolated from the rest of the board to be accessed while the board is powered off.
The AP actually seemed to boot up when I plugged in the programmer...
It looks like it was designed to allow in-system programming...
@gsuberland I tried taking the chip off one of the dead boards, and ended up having to use a heat gun. I don't have hot air rework stuff, and most of the reason I want to do this is to experiment with the boot loader. I guess if it comes down to it I can probably get someone to socket the chip, but it's SOIC-16....
@ryanc although I usually just end up lifting the whole chip 'cos by the time I'm breaking out the iron I might as well take it off completely lol
@ryanc soldering iron and tweezers, lift the power leg slightly, put paper or kapton tape under it.
@gsuberland It's SPI, but supports 2 and 4 bit at a time modes as well. Winbond W25Q256JVFIQ. Works in the socket on the CH341A.
@ryanc SOIC-16? interesting. that sounds... not SPI? usually those are SOIC-8. QSPI or something?
@gsuberland I don't think lifting the power pin will help because a bare chip doesn't work in the test clip.
@ryanc I have read about a trick with a short-circuit across the clock crystal to stop bootup from happening.
@KHoos Which would be all well and good, but the programmer can't initialize with that much power being drawn through it.
@gsuberland What about cutting the VCC line on the wire to the test clip?
@ryanc yeah might be a full removal job then unfortunately.
@gsuberland might need to also cut the write protect and reset/hold lines and connect them to VCC board-side...
@gsuberland Power DUT normally, wait for it to boot so it's done with the SPI, or maybe hold the CPU in reset if I can figure out how.
@ryanc wouldn't that just not power the chip, so it won't respond? you won't be able to read it with the DUT powered on as it'll be asserting the SPI signals - best case no bueno, worst case you'll cook the MCU's IOs.
@gsuberland bleh, but I want to write
@ryanc (this is why I always pull the chip. it's a huge pain in the ass to do it in-system and I can't guarantee a good read)
@ryanc the SPI IOs will still be asserted, they don't go hi-Z.
@gsuberland all of the above plus a bus pirate, but I want to experiment with the bootloader, which will probably end up bricking the device at least once...
@ryanc got an Arduino, ESP8266, or ESP32 board to hand? pretty easy to wire up and write a little program to write to it if your existing tools won't do it.
@gsuberland I was seeing some information about doing in-system programming on motherboards by powering them up and holding the CPU in reset?
@manawyrm I don't seem to be skilled enough to remove the chip without damaging something... :-(
@ryanc if all else fails, I do crap like this:
@gsuberland It runs unsigned firmware, I doubt they bothered...
@ryanc that requires an ICSP or JTAG header, and may not work if the security config on the chip says no (you can disable everything but boundary scan, for example, which will prevent debug and firmware upload)
@manawyrm @gsuberland There's a couple of test pins broken out, labeled FG1, FG2, FG3, FG4.
@gsuberland @ryanc IPQ40xx (like in Ryan's AP) will go High-Z on the flash chips when in reset, though, I've done this in the past.
@gsuberland @ryanc yeah, I've been there... this happened to me on a NXP QorIQ PowerPC platform and then I had to add an inline resistor with the CS line like this:
That was a bit tricky...
@manawyrm @ryanc holding the CPU in reset would not necessarily put the SPI IOs in a hi-Z state though, and I have seen folks kill boards by trying to assert CS and essentially dead-shorting the low-side output FET on the MCU's GPIO across the rails. with sufficient resistance you can avoid that but it requires calculating the necessary value based on the max sink current rating for the chip, and then you have to think about IO thresholds with any existing pull-ups/pull-downs... it gets messy.
@ryanc yeah, that does require a bit of practice first... :(
holding the CPU in reset would probably work, but I didn't see anything that looks like JTAG pins on your board.
@manawyrm @gsuberland openwrt.org doesn't say anything, but I do have two totally dead boards (don't power on at all) to play with
@ryanc @gsuberland no, those are sadly just fiducial markers:
https://en.wikipedia.org/wiki/Fiducial_marker#Printed_circuit_boards
I don't see any relevant pins/testpoints on the photos on openwrt.org, maybe something below the RF shielding? hmm..
@ryanc @manawyrm looks like the shielding comes off with just two screws? if you can get a photo with the shielding off on that side, might be possible to spot some goodies
@manawyrm @gsuberland I also have a glasgow
@gsuberland @ryanc yeah, glasgow can just do that upstream these days.
@ryanc I think wq wrote a thing for Glasgow for doing JTAG pinout identification? either that or I dreamed it lol, hard to tell these days
@ryanc if it does have JTAG somewhere and you can find it and identify the pinout, you'll want a knock-off Segger J-Link. cheap one off eBay or AliExpress, don't bother paying them for the real deal, the cheapo ones work identically. I've seen them for less than £20.
whatever you do, don't bother with OpenOCD's BusPirate JTAG thing, it's literally never worked, you'll spend hours and get nowhere, they really need to pull it from the project.
@ryanc you'd be surprised how often they do fuse off JTAG, even with no firmware signing. it's the minority case where I find a commercial product with JTAG debug enabled and working.
@manawyrm @gsuberland Hmm. It still seems to me like the board is intended to allow something to be done with a test clip. The flash chip only uses 9 of 16 pins. Maybe they broke the reset pin out there?
@ryanc @gsuberland hmm, sad -- I don't see anything very helpful :/
@manawyrm @gsuberland I should just email one of the engineers that worked on it...
@manawyrm @gsuberland The APs were pulls from this place, and I've considered calling them to try to get the password: https://www.loscoyotescc.com/
@manawyrm @gsuberland another thought - if I could sniff the SPI bus I could at least get the password hash...
@manawyrm @gsuberland oh, this looks useful, if I can find someone to mod the board for me... https://thepihut.com/products/smt-socket-wide-soic-16
@gsuberland @manawyrm I think maybe I could remove the chip with chipquik?
@gsuberland @manawyrm yes?
@gsuberland @manawyrm No, I'm not going to try to take the CPU off. Just going to remove the flash chip - gonna try the chipquik since that seems to be the least likely to damage the board and the chip.
@ryanc @manawyrm although if you mean the main CPU, I don't think that'll get you anywhere
@ryanc @manawyrm hot air and flux would be how I'd remove it if you were taking the chip off.
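The thread's point that an in-system read cannot be trusted (the SoC may still be driving the SPI lines) suggests a simple check before relying on a dump: read the chip several times and compare. The following is an added example, not code from any participant; the 4 KiB block size and the constructed sample images are assumptions.

```python
# Added example: sanity-check repeated SPI flash dumps before trusting them.
# Block size is an assumption (4 KiB sectors, as on the W25Q256 family).
from typing import Dict, List

BLOCK = 4096


def blank_blocks(dump: bytes, block: int = BLOCK) -> List[int]:
    """Offsets of blocks that are entirely 0xFF or 0x00.
    Erased space is normally 0xFF, but such blocks inside the area that
    should hold the bootloader or firmware point to a bad read."""
    out = []
    for off in range(0, len(dump), block):
        chunk = dump[off:off + block]
        if chunk == b"\xff" * len(chunk) or chunk == b"\x00" * len(chunk):
            out.append(off)
    return out


def diff_dumps(dumps: List[bytes], block: int = BLOCK) -> Dict[str, object]:
    """Compare several reads of the same chip.
    Any block that differs between reads means at least one read was
    corrupted (bus contention, marginal clip contact), so none of the
    dumps should be written back or used for analysis as-is."""
    if len({len(d) for d in dumps}) != 1:
        raise ValueError("dumps have different lengths")
    ref = dumps[0]
    bad = set()
    for other in dumps[1:]:
        for off in range(0, len(ref), block):
            if ref[off:off + block] != other[off:off + block]:
                bad.add(off)
    return {
        "consistent": not bad,
        "mismatched_blocks": sorted(bad),
        "blank_blocks": blank_blocks(ref, block),
    }


# Constructed sample: three data blocks plus one erased block; the second
# read has a single flipped bit in the second block.
good = bytes(range(256)) * 16 * 3 + b"\xff" * BLOCK
bad = bytearray(good)
bad[BLOCK + 10] ^= 0x80
report = diff_dumps([good, bytes(bad)])
```

Run the same comparison on real dumps by reading the files with `open(path, "rb").read()` and passing them in a list.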