I have an IoT device that seems quite well locked down - it exposes UART for a short period during boot up, before that being disabled. And while RX is wired up, the TTY seems readonly. I can't do anything with the firmware downloadable from the internet (which I had to sniff with wireshark from a PC-based bit of software). The firmware download is encrypted, and only decrypted by the device itself.
So now I have the choice of the desolder or in-place attempt to read, and would like to try the latter first.
The chip is this one
https://datasheet.lcsc.com/lcsc/2008061102_Samsung-KLM4G1FETE-B041_C500273.pdf.
Here's the pinout:
I also took photos of the top and bottom, and aligned them in GIMP. I've attached those photos, along with one with the bottom flipped and 50% transparent.
Top:
Bottom:
Merged top/bottom:
The way the photo is oriented is a bit confusing, but the bottom-right with a dot is A1, then going vertically up the photo is 1 to 14, and going left is A to P.
I therefore think the resistors on the bottom right might be DAT signals, and along the bottom power/CMD/CLK signals. There's some relatively large pads, but it's not clear what they route to.
However, I'm not sure how to confirm that? I have an el-cheapo 24MHz logic analyser, but as far as this eMMC goes between 26MHz and 200MHz.
I can invest in something like a DSLogic Plus, but not even sure that's enough.
This guide shows how to identify the pins with an oscilloscope on page 11
https://www.blackhat.com/docs/us-17/wednesday/us-17-Etemadieh-Hacking-Hardware-With-A-$10-SD-Card-Reader-wp.pdf. From the screenshot that seems to be 250 MSamples/sec
In one sense desoldering seems simpler, as I can simply dead-bug it, but I've never done that.
The other thing I'm not sure about, if I've correctly found the resistors attached for DAT, is which side of the resistor to get the data from.
Any guidance on the approach here would be handy please - especially the main route/equipment to go with (in-place vs dead-bug)
Home
Help
Search
Login
Register
