Sky ER115 Router teardown
This is a quick teardown of the Sky ER115 Router with a copy of the extracted firmware. I binned the PCB by mistake in a clear-out, so the components list is limited to the CPU, which is a BCM63168UKFEBG. The JTAG interface is active on these boards but I was unable to extract the firmware. The UART interface is present but not connected.
Before you extract your own firmware you will need a copy of Kali Linux (for ease of use), a soldering iron, a microscope, a sharp knife and an RT809H or equivalent.
A copy of the firmware can be found here: https://drive.google.com/file/d/12eQiopCbozvPSTg_UW1-bCREemghDf4t/view?usp=sharing
1. Front view
2. Rear view
3. Remove the outer plastic ring using a pry tool.
4. Remove the 4 screws marked in red and the bottom should pull away.
5. Unclip the antennas, then the antenna housing can just be pulled off.
6. Rear PCB.
7. Front PCB.
8. The firmware is stored on a 32Mb Spansion S25FL128S SPI chip in a FAC024 24 BGA package with a 4 x 6 configuration. For some reason the cheap CH341A EPROM programmers will not read this chip, so you will need an RT809H. Programming sockets are available for BGA 24 4x6 but they are fairly expensive for a one-off job, and what fun would that be? Get your hot air station out and desolder the SPI chip, then solder wires on to the pads as shown in the image below. Desoldering may not be necessary: you can try to solder to the caps on the traces. For the trace marked in yellow you will have to scrape away the solder mask and solder to the exposed copper.
9. Front PCB traces.
10. Rear PCB traces.
11. Spansion S25FL128S pinout.
12. binwalk outputs the following:
14292 0x37D4 LZMA compressed data, properties: 0x6D, dictionary size: 4194304 bytes, uncompressed size: 253440 bytes
524288 0x80000 Broadcom 96345 firmware header, header size: 256, firmware version: "68", board id: "SKYB_VIPER", ~CRC32 header checksum: 0xA9F81301, ~CRC32 data checksum: 0xD0156E8A
524544 0x80100 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 10443976 bytes, 1195 inodes, blocksize: 131072 bytes, created: 2019-03-21 11:37:54
10969356 0xA7610C LZMA compressed data, properties: 0x6D, dictionary size: 4194304 bytes, uncompressed size: 4936672 bytes
15073280 0xE60000 Broadcom 96345 firmware header, header size: 256, firmware version: "68", board id: "SKYB_VIPER", ~CRC32 header checksum: 0xE4A501F, ~CRC32 data checksum: 0x44E96574
15073536 0xE60100 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 10443168 bytes, 1196 inodes, blocksize: 131072 bytes, created: 2019-06-07 14:26:55
25518348 0x185610C LZMA compressed data, properties: 0x6D, dictionary size: 4194304 bytes, uncompressed size: 4936672 bytes
13. To extract the image use these commands. With bs=1, skip is the start offset of a segment and count is its length in bytes, so each count is the next binwalk offset minus the segment's own start offset:
dd if=S25FL256SXXNXX00@WSON8_20210314_1317.BIN of=sky1.bin bs=1 count=14292 skip=0
dd if=S25FL256SXXNXX00@WSON8_20210314_1317.BIN of=sky2.bin bs=1 count=509996 skip=14292
dd if=S25FL256SXXNXX00@WSON8_20210314_1317.BIN of=sky3.bin bs=1 count=256 skip=524288
dd if=S25FL256SXXNXX00@WSON8_20210314_1317.BIN of=sky4.bin bs=1 count=10444812 skip=524544
dd if=S25FL256SXXNXX00@WSON8_20210314_1317.BIN of=sky5.bin bs=1 count=4103924 skip=10969356
dd if=S25FL256SXXNXX00@WSON8_20210314_1317.BIN of=sky6.bin bs=1 count=256 skip=15073280
dd if=S25FL256SXXNXX00@WSON8_20210314_1317.BIN of=sky7.bin bs=1 count=10444812 skip=15073536
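The same carving step as a small script, added here as an example and not part of the original write-up: it derives each segment length from the list of binwalk start offsets, validates the offsets against the dump size before writing anything, and checks a carved segment for the little-endian SquashFS magic. The function names and the dump.bin file name are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original page): carve a flash dump at binwalk offsets.

# Print "start length" for each segment. $1 = image size in bytes, remaining
# args = segment start offsets, ascending. Each length is the distance to the
# next start; the last segment runs to the end of the image.
carve_plan() {
    total=$1; shift
    while [ $# -gt 0 ]; do
        start=$1; shift
        if [ $# -gt 0 ]; then next=$1; else next=$total; fi
        if [ "$next" -le "$start" ] || [ "$next" -gt "$total" ]; then
            echo "bad offset $start (next=$next, size=$total)" >&2
            return 1
        fi
        echo "$start $((next - start))"
    done
}

# Carve image $1 into ${2}1.bin, ${2}2.bin, ... at the offsets that follow.
carve_all() {
    img=$1; prefix=$2; shift 2
    size=$(($(wc -c < "$img")))
    plan=$(carve_plan "$size" "$@") || return 1   # validate before writing anything
    n=1
    echo "$plan" | while read -r start len; do
        # tail -c +K starts at byte K (1-based); head -c stops after len bytes.
        tail -c "+$((start + 1))" "$img" | head -c "$len" > "${prefix}${n}.bin" || exit 1
        n=$((n + 1))
    done
}

# True if file $1 starts with the little-endian SquashFS magic "hsqs".
is_squashfs() {
    [ "$(head -c 4 "$1")" = "hsqs" ]
}

# Usage with the offsets binwalk reported above (dump.bin is a placeholder name):
#   carve_all dump.bin sky 0 14292 524288 524544 10969356 15073280 15073536 25518348
#   is_squashfs sky4.bin && unsquashfs -d rootfs sky4.bin
```

Passing 25518348 as the final offset also carves the last LZMA block (sky8.bin), which the dd commands above leave out.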