SPI flash read command causes chip erase due to invalid file path

General
1

I recently got a BP 5 rev 10. I was super enthused to extract some firmware after reading the setup instructions and the device demo guide (W25QXXX NOR Flash Chips SPI). I had updated the BP 5 firmware, reset/restarted, and run the self-test before any attempts. My BP 5 has firmware version 3c14168.

One target has a Macronix chip. I connected most of the probe hooks to the Macronix MX25L12833F chip (in-circuit but powered off). Since I was dumping the flash chip, I did not connect a wire from the bus pirate to the WP pin. Also, there is a pull-up resistor (on the PCB) connected to the WP pin. I thought my setup would work to dump the firmware.

From the device demo guide, I first ran the basic SPI commands and flash probe. Those commands were successful. Then I ran the flash read command with option -f filename.bin . Then disaster happens. The command executes normally until the following output (not exact but very similar). I was up too late and did not save the output with the exact error text.

Erasing ...
Erase OK
Invalid path or error invalid path

I ran flash read -f multiple times adjusting the file path (/filename.bin, ./filename.bin) and each time the command output

Erasing ...
Erase OK
Invalid path or error invalid path

until making a directory and setting the file path as dir-name/filename.bin. The flash read command then executed without error and dumped the complete chip contents. Checking the dumped file with binwalk, I found the chip had been erased. It must have been erased each time the invalid path error occurred. This is a time you wish you had tested your tool and method first on junk hardware instead of something high value. Part is my own fault, but it is hard to understand how the command for reading flash accidentally triggered a complete erase. If I had connected a BP wire to the WP pin (set according to the datasheet), that should have blocked erasing. The BP hw, sw, & docs are quite good overall. Flash read needs a code update to fix the invalid path error. Also, if the top level / cannot be saved to by the user, please consider updating the BP docs on saving files.

2 Likes
2

For reference, here is the BP terminal output before the invalid path error occured.

SPI speed                                                                                                                                                 
 1 to 62500kHz                                                                                                                                            
 x. Exit                                                                                                                                                  
kHz (100kHz*) > 100                                                                                                                                       
Data bits                                                                                                                                                 
 4 to 8 bits                                                                                                                                              
 x. Exit                                                                                                                                                  
Bits (8*) > 8                                                                                                                                             
Clock polarity                                                                                                                                            
 1. Idle LOW*                                                                                                                                             
 2. Idle HIGH                                                                                                                                             
 x. Exit                                                                                                                                                  
Polarity (1) > 1                                                                                                                                          
Clock phase                                                                                                                                               
 1. LEADING edge*                                                                                                                                         
 2. TRAILING edge                                                                                                                                         
 x. Exit                                                                                                                                                  
Phase (1) > 1                                                                                                                                             
Chip select                                                                                                                                               
 1. Active HIGH (CS)                                                                                                                                      
 2. Active LOW (/CS)*                                                                                                                                     
 x. Exit                                                                                                                                                  
CS (2) > 2                                                                                                                                                
Actual speed: 99kHz                                                                                                                                       
SPI>  W 3.3                                                                                                                                               
3.30V requested, closest value: 3.30V                                                                                                                     
300.0mA requested, closest value: 300.0mA                                                                                                                 
Undervoltage limit: 2.96V (10%)                                                                                                                           
                                                                                                                                                          
Power supply:  Enabled                                                                                                                                    
Vreg output: 3.3V, Vref/Vout pin: 3.3V, Current: 4.3mA                                                                                                    
                                                                                                                                                          
SPI>  [0x90 0x00:3 r:2]                                                                                                                                   
                                                                                                                                                          
CS Enabled                                                                                                                                                
TX: 0x90 0x00 0x00 0x00                                                                                                                                   
RX: 0xC2 0x17                                                                                                                                             
CS Disabled                                                                                                                                               
SPI>  [0x5A 0x00:3 0x00 r:8]                                                                                                                              
                                                                                                                                                          
CS Enabled                                                                                                                                                
TX: 0x5A 0x00 0x00 0x00 0x00                                                                                                                              
RX: 0x53 0x46 0x44 0x50 0x06 0x01 0x02 0xFF                                                                                                               
                                                                                                                                                          
CS Disabled                                                                                                                                                                                                                                                                           
                                                                                                                                                          
SPI>  flash probe                                                                                                                                         
                                                                                                                                                          
Initializing SPI flash...                                                                                                                                 
Flash device manufacturer ID 0xC2, type ID 0x20, capacity ID 0x18                                                                                         
SFDP V1.6, 2 parameter headers                                                                                                                            
                Type            Ver.    Length  Address                                                                                                   
Table 0         JEDEC (0x00)    1.6     64B     0x000030                                                                                                  
JEDEC basic flash parameter table info:                                                                                                                   
MSB-LSB  3    2    1    0                                                                                                                                 
[0001] 0xFF 0xF1 0x20 0xE5                                                                                                                                
[0002] 0x07 0xFF 0xFF 0xFF                                                                                                                                
[0003] 0x6B 0x08 0xEB 0x44                                                                                                                                
[0004] 0xBB 0x04 0x3B 0x08                                                                                                                                
[0005] 0xFF 0xFF 0xFF 0xFE                                                                                                                                
[0006] 0xFF 0x00 0xFF 0xFF                                                                                                                                
[0007] 0xEB 0x44 0xFF 0xFF                                                                                                                                
[0008] 0x52 0x0F 0x20 0x0C                                                                                                                                
[0009] 0xFF 0x00 0xD8 0x10                                                                                                                                
4 KB Erase is supported throughout the device (instruction 0x20)                                                                                          
Write granularity is 64 bytes or larger                                                                                                                   
Flash status register is non-volatile                                                                                                                     
3-Byte only addressing                                                                                                                                    
Capacity is 16777216 Bytes                                                                                                                                
Flash device supports 4KB block erase (instruction 0x20)                                                                                                  
Flash device supports 32KB block erase (instruction 0x52)                                                                                                 
Flash device supports 64KB block erase (instruction 0xD8)                                                                                                 
Found a Macronix  flash chip (16777216 bytes)                                                                                                             
Flash device reset success                                                                                                                                
Probing:                                                                                                                                                  
                Device ID       Manuf ID        Type ID         Capacity ID                                                                               
RESID (0xAB)    0x17                                                                                                                                      
REMSID (0x90)   0x17            0xc2                                                                                                                      
RDID (0x9F)                     0xc2            0x20            0x18                                                                                      
                                                                                                                                                          
SFDP (0x5A): found 0x50444653 "PDFS"                                                                                                                      
 Version: 1.6                                                                                                                                             
 Headers: 3                                                                                                                                               
                                                                                                                                                          
**Param Table 0**                                                                                                                                         
                Type            Ver.    Length  Address                                                                                                   
Table 0         JEDEC (0x00)    1.6     64      0x000030                                                                                                  
                                                                                                                                                          
MSB-LSB  3    2    1    0                                                                                                                                 
[0001] 0xFF 0xF1 0x20 0xE5                                                                                                                                
[0002] 0x07 0xFF 0xFF 0xFF                                                                                                                                
[0003] 0x6B 0x08 0xEB 0x44                                                                                                                                
[0004] 0xBB 0x04 0x3B 0x08                                                                                                                                
[0005] 0xFF 0xFF 0xFF 0xFE                                                                                                                                
[0006] 0xFF 0x00 0xFF 0xFF                                                                                                                                
[0007] 0xEB 0x44 0xFF 0xFF                                                                                                                                
[0008] 0x52 0x0F 0x20 0x0C                                                                                                                                
[0009] 0xFF 0x00 0xD8 0x10                                                                                                                                
[0010] 0x00 0xBD 0x41 0x82                                                                                                                                
[0011] 0xC6 0x7B 0xE5 0x81                                                                                                                                
[0012] 0x38 0x67 0x03 0x44                                                                                                                                
[0013] 0xB0 0x30 0xB0 0x30                                                                                                                                
[0014] 0x5C 0xD5 0xBD 0xF7                                                                                                                                
[0015] 0xFF 0x29 0xBE 0x4A                                                                                                                                
[0016] 0xFF 0xFF 0xD0 0xE1                                                                                                                                
                                                                                                                                                          
Density: 16777216 bytes                                                                                                                                   
Address bytes: 3                                                                                                                                          
Write granularity:>=64B                                                                                                                                   
Write Enable Volatile: 0                                                                                                                                  
Write Enable instruction: 0x50                                                                                                                            
4K erase instruction: 0x20                                                                                                                                
                                                                                                                                                          
Fast read:      1-1-2   1-1-4   1-2-2   1-4-4   2-2-2   4-4-4                                                                                             
Instruction:    0x3b    0x6b    0xbb    0xeb    --      0xeb                                                                                              
Wait states:    8       8       4       4       0       4                                                                                                 
Mode clocks:    0       0       0       4       0       4                                                                                                 
                                                                                                                                                          
Erase:          1       2       3       4                                                                                                                 
Instruction:    0x20    0x52    0xd8    0xff                                                                                                              
Size:           4K      32K     64K     1B                                                                                                                
                                                                                                                                                          
**Param Table 1**                                                                                                                                         
                Type            Ver.    Length  Address                                                                                                   
Table 1         manuf (0xc2)    1.0     16      0x000110                                                                                                  
                                                                                                                                                          
MSB-LSB  3    2    1    0                                                                                                                                 
[0001] 0x27 0x00 0x36 0x00                                                                                                                                
[0002] 0x64 0xC0 0xF9 0x9D                                                                                                                                
[0003] 0xFF 0xFF 0xCB 0x85                                                                                                                                
[0004] 0xFF 0xFF 0xFF 0xFF                                                                                                                                
                                                                                                                                                          
VCC min: 2700mV                                                                                                                                           
VCC max: 3600mV                                                                                                                                           
/Reset pin: Y                                                                                                                                             
/Hold pin: -                                                                                                                                              
Deep Power Down (DPDM): Y                                                                                                                                 
SW reset: Y (instruction 0x99)                                                                                                                            
Suspend/Resume program: Y                                                                                                                                 
Suspend/Resume erase: Y                                                                                                                                   
Wrap Read mode: Y (instruction 0xc0, length 100)                                                                                                          
Individual block lock: Y (nonvolatile -, instruction 0xe1, default 0)                                                                                     
Secured OTP: Y                                                                                                                                            
Read lock: -                                                                                                                                              
Permanent lock: -                                                                                                                                         
                                                                                                                                                          
**Param Table 2**                                                                                                                                         
                Type            Ver.    Length  Address                                                                                                   
Table 2         manuf (0x84)    1.0     8       0x0000c0                                                                                                  
                                                                                                                                                          
MSB-LSB  3    2    1    0                                                                                                                                 
[0001] 0xFF 0xFF 0x00 0x00                                                                                                                                
[0002] 0xFF 0xFF 0xFF 0xFF                                                                                                                                
                                                                                                                                                          
VCC min: ffffmV                                                                                                                                           
VCC max: 0000mV                                                                                                                                           
/Reset pin: Y                                                                                                                                             
/Hold pin: Y                                                                                                                                              
Deep Power Down (DPDM): Y                                                                                                                                 
SW reset: Y (instruction 0xff)                                                                                                                            
Suspend/Resume program: Y                                                                                                                                 
Suspend/Resume erase: Y                                                                                                                                   
Wrap Read mode: Y (instruction 0xff, length 255)                                                                                                          
Individual block lock: Y (nonvolatile -, instruction 0xe1, default 0)                                                                                     
Secured OTP: Y                                                                                                                                            
Read lock: -                                                                                                                                              
Permanent lock: -
1 Like
3

Hi @xcoder Iā€™m sorry about the issue, thank you for reporting it.

As I understand it, you had an issue with the file path/name error that led to the chip being erased while you were trying to read it? And you are unable to save to the root of storage?

Dumping to filename.bin...
[-------------------C]
Dump OK
Dumping to ./filename.b...
[-------------------C]
Dump OK
Dumping to /filename.bi...
[-------------------C]
Dump OK

I tried several iterations of ./,/,filename.bin and all were successful.

   1048576 filename.bin
   1048576 filename.b
   1048576 filename.bi

Though because of file name restrictions only the first 13 characters are used.

SPI> flash read -f
Missing file name (-f)

SPI> flash read -f /path/to/really/long/file.bin
...
Dumping to /path/to/rea...
Error: path not found

Tested with very long path and no file in the name.

    if (flash_action == FLASH_ERASE || erase_flag || flash_action == FLASH_TEST) {
        if (!spiflash_erase(&flash_info)) {
            goto flash_cleanup;
        }
        if (verify_flag || flash_action == FLASH_TEST) {
            if (!spiflash_erase_verify(start_address, end_address, sizeof(data), data, &flash_info)) {
                goto flash_cleanup;
            }
        }
    }

In the flash command, the only path to erase is:

  • Explicit: flash erase
  • As part of a test: flash test
  • As part of a command with the -e flag: flash write -e

Is it possible you may have hit -e instead of -f?

    if (flash_action == FLASH_ERASE || (erase_flag && FLASH_WRITE) || flash_action == FLASH_TEST) {

I updated the erase check to ensure -e is only valid with a write operation. This should stop any accidental -e operations during read and verify operations.

If you still have issues saving to the root of the storage, Iā€™d suggest backing up the contents and then running format to get a fresh file system.

4 
SPI> flash read -f /path/to/really/long/file.bin -e
...
Erasing flash...
Erase OK
Dumping to /path/to/rea...
Error: path not found

If I add -e with invalid path I get something similar.

SPI> flash read -f file.bin -e
...
Erase OK
Dumping to file.bin...
[-------------------C]
Dump OK

With -e and read to root of storage. This combination of read and erase is no longer allowed in the latest firmware I pushed.

SPI> flash read -e /path/to/really/long/file.bin
Missing file name (-f)

If I accidentally hit -e instead of -f it throws a missing file flag error.

5

maybe add a output that tells that erase doesnt make sense while reading and the flag dropped

1 Like
6

Hi @ian, I appreciate your effort to reproduce the error and update the code.

As I understand it, you had an issue with the file path/name error that led to the chip being erased while you were trying to read it? And you are unable to save to the root of storage?

yes and yes but only saving to root of storage via flash read -f
I didnā€™t know there is a restriction of 13 characters on the length. Thanks

When the invalid path error occurred, I am pretty certain that I only typed -f followed by name.bin. I do not remember seeing -e in my input command. The error you produced is similar (Erasing flash ā€¦ and Erase OK) to what I got but not the same because ā€œinvalidā€ was part of my error text. What flash chip did you use to test flash read with above? Maybe this invalid path error occurs with some flash chip models but not all.

Your code revision may have fixed this problem unless there is an erase route in goto flash_cleanup. Is there a way to log more detail during execution, or what debug software do you use? I could connect my device to the bus pirate again to see if the invalid path error occurs with the same firmware and the new version you pushed.

1 Like
7

Good suggestion, done.

I used a Winbond and Puya chip to test, but it shouldnā€™t matter. The invalid path is an error about the Bus Pirateā€™s internal NAND storage, nothing to do with the flash chip

flash_cleanup:
    //we manually control any FALA capture
    fala_stop_hook();
    fala_notify_hook();

Cleanup simply disables the follow along logic analyzer.

I guess the next step is to try to reproduce the error on your Bus Pirate with current firmware. Try to read the chip to a file in the root directory. Then try the most recent firmware. Post all the output here.

8

Does it make sense to add a ā€œAre you sure?ā€ before an erase occurs?

You could add some flag to disable the extra check, perhaps a -i to ignore the warning.

2 Likes
9

I am very afraid to use test one day, instead of probe and delete the whole thing ā€¦

See Command Reference | Bus Pirate Docs

This question would help a lot. If I would ignore this question and overwrite anyway, the error is I am too tired.

It would be still bad, but at least I would complain about myself, not about the BusPirate;)

2 Likes
10 
SPI> flash erase
This action may modify the SPI flash contents. Do you want to continue?
y/n> n
Aborted by user

SPI> flash erase -y

Initializing SPI flash...

Yes/no prompt now required for destructive action. Override with the -y flag.

Firmware pushed and docs updated.

3 Likes
11

Very nice. This is a very good security feature!

1 Like
12

I also added it to the various EEPROM commands :slight_smile:

1 Like
13

I reproduced the original error (invalid path) with the same firmware version 3c14168. Ian had mentioned the restriction on path/name length. A couple days later, I remembered reading that the BP5 storage is formatted as FAT16, which is why the length has to be short. I realized on the first run of flash read -f , I had typed a filename of about 15 characters. Previously I thought flash read only worked after I made a folder, but it was actually because I happened to use a short directory name and short file name.

I ran several tests to show the invalid path error and successful command execution. All tests were saving the file to the root storage level. I also ran the BP5 in legacy binary mode (binmode 5). I dumped the firmware from the same flash chip using flashrom. I compared checksums for md5, sha256, and sha512. Checksums from BP flash read matched those from flashrom.

The BP firmware is greatly improved with the question to confirm before erasing and the block on using option -e with the read command. I trust using the BP more with those updates.

1 Like
14

BP5 firmware version and SPI configuration:

HiZ>  i                                                                                                                                                                                                                    
Bus Pirate 5 REV10                                                                                                  
https://BusPirate.com/                                                                                              
Firmware main branch @ 3c14168 (Jan 20 2026 12:52:40)                                                               
RP2040 with 264KB RAM, 128Mbit FLASH     
...

HiZ> m spi                                                                                                          
                                                                                                                    
Mode: SPI                                                                                                           
                                                                                                                    
Use previous settings?                                                                                              
 SPI speed: 100 kHz                                                                                                 
 Data bits: 8                                                                                                       
 Clock polarity: Idle LOW                                                                                           
 Clock phase: LEADING edge                                                                                          
 Chip select: Active LOW (/CS)                                                                                      
                                                                                                                    
y/n, x to exit (Y) > y                                                                                              
                                                                                                                    
SPI>  W                                                                                                             
Power supply                                                                                                        
Volts (0.80V-5.00V)                                                                                                 
x to exit (3.30) > 2.7                                                                                              
Maximum current (1mA-500mA), 0 for unlimited                                                                        
x to exit (300.00) > 500                                                                                            
2.70V requested, closest value: 2.70V                                                                               
500.0mA requested, closest value: 500.0mA                                                                           
Undervoltage limit: 2.42V (10%)                                                                                     
                                                                                                                    
Power supply:  Enabled                                                                                              
Vreg output: 2.7V, Vref/Vout pin: 2.7V, Current: 67.7mA                                                             
                                                                                                                    
SPI>  a 2                                                                                                           
IO2 set to OUTPUT: 0

Here are two tests showing the invalid path error from flash read -f with file names that are too long (exceed 8.3 format). Note that during these tests, I enabled the WP pin on the flash chip, and as a result, the erase was blocked. However, I am certain that with the WP pin disabled, firmware 3c14168 would have executed the erase code (showing Erasing flashā€¦ and Erase OK).

SPI>  flash read -f x123456789abcdef.bin                                                                            
                                                                                                                    
Initializing SPI flash...                                                                                           
Flash device manufacturer ID 0xC2, type ID 0x20, capacity ID 0x10                                                   
SFDP V1.0, 1 parameter headers                                                                                      
                Type            Ver.    Length  Address                                                             
Table 0         JEDEC (0x00)    1.0     36B     0x000030                                                            
JEDEC basic flash parameter table info:                                                                             
MSB-LSB  3    2    1    0                                                                                           
[0001] 0xFF 0x81 0x20 0xE5                                                                                          
[0002] 0x00 0x07 0xFF 0xFF                                                                                          
[0003] 0xFF 0x00 0xFF 0x00                                                                                          
[0004] 0xFF 0x00 0x3B 0x08                                                                                          
[0005] 0xFF 0xFF 0xFF 0xEE                                                                                          
[0006] 0xFF 0x00 0xFF 0xFF                                                                                          
[0007] 0xFF 0x00 0xFF 0xFF                                                                                          
[0008] 0xD8 0x10 0x20 0x0C                                                                                          
[0009] 0xFF 0x00 0xFF 0x00                                                                                          
4 KB Erase is supported throughout the device (instruction 0x20)                                                    
Write granularity is 64 bytes or larger                                                                             
Flash status register is non-volatile                                                                               
3-Byte only addressing                                                                                              
Capacity is 65536 Bytes                                                                                             
Flash device supports 4KB block erase (instruction 0x20)                                                            
Flash device supports 64KB block erase (instruction 0xD8)                                                           
Found a Macronix  flash chip (65536 bytes)                                                                          
Flash device reset success                                                                                          
Dumping to x123456789ab...                                                                                          
Error: invalid path 
                                                                                                
SPI>  flash read -f x123456789.bin                                                                                  
                                                                                                                    
Initializing SPI flash...                                                                                           
Flash device manufacturer ID 0xC2, type ID 0x20, capacity ID 0x10                                                   
SFDP V1.0, 1 parameter headers                                                                                      
                Type            Ver.    Length  Address                                                             
Table 0         JEDEC (0x00)    1.0     36B     0x000030                                                            
JEDEC basic flash parameter table info:                                                                             
MSB-LSB  3    2    1    0                                                                                           
[0001] 0xFF 0x81 0x20 0xE5                                                                                          
[0002] 0x00 0x07 0xFF 0xFF                                                                                          
[0003] 0xFF 0x00 0xFF 0x00                                                                                          
[0004] 0xFF 0x00 0x3B 0x08                                                                                          
[0005] 0xFF 0xFF 0xFF 0xEE                                                                                          
[0006] 0xFF 0x00 0xFF 0xFF                                                                                          
[0007] 0xFF 0x00 0xFF 0xFF                                                                                          
[0008] 0xD8 0x10 0x20 0x0C                                                                                          
[0009] 0xFF 0x00 0xFF 0x00                                                                                          
4 KB Erase is supported throughout the device (instruction 0x20)                                                    
Write granularity is 64 bytes or larger                                                                             
Flash status register is non-volatile                                                                               
3-Byte only addressing                                                                                              
Capacity is 65536 Bytes                                                                                             
Flash device supports 4KB block erase (instruction 0x20)                                                            
Flash device supports 64KB block erase (instruction 0xD8)                                                           
Found a Macronix  flash chip (65536 bytes)                                                                          
Flash device reset success                                                                                          
Dumping to x123456789.b...                                                                                          
Error: invalid path

Successful execution of flash read:

SPI>  flash read -f x1234567.bin                                                                                    
                                                                                                                    
Initializing SPI flash...                                                                                           
Flash device manufacturer ID 0xC2, type ID 0x20, capacity ID 0x10                                                   
SFDP V1.0, 1 parameter headers                                                                                      
                Type            Ver.    Length  Address                                                             
Table 0         JEDEC (0x00)    1.0     36B     0x000030                                                            
JEDEC basic flash parameter table info:                                                                             
MSB-LSB  3    2    1    0                                                                                           
[0001] 0xFF 0x81 0x20 0xE5                                                                                          
[0002] 0x00 0x07 0xFF 0xFF                                                                                          
[0003] 0xFF 0x00 0xFF 0x00                                                                                          
[0004] 0xFF 0x00 0x3B 0x08                                                                                          
[0005] 0xFF 0xFF 0xFF 0xEE                                                                                          
[0006] 0xFF 0x00 0xFF 0xFF                                                                                          
[0007] 0xFF 0x00 0xFF 0xFF                                                                                          
[0008] 0xD8 0x10 0x20 0x0C                                                                                          
[0009] 0xFF 0x00 0xFF 0x00                                                                                          
4 KB Erase is supported throughout the device (instruction 0x20)                                                    
Write granularity is 64 bytes or larger                                                                             
Flash status register is non-volatile                                                                               
3-Byte only addressing                                                                                              
Capacity is 65536 Bytes                                                                                             
Flash device supports 4KB block erase (instruction 0x20)                                                            
Flash device supports 64KB block erase (instruction 0xD8)                                                           
Found a Macronix  flash chip (65536 bytes)                                                                          
Flash device reset success                                                                                          
Dumping to x1234567.bin...                                                                                          
[-------------------C]                                                                                              
Dump OK
1 Like
15 
Dumping to x123456789.b...
Error: invalid path
SPI>

I get the same, thank you for the confirmation.

Were you able to reproduce the accidental erase condition?

16

It looks to as if the e in the long filename would of been after an 8.3 filename. And maybe option processing then sees the e as another flag. Does filename extract look for a space after filename .

1 Like
17

The pattern in argument parsing is to search for spaces, then ā€˜-ā€™, then a letter. It must have been a very unusual path/file name to meet those conditions.

If you ever see it again please let me know and I will add more safety checks or bug fixes.

18

Ok. In some unix tools you can run multiple single character options together. Instead of multiple dashes

ls -lhs

Instead of

ls -l -h -s

1 Like