Dumping Firmware from SPI Flash Chips - CH341A Programmer
Tags: CH341A, firmware dumping, SPI flash, hardware hacking
Description: Learn how to use the CH341A Programmer to dump firmware from SPI flash memory chips, an essential skill for electronics enthusiasts and professionals working in hardware analysis and security.
Introduction:
The CH341A programmer is a popular, inexpensive USB device for reading and writing serial EEPROM and SPI flash chips. It is commonly used in electronics for tasks like dumping and reflashing BIOS/UEFI images, router and IoT firmware, and other non-volatile memory. It is valued for its price (often under ten dollars) and for being supported by open-source tooling such as flashrom.
Requirements:
- CH341A Programmer
- Software
- Test Clip with Cable
- Computer with USB Port
CH341A Programmer Overview:
The CH341A Programmer bridges the gap between a computer’s USB port and various low-level communication protocols, primarily SPI, I2C, and UART. It is powered by the CH341A IC, a multifunctional chip designed by WCH (Nanjing QinHeng Electronics) to convert USB to serial communication formats.
1. Technical Design Overview:
- CH341A Chip: The core of the programmer, responsible for USB to serial conversion.
- Power Supply: Runs from the USB 5V rail with an on-board 3.3V regulator; a jumper selects which voltage reaches the chip socket. Check this before clipping onto a target: almost all modern 25-series flash chips are 3.3V parts, and the widespread black CH341A boards are known to drive the SPI data lines at 5V even when 3.3V is selected unless the board has been modified, which can damage the chip or the target board.
- Interface Pins: Provides pins to interface with external devices, including GND, VCC (3.3V/5V), MOSI, MISO, CLK, CS, and other control signals for SPI and I2C communication.
- Test Clips: Commonly used for direct in-circuit programming without desoldering chips.
2. Schematic Diagram Explanation:
A simplified schematic for the CH341A programmer includes:
             +5V USB
                |
      +---------+---------------------------+
      |         |                           |
  +-------+  +--------+                +---------+
  |  Reg  |  | CH341A |-- SPI/I2C/ --  |  Flash  |
  | 3.3V  |  |        |    UART        | Memory  |
  +-------+  +--------+                +---------+
      |                                     |
    +3.3V                                  GND
- USB Interface: Provides power and communication to the CH341A chip.
- Regulator: Converts the USB 5V supply to 3.3V if needed.
- CH341A IC: Interfaces between USB and the external memory chip using SPI, I2C, or UART protocols.
3. Key Use Cases:
- Firmware Extraction and Analysis: Extracts firmware from SPI flash chips for vulnerability analysis, reverse engineering, or modification.
- Firmware Recovery: Restores firmware on corrupted devices, commonly used in router hacking or BIOS recovery.
- Reverse Engineering and Hardware Hacking: Analyzes firmware to discover device internals, find exploits, or clone functionality.
- Repairing Bricked Devices: Restores functionality by reflashing the original firmware on unresponsive devices.
- EEPROM/Flash Programming: Reprograms EEPROM or SPI flash memory, useful in electronics repair and automotive ECUs.
4. Pin Layout:
+---------------------------------------------+
|            CH341A Programmer Board          |
+---------------------------------------------+
|  GND  |  VCC  |  CLK  |  CS    |  MOSI      |
|  MISO |  SCL  |  SDA  |  RESET |  TX        |
+---------------------------------------------+
Header order and labels vary between board revisions and clones, so wire by the signal names printed on your board's silkscreen rather than by position.
5. CH341A Programmer with 24 and 25 Series EEPROM/Flash Chips:
The 24 series I2C EEPROM and 25 series SPI flash chips are common in routers, laptops, and IoT hardware. The 24 series typically holds small amounts of configuration or calibration data (a few hundred bytes to a few KB); the 25 series holds the actual firmware image (commonly 1 to 32 MB).
24 Series (I2C EEPROM) Overview
- Protocol: I2C
- Common Chips: 24C01, 24C02, 24C64, etc.
- Pins: VCC, GND, SDA, SCL, WP, and address pins A0-A2 (set the I2C address when several EEPROMs share a bus)
25 Series (SPI Flash) Overview
- Protocol: SPI
- Common Chips: W25Q32, W25Q64, W25Q128 (Winbond), MX25L6406E (Macronix), etc.
- Pins: VCC, GND, MOSI (DI), MISO (DO), CLK, CS#, plus WP# and HOLD#, which must be held high (inactive) during reads
6. Schematic Diagram Including 24 and 25 Series Chips:
            +-------------------------+
            |    CH341A Programmer    |
            +-------------------------+
            |   MOSI    |    MISO     |
            |   CLK     |    CS       |
            |   GND     |    VCC      |
            +-------------------------+
                        |
          +-------------+-------------+
          |                           |
+-------------------+       +-------------------+
|     25 Series     |       |     24 Series     |
|     SPI Flash     |       |     I2C EEPROM    |
+-------------------+       +-------------------+
| VCC  GND  CLK  CS |       | VCC  GND  SCL     |
| MOSI MISO WP HOLD |       | SDA  WP   A0-A2   |
+-------------------+       +-------------------+
7. Programming and Use Cases for 24 and 25 Series Chips:
- Firmware and BIOS Programming (25 Series SPI Flash): Reads and writes data to SPI flash chips, useful for firmware recovery.
- Configuration Storage and Data Retrieval (24 Series I2C EEPROM): Reads, writes, or modifies configuration data or calibration settings.
- In-System Programming (ISP): Programs chips in-circuit without desoldering.
8. CH341A Programmer Software:
- AsProgrammer: Open-source tool for Windows supporting a wide range of chips.
- CH341A Programmer Software: The Windows tool bundled with many boards for reading and writing SPI flash and EEPROM chips.
- flashrom: A cross-platform open-source utility and the standard choice on Linux; it supports the CH341A through its ch341a_spi programmer driver and is the tool used in the steps below.
Firmware Dumping
Setting Up the CH341A Programmer:
- Hardware Connection
- Power the target device off and disconnect its supply (and battery, if any) before clipping on. The programmer supplies VCC through the clip, and a powered or partially powered target can corrupt reads or hold the SPI bus.
- Connect the CH341A programmer to your computer's USB port.
- Attach the SOIC8 test clip to the SPI flash chip you wish to read. Make sure to align pin 1 on the clip with pin 1 on the chip, typically marked by a dot or notch; with the clip's red wire on pin 1, the remaining pins follow the chip's numbering.
Connections:
CH341A Programmer                  SPI Flash Chip (8-pin SOIC, 25 series)
+--------------------+             +------------------------+
|   MOSI (Pin 4)     +-------------+  DI / MOSI   (Pin 5)   |
|   MISO (Pin 5)     +-------------+  DO / MISO   (Pin 2)   |
|   CLK  (Pin 6)     +-------------+  CLK         (Pin 6)   |
|   CS   (Pin 7)     +-------------+  CS#         (Pin 1)   |
|   GND  (Pin 8)     +-------------+  GND         (Pin 4)   |
|   VCC  (Pin 2)     +-------------+  VCC         (Pin 8)   |
+--------------------+             +------------------------+
The chip-side numbers are the standard 25-series SOIC8 pinout. WP# (pin 3) and HOLD# (pin 7) are also carried by the 8-wire clip and must not float; the programmer's socket normally ties them to VCC. Programmer-side pin numbers depend on the board revision, so match by signal name.
- Installing the Software
- On Ubuntu, install flashrom from the package repositories:
sudo apt-get install flashrom
Dumping Firmware:
- Identifying the SPI Flash Chip
Probe first, without reading. flashrom queries the chip's JEDEC ID over the CH341A and prints the matching chip definition(s):
sudo flashrom -p ch341a_spi
If flashrom lists several candidates, pick the one matching the part marking on the package and pass it with -c. Adding -VV gives verbose output, which is useful when the probe fails (no chip found usually means a poorly seated clip, wrong voltage, or a powered target):
sudo flashrom -VV -p ch341a_spi -c "W25Q64.V" -r flash_content.bin
- Reading the Firmware
sudo flashrom -p ch341a_spi -c "W25Q64.V" -r output.bin
- Verifying the Read
Read the chip a second time and compare the two dumps; a stable connection yields identical files. A dump that is entirely 0xFF or 0x00 is a failed read, not firmware.
sudo flashrom -p ch341a_spi -c "W25Q64.V" -r output2.bin
sha256sum output.bin output2.bin
Then scan the image for known headers and file systems to confirm it contains real content:
binwalk output.bin
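The setup and dumping steps above, collected into one script as an added example (this is not code from the original article). It assumes flashrom is installed with the ch341a_spi programmer driver and that the CH341A is plugged in; the function names and the CH341A_RUN_DUMP, CHIP and OUT variables are this example's own. It reads the chip twice, rejects dumps that are blank, of an implausible size, or that differ between reads, and only then records the hash and hands the image to binwalk.

```bash
#!/bin/sh
# Added example wrapper around flashrom's ch341a_spi programmer (not from
# the original article). Assumes flashrom is on PATH; CHIP, OUT and the
# CH341A_RUN_DUMP guard are names chosen for this example.
set -eu

# Return 0 if the file is entirely 0xFF or entirely 0x00. Either pattern
# almost always means a bad clip contact, an unpowered chip, or another
# device on the board holding the SPI bus, not real firmware contents.
dump_is_blank() {
    f=$1
    total=$(wc -c < "$f" | tr -d ' ')
    non_ff=$(LC_ALL=C tr -d '\377' < "$f" | wc -c | tr -d ' ')
    non_00=$(LC_ALL=C tr -d '\000' < "$f" | wc -c | tr -d ' ')
    [ "$total" -eq 0 ] || [ "$non_ff" -eq 0 ] || [ "$non_00" -eq 0 ]
}

# Return 0 if the dump size is a non-zero power of two, as every 25-series
# flash density is (1, 2, 4, 8, 16 MiB ...). A short or odd-sized file
# means the read was cut off or the wrong chip definition was chosen.
dump_size_plausible() {
    n=$(wc -c < "$1" | tr -d ' ')
    [ "$n" -gt 0 ] && [ $((n & (n - 1))) -eq 0 ]
}

# Return 0 if two independent reads are byte-for-byte identical.
reads_match() {
    cmp -s "$1" "$2"
}

# Probe only: flashrom prints the chip definition(s) matching the JEDEC ID.
probe_chip() {
    sudo flashrom -p ch341a_spi
}

# Read the chip into $2; $1 is the flashrom chip name, "" lets flashrom pick.
read_chip() {
    chip=$1; out=$2
    if [ -n "$chip" ]; then
        sudo flashrom -p ch341a_spi -c "$chip" -r "$out"
    else
        sudo flashrom -p ch341a_spi -r "$out"
    fi
}

# Full procedure: read twice, then run the sanity checks. Non-zero on any problem.
dump_and_check() {
    chip=$1; out=$2
    read_chip "$chip" "$out"
    read_chip "$chip" "$out.2"
    if dump_is_blank "$out"; then
        echo "dump is all 0xFF or all 0x00: reseat the clip, check VCC and target power" >&2
        return 1
    fi
    if ! dump_size_plausible "$out"; then
        echo "unexpected dump size $(wc -c < "$out") bytes" >&2
        return 1
    fi
    if ! reads_match "$out" "$out.2"; then
        echo "two reads differ: unstable contact or bus contention from the target board" >&2
        return 1
    fi
    sha256sum "$out"        # record the hash alongside the dump
    rm -f "$out.2"
}

# Touch the hardware only when explicitly asked, so the file can be sourced
# for its check functions without a programmer attached.
if [ "${CH341A_RUN_DUMP:-0}" = "1" ]; then
    probe_chip
    dump_and_check "${CHIP:-}" "${OUT:-firmware.bin}"
    if command -v binwalk >/dev/null 2>&1; then
        binwalk "${OUT:-firmware.bin}"
    fi
fi
```

Run it against real hardware with CH341A_RUN_DUMP=1 CHIP="W25Q64.V" OUT=router.bin sh dump.sh. Comparing two reads with cmp is stricter than eyeballing a hash, and the all-0xFF/0x00 check catches the most common failure, a clip that looks seated but is not making contact on one pin.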
Conclusion:
Using the CH341A programmer to dump firmware from SPI flash chips is an effective and economical method for hobbyists and professionals. This guide provides a foundation for exploring hardware hacking and security analysis.
Further Reading and Resources
For firmware static analysis, follow this article: Firmware Static Analysis Part 1.