Introduction: Unlocking the Android Core through SPI Flash
In the intricate world of Android hardware reverse engineering (RE), gaining access to the device’s firmware is often the holy grail. While JTAG and eMMC/UFS forensics offer pathways, a fundamental and often critical component for initial analysis, especially concerning bootloaders and secure environments, is the SPI (Serial Peripheral Interface) flash memory. This comprehensive tutorial will guide you through the process of identifying, connecting to, and dumping the contents of an Android device’s SPI flash, providing you with a foundational skill for advanced hardware RE.
Understanding SPI Flash in Android Devices
SPI flash memory is a type of non-volatile memory commonly used in embedded systems, including Android devices, for storing critical boot-up code, configuration data, and sometimes parts of the Trusted Execution Environment (TEE). Unlike larger eMMC or UFS storage that holds the main Android OS, SPI flash typically houses:
- Boot ROM/Bootloader: Initial code executed when the device powers on.
- Firmware for specific components: Wi-Fi, Bluetooth, or other peripheral firmware.
- Security-related data: Keys, digital signatures, and secure boot configurations.
Identifying the SPI flash chip on an Android PCB is the first crucial step. These chips are usually small, often eight-pin (SOP8, WSON8, QFN) packages, though larger variations exist. Look for manufacturer logos like Winbond, MXIC (Macronix), Spansion, or GigaDevice, and model numbers typically starting with a `25Q` or similar series indicator.
Prerequisites: Tools of the Trade
Before you begin, gather the following essential tools:
Hardware:
- Android Device: A target device, preferably one you’re willing to potentially brick.
- SPI Programmer: A reliable SPI programmer like a CH341A (black edition recommended for 3.3V support), Bus Pirate, Raspberry Pi (with `flashrom` support), or Dediprog. Ensure it supports the voltage of your target chip (usually 3.3V or 1.8V).
- SOP8 Clip/Adapter: A test clip (often called ‘SOIC8 clip’) for on-board programming. For WSON/QFN packages, you’ll need specialized adapters or fine soldering skills.
- Soldering Iron & Solder: For desoldering or making direct connections if clips aren’t feasible.
- Multimeter: To verify voltage and continuity.
- Magnifying Glass/Microscope: To read tiny chip markings and inspect solder joints.
- Logic Analyzer (Optional): Useful for debugging SPI communication issues.
Software:
- Flashrom: An open-source utility for identifying, reading, writing, verifying, and erasing flash chips.
- Binwalk: A firmware analysis tool.
- Hex Editor: For examining raw binary data.
Step-by-Step Guide to SPI Flash Dumping
1. Device Disassembly and Chip Identification
Carefully disassemble your Android device. Once the PCB is exposed, begin the hunt for the SPI flash chip. Look for small, black ICs near the main SoC or power management ICs. Once you locate a potential candidate:
- Read Markings: Use your magnifier to read the chip’s markings. Note the manufacturer and model number (e.g., W25Q64FV, MX25L12835F).
- Consult Datasheet: Search online for the chip’s datasheet. This will provide its pinout (VCC, GND, CS, CLK, MOSI, MISO) and operational voltage. This is critical for correct connection.
2. Connecting the SPI Programmer
Connecting the programmer requires precision. You have two primary methods:
Method A: Using an SOIC Clip (On-Board)
This is the preferred method as it avoids desoldering. Ensure the device is powered off and ideally, remove the battery. Align the SOIC clip with Pin 1 of the SPI flash chip (usually indicated by a dot or notch on the chip). Securely attach the clip, ensuring good contact with all 8 pins.
Connect the clip to your SPI programmer according to the pinout from the datasheet. A common CH341A pinout to SPI flash pinout might look like this:
- CH341A Pin 1 (CS) -> Flash Pin 1 (CS)
- CH341A Pin 2 (MOSI) -> Flash Pin 2 (DO/MOSI)
- CH341A Pin 3 (GND) -> Flash Pin 3 (WP#/HOLD#) – Note: Pin 3 on flash is often WP#/HOLD#, not directly connected to GND of programmer unless specified by datasheet to tie low. Be careful.
- CH341A Pin 4 (GND) -> Flash Pin 4 (GND)
- CH341A Pin 5 (MISO) -> Flash Pin 5 (DI/MISO)
- CH341A Pin 6 (CLK) -> Flash Pin 6 (CLK)
- CH341A Pin 7 (VCC) -> Flash Pin 7 (HOLD#/WP#) – Note: Pin 7 on flash is often HOLD#/WP#, not directly connected to VCC of programmer unless specified by datasheet to tie high. Be careful.
- CH341A Pin 8 (VCC) -> Flash Pin 8 (VCC)
Important Safety: Verify the voltage supplied by your programmer matches the flash chip’s operating voltage (e.g., 3.3V). Many Android devices use 1.8V SPI flash, and a 3.3V programmer can damage it. Some CH341A programmers have a voltage switch.
Method B: Desoldering the Chip (Off-Board)
If the SOIC clip doesn’t make good contact, or the chip is in a difficult-to-reach package (WSON, QFN), desoldering might be necessary. Use flux and a hot air rework station or soldering iron to carefully remove the chip. Place it into an appropriate breakout adapter (e.g., a WSON8 to DIP8 adapter) and connect the adapter to your programmer.
3. Software Configuration and Dumping with Flashrom
With your programmer connected, install `flashrom` on your Linux system. Most distributions have it in their repositories:
sudo apt update
sudo apt install flashrom
Now, let’s interact with the chip:
Detecting the Chip:
Run `flashrom` to detect the connected chip. You might need to specify your programmer type. For a CH341A, it’s typically:
sudo flashrom -p ch341a_spi
If successful, `flashrom` will output information about the detected chip, including its manufacturer and model. If it fails, double-check your connections and power supply, and ensure the device is truly off (sometimes internal capacitors keep a residual charge).
Reading (Dumping) the Flash Memory:
Once detected, you can dump the entire contents to a file:
sudo flashrom -p ch341a_spi -r android_spi_dump.bin
This command reads the flash and saves it as `android_spi_dump.bin`. The process can take several minutes depending on the flash size (e.g., 8MB, 16MB, 32MB).
Verifying the Dump:
It’s crucial to read the flash multiple times and compare the dumps to ensure data integrity. A corrupted dump is useless. Perform the read operation twice and compare the resulting files using `diff` or `md5sum`:
sudo flashrom -p ch341a_spi -r android_spi_dump1.bin
sudo flashrom -p ch341a_spi -r android_spi_dump2.bin
md5sum android_spi_dump1.bin android_spi_dump2.bin
The MD5 hashes should be identical. If they differ, troubleshoot your connection or try another programmer. Sometimes, capacitors on the board interfere; adding a capacitor across VCC/GND near the flash chip can help stabilize power.
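When two reads disagree, it helps to know where they differ, and matching hashes alone do not rule out a read that returned the same filler byte every time. The following is an added example, not part of the original tutorial or of `flashrom`; the function names, the power-of-two size check, and the sample data are assumptions made for illustration.

```python
def diff_ranges(a: bytes, b: bytes, gap: int = 16):
    """Offsets (start, end-exclusive) where two equal-length reads differ.
    Mismatches no more than `gap` bytes apart are merged into one range."""
    ranges = []
    for off, (x, y) in enumerate(zip(a, b)):
        if x == y:
            continue
        if ranges and off - ranges[-1][1] <= gap:
            ranges[-1][1] = off + 1
        else:
            ranges.append([off, off + 1])
    return [tuple(r) for r in ranges]


def check_dumps(dumps: dict):
    """dumps maps a label to the bytes of one read. Returns a list of findings;
    an empty list means the reads agree and look plausible."""
    findings = []
    names = list(dumps)
    ref_name, ref = names[0], dumps[names[0]]
    for name, data in dumps.items():
        size = len(data)
        # Assumption: 25-series SPI NOR capacities are powers of two.
        if size == 0 or size & (size - 1):
            findings.append(f"{name}: size {size} is not a power of two")
        # Identical hashes prove nothing if every read returned the same filler.
        if size and len(set(data)) == 1:
            findings.append(f"{name}: every byte is 0x{data[0]:02x}")
    for name in names[1:]:
        data = dumps[name]
        if len(data) != len(ref):
            findings.append(f"{name}: length differs from {ref_name}")
        elif data != ref:
            for start, end in diff_ranges(ref, data):
                findings.append(f"{name}: differs from {ref_name} at "
                                f"0x{start:06x}-0x{end - 1:06x}")
    return findings


def constructed_reads():
    """Constructed sample data: a clean read, a flaky re-read, a floating bus."""
    good = bytes((i * 7 + 3) % 256 for i in range(4096))
    flaky = bytearray(good)
    flaky[0x200:0x204] = b"\x00" * 4   # burst error
    flaky[0x800] ^= 0x01               # single flipped bit
    return good, bytes(flaky), b"\xff" * 4096


if __name__ == "__main__":
    good, flaky, blank = constructed_reads()
    for line in check_dumps({"read1": good, "read2": flaky}):
        print(line)
```

To use it on real reads, pass the file contents, for example `check_dumps({"dump1": open("android_spi_dump1.bin", "rb").read(), "dump2": open("android_spi_dump2.bin", "rb").read()})`.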
4. Basic Firmware Analysis (Post-Dumping)
With a verified dump, you can begin preliminary analysis using `binwalk`:
binwalk -Me android_spi_dump.bin
The `-Me` flags tell `binwalk` to recursively extract known file systems and archives. This will often reveal bootloaders (like U-Boot or Little Kernel), configuration files, device tree blobs (DTBs), and sometimes even small file systems. Examine the output and extracted files for clues about the device’s architecture, boot sequence, and potential vulnerabilities.
binwalk --entropy android_spi_dump.bin
Entropy analysis can highlight areas of the firmware that are compressed or encrypted, which often correlate to executable code or sensitive data.
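To show what an entropy scan measures, the following added example (not `binwalk`'s code and not part of the original tutorial) computes Shannon entropy per 4 KiB block and merges adjacent blocks into labelled regions. The thresholds, labels, and the constructed sample image are assumptions chosen for illustration.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    n = len(block)
    return sum(c / n * math.log2(n / c) for c in Counter(block).values())


def classify_regions(image: bytes, block: int = 4096,
                     high: float = 7.5, low: float = 0.5):
    """Label each block by entropy and merge neighbours with the same label.
    Returns (start, end-exclusive, label) tuples. Thresholds are assumptions."""
    regions = []
    for start in range(0, len(image), block):
        chunk = image[start:start + block]
        h = shannon_entropy(chunk)
        if h >= high:
            label = "compressed/encrypted"
        elif h <= low:
            label = "erased/padding"
        else:
            label = "plain/structured"
        if regions and regions[-1][2] == label:
            regions[-1][1] = start + len(chunk)
        else:
            regions.append([start, start + len(chunk), label])
    return [tuple(r) for r in regions]


def constructed_image() -> bytes:
    """Constructed 32 KiB sample: text config, erased flash, random-looking blob."""
    text = (b"bootargs=console=ttyS0,115200 root=/dev/ram0\n" * 200)[:8192]
    erased = b"\xff" * 8192
    # SHA-256 output stands in for compressed or encrypted content.
    blob = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                    for i in range(512))
    return text + erased + blob


if __name__ == "__main__":
    for start, end, label in classify_regions(constructed_image()):
        print(f"0x{start:06x}-0x{end - 1:06x}  {label}")
```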
Advanced Considerations and Troubleshooting
- Write Protection: Some SPI flash chips have a hardware write-protect pin (WP#) or software write-protection registers. Ensure these are not active if you ever intend to modify or reflash the chip.
- Voltage Mismatch: As noted above, using the wrong voltage (e.g., 3.3V programmer on a 1.8V chip) can permanently damage the chip or the device. Always confirm chip voltage from the datasheet.
- Multiple SPI Flashes: Some complex devices might have more than one SPI flash chip. Identify all of them if your analysis requires it.
- Signal Integrity: Long wires or noisy environments can affect SPI communication. Keep connections short and direct.
Conclusion
Mastering SPI flash dumping is an invaluable skill in the Android hardware reverse engineering toolkit. It provides a direct window into the earliest stages of device boot-up, revealing crucial firmware that is often inaccessible through software-only methods. By carefully following these steps, you can successfully extract and begin analyzing this critical component, paving the way for deeper security research, vulnerability discovery, and custom firmware development.