0225/0401/0272 write protection beated by russian hackers !!!

[Vampirtc]

that's the external spi to a mt1339e chip -- not the mt1335we

you measured the external spi which does nothing natively

I see, so the TX replacement chip solution is implemented here: http://www.xboxhacker.org/index.php?topic=16866.0

So the only way to communicate with Winbond is by SATA? We did try your latest suggestion as well:
"I believe vcc has to rise and fall after each command. At least thats what the datasheet has lead me to believe since it explicitly states that and nothing is mentioned in the mxic."

[an01523]

http://www.team-xecuter.com/forums/showthread.php?p=398469

...First of all we are not using a PIC. We never said we were using a PIC, in fact we posted that we weren't using a PIC on the MXIC version of SPUTNIK (I can't comment wht will be used on the Winbond version as we haven't completed it yet or seen anyone who has a solution).

I just did 12 Winbond boxes. Yeah I used the Unlock PCB - guess what - it works. Who knew ?

[CasioNo15]

Yes, you can use the tx pcb addon when you use the 1339E. That one needs the external spi.

[glaze83]

that's the external spi to a mt1339e chip -- not the mt1335we

you measured the external spi which does nothing natively

I see, so the TX replacement chip solution is implemented here: http://www.xboxhacker.org/index.php?topic=16866.0

So the only way to communicate with Winbond is by SATA? We did try your latest suggestion as well:
"I believe vcc has to rise and fall after each command. At least thats what the datasheet has lead me to believe since it explicitly states that and nothing is mentioned in the mxic."

Think you can post the code you used for testing that?

[tingedace]

Just to clarify, I also don´t know how this hack really works, but I think you are forgetting one thing. You are not communicating directly with the spi, it´s all going through sata to the drive controller, so I am not really sure if you have to deal with the timings of the cs line and the rest of the spi protocol.....
I found this image at logic-sunrise and it looks correct. We are not pulling cs to ground, it´s the 3.3V line.

I agree, the MTK chip handles all that.
The issue is the Winbond has "brownout" protection, to disable writing during a low VCC condition. The MX does not.
The "pulldown" lowers vcc, enough to trick the MX, but not enough to screw the MTK sata. The Winbond detects the vcc drop and disables writing. The "timing" issue, is with regard to the vcc, trying to get past the brownout protection "feature" of the Winbond.

That's a bit of a pain! Albeit good to know thanks Tiros. So it only disables *writes* during brownout and that's why we can still seem to read back the status register value of 0x8C etc? (bit 7 of this being the SRP btw)

So what options does this leave us? Try to send the write enable very soon after dropping Vcc before the winbond "detects" it. Is there such a window?
Or slowly drop the Vcc and keep sending the write enable over and over?

[Geremia]

that's the big problem

[Vampirtc]

Any idea where we could find external Winbond, it would make real life testing easier?

[glaze83]

Any idea where we could find external Winbond, it would make real life testing easier?

http://www.onlinecomponents.com/winbond-electronics_w25p20vsnig-t-r.html?p=12744713

It would seem we just need to send a command to change the brown out detect bit and then the russian unlock would work... or do we need the russian unlock to work first before we can set that bit... which came first the chicken or the egg

[bluemimmos]

Just to clarify, I also don´t know how this hack really works, but I think you are forgetting one thing. You are not communicating directly with the spi, it´s all going through sata to the drive controller, so I am not really sure if you have to deal with the timings of the cs line and the rest of the spi protocol.....
I found this image at logic-sunrise and it looks correct. We are not pulling cs to ground, it´s the 3.3V line.

I agree, the MTK chip handles all that.
The issue is the Winbond has "brownout" protection, to disable writing during a low VCC condition. The MX does not.
The "pulldown" lowers vcc, enough to trick the MX, but not enough to screw the MTK sata. The Winbond detects the vcc drop and disables writing. The "timing" issue, is with regard to the vcc, trying to get past the brownout protection "feature" of the Winbond.

Yes, what tiros said is true, its clearly written in the datasheet
Device resets when VCC is below threshold.

so if the vcc goes low then, the device resets to protect it from writing.

[bluemimmos]

that's the big problem

From here what i got to know is the vcc(min) to /CS low is 10  micro seconds, but the write instruction execution delay is 1 to 10 milliseconds, so before we send write instruction, it delays 1 to 10 milliseconds which is higher than vcc to cs low time hence we cannot write at that particular moment. Or am i completely taking it the other way. May geremia shed some light.

[modguru]

i want to make a stupid question .
it is possible to lift the spi pins  and to solder a external spi to cooperate with the mediatek chip .  ?
like this one http://cgi.ebay.com/5pcs-Winbond-W25Q32BVSIG-32M-bit-serial-flash-memory-/320720921269?pt=LH_DefaultDomain_0&hash=item4aac74e2b5

[bluemimmos]

@modguru , i think you cannot do so, the mt1335we chip is so configured that you cannot used external spi flash without tweaking it, so beeter you need to replace the chip also.. just my 2 cents.

[modguru]

my next thoght is that 60 and 61 point it is like joined but i thing not  one is mpx01 and other is 1.2 v maybe the moment thats mpx01 go low GND the 1.2v pass and change the status 

acording the other photo this is the spi so far i have reach i hope to help some other to complete they thoghts

[glaze83]

do you have an mxic and a winbond board handy? Check the voltage at #cs when a 5ohm resistor is pulling the 3.3v point (with the cut) on the underside of the board down -- it would be expected that #cs remains high on the mxic and low on the winbond. If not, then that pin is not used for #cs with the internal flash. You'd then need to hunt around the chip for a pin which is high on the mxic and low on the winbond. That would theoretically be the #cs pin and we'd have to pull it high on the winbond.

If we can get a resistor to keep #cs pulled up then the brown out protection couldn't pull it low and the device would not reset. Perhaps a dpdt switch...

Yes I sound like I know what I"m talking about, but this is pure deductive reasoning and I have no ee background. So those with ee background please feel free to correct me.

edit:
I think I have it backwards, cs would be low on mxic and high on winbond

[modguru]

yes i have both drive here mxic and windbond i will try and i will post ..
i am not geting any voltage with my multimeter i will try with my oscyloscope to see .

results to winbond with 10 ohms resistor :  i have from 2.46 volt  to 2.05 v   
results with 17 ohm resistor :  withoyt resistor i have 2.46volt  with the resistor i have 2.18 volts
results with 5 ohm resistor : without resistor  2.46 volt   with the resistor 1.88 volt .
results with 2.5Ω  resistor : without resistor  2.46 volt  with the resistor  1.67 volt
results with 1.5Ω  resistor : without resistor 2.46 volt   with the resistor  1.51 volt 
results with 1.2Ω  resistor : without resistor 2.46 volt   with the resistor  1.42 volt  spi status 0xff - 0x8c
results with 1 Ω    resistor : without resistor 2.46 volt   with the resistor  1.37 volt  spi status 0x01 
results with 0.47Ω resistor : without resistor 2.46 volt   with the resistor  1.18 volt  spi status 0x00  but the ventro it is not recognize the flash  says unknow flash ..  the next i have see is the voltage change every second from 0.18 to 1.16 so the voltage gows for one sec 0.17  and the other sec is 1.16

[bluemimmos]

@modguru
you can go and buy 1/2 watt 4.7 ohm resistors or 1 watt 4.7 ohm resistors or 1/2 watt 10 ohm resistors and try.

you can do 3 10 ohms resister in parallel so u can get R = 3.3333ohm with high current, i have already done this trick but with 1/4 watt resistor only. You should try it with 1 watt resistors and place the result.

the result with 3 10 ohms 1/4 watt resistors in parralel is i get status 0xE0. I dont have osciloscope and my multimeter doesnt works.

[CasioNo15]

do you have an mxic and a winbond board handy? Check the voltage at #cs when a 5ohm resistor is pulling the 3.3v point (with the cut) on the underside of the board down -- it would be expected that #cs remains high on the mxic and low on the winbond. If not, then that pin is not used for #cs with the internal flash. You'd then need to hunt around the chip for a pin which is high on the mxic and low on the winbond. That would theoretically be the #cs pin and we'd have to pull it high on the winbond.

If we can get a resistor to keep #cs pulled up then the brown out protection couldn't pull it low and the device would not reset. Perhaps a dpdt switch...

Yes I sound like I know what I"m talking about, but this is pure deductive reasoning and I have no ee background. So those with ee background please feel free to correct me.

What do you mean exactly? The cs line is an input and gets controlled from the drive controller. On write operations it has to be low.

[tingedace]

Any idea where we could find external Winbond, it would make real life testing easier?

http://www.onlinecomponents.com/winbond-electronics_w25p20vsnig-t-r.html?p=12744713

It would seem we just need to send a command to change the brown out detect bit and then the russian unlock would work... or do we need the russian unlock to work first before we can set that bit... which came first the chicken or the egg

As I understand it, you need to set the WEL bit (bit 1) in the status register before writing/erasing anything. This is done by sending the Write Enable instruction (0x06).

However to send write enable, and since the SRP bit of the status register (bit 7) is set i.e. drive locked, then changes to the status register (including WEL) are controlled by the #WP pin. So you need to disable #WP, and change the SRP to a 0 (this is the ultimate goal)
Once SRP is set to 0, you can send Write Enable whenever you like, regardless of #WP because #WP is ignored when SRP is 0.

@glaze83: I don’t see any brownout detect bit or related instruction mentioned in the data sheet. Have you seen something?
If there were then I suspect you’d need to at least get off a Write Enable under the radar before changing it.

[Vampirtc]

This is from my first attempts, but it probably doesn't matter anymore:
winbond 1109:
<=2,5ohm: 0xFF
2.5ohm: 0xE0 / 1,0V (as low as 0,96V)
2,6ohm: 0xF0
2,8ohm: 0xC0
2,9ohm: 0xC2 / 1,04V
3,0ohm: 0xC6
3,2ohm: 0x84 / 1,14V (up to 1,16V)
=>3,4ohm: 0x8C

Tried with other winbonds and resaults are comparable. I used a potenciometer with 0-20ohm scale.

[Pacote-san]

This is from my first attempts, but it probably doesn't matter anymore:
winbond 1109:
<=2,5ohm: 0xFF
2.5ohm: 0xE0 / 1,0V (as low as 0,96V)
2,6ohm: 0xF0
2,8ohm: 0xC0
2,9ohm: 0xC2 / 1,04V
3,0ohm: 0xC6
3,2ohm: 0x84 / 1,14V (up to 1,16V)
=>3,4ohm: 0x8C

Tried with other winbonds and resaults are comparable. I used a potenciometer with 0-20ohm scale.

I got the same results using a 0-50 trimpot

but for me it was 3.2> 0x8c