The CH341A is A POWERFUL tool for people who want to get into bug hunting. • this vulnerability sho... 🏫 COURSES 🏫 Learn to code in C at lowlevel.academy 🔥 SOCIALS 🔥 Come hang out at lowlevel.tv
He doesn't mention this in the video, but that CH341 device doesn't always work to read flash chips without desoldering. The problem is that in order to read from the flash chip, you have to power it. The CH341 can power a flash chip, but it can only output a limited amount of current. If the VCC rail connected to the flash chip is directly connected to other components too, it's possible the CH341 won't be able to power all those components, including the flash chip. In these cases, it's often best to just desolder the flash chip. Alternatively, you could connect a logic analyzer to the DI and DO pins of the flash chip, then power up the device. Use the logic analyzer to record the data stream as the CPU reads the flash contents. You may need to write a small program to convert the recording back into binary data though.
Just my experience, YYMV, but I used one to read and flash the BIOS of a Dell laptop. It functioned perfectly. I had to buy a second clip that connects to the chip since the first one refused to work.
@@MrWaalkman Yeah I'd say based on my experience that it works without desoldering about 80% of the time. It really just depends on whether your flash reader can provide enough power to the part of the board you're connected to.
Before unsoldering, just try plugging in the power cord in the device (but don't turn it on ofc) so it gets standby power to the chip. I've had this work on several devices. Some laptops require you to unplug the main battery as well if doing this.
1. add a electrolytic cap to the power rail (it looks odd, but, works) 100uF iirc. 2. Hold the reset pin on the uC low/high to stop the uC booting (if the bootloader uses the SPI bus it will corrupt your data). I had to do this to a tapo 200v3 to dump the firmware.
Afaik there are different versions of this board. The actual CH341 chip is both 3.3V and 5V compatible (which is why the mod even works to begin with) although some boards don't use the integrated 3.3V circuit others do.
Alternately, there are CH341 dongles with blue PCBs that have just a bunch of pin headers, rather than a fancy socket. This has a proper design: it has a jumper that lets you select between powering the CH341 chip from either USB power or an onboard 3.3v regulator, which is what determines the logic voltage (per the datasheet). You have to think about how to hook it up a little bit more since you don't have the socket, but if you're not confident modifying a PCB it'd probably be an overall better purchase - usually it's a little bit cheaper too.
@@ryjelsum Yes right! I have same dongle as Ed, and mine has 3v3 bug. I juat want to warn and inform to be carefull, some IC will not tolerate 5v as data pulses
IMO, consumers should either: 1. Legally have FULL access to firmware OR 2. The C-Suite should be held legally liable for security breaches and face legal consequences equal to someone who makes and distributes malware as that's what they sold you.
Not really. They should not be forced. 1. Is their IP 2. Anybody can do mistakes. I think it's more simple: we should stop using the ones that we don't trust or like you said, the ones that don't open source their firmware.
I agree that this isn't the best. Just as a thought, imagine the law was done that way, then that means that if a company does give the full source of the firmware, then that would indemnify them and full onus would be on the buyer (and the vast majority of people wouldn't even be able to follow it, let alone detect vulnerabilities in it). It would be the equivalent of all of the ToS you agree to going forward being in a foreign language, and onus being on you for not knowing the language it is written in.
@marklonergan3898 No, that's dumb. You guys like, "uh hey excuse me, can you make things secure?". My point is that these people know exactly what they are doing by cutting corners and not making security the forefront of a product they are selling you. We need a major shift in policy regarding selling IoT electronics that punches a giant hole in your security because a group of c-suite asshole don't care about you or your data. It like Apple vs Arch Linux. We have at least two opitons: 1. Companies take responsibility for and are held liable for blatant security vulnerabilities. Im not talking zero days where you follow INDUSTRY STANDARDS but there are always going to be small vulnerabilities. I'm talking blatant bullshit like when an IP camera company leaves that admin password as, "password" and also hardcodes it. That is absolutely disgustingly lazy and should be prosecuted. OR 2. The company can release the firmware unencrypted and fully accessible to the user and they take full responsibility for their security knowing they chose the DIY. You either get to chose a company that takes over the liability for you, or you take it on yourself. It's literally not complicated like you're making it.
@@marklonergan3898 that is already what happens to most users. People play Minecraft without knowing English and the EULA has no translation. Same for most games and most SaaS. You not knowing the language of the contract you signed or not knowing the language of the code you have access to and are running doesn't exempt you from your responsibility. They wrote the EULA and distributed it, that is their part. So it would not be without precedent to requiring it to be open and leave the responsibility for the user.
Good points and good arguments! I’ll go ahead and add that while I totally agree with OP in PRINCIPLE, fining companies as criminals for distributing malware accidentally would immediately make most tech business unviable, since every piece of software I have ever seen has some flaw or breach of some kind.
What is the point of this "ethics" if part of the firmware can be used in rare cases for a device of another model. The only downside for the manufacturer is if new functions were added to the old product, for example, NVME support to the old system board. Because of this, slightly fewer users will buy a new product with NVME support.
You actually get the right to use a copy of the firmware, not the firmware itself. That being said, I can also see why some people would try. Putting not encrypted firmware on an embedded device, and the SPI flash is also not included in the SOC. Its an open invitation at this point
the most effective thing you can do with your time is to make instructions on how to do this, because at some point if this is again a problem for you. you might not have to remake another bios that some one made because they learned from your instructions.
This is the first time I have encountered someone pronouncing SPI as ‘SPY’. I have only heard ‘S-P-I’ previously. Thank you for the info. As an embedded software developer, I can say that if someone stores unencrypted firmware on an external flash, you are free to read it.
@@tavershimaako7034 Well it is said that way sometimes ... sucks to read people trying pretend they have the corner of being right ... google initialism vs acronyms. If you want S.P.I., then be more diligent with your language. Both are correct, and vary depending on the crowd.
I actually used one of these for the first time recently! I bricked my Chromebook while flashing the stock firmware after having windows on it 😅. Pretty fun tool to mess around with and see how things work :)
I wish more new devices were still using SPI flash for more than eeprom config storage these days. TSOP isn’t too bad but requires more expensive readers and BGA just makes me want to cry.
The only special thing about this product is the ZIF socket you're not even using for its purpose. For general SPI dumping you can use any old arduino or rpi lying around. Or if you get a more feature rich product such as bus pirate or tigard, you can do i2c, uart and others in addition to dumping SPI chips' memories.
Just used one of these devices this weekend to flash a modified bios on my AsRock motherboard, to enable ReBar support. AsRock has there instant flash locked down to only accept there signature. So it does have valid uses, which like many things, can be twisted to do bad things. Also you can easily do this with a raspberry pi.
Misleading. The Router doesn't route the Internet into the house. The Modem does that. the router distributes the data between devices and the modem. But I am sure you all know that. 😊
Why are you looking slightly to the left of the camera? It looks like you're being interviewed. If it's because that's where your teleprompter is, then why not just have the camera slightly above it?
You read 16384 kB and you tried to write ~16777kB... that's bit more than just an extra character! Vim corrupted the file? You should have used hex editor. What happened to the device?
FYI the device wouldn't boot, as vim adds additional metadata about the text layout such as line breaks to the file, and you're right, he should have used hex editor.
you're saying "spy" instead of SPI so many times, maybe I'll get used to it in the end... never mind it's impossible for me to get used to it, but I tried 😅 Nice video though, great work! ☺️
10:30 if it uses GPL-like licensed parts, like linux, you actually need to be able to replace that bit. Of course, the root file system may contain other parts. And - if you report a bug, prepare to get sued.
Openwrt is awesome, I had a couple of routers that I didn't use, after discovering openwrt I could use for something useful, but unfortunately the routers only had 4mb of flash and 32mb of ram, so I modified the openwrt partition system for my device to fit inside an 16mb chip, so now I had more storage, but the ram was still an issue, so I flashed a custom bootloader that could work with different ram chips, and then I replaced the ram with a 128mb and now the router has the latest update and I'm able to use all the extra features of openwrt, this is only possible because openwrt is opensource, thank you all for that :D
Lol "its not spy, its s-p-i" Tow-may-toe Tow-mah-toe Nobody cares how its spoken. We all know the reference. Besides, most of the people that utilize these in the general public (including the euros) pronounce it "spy" In addition to all this nonsense, you can also link this very specific kit (along with some intermediate components) with SDR and recreate the RAMBO hack. You can also directly pull CPU signals too- one method being "Wireless" and the other connecting directly the the spi bus on the soc/cpu. The "wireless" method is very discreet and pretty much requires you to shield your project from other radio signals. I had to put my old laptop in a cardboard box wrapped in foil and another box (Faraday "cage") Its very similar to hertzbleed, but most of what I've seen is either nonsense or instructions I've manually passed. (Haven't gotten anywhere with the wireless yet.)
I used one of these to unbrick my G75VX laptop in college after asus quoted me $900 to fix it after the laptop bricked when I told it to boot off the dvd drive lol
Vim probably appended a newline after your file when you changed the string. By changing it to U-boo you would have changed the alignment of everything after so you probably would not have had it boot correctly.
Be careful with this device. It needs a modification to use 3.3V signals for the target chip! By default the board of this programmer is outputing 5V for signals (not the power supply!) to CH341 to the target chip. You can find on the internet how to modify the design and set the CH341 as 3.3V signals for the target chip. In some circumstances you can burn the target chip if is not 5V tolerant!
tried both this one and the fixed version and still cannot read a chip. Bought many different clips, cables etc and every time I read it with three different software it post different dumb, which at the end is corrupted, cannot hacked/cracked. So BS. If anyone in the UK reads this, where I can find cheap place where people will flash me three chips?
This is the first time in my life I've ever heard anyone pronounce SPI as "SPY". But you're obviously a way superior low-level and embedded programmer than I am, so I'll follow your pronounciation from now on :D
you should really make longer and more detailed videos. I'd rather sit here for 20-40 minutes listening about a single topic (one that can even be talked about for that long - this one is great for that) than watching multiple short vids of different topics.
Learn to solder, it is not that hard to get that chip off and solder it back on. It works better than the clip. Sorry, I should be nice. I have been soldering for 30 years any my parents used to own a factory that would make computer boards and my mom was a really good at soldering.
Most of well developed electronics will not have an easy access flash storage for their code. Either they use an encrypted binary on their flash or they use internal flash, which is not that easy to access.
So I clicked on this video thinking that USB device would find BUGS as in covert listening devices in my home or AirBnB rental, and not to pull firmware off of a router. 😂
The title is misleading, as the tool makes reading firmware easier, but hunting bugs is a completely different matter which requires the source code or disassembling the binary.
Only one criticism: Never once said 'ess pee eye' spy? Serial Peripheral Interconnect is what it is, confusing is what it is if you say spy instead. Maybe edit and flash 'SPI' on screen each time you say it? That should help the newbies get it. Sometimes we don't know what we know 'too well', and it's a bit difficult for newcomers to hear what we mean, because they hear different meanings. I think your channel would be much improved in value to your target demographic if you visually flashed up pronounced acronyms.
I mean, I don't really care about whether it should be pronounced one way or the other - but if you're introducing new vocabulary audibly, you should at least give people a change to see how it's spelt. Otherwise there's just confusion. The spy vs SPI fight can go where the vi vs emacs fight went.
Cool video. Ive always wanted to get into these things so maybe I'll get going now knowing you can download firmware without soldering experience. No hate, but I much rather have the classical home office setting instead of the green screen. I guess that might be subjective preference though.
I think I actually preferred the old camera style and video background (or lack thereof). Do like seeing new things though. Props for adding in pizzaz :)
I wonder if modern cars are spying on me such ans sending my coordinates to manufacturers, how easy would it be to make privacy related modifications with this device? Or if I am annoyed by auto stop-start feature, how easy would it be to permanently disable it with this thing?
I do something similar when key programming for automotives, except mine uses eeprom instead of SPI? Or does eeprom only refer to the type of chip, since those clips you have we usually call the eeprom reader.
