Can the Bus Pirate be used to read the eeprom from this chip

Postby surfrock66 » Sat Mar 26, 2016 3:50 pm

I apologize in advance; I have a Bus Pirate v4 and used it to do some work months ago. I'm tasked with recovering the contents of an embedded chip, and I'm a little bit in over my head. I'm hoping for a recommendation for a guide to help me, or if someone can make sense of the chip I'm trying to decode that would be even better.

The chip is the Nuvoton N79E814AT20. I've only been able to find a datasheet in Chinese (too new to post links) as the chip is for the China market only. Googling the chip does come up with results for a different chip (too new to post links), which is an 8-bit microcontroller with 16K of flash EEPROM.

I'm investigating a video broadcasting device for use of a custom bit of code without license attribution; I have reason to believe this should be using a Linux OS as firmware and the entire firmware should be <16MB.

There's one more chip on the board, the writing on the chip is:
8101RYI
1339
23323190-ZZ

I can't find much on this; I had reason to believe for a minute that this was an audio amplifier. I'm not investigating it at this time, unless someone thinks that has a better shot.

Thoughts? Am I even headed in the right direction? If this all ends up being accurate, could the bus pirate be used to read the contents of the ROM? Thanks!

Postby suchende » Mon Mar 28, 2016 3:26 am

Postby surfrock66 » Mon Mar 28, 2016 10:50 pm

HMM...that link makes me think that the chip I'm looking at is NOT storage. I guess my only other recourse is the 8-pin chip, the 8101 RYI. I can't find ANYTHING on it. I know the ground pin...also pin 7 on the 8101 is the same as pin 18 on the first chip. Is there a good guide to reverse engineering a total mystery chip?

Postby suchende » Tue Mar 29, 2016 10:18 am

On page 9 is an overview:

Code: Select all
Model         APROM   LDROM   RAM    Data memory   Package
N79E814AS20   8KB     2KB     512B   4KB           SOP-20

It is for sure not storage.
The 8-pin chip could be an SPI-accessed memory, but it could be anything else.

You could use: http://www.grandideastudio.com/portfolio/jtagulator/ or https://hardsploit.io/

Do you have only the chips or also the board?

Postby Graham242 » Wed Mar 30, 2016 5:18 am

surfrock66 wrote:I'm investigating a video broadcasting device for use of a custom bit of code without license attribution; I have reason to believe this should be using a Linux OS as firmware and the entire firmware should be <16MB.

Given the very low specs of the N79E814AT20 (bytes' worth of RAM, no MMU, 8-bit 8051 core and so on), I think it's highly unlikely to be running any version of Linux, to be honest with you. I also doubt that it'll be pulling code over SPI, given the lack of RAM to store it all in.

Postby surfrock66 » Wed Mar 30, 2016 9:56 pm

My original thought was the OS was stored on the eeprom, but now I'm wondering if the 2nd chip is actually a small storage chip.

I have the board; photos below:
[Image: IMG_20160324_204119.jpg - the circuit board]
[Image: ChipUnderMicroscope2.jpg - the smaller chip under my microscope]

I've also wired connections to the 8 pins on the smaller chip.

We are analyzing 3 generations of products; gen 1 (which is confirmed to be using the Java code in question without attribution on a small embedded Linux), gen 2 wifi (which is confirmed to be using an alternate bit of code also on a small embedded Linux), then gen 2 NON wifi which communicates with a small dedicated device over a 2.4 GHz radio which is not wifi or Bluetooth. This is the device we are trying to analyze; I believe it's likely they're still using an embedded Linux, and in this case it'd be likely they are still using the Java code in question.

Postby suchende » Thu Mar 31, 2016 2:57 pm

I guess the other chip with 8 pins is the driver for the speaker.

What do you get if you dump the EEPROM from the 8051? Tried a disassembly of that part of the hex?

If they use Java Embedded, it could be there. But it is nothing like the common Java. It is more like C++ under Arduino after cross-compiling: some sort of heavily optimized assembler. (FYI: the SIM card in your mobile phone also runs a sort of embedded Java.)

Postby surfrock66 » Thu Mar 31, 2016 9:47 pm

That was my assessment as well. The firmwares for the rest of these devices have ranged from 4-16MB, and they've simply dropped the 107KB .jar file onto the filesystem.

I'm a pretty big noob here...the only other time I used the Bus Pirate, I had a pretty thorough guide. I've accessed solder points on pins 2, 3, 4, 5, 8, 9, 11, 12, 18, 19 and 20, and I'm trying to find solder points I can hit for the rest. If you have any tips on how I'd dump the EEPROM, they'd be appreciated.

Postby suchende » Sat Apr 02, 2016 3:36 pm

There are some problems:
- maybe In-Circuit Programming is not possible -> desolder the chip
- the ROM is fused

But pins 1 to 3 seem to be assigned to ICP (page 157), so we need to translate the PDF into something readable. And there should be something on how you can read or flash the ROM. On page 127ff something is written about ISP.

Postby surfrock66 » Thu Apr 07, 2016 4:47 pm

I have a crappy translation:

Page 126:
In-System Programming (ISP)
The on-chip program memory and data memory support hardware programming and In-System Programming (ISP). Programming with a hardware programmer during production can reduce cost and time; however, during product development, or when the product's firmware needs to be updated, ISP mode is more convenient and makes the process easy. The N79E815A/814A/813A/8132A support ISP mode for updating the firmware by software. The voltage required for the update is VDD = 3.0V to 5.5V.
ISP does not require the controller to be removed from the system board. The most common way is to implement the code through the UART: the PC transmits the new APROM code over the serial link, and the LDROM firmware receives it and reprograms the APROM through ISP commands.
Nuvoton provides the ISP firmware: go to the 8-bit Microcontrollers section of the Nuvoton website and select "Nuvoton ISP by ICP Programmer".

20.1 The ISP bootloader
Real-time operation
Unlike updating a register, updating the data memory takes a long time, so the erase and write operations need complex timing control. The N79E815A/814A/813A/8132A provide a convenient mechanism to help the user perform the update. After ISP is enabled by setting ISPEN (CHPCON.0, protected by TA), the user can simply write the 16-bit destination address to ISPAH and ISPAL, write the data to ISPFD, write the command to ISPCN, and then set ISPGO (ISPTRG.0) to perform the ISP operation. Note that ISPTRG is also protected by TA.
Setting ISPGO (ISPTRG.0) starts the ISP operation. At this time the CPU holds the program counter while the built-in ISP logic controls the internal high-voltage supply and the timing control signals. After the ISP operation is completed, the program counter continues and ISPGO is cleared automatically. If another ISP operation is needed, the user only needs to repeat the above steps from the user program.
Here is the ISP register (CHPCON; ISPEN is CHPCON.0):

Code: Select all
Bit    Name     Description
6      ISPF     ISP fault flag (read only).
                The hardware sets this bit when one of these conditions is met:
                1. An access that is not allowed, such as:
                   (A) APROM code erasing or programming the APROM itself at run time.
                   (B) APROM code erasing or programming the LDROM at run time while LDUEN is 0.
                   (C) APROM code erasing, programming or reading the CONFIG bytes at run time.
                   (D) LDROM code erasing or programming the LDROM at run time.
                   (E) An access beyond the size of the region.
                2. ISP is performed while executing from the external program space instead of the internal program space.
                This bit is cleared by software.
5      LDUEN    LDROM update enable.
                0 = While APROM code is running, the LDROM may not be erased or programmed; the LDROM remains read-only.
                1 = While APROM code is running, access to the LDROM is allowed.
4:2    -        Reserved.
1      BS       Boot select.
                This bit is written and read with different meanings.
                Write: defines the block the MCU boots from after the next reset.
                0 = boot from APROM.
                1 = boot from LDROM.
                Read: reports the block the MCU booted from after the last reset.
                0 = last boot was from APROM.
                1 = last boot was from LDROM.
0      ISPEN    ISP enable.
                0 = ISP function disabled.
                1 = ISP function enabled.
                Enabling the ISP function also enables the internal 22.1184MHz RC oscillator clock. ISPEN should be cleared
                after the last ISP operation, which stops the internal RC oscillator to reduce power consumption.


Page 131:
20.4 ISP user guide
ISP lets the user update the contents of the memory easily; however, the user must follow certain restrictions to make sure ISP is performed properly, otherwise it may produce wrong results or even damage the device. The following points are useful for a correct implementation of ISP.
(1) When not performing ISP, the user must clear ISPEN (CHPCON.0) to 0. This prevents the system from accidentally triggering ISP. ISP runs from the internal 22.1184MHz RC oscillator; if an external clock source is selected, ISP can still be achieved, because stopping the internal 22.1184MHz RC is prohibited while ISP is enabled. Note that ISPEN is protected by TA.
(2) The CONFIG bytes can be fully accessed by ISP only when the code boots from the LDROM. After any reset, all new CONFIG bytes are activated except the CBS bit; after all resets except a software reset, the new CBS bit is activated as well.
(3) When the LOCK bit (CONFIG0.1) is activated, ISP read, write and erase are still valid.
(4) The ISP working voltage is VDD = 3.0V to 5.5V.
(5) The contents of the APROM and LDROM can be read by ISP. Note that users can write their own ISP program; to protect data security, erasing and programming the CONFIG bytes must be the last step.


Page 156/157:
In-Circuit Programming (ICP)
ICP (In-Circuit Programming) mode is another way to access the EPROM memory and needs only three pins to perform the ICP functions. One is the /RST input, which must be pulled to GND by the ICP tool during operation. One is a clock input multiplexed with P1.7, on which the device receives an external serial clock. The other is an I/O pin multiplexed with P1.6, through which the external ICP programmer shifts data into the N79E815A/814A/813A/8132A EPROM memory, synchronous with the clock on P1.7.

When entering ICP mode, all pins are set to quasi-bidirectional mode with their outputs at "1". The N79E815A/814A/813A/8132A support programming of the EPROM (16K/8K/4K bytes of APROM), the data memory (128-byte pages) and the LDROM. The user can select programming of the APROM, the data memory and the LDROM.

NOTE:
1. When using ICP to update the code, /RST, P1.6 and P1.7 must be disconnected from the load of the system board.
2. After ICP programming, it is recommended to power off the system, remove the ICP tool, and then reconnect the power.
3. It is recommended that customers erase and then program the configuration bits in two consecutive steps, without interruption.

Postby surfrock66 » Sat Apr 16, 2016 12:22 am

So I may be lucky...the device I'm disassembling had a daughter board I ignored, which as it turns out has a "Winbond 25Q80dvsig" on it. That's an 8MB flash chip:

https://www.winbond.com/resource-files/ ... ebsite.pdf

I'm looking at this:

Read Data (03h)

The Read Data instruction allows one or more data bytes to be sequentially read from the memory. The

instruction is initiated by driving the /CS pin low and then shifting the instruction code “03h” followed
by a 24-bit address (A23-A0) into the DI pin. The code and address bits are latched on the rising edge
of the CLK pin. After the address is received, the data byte of the addressed memory location will be
shifted out on the DO pin at the falling edge of CLK with most significant bit (MSB) first. The address is
automatically incremented to the next higher address after each byte of data is shifted out allowing for
a continuous stream of data. This means that the entire memory can be accessed with a single
instruction as long as the clock continues. The instruction is completed by driving /CS high.

The Read Data instruction sequence is shown in figure 9. If a Read Data instruction is issued while an
Erase, Program or Write cycle is in process (BUSY=1) the instruction is ignored and will not have any
effects on the current cycle. The Read Data instruction allows clock rates from D.C. to a maximum of fR
(see AC Electrical Characteristics).


I may be in luck...

Postby sre71 » Sat Apr 16, 2016 4:36 pm

Hi surfrock66,
you are welcome!
Surely the Bus Pirate can do the job by itself, without the help of anything else (stand-alone).
About your last question on how to read the chip's contents using command 03h (Read Data): the answer is in the datasheet you just posted; there is all you need in order to reach the goal.
Indeed it says that the instruction is initiated by driving the /CS pin low and then shifting the instruction code "03h" followed by a 24-bit address (A23-A0) into the DI pin, with the data byte of the addressed memory location shifted out on DO most significant bit (MSB) first.
The address is automatically incremented to the next higher address after each byte of data is shifted out, allowing for a continuous stream of data.
This means that the entire memory can be accessed with a single instruction as long as the clock continues.
The instruction is completed by driving /CS high.
In the Bus Pirate's syntax it is something like this:

[(command 03h) (24bit address) (clock)]

namely for the whole content of the chip

[0x03 0x00 0x00 0x00 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192

r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192

r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192

r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192

]

where:

[ = start the command by driving the chip select to low (/CS=selected)

0x03 = the Read Data command in hexadecimal

0x00 0x00 0x00 = 24bit start address as 3bytes (1byte=8bit)

r:8192 r:8192 r:8192...= read 8192bytes repeated 128 times used as clock (total chip size=8388608bit=1048576byte=8192byte*128=8192byte*32*4)

] = stop the command by driving the chip select to high (CS=deselected)

This is another example:

[0x03 0x00 0x00 0x00 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192]

[0x03 0x04 0x00 0x00 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192]

[0x03 0x08 0x00 0x00 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192]

[0x03 0x0C 0x00 0x00 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192 r:8192]

where:

0x00 0x00 0x00 = 24bit start address as 3bytes (1byte=8bit) for the first slice

0x00 0x04 0x00 = 24bit start address as 3bytes (1byte=8bit) for the second slice

0x00 0x08 0x00 = 24bit start address as 3bytes (1byte=8bit) for the third slice

0x00 0x0C 0x00 = 24bit start address as 3bytes (1byte=8bit) for the fourth and last slice

Offset is always 40000h(262144dec) for all four readings so that even in this case their sum is the entire contents of the memory chip (40000h*4=100000h=1048576dec bytes).
As you can see there are different ways to achieve the same result.

At an SPI speed of 1MHz, reading each single block of 256kB (256bytes*1024=262144bytes=8192bytes*32) takes less than 2 minutes (1m 56s), so the whole thing takes about 8 minutes (~2 minutes*4) to finish collecting all the 1048576 bytes which are the full contents of the memory in the Winbond 25Q80dv chip.
Due to the Bus Pirate's limitation of only 256 characters for each line of instructions that can be sent to it, you can't send all the commands on the same row, so you need to split them.
In these examples the reading of the whole contents is split into 4 parts of 256 KB, but obviously you can arrange it in any different way, taking care not to exceed the Bus Pirate's limit of 256 characters per line.
You can't easily send the read of the whole 262144 bytes or more at once either, due to the weakness of the USB communication, because then many bytes will be lost through buffer inadequacy.
For all those reasons, splitting the command into several parts is highly advisable.
Of course, by choosing the appropriate address it's also possible to read a well-defined slice of memory if necessary.

Anyway, before you start reading it would be better to perform the command 9Fh (JEDEC ID) in order to be sure that the wires are hooked to the right pins and that communication with the Bus Pirate has no problems:

[0x9F rrr]

The right answer should be: 0xEF 0x40 0x14.

As anyone can see, the Bus Pirate alone really can do the job.
It's like a Swiss Army knife: maybe it doesn't have the efficiency of specific tools, but it surely allows you to do several things, even quite complex and difficult ones.
But the Bus Pirate is a powerful device which can also be controlled by external scripts and software, so there are also other ways to reach what you want.
For the kind of thing you need it's perhaps better to use a script or something that does the job automatically, for instance Flashrom.
You're asking for help to read the contents of the chip; here I will get ahead of you by saying that you will then probably need to rewrite it.
Surely the Bus Pirate can also write to the chip, but as you can see from the datasheet you can't change only what you want: you need to erase the whole chip and then rewrite it with the new content you need.
It's a quite complex and tedious thing to do.
So in the end you can simply use Flashrom to manage your Bus Pirate automatically.

http://buildbot.flashrom.org/buildresults/?M=D

http://download.flashrom.org/snapshots/?C=M;O=D

Doing so you only need to hook the Bus Pirate to the correct pins and start Flashrom which will take care of everything.
Very easy.
The syntax for the Windows version of Flashrom is something like this (for different versions refer to Flashrom's manual):

flashrom.exe -p buspirate_spi:dev=COMnr -r NAME
(it reads the whole memory content and saves it in the NAME file)

flashrom.exe -p buspirate_spi:dev=COMnr -w NAME -V
(it writes and verifies the whole memory content of the chip with that of the NAME file)

flashrom.exe -h
(shows the online help of Flashrom)

Where:

nr = serial port number used by the Bus Pirate, for instance COM1 for the serial port 1

NAME = name for the file

Good luck!

Regards,
sre71
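
The Read Data (03h) sequence quoted from the Winbond datasheet above and the chunked Bus Pirate read sre71 describes, as an added worked example that is not code from this thread, from Dangerous Prototypes or from Winbond. It models the flash at the command level (the SpiNorFlash class, the JEDEC manufacturer labels and all function names are assumptions made for this example; the contents are a constructed 1 MiB pattern), generates [0x03 a2 a1 a0 r:N ...] lines that stay within the 256-character line limit, replays them against the model, and refuses to trust the dump unless the 9Fh answer is the expected 0xEF 0x40 0x14. The three address bytes go out high byte first, so the second 256 KB slice starts at 0x04 0x00 0x00 (address 0x040000), exactly as in the command lines above.

```python
"""Command-level model of a W25Q80-class SPI NOR flash plus a Bus Pirate
bulk-read planner. Added example with constructed data: the class, the
function names and the manufacturer table are assumptions for this example."""

# One-byte JEDEC manufacturer IDs (assumed table, used only for labelling).
MANUFACTURERS = {0xEF: "Winbond", 0xC2: "Macronix", 0x20: "Micron/ST", 0x1F: "Adesto/Atmel"}


def decode_jedec_id(ident):
    """Decode the 3 bytes returned by 9Fh: (manufacturer, memory type, bytes).
    Vendors commonly store log2(capacity): 0x14 -> 1 << 20 = 1 MiB = 8 Mbit."""
    mfr, mem_type, cap = ident[0], ident[1], ident[2]
    return MANUFACTURERS.get(mfr, "unknown(0x%02X)" % mfr), mem_type, 1 << cap


class SpiNorFlash:
    """Flash-side behaviour for the two opcodes the post uses."""
    READ_DATA, JEDEC_ID = 0x03, 0x9F

    def __init__(self, contents, jedec_id=b"\xEF\x40\x14"):
        self.mem = bytes(contents)
        self.jedec_id = bytes(jedec_id)
        self.busy = False  # BUSY=1 during erase/program; 03h is then ignored

    def transaction(self, tx, read_len):
        """One /CS-low ... /CS-high exchange. tx = bytes the master shifts in on
        DI (opcode, then for 03h the 24-bit address, A23 first); read_len = how
        many further bytes it clocks. Returns what the flash puts on DO then."""
        opcode = tx[0]
        if opcode == self.JEDEC_ID:
            return (self.jedec_id + bytes(read_len))[:read_len]
        if opcode == self.READ_DATA:
            if self.busy:
                return bytes(read_len)
            addr = int.from_bytes(tx[1:4], "big")
            # The address auto-increments after every byte and wraps at the
            # top, so one instruction can stream the whole array.
            return bytes(self.mem[(addr + i) % len(self.mem)] for i in range(read_len))
        raise ValueError("unsupported opcode 0x%02X" % opcode)


def read_command_lines(size, chunk=8192, max_line=256):
    """Bus Pirate lines '[0x03 a2 a1 a0 r:N r:N ...]' that cover `size` bytes.
    Every line reissues the opcode with a fresh start address, because the
    closing ']' raises /CS; no line is longer than max_line characters."""
    reads = [min(chunk, size - off) for off in range(0, size, chunk)]
    lines, addr, i = [], 0, 0
    while i < len(reads):
        line = "[0x03 " + " ".join("0x%02X" % b for b in addr.to_bytes(3, "big"))
        n = 0
        while i + n < len(reads) and len(line) + len(" r:%d" % reads[i + n]) + 1 <= max_line:
            line += " r:%d" % reads[i + n]
            n += 1
        if n == 0:
            raise ValueError("chunk does not fit in one line")
        lines.append(line + "]")
        addr += sum(reads[i:i + n])
        i += n
    return lines


def run_lines(flash, lines):
    """Replay generated lines against the model and concatenate the r:N output."""
    image = bytearray()
    for line in lines:
        tokens = line.strip("[]").split()
        tx = bytes(int(t, 16) for t in tokens[:4])
        image += flash.transaction(tx, sum(int(t[2:]) for t in tokens[4:]))
    return bytes(image)


def dump_flash(flash, expect_id=b"\xEF\x40\x14"):
    """The procedure from the post: verify the 9Fh answer before trusting reads.
    An unwired DO line typically reads back all 0xFF or all 0x00 here."""
    ident = flash.transaction(bytes([SpiNorFlash.JEDEC_ID]), 3)
    if ident != expect_id:
        raise RuntimeError("JEDEC ID %s, expected %s: check wiring" % (ident.hex(), expect_id.hex()))
    _, _, size = decode_jedec_id(ident)
    return run_lines(flash, read_command_lines(size))


if __name__ == "__main__":
    sample = bytes(range(256)) * 4096  # constructed 1 MiB image
    part = SpiNorFlash(sample)
    print(decode_jedec_id(part.transaction(b"\x9f", 3)))
    plan = read_command_lines(len(sample))
    print("%d lines, longest %d chars, first: %s..." % (len(plan), max(map(len, plan)), plan[0][:34]))
    print("dump matches image:", dump_flash(part) == sample)
```

Run stand-alone it prints the decoded ID, the size of the plan (four lines of 33, 33, 33 and 29 reads for 1 MiB at 8192 bytes per read) and whether the replayed dump equals the constructed image. Against real hardware the transaction method would be replaced by writes to the Bus Pirate's serial port, or, as the post says, the whole job handed to flashrom.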

Postby surfrock66 » Sat Apr 16, 2016 5:22 pm

So, I soldered it all up to a breadboard so I have easy pins (I've not desoldered the chip, just put wires from the chip to the breadboard). Tested everything with a multimeter...interestingly enough, pins 3/7/8 were shorted before I even started (/WP, /HOLD, and VCC). Nevertheless, I plugged it in, got to SPI mode, hit "W"...

Code: Select all
SPI>W
VREG too low, is there a short?
Power supplies OFF


I unplugged it all, checked my connections again, wired it up...same. Interestingly enough, in rewiring it up...I ran the same command with the header to the bus pirate disconnected...same thing. Weird? I ran a self-test and everything is fine. Thoughts?

Postby surfrock66 » Sun Apr 17, 2016 12:26 am

Ok, it's probably a BusPirate firmware issue...Reading here: viewtopic.php?f=4&t=3415

I have FW 6.0a3....now I have no non-Linux machines in my house, so I'll have to see how to flash it in Linux; all the guides I've found assume Windows.

Postby surfrock66 » Sun Apr 17, 2016 1:29 am

That did it. Took your advice, used flashrom:

Code: Select all
sudo flashrom -p buspirate_spi:dev=/dev/ttyACM0 -r chipdump1


Worked! The one trick I had to make sure to do was to tie the 3.3V to pins 7,8, and 3.

I need to figure out what to do with this now...I assume it's some sort of compiled/obfuscated thing, either that or compressed and loaded into ram. I tried to use "strings" on it...nothing. Any tips are appreciated, but I'll figure it out eventually.
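
A first pass over a dump when "strings" comes back empty, as in the last post: an added example, not code from the thread. It splits the image into blocks, uses Shannon entropy to tell erased (0xFF), plain, code-like and compressed-or-encrypted regions apart, and scans for a handful of container magics (gzip, squashfs, JFFS2, U-Boot uImage, UBI, ELF, flattened device tree) so you know where to point a carving tool such as binwalk next. The entropy thresholds, the 64 KiB sample image and its layout are constructed for the example and say nothing about the device in the thread.

```python
"""Entropy and magic-number triage of a raw flash dump. Added example with a
constructed sample image; thresholds and layout are assumptions for the example."""
import gzip
import math
import random
from collections import Counter

# Container magics as they appear in a raw dump (multi-byte fields already in
# storage order). Very short magics are left out: they mostly produce false hits.
MAGICS = {
    b"\x1f\x8b\x08": "gzip",
    b"hsqs": "squashfs (little-endian)",
    b"sqsh": "squashfs (big-endian)",
    b"\x85\x19\x02\xe0": "jffs2 inode",
    b"\x85\x19\x01\xe0": "jffs2 dirent",
    b"\x27\x05\x19\x56": "U-Boot uImage",
    b"UBI#": "UBI erase-block header",
    b"\x7fELF": "ELF",
    b"\xd0\x0d\xfe\xed": "flattened device tree",
}


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant block, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_block(block):
    """Heuristic thresholds (assumed for this example): text and tables sit
    well below 6 bits/byte, native code around 6-7, compressed or encrypted
    data close to 8. 'strings' finding nothing plus 'high' everywhere means
    compressed or encrypted content, not plain code."""
    if block.count(0xFF) == len(block):
        return "erased"
    if block.count(0x00) == len(block):
        return "zero"
    ent = shannon_entropy(block)
    if ent >= 7.0:
        return "high"
    if ent >= 6.0:
        return "medium"
    return "low"


def find_regions(image, block=4096):
    """Classify every block and merge runs: [(start, class, length), ...]."""
    regions = []
    for off in range(0, len(image), block):
        chunk = image[off:off + block]
        cls = classify_block(chunk)
        if regions and regions[-1][1] == cls:
            start, _, length = regions[-1]
            regions[-1] = (start, cls, length + len(chunk))
        else:
            regions.append((off, cls, len(chunk)))
    return regions


def scan_magics(image):
    """Every offset at which a known magic occurs, sorted by offset."""
    hits = []
    for magic, name in MAGICS.items():
        off = image.find(magic)
        while off != -1:
            hits.append((off, name))
            off = image.find(magic, off + 1)
    return sorted(hits)


def build_sample_image():
    """Constructed 64 KiB dump, not from any real device: a uImage-style header,
    16 KiB of gzip data, 8 KiB of random bytes standing in for ciphertext,
    4 KiB of plain text, and an erased (0xFF) tail."""
    rnd = random.Random(1)
    header = (b"\x27\x05\x19\x56" + bytes(60)).ljust(0x1000, b"\xff")
    compressed = gzip.compress(b"".join(b"%d," % (i * i) for i in range(30000)), mtime=0)[:0x4000]
    encrypted = bytes(rnd.getrandbits(8) for _ in range(0x2000))
    text = (b"config: video=pal, radio=2.4GHz, build=example\n" * 200)[:0x1000]
    return (header + compressed + encrypted + text).ljust(0x10000, b"\xff")


def triage_report(image, block=4096):
    """Human-readable region map followed by the magic hits."""
    lines = ["%06x  %-6s  %6d bytes" % r for r in find_regions(image, block)]
    lines += ["%06x  magic: %s" % h for h in scan_magics(image)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(triage_report(build_sample_image()))
```

Point it at the real chipdump1 by replacing build_sample_image() with open("chipdump1", "rb").read(). A region map that is "high" from end to end with no magic hits at all is what compressed-and-then-encrypted or whole-image-encrypted firmware looks like; a gzip or squashfs hit just past a small "low" header block is the usual layout for a Linux image and is where a filesystem extractor should start.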