All times are UTC - 5 hours [ DST ]




Post new topic Reply to topic  [ 50 posts ]  Go to page 1, 2, 3  Next
Author Message
 Post subject: Accessing/Modifying/Dumping M36L0T05 Flash Contents
PostPosted: June 18th, 2019, 17:43 
Offline

Joined: June 18th, 2019, 17:36
Posts: 10
Location: hereandthere
I have this little chinese NES knockoff which has built in games that aren't obviously the originals for copyright reasons. I am not asking anyone for help with anything illegal, rom related etc.

I am new to playing with flash memory at a hardware level, and I'd like to learn how to dump the contents of these chips. There are 2 on a controller board of some sort called "M400X2-256A". Ideally I'd like to access the filesystem and change files, look at them etc to learn about it.

I have experience microsoldering, have a microscope, hot air, oscilloscope etc, and some general electronics knowledge, but I will be the first to admit I have a lot to learn. Hence asking these questions. But to give you an idea what I can maybe pull off, is why I posted that info.

Anyway thanks for your time and consideration!


Top
 Profile  
 
 Post subject: Re: Accessing/Modifying/Dumping M36L0T05 Flash Contents
PostPosted: June 18th, 2019, 17:55 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 11725
Location: Australia
Could we see the PCB?

BTW, a better forum for this type of question would be EEVblog.com or a forum that discusses arcade games, etc.

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: Accessing/Modifying/Dumping M36L0T05 Flash Contents
PostPosted: June 18th, 2019, 17:59 
Offline

Joined: June 18th, 2019, 17:36
Posts: 10
Location: hereandthere
Here you go, let me know if you need a closeup of anything and I'll post it tomorrow when I get back to work.


Attachments:
board.JPG
board.JPG [ 2.12 MiB | Viewed 2565 times ]
Top
 Profile  
 
 Post subject: Re: Accessing/Modifying/Dumping M36L0T05 Flash Contents
PostPosted: June 18th, 2019, 18:23 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 11725
Location: Australia
The part number is M36L0T705 and the manufacturer is STMicroelectronics.

I can't find any reference to it, but in any case you may be better off determining the pinout of the 47-pin memory module and working with that. To this end you would need to identify the CPU and hope that its pinout is in the public domain.

FWIW, the M36L0T704 is a 16384 Kb "flash chip" used in the Siemens DreamTeam A31 phone:

http://forum.gsmhosting.com/vbb/f360/dreamteam-a31-flash-error-whats-wrong-343104/

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: Accessing/Modifying/Dumping M36L0T05 Flash Contents
PostPosted: June 18th, 2019, 18:45 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 11725
Location: Australia
There is a Google search result which suggests that this chip may be a combination of 128MB SDRAM and 32M flash memory:

http://www.odysseyelectronics.net/gsitemap4316.html

Quote:
ICM 128+32 FBGA88 M36L0T7050T · ICM 128M+64M FBGA88 M36L0T706

    M36L0T704 -> 128M SDRAM + 16M flash
    M36L0T705 -> 128M SDRAM + 32M flash
    M36L0T706 -> 128M SDRAM + 64M flash

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: Accessing/Modifying/Dumping M36L0T05 Flash Contents
PostPosted: June 18th, 2019, 19:26 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 11725
Location: Australia
https://datasheetspdf.com/pdf-file/673255/Numonyx/M36L0T7050T2/1
https://datasheetspdf.com/pdf-file/673253/STMicroelectronics/M36L0T7050T0/1

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: Accessing/Modifying/Dumping M36L0T05 Flash Contents
PostPosted: June 18th, 2019, 19:31 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 11725
Location: Australia
    M36L0T7040Tx -> 128M flash + 16M RAM
    M36L0T7050Tx -> 128M flash + 32M RAM
    M36L0T7060Tx -> 128M flash + 64M RAM

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: Accessing/Modifying/Dumping M36L0T05 Flash Contents
PostPosted: June 19th, 2019, 2:23 
Offline
User avatar

Joined: December 4th, 2012, 1:35
Posts: 3380
Location: Adelaide, Australia
just having a very quick look at this thread at work, and chips with address pins A0 - A22 could be CFI (common Flash Interface). Devices that can read it are things like the FlashCAT USB https://www.embeddedcomputers.net/products/FlashcatUSB/

definitely not regular NAND flash.

Ive tried a few times to read a CFI but not had success yet, there is not a lot of info about it. And looking for any homebrew CFI readers has came up with nothing so far.

I would be interested in the device, and getting one to hack on when time permits, and link to the thing?

any chance of full pics of all PCBs?


Top
 Profile  
 
 Post subject: Re: Accessing/Modifying/Dumping M36L0T05 Flash Contents
PostPosted: June 19th, 2019, 8:56 
Offline

Joined: June 18th, 2019, 17:36
Posts: 10
Location: hereandthere
Here are pics of everything, and a link to the device (well nearly identical, the controllers are different.) I bought it from a wholesaler i deal with for $17.
https://www.amazon.ca/Handheld-Retro-Fa ... way&sr=8-4


Attachments:
File comment: Overview
overview.JPG
overview.JPG [ 2.54 MiB | Viewed 2376 times ]
File comment: usb dc in and headphone type RCA out
dc in and av out.JPG
dc in and av out.JPG [ 1.75 MiB | Viewed 2376 times ]
File comment: backside of controller input and power button/reset button board
controllersbackside.JPG
controllersbackside.JPG [ 1.46 MiB | Viewed 2376 times ]
File comment: front side of controllers/power/reset
controllersandpowerreset.JPG
controllersandpowerreset.JPG [ 2.22 MiB | Viewed 2376 times ]
File comment: back of the main board I first showed, im guessing the cpu is under the black hot snot?
backside of main board.JPG
backside of main board.JPG [ 1.7 MiB | Viewed 2376 times ]
Top
 Profile  
 
 Post subject: Re: Accessing/Modifying/Dumping M36L0T05 Flash Contents
PostPosted: June 19th, 2019, 9:48 
Offline

Joined: June 18th, 2019, 17:36
Posts: 10
Location: hereandthere
I posted pictures of everything, and a link so you can see the product online. The message said awaiting approval though, probably due to the link? In the meantime you can search "620 games" on amazon and youll probably see it. just looks like an NES with 2 controllers, but tiny.

Sorry about the part number in the first post, you're right. It was an unfortunate typo.


Top
 Profile  
 
 Post subject: Re: Accessing/Modifying/Dumping M36L0T05 Flash Contents
PostPosted: June 20th, 2019, 5:53 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 11725
Location: Australia
HaQue wrote:
Ive tried a few times to read a CFI but not had success yet, there is not a lot of info about it.

I can't see the problem.

The datasheet says to disable the PSRAM. You could do that be holding its E2p pin low.

Then enable the flash memory by holding Ef low, Gf low, Wf high, RPf high.

Then drive Lf low to latch the address bus into the flash memory, and read its data on the data bus.

The only other signal pin of interest is WAITf which needs to specially configured, or you can simply try setting it high and low until you find which is the default.

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: Accessing/Modifying/Dumping M36L0T05 Flash Contents
PostPosted: June 20th, 2019, 5:59 
Offline
User avatar

Joined: December 4th, 2012, 1:35
Posts: 3380
Location: Adelaide, Australia
could you post top down pics of both sides of the board in the last photo showing the whole board, and cable out the way? I'm guessing this is the one with the memory board on it. I already suspected a blob controller. Shame I was right :(


Top
 Profile  
 
 Post subject: Re: Accessing/Modifying/Dumping M36L0T05 Flash Contents
PostPosted: June 20th, 2019, 9:07 
Offline

Joined: June 18th, 2019, 17:36
Posts: 10
Location: hereandthere
Of course, here you go:
RE: the black snot on the processor, is there a good way to remove it besides hot air and pick at it? Is it worth trying?


Attachments:
IMG_6650sharpened.jpg
IMG_6650sharpened.jpg [ 7.68 MiB | Viewed 2347 times ]
IMG_6648rotated.jpg
IMG_6648rotated.jpg [ 5.52 MiB | Viewed 2347 times ]
Top
 Profile  
 
 Post subject: Re: Accessing/Modifying/Dumping M36L0T05 Flash Contents
PostPosted: June 20th, 2019, 10:47 
Offline
User avatar

Joined: December 4th, 2012, 1:35
Posts: 3380
Location: Adelaide, Australia
Thanks a lot.
No there is no reason to remove the black crap, it is just there to protect the cpu or whatever is under there.
A method might be something like : http://travisgoodspeed.blogspot.com/2009/06/cold-labless-hno3-decapping-procedure.html

These are called COB for chip-on-board. Something like this:

Attachment:
cob.png
cob.png [ 646.26 KiB | Viewed 2336 times ]


if you need to hack it at that level, then it really starts to get interesting.

There may be other interfaces on the board, Serial port, JTAG etc.


Top
 Profile  
 
 Post subject: Re: Accessing/Modifying/Dumping M36L0T05 Flash Contents
PostPosted: June 20th, 2019, 14:43 
Offline

Joined: June 18th, 2019, 17:36
Posts: 10
Location: hereandthere
I appreciate you looking, and your advice. But I'm still not really sure where to begin. Can you see any interfaces on that board? Without schematics which we'll never get, or something clearly labeled, I'm lost.

When I first opened it, I was hoping with all the easy to reach connectors on that memory module, it would be simple to solder a few wires and somehow pull the data off, but it doesn't seem like that is going to be the case.

Do you have any suggestions, or should I let it go, do you think?


Top
 Profile  
 
 Post subject: Re: Accessing/Modifying/Dumping M36L0T05 Flash Contents
PostPosted: June 20th, 2019, 18:17 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 11725
Location: Australia
AISI, there is no easy way to determine the correspondence between the edge connections of the memory module and the balls of the BGA memory ICs. I was relying on the CPU's pinout to help us in this regard, but you can't get much info out of a blob. :-(

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: Accessing/Modifying/Dumping M36L0T05 Flash Contents
PostPosted: June 20th, 2019, 22:28 
Offline
User avatar

Joined: December 4th, 2012, 1:35
Posts: 3380
Location: Adelaide, Australia
mgysgthath wrote:
I appreciate you looking, and your advice. But I'm still not really sure where to begin. Can you see any interfaces on that board? Without schematics which we'll never get, or something clearly labeled, I'm lost.

When I first opened it, I was hoping with all the easy to reach connectors on that memory module, it would be simple to solder a few wires and somehow pull the data off, but it doesn't seem like that is going to be the case.

Do you have any suggestions, or should I let it go, do you think?



Being not sure where to begin in cases like this where there is no clear serial port, JTAG or easily identified controller is normal, so currently you are on the right track!

As Franc said, not having access to CPU pinout or any markings does present a stumbling block. But what you do have is a nice open board with the ability to easily probe it and solder around if need be.

The 4 pads in between CPU and crystal Osc could be something, or could be nothing! interesting the crystal is same frequency as original NES, not a common part to find these days!

The memory board interests me, as it HAS to be a kind of drop-in part from somewhere that gets used on other devices or different variations of devices like this, otherwise they would just create a mainboard to hold the memory chips directly. Also, I am not sure of the age of this product, but the memory chip technology looks rather old. memory such as this was popular for things that used files/data straight off the chip, rather than something like NAND where it would be read from the chip but then converted straight to files or sent to RAM or needed to work through something like a flash controller (USB flash drives for example). common uses were early cell phone memory, bootloaders for embedded systems etc.

I seriously doubt any type of protection to hacking.

I have a few different FlashCats that are supposed to read CFI chips. Hopefully the unit I bought is similar to yours, ad was slighly different but essentially details look the same.

What I normally do in situations where you need to strip things apart is just buy another unit to take chips off and map, then you still have a complete unit to run test on when you conjure up theories.


Top
 Profile  
 
 Post subject: Re: Accessing/Modifying/Dumping M36L0T05 Flash Contents
PostPosted: June 20th, 2019, 23:11 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 11725
Location: Australia
The crystal frequency (21.47727 MHz) is 6 times the NTSC TV frequency (3.579545 MHz). That's why it's an odd one.

I notice that the T2 and T0 versions of these memory chips require 1.8Vcore and 3Vio. Their organisation is 8M x 16 which requires 23 address bits and 16 data bits. The module has 47 pins (plus ground?), so that leaves only 4 or 5 pins for chip selects, etc.

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: Accessing/Modifying/Dumping M36L0T05 Flash Contents
PostPosted: June 21st, 2019, 2:33 
Offline
User avatar

Joined: December 4th, 2012, 1:35
Posts: 3380
Location: Adelaide, Australia
some of these chips only use 8 DQ's for flash

the forums at https://forums.nesdev.com/ have a wealth of information. I am looking at one particular post where OP dumps a NOR: https://forums.nesdev.com/viewtopic.php?f=9&t=18652
he is rather sparse with the details and setup used to dump it, but over here: https://www.reddit.com/r/retrogaming/comments/ad8z2n/retro_fc_q3_clone_teardown/ he says he used a FlashCatUSB:

Quote:
My first attempt to dump it with a raspberry pi + TSOP56 adapter did not work out because obviously the GPIO of the raspberry pi only has 26 pins, but you need more to handle the address bus and Data i/o of a tsop56 chip. (Well, 56 pins.)
So i got a Flashcat USB and the fitting tsop56 adapter from imbedded computers, put the chip in there and dumped it. Really easy.




There is probably much more at the forum and also the IRC channels mentioned that would be useful.

Also, this may dump it: http://xmonstermodsx.freeforums.net/thread/6/progskeet-downgrade-guide

When I get mine I can test with my Saleae Logic analyser and see if those 4 pads are anything. I don't think the chips will be hard to dump with a little research.

I collected a folder of info today that may have something amongst it to help.


Top
 Profile  
 
 Post subject: Re: Accessing/Modifying/Dumping M36L0T05 Flash Contents
PostPosted: June 21st, 2019, 9:00 
Offline

Joined: June 18th, 2019, 17:36
Posts: 10
Location: hereandthere
HaQue wrote:
mgysgthath wrote:
I appreciate you looking, and your advice. But I'm still not really sure where to begin. Can you see any interfaces on that board? Without schematics which we'll never get, or something clearly labeled, I'm lost.

When I first opened it, I was hoping with all the easy to reach connectors on that memory module, it would be simple to solder a few wires and somehow pull the data off, but it doesn't seem like that is going to be the case.

Do you have any suggestions, or should I let it go, do you think?



Being not sure where to begin in cases like this where there is no clear serial port, JTAG or easily identified controller is normal, so currently you are on the right track!

As Franc said, not having access to CPU pinout or any markings does present a stumbling block. But what you do have is a nice open board with the ability to easily probe it and solder around if need be.

The 4 pads in between CPU and crystal Osc could be something, or could be nothing! interesting the crystal is same frequency as original NES, not a common part to find these days!

The memory board interests me, as it HAS to be a kind of drop-in part from somewhere that gets used on other devices or different variations of devices like this, otherwise they would just create a mainboard to hold the memory chips directly. Also, I am not sure of the age of this product, but the memory chip technology looks rather old. memory such as this was popular for things that used files/data straight off the chip, rather than something like NAND where it would be read from the chip but then converted straight to files or sent to RAM or needed to work through something like a flash controller (USB flash drives for example). common uses were early cell phone memory, bootloaders for embedded systems etc.

I seriously doubt any type of protection to hacking.

I have a few different FlashCats that are supposed to read CFI chips. Hopefully the unit I bought is similar to yours, ad was slighly different but essentially details look the same.

What I normally do in situations where you need to strip things apart is just buy another unit to take chips off and map, then you still have a complete unit to run test on when you conjure up theories.


Thanks for the reassurance :)

The memory chip IS used for other things, if you google the silkscreened number on it's pcb, and image search I came across an arcade cabinet of some sort someone was showing, it had the same board in it stuck on like this one. I was trying to identify it hoping it would be a common thing people have hacked before, but I guess you're going to be on the cutting edge on this one.

You're very kind to be purchasing things to research and help me out, it is above and beyond. I feel a little bad, I would have mailed you one.. but it is much appreciated, thank you.

I wish I knew half of what you guys do, but I'm trying to learn slowly but surely.


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 50 posts ]  Go to page 1, 2, 3  Next

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: Google [Bot] and 5 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group