Sky ER115 Router teardown

This is a quick teardown of the Sky ER115 Router with a copy of the extracted firmware.  I binned the PCB by mistake in a clear out so the components list is limited to the CPU which is a BCM63168UKFEBG.  The JTAG interface is active on these boards but I was unable to extract the firmware.  The UART interface is present but not connected.

Before you extract your own firmware you will need a copy of a Kali Linux (for ease or use), soldering iron, microscope, sharp knife and a RT809H or equivalent.

A copy of the firmware can be found here https://drive.google.com/file/d/12eQiopCbozvPSTg_UW1-bCREemghDf4t/view?usp=sharing

1. Front view

2. Rear view

3. Remove the outer plastic ring using a pry tool.

4. Remove the 4 screw marked in red and the bottom should pull away.

5. Unclip the antenas then the antena housing can just be pulled off.

6. Rear PCB.

7. Front PCB.

8. The firmware is stored on a 32Mb Spansion S25FL128S SPI chip.  FAC024 24 BGA package in a 4 x 6 configuration.   The cheap CH341A EPROM programers will not read this chip for some reason you will need a RT809H.  There are programing sockets available for BGA 24 4x6 but are fairly expensive for a one off job and what fun would that be.  Get your hot air station out and desolder the SPI chip then solder wires on to the pads as shown in the below image.  Desoldering may not be necessary you can try and solder to the to the caps on the traces.  For the trace marked in yellow you will have to scrape away the solder mask and solder to the exposed copper.

9. Front PCB traces.

10. Rear PCB traces.

11. Spansion S25FL128S pinout.

12. binwalker outputs the following:

14292         0x37D4          LZMA compressed data, properties: 0x6D, dictionary size: 4194304 bytes, uncompressed size: 253440 bytes
524288        0x80000         Broadcom 96345 firmware header, header size: 256, firmware version: "68", board id: "SKYB_VIPER", ~CRC32 header checksum: 0xA9F81301, ~CRC32 data checksum: 0xD0156E8A
524544        0x80100         Squashfs filesystem, little endian, version 4.0, compression:xz, size: 10443976 bytes, 1195 inodes, blocksize: 131072 bytes, created: 2019-03-21 11:37:54
10969356      0xA7610C        LZMA compressed data, properties: 0x6D, dictionary size: 4194304 bytes, uncompressed size: 4936672 bytes
15073280      0xE60000        Broadcom 96345 firmware header, header size: 256, firmware version: "68", board id: "SKYB_VIPER", ~CRC32 header checksum: 0xE4A501F, ~CRC32 data checksum: 0x44E96574
15073536      0xE60100        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 10443168 bytes, 1196 inodes, blocksize: 131072 bytes, created: 2019-06-07 14:26:55
25518348      0x185610C       LZMA compressed data, properties: 0x6D, dictionary size: 4194304 bytes, uncompressed size: 4936672 bytes

13. To extract the image use these commands:

dd if=S25FL256SXXNXX00@WSON8_20210314_1317.BIN of=sky1.bin bs=1 count=14292  skip=0
dd if=S25FL256SXXNXX00@WSON8_20210314_1317.BIN of=sky2.bin bs=1 count=524288  skip=14292
dd if=S25FL256SXXNXX00@WSON8_20210314_1317.BIN of=sky3.bin bs=1 count=524544  skip=524288
dd if=S25FL256SXXNXX00@WSON8_20210314_1317.BIN of=sky4.bin bs=1 count=10969356  skip=524544
dd if=S25FL256SXXNXX00@WSON8_20210314_1317.BIN of=sky5.bin bs=1 count=15073280  skip=10969356
dd if=S25FL256SXXNXX00@WSON8_20210314_1317.BIN of=sky6.bin bs=1 count=15073536  skip=15073280
dd if=S25FL256SXXNXX00@WSON8_20210314_1317.BIN of=sky7.bin bs=1 count=25518348  skip=15073536