SPI 102: Firmware Extraction

Introduction

Now that we’ve covered the basics of SPI communication and flash memory, it’s time to put that knowledge into action.

In this part of the series, we’ll walk through the essential tools and setup needed to interface with SPI flash chips. This includes choosing the right programmer, understanding physical connection methods, and using open-source software to communicate with the chip.

We’ll specifically cover:

    • An introduction to the CH341A programmer and how it works.
    • How to use an SOIC8/SOP8 clip and SOIC8 to DIP8 Adapter to physically connect to a flash chip.
    • The role of Flashrom, a powerful tool for reading and writing SPI memory.
    • Step-by-step instructions on how to extract a binary (bin) file from a device.

By the end of this post, you’ll be able to confidently set up your hardware and software environment and perform your first firmware extraction from an SPI flash chip.

Tools Required

  • CH341A USB Programmer – for interfacing with the SPI flash chip
  • SOIC8 to DIP8 Adapter – converts surface-mount layout to DIP for easier handling
  • SOIC8 Test Clip – connects to the chip in-circuit without desoldering
  • Target Device – any hardware containing a compatible SPI flash memory chip
  • Flashrom Utility – open-source software used to read/write the chip

Understanding the CH341A Programmer

The CH341A is a USB-based EEPROM and SPI flash programmer commonly used in hardware hacking, BIOS recovery, and firmware extraction tasks. It's affordable, widely available, and supported by tools like Flashrom.

Key Uses:

    • Reading and writing SPI flash chips (e.g., 25 series chips)
    • Programming I2C EEPROMs (e.g., 24 series chips)
    • Recovering or modifying BIOS/firmware on devices

Front Side Overview:

    • IC Block/ZIF Socket (DIP8) – Insert DIP or SOIC chips (using adapter) for direct programming
    • Program/Power Pins – Available for use with clips, jumpers, or manual connection
    • USB Interface – Plugs directly into a computer for power and data communication

Back Side (Labeling):

You'll often see labels like:

  • 25 SPI – for 25 series SPI flash memory
  • 24 EEPROM – for 24 series I2C EEPROMs

This makes it easier to match your target chip with the correct mode and connection.

Important Notes:

  • The 25 series (e.g., W25Q32, MX25L8005) is the most common SPI flash memory type used in BIOS and firmware storage.
  • The 24 series chips use the I2C protocol and are not the focus of SPI-based firmware extraction.
  • Always confirm the chip series before selecting the mode and connection method.
  • Some chips operate at 1.8V; a voltage adapter is required in such cases to avoid damage.

SOIC8 to DIP8 Adapter

The SOIC8 to DIP8 adapter is a small PCB used to convert an 8-pin surface mount flash chip (SOIC-8) into a standard 8-pin DIP layout, which fits into the ZIF socket of the programmer.


Why It’s Needed:

  • SPI flash chips are usually in SOIC-8 (Surface-Mount) form and can’t be plugged directly into a programmer.
  • This adapter routes the pins to the correct DIP spacing (2.54mm) so they can be used with tools like the CH341A.

Common Use Cases:

  • When the chip has been desoldered from the target board.
  • When using a test clip, the clip wires often go through this adapter before connecting to the programmer.

Note: Always check pin 1 orientation when inserting the adapter into the programmer.

SOIC8 / SOP8 Test Clip

The SOIC8 clip is a specialized tool that allows you to connect to SPI flash chips directly on the circuit board without removing them. It grips the chip from the top, making temporary electrical contact with all 8 pins.

Why It’s Useful:

  • Enables in-circuit programming (no need to desolder the chip)
  • Works with common 8-pin SPI flash chips found in routers, laptops, TVs, and more

Important Points:

  • Pin 1 alignment is critical: always match the clip’s pin 1 with the chip’s pin 1.
  • Ensure firm and stable contact; loose connections can cause read/write errors.
  • Use in combination with the SOIC8 to DIP8 adapter to route the clip to the programmer.
  • Works best when the target device is powered off and fully discharged to avoid interference or damage.

Tip: If the device draws too much power or has interfering components on the SPI bus, consider desoldering the chip for a cleaner dump.

Connecting CH341A to SOIC8 to DIP8 Adapter

Once you have your CH341A programmer and SOIC8 to DIP8 adapter ready, you need to connect them properly to ensure reliable communication with the SPI flash chip.

Step-by-Step Guide:

  1. Set the programmer to SPI Mode
    • The CH341A supports both 24 and 25 series chips.
    • For SPI flash (e.g., Winbond, Macronix), you're working with the 25 series.
    • This means your chip or adapter should be placed on the 25 SPI BIOS side of the ZIF socket (usually labeled on the PCB).

  2. Identify Pin 1 on the adapter
    • Pin 1 of the 25 SPI BIOS section is the top-right corner, closest to the latch lever of the ZIF socket.

  3. Insert adapter into ZIF socket
    • Place the SOIC8 to DIP8 adapter into the programmer so that Pin 1 of the adapter is aligned with Pin 1 of the ZIF socket.
    • If you're unsure, a reliable rule is:

    Pin 1 of the adapter should face the direction of the latch lever on the ZIF socket.

  4. Lock the adapter
    • Once aligned, close the latch gently to secure the adapter in the socket.
    • Double-check the orientation before powering the device via USB.

Connecting the SOIC8 Clip to the Target Chip

Once your CH341A and SOIC8 to DIP8 adapter are properly connected, the next step is to attach the SOIC8 clip to the SPI flash chip on the target device.

Step-by-Step Instructions:

  1. Locate the SPI flash chip
    • Look for an 8-pin SOIC chip on the target board (usually labeled with names like W25Q32, MX25L8005, etc.).
    • Confirm it's a 25-series SPI chip by checking its part number online or in the datasheet.

  2. Identify Pin 1 on the chip
    • Pin 1 is usually marked by a dot or dimple on the top of the chip, or a notch on one end of the chip body.

  3. Attach the SOIC8 clip
    • Carefully press the clip over the chip so that Pin 1 on the clip aligns with Pin 1 on the chip. Pin 1 on the clip is color-coded pink.
    • The clip should grip firmly and all pins must make proper contact.
    • Don’t force it; make sure the chip is clean and the clip sits squarely.

  4. Connect the clip to the adapter
    • The clip’s wires (often color-coded) go into the SOIC8 to DIP8 adapter.
    • Make sure the wire for Pin 1 goes to Pin 1 of the adapter (which should already be inserted into the 25 SPI BIOS side of the programmer, facing the latch).

Best Practices:

  • Power off the target device completely before connecting the clip.
  • Press and hold the clip in place gently during read/write operations if needed.
  • Use proper lighting and a magnifier if necessary; misalignment can corrupt data or damage hardware.

Flashrom: Overview and Setup on Linux

What is Flashrom?

Flashrom is an open-source tool for SPI flash memory access (read/write/verify/erase).

Key Features:

  • Works with many programmers and chipsets
  • Supports reading and writing flash memory non-destructively
  • Runs on Linux, macOS, Windows (best supported on Linux)

Installing Flashrom on Linux:

Use command:

sudo apt update
sudo apt install flashrom

Extracting the BIN File with Flashrom

Step-by-Step:

Check if CH341A is Detected:

Before using Flashrom, check that the CH341A is properly recognized by your system:

lsusb

You should see a line like:

ID 1a86:5512 QinHeng Electronics CH341A Serial Converter

Read the Flash Chip:

Use the following command to read and save the contents of the SPI flash chip:

sudo flashrom --programmer ch341a_spi -r Dlink.bin

  • --programmer ch341a_spi tells Flashrom to use the CH341A in SPI mode.
  • -r Dlink.bin saves the dump to a file named Dlink.bin.

Result: This command creates a binary file containing the raw contents of the flash chip, which can later be analyzed, modified, or used for restoration.
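
Loose clip contact can cause read errors, so a single read is not enough to trust the dump. The script below is an added example, not part of the original post: it compares two reads made with the same flashrom command and prints a SHA-256 only when they agree. The second file name and the script name are assumptions.

```shell
#!/bin/sh
# Added example: decide whether a flashrom dump can be trusted by comparing
# two independent reads. File names used here are assumptions.

# Read the chip twice with the command from this post (needs the CH341A attached).
read_twice() {
    sudo flashrom --programmer ch341a_spi -r "$1" &&
    sudo flashrom --programmer ch341a_spi -r "$2"
}

# Byte count of stdin, without padding.
nbytes() { wc -c | tr -d ' '; }

# True if every byte in file $1 equals octal value $2 (377 = 0xFF, 000 = 0x00).
is_uniform() {
    [ "$(LC_ALL=C tr -d "\\$2" < "$1" | nbytes)" -eq 0 ]
}

# Print the SHA-256 of the dump if both reads agree; otherwise explain why not.
# Return codes: 2 missing/empty, 3 size mismatch, 4 blank read, 5 reads differ.
verify_dumps() {
    a=$1; b=$2
    if [ ! -s "$a" ] || [ ! -s "$b" ]; then
        echo "missing or empty dump" >&2; return 2
    fi
    if [ "$(nbytes < "$a")" -ne "$(nbytes < "$b")" ]; then
        echo "size mismatch between reads" >&2; return 3
    fi
    # All 0xFF or all 0x00 usually means no data came back (or the chip is erased).
    for v in 377 000; do
        if is_uniform "$a" "$v"; then
            echo "dump is a single repeated byte; check clip contact and pin 1" >&2
            return 4
        fi
    done
    if ! cmp -s "$a" "$b"; then
        echo "reads differ; reseat the clip and read again" >&2; return 5
    fi
    sha256sum "$a" | cut -d' ' -f1
}

# Usage: sh verify_dump.sh Dlink.bin Dlink_2.bin
if [ "$#" -eq 2 ]; then
    verify_dumps "$1" "$2"
fi
```

Record the printed hash alongside the dump so later copies of Dlink.bin can be checked against the original read.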

Conclusion

In this post, we covered all the essential tools and steps needed to successfully extract firmware from an SPI flash chip using a CH341A programmer. We introduced the key hardware components, including the SOIC8 clip, SOIC8 to DIP8 adapter, and the CH341A, and demonstrated how to make proper connections, identify pin orientation, and safely interact with the target chip. We also walked through setting up Flashrom on Linux and using it to dump the contents of the chip into a .bin file.

With this knowledge, you now have the ability to access low-level firmware data from devices, a crucial step in hardware hacking, reverse engineering, and system recovery.

What’s Next

In the final post, we’ll explore the .bin file we extracted: how to inspect its contents, identify useful data, and understand the structure of firmware.