The FPC adapter shown soldered between the BGA chip and the phone's mainboard, with the phone shown to have successfully booted, displaying an unlock prompt on the screen

IPhone 6S NVMe Chip Tapped Using A Flexible PCB

Psst! Hey kid! Want to reverse-engineer some iPhones? Well, did you know that modern iPhones use PCIe, and specifically, NVMe for their storage chips? And if so, have you ever wondered about sniffing those communications? Wonder no more, as this research team shows us how they tapped them with a flexible printed circuit (FPC) BGA interposer on an iPhone 6S, the first iPhone to use NVMe-based storage.

The research was done by [Mohamed Amine Khelif], [Jordane Lorandel], and [Olivier Romain], and it shows us all the nitty-gritty of getting at the NVMe chip — provided you’re comfortable with BGA soldering and perhaps got an X-ray machine handy to check for mistakes. As research progressed, they’ve successfully removed the memory chip dealing with underfill and BGA soldering nuances, and added an 1:1 interposer FR4 board for the first test, that proved to be successful. Then, they made an FPC interposer that also taps into the signal and data pins, soldered the flash chip on top of it, successfully booted the iPhone 6S, and scoped the data lines for us to see.

This is looking like the beginnings of a fun platform for iOS or iPhone hardware reverse-engineering, and we’re waiting for further results with bated breath! This team of researchers in particular is prolific, having already been poking at things like MITM attacks on I2C and PCIe, as well as IoT device and smartphone security research. We haven’t seen any Eagle CAD files for the interposers published, but thankfully, most of the know-how is about the soldering technique, and the paper describes plenty. Want to learn more about these chips? We’ve covered a different hacker taking a stab at reusing them before. Or perhaps, would you like to know NVMe in more depth? If so, we’ve got just the article for you.

We thank [FedX] for sharing this with us on the Hackaday Discord server!

PCIe For Hackers: External PCIe And OCuLink

We’ve seen a lot of PCIe hacks on Hackaday, and a fair few of them boil down to hackers pulling PCIe somewhere it wasn’t meant to be. Today, we routinely can find PCIe x1, x2 and x4 links sitting around in our tech, thanks to the proliferation of things like NVMe SSDs, and powerful cheap SoCs that make PCIe appear at your fingertips.

In the PCIe For Hackers series, we’ve talked about PCIe and how cool it is, all the benefits it has for hackers, gave you layout and interconnection rules, and even went into things like PCIe switches and bifurcation. However, there’s one topic we didn’t touch much upon, and that’s external PCIe links.

Today, I’d like to tell you about OCuLink – a standard that hackers might not yet know as an option whenever we need to pull PCIe outside of your project box, currently becoming all that more popular in eGPU space. Essentially, OCuLink is to PCIe is what eSATA is to SATA, and if you want to do an eGPU or an external “PCIe socket”, OCuLink could work wonders for you.

Respectable Capabilities

Just like any high-speed standard, PCIe has some tight requirements when things get fast. Even though PCIe is known to be not as sensitive to lower-quality links due to its link training and generation downgrade abilities, at higher link speeds, even through-hole vs SMD sockets can make a difference. So, if you want to go high-throughput, you want proper cabling and connectors, intended for out-of-chassis use – and OCuLink gives you all of this, at a low price.

Continue reading “PCIe For Hackers: External PCIe And OCuLink”

Getting PCIe Working On The New Pi 5

After the Pi 4 released, a discovery was quickly made that the internals of the popular single-board computer use PCIe to communicate with each other. This wasn’t an accessible PCIe bus normally available in things like desktop computers for expansion cards, though; this seemed to be done entirely internally. But a few attempts were made to break out the PCIe capabilities and connect peripherals to it anyway, with varying levels of success. The new Pi 5 seems to have taken that idea to its logical conclusion and included a PCIe connector, and [George] is showing us a way to interface with this bus.

The bus requires the port to be enabled, but once that’s done it’s ready to be used. First, though, some support circuitry needs to be worked out which is why [George] is reverse engineering the system to see what’s going on under the hood. There are a few handshakes that happen before it will work with any peripherals, but with that out of the way a PCIe card can be connected. [George] removed the connector to solder wires to the board directly in order to connect a proper PCIe port allowing a variety of cards to be connected, in this case a wireless networking card and an old Firewire card. This specific build only allows Gen 1 speeds, but the bus itself supports faster connections in theory with better wiring and support circuitry.

While it might not be the prettiest solution, as [George] admits, it does a great job of showing the inner workings of this communication protocol and its use in the new, more powerful Raspberry Pi 5. This makes a lot of things more accessible, such as high-speed PCIe HATs allowing for a wide range of expansion for these popular single-board computers, which wouldn’t have been possible before. If you’re still stuck with a Pi 4, though, don’t despair. You can still access the PCIe bus on these older models but it’ll take a little bit more work.

Thanks to [CJay] for the tip!

Continue reading “Getting PCIe Working On The New Pi 5”

The IMac GPU Becomes Upgradeable, With PCIe

Over its long lifetime, the Apple iMac all-in-one computer has morphed from the early CRT models through those odd table-lamp machines into today’s beautiful sleek affairs. They look pretty, but is there anything that can be done to upgrade them? Maybe not today’s ones, but the models from the mid-2000s can be given some surprising new life. [LowEndMac] have featured a 2006 24″ model that’s received a much more powerful GPU, something we’d have thought to be impossible.

The iMacs from that era resemble a monitor with a slightly chunkier back, in which resides the guts of the computer. By then the company was producing machines with an x86 processor, and their internals share a lot of similarities with a laptop of the period. The card is a Mac Radeon model newer than the machine would ever be used with, and it sits in a chain of mini PCIe to PCIe adapters. Even then it can’t drive the original screen, so a replacement panel and power supply are taken from another monitor and grafted into the iMac case. This along with a RAM and SSD upgrade makes this about the most upgraded a 2006 iMac could be.

Of course, another approach is to simply replace the whole lot with an Intel NUC.

Running A Modern Graphics Card In A 33 MHz PCI Slot

If you ever looked at a PCI to PCIe x16 adapter and wondered what’d happen if you were to stick a modern PCIe GPU in it, the answer apparently is ‘it works’ according to an attempt by [Circuit Rewind]. As long as you accept needing to supply external power with even a low-end GT 1030 card – as the PCI slot cannot provide enough power – and being limited to a single PCIe lane. This latter point isn’t so much of an issue as a single PCIe lane offers more bandwidth than the (shared) PCI bus anyway.

Despite the somewhat improvised setup, the GT 1030 card provided a decent 1080p experience in a range of games, after removing half of the 8 GB of system RAM before the configuration would work, probably due to VRAM mapping issues. Since the mainboard used also offered PCIe, the same card was run in a PCIe x4 slot, as well as in an x1 configuration, both with noticeably higher performance and putting the ‘why’ in ‘try’.

Perhaps unsurprisingly, a RTX 3080 also booted fine with external power and only 4 GB system RAM installed. Despite the PCIe x1 link, the system was able to finish a 3D benchmark and play Doom 2016, but with only 4 GB of system RAM and an old Athlon quad-core CPU, it was a terrible experience. Perhaps the most fascinating lesson to learn from this is that PCI and PCIe are amazingly compatible with only a simple translation bridge, even if high-performance graphics aren’t quite what PCI was meant for. After all, that’s why we got cursed with AGP for many years.

Continue reading “Running A Modern Graphics Card In A 33 MHz PCI Slot”

PCIe For Hackers: Our M.2 Card Is Done

We’ve started designing a PCIe card last week, an adapter from M.2 E-key to E-key, that adds an extra link to the E-key slot it carries – useful for fully utilizing a few rare but fancy E-key cards. By now, the schematic is done, the component placement has been figured out, and we only need to route the differential pairs – should be simple, right? Buckle up.

Getting Diffpairs Done

PCIe needs TX pairs connected to RX on another end, like UART – and this is non-negotiable. Connectors will use host-side naming, and vice-versa. As the diagram demonstrates, we connect the socket’s TX to chip’s RX and vice-versa; if we ever get confused, the laptop schematic is there to help us make things clear. To sum up, we only need to flip the names on the link coming to the PCIe switch, since the PCIe switch acts as a device on the card; the two links from the switch go to the E-key socket, and for that socket’s purposes, the PCIe switch acts as a host.

While initially routing this board, I absolutely forgot about one more important thing for PCIe – series capacitors on every data pair, on the host TX side of the link. We need three capacitor pairs here – on TX of the PCIe switch uplink, and two pairs on TX side of the switch – again, naming is host-side. I only remembered this after having finished routing all the diffpairs, and, after a bit of deliberation, I decided that this is my chance to try 0201 capacitors. For that, I took the footprints from [Christoph]‘s wonderful project, called “Effect of moon phase on tombstoning” – with such a name, these footprints have got to be good.

We’ve talked about differential pair calculations before in one of the PCIe articles, and there was a demo video too! That said, let’s repeat the calculations on this one – I’ll show how to get from “PCB fab website information” to “proper width and clearance diffpairs”, with a few fun shortcuts. Our setup is, once again, having signals on outer layers, referenced to the ground layer right below them. I, sadly, don’t yet understand how to calculate differential impedance for signal layers sandwiched between two ground planes, which is to say – if there’s any commenters willing to share this knowledge, I’d appreciate your input tremendously! For now, I don’t see that there’d be a tangible benefit to such an arrangement, anyway.

Continue reading “PCIe For Hackers: Our M.2 Card Is Done”

PCIe For Hackers: An M.2 Card Journey

I’ve designed a few M.2 adapters for my own and my friends’ use, and having found those designs online, people have asked me for custom-made adapters. One of these requests is quite specific – an adapter that adds one more PCIe link to an E-key M.2 slot, the kind of slot you will see used in laptops for WiFi cards.

See, the M.2 specification allows two separate PCIe links connected to the E-key slot; however, no WiFi cards use this apart from some really old WiGig-capable ones, and manufacturers have long given up on connecting a second link. Nevertheless, there are some cards like the Google Coral M.2 E-key dual AI accelerator and the recently announced uSDR, that do indeed require the second link – otherwise, only half of their capacity is available.

It’s not clear why both Google and WaveletSDR designed for a dual-link E-key socket, since those are a rare occurrence; for the Google card, there are plenty of people complaining that the board they bought just doesn’t fully work. In theory, all you need to do to help such a situation, is getting a second PCIe link from somewhere, then wiring it up to the socket – and a perfect way to do it is to get a PCIe switch chip. You will lose out on some bandwidth because the uplink PCIe connection of the switch can only go so fast; for things like this AI accelerator, it’s not much of a problem since the main point is to get the second device accessible. For the aforementioned SDR, it might turn out useless, or you might win some but lose some – can’t know until you try! Continue reading “PCIe For Hackers: An M.2 Card Journey”