Android Hardware Reverse Engineering

Real-World SPI Flash Dumping: A Case Study on a Modern Android Device


Introduction to SPI Flash Dumping in Android Devices

In the realm of embedded systems and mobile security, the Serial Peripheral Interface (SPI) flash memory holds critical firmware, including bootloaders, vendor-specific code, and sometimes even the entire operating system image for simpler devices. Dumping this firmware is a foundational step in hardware reverse engineering, enabling researchers to analyze proprietary code, identify vulnerabilities, recover from bricked devices, or understand the low-level boot process of a modern Android device. This article serves as a comprehensive guide to performing a real-world SPI flash dump, focusing on the practical steps and considerations when dealing with an Android device.

Understanding the contents of an SPI flash allows for deep insights into how a device operates at its most fundamental level. For Android devices, this typically means accessing the primary bootloader (PBL) or secondary bootloader (SBL), device trees, and other hardware initialization routines that precede the Android kernel load. Incorrectly handling these procedures, however, can damage the device, so careful execution is paramount.

Identifying the Target SPI Flash Chip

Physical Location and Visual Identification

The first step in any hardware-level reverse engineering task is physically locating the component. For an SPI flash, this involves carefully disassembling the Android device. SPI flash chips are usually small, often found in SOP8, WSON, or USON packages, and are typically situated near the main System-on-Chip (SoC) or a dedicated microcontroller. Look for chips from common manufacturers like Winbond (e.g., W25Q series), Macronix (e.g., MX25L series), GigaDevice, or Spansion.

Once identified, note the part number printed on the chip. This part number is crucial for finding the chip’s datasheet, which provides essential information such as pinout, voltage requirements, and supported commands. Without the datasheet, proceeding blindly is risky and can lead to device damage.

Datasheet Research: Pinout and Voltage

Using the part number (e.g., W25Q128FV), search online for its datasheet. Key information to extract includes:

  • Pinout Diagram: Which pins correspond to CS, SO, SI, SCLK, VCC, and GND.
  • Operating Voltage: Typically 3.3V, but some chips might operate at 1.8V or 5V. Supplying incorrect voltage can permanently damage the chip.
  • Capacity: The total storage size of the flash chip.

For a standard 8-pin SPI flash, the common pinout is:

  • Pin 1: CS (Chip Select)
  • Pin 2: SO (Serial Data Output / MISO)
  • Pin 3: WP (Write Protect)
  • Pin 4: GND (Ground)
  • Pin 5: SI (Serial Data Input / MOSI)
  • Pin 6: SCLK (Serial Clock)
  • Pin 7: HOLD (Hold)
  • Pin 8: VCC (Power Supply)

Note that WP and HOLD pins are often pulled high or low internally or by the circuit and may not require direct connection for a read operation, though it’s good practice to ensure they are at the correct state if possible.

Essential Tools and Hardware Setup

Hardware Programmer

To communicate with the SPI flash, you’ll need a hardware programmer. Popular choices include:

  • CH341A Programmer: An inexpensive and widely available USB-based programmer, suitable for 3.3V and 5V SPI/I2C chips.
  • Bus Pirate: A versatile open-source multi-protocol tool.
  • Raspberry Pi/Arduino: Can be configured to act as an SPI programmer using GPIOs, but may require more setup.
  • Dediprog/TL866II Plus: More professional and faster solutions for frequent use.

For this case study, we’ll assume the use of a CH341A programmer due to its popularity and cost-effectiveness.

Connection Methods

Connecting to the flash chip without desoldering is usually preferred to minimize device alteration. Common methods include:

  • SOP8 Test Clip (SOIC clip): This spring-loaded clip attaches directly to the chip, providing a non-invasive connection. It is highly recommended.
  • Soldering Wires: If a clip cannot make good contact or the chip package is not SOP8, carefully soldering thin enamel wires to the chip’s pins is an alternative. This requires steady hands and fine-tipped soldering equipment.
  • Pin Headers/Sockets: For chips mounted on detachable modules, direct connection to headers might be possible.

Ensure your connections are firm and stable. Any intermittent contact can lead to corrupted reads.

Software Utility: `flashrom`

`flashrom` is a free, open-source utility for identifying, reading, writing, verifying, and erasing flash chips. It supports a wide range of programmers and chip types, making it the de facto standard for this task. It runs on Linux, macOS, and Windows.
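Because intermittent contact produces corrupted reads, a dump should only be trusted after two independent reads agree. The script below is an added example, not part of the original article: `check_dumps`, `only_byte` and `dump_twice` are hypothetical helper names, `ch341a_spi` is flashrom's programmer name for the CH341A, and the chip name and expected size are assumed to come from a flashrom probe and the datasheet capacity.

```bash
#!/usr/bin/env bash
# Added example: accept an SPI flash dump only if two reads are plausible
# and byte-identical. Helper names are illustrative, not flashrom features.

# only_byte FILE OCTAL -> success if FILE contains nothing but that byte
only_byte() {
    [ "$(LC_ALL=C tr -d "\\$2" < "$1" | wc -c)" -eq 0 ]
}

# check_dumps EXPECTED_SIZE_BYTES DUMP_A DUMP_B
# Returns 0 = trustworthy, 1 = wrong size, 2 = constant data, 3 = reads differ
check_dumps() {
    local want=$1 a=$2 b=$3 f size
    for f in "$a" "$b"; do
        size=$(( $(wc -c < "$f") ))
        if [ "$size" -ne "$want" ]; then
            echo "FAIL: $f is $size bytes, expected $want"; return 1
        fi
        # A floating data line or unpowered chip usually reads as all 0xFF or 0x00
        if only_byte "$f" 377 || only_byte "$f" 000; then
            echo "FAIL: $f is all 0xFF or all 0x00 (no real data)"; return 2
        fi
    done
    if ! cmp -s "$a" "$b"; then
        echo "FAIL: reads differ (check clip seating and wiring)"; return 3
    fi
    echo "OK: both reads match"
}

# dump_twice CHIP_NAME EXPECTED_SIZE_BYTES OUT_PREFIX
# Needs a connected CH341A. CHIP_NAME is whatever a bare probe
# (flashrom -p ch341a_spi) reports for the detected part.
dump_twice() {
    local chip=$1 want=$2 out=$3
    flashrom -p ch341a_spi -c "$chip" -r "${out}_1.bin" || return 1
    flashrom -p ch341a_spi -c "$chip" -r "${out}_2.bin" || return 1
    check_dumps "$want" "${out}_1.bin" "${out}_2.bin" &&
        sha256sum "${out}_1.bin"   # record the hash of the verified image
}

# A 128 Mbit part such as the W25Q128FV holds 16 MiB:
#   dump_twice "<name from probe>" $((16 * 1024 * 1024)) dump
```

Keep the verified image read-only and do all later analysis on a copy, so the recorded hash continues to describe the original read.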

Establishing the Connection: Pinout and Wiring

This is the most critical step. Incorrect wiring can damage your chip, programmer, or even the entire device. Based on your chip’s datasheet and the CH341A programmer’s pinout (refer to its silkscreen or manual), make the following connections:

CH341A Programmer Pins  ->  SPI Flash Chip Pins (Standard SOP8)  ->  Function
-----------------------------------------------------------------------------------------
Pin 1 (CS)              ->  Pin 1 (CS)                           ->  Chip Select
Pin 2 (MISO)            ->  Pin 2 (SO)                           ->  Serial Data Output (Master Input, Slave Output)
Pin 3 (MOSI)            ->  Pin 5 (SI)                           ->  Serial Data Input (Master Output, Slave Input)
Pin 4 (SCK)             ->  Pin 6 (SCLK)                         ->  Serial Clock
Pin 5 (GND)             ->  Pin 4 (GND)                          ->  Ground
Pin 9 (3.3V)            ->  Pin 8 (VCC)                          ->  Power Supply (3.3V)

Powering the Target Device

This is where caution is paramount. The SPI flash chip needs to be powered at its correct operating voltage (e.g., 3.3V). There are generally two safe approaches:

  1. Programmer Powers the Chip (Device Off): If the flash chip can be electrically isolated from the rest of the board’s power rails (e.g., by removing a jumper, lifting a VCC pin, or if the board is completely de-energized and doesn’t back-power), the CH341A can supply 3.3V to the chip’s VCC pin. This is ideal as it completely isolates the flash operation.
  2. Device Powers the Chip (Device Off/Low Power): More commonly, the flash chip remains powered by the device’s internal power management even when the device is
