ParsingEEPROM image data

[kelemvor]

Geez, I hope this sort of thing isn't frowned upon here.  I'm guessing not since there are many threads about hacking products like oscilloscopes.

First things first, I'm a total amateur.  That will become obvious to you as you read this post.

So I've been interested in checking out the firmware in various devices I own.   I started with cheap serial interface tools like the Xipiter Shikra (FTDI device) and recently bought an XGecu t56 and a Rigol logic probe for my RigLol mso5354.  There's a life lesson about drinking alcohol and watching hardware-hacking videos during tax season.

I've been most recently looking at my (four) eero pro 6e routers.   I did find some previous work done by oz_paulb here: http://www.hackspot.net/eeroBlog/

I can get read-only serial console access to the eero with the debug connection on the main PCB.  As oz_paulb discovered, the console is output only, and there's no boot delay.  I thought I'd try modifying the EEPROM to add a boot delay, solder it back onto the router, and Bob's your uncle (and my father -- Hey, brother!).

I removed the EEPROM (ON Semi Cat24C256 https://www.onsemi.com/pdf/datasheet/cat24c256-d.pdf) and read it with the EEPROM programmer.  That appears to have worked, but tools like binwalk are thumbing their nose in my direction.  I do have several blocks of data in the EEPROM dump.  Nothing at all human readable in ASCII mode.  Any suggestions on where I might go next?  I can see in the serial console output that there's a u-boot Linux image somewhere.    This is the first time I've used a proper EEPROM programmer; perhaps I've done something wrong and got lousy output?  The XGecu software seemed to indicate things were going well. 

[kelemvor]

Well..it was stupidity on my part.  That's just a 32KB EEPROM, it probably stores settings or something like that.  Under one of those cans was a Kingston EMMC04G-M627 4GB MLC NAND.   That's a much more reasonable size for the OS on this thing. 

I don't have the BGA153 adapter for my programmer yet, so I may have to get creative or order one.

[artag]

Modern devices with large eeproms may divide them up using some sort of filesystem that can be parsed by binwalk, but older ones may just have simple binary images that are copied into RAM or accessed as structures by the firmware.

For these sort of images, dumping the code as hex/ascii  can show up some recognisable patterns such as vector tables, unused areas of 00 or FF, or readable strings. The first tool I tend to use on an unknown binary is 'strings' which may give an idea of what unknown functionality exists in there.

[AndyBeez]

Are you trying to find the bootloader section or just looking in general? If the router is a Linux (busybox) distro, the EEPROM is mapped by the Kernel into sections that are described in the Kernel bootlog. You should see the Bootlog over your serial connection when the router is cold starting.

The kernel bootlog might look something like:

Code: [Select]

00000000:0001ffff u-boot
00020000:0011ffff kernel
00120000:007dffff rootfs
007e0000:007effff config
007f0000:007fffff art
Although everything is compiled binaries, there might be some interesting strings in the rootfs - such as the configuration web pages.

+ You might come across 'UBI volumes', which are used to partition big NAND flash EEPROMs, generally not little 32K chips.

[kelemvor]

A bit of both. I'm curious but I also want to change the boot settings so I can interact with it. 

There's loads of test pads on the pcb but unfortunately it's a multilayer board so I can't see which ones connect to the storage chip visually.

[kelemvor]

Can anyone help me ID this chip? I believe the package is QFN20. Pins 19 and 20 are connected to the serial console test pads (tx, rx).   It's directly adjacent to the USB-C (power) port (Pins 2,3,4). However, there's a separate TI TPS25750 USB controller.

It's 3mm²

I haven't traced out the connections from the USB controller and this yet.  Takes a bit of time because they use vias and connect everything along the bottom of the pcb.   

I suspect it's a level converter.  Any help would be appreciated.

[kelemvor]

I think it's a custom chip that TI made for someone else.   

The top row indicates customer part number.
The middle row indicates Texas Instruments, 1AI indicates 2021, October, TI Clark (manufacture site). 
The bottom row indicates lot number.

Based on this post: https://e2e.ti.com/support/power-management-group/power-management/f/power-management-forum/1066521/tps54320-tps54320rhlr