
Topics - bordplate

Bus Pirate Support / Issues reading SPI ROM chip (MX25L3206E) via Bus Pirate v3.6
I've got a NETGEAR WNR2000v5 that I want to dump the firmware for. It has a Macronix MX25L3206E chip that I've wired the BP up to. The chip is still soldered to the NETGEAR board. My Bus Pirate is currently on the v5.10 firmware and v4.4 bootloader.

When I try to hit W to turn on 3.3v to the chip, I keep getting "VREG too low, is there a short?", which I've understood can be normal when trying to hook up to a chip that is still on a board. However, if I connected the AUX wire to Vcc on the chip and set it to HIGH and left 3.3v off, I got a stable connection, and sending [0x9f rrr] consistently got me the Manufacturer and Device ID as is specced in the data sheet for the chip. I also tried reading some bytes with the "fast read" functionality ([0x0b r:1024]), and it sent me some data that I believe to be the chip's data, but it was either encrypted or the middle of some compressed archive.

I wanted to use flashrom to dump the firmware, but of course it doesn't understand that I wanted to use the AUX wire to power the chip, so I kept trying to find out how to do it correctly. I found some Russian blog post that seemed to recommend upgrading the BP to community firmware v7.0, so I tried that. Upgrading didn't really help me; the only noticeable difference was that I could no longer attempt to send commands without first powering on with W. It would only hang and I'd need to disconnect and connect the BP. I downgraded the firmware back to 5.10 because I had more luck with that.

After my upgrading and downgrading dance (I tried multiple versions of 6.x as well) my AUX trick no longer worked (so there might have been something more to it when I did it earlier). I've also tried turning on the NETGEAR board while leaving the 3.3v off the chip and then tried to read, but I just get repeating 0x00, so that's obviously not working either. I've also noticed that when I have the BP connected to the chip in SPI mode, the NETGEAR board does not boot; judging by the LED lights on the board, it just hangs.

I also tried to do SPI sniffing, but I only get repeating messages of "Couldn't keep up". At this point I'm still on BP firmware version 5.10, which I believe has a limit of 1MHz reading, and I haven't tried sniffing with v7.0 (which has a limit of 2MHz reading speed on BP 3.6, right?).

So I'm looking for some help trying to work this out. I know the chip is working, because the router is booting up correctly if I disconnect the BP.
This is my first time trying to dump a flash chip outside of a workshop environment, and I've run out of ideas.
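
Added example, not part of the original post: a small Python helper for sanity-checking what comes back from the commands mentioned above (RDID 0x9F and fast read 0x0B) before trusting a dump. The function names are hypothetical, the sample bytes are constructed, and C2 20 16 is the RDID value documented for the MX25L32 family rather than a value taken from the post.

```python
import math
from collections import Counter

# JEDEC manufacturer bytes; 0xC2 is Macronix, 0xEF is Winbond.
MANUFACTURERS = {0xC2: "Macronix", 0xEF: "Winbond"}

def decode_rdid(resp: bytes) -> dict:
    """Decode the three bytes clocked out after opcode 0x9F (RDID)."""
    if len(resp) != 3:
        raise ValueError("RDID returns exactly 3 bytes")
    if resp in (b"\x00\x00\x00", b"\xff\xff\xff"):
        # Nothing is driving MISO: chip unpowered, held in reset, or CS not reaching it.
        return {"valid": False}
    mfr, mem_type, cap = resp
    # Assumption: capacity byte is log2 of the size in bytes (holds for this family).
    return {"valid": True, "manufacturer": MANUFACTURERS.get(mfr, hex(mfr)),
            "memory_type": mem_type, "size_bytes": 1 << cap}

def fast_read_frame(addr: int) -> bytes:
    """Opcode 0x0B, 24-bit address MSB first, then one dummy byte before data."""
    if not 0 <= addr < (1 << 24):
        raise ValueError("address must fit in 24 bits")
    return bytes([0x0B]) + addr.to_bytes(3, "big") + b"\x00"

def classify_readback(data: bytes) -> str:
    """Label a block read from the chip by its byte distribution."""
    if not data:
        return "empty"
    counts = Counter(data)
    if len(counts) == 1:
        return {0x00: "stuck-low", 0xFF: "erased-or-floating"}.get(data[0], "constant")
    n = len(data)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    # Compressed or encrypted firmware sits near 8 bits/byte; text and code sit lower.
    return "high-entropy" if entropy > 7.5 else "structured"

if __name__ == "__main__":
    # Constructed sample values, not captured from the router in the post.
    print(decode_rdid(bytes([0xC2, 0x20, 0x16])))
    print(fast_read_frame(0x000000).hex())
    print(classify_readback(b"\x00" * 1024))
    print(classify_readback(bytes(range(256)) * 4))
```

Reading the same block twice and comparing the results is a useful extra check on an in-circuit setup, since a second bus master on the board can corrupt reads intermittently.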
