Chip-Off Firmware Extraction and Modification

Recently I've been working on quite a few devices where I had to remove the flash chip to be able to extract the firmware and also make modifications to it. I've been making some YouTube videos showing how I do this that I wanted to let y'all know about.


If you're not familiar with what this means: on the majority of IoT devices the firmware is stored on a small flash chip. Sometimes, if you're lucky, you can read and write to the chip directly in the device by attaching a clip or other adapter and hooking up your flash programmer of choice. This is usually referred to as an in-circuit read.

My favourite method for in-circuit reads is using IC test clips like these.

Why doesn't in-circuit always work?

There are quite a few reasons in-circuit reads won't work. The first and most obvious one is that the flash memory chip is in a package where the leads aren't accessible when it's soldered in place. The most common flash chip package I see on cheaper IoT devices is the SOIC/SOP8 (shown in the above picture). Even though these chips are surface mount, they still have small legs that can be clipped to. On other packages like WSON or TSOP this isn't the case, and the pins of the chip are hard to access in-circuit.

Back feeding power

Even with a compatible package there are lots of other things that can prevent in-circuit reads. When you hook a flash programmer up to the chip in circuit, you're also connecting it to wherever that circuit feeds to. One of the pins is Vcc, which is of course connected to the Vcc rail that provides power to the device. Sometimes this is enough power for the device to power itself on, and during its boot process it also tries to talk to the flash memory, so the flash programmer and the device fight over the SPI lines and neither can read properly. This is usually referred to as back feeding power. In addition to back feeding, other characteristics of the circuit can interfere with reads, like pull-up/down resistors or just the internal impedance of the circuit. These are just a few of the more common reasons why in-circuit.
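One way to catch a bad in-circuit read before trusting the dump, as an added example that is not part of the original post: read the chip twice and sanity-check the images. The function names, thresholds and sample data below are my own choices, not from any particular programmer tool.

```python
# Added example, not from the original post: sanity checks for an SPI flash
# dump taken in-circuit. Contention on the SPI lines or a chip starved of
# power tends to show up as an all-0xFF/0x00 image or as two reads that
# disagree, so read twice and compare before trusting the image.
import hashlib

def dump_stats(data: bytes) -> dict:
    # Size, hash and how much of the image is erased (0xFF) or zero.
    n = len(data)
    return {
        "size": n,
        "sha256": hashlib.sha256(data).hexdigest(),
        "erased_ratio": data.count(0xFF) / n if n else 0.0,
        "zero_ratio": data.count(0x00) / n if n else 0.0,
        "power_of_two": n > 0 and (n & (n - 1)) == 0,  # NOR parts: 1, 2, 4, 8, 16 MiB...
    }

def diff_dumps(a: bytes, b: bytes, max_offsets: int = 10) -> list:
    # Offsets where two reads of the same chip disagree (first max_offsets only).
    if len(a) != len(b):
        return [-1]  # size mismatch is reported as a sentinel
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y][:max_offsets]

def assess_read(a: bytes, b: bytes, blank_threshold: float = 0.98) -> list:
    # Return warnings; an empty list means nothing obviously wrong with the read.
    warnings = []
    s = dump_stats(a)
    if not s["power_of_two"]:
        warnings.append(f"unusual size {s['size']}: SPI NOR capacities are powers of two")
    if s["erased_ratio"] >= blank_threshold:
        warnings.append("almost all 0xFF: chip not answering (unpowered, held in reset, wrong CS?)")
    if s["zero_ratio"] >= blank_threshold:
        warnings.append("almost all 0x00: MISO stuck low, likely bus contention")
    bad = diff_dumps(a, b)
    if bad:
        warnings.append(f"two reads disagree, first offsets {bad}: unstable read, suspect back-feeding")
    return warnings

if __name__ == "__main__":
    # Constructed sample: a 4 KiB image read twice, then with corrupted bytes
    # as if the host MCU had driven the bus mid-transfer.
    good = bytes(range(256)) * 16
    corrupt = bytearray(good)
    corrupt[0x100] ^= 0x80
    corrupt[0x7FE] = 0xFF
    print(assess_read(good, good))            # []
    print(assess_read(good, bytes(corrupt)))  # one "two reads disagree" warning
```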

Chip-off extraction, easier than it seems

Luckily, chip-off firmware extraction is in my opinion easier than it seems, and you don't need much gear to do it. A cheap hot-air solder rework station, some flux, a flash programmer like the Xgecu and a handful of adapters, and you're good to go!

If you want to learn more about my easy method for performing chip-off firmware extraction, how to put the chip back on, and even how to modify the firmware while you're at it, make sure to check out my YouTube series on it.

Until next time, happy hacking!