He doesn't mention this in the video, but that CH341 device doesn't always work to read flash chips without desoldering. The problem is that in order to read from the flash chip, you have to power it. The CH341 can power a flash chip, but it can only output a limited amount of current. If the VCC rail connected to the flash chip is directly connected to other components too, it's possible the CH341 won't be able to power all those components, including the flash chip. In these cases, it's often best to just desolder the flash chip. Alternatively, you could connect a logic analyzer to the DI and DO pins of the flash chip, then power up the device. Use the logic analyzer to record the data stream as the CPU reads the flash contents. You may need to write a small program to convert the recording back into binary data though.
Just my experience, YYMV, but I used one to read and flash the BIOS of a Dell laptop. It functioned perfectly. I had to buy a second clip that connects to the chip since the first one refused to work.
@@MrWaalkman Yeah I'd say based on my experience that it works without desoldering about 80% of the time. It really just depends on whether your flash reader can provide enough power to the part of the board you're connected to.
Before unsoldering, just try plugging in the power cord in the device (but don't turn it on ofc) so it gets standby power to the chip. I've had this work on several devices. Some laptops require you to unplug the main battery as well if doing this.
1. add a electrolytic cap to the power rail (it looks odd, but, works) 100uF iirc. 2. Hold the reset pin on the uC low/high to stop the uC booting (if the bootloader uses the SPI bus it will corrupt your data). I had to do this to a tapo 200v3 to dump the firmware.
Afaik there are different versions of this board. The actual CH341 chip is both 3.3V and 5V compatible (which is why the mod even works to begin with) although some boards don't use the integrated 3.3V circuit others do.
Alternately, there are CH341 dongles with blue PCBs that have just a bunch of pin headers, rather than a fancy socket. This has a proper design: it has a jumper that lets you select between powering the CH341 chip from either USB power or an onboard 3.3v regulator, which is what determines the logic voltage (per the datasheet). You have to think about how to hook it up a little bit more since you don't have the socket, but if you're not confident modifying a PCB it'd probably be an overall better purchase - usually it's a little bit cheaper too.
@@ryjelsum Yes right! I have same dongle as Ed, and mine has 3v3 bug. I juat want to warn and inform to be carefull, some IC will not tolerate 5v as data pulses
IMO, consumers should either: 1. Legally have FULL access to firmware OR 2. The C-Suite should be held legally liable for security breaches and face legal consequences equal to someone who makes and distributes malware as that's what they sold you.
Not really. They should not be forced. 1. Is their IP 2. Anybody can do mistakes. I think it's more simple: we should stop using the ones that we don't trust or like you said, the ones that don't open source their firmware.
I agree that this isn't the best. Just as a thought, imagine the law was done that way, then that means that if a company does give the full source of the firmware, then that would indemnify them and full onus would be on the buyer (and the vast majority of people wouldn't even be able to follow it, let alone detect vulnerabilities in it). It would be the equivalent of all of the ToS you agree to going forward being in a foreign language, and onus being on you for not knowing the language it is written in.
@marklonergan3898 No, that's dumb. You guys like, "uh hey excuse me, can you make things secure?". My point is that these people know exactly what they are doing by cutting corners and not making security the forefront of a product they are selling you. We need a major shift in policy regarding selling IoT electronics that punches a giant hole in your security because a group of c-suite asshole don't care about you or your data. It like Apple vs Arch Linux. We have at least two opitons: 1. Companies take responsibility for and are held liable for blatant security vulnerabilities. Im not talking zero days where you follow INDUSTRY STANDARDS but there are always going to be small vulnerabilities. I'm talking blatant bullshit like when an IP camera company leaves that admin password as, "password" and also hardcodes it. That is absolutely disgustingly lazy and should be prosecuted. OR 2. The company can release the firmware unencrypted and fully accessible to the user and they take full responsibility for their security knowing they chose the DIY. You either get to chose a company that takes over the liability for you, or you take it on yourself. It's literally not complicated like you're making it.
@@marklonergan3898 that is already what happens to most users. People play Minecraft without knowing English and the EULA has no translation. Same for most games and most SaaS. You not knowing the language of the contract you signed or not knowing the language of the code you have access to and are running doesn't exempt you from your responsibility. They wrote the EULA and distributed it, that is their part. So it would not be without precedent to requiring it to be open and leave the responsibility for the user.
Good points and good arguments! I’ll go ahead and add that while I totally agree with OP in PRINCIPLE, fining companies as criminals for distributing malware accidentally would immediately make most tech business unviable, since every piece of software I have ever seen has some flaw or breach of some kind.
This is the first time I have encountered someone pronouncing SPI as ‘SPY’. I have only heard ‘S-P-I’ previously. Thank you for the info. As an embedded software developer, I can say that if someone stores unencrypted firmware on an external flash, you are free to read it.
What is the point of this "ethics" if part of the firmware can be used in rare cases for a device of another model. The only downside for the manufacturer is if new functions were added to the old product, for example, NVME support to the old system board. Because of this, slightly fewer users will buy a new product with NVME support.
You actually get the right to use a copy of the firmware, not the firmware itself. That being said, I can also see why some people would try. Putting not encrypted firmware on an embedded device, and the SPI flash is also not included in the SOC. Its an open invitation at this point
the most effective thing you can do with your time is to make instructions on how to do this, because at some point if this is again a problem for you. you might not have to remake another bios that some one made because they learned from your instructions.
I actually used one of these for the first time recently! I bricked my Chromebook while flashing the stock firmware after having windows on it 😅. Pretty fun tool to mess around with and see how things work :)
I actually have one of these lying around, I once bought to fix a broken BIOS. Interesting to see what you can do with them. I had no idea how common these kind of chips where. Or that you could use the flashrom command line tool to interact with it. You always learn something new!
I think I actually preferred the old camera style and video background (or lack thereof). Do like seeing new things though. Props for adding in pizzaz :)
Openwrt is awesome, I had a couple of routers that I didn't use, after discovering openwrt I could use for something useful, but unfortunately the routers only had 4mb of flash and 32mb of ram, so I modified the openwrt partition system for my device to fit inside an 16mb chip, so now I had more storage, but the ram was still an issue, so I flashed a custom bootloader that could work with different ram chips, and then I replaced the ram with a 128mb and now the router has the latest update and I'm able to use all the extra features of openwrt, this is only possible because openwrt is opensource, thank you all for that :D
I wish more new devices were still using SPI flash for more than eeprom config storage these days. TSOP isn’t too bad but requires more expensive readers and BGA just makes me want to cry.
I used one of these to unbrick my G75VX laptop in college after asus quoted me $900 to fix it after the laptop bricked when I told it to boot off the dvd drive lol
Suggestion: the bit people are interested in starts at 5:38. Pull that bit to the front. Then compress the first part down to 2 min and put it later in the video.
Just used one of these devices this weekend to flash a modified bios on my AsRock motherboard, to enable ReBar support. AsRock has there instant flash locked down to only accept there signature. So it does have valid uses, which like many things, can be twisted to do bad things. Also you can easily do this with a raspberry pi.
Wow thanks for that video! Just got mine ch341a and into ezviz camera to see what dodgy stuff (that I saw on wireshark) they are actually doing. Least to say private keys are handled on a plate and they even managed to ship C source code into production so I don't even need gidhra 🙃 It's amazing how security assumptions were defeated with an 8$ chinese tool. Thanks again!
Why are you looking slightly to the left of the camera? It looks like you're being interviewed. If it's because that's where your teleprompter is, then why not just have the camera slightly above it?
you're saying "spy" instead of SPI so many times, maybe I'll get used to it in the end... never mind it's impossible for me to get used to it, but I tried 😅 Nice video though, great work! ☺️
The title is misleading, as the tool makes reading firmware easier, but hunting bugs is a completely different matter which requires the source code or disassembling the binary.
The only special thing about this product is the ZIF socket you're not even using for its purpose. For general SPI dumping you can use any old arduino or rpi lying around. Or if you get a more feature rich product such as bus pirate or tigard, you can do i2c, uart and others in addition to dumping SPI chips' memories.
So I clicked on this video thinking that USB device would find BUGS as in covert listening devices in my home or AirBnB rental, and not to pull firmware off of a router. 😂
I really like the Gov't suing people when people find out the Gov't has no security and does stuff like display your social security card in the html for some reason, gets your information stolen and then files charges for you finding it on the 'dark web', etc.
I actually use this a lot with hardware hacking and tinkering cause its fun and i like that you can back up the whole device flash menaing i can mess with the firmware as much as i want and not having to worry about it never being able to function normally again or for it to become bricked forever. Also its fun to see 99% embedded devices running Linux and busybox. Alao often they ditch the gpl and dont comply which is lovely cause more fun trying to crack the software of a device and unveiling its secrets
literally just started playing with mine last night, pulled a BIOS off an old device, if you have a flipper you can also do this with the SPI memory application, raspi can do this as well, that's what I used back in my coreboot days. I found the soic-8 clip on this particular model to be much better quality than some of the other ones i've seen on amazon.
You read 16384 kB and you tried to write ~16777kB... that's bit more than just an extra character! Vim corrupted the file? You should have used hex editor. What happened to the device?
FYI the device wouldn't boot, as vim adds additional metadata about the text layout such as line breaks to the file, and you're right, he should have used hex editor.
Vim probably appended a newline after your file when you changed the string. By changing it to U-boo you would have changed the alignment of everything after so you probably would not have had it boot correctly.
Most of well developed electronics will not have an easy access flash storage for their code. Either they use an encrypted binary on their flash or they use internal flash, which is not that easy to access.
I do something similar when key programming for automotives, except mine uses eeprom instead of SPI? Or does eeprom only refer to the type of chip, since those clips you have we usually call the eeprom reader.
you should really make longer and more detailed videos. I'd rather sit here for 20-40 minutes listening about a single topic (one that can even be talked about for that long - this one is great for that) than watching multiple short vids of different topics.
I wonder if modern cars are spying on me such ans sending my coordinates to manufacturers, how easy would it be to make privacy related modifications with this device? Or if I am annoyed by auto stop-start feature, how easy would it be to permanently disable it with this thing?
Cool video. Ive always wanted to get into these things so maybe I'll get going now knowing you can download firmware without soldering experience. No hate, but I much rather have the classical home office setting instead of the green screen. I guess that might be subjective preference though.
At 5:50 the 8 header pins are in backwards. Pin 1 is marked with the red wire and should be facing away from the USB connector There's also a common modification people do to these CH341 boards to use 3.3v on the SPI and I2C bus as it does 5v by default which is too much for these chips When dumping a flash chip, always dump multiple times and then compare hashes of the dumps to make sure they are all identical
You make it sound like this is some special hardware tool with special bug hunting capabilities. Its not, ist just a normal SPI programmer, there are TONS of these for all different kinds of memory chips, many with a lot more features and capabilities which are actually useful for debugging and bug hunting.
Be careful with this device. It needs a modification to use 3.3V signals for the target chip! By default the board of this programmer is outputing 5V for signals (not the power supply!) to CH341 to the target chip. You can find on the internet how to modify the design and set the CH341 as 3.3V signals for the target chip. In some circumstances you can burn the target chip if is not 5V tolerant!
10:30 if it uses GPL-like licensed parts, like linux, you actually need to be able to replace that bit. Of course, the root file system may contain other parts. And - if you report a bug, prepare to get sued.