CuVoodoo

the sorcery of copper

dump_spi_flash

Differences

This shows you the differences between two versions of the page.

dump_spi_flash [2021/04/12 19:45]
kingkevin created
dump_spi_flash [2021/04/19 10:11] (current)
kingkevin [BX48] add database explorer
Line 19: Line 19:
 The difference between models is mainly the size (obviously), and features (i.e. speed). The difference between models is mainly the size (obviously), and features (i.e. speed).
  
- +{{:spi_flash:flash-soic.jpg?0x200|}} 
-{{:spi_flash:soic.png?0x250|}} +{{:spi_flash:soic.png?0x200|}} 
-{{:spi_flash:pinout_soic.png?0x250|}} +{{:spi_flash:pinout_soic.png?0x200|}} 
-{{:spi_flash:pinout_bga.png?0x250|}}+{{:spi_flash:pinout_bga.png?0x200|}}
  
 ====== dumping tools ====== ====== dumping tools ======
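Review bot: every image embed in this hunk, including the newly added `{{:spi_flash:flash-soic.jpg?0x200|}}`, leaves the title after the `|` empty, so the package and pinout pictures render without a caption or alt text. Suggest giving each one a short title (for example `|SOIC-8 pinout}}` and `|BGA pinout}}`) while the sizes are being touched anyway.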
Line 35: Line 35:
 The cheapest, and crudest, way to read/write SPI flash is using a CH341A based programmer. The cheapest, and crudest, way to read/write SPI flash is using a CH341A based programmer.
 You can find them for less than $3. You can find them for less than $3.
 +
 +{{:spi_flash:ch341_prog.jpg?0x200|}}
 +
  
 Solder the SPI flash to a DIP-8 adapter board, and place it in the ZIF socket (Zero-Insertion-Force). Solder the SPI flash to a DIP-8 adapter board, and place it in the ZIF socket (Zero-Insertion-Force).
 Insert it as depicted on the side for the 25xx (furthest away from the lever, with pin 1 notch facing the lever). Insert it as depicted on the side for the 25xx (furthest away from the lever, with pin 1 notch facing the lever).
 +To avoid soldering the chip on an adapter board, use sockets with spring contacts (the contacts need to be clean for it to work well).
 Be sure the jumper shorts pin 1 and 2 on the side (shorting pins 2 and 3 switched the CH341A to UART mode). Be sure the jumper shorts pin 1 and 2 on the side (shorting pins 2 and 3 switched the CH341A to UART mode).
 +
 +{{:spi_flash:soic-dip-board.jpg?0x200|}}
 +{{:spi_flash:ch341a-adapter.jpg?0x200|}}
 +{{:spi_flash:ch341a-socket.jpg?0x200|}}
  
 As software we will use [[https://github.com/setarcos/ch341prog|ch341prog]]. As software we will use [[https://github.com/setarcos/ch341prog|ch341prog]].
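Review bot: the added sentence "To avoid soldering the chip on an adapter board, use sockets with spring contacts" sits between the ZIF orientation instruction ("Insert it as depicted on the side for the 25xx ...") and the jumper instruction, and it does not say how the chip must be oriented in the spring-contact socket or where that socket goes in the ZIF. Suggest stating the pin 1 position for the socket variant too, or moving the sentence ahead of "Solder the SPI flash to a DIP-8 adapter board" so the orientation line clearly covers both options. The `ch341a-socket.jpg` image added in this hunk would then have text to refer to.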
Line 64: Line 72:
   * slow speed (128 kbyte/s)   * slow speed (128 kbyte/s)
   * no power supply protection (if you insert the chip the wrong way around, you will fry it since VCC and GND/VSS get switched)   * no power supply protection (if you insert the chip the wrong way around, you will fry it since VCC and GND/VSS get switched)
-  * operating voltage is 5V (you can [[https://eevblog.com/forum/repair/ch341a-serial-memory-programmer-power-supply-fix/|modify it]] to 3.3V by lifting top right pin 28, put tape over the pad, connect pin to C4 on the bottom and middle pin of voltage regulator AMS1117). Most flash chip operate at 3.3V, and while 5V is outside of the maximum rating, they still seem to support it (at least for a short time) +  * operating voltage is 5V (you can [[https://eevblog.com/forum/repair/ch341a-serial-memory-programmer-power-supply-fix/|modify it]] to 3.3V by lifting top right pin 28, put tape over the pad, connect pin to C4 on the bottom and middle pin of voltage regulator AMS1117). Most flash chip operate at 3.3V, and while 5V is outside of the maximum rating, they still seem to support it (at least for a short time, and it is still not recommended
-  * to support 1.8V flash chips, use an adapter board with level shifter+  * to support 1.8V flash chips, interpose an adapter board with level shifter 
 + 
 +{{:spi_flash:ch341a-mod.jpg?0x150|}} 
 +{{:spi_flash:adapter_1.8v.jpg?0x150|}} 
 + 
 +==== MiniPRO ==== 
 + 
 +The [[http://autoelectric.cn/EN/TL866_main.html|TL866A]] (aka. MiniPRO) is the next step up, and still cheap (< $30). 
 + 
 +{{:spi_flash:tl866a.jpg?0x200|}} 
 + 
 +Advantages: 
 + 
 +  * supports 3.3-6.5V VCC, allowing to properly power 3.3V and 5.0V flash 
 +  * has over-current protection, in case you inserted the chip wrongly 
 +  * does signature checking (this is just a software check though) 
 +  * supports up to 21V VPP and has flexible pin configuration, allowing plenty of other EEPROM chips or MCU to be flashed 
 + 
 +Disadvantages: 
 + 
 +  * does not support 1.8V (you can still use the same adapter as for the CH341A). the newer TL866II+ claims to support 1.8V, but from the [[https://github.com/radiomanV/TL866/raw/master/docs/TL866II.pdf|schematic]] I don't see how they do this properly 
 +  * also slow (~ 100 kbyte/s) 
 + 
 +For more information about the device (including reversed schematic), see [[https://proghq.org/wiki/index.php/TL866|this wiki]] or [[https://github.com/radiomanV/TL866|this repo]]. 
 + 
 +To dump SPI flash, we will use [[https://gitlab.com/DavidGriffith/minipro/|minipro]]. 
 + 
 +<code> 
 +# search for the right part using the top marking on the chip 
 +minipro --search 25q32bv 
 + 
 +Found TL866A 03.2.86 (0x256) 
 +W25Q32BV 
 +W25Q32BV@WSON8 
 +W25Q32BV@SOIC8 
 +W25Q32BV@SOIC16 
 +W25Q32BV(OTP) 
 +W25Q32BV(OTP)@WSON8 
 +W25Q32BV(OTP)@SOIC8 
 +W25Q32BV(OTP)@SOIC16 
 + 
 + 
 +# read the device ID to be sure the connection work (it's not get_id as in the help, but read_id) 
 +minipro --device 'W25Q32BV@SOIC8' --read_id 
 +Found TL866A 03.2.86 (0x256) 
 +Chip ID OK: 0xEF4016 
 + 
 + 
 +# alternatively, let it find which 25xx SPI 8-pin flash it is 
 +minipro --auto_detect 8 
 + 
 +Found TL866A 03.2.86 (0x256) 
 +Autodetecting device (ID:0xEF4016) 
 +S25FL032K@SOIC8 
 +W25Q32@MLP8 
 +W25Q32(OTP)@MLP8 
 +W25Q32BV 
 +W25Q32BV@WSON8 
 +W25Q32BV@SOIC8 
 +W25Q32BV(OTP) 
 +W25Q32BV(OTP)@WSON8 
 +W25Q32BV(OTP)@SOIC8 
 +W25Q32FV 
 +W25Q32FV@WSON8 
 +W25Q32FV@SOIC8 
 +W25Q32FV(OTP) 
 +W25Q32FV(OTP)@WSON8 
 +W25Q32FV(OTP)@SOIC8 
 +W25Q32V@MLP8 
 +W25Q32V(OTP)@MLP8 
 +17 device(s) found. 
 + 
 + 
 +# now read the memory 
 +minipro --device 'W25Q32BV@SOIC8' --read spi.bin 
 + 
 +Found TL866A 03.2.86 (0x256) 
 +Chip ID OK: 0xEF4016 
 +Reading Code...  40.53Sec  OK 
 +</code> 
 + 
 +==== BX48 ==== 
 + 
 +The [[https://www.batronix.com/shop/programmer/BX48/index.html|Batronix BX48 Batego]] is my high end programmer. 
 + 
 +{{:spi_flash:bx48.jpg?0x200|}} 
 + 
 +Yes, it is expensive (> $500), but the hardware is good, and what you pay for is the support. 
 +And I have to say that it is excellent. 
 +Is a chip missing? 
 +Just ask them and they will swiftly add support for it. 
 + 
 +Note: This device is obsolete now, replaced by the [[https://www.batronix.com/shop/programmer/BX48/batego-II.html|BX48 Batego II]]. 
 +The main difference is that the Batego I does not support VPP > 15V (only required by very old NMOS EPROM). 
 +It still seems to be supported though. 
 + 
 +The software is [[https://www.batronix.com/shop/software/prog-express/index.html#tabs-4|Prog-Express]], and there is even support for Linux (a bit lagging the Windows release). 
 +There is an auto-detect function, but I am too concerned it accidentally damages the chip. 
 +Therefor I still select the target chip by hand. 
 + 
 +On my setup it is not able to open the file dialog to allow me setting where I want to load/save the file (using version 3.8.8). 
 +To circumvent the issue I open the built-it hex-editor. 
 +There I can save read/write the data content, and save/load it. 
 + 
 +To get the latest chip database (particularly if the Linux release it lagging), here how I update it ([[https://flashdb.cuvoodoo.info/|here]] you can also explore the database): 
 + 
 +<code> 
 +wget https://www.batronix.com/downloads/ChipDBUpdate/ChipDB.zip 
 +unzip ChipDB.zip 
 +sudo mv /usr/lib/prog-express/ChipDB.db3 /usr/lib/prog-express/ChipDB.db3.bak 
 +sudo mv ChipDB.db3 /usr/lib/prog-express/ChipDB.db3 
 +rm ChipDB.zip 
 +</code> 
 + 
 +===== in-circuit ===== 
 + 
 +In-circuit flash programming is a lot more tricky. 
 +The issue is that the flash chip needs to be powered, but the MCU using this memory is probably on the same power real. 
 +Thus the MCU might use the flash chip, interference with your operation. 
 +SPI is a point to point connection protocol. 
 +On the SPI lines there should be only one master. 
 +This master drive the SCK and MOSI lines in push-pull mode. 
 +If your programmer sets a line low while the MCU sets it high, a lot of current might go through this line as both device try to drive the line (particularly if not inline protection resistor is used). 
 + 
 +There are several solution to prevent this battle and be able to program the chip: 
 + 
 +  * MCU often have a RST line (active low): driving this line will prevent the MCU to boot and drive the lines, leaving them floating for you to use 
 +  * lift the VCC pin of the flash chip: now you can power the chip individually, without powering the MCU and preventing to to drive the lines 
 +  * if there are inline protection resistor on the SPI lines, remove them from the board, preventing the MCU to drive them (be sure to connect your programmer on the flash side of the lines) 
 + 
 +Once this is done, the easiest way to connect to the flash chip is to use a clip. 
 +This will allow you the clip on all pin of the package, while it is soldered on the board. 
 + 
 +{{:spi_flash:clip.jpg?0x200|}} 
 + 
 +If the flash chip package is not a SOIC (or any where the leads are accessible), such a BGA, you will have to find inline protection resistors, remove them, and connect wires to the pads. 
 + 
 +Now you can use your programmer. 
 +But it is very important that it sets the right operating voltage. 
 +Providing 5.0V on 3.3V or 1.8V power rails might damage any of the devices using this power rails. 
 +Also don't forget to drive the MCU reset line (if this is the solution you are using) since the programmer won't do it. 
 + 
 +==== J-Link ==== 
 + 
 +The [[jtag#segger_j-link|J-Link]] is a JTAG programmer, but it recently also got [[https://www.segger.com/products/debug-probes/j-link/tools/j-flash-spi/|SPI programming capabilities]]. 
 + 
 +{{:spi_flash:J-Link_BASE.jpg?0x200|}} 
 + 
 +It particularly fits in-circuit programming because it uses the target power instead of providing it, supports 1.8-5.0V, and provides a nRST output to hold the MCU under reset. 
 +It also allows to [[https://wiki.segger.com/J-Flash_SPI#Custom_Command_Sequences|perform some operations]] before and after talking to the flash chip. 
 + 
 +While it provides a pin to hold the MCU under reset, is does not provide a pin to release reset from the SPI flash chip (which also often has a nRST/nHOLD pin). 
 +You will have to pull is up yourself if the board doesn't do it already. 
 + 
 +Note that you need hardware [[https://wiki.segger.com/Software_and_Hardware_Features_Overview|version 10 or later]]. 
 +Hardware version 8 does not support SPI flashing, and version 9 releases nCS just before talking to the chip (this seems to be an issue [[https://www.segger.com/downloads/jlink/ReleaseNotes_JLink.html|fixed for version 10 with software version 6.86c from 2020-10-06]] but is still present as of 2021-04-14 with firmware version 2021-02-02 and software version 7.00 from 2021-04-08, and setting CS in the init steps does not solve the issue). 
 + 
 +====== your programmer ====== 
 + 
 +Finally, you can make your own programmer using a micro-controller. 
 +Ideally it has a hardware SPI peripheral (most do), but even software bit-banging is possible because there are no tight tolerances. 
 +This allows to customize the programmer to your needs and setup (regarding voltage level, clock speed, nRST pin of flash and MCU, ...). 
 + 
 +===== electrical electrical ===== 
 + 
 +The most important part is using the right voltage so you don't damage the target chip or board. 
 +Select the right voltage to power the target, if it doesn't already have power on its own. 
 +You can use any level shifter for the data lines (they don't need to be bi-directional). 
 +Connect the target voltage and your MCU voltage on each side, and the job is done. 
 + 
 +===== data interface ===== 
 + 
 +The most common lines are the following: 
 + 
 +  * flash nRST/nHOLD: active low reset line. Set it high so the chip is activated 
 +  * MCU nRST (optional): active low reset line of the micro-controller using the SPI flash on the target board. Hold it low so the MCU does not drive the data lines 
 +  * nWP: active low write protect. Set it low if you only intend to read out the flash and don't want to accidentally erase data. Set it high if you want to write it 
 +  * CLK: clock line with clock polarity: idle low, and clock phase: sample data on rising edge. Since SPI is a synchronous protocol, the data traffic is synchronized to this clock, provided by the master (your programmer). This allows you to set the frequency: very low for more reliable traffic (there is not lower limit), or very high for fast transfer (often up to 100 MHz). The clock also does not need to be periodic (allowing sloppy big-banging implementation) and the edge time not strict (allowing any voltage shifter technology) 
 +  * nCS: chip select line, active low. You must set it low to start a new transaction. It also allows to have multiple flash chips (SPI slaves) on the same data lines (you then just select the one you want to talk too) 
 +  * MOSI/DI: master output slave input (flash chip data input). You will send the commands on this pin 
 +  * MISO/DO: master input slave output (flash chip data output). You will receive the replies and data on this pin 
 + 
 +possible additional aspects (specific for your setup): 
 + 
 +  * some lines (like nRST) might already be set on the board 
 +  * if you don't find the nRST line for the MCU of the target board, there might be inline protection resistor on the lines (you will often have to desolder the flash chip to find them first). Desolder them and connect to the pads on the flash chip side. This way the MCU won't be able to interfere 
 +  * to increase the speed, you can either increase the CLK clock frequency, or use the optional dual/quad-mode capabilities. This can be activated using a command, and might re-use the nWP/nRST pins 
 +  * in theory the data lines need to be driven as push-pull, but you can also drive them as open-drain (allowing using level shifter as the BSS138-based ones). But be aware that the chip will drive DO (and other lines in dual/quad mode) as push-pull 
 +  * each setup is different, and you have to find things out by yourself. Just don't forget to read the appropriate data sheet 
 + 
 +===== instruction interface ===== 
 + 
 +The instructions are sent in 8-bit packets, most significant bit first. 
 +There are a couples of instructions common to most SPI flash chips, which allow you to perform basic operations: 
 + 
 +  * 0x9F, JEDEC ID: you will then read 3 bytes allowing you to identify the chip (manufacturer, memory type, capacity). This is how most programmers verify the chip type 
 +  * 0x03, Read Data: followed by 3 bytes of data where you specify the start address of the data you want to read. After that you can read out as much data as you want
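Review bot: the ChipDB update commands in the BX48 section download `ChipDB.zip` and then replace `/usr/lib/prog-express/ChipDB.db3` with `sudo` without checking that the download or `unzip` succeeded, or that the extracted file is the expected database. If `unzip` fails, the first `sudo mv` still moves the live database aside and the second has nothing to install, and every run overwrites the single `ChipDB.db3.bak`. Suggest chaining the steps so a failed step stops the sequence, and keeping a dated backup. Smaller points in the same hunk: the changed 5V bullet opens a parenthesis at "(at least for a short time, and it is still not recommended" and never closes it; "same power real" should read "same power rail"; the heading "electrical electrical" is doubled; and "sloppy big-banging" should be "bit-banging".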
dump_spi_flash.1618249544.txt.gz · Last modified: 2021/04/12 19:45 by kingkevin