Sometimes, you mess up when toying with the firmware of an embedded device and end up “bricking” what you were working on. [Chris Bellows] had done just that with a consumer router, corrupting the onboard NAND flash to the point where recovery via normal means was impossible. Armed with a working duplicate of the router, he wondered if the corrupted NAND flash could be substituted into the working router while it was running, and reflashed in place – and decided to find out.
Key to achieving the hack was finding a way to remove the existing NAND flash in the working router without crashing the system while doing so. This required careful disconnection of the chip’s power lines once the router had booted up, as well as tying the “Ready/Busy” and “Read Enable” pins to ground. With this done, the chip could carefully be removed with a hot air tool without disrupting the router’s operation. The new chip could then be soldered in place, and flashed with factory firmware via the router’s web interface. At this point, it could be powered down and the chips swapped normally back into their own respective routers, restoring both to full functionality.
It’s a neat hack, and one that shows that it’s sometimes worth taking a punt on your crazy ideas just to see what you can pull off. It also pays to know the deeper secrets of the hardware you run on your own home network.
28 thoughts on “Can You Hot-Swap Flash Chips In A Consumer Router?”
That’s a really cool hack
sometimes it’s better to bet on crazy. in the early 90’s i did this with a lpc flash after bricking a BIOS on the pentuim “batmans revenge” mobo in a gateway p7 tower, it was also well known for bricking during bios updates and gateway sent me a new board and told me not to send the other back but just bin it, well the gauntlet had been thrown down right ? i removed the old flash and just press hold the working flash until i saw a: prompt and then swap flash to the dead one and re-run flash bios program until it eventually worked, this also works with GPU vbios system too if you dont happen to have a hand dandy buspirate or some ftdi jtag device.
The vBios is similar trick, when you have GPU with bios switch (silence/OC). You can boot from the working one, then simply switch to second bios flash on running system and reflash it :)
Bios used to be in a dip configuration in a dip socket. Easy to pull and replace while running.
So.. you can create a dip package for any chip or use automotive pin probes to flash it.
Race and automobile flash ROMs ade hard wired as well. ( Vibration ) so all you need is power leads to chip,
And io ( read write data ) pin configuration.
There is a special harness and pin access available to access most automotive chips.
Probably the pinouts are similar to one of the 25 listed here
It worked for me much easier for the BIOS flash in the days they were socketed.
When I bricked my motherboard with BIOS update I just bought the same motherboard again, hot swapped the BIOS chip and flashed it in the working computer. It went quite well. I ended up with two working motherboards instead of one dead. I guess it was quite common in those days.
I ended up reflashing the SPI flash on a motherboard I bricked by tacking a couple wires on. Thankfully the image you could download was just a raw image and writing it directly to the flash worked.
NAND flash TSOP48 socket like $0.10-2.5 depend on quantity, so it’s kinda pointless.
How about some links at those prices for quantity of 1 ?
Seriously… You can searx it for yourself:
or you can go straight to alibaba/aliexpress or ebay it’s here 99%
if you miserable failed at it, here is direct links…
if you can’t for some reason buy from alibaba here is aliexpress:
i think you missed the point. just buying a new chip wouldn’t have helped.
It’s a double or nothing betting on your own skills and some luck. Sadly I don’t usually get correct alignment on first try for fine pitch parts.
I suppose it relies upon the firmware reaching some stable state where it is no longer doing NAND flash access. If the firmware tries to do a read/write (E.g. file system access) then bad stuff will happen and you may well get a system crash. Also – if you have the software skills and know how the SoC nand flash controller works then updating the flash using JTAG (with openocd or similar) is a less fiddly option.
But why would you swap the chips back again ? Just leave the faulty but fixed one in place andsolder the always working one in the other router. the extra remove/resolder action just creates more risk on bricking the device permanently because of trace or pcb damage.
The NAND usually also contains configuration/calibration data for the WiFi etc.
Depending on the OS (eg. openWRT) you can switch the config portions of the NAND afterwards but this might’ve been easier?
This might not work or downright brick the whole thing forever. Firmware images do not usually carry radio test partitions that are individual for each router. So if you do the reflash, you’ll leave this partition empty. No Mac addresses for all interfaces and wireless performance would be super crappy, of it will start working at all.
Same goes for bootloader. Web updates often leave u-boot untouched.
Yeah, not to be only ranting – great soldering skills nevertheless. It’s great that it worked.
If the web updates don’t touch those parts, would that also mean that those parts would not be corrupted during a bad flash? And doing this method would leave them likewise intact?
Not if you flash e.g. bad image with different size or you can flash it manually from SSH where you can say exactly on which address to flash…
If there was ever a time to program a chip /before/ installing it, this was it. Still interesting that it’s possible but this screams “there is a better way”.
Unfortunately this is NAND flash, and NAND’s low level block format makes it more difficult to bit copy. You can do it as long as your reader / writer decodes and re-encodes the contents logically rather than blindly copying the low level contents.
Because NAND formatting can vary depending on the SoC and how the OS and bootloader are configured on the target, it’s probably easier to do it this way.
on a product I worked on we had a socket for flash (coffin style for SMT) and because we did a lot of power savings to power down rails. If the /dev/flash device was not open by anyone, then the rails were powered down and we’d swap out the chip and flash another from the command-line (Linux). it was helpful for doing quick releases to the team so that people could try stuff.
There were some off the shelf BIOS switchers for the old PCs that’d accept two standard chips in piggyback (iirc). You could then boot off one, flip switch, and flash the other. It saved potential electric wonkiness or slipping when attempting to hot-swap.
Later I recall them getting fancier but the era of pinned EEPROM BIOS chips had already ended.
That’s some pretty heavy wizardry here. Well done!
I honestly did not think this was possible. Very well done!
It works, I’ve done several desktop motherboards this way. But they’re much simpler and all of the ones I have done were just 8 pin SPI EEPROMs.
Congratulations Dr. Hfuhruhurr.
Please be kind and respectful to help make the comments section excellent. (Comment Policy)