CuVoodoo

the sorcery of copper

User Tools

Site Tools


dump_spi_flash

This is an old revision of the document!


these are my notes on how I dump SPI flash.

SPI flash

Since flash uses kind of another technology, it is often hard or expensive to add flash memory in integrated circuits (IC), mainly micro-controller (MCU). Thus MCU have either very limited flash size (< 1 MB), or you have to provide it externally. Externally dedicated flash is very common and inexpensive. Some system on a chip (SoC) even just add the flash die next to the MCU die (this is called package in/on package).

The most common package for flash is SOIC-8 (surface mount, 8 pins, 1.27 mm pin pitch, 200 mil wide body). More compact alternatives are WSON/LGA (without external lead) and BGA (allowing more pins underneath). Whenever you find such a chip with 25 on the top marking, it is very probably a flash chip.

The most common interface is Serial Peripheral Interface (SPI). It allows extremely fast transfer rates (clock frequency > 100 MHz) and is supported by most MCU. For even faster communication, high-end chips even provide quad output support (QSPI).

The pinout is (almost) always the same to provide interoperability. The difference between models is mainly the size (obviously), and features (i.e. speed).

dumping tools

chip-off

By far the easiest method is to de-solder the chip and place it in a dedicated programmer. The only disadvantage is that you will have to de-solder and re-solder the chip every time you want to read or write it.

CH341A

The cheapest, and crudest, way to read/write SPI flash is using a CH341A based programmer. You can find them for less than $3.

Solder the SPI flash to a DIP-8 adapter board, and place it in the ZIF socket (Zero-Insertion-Force). Insert it as depicted on the side for the 25xx (furthest away from the lever, with pin 1 notch facing the lever). To avoid soldering the chip on an adapter board, use sockets with spring contacts (the contacts need to be clean for it to work well). Be sure the jumper shorts pin 1 and 2 on the side (shorting pins 2 and 3 switched the CH341A to UART mode).

As software we will use ch341prog. Verify if the chip is detected correctly, then read the memory out:

ch341prog --info

Device reported its revision [4.03]
Manufacturer ID: ef
Memory Type: 4016
No CFI structure found, trying to get capacity from device ID. Set manually if detection fails.
Capacity: 16
Chip capacity is 4194304 bytes


ch341prog --read spi.bin

...
Read started!

Limitations:

  • slow speed (128 kbyte/s)
  • no power supply protection (if you insert the chip the wrong way around, you will fry it since VCC and GND/VSS get switched)
  • operating voltage is 5V (you can modify it to 3.3V by lifting top right pin 28, put tape over the pad, connect pin to C4 on the bottom and middle pin of voltage regulator AMS1117). Most flash chip operate at 3.3V, and while 5V is outside of the maximum rating, they still seem to support it (at least for a short time, and it is still not recommended)
  • to support 1.8V flash chips, interpose an adapter board with level shifter

MiniPRO

The TL866A (aka. MiniPRO) is the next step up, and still cheap (< $30).

Advantages:

  • supports 3.3-6.5V VCC, allowing to properly power 3.3V and 5.0V flash
  • has over-current protection, in case you inserted the chip wrongly
  • does signature checking (this is just a software check though)
  • supports up to 21V VPP and has flexible pin configuration, allowing plenty of other EEPROM chips or MCU to be flashed

Disadvantages:

  • does not support 1.8V (you can still use the same adapter as for the CH341A). the newer TL866II+ claims to support 1.8V, but from the schematic I don't see how they do this properly
  • also slow (~ 100 kbyte/s)

For more information about the device (including reversed schematic), see this wiki or this repo.

To dump SPI flash, we will use minipro.

# search for the right part using the top marking on the chip
minipro --search 25q32bv

Found TL866A 03.2.86 (0x256)
W25Q32BV
W25Q32BV@WSON8
W25Q32BV@SOIC8
W25Q32BV@SOIC16
W25Q32BV(OTP)
W25Q32BV(OTP)@WSON8
W25Q32BV(OTP)@SOIC8
W25Q32BV(OTP)@SOIC16


# read the device ID to be sure the connection work (it's not get_id as in the help, but read_id)
minipro --device 'W25Q32BV@SOIC8' --read_id
Found TL866A 03.2.86 (0x256)
Chip ID OK: 0xEF4016


# alternatively, let it find which 25xx SPI 8-pin flash it is
minipro --auto_detect 8

Found TL866A 03.2.86 (0x256)
Autodetecting device (ID:0xEF4016)
S25FL032K@SOIC8
W25Q32@MLP8
W25Q32(OTP)@MLP8
W25Q32BV
W25Q32BV@WSON8
W25Q32BV@SOIC8
W25Q32BV(OTP)
W25Q32BV(OTP)@WSON8
W25Q32BV(OTP)@SOIC8
W25Q32FV
W25Q32FV@WSON8
W25Q32FV@SOIC8
W25Q32FV(OTP)
W25Q32FV(OTP)@WSON8
W25Q32FV(OTP)@SOIC8
W25Q32V@MLP8
W25Q32V(OTP)@MLP8
17 device(s) found.


# now read the memory
minipro --device 'W25Q32BV@SOIC8' --read spi.bin

Found TL866A 03.2.86 (0x256)
Chip ID OK: 0xEF4016
Reading Code...  40.53Sec  OK

BX48

The Batronix BX48 Batego is my high end programmer.

Yes, it is expensive (> $500), but the hardware is good, and what you pay for is the support. And I have to say that it is excellent. Is a chip missing? Just ask them and they will swiftly add support for it.

Note: This device is obsolete now, replaced by the BX48 Batego II. The main difference is that the Batego I does not support VPP > 15V (only required by very old NMOS EPROM). It still seems to be supported though.

The software is Prog-Express, and there is even support for Linux (a bit lagging the Windows release). There is an auto-detect function, but I am too concerned it accidentally damages the chip. Therefor I still select the target chip by hand.

On my setup it is not able to open the file dialog to allow me setting where I want to load/save the file (using version 3.8.8). To circumvent the issue I open the built-it hex-editor. There I can save read/write the data content, and save/load it.

To get the latest chip database (particularly if the Linux release it lagging), here how I update it:

wget https://www.batronix.com/downloads/ChipDBUpdate/ChipDB.zip
unzip ChipDB.zip
sudo mv /usr/lib/prog-express/ChipDB.db3 /usr/lib/prog-express/ChipDB.db3.bak
sudo mv ChipDB.db3 /usr/lib/prog-express/ChipDB.db3
rm ChipDB.zip

in-circuit

In-circuit flash programming is a lot more tricky. The issue is that the flash chip needs to be powered, but the MCU using this memory is probably on the same power real. Thus the MCU might use the flash chip, interference with your operation. SPI is a point to point connection protocol. On the SPI lines there should be only one master. This master drive the SCK and MOSI lines in push-pull mode. If your programmer sets a line low while the MCU sets it high, a lot of current might go through this line as both device try to drive the line (particularly if not inline protection resistor is used).

There are several solution to prevent this battle and be able to program the chip:

  • MCU often have a RST line (active low): driving this line will prevent the MCU to boot and drive the lines, leaving them floating for you to use
  • lift the VCC pin of the flash chip: now you can power the chip individually, without powering the MCU and preventing to to drive the lines
  • if there are inline protection resistor on the SPI lines, remove them from the board, preventing the MCU to drive them (be sure to connect your programmer on the flash side of the lines)

Once this is done, the easiest way to connect to the flash chip is to use a clip. This will allow you the clip on all pin of the package, while it is soldered on the board.

If the flash chip package is not a SOIC (or any where the leads are accessible), such a BGA, you will have to find inline protection resistors, remove them, and connect wires to the pads.

Now you can use your programmer. But it is very important that it sets the right operating voltage. Providing 5.0V on 3.3V or 1.8V power rails might damage any of the devices using this power rails. Also don't forget to drive the MCU reset line (if this is the solution you are using) since the programmer won't do it.

The J-Link is a JTAG programmer, but it recently also got SPI programming capabilities.

It particularly fits in-circuit programming because it uses the target power instead of providing it, supports 1.8-5.0V, and provides a nRST output to hold the MCU under reset. It also allows to perform some operations before and after talking to the flash chip.

While it provides a pin to hold the MCU under reset, is does not provide a pin to release reset from the SPI flash chip (which also often has a nRST/nHOLD pin). You will have to pull is up yourself if the board doesn't do it already.

Note that you need hardware version 10 or later. Hardware version 8 does not support SPI flashing, and version 9 releases nCS just before talking to the chip (this seems to be an issue fixed for version 10 with software version 6.86c from 2020-10-06 but is still present as of 2021-04-14 with firmware version 2021-02-02 and software version 7.00 from 2021-04-08, and setting CS in the init steps does not solve the issue).

your programmer

Finally, you can make your own programmer using a micro-controller. Ideally it has a hardware SPI peripheral (most do), but even software bit-banging is possible because there are no tight tolerances. This allows to customize the programmer to your needs and setup (regarding voltage level, clock speed, nRST pin of flash and MCU, …).

electrical electrical

The most important part is using the right voltage so you don't damage the target chip or board. Select the right voltage to power the target, if it doesn't already have power on its own. You can use any level shifter for the data lines (they don't need to be bi-directional). Connect the target voltage and your MCU voltage on each side, and the job is done.

data interface

The most common lines are the following:

  • flash nRST/nHOLD: active low reset line. Set it high so the chip is activated
  • MCU nRST (optional): active low reset line of the micro-controller using the SPI flash on the target board. Hold it low so the MCU does not drive the data lines
  • nWP: active low write protect. Set it low if you only intend to read out the flash and don't want to accidentally erase data. Set it high if you want to write it
  • CLK: clock line with clock polarity: idle low, and clock phase: sample data on rising edge. Since SPI is a synchronous protocol, the data traffic is synchronized to this clock, provided by the master (your programmer). This allows you to set the frequency: very low for more reliable traffic (there is not lower limit), or very high for fast transfer (often up to 100 MHz). The clock also does not need to be periodic (allowing sloppy big-banging implementation) and the edge time not strict (allowing any voltage shifter technology)
  • nCS: chip select line, active low. You must set it low to start a new transaction. It also allows to have multiple flash chips (SPI slaves) on the same data lines (you then just select the one you want to talk too)
  • MOSI/DI: master output slave input (flash chip data input). You will send the commands on this pin
  • MISO/DO: master input slave output (flash chip data output). You will receive the replies and data on this pin

possible additional aspects (specific for your setup):

  • some lines (like nRST) might already be set on the board
  • if you don't find the nRST line for the MCU of the target board, there might be inline protection resistor on the lines (you will often have to desolder the flash chip to find them first). Desolder them and connect to the pads on the flash chip side. This way the MCU won't be able to interfere
  • to increase the speed, you can either increase the CLK clock frequency, or use the optional dual/quad-mode capabilities. This can be activated using a command, and might re-use the nWP/nRST pins
  • in theory the data lines need to be driven as push-pull, but you can also drive them as open-drain (allowing using level shifter as the BSS138-based ones). But be aware that the chip will drive DO (and other lines in dual/quad mode) as push-pull
  • each setup is different, and you have to find things out by yourself. Just don't forget to read the appropriate data sheet

instruction interface

The instructions are sent in 8-bit packets, most significant bit first. There are a couples of instructions common to most SPI flash chips, which allow you to perform basic operations:

  • 0x9F, JEDEC ID: you will then read 3 bytes allowing you to identify the chip (manufacturer, memory type, capacity). This is how most programmers verify the chip type
  • 0x03, Read Data: followed by 3 bytes of data where you specify the start address of the data you want to read. After that you can read out as much data as you want
dump_spi_flash.1618485844.txt.gz · Last modified: 2024/01/07 17:49 (external edit)