toniebox-reverse-engineering / teddycloud

teddyCloud is an open source server replacement for the Boxine Cloud
https://toniebox-reverse-engineering.github.io/docs/tools/teddycloud/
GNU General Public License v2.0

[CC3235] How to properly dump and flash IS25LP032D Flash memory with CH341A BIOS flasher + Clamp - Photo included #232

Open inonoob opened 19 hours ago

inonoob commented 19 hours ago

This is a how-to from my experience, and it went well. I wanted to share it with the community so they don't make the same mistakes I went through :).

Maybe something for the documentation part.


1. CC3235

To extract the certificates, you need to read out the IS25LP032D Flash memory of the Toniebox. In order to do that, it is possible to either desolder the chip or to use a SOP8 clamp. From experience, we recommend using a CH341A programmer with the different add-ons and the tool Flashrom. Only buy the black version with a gold line and round edge.

1.1 Disassemble your Toniebox

1.2 Extract image from IS25LP032D Flash memory

1.2.1 Preparation

sudo apt-get install flashrom 
lsusb 

~$ lsusb
Bus 004 Device 012: ID 1a86:5512 QinHeng Electronics CH341 in EPP/MEM/I2C mode, EPP/I2C adapter
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

If your output looks different, then it might be that the little bridge between pin 1 and 2 on the CH341A is not set. Once that is confirmed, unplug the CH341A from the USB port. That was a check that everything is all right.

Ensure that the SOP8 module included in the CH341A kit and the clamp are plugged in as shown in the picture.

Only once the preparations are finished can we start the extraction process.

1.2.2 IS25LP032D Flash memory dump

Connect the clamp to the IS25LP032D Flash memory. Ensure that the red clamp cable is positioned where the IS25LP032D Flash memory has a dot on the chip. That marking represents pin 1 (see picture). If the clamp is not holding, then you might still be colliding with the clamp against the black block next to it. Remove a bit more plastic. Don't connect the CH341A yet. Re-check that all cables are correct.

Once you feel ready, plug the CH341A into the USB port of the computer. The Toniebox light should be steady green. If it flickers, the clamp is not well positioned: disconnect the CH341A from the USB port, re-position the clamp and retry. You want to make sure the connection is good!

Once the LED is solid green, you should have a good connection. Open a terminal on your PC and type the following:

sudo flashrom -p ch341a_spi -r backupCC3235-1.bin

Redo that at least 3 times

sudo flashrom -p ch341a_spi -r backupCC3235-2.bin

Once you have done it 3 times, check if all dumps are the same

diff backupCC3235-1.bin backupCC3235-2.bin #no output = equal

Once you confirm all versions are OK, we can proceed to extract the certificates.

Remove the CH341A from the USB port of the computer and remove the clamp. That ensures you don't cause any short or other issue if the clamp moves by accident.

1.3 Extract certificates from dump

You can use the cc3200tool to extract your certificates from the flash dump afterwards.

cc3200tool -if backupCC3235-1.bin -d cc32xx read_all_files extract/

[16 photos attached]
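The "read at least 3 times and compare" step from the post above, as an added example that is not part of the original post or the teddyCloud project. It assumes the IS25LP032D size of 32 Mbit (4 MiB) and, as a heuristic of this example, treats a dump containing only 0xFF or only 0x00 bytes as a bad clamp contact; the script name `verify_dumps.sh` is hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check repeated flashrom reads before trusting a dump.
# EXPECTED_SIZE assumes the IS25LP032D (32 Mbit = 4 MiB); override if needed.
EXPECTED_SIZE="${EXPECTED_SIZE:-4194304}"

# is_blank FILE: true if the file holds only 0xFF bytes or only 0x00 bytes.
# Assumption of this example: that pattern means the clamp had no real contact.
is_blank() {
    [ "$(LC_ALL=C tr -d '\377' < "$1" | wc -c)" -eq 0 ] ||
    [ "$(LC_ALL=C tr -d '\000' < "$1" | wc -c)" -eq 0 ]
}

# verify_dumps FILE...: returns 0 only if there are at least 3 dumps, each has
# the expected size, none is blank, and all are byte-identical to the first.
verify_dumps() {
    if [ "$#" -lt 3 ]; then
        echo "need at least 3 dumps, got $#" >&2
        return 2
    fi
    first=$1
    for f in "$@"; do
        size=$(wc -c < "$f") || return 2
        if [ "$size" -ne "$EXPECTED_SIZE" ]; then
            echo "$f: size $size, expected $EXPECTED_SIZE" >&2
            return 3
        fi
        if is_blank "$f"; then
            echo "$f: only 0xFF or 0x00 bytes, check the clamp" >&2
            return 4
        fi
        if ! cmp -s "$first" "$f"; then
            echo "$f differs from $first, re-seat the clamp and re-read" >&2
            return 5
        fi
    done
    # Print the hash of the verified dump so it can be noted with the backup.
    sha256sum "$first"
}

# Usage after the reads from the post:
#   sh verify_dumps.sh backupCC3235-1.bin backupCC3235-2.bin backupCC3235-3.bin
if [ "$#" -gt 0 ]; then
    verify_dumps "$@"
fi
```

Unlike a single `diff` of two files, this compares every dump against the first and stops at the first mismatch with a distinct exit code.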

henryk86 commented 15 hours ago

Thanks for the details and the pictures. I will extend the current guide with these.

Just one thing: Next time please use a white paper as underground ;) that is easier to handle

inonoob commented 15 hours ago

@henryk86 my bad, sorry :). I just had a couple of min today without the kids. I am starting to get very good at opening the Toniebox and putting the clamp on :). So I thought I could quickly make some pictures and give a bit back to the community for the fantastic job everyone has already done.

henryk86 commented 12 hours ago

Here is a first version:

image

I added some of the SOP8 clamp images to the help collapse.

henryk86 commented 11 hours ago

So. restructured it again... moved all preparations to the first preparation page.

image image

Now it would be great if you @inonoob can also provide the steps for Flashing the CA

inonoob commented 11 hours ago

I check my bash history. I can try to write the flash method. @henryk86 I think you mean the current special case where we need to use the external certgen.sh because the docker container creation process is not working for the CC3235.

henryk86 commented 10 hours ago

No, the flashing of the ca.cert actually. That part:

image

This is specially for the pico approach. But with the CH341A programmer it is different, I would say?

At least this call?

flashrom -p serprog:dev=/dev/ttyACM0:921600 -w cc32xx-flash.bin --progress

Edit:

I assume this must be

flashrom -p ch341a_spi -w cc32xx-flash.bin --progress

for the CH341A. Can you confirm?

inonoob commented 25 minutes ago

Hey @henryk86,

I checked my console history. Correct, can confirm.

I needed to use sudo as my user on the bananapi was not in the usb group.

sudo flashrom -p ch341a_spi -w backupCC3235-1.bin

I didn't use the --progress option.

I hope that helps