In-depth technology research: finding new ways to recover data, accessing firmware, writing programs, reading bits off the platter, recovering data from dust.


NAND READING VIA FTDI2232H

March 3rd, 2016, 13:59

Following my previous post about this (viewtopic.php?f=13&t=31253)

So after some more digging into the subject, I've finally managed to dump NAND content from a TSOP48 chip.

However, I do believe ECC correction must be made manually.

This is a dump of a 1GB stick (I've purchased and grabbed old USB drives from friends to test this DIY reader).

1gbinfo.png


After dumping the contents of the chip, I open the image file in FTK imager:

dump.png


I see that data is there, but no FS is recognized, and I try to carve it through R-STUDIO:

fcd.png


Even though it finds files, they can't be opened, and so far the best results I had were from a 2007 MP3 player, where I managed to see all the music that used to be there, and even play some bits of it.

Anyway, my issue is this: I know for sure this isn't viable to be used in the office. In the time I take to dump a 1 GB chip I could dump 100 with VNR.
But I got a little attached to this project, and the reader looks really funky 8)

What I am still trying to realize is, can someone with enough knowledge use this dump to re-create the original file system + files?

Thank you all !

Re: NAND READING VIA FTDI2232H

March 3rd, 2016, 14:44

DRUG wrote: I see that data is there, but no FS is recognized

of course not
DRUG wrote: and I try to carve it through R-STUDIO:

you're wasting your time, programs like that are not designed to handle the structure of flash.
DRUG wrote: Even though it finds files, they can't be opened

of course not
DRUG wrote: and so far the best results I had were from a 2007 MP3 player

you're wasting your time
DRUG wrote: But I got a little attached to this project, and the reader looks really funky 8)

then go for it
DRUG wrote: What I am still trying to realize is, can someone with enough knowledge use this dump to re-create the original file system + files?

of course, the question is if you're trying to invent the wheel?
but if you're really eager to do it, you have to understand the basics first, such as the structure of flash chips and how the data is stored there.

Re: NAND READING VIA FTDI2232H

March 3rd, 2016, 16:15

The OP is not trying to reinvent the wheel. Obviously there is a fundamental lack of understanding of flash structures, despite the fact that the OP has an expensive professional tool. I would want the tool to be an extension of my intellect, not a substitute for it. How many in the DR profession actually understand the technologies that they work with?

My approach would be to use a relatively simple case as a learning example. I found an earlier industrial knitting machine thread to be very educational in this regard. If I were embarking on a career in data recovery, I would want to be much more than a mere ROM jockey and head swap mechanic.

Kudos to the OP for making the effort.

Re: NAND READING VIA FTDI2232H

March 3rd, 2016, 16:20

DRUG wrote:After dumping the contents of the chip, I open the image file in FTK imager:

You need to examine the spare area (OOB). Can you upload the first 20KB of the dump?
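
An added example, not part of any post in this thread: why carving a raw dump fails and what examining the spare area buys you. It builds a constructed dump (2048-byte data area + 64-byte spare per page, with an invented spare layout), guesses the page stride from the repeating spare bytes, and strips the spare so a file spanning several pages becomes contiguous again. Real controllers add XOR scrambling, ECC and block reordering, which this sketch leaves out.

```python
import random

def split_pages(dump, data_size, spare_size):
    """Yield (data, spare) for every complete page in a raw dump."""
    stride = data_size + spare_size
    for off in range(0, len(dump) - stride + 1, stride):
        yield dump[off:off + data_size], dump[off + data_size:off + stride]

def strip_spare(dump, data_size, spare_size):
    """Concatenate only the data areas, dropping the spare bytes."""
    return b"".join(d for d, _ in split_pages(dump, data_size, spare_size))

def guess_stride(dump, candidates):
    """Score each candidate page stride by how often a byte equals the byte
    one stride later. Spare fields (markers, padding) repeat from page to
    page, so the true stride scores far above the others."""
    def score(stride):
        n = len(dump) - stride
        return sum(dump[i] == dump[i + stride] for i in range(n)) / n
    return max(candidates, key=score)

def build_constructed_dump(payload, data_size=2048, spare_size=64, pages=16):
    """Constructed sample: random filler with `payload` at logical offset
    1000, written as data + spare pages. The spare layout is invented:
    0xFF marker, 2-byte page number, 1-byte checksum, 0xFF padding."""
    rng = random.Random(2016)
    logical = bytearray(rng.getrandbits(8) for _ in range(data_size * pages))
    logical[1000:1000 + len(payload)] = payload
    dump = bytearray()
    for p in range(pages):
        data = bytes(logical[p * data_size:(p + 1) * data_size])
        spare = b"\xff" + p.to_bytes(2, "big") + bytes([sum(data) & 0xFF])
        dump += data + spare.ljust(spare_size, b"\xff")
    return bytes(dump), bytes(logical)

def demo():
    rng = random.Random(7)
    # Constructed "file": JPEG-style header followed by 5000 random bytes.
    payload = b"\xff\xd8\xff\xe0" + bytes(rng.getrandbits(8) for _ in range(5000))
    dump, logical = build_constructed_dump(payload)
    stride = guess_stride(dump, [528, 2048, 2112, 2176])
    clean = strip_spare(dump, 2048, stride - 2048)
    # The file is broken up in the raw dump and whole after stripping.
    return stride, payload in dump, payload in clean, clean == logical

if __name__ == "__main__":
    print(demo())
```
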

Re: NAND READING VIA FTDI2232H

March 3rd, 2016, 16:30

fzabkar wrote:despite the fact that the OP has an expensive professional tool.

I think you're mistaken, we're talking here about a cheap tool that can be acquired for less than 25 bucks.

Re: NAND READING VIA FTDI2232H

March 3rd, 2016, 16:36

jermy wrote:
fzabkar wrote:despite the fact that the OP has an expensive professional tool.

I think you're mistaken, we're talking here about a cheap tool that can be acquired for less than 25 bucks.

DRUG wrote: Anyway, my issue is this: I know for sure this isn't viable to be used in the office. In the time I take to dump a 1 GB chip I could dump 100 with VNR.

I took this comment to mean that the OP has VNR (Visual Nand Reconstructor).

http://rusolut.com/

Re: NAND READING VIA FTDI2232H

March 3rd, 2016, 22:57

fzabkar wrote:The OP is not trying to reinvent the wheel. Obviously there is a fundamental lack of understanding of flash structures, despite the fact that the OP has an expensive professional tool. I would want the tool to be an extension of my intellect, not a substitute for it. How many in the DR profession actually understand the technologies that they work with?

My approach would be to use a relatively simple case as a learning example. I found an earlier industrial knitting machine thread to be very educational in this regard. If I were embarking on a career in data recovery, I would want to be much more than a mere ROM jockey and head swap mechanic.

Kudos to the OP for making the effort.


Hi Frank, and thanks once again for always contributing in a helpful way.
First of all, everyone here needs to understand that I've learned all I know so far (which is nothing compared to 90% of the users I see here) by figuring out bits of information scattered everywhere on the web and with the help of people like pclab and haque.
My job occupation is not DR full time. I started working in the company I am at and realised the amount of jobs we outsourced for data recovery. I asked my boss if I could start taking some easy cases along with my infosec duties. Things have evolved from scratch and we've managed to profit enough to buy an MRT Pro. We rarely have flash cases, but I see that every month flash starts to appear every now and then. After purchasing the MRT I must confess I felt more confident and solved some harder cases, but I still keep outsourcing if the job is flash or needs a clean room. My next objective is owning VNR; the only thing stopping us from buying it is my knowledge. Even though they have classes along with the kit, I fear that attending those classes would be like hearing a new language for the first time. Once again, I'm not a pro, but I love recovering, and perhaps it would be better to understand how chip-off works with a DIY method that I can do in my free time, and perhaps learn something that will be useful in the future. My goal is to own VNR by the end of the year, plus the lessons. It will be a heavy investment, but I hope that with hard work, advertising and social networking I'll be able to get us enough jobs to justify the purchase.

About the topic, tomorrow I will upload the first 20 KB.
P.S.: I also know Soft-Center Flash Extractor, which would ideally be the step between this NAND reader and VNR.
And thanks once again for your help Frank, sometimes I feel bad doing these kinds of posts because I know I'm looking for the right answers with the wrong questions.
Jermy, I understand your point, I feel the way you feel every time I see a random noob claiming he can pentest. I hope some day I can contribute more and leech less on this forum.

Re: NAND READING VIA FTDI2232H

March 4th, 2016, 7:16

Here is a link to a sample of the dump, and the full dump.

password is: hddguru

http://cloud.g3t-server.com/owncloud/in ... tJtCLjce8k

Re: NAND READING VIA FTDI2232H

March 4th, 2016, 10:36

Data recovered :-)

Do you want the data uploading?

Re: NAND READING VIA FTDI2232H

March 4th, 2016, 10:42

pcimage wrote:Data recovered :-)

Do you want the data uploading?


The data on those files is from sticks friends gave me that weren't used anymore.

Something cool would be creating an SQL DB with all the info for any chip I've come across, and then offering it online for people with interest in NAND.

However I don't understand how to go from chip in my hands to search for the ECC, OOB, and implement it.

Re: NAND READING VIA FTDI2232H

March 5th, 2016, 5:37

DRUG wrote:
pcimage wrote:Data recovered :-)

Do you want the data uploading?


The data on those files is from sticks friends gave me that weren't used anymore.

Something cool would be creating an SQL DB with all the info for any chip I've come across, and then offering it online for people with interest in NAND.

However I don't understand how to go from chip in my hands to search for the ECC, OOB, and implement it.

THAT would be re-inventing the wheel, and this is already what the major DR tool vendors do. The problem is that you may be severely underestimating the amount of combinations of controller + NAND + Layouts + XOR + Mix + "Other".

I have been collecting new devices for a couple of years and not often do I get the same. You would take years to build up some database, and then a customer walks in the door with something new. IMHO, better to become part of an existing group that already does this and contribute. This gives the benefit of access to their experiences as well.

I have done things like buy bulk lots of old devices, swapped old for new from colleagues in a campaign to increase my "list", and buy flash every week. Still only a few double-ups in 585 drives.

Another thing - with flash, you need to not think of the NAND as the discrete part that has the data. Sure, it HAS the data, but other factors come into play, and the NAND properties are only a subset of what is considered when recovering flash. The OOB, XOR, ECC really don't have much to do with the NAND, but with the flash controller. So the exact same NAND chip on both a Toshiba flash drive and a SanDisk drive will have different OOB (spare area or whatever name you want to give the service data). The act of reading the NAND initially is probably the only place you care about the NAND intricacies: voltage, read retry, WL, 8/16 bit, DDR etc.

Re: NAND READING VIA FTDI2232H

March 5th, 2016, 16:59

HaQue wrote:
DRUG wrote:However I don't understand how to go from chip in my hands to search for the ECC, OOB, and implement it.

THAT would be re-inventing the wheel, and this is already what the major DR tool vendors do.

AISI it is a case of understanding the wheel rather than re-inventing it.

Cast your mind back to that industrial knitting machine thread. The OP in that thread took his NAND chip (one of the earliest Samsung ICs) to a "professional" who used PC$10K to dump the contents. The result was an image file with the wrong "OOB" data. The user was told that the dump was error free, which was obviously a lie.

The professionals in this forum then failed to realise that the reason for the bad OOB data was a missing ground wire, which in turn implied that none could read a datasheet. Instead of adding a ground wire, the OP was asked to send his chip to another country so that other professional tools could be tried.

The resulting data recovery then recovered only 75% of the file system. The operator failed to realise that anything was wrong, presumably because he trusted his professional tools.

Furthermore, the recovered file was corrupt, yet no tool alerted the operator to this fact.

The irony is that the data were 100% recoverable with the OP's $25 MacGyver kit and a little knowledge.

In another case, a person contacted me privately regarding a flash drive he wished to recover. He was unable to identify a particular component (it turned out to be a resistor). I found a reference circuit diagram to assist him, but he was unable to determine which of the two components in the diagram was the NAND (the other was obviously the flash controller). Apparently he had been involved in "IT" for many years, having sold 15000 PCs. During that time he had never used a multimeter, solving problems by replacing "FRUs". One day he decided that data recovery looked like a good earner, so he took Scott Moulton's course. He tells me that he has managed to convince a major US car manufacturer that he is a data recovery expert. When I asked him how he expected to succeed in the DR business when he didn't even understand the basics, he said that he only needed to remove the NAND and let his tool do the rest.

Re: NAND READING VIA FTDI2232H

March 6th, 2016, 12:15

I remember that industrial knitting machine case, the OP is from my country.
I'm now testing different wirings according to NAND datasheets, looking for different results.
I want to understand the wheel, I just need to keep trying!

Re: NAND READING VIA FTDI2232H

March 6th, 2016, 12:51

DRUG wrote:Here is a link to a sample of the dump, and the full dump.

I took the time to reread the thread
DRUG wrote:Following my previous post about this (viewtopic.php?f=13&t=31253)

and over there the NANDs are SDTNQxxxx-008G
my question is if the dump sample and full dump are from the same NAND(s)?

Re: NAND READING VIA FTDI2232H

March 7th, 2016, 6:33

jermy wrote:
DRUG wrote:Here is a link to a sample of the dump, and the full dump.

I took the time to reread the thread
DRUG wrote:Following my previous post about this (viewtopic.php?f=13&t=31253)

and over there the NANDs are SDTNQxxxx-008G
my question is if the dump sample and full dump are from the same NAND(s)?


Thanks.

Yes, they are.

Re: NAND READING VIA FTDI2232H

March 7th, 2016, 10:57

Update: Sean was kind enough to repair the ECC on the dump and retrieved the files.
The best part is that this flash drive is from one of my best friends, and tonight I will troll him and ask why he has an amateur porn video close to her granny photos :x

Re: NAND READING VIA FTDI2232H

March 7th, 2016, 11:28

DRUG wrote: Update: Sean was kind enough to repair the ECC on the dump and retrieved the files.

I don't get it
I thought the mission is to try doing it by yourself using 25 bucks equipment (despite Sean having done it already), suddenly you're backing off?

Re: NAND READING VIA FTDI2232H

March 7th, 2016, 20:03

jermy wrote:
DRUG wrote: Update: Sean was kind enough to repair the ECC on the dump and retrieved the files.

I don't get it
I thought the mission is to try doing it by yourself using 25 bucks equipment (despite Sean having done it already), suddenly you're backing off?


Did anyone say the mission changed? That was 1 chip, I have like 17 others :p

I've dumped some, I'm trying to figure out how to use Flash Extractor free version.

Btw jermy, you seem such an experienced professional, would you name some books about flash I should read as a starter?

Re: NAND READING VIA FTDI2232H

March 7th, 2016, 21:39

The advantage of pro tools and their associated communities is you don't need to figure out 100s of different XOR, ECC, block manipulations, data/SA layouts and wear levelling schemes. Doing so would simply use up so much time that any intention of turning a profit would be out the window. Knowing 20 different schemes isn't going to save you the many hours figuring out the next strange scheme. Even the pros that write the tools can spend days/weeks figuring out some.
In my opinion it isn't a choice between pro tool, pro/community help, re-inventing wheels etc.
You have to do everything and use every available resource. You have to learn the stuff as Franc alluded to, AND get help from others. If you want to sit alone on a flash quest, you are going to be sitting in front of that PC for a LONG time, but your bank balance won't reflect it.

Sure, with work you will solve some cases, but you can't spend many days on each case.

Happy for anyone to prove that you don't need community support or pro tools to have a profitable flash recovery business, starting from where DRUG is starting from.

Re: NAND READING VIA FTDI2232H

March 7th, 2016, 21:52

DRUG wrote: I've dumped some, I'm trying to figure out how to use Flash Extractor free version.

Flash Extractor free version???

DRUG wrote: Btw jermy, you seem such an experienced professional, would you name some books about flash I should read as a starter?


http://www.amazon.com/Inside-NAND-Flash-Memories-Micheloni/dp/904819430X (Insane price tag alert!!) is probably the only one worth its salt, but really you are going to USE little of it.

I would suggest buying a logic analyser and watching comms from controller to chip and understanding the reading of a chip.. blocks, pages, how bad columns are implemented, how to read a datasheet so you can create a config for your reader.. those types of things.

Flash and NAND is a small part of flash recovery. The community collectively figure out how to read the NAND chips to give best results, and in 80% of cases the tools handle the chips and reading just fine. The other equally important, but much less documented job is creating a disk image from the dump. This is where the Rusolut docs excel at explaining the whole process. Bear in mind there are literally hundreds of variations in this part.

If you have read the Rusolut docs, and are very comfortable you understand them, then the only logical next step is experience in real world examples.