The video omits crucial details aside from the physical act of removing the original and soldering the new NAND. I know for a fact failing to copy original details results in failure to restore iOS with specific error codes, so I wonder what this video did. I've successfully done this many times back in the iPhone 6S days where the original chip was desoldered, read by a Chinese-made reader, and finally the identifiers cloned to the new chip. I sold phones upgraded from 16GB to 128GB for a meager profit, but it was for fun.
How can the new chip work if the original chip is milled off completely? I would be surprised if you could read all necessary identifiers through iOS/USB software before milling unless the device was jailbroken and read that way. Seems like a big oversight for Apple not to implement simple countermeasures to make it a little bit harder, or that Apple would undo protections they had back in the iPhone 6S days.
Just out of curiosity, what was the fail rate for that rework?
I don't repair/upgrade iPhones or anything, and I'm an EE not a trained technician, but I do need to swap BGAs from time to time and my rework rate for 0.4mm pitch BGAs is not the best. It works say, 3 of 4 times. But compared to colleagues I'm pretty good. But that rate is way too low to run any kind of viable business, I would think.
In this situation you're doing literally the same rework over and over, which helps, and probably have equipment and stencils specific to the job, which helps.
So I'm curious what kind of success rate was achieved if you don't mind sharing.
SysCfg with serial number etc has been on a separate NOR chip for quite some time [1]. I wouldn't be surprised if Apple allowed DFU restore to initialize a blank flash as mere optimization in the production process.
Your link only lists NOR sizes for the original iPhone and the iPhone 3G and then goes on to say "iPod touch (3rd generation) and beyond -- The NOR is replaced with a dedicated partition of NAND"
... As I said... it's not enough to just plop on a new chip from somewhere else and do the standard iOS factory image restore process without extracting info from the original and putting it in the new before soldering. This information prior to the milling is omitted from the video.
There's a tool for that (many, many of them), both software-based and physical-based tools that can copy out the SysCFG block and write it into a new chunk of flash.
I’ve seen several videos by reputable fixers that demonstrate empty NANDs working fine with DFU factory restore.
Same situation on Mn MacBooks.
Would be weird in the actual mass production process if the flash would need to be pre-programmed somehow; one DFU process IMO must be able to do everything needed.
After watching a couple of videos, that works with some older versions of DFU software and not new ones. Might be an arbitrary restriction by the DFU update software rather than the hardware. I'm sure they know this and work around it of course when doing these FLASH swaps.
Also if there are two flash chips they need to be installed in a certain order. Not sure of the rationale behind that precisely. I doubt it's a hardware difference.
Me, watching video: so now they're going to desolder the original flash chip, put it into a chip programmer and copy data to the new one, resizing the file system as needed.
They: casually proceed to turn the original chip into fine dust
I had the same thought. Got a chuckle out of @challenger2205's comment[1]:
> Apple: our NAND flash is so integrated, that it's impossible to replace unless you literally machine it off the board. Surely no repair shop would do that!
The care taken can only be described as mesmerizing. If you want proof that Apple is full of it and the whole "bootleg parts can compromise security," then here it is. Apparently, a lid close sensor is a major security risk - where NAND is not?
Let’s say you travel to a foreign country that has some level of corruption in immigration.
Your devices might have or receive information their government or just some company in the country wants.
You get detained for extra questioning. Your belongings get taken for review.
What parts could a reasonably skilled person quickly replace in less than 30 minutes that would compromise security? THOSE are the parts they’re worried about.
The threat model of someone trying to secretly grind off and replace your NAND without your knowledge is what, exactly?
That's cherry-picking an intentionally silly example. Replacing the NAND is within the realm of possibility for an evil maid, and even more likely prior to a resale.
Now, considering that the lid close sensor DRM leaves the laptop in the state that a hostile entity would want (including your example) - the laptop doesn't automatically lock, what is the security argument there?
> Apparently, a lid close sensor is a major security risk - where NAND is not?
Nobody sane would ever try to design a secure system that trusted commodity NAND parts. Secure boot and encrypted storage are literally the first things to tackle when trying to secure/lock down a device against hardware-based attacks.
And isn't the lid sensor issue more a matter of calibration rather than a security measure?
Yeah I guess I shouldn’t be surprised but the depth of that mill has to be fairly precise to not rip into the pads but still remove enough of the nand package. Very impressive - looked pretty straightforward after the jig is set up.
This is cool, no doubt about that. And fascinating due to the sheer complexity and amount of fine detail work required. But. Uh. For all that work, Why not upgrade it to an amount of storage you couldn’t otherwise get? Or at least max it out?
> Why not upgrade it to an amount of storage you couldn’t otherwise get
He's running a repair shop, so used market.
> But. Uh. For all that work
The difference between 128GB and 512GB on the used iPhone 15 market is $200+. He's probably buying the 512GB NAND IC for $25-40. If you're a repair shop you already have all the needed tools and jigs except maybe the CNC mill, which is about $3-4K. The only things we don't know are how long it takes and the failure rate, but the process (especially the CNC milling part) looks pretty consistent and repeatable, so I'd not be surprised to learn he's profiting off this.
I was mistaken—yes it would be possible to upgrade to a 1TB NAND. I'm going to guess it wasn't cost-effective to source or it was hard to find an iCloud-locked/activation-locked 1TB iPhone 15 Pro/Pro Max motherboard.
I started watching this assuming that the NAND is either slotted in or would be desoldered. Then the micrometer scale calibration gauges for the milling machine came out and I realized what was about to happen. Quality work!
If you have the equipment, it's the most consistent and least risky option. Purpose designed CNC mills are not even that expensive in terms of shop equipment, maybe 3-4k.
> KingSener is a registered trademark of our company in China, United Kingdom, United States and European Union. Our company specializes in supplying premium quality laptop batteries for global customers. We have more than 10 years experience in this industry, cost-effective products for customers and also produce customized products (OEM/ODM) as per buyers requirements.
Yes, absolutely. However, it seems to me that he is not using official Apple tools. I am familiar with them and they are similar, but they are not built by Apple. To me, they seem like a copy, and he’s not using the official Apple software to calibrate the device.
This is the new upgrade status quo. I wouldn’t do it on a phone but some hot air work on a MacBook to upgrade the SSD would not scare me at all. I did do board rework a long time ago though.
What does scare me is the software side of doing a change like that!
I once tried to replace a screen on an iPhone, and accidentally knocked a barely visible capacitor next to the connector right off the board. When I say barely visible, I’m not exaggerating. I did try to solder it back onto the board under a microscope with my cheap reflow station, but it was absolutely futile. Which is to say, as difficult as this video looks, this is being done by a person who has done similar things many times, and you’re very unlikely to be successful at this the first time around. Tread carefully.
This is impressive, but... what is so terrible about a Micro SD slot? Knowing, of course, that Apple products don't have one as a rule but my current (cheap) Android phone still does, and storage expansion is a matter of spending $30 at Costco.
If you rely on one for anything professional you know what's so terrible about a Micro SD slot.
Even pro DSLR camera bodies using top of the line Micro SD tend to fail, that's why they come with two slots that you write to in parallel.
// Also, iPhones since getting rid of SIM tray work after days to weeks under fresh or even salt water. That's harder to pull off with slots. More people need their phone to keep working after being dropped in water than really need a MicroSD slot.
Excruciatingly slow, mechanically and electrically unreliable, obscenely large. Inconsistent-to-zero quality of the inserted device leading to people complaining about how “you” lost the data on their US$3.00 card.
If you have high confidence the CNC is well-calibrated and safe to use, then milling is the better choice. There is a significant amount of resin gluing the original NAND which could rip pads when pulled, and hot air risks damaging nearby components.
GPU, Phones and Laptops are going to get chip modded. Chip modding was the process of making game consoles run any copied game. So modders would chip modify them to bypass console manufacturers' copy protection. Since other manufacturers are now selling memory expansion at higher margin rates there are going to be chip soldering possibilities.
I would have assumed as per previous iPhone models that they needed to desolder the NAND and put it into jc pro or similar in order to clone it to the new NAND. Interesting that they just grind the old one off and do a DFU restore. I wonder what was done for that process.
Are there separate radios for BT/WiFi (Apple) and LTE modem (Qualcomm)? If so, it might be possible to turn off just the LTE modem by pulling down one pin, while allowing the rest of the phone to function normally without OS/firmware modification.
WiFi can be locked to whitelisted SSIDs via Apple Configurator.
He's applying flux (appears to be a kind of rosin) by vaporizing it. Oxidation contaminates or prevents solder from joining; soldering flux (often rosin) is an acid that removes oxidation.
This is ridiculous. Apple should just include a microSD slot. Who even uses 512GB of storage on a phone? It's a stupid way to try to rip off the wealthy.
It is not ridiculous. SD slot is much slower than the built-in NAND. iPhone SSD read speeds are about 1200 MB/sec, about 500 MB/sec write. The OS is optimized to take advantage of that fast, contiguous, and reliable memory.
So what? How is that additional bandwidth relevant to 99% of phone users? All they have is photos, and most of the photos sit on internal storage for an hour before being uploaded to iCloud. UHS-III goes to 620 MB/s; that's more than enough. The OS would be fine with 100GB internal storage.
Similar to the lightning cable, generates an artificial market. Making design choices against the best interests of the customer. Not sure why anyone would be OK with that. Restricting users' options, taking advantage really.