imagotag-hack icon indicating copy to clipboard operation
imagotag-hack copied to clipboard
verified publisher icon andrei-tatar

The myserious 8-pin chip

Open ospilos opened this issue 5 years ago • 6 comments

is in fact just an ordinary SPI flash to store and hold the image data.

ospilos avatar Apr 15 '21 19:04 ospilos

Thanks for the info. Do you know the part number/datasheet? Would like to update the docs. Help other hackers :)

andrei-tatar avatar Apr 16 '21 09:04 andrei-tatar

Hi, IIRC it was Winbond 25V10 or more probably W25X10 1Mbit SPI flash in USON package, hence those cryptic markings. The funny thing was that the CC2510 had not enough RAM to write whole 4K flash pages to the device, so it only contained 8 b&w images. EDIT: Looking at the datsheet it seems that it was some other device that was unable to use the whole flash capacity. The 25X01 is programmable by 256 byte chunks, which is definitely possible with CCxx10.
EDIT1: I digged out my reverse engineering remarks on the board and the flash is indeed W25X10CLUXIG, see https://cz.mouser.com/datasheet/2/949/w25x10cl_revg_021714-1489755.pdf

ospilos avatar Apr 22 '21 20:04 ospilos

Hello @ospilos, hope you're well! I've dumped the firmware image from my flash too, but can't decode it to pictures, I used binwalk with various combinations of args, but to no avail. Could you please share your solution?

medvm avatar May 21 '22 10:05 medvm

By the way, my version of the board is slightly different from all yours, but the main components are the same. Pictures with captions attached

Top side

Bottom side

medvm avatar May 21 '22 10:05 medvm

After numerous attempts, I managed to open the dump as an image, but the image seems to be damaged. It seems that the vertical columns are mixed up in places... mixed-up_columns

medvm avatar May 21 '22 18:05 medvm

Parsed the picture in a normal way. I wonder if the image on the display will be updated after writing a new picture to the flash?.. res39

medvm avatar May 21 '22 22:05 medvm

@medvm hi, can you show the way on how you managed to fix the dump?

lols avatar May 08 '23 19:05 lols

@lols
If I remember correctly, it was mostly an empirical method. I realised there was definitely something wrong with the on-board winbound flash, so I fixed the dump manually and repeated the remapping sequence for the rest of the dump

medvm avatar May 12 '23 19:05 medvm

@medvm

Hey if you ever get a moment could you please brush up and/or clarify what the challenge here was and how you resolved it? I'm looking at trying to mod and repurpose some of these tags myself and I'm just trying to tie together all the scraps on this repo and maybe even write up a more succinct workflow to help out others. I would really really appreciate it!

Kickbut101 avatar Dec 22 '23 18:12 Kickbut101