The new AirTags 2 just arrived!

Time to take them apart 🧵

My first issue: I couldn't get the battery cover removed! Instead I used an x-acto knife to just cut out the entire battery assembly 😵‍💫

Impatient? Me? Never!

Not much new on the backside! The accelerometer (black blob on top) seems to still be there, and otherwise just caps. And a lot of test-points that look quite similar to the ones from the first AirTag (see second picture of the first generation by Colin O'Flynn)

On the other side we again have a plastic cover - and we can already see the UWB shine through (the silver thing) and a nice antenna connection!

Now, the question we've all been wondering: Which microcontroller did they use this time?

It's the nRF52840 - a chip very similar to the one in the first AirTag - and that, at least in earlier revisions, is vulnerable to the same fault-injection attack!

Time to dive in!

Now interestingly this chip variant - CKABD0 - does not appear in the official datasheet.

Package variant: CK (WLCSP)
Function variant: AB - not listed in the datasheet
Hardware revision: D
Production device identifier: 0

Likely that this version has enhanced AP protection 😭

But there's at least something to dump - the SPI flash chip seems to be a Winbond W25Q64
Numbered the test-pins on the back of the device - let's try to document the signals!
Pulled off the flash and soldered on some magnet-wire on all of the pins to get a decent pin-out. This stuff is smol! 🤏

For those playing along at home: Preliminary flash pin-out!

13 - SPI Flash CLK
16 - SPI Flash DI / MOSI
18 - SPI Flash DO / MISO
19 - SPI Flash VCC
20 - SPI Flash CS

Pokey dokey
lfg

9d3e36fc632d77f24c810cb89892dd1959dfb05b output.bin

(Created from multiple dumps, something is messing with the signal)

The PCB is suuuper sensitive. I ripped off three pads so far... To get to chip-select I had to solder onto the tiny tiny tiny via barrel😵‍💫
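The thread above mentions that output.bin was assembled from several noisy dumps. As an added example (not the author's tooling), here is how a byte-wise majority vote across captures can be done so that offsets where the probes disagreed are reported instead of silently trusting one read; the three 16-byte captures are constructed sample data, not bytes from the actual AirTag dump.

```python
import hashlib
from collections import Counter

# Constructed sample: three captures of the same 16-byte region, two of
# which carry a single corrupted byte from a flaky probe connection.
DUMPS = [
    bytes.fromhex("ffffffff000102030405060708090a0b"),
    bytes.fromhex("ffffffff0001020304050607f8090a0b"),  # offset 12 corrupted
    bytes.fromhex("ffffffff00010203040506070809ea0b"),  # offset 14 corrupted
]


def consensus(dumps):
    """Byte-wise majority vote across equal-length dumps.

    Returns (consensus_bytes, disputed_offsets). An offset is disputed when
    fewer than a strict majority of dumps agree on its value, so the caller
    knows exactly which regions to re-read rather than accepting a coin flip.
    """
    if len({len(d) for d in dumps}) != 1:
        raise ValueError("all dumps must have the same length")
    quorum = len(dumps) // 2 + 1
    out = bytearray()
    disputed = []
    for off in range(len(dumps[0])):
        value, votes = Counter(d[off] for d in dumps).most_common(1)[0]
        if votes < quorum:
            disputed.append(off)
        out.append(value)
    return bytes(out), disputed


def differing_offsets(dumps):
    """Offsets where not every dump agrees; a cluster here points at a bad line."""
    return [off for off in range(len(dumps[0])) if len({d[off] for d in dumps}) > 1]


def sha1_hex(data):
    """Hash of the merged image, so a re-dump can be compared against it."""
    return hashlib.sha1(data).hexdigest()


if __name__ == "__main__":
    merged, disputed = consensus(DUMPS)
    print("dumps differ at offsets:", differing_offsets(DUMPS))
    print("unresolved offsets:", disputed)
    print(sha1_hex(merged), "output.bin")
```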
@stacksmashing Never saw ascii art on bin dumps before (not that I’ve seen many anyway) haha neat!
@tavisco This one I know from way back - the iPod firmware used to have that in it too!
@stacksmashing @tavisco kind of funny that 16 byte width seems to be the expected default (yes, it makes sense address-wise; but could also be 32 bytes, etc.).
@stacksmashing @tavisco "Copyright 2001" makes it sound as if they reused parts of the old iPod firmware, too?!
@draconigen @stacksmashing whoa! Good catch! Very interesting indeed
@tavisco @draconigen There's nothing from the old iPod firmwares in there :) I think it's just a nice easter-egg
@stacksmashing What's the surface? Array of suction cups?
@dzwiedziu just a random QFP chip carrier I had laying on the table
@stacksmashing bin laden hiding spot?
@stacksmashing do you have an idea why there is an additional external flash even though there's always 1 MByte of flash in the uC itself... which may be harder to access than dumping an external flash?

@maehw @stacksmashing might just be that they prefer to have an immutable internal bootloader, to make bricking the device during OTA updates much harder, so that they don't need to fit their firmware in 512 kB if they want to be able to fall back to a working revision after a failed update.

Or, plain, the firmware was too large to fit that 1 MB. (it does seem unlikely given the functionality, but maybe they're reserving space so you can play Beethoven's ninth as alert sound?)

@maehw @stacksmashing also, to Nordic, Apple is a high volume customer with a non-public part number – unless you know there's working flash in-package, I wouldn't assume; this might be a mask ROM variant, even (though then the numbering in regular HW revisions seems questionable)
@stacksmashing doesn't the nRF52840 usually have internal flash? is this version different or is there something else on the external flash?
@stacksmashing lets go, what could've even changed hehe
@stacksmashing any possibility of a new video for this?