freemyipod - User contributions [en]

Nano2G HW analysis

2009-07-12T05:02:47Z

Sto: /* getting code execution ? */

[[File:Top_annote.jpg|200px|thumb|Top layer, including JTAG]]
[[File:Bot_annote.jpg|200px|thumb|Bottom layer]]
[[File:2G_frt_annotation.png|300px]]
[[File:2G_bck_annotation.png|300px]]
== previous work ==

See [[Hardware#2G_Nano_2]].

== SOC analysis ==

[[S5L8701_analysis]]

== Circuit analysis ==

After desoldering all components, the circuit was analyzed with a continuity tester.

Small test needles (nailbed needles are great) were used for contacting.

For easing the search, a more coarse search was first performed by a novel method : soldering a coil wire to one end, and moving a iron wool pad over the rest of the PCB until the tester beeps. After finding a spot, the needle allows to find the exact pad.

Not all connection were routed, mainly the connections to the S5L8701 SOC.

Results are a [http://f4eru.free.fr/8701/ detailed pinout of the 8701]

See also [[S5L8701_analysis]].

== JTAG ==

The jtag was found after searching with a jtag bruteforce scanner i wrote.(to be published later)
There were a lot of problems, including the scanner not working properly, and a nTRST pin. (still cannot understand why).

But now we have the locations of the pins : see picture [[Image:Top_annote.jpg|40px|thumb|pin locations]].

The pins are basically available on the DOCK connector after putting in place some jumpers (2 for nTRST, 1 for other pins).

After connecting a xilinx paralell cable, and installing openwince, we can try to connect to the JTAG :

'''The screen freezes directly when we use the JTAG.''' This seems to be a protection against hackers, but it could also be an issue with openocd.
In fact, the ARM 940T processor is still fully functionnal, but it gets disconnected from the main bus, all memories are not reachable any more. The only memory preserved are the Data and instruction caches.

== JTAG cache dumps ==

As the caches are mainly alive, we focused first on dumping whatever the cache contained. As the caches are mostly not activated through the boot cycle, we made a lot of cache dumps (Dcache only can be dumped, the Icache can only give the indexes).

We used some [http://f4eru.free.fr/8701/openocd_config.zip openocd and bash scripts]. The command "dc" dumps the Dcache, "ic" shows the icache indexes. Be careful, these values can be corrupt due to the mem bus disconnection. We used statistics on many dumps to have helpful dumps (look at [http://f4eru.free.fr/8701/openocd_config.zip dumpsoorter.py]).

Please note that the DLC5 cable was modified to include a nSRST pin, and openocd was recompiled for this. It is a desirable feature to have a reset. nTrst was simply tied to the 3.0V power supply, it is just not necessary.
Also, one important thing is to cut the power supply during reset, with a MOSFET, for example. If this is not done, the ipod can often go to a "broken battery" state, where the processor thinks the successive resets are due to a defective battery.

[http://f4eru.free.fr/8701/dump_example.txt Dump example]

== getting code execution ? ==

[[Nano2G getting exec]]

Main Page

2009-07-12T05:02:05Z

Sto: /* iPod Firmware */

This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, #linux4nano-dev @ irc.freenode.net. IRC logs are located [http://logs.clustur.com/%23linux4nano-dev/ here]. [http://theiphonewiki.com/wiki/index.php?title=Main_Page The iPhone Wiki] is an excellent resource to use when researching, because much of the hardware and software aspects are similar to that of the iPod.

'''Feel free to add information and make changes!''' This is a wiki after all. Just make sure you are logged in before you try to edit.

==This wiki==
[[About]]
==iPod Firmware==
===Obtaining===
[[Dumping firmware]]

[[Extracting firmware]]

[[Disassembling bootrom]]

[[Disassembling firmware]]
===Analysis===
[[Bootrom]]

[[Firmware]]

[[Bootstrapping sequence]]

[[Firmware encryption]]

=== 2G hacking and unencrypted firmware analysis ===
[[Nano2G getting exec]]

==iPod Hardware==
[[Hardware]]

[[Hardware annotation]]

[[Nano2G%2BHW%2Banalysis]] and [[S5L8701 analysis]]

[[Modes]]

[[Chronology]]

Notes vulnerability

2009-07-12T04:59:29Z

Sto: Created page with '== Notes vulnerability == === Basics === The notes functionnality is basically a htm browser included in the ipod. Some doc can be found [http://developer.apple.com/ipod/iPodNot...'

== Notes vulnerability ==
=== Basics ===

The notes functionnality is basically a htm browser included in the ipod.
Some doc can be found [http://developer.apple.com/ipod/iPodNotesFeatureGuideCB.pdf here].

Basic rules are :
*64kB files are loaded just after the boot of the nano
*each file is limited to 4kB
*the links point to other files, or to other notes, or to media files.
*the link is limited to 256 chars. apple documents this limit, but they don't say it can cause a buffer overflow ;)

There seem to be 2 buffers : one which is a perfect copy of the disc file, including BOM, etc..., and one conteining many files, but after UTF16 processing

=== File loading ===

The htm file is converted to UTF-16 first. This limits the possible char sequences.
The best thing to to have most charset possibilities is encode the exploit directly to [http://unicode.org/faq/utf_bom.html#utf16-2 UTF16].

forbidden values are :
*FE FF : UTF16 BOM
*D8 00 up to DF FF : not checked what happens if inserting them
*00 00 : would stop string processing

The opcodes to execute will be placed in the body of the htm file.

=== Link overflow ===

After loading the file, the links are then checked against the file system.
Many modified copiues of this string are present on the stack.
We could identify the most important steps of this process, until the string overflow in the stack (order could be a little different):

*Fist, the link is extracted from the file, and copied to some heap or fixed buffers
*The link is converted to UTF8. Every char >7F is encoded in many bytes
*Then it is passed through an uppercase function
*The URL encoding is decoded : %xx values are converted to their equivalent (limited to valid UTF8 or the like)
*Finally, this link is copied in a limited buffer which is located on the stack. By putting a return adress repetitively in the link, the processor will jump to this adress.

For conveninece, the return adress is always encoded using %xx URL encodings. This avoids problems with some special chars and with lowercase chars. Possible values are 00 < xx <= 7F.

== Exploiting, getting execution ==

To exploit, we used [[Nano2G%2BHW%2Banalysis|JTAG]] to determine the correct paddings and return adresses of the buffers.

In my case, i had to put a second file to influence the buffer's location, in order to have a return adress which fits an UTF8 (no byte of the return adress >7F).

An example of a working overflow file set [http://f4eru.free.fr/8701/Notes_overflow_example.zip here].
the file "Brokenlink.htm" contains first an UTF16 BOM, then "AA" as padding, then the overflowing link (return addr is 08640D60), then a NOP (opcode E1A01001) landing zone, and finlly a "while(1);"

This while(1) does not freeze or reset the ipod, but instead just crashes the background task. You can still scroll the menus, but hte ipod will freeze as soon as you press "play" or if you enter the notes menu, etc...

The processor arrives to the notes in supervisor state, with interrupts activated (menu scrolling), etc.
Caches are activated, recommendation is to disable them if making complex IO & DMA stuff, else they can interfere.

== Dumping memories ==

For dumping, first the cache was used (JTAG dumps), but very soon it turned out that the UART is more flexible.
The UART is exactly the same than described in the datasheet.

See [http://pargon.nl/?p=6 here] how to build an UART cable.

my complete setup is a little bit more complex : [[File:Nanofighter.jpg|200px|thumb|left|nanofighter]]
*left board : DLC5 jtag interface, modified for reset and USB switching
*right board : some programmer board, only the ST232 is used
*upper board : this was the jtag scanner, now only the power supply and 5V regulator are used
*middle board : all the switching stuff

To automatically enter DFU mode, i wired transistors to the USB 5V line, and to the "play" and "enter" buttons of the clickwheel.

== USB ==
Because UART needs HW, USB will be used to debug in the future

== Analysis of the dumps ==

to be documented

File:Nanofighter.jpg

2009-07-12T04:51:02Z

Sto:

Nano2G HW analysis

2009-07-12T03:44:08Z

Sto:

Hardware

2009-06-14T09:04:55Z

Sto: /* 2G Nano */

Although iPods have many other components, here we are only listing the components that might be relavent to cracking firmware encryption. If you have any suggestions for any other components to add, just post on the talk page or IRC. Links to datasheets are important if they can be found. For a visual hardware reference, visit the [[Hardware annotation]] page.

For information about the S5L8700 datasheet, see the [[S5L8700 datasheet]] page.
==1G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| Portal Player PP5021C-TDF. This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here].
|-
| Utility Flash
| [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF400A SST39WF400A]. This chip is documented very well as is a similar chip on the 2G Nano.
|}
==2G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| [[S5L8700 datasheet|Samsung S5L8701]] System On Chip (SoC), includes ARM940T(SAM44X?) central processor, advanced DSP, 50kb boot ROM, 256kb SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701.
|-
| RAM
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&partnum=K4M56163PG Samsung K4M56163PG] - [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the iPod 1G Nano. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead.
|-
| Utility Flash
| [http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39WF800A SST SST39WF800A],stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on.
|-
| DSP
| Combination of Samsung 16-bit CalmRisc16 and Samsung 24-bit CalmMAC2424. Performance - up to 40MIPS (24x24 operation per cycle). During boot performs [[Bootstrapping sequence|data verification and decryption]].
|
|}

==3G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| [[S5L8700 datasheet|Samsung S5L8701]] ARM940T processor. The package itself is Apple-branded and marked 337S3473 8702.
|-
| RAM
| Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=137&partnum=K4X56163PG&&ppmi=1209 K4X56163PI]. Another similar one that is sometimes used is the [http://www.qimonda.com/mobile-ram/ddr-18/index.html Qimonda HYE18M169CX75].
|-
| Utility Flash
| [http://www.sst.com/products.xhtml/serial_flash/25/3.0V/SST25VF080B SST25VF080B]. Like the other SST chips, this one is also extremely well documented.
|}
==4G Nano==
{| border="1" cellpadding="5" cellspacing="0"
! Component !! Details
|-
| CPU
| [[S5L8700 datasheet|Samsung S5L8701]] ARM940T processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor.
|-
| RAM
| Integrated into the processor, similar to the iPod Touch and iPhone lines.
|-
| Utility Flash
| Possibly the chip on the lower part of the 4G board? See [[Hardware annotation]].
|}
==Helpful pages==
http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware)

http://www.ipodlinux.org/wiki/Generations (Be careful! This is extremely inaccurate.)

http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues
===1G Nano===
http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx

http://arstechnica.com/apple/reviews/2005/09/nano.ars/4

[http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board]

[http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - The pictures listed
===2G Nano===
[[Nano2G%2BHW%2Banalysis]]

[[S5L8701 analysis]]

http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf

http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1

http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4

===3G Nano===
http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx#

http://content.techrepublic.com.com/2346-13636_11-170826-1.html

http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1

http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html

[http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board]
===4G Nano===
http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1
===Other (for comparison)===
http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx

http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx

S5L8701 analysis

2009-06-14T08:51:45Z

Sto:

[[File:S5L8701_bonding_wires_via_x-ray_bottom_view_2.jpg|200px|thumb|View of the bonding via X-ray]]
[[File:S5L8701_top_layer_bottom_view_2.jpg|200px|thumb|View of the top layer]]
[[File:S5L8701 bottom layer bot view 2.jpg|200px|thumb|View of the bottom layer]]
== Introduction ==

The samsung S5L8701 is the SOC of the IN2G. This chip is supposed to be close to the 8700 used on some concurrent MP3 players.

We currently know nearly nothing about the differences of both chips, and the further evolutions. There is probably a small unencrypted boot ROM inside, which would be very useful for integrating user SW. Probably containing crypto information.
Knowing the location of some JTAG pins could be very helpful.

There is an OpenOffice Calc document describing possible pinouts [http://f4eru.free.fr/8701/ here]. There is also [https://mail.gna.org/public/linux4nano-dev/2009-05/msg00003.html tof's mailing list post].

== Structure of the packaging ==

The chip is a 226-pin TFBGA with a pitch of 0.5mm.
This is the structure of a BGA package : [http://www.freepatentsonline.com/6569694-0-display.jpg BGA package]

The chip is glued to a small double side PCB substrate.
the electrical current passes through :
-a pad of the chip die
-a bonding wire
-the top layer of the substrate
-a via
-the bottom layer
-finally, the BGA ball

The [[S5L8700 datasheet|known datasheet]] shows die pad numbers that need to be correlated to ball numbers (the specified package has a different ball layout).
In order to do this, we make an analysis of the bonding and PCB.

== Packaging analysis ==

Following steps were made :
-desoldering of the IC
-removing of the balls and filler glue
-X-ray picture
-microscope picture of the bottom layer
-removing the bottom layer and most of the substrate (by careful manual grinding)
-microscope picture of the top layer
-superposition of these views, and path finding from the die to the ball

== Guessed pinout table ==

the pinout is currently under study. See [http://f4eru.free.fr/8701/ here] for the actual status.
This is not an easy part of the work, each pad has to be tested for connections all over the board (most IC's removed). See [[Nano2G%2BHW%2Banalysis]] for further PCB analysis.

Main Page

2009-06-14T08:50:32Z

Sto: /* iPod Hardware */

This is the wiki page for the Linux4nano project. [http://home.gna.org/linux4nano/ Here] is the project homepage, and [http://mail.gna.org/public/linux4nano-dev/ here] is a link to the project's mailing list. Linux4nano also has a fairly active IRC channel, #linux4nano-dev @ irc.freenode.net. [http://theiphonewiki.com/wiki/index.php?title=Main_Page The iPhone Wiki] is an excellent resource to use when researching, because much of the hardware and software aspects are similar to that of the iPod.

'''Feel free to add information and make changes!''' This is a wiki after all. Just make sure you are logged in before you try to edit.

==This wiki==
[[About]]
==iPod Firmware==
===Obtaining===
[[Dumping firmware]]

[[Extracting firmware]]

[[Disassembling firmware]]
===Analysis===
[[Firmware]]

[[Bootstrapping sequence]]

[[Firmware encryption]]
==iPod Hardware==
[[Hardware]]

[[Hardware annotation]]

[[Nano2G%2BHW%2Banalysis]] and [[S5L8701 analysis]]

[[S5L8700 datasheet]]

[[Modes]]

[[Chronology]]

Nano2G HW analysis

2009-06-14T08:48:15Z

Sto: Created page with 'Top layer, including JTAG Bottom layer 300px [[File:2G_bck_annotation.png|3...'

[[File:Top_annote.jpg|200px|thumb|Top layer, including JTAG]]
[[File:Bot_annote.jpg|200px|thumb|Bottom layer]]
[[File:2G_frt_annotation.png|300px]]
[[File:2G_bck_annotation.png|300px]]
== previous work ==

See [[Hardware#2G_Nano_2]].

== SOC analysis ==

[[S5L8701_analysis]]

== Circuit analysis ==

After desoldering all components, the circuit was analyzed with a continuity tester.

Small test needles (nailbed needles are great) were used for contacting.

For easing the search, a more coarse search was first performed by a novel method : soldering a coil wire to one end, and moving a iron wool pad over the rest of the PCB until the tester beeps. After finding a spot, the needle allows to find the exact pad.

Not all connection were routed, mainly the connections to the S5L8701 SOC.

Results are a [http://f4eru.free.fr/8701/ detailed pinout of the 8701]

See also [[S5L8701_analysis]].

== JTAG ==

The jtag was found after searching with a jtag bruteforce scanner i wrote.(to be published later)
There were a lot of problems, including the scanner not working properly, and a nTRST pin. (still cannot understand why).

But now we have the locations of the pins : see picture [[Image:Top_annote.jpg|40px|thumb|pin locations]].

The pins are basically available on the DOCK connector after putting in place some jumpers (2 for nTRST, 1 for other pins).

After connecting a xilinx paralell cable, and installing openwince, we can try to connect to the JTAG :

$ sudo jtag
JTAG Tools 0.5.1
Copyright (C) 2002, 2003 ETC s.r.o.
JTAG Tools is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
There is absolutely no warranty for JTAG Tools.

Warning: JTAG Tools may damage your hardware! Type "quit" to exit!

Type "help" for help.

jtag> cable ppdev /dev/parport0 DLC5
Initializing Xilinx DLC5 JTAG Parallel Cable III on ppdev port /dev/parport0
Error: Cable initialization failed!
jtag> cable parallel 0x378 DLC5
Initializing Xilinx DLC5 JTAG Parallel Cable III on parallel port at 0x378
jtag> detect
IR length: 4
Chain length: 1
Device Id: 0
chain.c(110) Part 0 without active instruction
chain.c(133) Part 0 without active instruction
chain.c(110) Part 0 without active instruction
jtag> discovery
Detecting IR length ... 4
Detecting DR length for IR 1111 ... 1
Detecting DR length for IR 0000 ... -1
Detecting DR length for IR 0001 ... 1
Detecting DR length for IR 0010 ... 5
Detecting DR length for IR 0011 ... -1
Detecting DR length for IR 0100 ... 1
Detecting DR length for IR 0101 ... 1
Detecting DR length for IR 0110 ... 1
Detecting DR length for IR 0111 ... 1
Detecting DR length for IR 1000 ... 1
Detecting DR length for IR 1001 ... 1
Detecting DR length for IR 1010 ... 1
Detecting DR length for IR 1011 ... 1
Detecting DR length for IR 1100 ... -1
Detecting DR length for IR 1101 ... 1
Detecting DR length for IR 1110 ... 32
jtag>

We can see the instruction length is 4 bits. the screen freezes directly when we use the JTAG.

We currently do not know if this interface is the JTAG of the ARM or the CALM processor. In the 8700 doc, there seems to be a switch pin. However, here, the switch pin (P10) is an output at H level. Even by forcing it to GND. there seems to be no change in the JTAG structure.
Other pins were tried, no jtag commutation was found.

== Todo ==
-find which processor is connected
-check the doc of the ARM and the CALM for JTAG info
-try to use an ARM debugging program ?
-find a commutation pin
-if the JTAG does not help, we can probably make a SDRAM sniffing (clock frequency was only about 12 MHZ !)

File:Bot annote.jpg

2009-06-14T07:58:24Z

Sto: bot layer of the ipod nano 2G pcb. some signals and testpoints noted

bot layer of the ipod nano 2G pcb. some signals and testpoints noted

File:Top annote.jpg

2009-06-14T07:57:23Z

Sto: top layer of the ipod nano 2G pcb. some signals noted, including JTAG

top layer of the ipod nano 2G pcb. some signals noted, including JTAG

S5L8701 analysis

2009-05-31T13:38:17Z

Sto:

== Introduction ==

The samsung S5L8701 is the SOC of the IN2G. This chip is supposed to be close to the 8700 used on some concurrent MP3 players.

We currently know nearly nothing about the differences of both chips, and the further evolutions. There is probably a small unencrypted boot ROM inside, which would be very useful for integrating user SW. Probably containing crypto information.
Knowing the location of some JTAG pins could be very helpful.

There is an OpenOffice Calc document describing possible pinouts [http://f4eru.free.fr/8701/ here]. There is also [https://mail.gna.org/public/linux4nano-dev/2009-05/msg00003.html tof's mailing list post].

== Structure of the packaging ==

The chip is a 226-pin TFBGA with a pitch of 0.5mm.
This is the structure of a BGA package : [http://www.freepatentsonline.com/6569694-0-display.jpg BGA package]

The chip is glued to a small double side PCB substrate.
the electrical current passes through :
-a pad of the chip die
-a bonding wire
-the top layer of the substrate
-a via
-the bottom layer
-finally, the BGA ball

The [[S5L8700 datasheet|known datasheet]] shows die pad numbers that need to be correlated to ball numbers (the specified package has a different ball layout).
In order to do this, we make an analysis of the bonding and PCB.

== Packaging analysis ==

Following steps were made :
-desoldering of the IC
-removing of the balls and filler glue
-X-ray picture
-microscope picture of the bottom layer
-removing the bottom layer and most of the substrate (by careful manual grinding)
-microscope picture of the top layer
-superposition of these views, and path finding from the die to the ball

[[File:S5L8701_bonding_wires_via_x-ray_bottom_view_2.jpg|200px|thumb|left|View of the bonding via X-ray]]
[[File:S5L8701_top_layer_bottom_view_2.jpg|200px|thumb|left|View of the top layer]]
[[File:S5L8701 bottom layer bot view 2.jpg|200px|thumb|left|View of the bottom layer]]

== Guessed pinout table ==

the pinout is currently under study. See [http://f4eru.free.fr/8701/ here] for the actual status.
This is not an easy part of the work, each pad has to be tested for connections all over the board (most IC's removed)

unfortunately, the board suffered from the unsoldering, some fragile pads are gone, so one more broken nano 2G is wanted.

S5L8701 analysis

2009-05-31T13:33:25Z

Sto:

S5L8701 analysis

2009-05-12T16:04:41Z

Sto:

== Introduction ==

The samsung S5L8701 is the SOC of the IN2G. This chip is supposed to be close to the 8700 used on some concurrent MP3 players.

We currently know nearly nothing about the differences of both chips, and the further evolutions. There is probably a small unencrypted boot ROM inside, which would be very usefull for integrating user SW. Probably containing crypto information.
Knowing the location of some JTAG pins could be very helpfull.

== Structure of the packaging ==

The chip is a 226-pin TFBGA with a pitch of 0.5mm.
This is the structure of a BGA package : [http://www.freepatentsonline.com/6569694-0-display.jpg BGA package]

The chip is glued to a small double side PCB substrat.
the electrical current passes through :
-a pad of the chip die
-a bonding wire
-the top layer of the substrate
-a via
-the bottom layer
-finally, the BGA ball

The [[known datasheet]S5L8700_datasheet] shows die pad numbers that need to be correlated to ball numbers (the specified package has a different ball layout).
In order to do this, we make an analysis of the bonding and PCB.

== Packaging analysis ==

Following steps were made :
-desoldering of the IC
-removing of the balls and filler glue
-X-ray picture
-microscope picture ot the bottom layer
-removing the bottom layer and most of the substrate (by careful manual grinding)
-microscope picture of the top layer
-superposition of these views, and path finding from the die to the ball

[[File:S5L8701_bonding_wires_via_x-ray_bottom_view_2.jpg|200px|thumb|left|View of the bonding via X-ray]]
[[File:S5L8701_top_layer_bottom_view_2.jpg|200px|thumb|left|View of the top layer]]
[[File:S5L8701 bottom layer bot view 2.jpg|200px|thumb|left|View of the bottom layer]]

== Guessed pinout table ==

to come soon...

S5L8701 analysis

2009-05-12T15:49:32Z

Sto: Created page with '== Introduction == The samsung S5L8701 is the SOC of the IN2G. This chip is supposed to be close to the 8700 used on some concurrent MP3 players. We currently know nearly nothi...'

== Introduction ==

The samsung S5L8701 is the SOC of the IN2G. This chip is supposed to be close to the 8700 used on some concurrent MP3 players.

We currently know nearly nothing about the differences of both chips, and the further evolutions. There is probably a small unencrypted boot ROM inside, which would be very usefull for integrating user SW. Probably containing crypto information.
Knowing the location of some JTAG pins could be very helpfull.

== Structure of the packaging ==

The chip is a 226-pin TFBGA with a pitch of 0.5mm.
This is the structure of a BGA package : [http://www.freepatentsonline.com/6569694-0-display.jpg BGA package]

The chip is glued to a small double side PCB substrat.
the electrical current passes through :
-a pad of the chip die
-a bonding wire
-the top layer of the substrate
-a via
-the bottom layer
-finally, the BGA ball

The [[known datasheet]S5L8700_datasheet] shows die pad numbers that need to be correlated to ball numbers (the specified package has a different ball layout).
In order to do this, we make an analysis of the bonding and PCB.

== Packaging analysis ==

Following steps were made :
-desoldering of the IC
-removing of the balls and filler glue
-X-ray picture
-microscope picture ot the bottom layer
-removing the bottom layer and most of the substrate (by careful manual grinding)
-microscope picture of the top layer
-superposition of these views, and path finding from the die to the ball

[[File:S5L8701_bonding_wires_via_x-ray_bottom_view_2.jpg|200px|thumb|left|View of the bonding via X-ray]]
[[File:S5L8701_top_layer_bottom_view_2.jpg|200px|thumb|left|View of the top layer]]
[[File:S5L8701 bottom layer bot view 2.jpg|200px|thumb|left|View of the bottom layer]]

File:S5L8701 bottom layer bot view 2.jpg

2009-05-12T15:32:53Z

Sto: top layer of the 8701 substrate

top layer of the 8701 substrate

File:S5L8701 top layer bottom view 2.jpg

2009-05-12T15:31:24Z

Sto: bottom layer of the 8701 substrate

bottom layer of the 8701 substrate

File:S5L8701 bonding wires via x-ray bottom view 2.jpg

2009-05-12T15:12:10Z

Sto: x ray of the 8701 showing the bonding wires

x ray of the 8701 showing the bonding wires