Tools & Setup

Three components make up the extraction chain: the programmer (CH341A), the software (flashrom), and the mechanical interface (SOIC clip). Each has failure modes you need to know before touching hardware.

The CH341A Programmer

The CH341A is a USB bridge IC produced by WCH. In programmer mode it speaks SPI and I2C. It costs under $5, is universally available, and flashrom has native support for it via the ch341a_spi programmer identifier.

What it does well:
- Reliable SPI communication for standard NOR flash reads
- USB bus-powered — no external supply needed
- Works on Linux, macOS, and Windows without special drivers on modern kernels

The critical voltage problem:

Most CH341A programmers sold as "25 series flash programmers" output 5V on the SPI lines by default. This is a hardware design flaw in the common purple/black board variant.

Many flash chips — specifically anything with a V, L, or similar suffix in the part number — operate at 3.3V maximum. Driving 5V SPI signals into a 3.3V chip's MOSI and SCK inputs exceeds the chip's absolute maximum ratings. In practice, you may get away with it short-term, but you risk:
- Permanent damage to the flash chip
- Damage to other components sharing the bus
- Corrupted reads that look valid but aren't

Solutions:
1. Buy the CH341A with a built-in 3.3V voltage regulator and level shifters (some variants exist, verify before purchase)
2. Modify the board — bridge a 3.3V regulator and add level-shifting ICs (documented on several hardware hacking blogs)
3. Use a dedicated programmer with proper voltage selection (Flashcat USB, DediProg SF100, Bus Pirate with voltage selection)
4. Use a separate level-shifter module between the CH341A and the clip (see below)

For a beginner setup: get a CH341A variant that explicitly states 3.3V output, or add a level shifter. Do not proceed without resolving this.

Pinout of the CH341A ZIF/clip header (25xx series mode):

Pin 1: CS   (Chip Select)
Pin 2: MISO (data from chip)
Pin 3: WP   (Write Protect — tie to VCC for reads)
Pin 4: GND
Pin 5: MOSI (data to chip)
Pin 6: CLK  (SCK)
Pin 7: HOLD (tie to VCC for reads)
Pin 8: VCC  (3.3V or 5V depending on board)

This matches the SOIC-8 flash chip pinout for the W25Q/MX25L/GD25Q families.

Flashrom

flashrom is the open-source flash chip programmer utility. It handles probing, reading, writing, and erasing. Its chip database contains thousands of entries.

Install:

# Debian/Ubuntu
sudo apt install flashrom

# Arch
sudo pacman -S flashrom

# Build from source (for latest chip support)
git clone https://review.coreboot.org/flashrom.git
cd flashrom
make
sudo make install

Basic command structure:

flashrom -p <programmer> [-c <chip>] [-r|-w|-e] [file] [options]

Flag                           Meaning
-p ch341a_spi                  Use CH341A as the programmer
-c "W25Q128JV"                 Force a specific chip (skip autodetect)
-r dump.bin                    Read flash to file
-w image.bin                   Write image to flash
-e                             Erase flash
-V                             Verbose output (shows detected chip, bus, timing)
-p <programmer>:spispeed=512   Set SPI clock to 512 kHz (slow, for bad connections); a per-programmer parameter, not a standalone flag, and not accepted by ch341a_spi

Verify your setup before reading:

# List all supported chips containing "W25Q"
flashrom -p ch341a_spi --list-supported | grep W25Q

# Probe only — no read, no write, safe
flashrom -p ch341a_spi -V

If flashrom detects a chip without -c, it prints the chip name and size. If it returns "No EEPROM/flash device found" or hangs, you have a connection or voltage problem.

The supported chips database:

# See all supported chips
flashrom -p ch341a_spi --list-supported

# Count total supported chips
flashrom --list-supported | wc -l

The database is extensive but not exhaustive. GigaDevice chips sometimes appear under manufacturer-specific identifiers. If your chip isn't listed, check the flashrom wiki and try forcing with -c unknown --force.

The SOIC-8 Clip

The SOIC-8 clip (also called a test clip or Pomona clip) is a spring-loaded housing that grips all 8 pins of a SOIC-8 chip simultaneously. The clip connects to the CH341A via a ribbon cable or individual jumpers.

Clip variants:
- Pomona 5250 — the reference SOIC-8 clip. Reliable, correctly spaced, built to last. The one to buy.
- Generic clones — cheap, usable, but contact reliability is lower. Acceptable for learning, problematic for production use.
- SOIC-16 clips — for 16-pin chips. Not interchangeable with SOIC-8.

Pin 1 alignment:

Every SOIC chip has a pin 1 indicator: a small dot, chamfer, or notch on one corner of the chip body. Pin 1 on a SOIC-8 flash chip (W25Q128 etc.) is always CS. Getting pin 1 wrong means you're connecting CS where VCC should be — this destroys chips.

The clip has a matching indicator: a red wire, a notch, or a label. The clip's pin 1 connector must match the chip's pin 1. There is no universal "clip this way up" rule — you must verify against the chip's datasheet pinout every time.

Standard SOIC-8 NOR flash pinout (W25Q/MX25L/GD25Q):

Pin 1: CS#   Pin 8: VCC
Pin 2: MISO  Pin 7: HOLD# (or RESET#)
Pin 3: WP#   Pin 6: SCK
Pin 4: GND   Pin 5: MOSI

Level Shifter: When You Need One

A level shifter translates voltage levels bidirectionally. You need one when your programmer's I/O voltage doesn't match the chip's I/O voltage.

Required if:
- Your CH341A outputs 5V and your chip is a 3.3V part
- Your chip is a 1.8V part (requires a 3.3V-to-1.8V shifter)

Not required if:
- Your CH341A is confirmed to output 3.3V and your chip is a 3.3V part

A common module is the TXS0108E-based bidirectional level shifter. Connect OE to VCC, tie VCCA to the programmer voltage, VCCD to the chip's VCC. Route all four SPI lines through it.

For 1.8V chips: a standard CH341A cannot reliably drive 1.8V I/O even with a level shifter. Use a programmer with native 1.8V support or an SPI adapter that handles low-voltage operation.

Complete Read Workflow: Commands

# Step 1: Probe the chip (identify it)
flashrom -p ch341a_spi -V

# Step 2: Read with identified chip name (fill in from probe output)
flashrom -p ch341a_spi -c "W25Q128JV" -r dump1.bin

# Step 3: Read again to a second file
flashrom -p ch341a_spi -c "W25Q128JV" -r dump2.bin

# Step 4: Verify the two reads match
md5sum dump1.bin dump2.bin

If the MD5 hashes differ, you have a bad connection or a bus conflict. Do not analyze a dump until the two reads match. A corrupted dump will send you on a false trail for hours.
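
The check in step 4, extended into a gate you can run before any analysis. This is an added example, not part of the original page: it uses cmp instead of md5sum so a mismatch also reports how many bytes differ and where, and it rejects dumps that match each other but are a single repeated byte. The function names and return codes are this example's own, and the power-of-two size check is an assumption about the chip families covered here.

```shell
#!/bin/sh
# Added example: accept two flash dumps only if they are identical and plausible.
# Return codes (chosen for this example):
#   0 = identical and plausible           1 = missing or empty file
#   2 = size mismatch / not a power of 2  3 = dump is all 0xFF or all 0x00
#   4 = contents differ between the two reads

is_uniform() {  # true if every byte of file $1 equals the octal byte $2
    [ "$(LC_ALL=C tr -d "\\$2" < "$1" | wc -c)" -eq 0 ]
}

verify_dumps() {
    a=$1; b=$2
    [ -s "$a" ] && [ -s "$b" ] || { echo "missing or empty dump" >&2; return 1; }

    size_a=$(wc -c < "$a"); size_b=$(wc -c < "$b")
    size_a=$((size_a)); size_b=$((size_b))  # strip padding some wc builds add
    if [ "$size_a" -ne "$size_b" ]; then
        echo "size mismatch: $size_a vs $size_b bytes" >&2; return 2
    fi
    # Assumption: SPI NOR parts in these families have power-of-two capacity.
    if [ $((size_a & (size_a - 1))) -ne 0 ]; then
        echo "size $size_a is not a power of two (truncated read?)" >&2; return 2
    fi

    # A floating or stuck MISO line typically reads back as one constant byte.
    for f in "$a" "$b"; do
        if is_uniform "$f" 377 || is_uniform "$f" 000; then
            echo "$f is a single repeated byte (blank chip or no contact)" >&2
            return 3
        fi
    done

    if ! cmp -s "$a" "$b"; then
        ndiff=$(cmp -l "$a" "$b" | wc -l)
        first=$(cmp -l "$a" "$b" | head -n 1 | awk '{print $1}')
        echo "reads differ: $((ndiff)) byte(s), first at offset $((first - 1))" >&2
        return 4
    fi
    echo "OK: $size_a bytes, reads identical"
}

# Run as: sh verify_dumps.sh dump1.bin dump2.bin
if [ "$#" -ge 2 ]; then verify_dumps "$1" "$2"; fi
```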

For unreliable connections:

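# Drop SPI clock to 512 kHz. spispeed is a programmer parameter given after -p,
# not a standalone flag; ch341a_spi does not accept it (its SPI clock is fixed).
# Shown with linux_spi, which does (the device path is an example):
flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=512 -c "W25Q128JV" -r dump1.bin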

Lower clock speed reduces the impact of signal integrity problems from long cables, poor clip contact, or marginal PCB traces.