Hardware Teardown

A project log for Pokemon Go Plus DIY

Project to create your own pokemon go plus

deqing, 09/16/2016 at 18:37 (8 Comments)

There are 3 non-standard screws in the case. If, like me, you don't have the right tools, you can scratch off the coating, add some flux, and quickly add a drop of very hot solder so you don't melt the plastic underneath. Then you can solder a pin header to the screw to unscrew it easily. Afterwards you can clean off the solder and cut a slot for further assembly and disassembly.

There aren't a lot of parts inside. I haven't investigated much, but I think there is a PMIC, an SPI flash and a DA14580.

The good thing is all SPI flash pins are exposed. You can even cut the trace to isolate it. This makes it easy to dump the firmware from this flash chip.

I suppose the encryption can be hacked by static analysis or by moving the firmware to a dev board for debugging.
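Because the flash pins are exposed, a passive logic-analyzer capture of the SPI bus during boot shows what the SoC actually fetches. The sketch below is an added example, not code from this project: it rebuilds the bytes read from a list of chip-select frames and estimates their entropy. It assumes the flash uses the common SPI NOR read opcode 0x03 with a 24-bit address; the frame layout, function names and capture bytes are constructed for illustration.

```python
import math
from collections import Counter

READ = 0x03  # standard SPI NOR "read data" opcode (assumed for this chip)

def decode_reads(frames):
    """Map address -> byte for every byte fetched with READ.
    Each frame is (mosi, miso) for one chip-select-low period."""
    image = {}
    for mosi, miso in frames:
        if len(mosi) < 5 or mosi[0] != READ:
            continue  # other command, or a read with no data phase
        addr = int.from_bytes(mosi[1:4], "big")  # 24-bit address
        for off, value in enumerate(miso[4:]):   # data follows cmd + address
            image[(addr + off) & 0xFFFFFF] = value
    return image

def first_run(image):
    """Return (base, data) for the contiguous run at the lowest address read."""
    if not image:
        return None, b""
    base = min(image)
    data = bytearray()
    while base + len(data) in image:
        data.append(image[base + len(data)])
    return base, bytes(data)

def entropy(data):
    """Shannon entropy in bits per byte; close to 8 suggests encrypted or
    compressed contents, clearly lower suggests plain code and data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

# Constructed capture: one ID command, then two back-to-back 8-byte reads.
PART_A = bytes.fromhex("0098002005010000")
PART_B = bytes.fromhex("0d0100000f010000")
CAPTURE = [
    (b"\x9f\x00\x00\x00", b"\xff\x00\x00\x00"),
    (b"\x03\x00\x00\x00" + bytes(8), b"\xff" * 4 + PART_A),
    (b"\x03\x00\x00\x08" + bytes(8), b"\xff" * 4 + PART_B),
]

if __name__ == "__main__":
    base, data = first_run(decode_reads(CAPTURE))
    print(f"read {len(data)} bytes from 0x{base:06x}, "
          f"entropy {entropy(data):.2f} bits/byte")
```

The entropy figure only means something over a full-size capture; the 16 constructed bytes here just exercise the decoder.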

Discussions

bettse wrote 10/01/2016 at 18:32

I sacrificed my device and removed the negative terminal to see what was below.  I damaged it more than I would have liked, but found another test pad, and more traces: https://imgur.com/a/O31Kz

SCDoc wrote 10/09/2016 at 14:23

Thanks for the sacrifice. I am attempting to map the pins of the processor to the board so we can hopefully tap into the SWD JTAG pins to allow debugging.

http://imgur.com/a/Hi4hw

bettse wrote 09/29/2016 at 03:12

I opened my case and found the same chips, but for the 'A1 HFG 5DP' and 'D166B' slightly different markings, 'A1 HNG 5BJ' and 'D165M'.  I'm assuming they're unimportant differences, but worth documenting. https://imgur.com/a/GfljG

Sabas wrote 09/18/2016 at 05:19

I suspect that the three pins are T_TCK, T_TMB, TRESET or SWCLK, SWDIO, RESET

https://d3nevzfk7ii3be.cloudfront.net/igi/ZVPlRStxnIx5TOVQ.huge

Sabas wrote 09/18/2016 at 05:01

eyeye wrote 09/17/2016 at 12:30

If the DA14580 boots from ext SPI flash, you can dump the whole plain firmware.

deqing wrote 09/18/2016 at 04:57

That is what I'm thinking. We can hook a logic analyzer to those pads to verify that, and we can cut traces to dump it.