Strap in kids, this post is about me physically hacking apart Amazon's Blink Mini to get access to its firmware! No firmware was harmed or modified in the making of this post... yet.
I attended the 2022 CyberTruck Challenge a few weeks ago, during which I learned about hacking, then proceeded to hack trucks and truck accessories. It was a ton of fun, and I made lots of cool friends. Sadly, 70% of the things that I did are covered under NDA, so I can't talk about the ▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇ that I▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇ using▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇ by▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇ and▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇ with the help of ▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇. After three years though, the NDA will expire, so stay tuned for June 26, 2025, when you'll be able to read all about it, assuming I'm still running a blog around then!
At the very least, with what I gleaned from the 20 hours of instruction and 20 hours of hacking, I decided that I should apply what I learned to a real device! These $20 Blink Mini cameras that I bought a few months ago seemed like perfect victims to mess around with!
About the Blink cameras
These cameras are neat little things that have a decent set of features:
- A video camera that can see visible and infrared light
- Motion detection
- An infrared floodlight
- Wi-Fi connectivity with Wi-Fi Direct functionality
Sadly, you have to use the Blink app to do anything with this camera. It's free, but it's only a phone app (they don't have a web app), and if you want to record videos, you have to subscribe to their Blink subscription service, which costs $30/year for one device and a whopping $100/year for more devices! It's also probably why the hardware is so cheap: they made it a loss leader for that service.
Hypotheses before breaking into it
- There is a ROM on this device that I can dump.
- This device runs an embedded Linux system.
- Since the device supports over-the-air firmware updates, I should be able to write my own firmware to the ROM.
I actually have 3 of these guys, and they're pretty cheap anyway, so I didn't mind having one sacrificial lamb. I basically just started savagely pulling it apart and cutting things up, hoping that I would eventually reach the PCB.
But then I realized that maybe this isn't the right way of opening it up. Maybe someone else has already done a teardown of it. Sure enough, I found this YouTube video where someone did just that.
Wow, that was so much easier than I thought it would be!
Staring at the circuit board
There are actually two PCBs here, with a 26-pin header for communication between the two boards. One is the wifi/antenna board, and the other appears to hold everything else.
I looked around the two boards for some ICs with markings. Here are some interesting things I found.
Their LinkedIn says that they're "a leading provider of video and image processing chips for connected camera applications." Hey, that's what I have!
There's another article that associates them with Blink.
Finally, I found this Reuters article that says that Amazon bought Blink and Immedia for $90 million. Vertical integration, of course.
AC1002B2… microcontroller? microprocessor?
Under this shield is this interesting little BGA chip. The markings say:
Searching for AC1002B2-FB, I found a bunch of strange international websites with ordering pages for the chip. They suggest that Broadcom makes these?
Dropping a few letters off the end, though, I found a few results for AC1002B, but they're mostly just reviews for a different Blink camera. On the bright side, this confirms that this unit is indeed the CPU.
From that review, they say that the AC1002B is Immedia proprietary, and has 4 cores and 200MHz, which means it packs some serious power for what it is!
Searching for NP6T9 gives, uh...
And searching for J-2104 yields nothing either.
The hunt for AC1002B2-FB
Google isn't giving me any results for this dumb chip besides marketing materials and Blink-related advertising. The closest I got to a datasheet is this CPU, but it appears to be QFN rather than BGA, plus the performance specs are all completely off. I'll just email those sketchy websites to see if they'll give me anything.
W25Q32JW NOR Flash
This is the juiciest part that I found. The markings say:
The chip says Winbond 25Q32JWIQ. Looking it up, I found this Winbond datasheet for W25Q32JW flash ROMs, with a table that says that 25Q32JWIQ is the WSON-8 package version of it.
There seem to be traces leading from the ROM to the CPU, which further supports my hypothesis that this ROM contains the firmware that we need.
The W25Q32JW datasheet says that it is a 1.8V 4MiB SPI NOR flash chip. Sadly, it also says that it is possible to make some blocks of memory permanently read-only. If we can get a dump from this fucker, we'll find out! And that's the hard part, because I don't know shit about that!
The Flash Chip Rabbit Gap
Please note that I really have no idea what I'm doing after this point.
My first thought was to desolder it, then look at the datasheet and interact with it using an Arduino. However, apparently every SPI flash chip has the same pinout, and their instruction sets share common commands for basic things, like reading and writing.1 Also, Ada suggested that the NOR flash would probably tolerate being dumped in-circuit with a test clip.
Fortunately, there are a million cheap SOIC-8 kits on Amazon that include everything I'd need: a SOIC-8 clip2, a USB programmer, and a bunch of different adapters. Sadly, the USB dongle thing was like, 3.3V and 5V only? That is too much for a part whose datasheet wants 1.8V. But I looked around a little harder and found some kits with 1.8V adapters. This Indian guy on YouTube explained how everything fits together, and how that weird slot-machine-looking adapter worked, making me a little more confident that I was buying the right equipment.
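Since the whole plan hinges on those shared SPI NOR commands and on the lock bits from the datasheet, here is a worked Python example of what the programmer-side software actually does. This is added example code, not part of the original post and not a Blink or Winbond tool: it drives the JEDEC-standard commands (0x9F read ID, 0x05/0x35 read status registers, 0x03 read data) against a constructed in-memory stand-in for the W25Q32JW so it runs offline. The ID bytes EF 60 16, the register contents and the 16-byte sample image are assumptions, and the block-protect range decoding follows the W25Q32 status register layout as I read the datasheet, which you should re-check against the table for your exact part. With real hardware you would swap SimulatedW25Q32.transfer for the full-duplex transfer call of your SPI library (pyftdi, spidev, or whatever your programmer exposes).

```python
"""SPI NOR dump helper over the JEDEC-standard command set (added example)."""

CMD_JEDEC_ID = 0x9F   # read manufacturer / type / capacity
CMD_READ_SR1 = 0x05   # status register 1: BUSY, WEL, BP2:0, TB, SEC, SRP
CMD_READ_SR2 = 0x35   # status register 2: SRL, QE, LB, CMP
CMD_READ_DATA = 0x03  # read with 24-bit address
FLASH_SIZE = 4 * 1024 * 1024  # 32 Mbit part
BLOCK = 64 * 1024
SECTOR = 4 * 1024


class SimulatedW25Q32:
    """Constructed stand-in for the chip (assumption: ID EF 60 16, caller-chosen
    status registers). Answers like a real part on a full-duplex SPI bus."""

    def __init__(self, contents: bytes, sr1: int = 0, sr2: int = 0):
        self.mem = bytes(contents).ljust(FLASH_SIZE, b"\xff")  # erased flash reads 0xFF
        self.sr1, self.sr2 = sr1, sr2

    def transfer(self, tx: bytes) -> bytes:
        """Returns len(tx) bytes; MISO idles high while the command/address clocks out."""
        n, cmd = len(tx), tx[0]
        if cmd == CMD_JEDEC_ID:
            return (b"\xff" + bytes([0xEF, 0x60, 0x16]))[:n].ljust(n, b"\xff")
        if cmd == CMD_READ_SR1:
            return b"\xff" + bytes([self.sr1]) * (n - 1)
        if cmd == CMD_READ_SR2:
            return b"\xff" + bytes([self.sr2]) * (n - 1)
        if cmd == CMD_READ_DATA:
            addr = int.from_bytes(tx[1:4], "big")
            return b"\xff" * 4 + self.mem[addr:addr + n - 4]
        return b"\xff" * n  # unsupported command: bus reads as idle


def read_jedec_id(transfer):
    """(manufacturer, memory type, capacity in bytes); Winbond encodes capacity as log2."""
    rx = transfer(bytes([CMD_JEDEC_ID, 0, 0, 0]))
    return rx[1], rx[2], 1 << rx[3]


def read_status(transfer):
    return transfer(bytes([CMD_READ_SR1, 0]))[1], transfer(bytes([CMD_READ_SR2, 0]))[1]


def protected_range(sr1, sr2):
    """Address range [start, end) write-protected by BP2:0 / TB / SEC / CMP, or None.
    Whether these bits can still be changed is a separate question (SRP/SRL)."""
    bp, tb, sec = (sr1 >> 2) & 7, (sr1 >> 5) & 1, (sr1 >> 6) & 1
    cmp_ = (sr2 >> 6) & 1
    if bp == 0:
        size = 0
    elif sec:  # 4 KiB granularity, capped at 32 KiB; BP=11x protects everything
        size = FLASH_SIZE if bp >= 6 else min(SECTOR << (bp - 1), 8 * SECTOR)
    else:      # 64 KiB granularity; BP=111 protects everything
        size = FLASH_SIZE if bp == 7 else BLOCK << (bp - 1)
    # TB=0 protects the top of the array, TB=1 the bottom; CMP=1 inverts the map.
    rng = (FLASH_SIZE - size, FLASH_SIZE) if not tb else (0, size)
    if cmp_:
        rng = (0, FLASH_SIZE - size) if not tb else (size, FLASH_SIZE)
    return None if rng[0] == rng[1] else rng


def dump_flash(transfer, start=0, length=FLASH_SIZE, chunk=256):
    """READ (0x03) + 24-bit address, in chunks, since buses cap the transfer size."""
    out, addr = bytearray(), start
    while addr < start + length:
        n = min(chunk, start + length - addr)
        frame = bytes([CMD_READ_DATA]) + addr.to_bytes(3, "big") + b"\x00" * n
        out += transfer(frame)[4:]  # skip the 4 bytes clocked during cmd+addr
        addr += n
    return bytes(out)


def dump_twice_and_check(transfer, length=FLASH_SIZE):
    """Test-clip sanity: two reads must agree, and a uniform image means no contact."""
    a, b = dump_flash(transfer, 0, length), dump_flash(transfer, 0, length)
    if a != b:
        raise RuntimeError("two reads differ: flaky clip contact or the CPU is driving the bus")
    if a.count(0xFF) == len(a) or a.count(0x00) == len(a):
        raise RuntimeError("dump is uniform: clip not seated or chip not powered")
    return a


if __name__ == "__main__":
    # Constructed sample image: a fake 16-byte header, rest erased.
    image = b"IMGHDR\x00\x01" + (0x1000).to_bytes(4, "big") + b"\xde\xad\xbe\xef"
    chip = SimulatedW25Q32(image, sr1=0b0000_0100)  # BP=001, TB=0: top 64 KiB locked
    mfr, mtype, size = read_jedec_id(chip.transfer)
    print(f"JEDEC ID {mfr:02X} {mtype:02X}, {size // 1024} KiB")
    print("write-protected range:", protected_range(*read_status(chip.transfer)))
    print("first 16 bytes:", dump_twice_and_check(chip.transfer)[:16].hex())
```

Running it prints the ID, the protected range and the first bytes of the dump. The read-twice-and-compare and uniform-image checks are the first things to do with a test clip: an unseated clip, an unpowered chip, or a CPU still driving the bus each produce a dump that looks plausible until you compare. The protected range only tells you what the current bits block; reading SR1/SR2 before and after a write-enable attempt is how you find out whether they are frozen.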
Hypotheses now, as I wait for the programmer to arrive
- The AC1002B2-FB has no on-chip flash, and the whole firmware is on the ROM.
- We will be able to dump the ROM in-circuit, and no desoldering is necessary.
- It might not be Linux, because it's 4MiB and that's really tiny. But at the same time, I have seen OpenWRT firmwares that are ~800kiB, so it's not out of the realm of possibility.
- Not all of the ROM is write-locked, because otherwise you couldn't get OTA updates. However, parts of the ROM might be locked. Specifically, I worry that the entry-point code is locked, and that it performs digital firmware signature validation.
- The chipset is a fairly common one, so decompiling the machine code isn't impossible. They didn't just make a whole new exotic proprietary instruction set just for this chip.
I'm probably overthinking. I should just be patient and wait for the flash dump.