Skip to main content
Topic: Bus Pirate v3b SPI (Read 87 times) previous topic - next topic

Bus Pirate v3b SPI

Hi all,

I am just trying to get my mind around Bus Pirate and SPI. I removed a Winbond 25Q1280VS0 SPI Flash Chip from a PCB (IP Camera). Datasheet if anyone is interested here.

Where I am trying to get my head around is two things:
1. I can write via bus pirate via SPI to the chip and I can read the written values from the chip via SPI.

After closing the terminal to the bus pirate I use flashrom (Ubuntu) and try and do a simple command:
Code: [Select]
flashrom -p buspirate_spi:dev=/dev/ttyS3 -c W25Q32.V
of which the chip specified is the Winbond in question.

However it returns no No EEPROM/flash device found.

Now context, I clobbered the U-Boot bootloader via RS232 i.e. I manged to erase the bank that the bootloader was in.

What I was trying to do (and I am learning her) was to connect directly to the SPI flash to try and reload uBoot bootloader.

Question(s):
  • Am I completely off the mark using Bus Pirate to check the SPI chip (see if i can write and read - checking if the chip is still "working"
  • With my tests I can read and write, what I was trying to do is use flashrom then to flash a bootloader specifically uBoot

I am just trying to figure out if I am on the write track here or completely off, just learning here.

Would appreciate the help

Re: Bus Pirate v3b SPI

Reply #1
Hey ya,

Question(s):

Am I completely off the mark using Bus Pirate to check the SPI chip (see if i can write and read - checking if the chip is still "working"

Definitely the right track. I have not looked at the datasheet, but a lot of flash chips use the 0x03 read command. Can you verify that you can read it from the Bus Pirate terminal? something like [ 0x03 0 0 0 r:16] for the spi flash I'm messing with at the moment is [ (cs low), 0x03 (read command), 0 0 0 (set address to read from), r:16 (read 16 bytes), ] (cs high)

    With my tests I can read and write, what I was trying to do is use flashrom then to flash a bootloader specifically uBoot

I assume you can write anything as long as you can tell it where to locate the data you're writing. I'm not familiar with flashrom at the moment.
Got a question? Please ask in the forum for the fastest answers.

Re: Bus Pirate v3b SPI

Reply #2
Hey ya,

Question(s):

Am I completely off the mark using Bus Pirate to check the SPI chip (see if i can write and read - checking if the chip is still "working"

Definitely the right track. I have not looked at the datasheet, but a lot of flash chips use the 0x03 read command. Can you verify that you can read it from the Bus Pirate terminal? something like [ 0x03 0 0 0 r:16] for the spi flash I'm messing with at the moment is [ (cs low), 0x03 (read command), 0 0 0 (set address to read from), r:16 (read 16 bytes), ] (cs high)

    With my tests I can read and write, what I was trying to do is use flashrom then to flash a bootloader specifically uBoot

I assume you can write anything as long as you can tell it where to locate the data you're writing. I'm not familiar with flashrom at the moment.

Thank you for the response @ian I will try using the 0x03 read command. If I do a simple [ r:10 ] I do get 10 0x0FF back from the SPI flash.

Lucky I bought some "play around" cameras as I have hacked to bits 4 of them already. I guess that is what testing and learning is for. In two of them I removed the SPI flash off the board and other two I left on.

My understanding (which I am now starting to question and if you do know please educate me) was that the bootloader is stored in the SPI flash. As I understood it, you have CPU and then SPI flash of which you get volatile and non volatile in the same SPI flash chip.

If my understand was / is correct then the bootloader (uBoot) would be in the non volatile portion of the flash.

Trying to piece this together that would then mean I would have to flash the bootloader (uBoot) to that area of the flash. The part I havent figured out though is can you use the normal Bus Pirate interface (terminal) to flash the bootloader directly. The reason I am asking is anywhere I did research it pointed back to using flashrom to flash it back. The issue with flashrom:

1. While it has a long list of SPI chips it does lack some of the common ones.
2. Even though I can "read" from the chip using the Bus Pirate terminal interface, when I try flashroom to flash back on or even read the firmware it just says it can't find any EEPROM.

Now I am not sure if I should turn the Power on to the chip with BP first in the terminal and then try or not (tried both doesnt work) and tried it on different SPI chips which are marked as supported by the flashrom documentation.

 

Re: Bus Pirate v3b SPI

Reply #3
My guess is flashrom tries to read out the (JEDEC?) id and it is unknown or fails. The chip should be powered somehow, yes.

[ r:10 ] this just reads 10 bytes. However I think the chip, if it is typical SPI flash, probably needs a command (read/fast read/write/fast write/read JEDEC ID/etc) before it will do anything. r:10 just writes 10 * 0xff to the bus, the chip probably ignores it.

I'm not familiar with the uboot stuff or how the microcontroller in a camera loads from flash.
Got a question? Please ask in the forum for the fastest answers.