I thought it might be prudent to answer some of the questions properly, Instead of a quick scan and poo-ppooing the OP with negativity..even if a little late.
1) How do I determine the page and block size from the hex dump?
Usually you will know the page and block size from the config you used to read the chip, but this is what I call the starting page and block size. Generally you need to do operations on the dump and this changes the size reference. example, if you need to pair the blocks, you might assume a block is 0x200000 and a page 0x2000. You get first page from first block, then first page from second block and keep going to make one block of 0x400000. If you need to do operations still, page size now is probably 0x4000, but could be different.
if you only have the dump, you start looking at the data and not where a set of bytes look the same/similar at certain size points. Rusoluts VNR is excellent for this with the bitmap view. otherwise if you can find a hex viewer that allows you to stretch out rows of bytes to as many as 9216, 17664, then try common page sizes and you will see distinct vertical rows of bytes the same, this is the SA between the data.
2) Is there a standard for the spare area? I know that the spare area stores the physical to logical block address translation. No standard, different firmware versions of same controller, different controller models/manufacturers mix up data/spare area like crazy. It is almost as if they think if they made one the same as another they would get fired!
3) Are the blocks OR the pages in the wrong order when a physical image is read? Is this a question about granularity? yes no maybe. some are a complete list consecutive (early ones and fake ones with little or no concern to wear levelling) remember, the controller does not "read" an image. WE need to construct the image, reverse engineering what the controller does. But the controller only throws data around the nand chip based on its algorithms.
4) Is there any free software to rearrange the FAT structure? I have tried a lot of different software. No, remember the FAT structure isnt un-arranged, it was never arranged to begin with. There are thousands of different (albeit some slightly) algo's in play. I only know of 5 softwares in existence. 1st (SD) is a stinking pile of crap, where if bytes were apples, they would rotten. 2nd (nand team or similar?)is gone, I think Devs moved on to current other software. 3 (VNR), 4 (SC)& 5 (ACE Labs)are current and varying degrees of maturity and support for devices. any other software such as hex editors, file manipulators, disk editors and forensic tools are just not designed to play with the dump data. you might get somewhere but it will be a hard slog.
The most important question is that how do I determine the page and block size with hex editor?
answered above (1)
Is there some magic numbers from which I recognize the spare area like 55 AA in the MBR? yes and no. usually you will see at the same place in each page like or same hex code example, this is fro a controller that doesnt use block numbers, and SA is at same place in every page. This is the SA for first page of every block:
00 b8 d3 07 00 b8 d3 07 00 b8 d3 07 00 b8 d3 07 00 b8 d3 07 00 b8 d3 07 00 b8 d3 07 00 b8 d3 07 ..etc
one with block and page numbers(simplified) might look like:
FF FF 00 00 FF 00 FF FF 00 01 FF 00 FF FF 00 02 FF 00 FF FF 00 03 FF 00 FF FF 00 04 FF 00 FF FF 00 05 FF 00 FF FF 00 06 FF 00
some SA's will contain bytes for block renumbering, sector updates, page numbers, bank numbers, unused or "test" bytes and bytes that a vendor may know what it is for but we dont.
I have found a spare area format for 512 byte page size + 16 byte spare area but as I'm not sure which page size this dump resembles I can't move forward. What this is is actually referred to as a DATA+SA+DATA+SA format, not page. a page is made up of a whole group of these to a certain length (page size).
In case there are no free software available to do this simple job I will write my own script for it. It needs only to rearrange the blocks/pages. maybe in this case, but generally it would need to do a LOT more.
On the surface you would think you could just write some scripts to put things back together, but you would find these would keep blowing out until you have essentially written VNR or another commercial tool! So it is just common sense to buy it from the get go
This is all very general, but in practice it is even more complex by an order of magnitude as you need to also take into account reading from the physical chip, errors in the dump, ECC, bad columns, XOR, encryption, etc etc
|