Android Hardware Reverse Engineering

Identifying and Locating SPI Flash on Android PCBs: A Hardware RE Guide

By Antigravity Research Published May 30, 2026 ⏱️ 7 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction: The Unseen Brain of Android Hardware

In the intricate world of Android hardware reverse engineering, understanding the various components that comprise a device’s core functionality is paramount. Among these, the Serial Peripheral Interface (SPI) flash memory often holds critical bootloaders, firmware, and configuration data, making it a prime target for researchers and exploit developers. While eMMC or UFS typically store the main operating system, SPI flash often dictates how the device even begins to boot. This guide will provide an expert-level walkthrough on identifying, locating, and preparing to dump SPI flash memory on Android PCBs.

Understanding SPI Flash in Android Systems

SPI flash is a type of non-volatile memory that uses a serial interface for data transfer. It’s characterized by its small physical footprint, low pin count, and relatively fast read/write speeds, making it ideal for storing essential boot-time code (like the boot ROM, secondary bootloaders, or device-specific configuration). On Android devices, SPI flash commonly houses:

  • Initial Program Loaders (IPL) or Boot ROM extensions
  • Device tree overlays (DTBOs)
  • Secure boot keys and parameters
  • Vendor-specific firmware for peripherals (e.g., Wi-Fi, Bluetooth)
  • Emergency download modes (EDL) configurations

These components are crucial for understanding a device’s secure boot chain, identifying vulnerabilities, or even recovering bricked devices.

Common SPI Flash Packages and Manufacturers

SPI flash chips typically come in small outline packages (SOP), most commonly SOIC-8 (Small Outline Integrated Circuit, 8 pins) or WSON-8 (Very Very Thin Small Outline No-lead package, 8 pins). Less commonly, you might encounter QFN (Quad Flat No-lead) or other proprietary packages.

Key manufacturers to look for include:

  • Winbond: W25Q series (e.g., W25Q64FW, W25Q128FV)
  • Macronix: MX25L series (e.g., MX25L6406E, MX25L12835F)
  • Spansion/Cypress: S25FL series
  • GigaDevice: GD25Q series
  • Adesto Technologies: AT25DF series

The part number usually indicates the manufacturer, capacity (e.g., ’64’ for 64Mbit or 8MB, ‘128’ for 128Mbit or 16MB), and specific characteristics.

Locating SPI Flash on Android PCBs

Identifying the SPI flash on a crowded Android PCB can be challenging but follows some general heuristics.

Visual Inspection and Heuristics

  1. Proximity to SoC: SPI flash often resides physically close to the main System-on-Chip (SoC) because it needs to be accessed early in the boot process. Look for small, 8-pin chips within a few centimeters of the main processor.
  2. Small Size: Compared to eMMC/UFS (which are larger BGA packages), SPI flash chips are significantly smaller, typically 5x6mm or 6x8mm for SOIC-8 packages.
  3. Component Markings: Look for the manufacturer logos and part numbers mentioned above. A magnifying glass or a digital microscope is indispensable here.
  4. Absence of Other Major Memory: If you’ve identified the main eMMC/UFS chip, the SPI flash will be a distinct, smaller memory component.
  5. Connection to the SPI Bus: While harder to verify without a schematic, the chip will be connected to the SoC’s dedicated SPI peripheral pins.

Example Identification Process

Consider a hypothetical Android TV box PCB. You’d typically find:

  • A large SoC (e.g., Amlogic S905X3)
  • Several DDR RAM chips (often in pairs or quads)
  • A larger eMMC/UFS package (e.g., Samsung KLM8G1GETF)

Scan the area around the Amlogic SoC. You might spot a small, black SOIC-8 package. Using a microscope, you read the marking: W25Q128FV. This immediately identifies it as a Winbond 128Mbit (16MB) SPI flash chip.

Tools for SPI Flash Dumping

To successfully dump the firmware, you’ll need a few essential tools:

  • SPI Programmer: Popular options include the cheap CH341A programmer (supports 1.8V and 3.3V, but often requires voltage modification for 1.8V chips), Bus Pirate, or more advanced professional programmers like the RT809H.
  • SOIC-8 Test Clip: This is a non-destructive way to connect to SOIC-8 chips without soldering. Ensure it’s the correct size (e.g., 200mil or 150mil body width).
  • Jumper Wires/Probes: For connecting the test clip to the programmer.
  • Magnifying Glass/Digital Microscope: For clear inspection of chip markings and pins.
  • Multimeter: To verify voltage levels and continuity.
  • Fine-tip Soldering Iron & Flux (optional but recommended): If a clip isn’t feasible or for direct wire attachment.
  • Computer with Linux (recommended): For using `flashrom` software.

The Firmware Dumping Procedure

Step 1: Preparation and Verification

  1. Power Down: Ensure the Android device is completely powered off and disconnected from all power sources. Remove the battery if possible.
  2. Discharge: Briefly press the power button after disconnecting power to discharge residual capacitors.
  3. Locate & Identify: Physically locate the SPI flash chip as described above. Note its manufacturer and part number.
  4. Datasheet Lookup: Search online for the chip’s datasheet (e.g., “W25Q128FV datasheet”). Pay close attention to the pinout diagram (VCC, GND, CS, CLK, MOSI, MISO) and supported voltage levels (typically 3.3V, sometimes 1.8V). This is critical for connecting your programmer correctly.

Step 2: Connecting the SPI Programmer

The safest and easiest method is using an SOIC-8 test clip.

Align the test clip with the chip, ensuring that pin 1 on the clip (usually marked with a red wire or a small arrow) aligns with pin 1 on the chip (often indicated by a dot or a small indentation on the chip body). Gently press down until all pins make firm contact.

Connect the test clip’s wires to your SPI programmer according to the datasheet pinout. A typical connection for an SOIC-8 clip to a CH341A programmer looks like this:

CH341A Pin   | SOIC-8 Clip Pin | Function (Standard SPI)   | Chip Pin (Example: W25Q128FV) 1 (CS)     | Pin 1           | Chip Select (CS#)         | CS# (Pin 1)2 (MISO)    | Pin 2           | Master In Slave Out (DO)  | DO (Pin 2)3 (WP#)     | Pin 3           | Write Protect (WP#)       | WP# (Pin 3)4 (GND)     | Pin 4           | Ground (GND)              | GND (Pin 4)5 (MOSI)    | Pin 5           | Master Out Slave In (DI)  | DI (Pin 5)6 (CLK)     | Pin 6           | Clock (CLK)               | CLK (Pin 6)7 (HOLD#)    | Pin 7           | Hold (HOLD#)              | HOLD# (Pin 7)8 (VCC)     | Pin 8           | VCC                       | VCC (Pin 8)

Important: Ensure the VCC of the programmer matches the operating voltage of the SPI flash chip. Many modern chips run at 1.8V, while the CH341A programmer often outputs 3.3V or 5V. Using the wrong voltage can damage the chip or the PCB. If your chip is 1.8V, you MUST use a programmer that supports 1.8V or use a voltage level shifter.

Step 3: Dumping with `flashrom`

Connect your SPI programmer to your computer via USB. On a Linux system, `flashrom` is the standard tool for interacting with SPI flash.

First, detect the chip:

sudo flashrom -p ch341a_spi

If `flashrom` detects the chip successfully, it will output information about the manufacturer and chip ID. If it fails, double-check your connections, voltage, and ensure the device is completely off (some devices power the SPI flash even when ‘off’).

Next, dump the entire firmware:

sudo flashrom -p ch341a_spi -r spi_flash_dump.bin

This command reads the entire content of the SPI flash and saves it to a file named `spi_flash_dump.bin` in the current directory.

It’s good practice to perform multiple dumps and compare their SHA256 hashes to ensure data integrity:

sudo flashrom -p ch341a_spi -r spi_flash_dump_2.binsha256sum spi_flash_dump.bin spi_flash_dump_2.bins

The hashes should be identical. If not, recheck connections and try again.

Troubleshooting Common Issues

  • Chip Not Detected: The most common issue. Verify all connections, check chip voltage requirements against programmer output, ensure the device is truly off and not powering the SPI flash. Try wiggling the test clip gently to ensure good contact.
  • Read/Write Errors: Often related to poor contact, incorrect voltage, or the chip being write-protected. Some chips have a software write-protect enabled in their status registers.
  • `flashrom` Errors: Ensure you have the latest version. For CH341A, make sure you’re specifying the correct programmer type (`ch341a_spi`). Permissions might be an issue; ensure you run with `sudo`.

Conclusion

Dumping SPI flash firmware is a fundamental skill in Android hardware reverse engineering, offering unparalleled insight into a device’s boot process and security mechanisms. By carefully identifying the chip, using the right tools, and following a methodical approach, you can successfully extract this crucial data. This knowledge forms the bedrock for further analysis, vulnerability research, and even device repair, opening up a deeper understanding of the hardware underpinning the Android ecosystem.

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android #CH341A #Firmware Dumping #Hardware Reverse Engineering #SPI Flash

Related Technical Guides

Decoding Samsung’s Secure Download (ODIN) Mode: Firmware Flashing & Hardware Verification Deep Dive

May 30, 2026

eMMC Chip-Off Failures: Diagnosing and Fixing Common Problems During Data Extraction

May 29, 2026

The SWD Debugger’s Playbook: Advanced Techniques for Android Bootloader Exploitation

May 30, 2026