Dumping nand flash memory

[DRUG]

Hey guys,

I've been building this DIY Nand Reader:

https://www.blackhat.com/docs/us-14/mat ... fit-WP.pdf

The build is completed now and I've already installed python dependencies and needed software for this to work.

However, I believe I have some trouble with the voltages when I try to dump, I'm saying this because sometimes I can get a perfect chip ID like figure 16 of this article shows, and if I try to repeat the process the Page Size, OOB size, Page Count and Adress Cycles may be all 0 or they are diferent from the first read attempt.

If voltage is not the issue is it possible that the chip might have been slightly damaged from the heat gun used to de-solder even though I've used termic time on the chip ?

Thanks.


And Spildit, please answer my PM :'(

[DRUG]

Oh, and another thing, the chip when is inside the Xeltek tsop 48 adapter gets REALLY HOT.

[HaQue]

ok, chip should not get really hot, actually shouldn't get hot at all. Only part I have ever seen get slightly warm is a power IC on the reader itself.. can you show good quality pics of your actual project? Also, what voltages are you using, and how are you supplying the voltage?

Also possible depending on your nand chip that pinout is slightly different, though I assume you've looked at the datasheet, so doubt this.

[DRUG]

I'll take some decent photos once I'm on the office, I'm using 2 x 3.3v as described on the article, however I'll de-solder some more tsop 48's and I'll guide the new wiring and make extra sure the pinout is ok!

[HaQue]

I have just bought one of the boards, might help to replicate the project to make it easier to troubleshoot. Ive been meaning to try it out anyway!

[DRUG]

I managed to grab some photos that I took earlier:

The schematics talk about a 2x 3.3v and 2x Ground, I'm using the ones on the FTDI board, am I correct?

Attachments

schematics used

This is me bragging to pclab

Post it means: Hi I'm Zé and I hate Mac's (I've spent 3 days fixing a hardware related kernel panic on a macbook that made me go nuts)

When both baby's arrived.

[HaQue]

ok, check the grounds and the vcc. I think these are actually connected internally, so you only need 1 supply of each. example, on the bare chip, check with continuity meter both vcc, and if beeps you only need a vcc on one of them

I cant see the back of ftdi board, but looks like connections are fine in any case.

[DRUG]

So you would say I only need this 2 pins ?

Having them on 12-13 or 36-37 makes any diference ?

Attachments

[DRUG]

Nevermind, only 2 pins needed, already found a image showing that. It's a little bit weird since in the article they state 2x 3.3v and 2x GND.

[HaQue]

some nand chips have them internally connected and some don't

just noticed the NAND is a Sandisk.. what is the actual part number?.. SDTN...

Some of these chips are 16bit and some are "16-8"( 8-bit chips wired on 16-bit bus ). Also some Sandisk need to have pin 38 isolated.

[DRUG]

I have some more chips for testing, when you get your ftdi board let me know if you need the py scripts and the libs, one of them has been discontinued and I've managed to find it on a web.archive

[fzabkar]

Nevermind, only 2 pins needed, already found a image showing that. It's a little bit weird since in the article they state 2x 3.3v and 2x GND.

I would obtain a datasheet before proceeding. You can't simply assume that your chip follows the same pinout and voltage spec as the Samsung chip in the Blackhat article.

I would also connect all the supply and ground pins. I wouldn't rely on the chip's internal connections to make up for your wiring shortcuts. Some chips have separate Vcc and Vccq pins, and separate Vss and Vssq. The "Q" rail is for the IO section. Even when these voltages are the same, the two sections of the NAND might still require separate supply rails (although this doesn't appear to apply in your case).

If you can't locate a datasheet, then you may still be able to determine the pinout by examing the PCB from which you obtained the chip, assuming that is the case. The signal traces will go to the flash controller. The power traces will be bypassed by adjacent capacitors. Measure the voltages across these capacitors to determine the supply rails.

[Amarbir[CDR-Labs]]

Well,
what would be the actual cost of building this project once its ended ?

[HaQue]

approx US$55 but I think some limitations on reading some chips

[Amarbir[CDR-Labs]]

approx US$55 but I think some limitations on reading some chips

HaQue ,
i See you already on sergy forums .But this is better -> http://www.flash-extractor.com/shop/

[HaQue]

approx US$55 but I think some limitations on reading some chips

HaQue ,
i See you already on sergy forums .But this is better -> http://www.flash-extractor.com/shop/

Yes, I have one of those. but this is even better still, and I have one of these as well:
http://rusolut.com/visual-nand-reconstructor/nand-reader/

[DRUG]

Nevermind, only 2 pins needed, already found a image showing that. It's a little bit weird since in the article they state 2x 3.3v and 2x GND.

I would obtain a datasheet before proceeding. You can't simply assume that your chip follows the same pinout and voltage spec as the Samsung chip in the Blackhat article.

I would also connect all the supply and ground pins. I wouldn't rely on the chip's internal connections to make up for your wiring shortcuts. Some chips have separate Vcc and Vccq pins, and separate Vss and Vssq. The "Q" rail is for the IO section. Even when these voltages are the same, the two sections of the NAND might still require separate supply rails (although this doesn't appear to apply in your case).

If you can't locate a datasheet, then you may still be able to determine the pinout by examing the PCB from which you obtained the chip, assuming that is the case. The signal traces will go to the flash controller. The power traces will be bypassed by adjacent capacitors. Measure the voltages across these capacitors to determine the supply rails.

Well, that makes total sense. Saddly only after you explained it to me.

I have some more chips to test on and I'll check the datasheet before the wiring.

[DRUG]

Well,
what would be the actual cost of building this project once its ended ?

I've spent 75€ for the FTDI BOARD, the tsop 48 adapter and the wires. Even though, still pretty cheap for the kind of experience I'm obtaining with this whole project.

[HaQue]

Other comments:

1. ONFI support.. Just because a company like SanDisk is heavily involved with ONFI, doesn't mean all their chips are 100% support. SanDisk do some weird-ass things sometimes.

2. Refurbished chips: Micron and Spectek. It has been reported that Spectek chips are "The ones that john west rejects" "john west" in this case is Micron. The chips from Spectek are often rebadged/ refurbished Micron chips. Some even have the Spectek clearly lasered over the micron Logo. The chips may be a Micron 2 bank 16GB chip with a faulty bank, and rebadged as a single bank Spectek 8GB.

SanDisk sell a lot of chips with faults as well, and you can tell these as there is 2 rows of RMRMRM over the Brand.
They have been remanufactured to either map out the bad blocks or lower capacity. They should have same ID but might have 1/2 the banks.

refurb-Sandisk.jpg (17.3 KiB) Viewed 40899 times

Toshiba seems to sell to Phison, and they are usually labelled with short numbers starting with TF or TT, where the actual Toshiba part would start with TC58NV. Again the bank numbers can be different

It is important to be aware of refurb chips because if you are looking at a datasheet, all bets are off if it is refurb.

Pirate chips: these chips usually "look" dodgy.. they can be thinner, have broken bits of the package around where the dies meet, have printed labels instead of laser markings that denote faked chips. These normally have a correct ID but the quality is atrocious and many bit errors or straight out failure is probable.

The NAND industry is quite interesting. Almost NOTHING goes to waste. If a chip is not dead, it will be labelled and configured at whatever capacity they can get from it. Sometimes even 512MB cards are still made from 32GB chips that are all but stuffed. if you open as many devices as I do, you see some strange and wonderful things such as MicroSD cards in holder or soldered to PCB inside of Flash Disks and SD Cards, eMMC chips soldered to use just the NAND, totally fake things like 1GB NAND chips inside "64GB" drives.

I guess the whole point to this post is that NAND is a little different to most chips.. uC's, logic chips etc where specifications are everything. sometimes you can reliably rely on documentation such as 29F chips from intel/Micron, and other times it is a crapshoot. But it is ALWAYS fun

[DRUG]

OK, this is weird.

The SanDisk ( SDTNQGAMA-008G ) i'm trying to read is known as Toshiba

I can't also find that specific datasheet

Attachments