iPhone 15 Pro Storage Expansion – 128GB to 512GB [video] (youtube.com)
usui 12 days ago [-]
The video omits crucial details aside from the physical act of removing the original and soldering the new NAND. I know for a fact failing to copy original details results in failure to restore iOS with specific error codes, so I wonder what this video did. I've successfully done this many times back in the iPhone 6S days where the original chip was desoldered, read by a Chinese-made reader, and finally the identifiers cloned to the new chip. I sold phones upgraded from 16GB to 128GB for a meager profit, but it was for fun.

How can the new chip work if the original chip is milled off completely? I would be surprised if you could read all necessary identifiers through iOS/USB software before milling unless the device was jailbroken and read that way. Seems like a big oversight for Apple not to implement simple countermeasures to make it a little bit harder, or that Apple would undo protections they had back in the iPhone 6S days.

xw38011 12 days ago [-]
Just out of curiosity, what was the fail rate for that rework?

I don't repair/upgrade iPhones or anything, and I'm an EE not a trained technician, but I do need to swap BGAs from time to time and my rework rate for 0.4mm pitch BGAs is not the best. It works say, 3 of 4 times. But compared to colleagues I'm pretty good. But that rate is way too low to run any kind of viable business, I would think.

In this situation you're doing literally the same rework over and over, which helps, and probably have equipment and stencils specific to the job, which helps.

So I'm curious what kind of success rate was achieved if you don't mind sharing.

HHad3 12 days ago [-]
SysCfg with serial number etc has been on a separate NOR chip for quite some time [1]. I wouldn't be surprised if Apple allowed DFU restore to initialize a blank flash as mere optimization in the production process.

[1] https://www.theiphonewiki.com/wiki/NOR

kalleboo 11 days ago [-]
Your link only lists NOR sizes for the original iPhone and the iPhone 3G and then goes on to say "iPod touch (3rd generation) and beyond -- The NOR is replaced with a dedicated partition of NAND"
pquki4 12 days ago [-]
I suspect they intentionally skipped that part because it contains "proprietary" techniques they don't want to make public.
HeatrayEnjoyer 12 days ago [-]
Security through obscurity is...
droopyEyelids 12 days ago [-]
A widely misunderstood concept, seldom applied where it is relevant
mitthrowaway2 12 days ago [-]
... commonly referred to as a "trade secret".

https://en.m.wikipedia.org/wiki/Trade_secret

necovek 12 days ago [-]
They show it getting restored to factory image.
usui 12 days ago [-]
... As I said... it's not enough to just plop on a new chip from somewhere else and do the standard iOS factory image restore process without extracting info from the original and putting it in the new before soldering. This information prior to the milling is omitted from the video.
kotaKat 12 days ago [-]
https://www.aliexpress.us/item/3256804472885970.html

There's a tool for that (many, many of them), both software-based and physical-based tools that can copy out the SysCFG block and write it into a new chunk of flash.

0xPIT 12 days ago [-]
I’ve seen several videos by reputable fixers that demonstrate empty NANDs working fine with DFU factory restore. Same situation on Mn MacBooks.

Would be weird in the actual mass production process if the flash would need to be pre-programmed somehow; one DFU process IMO must be able to do everything needed.

cjk2 12 days ago [-]
After watching a couple of videos, that works with some older versions of DFU software and not new ones. Might be an arbitrary restriction by the DFU update software rather than the hardware. I'm sure they know this and work around it of course when doing these FLASH swaps.

Also if there are two flash chips they need to be installed in a certain order. Not sure of the rationale behind that precisely. I doubt it's a hardware difference.

tw1984 12 days ago [-]
> read by a Chinese-made reader, and finally the identifiers cloned to the new chip

sounds like a national security threat to me

swores 12 days ago [-]
Maybe save worrying about that until Apple phones aren't actually being manufactured in China?

https://www.solveyourtech.com/uncovering-where-iphones-are-m...

grishka 12 days ago [-]
Me, watching video: so now they're going to desolder the original flash chip, put it into a chip programmer and copy data to the new one, resizing the file system as needed.

They: casually proceed to turn the original chip into fine dust

miles 12 days ago [-]
I had the same thought. Got a chuckle out of @challenger2205's comment[1]:

> Apple: our NAND flash is so integrated, that it's impossible to replace unless you literally machine it off the board. Surely no repair shop would do that!

> The repair shop: https://www.youtube.com/watch?v=JbSDdU8bJI0&t=324s

[1] https://www.youtube.com/watch?v=JbSDdU8bJI0&lc=Ugxs-u-AdfmJn...

leni536 12 days ago [-]
Now that's what I call secure erase.
zamalek 12 days ago [-]
The care taken can only be described as mesmerizing. If you want proof that Apple is full of it and the whole "bootleg parts can compromise security," then here it is. Apparently, a lid close sensor is a major security risk - where NAND is not?
cududa 12 days ago [-]
Let’s say you travel to a foreign country that has some level of corruption in immigration.

Your devices might have or receive information their government or just some company in the country wants.

You get detained for extra questioning. Your belongings get taken for review.

What parts could a reasonably skilled person quickly replace in less than 30 minutes that would compromise security? THOSE are the parts they’re worried about.

The threat model of someone trying to secretly grind off and replace your NAND without your knowledge is what, exactly?

zamalek 10 days ago [-]
That's cherry-picking an intentionally silly example. Replacing the NAND is within the realm of possibility for an evil maid, and even more likely prior to a resale.

Now, considering that the lid close sensor DRM leaves the laptop in the state that a hostile entity would want (including your example) - the laptop doesn't automatically lock, what is the security argument there?

wtallis 12 days ago [-]
> Apparently, a lid close sensor is a major security risk - where NAND is not?

Nobody sane would ever try to design a secure system that trusted commodity NAND parts. Secure boot and encrypted storage are literally the first things to tackle when trying to secure/lock down a device against hardware-based attacks.

And isn't the lid sensor issue more a matter of calibration rather than a security measure?

odiroot 12 days ago [-]
I mostly admire their patience. Can imagine flipping a table or two during this process.
justinclift 12 days ago [-]
Cool. Haven't seen anyone doing precision chip removal with a CNC mill/router before, but it makes sense for this situation and was done well. :)
wzdd 12 days ago [-]
This was amazing to me. I'll think about it next time I'm trying to desolder something with hot air and solder wick like a chump.
mr_sturd 12 days ago [-]
The specialised fixture for the board was impressive, too!
etrautmann 12 days ago [-]
Yeah I guess I shouldn’t be surprised but the depth of that mill has to be fairly precise to not rip into the pads but still remove enough of the NAND package. Very impressive - looked pretty straightforward after the jig is set up.
miyuru 12 days ago [-]
I have seen HDD disks destroyed for security, but this took it to another level.
ShakataGaNai 12 days ago [-]
This is cool, no doubt about that. And fascinating due to the sheer complexity and amount of fine detail work required. But. Uh. For all that work, Why not upgrade it to an amount of storage you couldn’t otherwise get? Or at least max it out?
xnyan 12 days ago [-]
>Why not upgrade it to an amount of storage you couldn’t otherwise get

He's running a repair shop, so used market.

>But. Uh. For all that work

The difference between 128GB and 512GB on the used iPhone 15 market is $200+. He's probably buying the 512GB NAND IC for $25-40. If you're a repair shop you already have all the needed tools and jigs except maybe the CNC mill, which is about $3-4K. The only things we don't know are how long it takes and the failure rate, but the process (especially the CNC milling part) looks pretty consistent and repeatable, so I'd not be surprised to learn he's profiting off this.

pquki4 12 days ago [-]
Because... When you bought the phone 2 years ago you didn't anticipate you would need more than 128GB of storage?
jijijijij 12 days ago [-]
I think they mean with the new chip, not the initial purchase. Eg. putting 4TB into the phone instead of 500GB.
usui 12 days ago [-]
-
mrb 12 days ago [-]
But Apple sells a 1TB version of the iPhone 15 Pro. Are you saying the 1TB version uses a different motherboard?
usui 12 days ago [-]
I was mistaken—yes it would be possible to upgrade to a 1TB NAND. I'm going to guess it wasn't cost-effective to source or it was hard to find an iCloud-locked/activation-locked 1TB iPhone 15 Pro/Pro Max motherboard.
diziet 12 days ago [-]
I started watching this assuming that the NAND is either slotted in or would be desoldered. Then the micrometer scale calibration gauges for the milling machine came out and I realized what was about to happen. Quality work!
Havoc 12 days ago [-]
Definitely a "wait where is this going" moment.

Had no idea CNCing away BGA chips is a thing

xnyan 12 days ago [-]
If you have the equipment, it's the most consistent and least risky option. Purpose designed CNC mills are not even that expensive in terms of shop equipment, maybe 3-4k.
tempodox 12 days ago [-]
This is a joy to watch.

And this person had better stay anonymous. If Apple knew their identity, they'd be excommunicated on the spot.

transpute 12 days ago [-]
It's a company with a website, https://www.batterymall.com, described on their YouTube channel:

> KingSener is a registered trademark of our company in China, United Kingdom, United States and European Union. Our company specializes in supplying premium quality laptop batteries for global customers. We have more than 10 years experience in this industry, cost-effective products for customers and also produce customized products (OEM/ODM) as per buyers requirements.

giuliomagnifico 12 days ago [-]
Yes, absolutely. However, it seems to me that he is not using official Apple tools. I am familiar with them and they are similar, but they are not built by Apple. To me, they seem like a copy, and he’s not using the official Apple software to calibrate the device.
justinclift 12 days ago [-]
The end of the video seems to show the hardware mac address for the phone, so it probably wouldn't take too much effort for Apple to figure out.
cjk2 12 days ago [-]
This is the new upgrade status quo. I wouldn’t do it on a phone but some hot air work on a MacBook to upgrade the SSD would not scare me at all. I did do board rework a long time ago though.

What does scare me is the software side of doing a change like that!

neilv 12 days ago [-]
At 5 minutes is when it shifts gears from the merely brave/experienced.
ein0p 12 days ago [-]
I once tried to replace a screen on an iPhone, and accidentally knocked a barely visible capacitor next to the connector right off the board. When I say barely visible, I’m not exaggerating. I did try to solder it back onto the board under a microscope with my cheap reflow station, but it was absolutely futile. Which is to say, as difficult as this video looks, this is being done by a person who has done similar things many times, and you’re very unlikely to be successful at this the first time around. Tread carefully.
MarkusWandel 12 days ago [-]
This is impressive, but... what is so terrible about a Micro SD slot? Knowing, of course, that Apple products don't have one as a rule but my current (cheap) Android phone still does, and storage expansion is a matter of spending $30 at Costco.
Terretta 12 days ago [-]
If you rely on one for anything professional you know what's so terrible about a Micro SD slot.

Even pro DSLR camera bodies using top of the line Micro SD tend to fail, that's why they come with two slots that you write to in parallel.

// Also, iPhones since getting rid of SIM tray work after days to weeks under fresh or even salt water. That's harder to pull off with slots. More people need their phone to keep working after dropped in water than really need a MicroSD slot.

95014_refugee 12 days ago [-]
Excruciatingly slow, mechanically and electrically unreliable, obscenely large. Inconsistent-to-zero quality of the inserted device leading to people complaining about how “you” lost the data on their US$3.00 card.
MarkusWandel 11 days ago [-]
That's why I do pay $30 at Costco, where it is exceedingly likely that the Sandisk memory card actually is one.
Euphorbium 12 days ago [-]
Cool, anybody doing that to macbooks, which are much more storage constrained?
rock_artist 12 days ago [-]
Since the early M1 days I saw such scenarios of upgrading RAM and SSD, https://www.youtube.com/watch?v=kDNtSqa_i2A

But I’ve never seen a real service that offers that or anything after M1 (I didn’t look though)

giuliomagnifico 12 days ago [-]
Yes there's one in Canada, much cheaper than Apple: https://vancouvermac.ca
bshada 12 days ago [-]
Why did he mill the NAND rather than removing it using his hot air station?
usui 12 days ago [-]
If you have high confidence the CNC is well-calibrated and safe to use, then milling is the better choice. There is a significant amount of resin gluing the original NAND which could rip pads when pulled, and hot air risks damaging nearby components.
acd 12 days ago [-]
GPUs, phones and laptops are going to get chip modded. Chip modding was the process of making game consoles run any copied game. So modders would chip modify them to bypass console manufacturers' copy protection. Since other manufacturers are now selling memory expansion at a higher margin rate there are going to be chip soldering possibilities.

Wikipedia modchip https://en.m.wikipedia.org/wiki/Modchip

jonathanlydall 12 days ago [-]
Super impressive to watch, person clearly knows what they’re doing.

But saving $200 to then need to expend this effort seems hardly worth it, never mind that it likely voids the warranty.

Maybe if it was already a few years old it might be worth it.

I suspect the video is to show off expertise rather than advertise this as a particular service they could economically offer.

benbojangles 12 days ago [-]
I would have assumed as per previous iPhone models that they needed to desolder the NAND and put it into jc pro or similar in order to clone it to the new NAND. Interesting that they just grind the old one off and do a DFU restore. I wonder what was done for that process.
hilbert42 12 days ago [-]
What a lot of mucking about. With a microSD card it's done in seconds.

It only took me several seconds to put a 512GB SD card in my Moto phone.

BenjiWiebe 12 days ago [-]
MicroSD is much worse performance than eMMC.
transpute 12 days ago [-]
Can an iPhone work as an iPod with better screen/storage/battery, if the LTE radio is removed?
White_Wolf 12 days ago [-]
In theory, it would be possible.

In practice (as a bare minimum):

- you need to patch the firmware for the new display

- patch out the radio

- ? patch battery capacity or re-init

Not sure how much of the patching part is possible atm.

transpute 12 days ago [-]
Are there separate radios for BT/WiFi (Apple) and LTE modem (Qualcomm)? If so, it might be possible to turn off just the LTE modem by pulling down one pin, while allowing the rest of the phone to function normally without OS/firmware modification.

WiFi can be locked to whitelisted SSIDs via Apple Configurator.

MOARDONGZPLZ 12 days ago [-]
It can do this without even removing the LTE radio.
dev_tty01 12 days ago [-]
No need to remove it. Just turn off the LTE radio in settings.
throw986477 12 days ago [-]
What's going on around 7:40 when it looks like something is being vaporized onto the new chip?
xnyan 12 days ago [-]
He's applying flux (appears to be a kind of rosin) by vaporizing it. Oxidation contaminates or prevents solder from joining; soldering flux (often rosin) is an acid that removes oxidation.
frappuccino_o 12 days ago [-]
Can he do the same on my GPU?
underlogic 12 days ago [-]
This is ridiculous. Apple should just include a microSD slot. Who even uses 512GB of storage on a phone? It's a stupid way to try to rip off the wealthy.
dev_tty01 12 days ago [-]
It is not ridiculous. SD slot is much slower than the built-in NAND. iPhone SSD read speeds are about 1200 MB/sec, about 500 MB/sec write. The OS is optimized to take advantage of that fast, contiguous, and reliable memory.
trogdor 12 days ago [-]
Just tested my iPhone 15 Pro Max. Read 1600 MB/s, write 1017 MB/s.

Sequential, 512 MB test size, 65536 test count.

underlogic 12 days ago [-]
So what? How is that additional bandwidth relevant to 99% of phone users? All they have is photos, and most of the photos sit on internal storage for an hour before being uploaded to iCloud. UHS-III goes to 620 MB/s; that's more than enough. The OS would be fine with 100GB internal storage.

Similar to the lightning cable, generates an artificial market. Making design choices against the best interests of the customer. Not sure why anyone would be Ok w that. Restricting users options, taking advantage really

wtallis 12 days ago [-]
Do UHS-III microSD cards actually exist?