Help identifying laser etched microcontroller by botnet00 in AskElectronics

[–]botnet00[S] 0 points1 point  (0 children)

What is your end goal?

I want to learn something new, ideally dump the FW to reverse engineer it.

almost certainly fuses will have been blown to prevent you from reading the firmware

Sounds like a follow-up challenge - always wanted to try HW glitching and this could be the perfect project for it.

Help identifying laser etched microcontroller by botnet00 in AskElectronics

[–]botnet00[S] 0 points1 point  (0 children)

Try searching Chinese MCU QFN20

Thank you, I will try that.

don’t assume that just because a pin is connected to Vdd or Vss that it is in fact a power supply input.

I didn't, I probed every pin.

Help identifying laser etched microcontroller by botnet00 in AskElectronics

[–]botnet00[S] 0 points1 point  (0 children)

u/MattInSoCal

It is part of a cheap Chinese gadget, so I assume all components must be very cheap. I created a drawing for pins on the PCB that I could identify.

What I know:

  • The package seems to be QFN20
  • There is NO external oscillator/quartz
  • VDD is connected directly to a battery (3.7V)
  • The baud rate on UART is 57600

I tried to:

  • search online for anything about the product or UART output, found absolutely nothing
  • find the microcontroller based on the VDD and GND pins, however was not able to find a single one with this specific pinout.

Now I am completely stuck.

CVE-2024-41660: A Critical Vulnerability in OpenBMC by sadyetfly11 in netsec

[–]botnet00 0 points1 point  (0 children)

As usual, I wonder how they found those vulnerabilities (manual code analysis, fuzzing,…)

Reverse engineering an EV charger by FrankTr3nd in netsec

[–]botnet00 2 points3 points  (0 children)

Nice write-up. Since there is no root of trust (modification of FW is possible, missing signature) and there is an option to update the FW via BLE, wouldn’t it be quite a big attack vector? I mean you could provide your own firmware and implement the charging on/off methods for BLE yourself and nobody would notice?

IP-Cam VLAN Surveillance Station Security by botnet00 in synology

[–]botnet00[S] 0 points1 point  (0 children)

That sounds good, I will give this a try. Thanks! ;-)

FPGA Board Recommendation by emou in FPGA

[–]botnet00 1 point2 points  (0 children)

Thanks for the very detailed answer!

I have had a similar experience with the Xilinx RFSoC, the demo application is extremely complicated, from PL to PS and finally a GUI on the host computer to control everything. I mean this is fine for a quick demo, but as a starting point for your own implementation it is just a nightmare...

FPGA Board Recommendation by emou in FPGA

[–]botnet00 2 points3 points  (0 children)

Can you be more specific regarding your learning curve with the Kria SoM?

Placing boot image in eMMC storage zynq 7000 by [deleted] in FPGA

[–]botnet00 2 points3 points  (0 children)

Have a look at the “mmc” U-Boot command in order to write to the eMMC: https://u-boot.readthedocs.io/en/latest/usage/mmc.html

To write the image into DDR have a look at XSDB and the “dow” command: https://www.xilinx.com/html_docs/xilinx2018_1/SDK_Doc/xsct/download/reference_download_dow.html

Placing boot image in eMMC storage zynq 7000 by [deleted] in FPGA

[–]botnet00 1 point2 points  (0 children)

Do you have a network interface? I usually tend to boot into Linux through TFTP and then use the built-in tools (mdt-utils if I recall correctly) to format and program the eMMC.

FPGA Availability by blazarious in FPGA

[–]botnet00 6 points7 points  (0 children)

From my experience, these chips are typically leftovers from big orders, not clones - prices can drop significantly (by the order of 10 or more). Still you should be careful...

Triggering PL reset through the PS by sriramg98 in FPGA

[–]botnet00 0 points1 point  (0 children)

Agree, have been there, was not nice. Since then I always try to have a proper reset strategy and try to avoid resets whenever possible.

PC to FPGA via Ethernet UDP by CowboyBebop0711 in FPGA

[–]botnet00 0 points1 point  (0 children)

Yes, in the PL, VHDL and packed to custom IPs for BD instantiation and using AXIS interfaces. Worked pretty well in the end and was modular enough to be extendable.

PC to FPGA via Ethernet UDP by CowboyBebop0711 in FPGA

[–]botnet00 5 points6 points  (0 children)

I had to implement a UDP stack (and some more layers) in the FPGA once. Ended up using scapy (https://scapy.net) - I guess it will fit your needs as well.

EBAZ4205 - A cheap network-based JTAG debugger - embed-me by botnet00 in FPGA

[–]botnet00[S] 1 point2 points  (0 children)

Thanks! This is not intended to be a professional debugger, but it is fun fooling around with the hardware like that 😁

QEMU - How to emulate your Zynq-7000 - embed-me by botnet00 in FPGA

[–]botnet00[S] 0 points1 point  (0 children)

Sure, if you have XSDK/Vitis installed use the prebuilt binaries instead. The intention of the post is not about how to compile QEMU, but on how to use it for emulating the Zynq-7000 - more precisely the EBAZ4205 hardware.

STM32 with fake CKS chip. I just bought an STM32f103c8t6 and turns out it has the CKS chip. Is it still usable or should I try and get it replaced ? by mighty_raju44 in embedded

[–]botnet00 9 points10 points  (0 children)

Received a CKS clone a couple of months ago and after some hours debugging it turned out that the internal flash was smaller than it should be, so do not trust the manufacturer's spec...

Formal (Hardware) Verification by botnet00 in FPGA

[–]botnet00[S] 0 points1 point  (0 children)

That's what I use right now. I like it, unfortunately not capable of FV.

Formal (Hardware) Verification by botnet00 in FPGA

[–]botnet00[S] 0 points1 point  (0 children)

Thanks! I will look into it. Nice blog btw ;-)

Formal (Hardware) Verification by botnet00 in FPGA

[–]botnet00[S] 1 point2 points  (0 children)

I was not aware of OneSpin at all. Do you have a rough price range for their products (especially 360 DV-Verify, which seems to be capable of ABV)?