SPI Flash Basics

Before you attach any clip to a PCB, you need to understand what you're talking to. SPI flash is simple by design — four wires, a straightforward command set, and decades of industry standardization. That simplicity is what makes it so readable.

The SPI Protocol: Four Wires

SPI (Serial Peripheral Interface) is a synchronous serial protocol. The master (your programmer) drives the clock and initiates all transactions. The flash chip is always the slave.

| Pin | Full Name | Direction | Function |
| --- | --- | --- | --- |
| SCK | Serial Clock | Master → Slave | Clocks data in and out. Data is sampled on a defined edge (typically rising). |
| MOSI | Master Out Slave In | Master → Slave | Commands and write data travel on this line. |
| MISO | Master In Slave Out | Slave → Master | Read data and status bytes come back on this line. |
| CS | Chip Select | Master → Slave | Active-low enable. When CS is pulled low, the chip listens. When CS is high, the chip ignores everything on the bus. |

Some sources use the names SDO/SDI (Serial Data Out/In from the chip's perspective) — same signals, different naming convention. JEDEC now recommends SDO/SDI, but flashrom and most documentation still use MOSI/MISO.

There is no separate reset pin on standard SPI flash. Chip select is the gate for all communication.

SPI Transaction Flow

A typical read looks like this:

  1. Master pulls CS low
  2. Master sends the READ opcode (0x03) on MOSI, clocked by SCK
  3. Master sends the 3-byte (24-bit) address of the byte it wants
  4. Chip drives MISO with the data starting at that address
  5. Master keeps clocking; chip keeps streaming bytes until CS goes high
  6. Master pulls CS high — transaction ends

Write and erase sequences are more complex (they require enabling writes first via WREN opcode 0x06), but for extraction you only care about reads.
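The read sequence above, as an added example that is not part of the original page: a small Python model of both sides of the transaction, showing why the first four bytes a full-duplex transfer returns are not data. `FlashModel`, `spi_read` and the 1 KiB image are constructed for illustration; modelling undriven MISO as 0xFF and wrapping at the end of the array are assumptions of the model.

```python
READ = 0x03  # READ opcode, as given in the steps above

def read_frame(addr: int) -> bytes:
    """Bytes the master puts on MOSI: opcode, then 24-bit address, MSB first."""
    if not 0 <= addr < (1 << 24):
        raise ValueError("address does not fit in 3 bytes")
    return bytes([READ]) + addr.to_bytes(3, "big")

class FlashModel:
    """Constructed stand-in for the chip; it only decodes READ."""
    def __init__(self, image: bytes):
        self.image, self.cs_low, self.rx, self.ptr = image, False, bytearray(), None

    def select(self):    # step 1: CS low, chip starts listening
        self.cs_low, self.rx, self.ptr = True, bytearray(), None

    def deselect(self):  # step 6: CS high, transaction ends
        self.cs_low = False

    def clock_byte(self, mosi: int) -> int:
        """Eight SCK cycles: one byte in on MOSI, one byte out on MISO."""
        if not self.cs_low:
            return 0xFF  # CS high: bus ignored (undriven MISO modelled as 0xFF)
        if self.ptr is None:  # steps 2-3: still collecting opcode + address
            self.rx.append(mosi)
            if len(self.rx) == 4 and self.rx[0] == READ:
                self.ptr = int.from_bytes(self.rx[1:], "big")
            return 0xFF  # nothing valid on MISO yet
        out = self.image[self.ptr % len(self.image)]  # model assumption: wrap at end
        self.ptr += 1  # steps 4-5: stream and auto-increment
        return out

def spi_read(chip: FlashModel, addr: int, length: int) -> bytes:
    """Full-duplex transfer: 4 command bytes, then `length` dummy bytes."""
    chip.select()
    miso = bytes(chip.clock_byte(b) for b in read_frame(addr) + bytes(length))
    chip.deselect()
    return miso[4:]  # bytes clocked in during opcode/address are not data

# Constructed 1 KiB image standing in for real flash contents.
IMAGE = bytes((i * 7) & 0xFF for i in range(1024))

if __name__ == "__main__":
    chip = FlashModel(IMAGE)
    print(spi_read(chip, 0x000010, 4).hex())
```

A 3-byte address reaches at most 2^24 bytes (16 MiB), which is why `read_frame` rejects anything larger.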

Flash Chip Package Types

The package determines how the chip sits on the board and which extraction method is practical.

SOIC-8 (Small Outline IC, 8 pins): This is the most common flash package in consumer IoT. Eight pins in two rows of four, 1.27 mm pitch. A standard SOIC-8 clip fits perfectly. This is what you want to find on a target board.

SOIC-16 (16 pins): Less common for plain SPI flash. Larger body, same 1.27 mm pitch. Clips exist for this package. Some dual-die chips come in SOIC-16.

WSON-8 (Very thin small outline no-lead, 8 pins): Flat package, no gull-wing leads — the pads are underneath. Physically smaller than SOIC-8. No clip works here without a socket adapter. Requires soldering fine wires to pads or desoldering. Increasingly common in newer devices as manufacturers reduce board space.

BGA (Ball Grid Array): Balls are underneath the chip, hidden. Used in eMMC and some high-density NOR flash. Requires hot air or IR rework to remove, or specialized probing equipment. Out of scope for clip-based extraction.

For in-circuit extraction, SOIC-8 is the target. If you see a WSON or BGA chip, adjust your approach accordingly.

Common Flash Chip Families

You will see these families on almost every IoT board you open.

Winbond W25Q series: The most prevalent NOR flash family. Chips range from 512 Kbit (W25Q512) to 256 Mbit (W25Q256). The W25Q64 (64 Mbit / 8 MB) and W25Q128 (128 Mbit / 16 MB) are extremely common. Winbond chips are well-supported by flashrom and have clean, public datasheets.

Macronix MX25L series: Second most common. Very similar command set to Winbond. MX25L12835F (128 Mbit) appears on routers constantly. Also well-supported by flashrom.

GigaDevice GD25Q series: A Chinese manufacturer that has rapidly gained market share. GD25Q64 and GD25Q128 are drop-in pin-compatible replacements for Winbond equivalents. Occasionally listed under different identifiers in flashrom; if autodetect fails, try the Winbond equivalent.

ISSI IS25LP series: Seen on industrial and embedded devices. Less common in consumer IoT. flashrom support is partial.

Reading a Chip Marking

The marking on top of the chip is your primary source of information. Learn to decode it before reaching for the programmer.

Example: W25Q128JV

| Component | Value | Meaning |
| --- | --- | --- |
| W | W | Winbond (vendor) |
| 25 | 25 | SPI NOR flash product line |
| Q | Q | Quad SPI capable (supports x4 I/O) |
| 128 | 128 | 128 Mbit = 16 MB capacity |
| J | J | Generation/revision indicator |
| V | V | 3.3V operation (critical) |

Voltage suffix matters: V = 3.3V, U = 1.8V. Applying 5V to a 3.3V chip during read can damage it. Always check the suffix or the datasheet before connecting.

Example: MX25L6406E

  • MX = Macronix
  • 25 = SPI NOR line
  • L = low voltage (3.3V)
  • 6406 = 64 Mbit (6 = 64M, 40 = address mode, 6 = internal detail)
  • E = revision

Macronix markings are denser — read the full part number against the datasheet numbering scheme.

Finding Flash Chips on a PCB

Flash chips have a consistent visual signature:

  • Small, rectangular IC near the main SoC or CPU
  • 8-pin package (SOIC-8) with the characteristic gull-wing leads
  • Usually within 5–15 mm of the main processor (short trace = less signal degradation)
  • Often labeled on the silkscreen (U1, U2, U10, etc.)
  • Sometimes hidden under an RF shield — remove the shield first

Look for chips that are isolated from the RF/power sections. Flash chips do not need heatsinking and are never near inductors or capacitors that filter power rails for high-current components.

A useful shortcut: follow the SoC's data bus. The flash chip is always on the other end.

Chip Marking to Datasheet Workflow

  1. Read the full marking from the chip top (use a loupe or macro photo if needed)
  2. Search [full part number] datasheet — the manufacturer's PDF is always the authoritative source
  3. Confirm: package type, voltage range, capacity, SPI mode (standard/dual/quad)
  4. Check the pinout: SOIC-8 pin 1 is always marked with a dot or chamfer on the chip body — confirm it matches the datasheet
  5. Note any special features: write protection bits, security registers, dual-die configurations

Datasheets are free. There is no excuse for skipping this step. A wrong voltage assumption or a misidentified pin 1 can destroy a chip you cannot replace.