OK I didn't appreciate how jam-packed this thing is from @iFixit teardown photos. Also it's 0.3mm PCB so I'm pretty sure I broke some solder joints getting it out. Test pads are accessible w/o removing PCB so if this one isn't working will test another one.
Actually screw it, I'll use this one to take parts from and beep out. 0.3mm PCB is so so fast to hot air.
I can also confirm @DPAdogs got fed before this so won't be interrupted.
Ok test point mapping time
Oh wow -they left room for (I think) a smd debug header, check out traces going to test points.
So small pads are SWD pins. Let's get another yeah and keep going. Will make better annotation shortly.
Actually let's map out SPI flash? Assuming that is what this was.
No obvious hit on the "Z6DLW" marking. But having the mapping to nRF pins might indicate something. Let's see where the other test points go while I'm here.
Very faint witness marks from test procedure on them all (hard to see in photo)
OK back to SWD/nRF. Here is what I think it is, based on quick notes:
😬 ripped pad off...4 pack might not be enough!
Round 2!
So it looks like BT isn't powered up by default? The nRF side doesn't have any voltage on the test pads. The issue is I don't actually have an iPhone to activate it. I might have a working iPad, but might have to wait until tomorrow as the one I know is working isn't at the lab.
Ok let's see if this one boots. What will airtags work with?
Ok maybe? Will need to update it and crap. May switch to other stuff in meantime...
Awwww yeah! This will take a bit, let's go back to hardware.
Ok time to think like @GregDavill. Assume this could be SPI flash maybe?
Based on the PCB here is the pinout. Will check common WLCSP SPI flash chips to see what D1/D2/D3/D4 are.
So basically this is the plan. Used a large iron to set this up, now for final soldering.
Ok I think it's there....
This was all done with tweezers + cutting tweezers!
Anyway, what is this thing? Checking Digikey for SPI flash, then 10-pin WLCSP has ONE hit. This looks right, do you think my VCC/GND will match though?
Awwww yeah! GD25LQ32DLIGR - check this out, they give you both top & bottom view, don't even need to mirror it! And the "VCC snake" is also hitting /HOLD & /WP, driving them high, which makes sense too. So we've definitely got our pinout!
(iPad still updating)
Using Segger J-Link because honestly I love them, with J-Flash SPI. Using my CW308 board as a breakout + 1.8V power supply (no other features used, not ChipWhisperer-ing anything here). And it's detected first time! Let's see what's in this thing...
LOL! LOOK AT THIS! Those trollers!
Anyway, verify it first so you don't waste time thinking something is encrypted when it was just a bad read due to no decoupling caps or something...
OK tbh I figured the SPI would have nothing useful, just some data storage. But strings has a lot of hits that sound.... like code.
Yeah, there is probably good stuff in here for sure. It's only SPI (not QSPI) so I assume it's not running out of here? This seemed to route only to the nRF chip too (I'm not sure what's in the A1 chip).
Damn it, something went wrong, not working at all, I guess I should start with a working tag and verify it! One more left....
Ahh no, it works! So there are TWO positive battery nubs, I assumed they were connected together on the PCB. They aren't for some reason, you need to wire both!! Let's check the nRF now.
Reset pin is correct (need sound to hear)
No, reset was not doing that, that was VCC output (oops). Here we go anyway...
There it is! So they did enable security as one would hope - but presumably device is susceptible to @LimitedResults's disclosure on these devices if you're interested in more. Anyway that is about all for the night - got a conf call in 8 hours and would like some sleep.
That's all for the night! Thanks for following with me, I'll dump pinouts and stuff into a blog post tomorrow for anyone else looking at this thing. And maybe more to come...
ADDENDUM #1: See more details of what's in that SPI flash chip with @stacksmashing taking a look at it (also live/random thread, we're not writing a paper here): https://twitter.com/ghidraninja/status/1390607652984664067
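The "verify it first" step in the thread (a bad read from missing decoupling or flaky wiring looks a lot like ciphertext) is worth doing with more than eyeballing. The script below is an added example, not code from the thread or from any of the people mentioned in it: it takes two raw dumps of the same part, reports any byte that differs between reads, classifies each 4 KiB sector (the GD25LQ32D erase-sector size) as erased 0xFF, ordinary data/code, or high-entropy, and pulls printable strings the way `strings` does. The 64 KiB image it analyses is constructed in memory with a fixed seed (a blank region, a low-entropy "code-like" region with one embedded string, and a random region); in real use you would read the two dumps from the files J-Flash SPI wrote. The 7.5 bits/byte threshold and the block sizes are assumptions chosen for the example.

```python
"""Sanity-check a SPI flash dump before concluding it is encrypted.

Added example, not from the original thread. Two reads that disagree mean
the dump is untrustworthy; blank sectors read 0xFF; code and strings sit
well below 8 bits/byte, while ciphertext or line noise is close to 8.
"""
from __future__ import annotations

import math
import random
import re
from dataclasses import dataclass

SECTOR = 4096          # GD25LQ32D 4 KiB erase sector, also our entropy window
HIGH_ENTROPY = 7.5     # assumed threshold, bits per byte


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


@dataclass
class SectorInfo:
    offset: int
    entropy: float
    kind: str   # "blank", "data" or "high-entropy"


def classify_sectors(image: bytes, sector: int = SECTOR) -> list[SectorInfo]:
    """Label every sector so encrypted/garbage regions stand out from code."""
    result = []
    for off in range(0, len(image), sector):
        chunk = image[off:off + sector]
        ent = shannon_entropy(chunk)
        if chunk.count(0xFF) == len(chunk):
            kind = "blank"
        elif ent > HIGH_ENTROPY:
            kind = "high-entropy"
        else:
            kind = "data"
        result.append(SectorInfo(off, ent, kind))
    return result


def diff_reads(first: bytes, second: bytes) -> list[int]:
    """Offsets at which two reads of the same part disagree (should be none)."""
    if len(first) != len(second):
        raise ValueError("dumps differ in length")
    return [i for i, (x, y) in enumerate(zip(first, second)) if x != y]


def find_strings(image: bytes, min_len: int = 6) -> list[str]:
    """Printable ASCII runs, like the `strings` utility."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(image)]


def build_sample_image(seed: int = 1) -> bytes:
    """Constructed 64 KiB image: 4 blank sectors, 8 code-like, 4 random."""
    rng = random.Random(seed)
    blank = b"\xff" * (4 * SECTOR)
    # Code-like filler: a small repertoire of non-printable byte values, so
    # entropy stays low and only the embedded string is printable.
    opcodes = (0x00, 0xB5, 0xBD, 0xF0, 0xF8, 0xE7, 0xD0, 0x80)
    code = bytearray()
    while len(code) < 8 * SECTOR:
        code += bytes(rng.choice(opcodes) for _ in range(60))
        code += b"constructed_firmware_string_v1\x00"   # constructed marker
    noise = bytes(rng.getrandbits(8) for _ in range(4 * SECTOR))
    return blank + bytes(code[:8 * SECTOR]) + noise


def report(first: bytes, second: bytes) -> dict:
    """Summary a practitioner wants before opening the dump in a disassembler."""
    mismatches = diff_reads(first, second)
    sectors = classify_sectors(first)
    counts = {k: sum(1 for s in sectors if s.kind == k)
              for k in ("blank", "data", "high-entropy")}
    return {"mismatches": len(mismatches), "sectors": counts,
            "strings": len(find_strings(first))}


if __name__ == "__main__":
    img = build_sample_image()
    summary = report(img, img)
    print(summary)
    for s in classify_sectors(img):
        print(f"0x{s.offset:06x}  {s.entropy:4.2f} b/B  {s.kind}")
```

If `mismatches` is non-zero, fix the wiring or clock before reading anything into the content; if whole regions are flagged high-entropy while a second read agrees byte for byte, then (and only then) is encryption or compression a reasonable hypothesis.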
You can follow @colinoflynn.