0225/0401/0272 write protection beated by russian hackers !!!

[modguru]

if you decap the ic it is possible to tell us witch pin is the write protect to lift it from the pcb,  and to solder a wire and a double swich to vcc or gnd  depents from the situation ?
thanks ..

[jenipapo]

if you decap the ic it is possible to tell us witch pin is the write protect to lift it from the pcb,  and to solder a wire and a double swich to vcc or gnd  depents from the situation ?
thanks ..

Oggy said #36 is the WP.
http://forums.xbox-scene.com/index.php?showtopic=733580

[CoDeFl@sher]

Hi,
With acid, in a mt1335, i disconnected the wp wire from gnd and wired it to vcc.
I was able to unlock the winbond spi and now i would like to relock it.
I'm wondering if it is possible to modify the russian tool to send the lock cdb?
Regards

which acid did u used, and can u give detail picture of wp wire that need to be cut? if u can pls post high resolution pics and acid that u used.

Will like to try this, and what can i use to secure wires after decaping with acid ? is it ok to use hotglue to secure the pit that is opened with acid?

I don't remember if it is nitric or sulfuric, i'll have a look on the label.
For pictures, i'll do my best, but i only have a 20x magnifier.
The wire i disconnected is the longest one, which we can see on geremia's picture.
I glued a thin wire on the chip and soldered it on the wp wire.
Be careful, acid is highly dangerous and soldering very hard.
On another mt1335 chip, i disconnected wp from gnd and tried the russian tool with an adjustable resistor.
At 1.9 ohms, i was able to unlock the winbond spi.
What i did not understood, is that when i flashed with lt firmware, it was locked again. Backups were working fine.
At this time, i thought that JF relocked the spi, but with the chip unlocked by wiring wp to vcc, it is different.
Saddly, i do not have this drive anymore (used for flash).

Bonx please forgive my lack of faith, but it's hard to believe without evidence. show us something of your work!

[modguru]

ok i have lift the 36 pin  now for that i have read , i must conect a wire on the pin  and to connect it to vcc 3.3 v is that corect ?

[bonx]

Hi,
With acid, in a mt1335, i disconnected the wp wire from gnd and wired it to vcc.
I was able to unlock the winbond spi and now i would like to relock it.
I'm wondering if it is possible to modify the russian tool to send the lock cdb?
Regards

which acid did u used, and can u give detail picture of wp wire that need to be cut? if u can pls post high resolution pics and acid that u used.

Will like to try this, and what can i use to secure wires after decaping with acid ? is it ok to use hotglue to secure the pit that is opened with acid?

I don't remember if it is nitric or sulfuric, i'll have a look on the label.
For pictures, i'll do my best, but i only have a 20x magnifier.
The wire i disconnected is the longest one, which we can see on geremia's picture.
I glued a thin wire on the chip and soldered it on the wp wire.
Be careful, acid is highly dangerous and soldering very hard.
On another mt1335 chip, i disconnected wp from gnd and tried the russian tool with an adjustable resistor.
At 1.9 ohms, i was able to unlock the winbond spi.
What i did not understood, is that when i flashed with lt firmware, it was locked again. Backups were working fine.
At this time, i thought that JF relocked the spi, but with the chip unlocked by wiring wp to vcc, it is different.
Saddly, i do not have this drive anymore (used for flash).

Bonx please forgive my lack of faith, but it's hard to believe without evidence. show us something of your work!

I understand.
Here's a few pictures, i did quickly.
http://Http://gbonx.free.fr/spip.php?article36

[bonx]

ok i have lift the 36 pin  now for that i have read , i must conect a wire on the pin  and to connect it to vcc 3.3 v is that corect ?

No! It would be too simple.
Spi gnd and mtk gnd are connected on this pin.
If you send vcc on this pin you'll have a short circuit.

[bonx]

Really? That worked?

Here's a version of the russian tool that can lock the spi:
http://www.rigid360.co.uk/ccount/click.php?id=11

Note it sends 0x9C to the status register but It should maybe be 0x8C

Let me know if it works

I tried your version, it works great.
I relocked and re-unlocked with no problem.
The spi status was 0x9C instead of 0x8C as you said. Could you compile a version with an input field for status register or change it to 0x8C ?
Regards

[tingedace]

Yes, sure. Gimme a couple of hours.

[tingedace]

I tried your version, it works great.
I relocked and re-unlocked with no problem.
The spi status was 0x9C instead of 0x8C as you said. Could you compile a version with an input field for status register or change it to 0x8C ?
Regards

Done, just re-download from the same link.

[bonx]

Done, just re-download from the same link.

Wouah! Works perfectly.
I was able to lock to 0x8c and unlock again (only when the switch is on vcc)

[_javi_]

congrats bonx, it seems u made it!

so cutting the trace for WE inside the decapped chip and doing the russian method with 1.9ohm (for winbond) is all thats needed to flash it?
could you plz explain how to identify that trace in the chip?

well done!

[asapreta]

congrats bonx, it seems u made it!

so cutting the trace for WE inside the decapped chip and doing the russian method with 1.9ohm (for winbond) is all thats needed to flash it?
could you plz explain how to identify that trace in the chip?

well done!

Yes, he made it, but its not THAT simple to get there. 
As the WE point is grounded together to another point, its not that simple, we can`t lift a pin and make the magic happens.

But for sure its a start.

[_javi_]

i know 
sounds easy but it's a difficult task. i know it's not lifting a pin, but cutting a trace from a decapped chip.

time to look for the dremel... like the D2B wii chipset with legs cut, grinded to expose the inner traces.

[bonx]

i know 
sounds easy but it's a difficult task. i know it's not lifting a pin, but cutting a trace from a decapped chip.

time to look for the dremel... like the D2B wii chipset with legs cut, grinded to expose the inner traces.

I was not sure if the mtk chip was keeping somewhere the spi status and avoiding any attempt to change status.
I can confirm that changing wp state just before clicking the unlock button is enough.

[misterfly]

Hi,
With acid, in a mt1335, i disconnected the wp wire from gnd and wired it to vcc.
I was able to unlock the winbond spi and now i would like to relock it.
I'm wondering if it is possible to modify the russian tool to send the lock cdb?
Regards

which acid did u used, and can u give detail picture of wp wire that need to be cut? if u can pls post high resolution pics and acid that u used.

Will like to try this, and what can i use to secure wires after decaping with acid ? is it ok to use hotglue to secure the pit that is opened with acid?

I don't remember if it is nitric or sulfuric, i'll have a look on the label.
For pictures, i'll do my best, but i only have a 20x magnifier.
The wire i disconnected is the longest one, which we can see on geremia's picture.
I glued a thin wire on the chip and soldered it on the wp wire.
Be careful, acid is highly dangerous and soldering very hard.
On another mt1335 chip, i disconnected wp from gnd and tried the russian tool with an adjustable resistor.
At 1.9 ohms, i was able to unlock the winbond spi.
What i did not understood, is that when i flashed with lt firmware, it was locked again. Backups were working fine.
At this time, i thought that JF relocked the spi, but with the chip unlocked by wiring wp to vcc, it is different.
Saddly, i do not have this drive anymore (used for flash).
Lol bonx you decapeed  (and not know the acid?)and soldered inside?? i think you never see 1 decapped,and im sure you not hawe a machine whirebonding for soldering

Gold Whire is 25 micron and see now at 35x

[modguru]

my thoght is that to lift the pin is like to cut the wire from inside exept if the WP it is not going straight to a pin but go to another part of the ic .. can anyone confirm that ?

[misterfly]

my thoght is that to lift the pin is like to cut the wire from inside exept if the WP it is not going straight to a pin but go to another part of the ic .. can anyone confirm that ?

if you lift the pin is really impossible cut only 1 whire you not know the dept and again the wire is 25 μm impossible cut only this,inside u hawe a lot of other whire to go mt .....really really really small (or invisible whitout microscope)

[glaze83]

grounds are linked internally -- it's really just for heat dissipation

[bluemimmos]

well, bonx the picture is now not accessible??
can u make the pictures of all the steps you performed, so we can have a look at the comp-lexity?
is removing the chip necessary before doing this step. i think if we remove and decap , then it will be a problem when putting the chip back in board.

anyway your full pictures with step will be a good guide to semi pros.

[bonx]

my thoght is that to lift the pin is like to cut the wire from inside exept if the WP it is not going straight to a pin but go to another part of the ic .. can anyone confirm that ?

if you lift the pin is really impossible cut only 1 whire you not know the dept and again the wire is 25 μm impossible cut only this,inside u hawe a lot of other whire to go mt .....really really really small (or invisible whitout microscope)

The wp wire is on the left, and you can see the solder.
I do not have a bondering machine and never said that.
Do you want a video with locking and unlocking steps?