Bootloader Extracted from iPod Nano 2nd Generation?

[xBrandonx]

Quote:

tof wrote us to give us some update about his work on dumping the SST39WF800A, he finally succeded on a second attempt but here is what he wrote us about the first attempt:
« This week I tried to extract the bootloader from a flash, but the chip was damaged during the soldering, either by the iron heat, or static electricity, or mechanical stress during "unsoldering".
What I did:
"Unsolder" the flash by pulling it (brutal, next time I will unsolder by hot air);
Glue it to a test board;
Solder 40 coil wires to the balls;
Check electrically the connections via the clamp diodes presence. I automated this step;
Check shorts between wires (automated);
Read it out with a microcontroller and send the results to a serial port.
The electrical tests fail, there are some clamp diodes lacking (failed pins, especially /OE).
Some photos of the different steps are available further down.
I will try again as soon as I find another broken nano.
A few advises:
For the unsoldering, I lifted the chip with a blade. This probably cracked the die, so next time I will try unsoldering with hot air. the BGA is glued down, so I do not know how the glue will behave in the hot air. lifting the chip was not too difficult, the glue was not too strong.
If the hot air fails, another method is to bend the PCB, then the balls remain on the chip and not on the board like I had. I tried it after with the ram chip, it seems to work.
Use very thin wires, I first tried with thicker ones, but it makes mechanical stress on the solder joints use a very thin iron tip, not too hot, because we solder directly to the chip.
Use a good magnifying glass and thin tweezers.
Static electricity counter measures are needed.
First put solder on 1/2 mm of wire to get rid of the lackering. the iron heat together with the flux burns away the lackering. You can use a second iron with a normal tip and hotter setting for this part.
then gently and very quickly press the end of the wire onto the ball with the iron tip. then place, cut and solder the other end of the wire.
We now can extract the bootloader, but we really need your help !!
We need broken nanos II to succeed ) »
Here are the pictures and few comments from tof who tried to dump the content of the chip.



http://home.gna.org/linux4nano/pictures/P3301371.JPG
Extracting the chip from its socket was more difficult than expected, the chip was damaged during the process. You should be using a heatgun if you want to do it.


http://home.gna.org/linux4nano/pictures/P5011407.JPG
Connecting the chip to the microcontroller in order to extract data from it.


http://home.gna.org/linux4nano/pictures/P5011409.JPG
A close up from the previous.


http://home.gna.org/linux4nano/pictures/P5011410.JPG
The whole thing.

~http://home.gna.org/linux4nano/dumping_SST39WF800A.html

[EnmanuelMC]

This would be way better if you actually read the entire thing and just posted a summary... because I really didn't understand anything....

[xBrandonx]

Well? What don't you understand?

[xxDriveNxx]

Amazing news, I just read the page there and the emails, as well.

Finally some promise in the 2G world! If this succeeds, it opens up a whole new chapter in iPod hacking!

[xBrandonx]

Yeah and if they discover this out it might lead to the new iPods gettin' cracked too since don't they use the same encyption..

[xxDriveNxx]

Quote:

Originally Posted by xBrandonx

Yeah and if they discover this out it might lead to the new iPods gettin' cracked too since don't they use the same encyption..

The key would be different, but my assumption is that they would be able to find it by using the same methods that they will use to locate this one (that is if it is located).

[knoxy]

awesome! finally if this works i can help my nano friends!

It's only a matter of time before the firmware gets decrypted.

I can't to have linux on my 2nd generation nano.

[bounci.rabbit.123]

so he succeeded in extracting the bootloader? or wasn't he...? since the chip was damaged the first time....I'm confused. haha

[xxDriveNxx]

Quote:

Originally Posted by bounci.rabbit.123

so he succeeded in extracting the bootloader? or wasn't he...? since the chip was damaged the first time....I'm confused. haha

He was. It took him two attempts to succeed. The post is a bit misleading, but the news it great.