Berkner Tech

Identifying Chips on an Unfamiliar Board

Identifying the processor, flash, and radio chips on an unfamiliar circuit board

Every hardware assessment starts with the same question: what am I looking at? Identifying the major chips tells you where the processing, storage, and radios are, and that map guides everything that follows. Spend the first hour here and the rest of the work becomes targeted instead of blind.

Every Assessment Starts Here

A board you have never seen is a pile of black rectangles until you name them. Naming the major parts is what converts it into a set of known interfaces with public datasheets, and those datasheets are where the attack surface is written down.

The goal of this phase is a labeled map: which chip is the processor, where the firmware lives, what radios are present, and which buses connect them. Everything after this step is faster because of it.

Find the Big Three

Three chips define most of the attack surface. The processor is usually the largest package with the most pins, often near a crystal. The storage, a flash or eMMC part, sits close to it. Any radio is under a shielded metal can with an antenna trace leading away from it.

Start by locating those three. Decorative parts, power regulators, and passives can wait. The processor, its storage, and its radios are where the firmware, the secrets, and the wireless attack surface live.

Read the Markings

Use a loupe or a USB microscope and raking light to read the top of each major package. The first line is usually the part number, and the lines below are date and lot codes. Even a partial number plus a manufacturer logo is often enough to identify the part.

# markings read off the three largest packages
U1:  MT7628AN          (large QFP, many pins)  -> SoC?
U2:  W25Q128JV         (8-pin SOIC)             -> SPI flash?
U3:  shielded can, "RTL8192"                    -> Wi-Fi radio?
Example output
MT7628AN -> MediaTek MIPS SoC, common in routers
W25Q128JV -> Winbond 16 MB SPI NOR flash
RTL8192  -> Realtek 802.11n Wi-Fi

Three markings turned an anonymous board into a MediaTek router-class SoC with 16 MB of SPI flash and a Realtek Wi-Fi radio. That is most of the architecture, established in a few minutes with a loupe.

Search the Part Number

Each number leads to a datasheet, and the datasheet leads everywhere else. A quick search confirms the manufacturer, the package, and the role, and it surfaces the reference manual you will use to find debug and boot pins later.

# a part-number search resolves role, package, and docs
W25Q128JV -> 16 MB (128 Mbit) SPI NOR, SOIC-8, 3.3V, standard 25-series command set
Example output
-> SPI flash, readable with a SOIC-8 clip and flashrom
-> likely holds the bootloader, kernel, and root filesystem

Confirming the flash is a standard 25-series SPI part tells you immediately that a clip and flashrom can read it, and that it most likely holds the entire firmware. The identification step has already pointed at the next move.

Infer Role From Layout

Traces and neighboring components tell a story even when a marking is unreadable. A chip with a nearby crystal is a processor or a radio. A small eight-pin part on four wires is almost certainly SPI flash. Two lines with pull-up resistors are an I2C bus.

Reading the layout this way lets you assign a role to a part you cannot identify by number. The function follows from the connections, and the connections are visible on the board even when the silkscreen and the markings are not helpful.

Identify the Storage Precisely

Storage is the highest-value part after the processor, because it holds the firmware. Distinguish the small SPI NOR (8 pins, 25-series number) from larger eMMC or NAND (more pins, a controller). The pin count and package usually settle it at a glance.

This matters because it decides your extraction method. An 8-pin SPI part means a clip and a programmer. A BGA eMMC means test points or a reball. Identifying the storage type early tells you which tools to bring to the bench.

Spot the Radio and Its FCC ID

A shielded can with an antenna trace is a radio. The module often carries its own marking or an FCC ID printed on the shield or a label, and that ID is a public record that names the module and its capabilities.

# an FCC ID printed on a module label resolves the exact part
FCC ID: 2AB12-ESP32   ->  fccid.io lookup
Example output
-> Espressif ESP32 module: Wi-Fi + Bluetooth LE, Xtensa dual-core
-> internal photos and test reports are public on the FCC database

An FCC ID is a gift to reconnaissance. The public filing often includes internal photos and test reports, which can reveal the module’s chipset and antenna layout without you even opening anything.

When the Markings Are Gone

BGA packages hide their tops, and some vendors sand or laser off part numbers to slow you down. Even then, the package size, the pin or ball count, the power and ground layout, and the surrounding parts narrow the field to a family.

A sanded chip with the power and clock fingerprint of a known SoC family is identified by elimination. The markings are a shortcut, not the only route, and a determined look at the connections recovers most of what the missing number would have told you.

Map the Buses Between Chips

With the chips named, trace the buses that connect them. The processor-to-flash SPI lines, the I2C sensors, the UART console, and the link to the radio are the wires worth probing. A continuity meter confirms which pads carry which signal.

That bus map is the part of the picture that tells you where to clip a logic analyzer and what to expect. It also reveals trust relationships: a key that travels from the processor to a secure element over an exposed I2C bus is a finding before you have powered anything on.

Build the Board Map

Pull it together into a labeled diagram: each major chip, its role, its part number, and the buses between them. This map is the deliverable of the recon phase and the reference for everything that follows.

A good board map is also what makes a report credible. It shows the client exactly what their product is made of and where the interesting interfaces are, which frames every later finding in terms they can act on.

From Inventory to Plan

A labeled board is a plan. Knowing the processor, the storage, and the radios tells you which datasheets to pull, which buses to clip onto, and which interfaces to attack first. The chips you could not identify still contribute through their connections.

This step feels unglamorous, and skipping it is how assessments waste days probing the wrong part. The hour spent identifying is repaid many times over in the focus it brings to the rest of the work.

The Defender’s View

The same map is useful in reverse. Knowing exactly what is on your board, and what each part exposes, is the starting point for deciding what needs locking down before the device ships and what an attacker will reach for first.

A product team that can produce its own accurate board map, with the exposed interfaces and the sensitive data flows marked, is already ahead of most. The attacker is going to build that map anyway. Building it first is how you decide what to close.
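The board map from "Build the Board Map", held as data and checked the way this section describes, as an added example that is not code from the original article. The part numbers are the ones read earlier on this page; the designators U4 and J1, the bus details, and the `review` helper are illustrative assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Chip:
    ref: str      # board designator, e.g. "U1"
    marking: str  # part number as read; "" if sanded or unreadable
    role: str     # "processor", "storage", "radio", "secure-element", ...

@dataclass(frozen=True)
class Bus:
    kind: str            # "SPI", "I2C", "UART", ...
    endpoints: tuple     # designators of the parts it connects
    exposed: bool        # probe-able at pads, test points or a header
    carries: tuple = ()  # sensitive data classes seen on it, e.g. ("key",)

def review(chips, buses):
    """Return the review items implied by the map, buses first, then chips."""
    known = {c.ref for c in chips}
    items = []
    for b in buses:
        if b.exposed and b.carries:
            link = "-".join(b.endpoints)
            items.append(f"{b.kind} {link}: exposed bus carries {', '.join(b.carries)}")
        for ref in b.endpoints:
            if ref not in known:
                items.append(f"{b.kind}: endpoint {ref} is not on the map")
    wired = {ref for b in buses for ref in b.endpoints}
    for c in chips:
        if c.ref not in wired:
            items.append(f"{c.ref}: no bus recorded, map incomplete")
        if not c.marking:
            items.append(f"{c.ref}: unidentified {c.role}, role inferred from layout")
    return items

# Constructed map for illustration (hypothetical designators and bus details).
CHIPS = [
    Chip("U1", "MT7628AN", "processor"),
    Chip("U2", "W25Q128JV", "storage"),
    Chip("U3", "RTL8192", "radio"),
    Chip("U4", "", "secure-element"),
]
BUSES = [
    Bus("SPI", ("U1", "U2"), True, ("firmware",)),
    Bus("I2C", ("U1", "U4"), True, ("key",)),
    Bus("UART", ("U1", "J1"), True, ("console",)),
]

if __name__ == "__main__":
    print("\n".join(review(CHIPS, BUSES)))
```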

Using an X-Ray and a Microscope When Markings Fail

When the markings are sanded off or the part is a BGA whose top you cannot read, the identification work moves to imaging. A microscope at higher magnification often recovers a part number that looked blank to the eye, because laser etching leaves a shallow contrast that good lighting and angle bring out. For BGAs, an X-ray reveals the ball pattern and die size, both of which narrow the candidate parts.

These tools sound exotic but are increasingly accessible, and they turn an apparently anonymous chip into an identifiable one. A ball count and pitch from an X-ray, matched against package databases, frequently resolves a part to a family even when the vendor deliberately obscured it. The effort is proportional to the value of knowing, and for the main processor of a device under assessment, knowing exactly what it is repays the time spent imaging it.

Cross-Referencing the FCC Filing for Internals

For any device with a radio, the FCC filing is a reconnaissance goldmine that requires no hardware at all. United States regulations require internal photos in the filing, and those photos often show the board clearly enough to read the major chips, identify the radio module, and see the antenna layout, all before you have opened your own unit. The filing also lists the test frequencies, which tells you what the device transmits.

# find a device's FCC filing from the ID printed on its label
# fccid.io/<GRANTEE>/<PRODUCT>  ->  internal photos, test report, block diagram
echo "FCC ID 2AB12-XYZ ->  internal photos show MT7621 SoC + W25Q128 flash"

Pulling the internal photos and the test report from the public FCC database can hand you most of the board map and the wireless capabilities for free. It is one of the highest-yield, lowest-effort steps in component identification, and it is routinely overlooked by people who reach for the soldering iron before they reach for the public filing that already documents the device.
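Both FCC passages on this page start from an ID read off a label, so here is an added example (not code from the original article) that pulls FCC IDs out of transcribed label text and splits each into the grantee and product codes the lookup needs. The sample text is constructed, reusing this page's placeholder IDs plus one made-up 3-character grantee; keeping a printed hyphen as part of the product code is an assumption.

```python
import re

# Matches "FCC ID: X" and "Contains FCC ID: X" as transcribed from a label.
_LABEL = re.compile(
    r"(contains\s+)?FCC\s*ID\s*[:.]?\s*([A-Z0-9][A-Z0-9-]{3,18})", re.I)

def split_fcc_id(fcc_id):
    """Split an FCC ID into (grantee, product).

    Grantee codes that start with a letter are 3 characters long; those
    that start with a digit are 5. The rest is the product code (1-14).
    """
    fcc_id = fcc_id.strip().upper()
    n = 5 if fcc_id[:1].isdigit() else 3
    grantee, product = fcc_id[:n], fcc_id[n:]
    if len(grantee) != n or not grantee.isalnum():
        raise ValueError(f"bad grantee code in {fcc_id!r}")
    if not re.fullmatch(r"[A-Z0-9-]{1,14}", product):
        raise ValueError(f"bad product code in {fcc_id!r}")
    return grantee, product

def fcc_ids_from_labels(text):
    """Return one record per well-formed FCC ID found in label text."""
    records = []
    for m in _LABEL.finditer(text):
        try:
            grantee, product = split_fcc_id(m.group(2))
        except ValueError:
            continue  # partial or misread marking: go back and re-read it
        records.append({
            "grantee": grantee,
            "product": product,
            # "Contains FCC ID" marks a separately certified module in the host.
            "scope": "module" if m.group(1) else "device",
        })
    return records

# Constructed label transcription; ABC-M1 is a made-up 3-character grantee,
# and the last line is a deliberately truncated reading.
SAMPLE = """\
Model: XYZ   FCC ID: 2AB12-XYZ
Contains FCC ID: 2AB12-ESP32
Contains FCC ID: ABC-M1
FCC ID: 2AB1
"""

if __name__ == "__main__":
    for rec in fcc_ids_from_labels(SAMPLE):
        print(rec)
```

A "module" record means the radio was certified on its own, so its filing is separate from the host device's and is worth pulling as well.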

Where This Fits

Component identification and board mapping are the opening phase of any hardware penetration test or product security assessment. If you want a structured teardown of your product that turns the board into an actionable map, that is the kind of work we do at Berkner Tech.

