The video omits crucial details aside from the physical act of removing the original and soldering the new NAND. I know for a fact failing to copy original details results in failure to restore iOS with specific error codes, so I wonder what this video did. I've successfully done this many times back in the iPhone 6S days where the original chip was desoldered, read by a Chinese-made reader, and finally the identifiers cloned to the new chip. I sold phones upgraded from 16GB to 128GB for a meager profit, but it was for fun.
How can the new chip work if the original chip is milled off completely? I would be surprised if you could read all necessary identifiers through iOS/USB software before milling unless the device was jailbroken and read that way. Seems like a big oversight for Apple not to implement simple countermeasures to make it a little bit harder, or that Apple would undo protections they had back in the iPhone 6S days.
Just out of curiosity, what was the fail rate for that rework?
I don't repair/upgrade iPhones or anything, and I'm an EE not a trained technician, but I do need to swap BGAs from time to time and my rework rate for 0.4mm pitch BGAs is not the best. It works say, 3 of 4 times. But compared to colleagues I'm pretty good. But that rate is way too low to run any kind of viable business, I would think.
In this situation you're doing literally the same rework over and over, which helps, and probably have equipment and stencils specific to the job, which helps.
So I'm curious what kind of success rate was achieved if you don't mind sharing.
SysCfg with serial number etc has been on a separate NOR chip for quite some time [1]. I wouldn't be surprised if Apple allowed DFU restore to initialize a blank flash as mere optimization in the production process.
Your link only lists NOR sizes for the original iPhone and the iPhone 3G and then goes on to say "iPod touch (3rd generation) and beyond -- The NOR is replaced with a dedicated partition of NAND"
... As I said... it's not enough to just plop on a new chip from somewhere else and do the standard iOS factory image restore process without extracting info from the original and putting it in the new before soldering. This information prior to the milling is omitted from the video.
There's a tool for that (many, many of them), both software-based and physical-based tools that can copy out the SysCFG block and write it into a new chunk of flash.
I’ve seen several videos by reputable fixers that demonstrate empty NANDs working fine with DFU factory restore.
Same situation on Mn MacBooks.
Would be weird in the actual mass production process if the flash would need to be pre-programmed somehow; one DFU process IMO must be able to do everything needed.
After watching a couple of videos, that works with some older versions of DFU software and not new ones. Might be an arbitrary restriction by the DFU update software rather than the hardware. I'm sure they know this and work around it of course when doing these FLASH swaps.
Also if there are two flash chips they need to be installed in a certain order. Not sure of the rationale behind that precisely. I doubt it's a hardware difference.
Me, watching video: so now they're going to desolder the original flash chip, put it into a chip programmer and copy data to the new one, resizing the file system as needed.
They: casually proceed to turn the original chip into fine dust
I had the same thought. Got a chuckle out of @challenger2205's comment[1]:
> Apple: our NAND flash is so integrated, that it's impossible to replace unless you literally machine it off the board. Surely no repair shop would do that!
The care taken can only be described as mesmerizing. If you want proof that Apple is full of it and the whole "bootleg parts can compromise security," then here it is. Apparently, a lid close sensor is a major security risk - where NAND is not?
Let’s say you travel to a foreign country that has some level of corruption in immigration.
Your devices might have or receive information their government or just some company in the country wants.
You get detained for extra questioning. Your belongings get taken for review.
What parts could a reasonably skilled person quickly replace in less than 30 minutes that would compromise security? THOSE are the parts they’re worried about.
The threat model of someone trying to secretly grind off and replace your NAND without your knowledge is what, exactly?
That's cherry-picking an intentionally silly example. Replacing the NAND is within the realm of possibility for an evil maid, and even more likely prior to a resale.
Now, considering that the lid close sensor DRM leaves the laptop in the state that a hostile entity would want (including your example) - the laptop doesn't automatically lock, what is the security argument there?
> Apparently, a lid close sensor is a major security risk - where NAND is not?
Nobody sane would ever try to design a secure system that trusted commodity NAND parts. Secure boot and encrypted storage are literally the first things to tackle when trying to secure/lock down a device against hardware-based attacks.
And isn't the lid sensor issue more a matter of calibration rather than a security measure?
Yeah I guess I shouldn’t be surprised but the depth of that mill has to be fairly precise to not rip into the pads but still remove enough of the nand package. Very impressive - looked pretty straightforward after the jig is set up.
This is cool, no doubt about that. And fascinating due to the sheer complexity and amount of fine detail work required. But. Uh. For all that work, Why not upgrade it to an amount of storage you couldn’t otherwise get? Or at least max it out?
>Why not upgrade it to an amount of storage you couldn’t otherwise get
He's running a repair shop, so used market.
>But. Uh. For all that work
The difference between 128GB and 512GB on the used iPhone 15 market is $200+. he's probably buying the 512GB NAND IC for $25-40. If you're a repair shop you already have all the needed tools and jigs except the maybe the CNC mill, which is about $3-4K. The only things we don't know is how long it takes and the failure rate, but the process (especially the CNC milling part) looks pretty consistent and repeatable, so I'd not be surprised to learn he's profiting off this.
I was mistaken—yes it would be possible to upgrade to a 1TB NAND. I'm going to guess it wasn't cost-effective to source or it was hard to find an iCloud-locked/activation-locked 1TB iPhone 15 Pro/Pro Max motherboard.
I started watching this assuming that the nand is either slotted in or would be de-sodered. Then the micrometer scale calibration gauges for the milling machine came out and I realized what was about to happen. Quality work!
If you have the equipment, it's the most consistent and least risky option. Purpose designed CNC mills are not even that expensive in terms of shop equipment, maybe 3-4k.
> KingSener is a registered trademark of our company in China, United Kingdom, United States and European Union. Our company specializes in supplying premium quality laptop batteries for global customers. We have more than 10 years experience in this industry,cost-effective products for customers and also produce customized products (OEM/ODM) as per buyers requirements.
Yes, absolutely. However, it seems to me that he is not using official Apple tools. I am familiar with them and they are similar, but they are not built by Apple. To me, they seem like a copy, and he’s not using the official Apple software to calibrate the device.
This is the new upgrade status quo. I wouldn’t do it on a phone but some hot air work on a MacBook to upgrade the SSD would not scare me at all. I did do board rework a long time ago though.
What does scare me is the software side of doing a change like that!
I once tried to replace a screen on an iPhone, and accidentally knocked a barely visible capacitor next to the connector right off the board. When I say barely visible, I’m not exaggerating. I did try to solder it back onto the board under a microscope with my cheap reflow station, but it was absolutely futile. Which is to say, as difficult as this video looks, this is being done by a person who has done similar things many times, and you’re very unlikely to be successful at this the first time around. Tread carefully.
This is impressive, but... what is so terrible about a Micro SD slot? Knowing, of course, that Apple products don't have one as a rule but my current (cheap) Android phone still does, and storage expansion is a matter of spending $30 at Costco.
If you rely on one for anything professional you know what's so terrible about a Micro SD slot.
Even pro DSLR camera bodies using top of the line Micro SD tend to fail, that's why they come with two slots that you write to in parallel.
// Also, iPhones since getting rid of SIM tray work after days to weeks under fresh or even salt water. That's harder to pull off with slots. More people need their phone to keep working after dropped in water than really need a MicroSD slot.
Excruciatingly slow, mechanically and electrically unreliable, obscenely large. Inconsistent-to-zero quality of the inserted device leading to people complaining about how “you” lost the data on their US$3.00 card.
If you have high confidence the CNC is well-calibrated and safe to use, then milling is the better choice. There is a significant amount of resin gluing the original NAND which could rip pads when pulled, and hot air risks damaging nearby components.
GPU, Phones and Laptops are going to get chip modded. Chip modding was the process of making game consoles run any copied game. So modders would chip modify them to bypasss console manufacturers copy protection. Since other manufacturers are now selling memory expansion at highers margin rate there are going to be chip soldering possibilities.
I would have assumed as per previous iphone models that they needed to desolder the nand and put it into jc pro or similar in order to clone it to the new nand. Interesting that they just grind the old one off and do a dfu restore. I wonder what was done for that process.
Are there separate radios for BT/WiFi (Apple) and LTE modem (Qualcomm)? If so, it might be possible to turn off just the LTE modem by pulling down one pin, while allowing the rest of the phone to function normally without OS/firmware modification.
WiFi can be locked to whitelisted SSIDs via Apple Configurator.
He's applying flux (appears to be a kind of rosin) by vaporizing it. Oxidation contaminates or prevents solder from joining, soldering flux (often rosin) is an acid that removes oxidation.
This is ridiculous Apple should just include a microSD slot. Who even uses 512GB of storage on a phone? It's a stupid way to try to rip off the wealthy.
It is not ridiculous. SD slot is much slower than the built-in NAND. iPhone SSD read speeds are about 1200 MB/sec, about 500 MB/sec write. The OS is optimized to take advantage of that fast, contiguous, and reliable memory.
So what? How is that additional bandwidth relevant to 99% of phone users? All they have is photos, and most of the photos sit on internal storage for an hour before being uploaded to iCloud. UHS-III goes to 620 MB/s that's more than enough. The OS would be fine with 100GB internal storage
Similar to the lightning cable, generates an artificial market. Making design choices against the best interests of the customer. Not sure why anyone would be Ok w that. Restricting users options, taking advantage really
The video omits crucial details aside from the physical act of removing the original and soldering the new NAND. I know for a fact failing to copy original details results in failure to restore iOS with specific error codes, so I wonder what this video did. I've successfully done this many times back in the iPhone 6S days where the original chip was desoldered, read by a Chinese-made reader, and finally the identifiers cloned to the new chip. I sold phones upgraded from 16GB to 128GB for a meager profit, but it was for fun.
How can the new chip work if the original chip is milled off completely? I would be surprised if you could read all necessary identifiers through iOS/USB software before milling unless the device was jailbroken and read that way. Seems like a big oversight for Apple not to implement simple countermeasures to make it a little bit harder, or that Apple would undo protections they had back in the iPhone 6S days.
Just out of curiosity, what was the fail rate for that rework?
I don't repair/upgrade iPhones or anything, and I'm an EE not a trained technician, but I do need to swap BGAs from time to time and my rework rate for 0.4mm pitch BGAs is not the best. It works say, 3 of 4 times. But compared to colleagues I'm pretty good. But that rate is way too low to run any kind of viable business, I would think.
In this situation you're doing literally the same rework over and over, which helps, and probably have equipment and stencils specific to the job, which helps.
So I'm curious what kind of success rate was achieved if you don't mind sharing.
SysCfg with serial number etc has been on a separate NOR chip for quite some time [1]. I wouldn't be surprised if Apple allowed DFU restore to initialize a blank flash as mere optimization in the production process.
[1] https://www.theiphonewiki.com/wiki/NOR
Your link only lists NOR sizes for the original iPhone and the iPhone 3G and then goes on to say "iPod touch (3rd generation) and beyond -- The NOR is replaced with a dedicated partition of NAND"
I suspect they intentionally skipped that part because it contains "proprietary" techniques they don't want to make public.
Security though obscurity is...
A widely misunderstood concept, seldom applied where it is relevant
... commonly referred to as a "trade secret".
https://en.m.wikipedia.org/wiki/Trade_secret
They show it getting restored to factory image.
... As I said... it's not enough to just plop on a new chip from somewhere else and do the standard iOS factory image restore process without extracting info from the original and putting it in the new before soldering. This information prior to the milling is omitted from the video.
https://www.aliexpress.us/item/3256804472885970.html
There's a tool for that (many, many of them), both software-based and physical-based tools that can copy out the SysCFG block and write it into a new chunk of flash.
I’ve seen several videos by reputable fixers that demonstrate empty NANDs working fine with DFU factory restore. Same situation on Mn MacBooks.
Would be weird in the actual mass production process if the flash would need to be pre-programmed somehow; one DFU process IMO must be able to do everything needed.
After watching a couple of videos, that works with some older versions of DFU software and not new ones. Might be an arbitrary restriction by the DFU update software rather than the hardware. I'm sure they know this and work around it of course when doing these FLASH swaps.
Also if there are two flash chips they need to be installed in a certain order. Not sure of the rationale behind that precisely. I doubt it's a hardware difference.
> read by a Chinese-made reader, and finally the identifiers cloned to the new chip
sounds like a national security threat to me
Maybe save worrying about that until Apple phones aren't actually being manufactured in China?
https://www.solveyourtech.com/uncovering-where-iphones-are-m...
Me, watching video: so now they're going to desolder the original flash chip, put it into a chip programmer and copy data to the new one, resizing the file system as needed.
They: casually proceed to turn the original chip into fine dust
I had the same thought. Got a chuckle out of @challenger2205's comment[1]:
> Apple: our NAND flash is so integrated, that it's impossible to replace unless you literally machine it off the board. Surely no repair shop would do that!
> The repair shop: https://www.youtube.com/watch?v=JbSDdU8bJI0&t=324s
[1] https://www.youtube.com/watch?v=JbSDdU8bJI0&lc=Ugxs-u-AdfmJn...
Now that's what I call secure erase.
The care taken can only be described as mesmerizing. If you want proof that Apple is full of it and the whole "bootleg parts can compromise security," then here it is. Apparently, a lid close sensor is a major security risk - where NAND is not?
Let’s say you travel to a foreign country that has some level of corruption in immigration.
Your devices might have or receive information their government or just some company in the country wants.
You get detained for extra questioning. Your belongings get taken for review.
What parts could a reasonably skilled person quickly replace in less than 30 minutes that would compromise security? THOSE are the parts they’re worried about.
The threat model of someone trying to secretly grind off and replace your NAND without your knowledge is what, exactly?
That's cherry-picking an intentionally silly example. Replacing the NAND is within the realm of possibility for an evil maid, and even more likely prior to a resale.
Now, considering that the lid close sensor DRM leaves the laptop in the state that a hostile entity would want (including your example) - the laptop doesn't automatically lock, what is the security argument there?
> Apparently, a lid close sensor is a major security risk - where NAND is not?
Nobody sane would ever try to design a secure system that trusted commodity NAND parts. Secure boot and encrypted storage are literally the first things to tackle when trying to secure/lock down a device against hardware-based attacks.
And isn't the lid sensor issue more a matter of calibration rather than a security measure?
I mostly admire their patience. Can imagine flipping a table or two during this process.
Cool. Haven't seen anyone doing precision chip removal with a CNC mill/router before, but it makes sense for this situation and was done well. :)
This was amazing to me. I'll think about it next time I'm trying to desolder something with hot air and solder wick like a chump.
The specialised fixture for the board was impressive, too!
Yeah I guess I shouldn’t be surprised but the depth of that mill has to be fairly precise to not rip into the pads but still remove enough of the nand package. Very impressive - looked pretty straightforward after the jig is set up.
I have seen HDD disks destroyed for security, but this took it to another level.
This is cool, no doubt about that. And fascinating due to the sheer complexity and amount of fine detail work required. But. Uh. For all that work, Why not upgrade it to an amount of storage you couldn’t otherwise get? Or at least max it out?
>Why not upgrade it to an amount of storage you couldn’t otherwise get
He's running a repair shop, so used market.
>But. Uh. For all that work
The difference between 128GB and 512GB on the used iPhone 15 market is $200+. he's probably buying the 512GB NAND IC for $25-40. If you're a repair shop you already have all the needed tools and jigs except the maybe the CNC mill, which is about $3-4K. The only things we don't know is how long it takes and the failure rate, but the process (especially the CNC milling part) looks pretty consistent and repeatable, so I'd not be surprised to learn he's profiting off this.
Because... When you bought the phone 2 years ago you didn't anticipate you would need more than 128GB of storage?
I think they mean with the new chip, not the initial purchase. Eg. putting 4TB into the phone instead of 500GB.
-
But Apple sells a 1TB version of the iPhone 15 Pro. Are you saying the 1TB version uses a different motherboard?
I was mistaken—yes it would be possible to upgrade to a 1TB NAND. I'm going to guess it wasn't cost-effective to source or it was hard to find an iCloud-locked/activation-locked 1TB iPhone 15 Pro/Pro Max motherboard.
I started watching this assuming that the nand is either slotted in or would be de-sodered. Then the micrometer scale calibration gauges for the milling machine came out and I realized what was about to happen. Quality work!
Definitely a "wait where is this going" moment.
Had no idea CNCing away BGA chips is a thing
If you have the equipment, it's the most consistent and least risky option. Purpose designed CNC mills are not even that expensive in terms of shop equipment, maybe 3-4k.
This is a joy to watch.
And this person had better stay anonymous. If Apple knew their identity, they'd be excommunicated on the spot.
It's a company with a website, https://www.batterymall.com, described on their YouTube channel:
> KingSener is a registered trademark of our company in China, United Kingdom, United States and European Union. Our company specializes in supplying premium quality laptop batteries for global customers. We have more than 10 years experience in this industry,cost-effective products for customers and also produce customized products (OEM/ODM) as per buyers requirements.
Yes, absolutely. However, it seems to me that he is not using official Apple tools. I am familiar with them and they are similar, but they are not built by Apple. To me, they seem like a copy, and he’s not using the official Apple software to calibrate the device.
The end of the video seems to show the hardware mac address for the phone, so it probably wouldn't take too much effort for Apple to figure out.
This is the new upgrade status quo. I wouldn’t do it on a phone but some hot air work on a MacBook to upgrade the SSD would not scare me at all. I did do board rework a long time ago though.
What does scare me is the software side of doing a change like that!
At 5 minutes is when it shifts gears from the merely brave/experienced.
I once tried to replace a screen on an iPhone, and accidentally knocked a barely visible capacitor next to the connector right off the board. When I say barely visible, I’m not exaggerating. I did try to solder it back onto the board under a microscope with my cheap reflow station, but it was absolutely futile. Which is to say, as difficult as this video looks, this is being done by a person who has done similar things many times, and you’re very unlikely to be successful at this the first time around. Tread carefully.
This is impressive, but... what is so terrible about a Micro SD slot? Knowing, of course, that Apple products don't have one as a rule but my current (cheap) Android phone still does, and storage expansion is a matter of spending $30 at Costco.
If you rely on one for anything professional you know what's so terrible about a Micro SD slot.
Even pro DSLR camera bodies using top of the line Micro SD tend to fail, that's why they come with two slots that you write to in parallel.
// Also, iPhones since getting rid of SIM tray work after days to weeks under fresh or even salt water. That's harder to pull off with slots. More people need their phone to keep working after dropped in water than really need a MicroSD slot.
Excruciatingly slow, mechanically and electrically unreliable, obscenely large. Inconsistent-to-zero quality of the inserted device leading to people complaining about how “you” lost the data on their US$3.00 card.
That's why I do pay $30 at Costco, where it is exceedingly likely that the Sandisk memory card actually is one.
Cool, anybody doing that to macbooks, which are much more storage constrained?
Since the early M1 days I saw such scenarios of upgrading RAM and SSD, https://www.youtube.com/watch?v=kDNtSqa_i2A
But I’ve never saw a real service that offers that or anything after M1 (I didn’t look though)
Yes there's one in Canada, much cheaper than Apple: https://vancouvermac.ca
Why did he mill the NAND rather than removing it using his hot air station?
If you have high confidence the CNC is well-calibrated and safe to use, then milling is the better choice. There is a significant amount of resin gluing the original NAND which could rip pads when pulled, and hot air risks damaging nearby components.
GPU, Phones and Laptops are going to get chip modded. Chip modding was the process of making game consoles run any copied game. So modders would chip modify them to bypasss console manufacturers copy protection. Since other manufacturers are now selling memory expansion at highers margin rate there are going to be chip soldering possibilities.
Wikipedia modchip https://en.m.wikipedia.org/wiki/Modchip
Super impressive to watch, person clearly knows what they’re doing.
But saving $200 to then need to expend this effort seems hardly worth it, never mind that it likely voids the warranty.
Maybe if it was already a few years old it might be worth it.
I suspect the video is to show off expertise rather than advertise this as a particular service they could economically offer.
I would have assumed as per previous iphone models that they needed to desolder the nand and put it into jc pro or similar in order to clone it to the new nand. Interesting that they just grind the old one off and do a dfu restore. I wonder what was done for that process.
What a lot of mucking about. With a microSD card it's done in seconds.
It only took me several seconds to put a 512GB SD card in my Moto phone.
MicroSD is much worse performance than eMMC.
Can an iPhone work as an iPod with better screen/storage/battery, if the LTE radio is removed?
In theory, it would be possible.
In practice(as a bare minimum):
- you need to patch the firmware for the new display
- patch out the radio
- ? patch battery capacity or re-init
Not sure how much of the patching part is possible atm.
Are there separate radios for BT/WiFi (Apple) and LTE modem (Qualcomm)? If so, it might be possible to turn off just the LTE modem by pulling down one pin, while allowing the rest of the phone to function normally without OS/firmware modification.
WiFi can be locked to whitelisted SSIDs via Apple Configurator.
It can do this without even removing the LTE radio.
No need to remove it. Just turn off the LTE radio in settings.
What's going on around 7:40 when it looks like something is being vaporized onto the new chip?
He's applying flux (appears to be a kind of rosin) by vaporizing it. Oxidation contaminates or prevents solder from joining, soldering flux (often rosin) is an acid that removes oxidation.
Can he do the same on my GPU?
This is ridiculous Apple should just include a microSD slot. Who even uses 512GB of storage on a phone? It's a stupid way to try to rip off the wealthy.
It is not ridiculous. SD slot is much slower than the built-in NAND. iPhone SSD read speeds are about 1200 MB/sec, about 500 MB/sec write. The OS is optimized to take advantage of that fast, contiguous, and reliable memory.
Just tested my iPhone 15 Pro Max. Read 1600 MB/s, write 1017 MB/s.
Sequential, 512 MB test size, 65536 test count.
So what? How is that additional bandwidth relevant to 99% of phone users? All they have is photos, and most of the photos sit on internal storage for an hour before being uploaded to iCloud. UHS-III goes to 620 MB/s that's more than enough. The OS would be fine with 100GB internal storage
Similar to the lightning cable, generates an artificial market. Making design choices against the best interests of the customer. Not sure why anyone would be Ok w that. Restricting users options, taking advantage really
Do UHS-III microSD cards actually exist?