All times are UTC - 5 hours [ DST ]


Forum rules


Please do not post questions about data recovery cases here (use this forum instead). This forum is for topics on finding new ways to recover data. Accessing firmware, writing programs, reading bits off the platter, recovering data from dust...



Post new topic Reply to topic  [ 8 posts ] 
Author Message
 Post subject: NAND Flash Adapter
PostPosted: September 16th, 2019, 11:56 
Offline

Joined: August 13th, 2016, 17:10
Posts: 193
Location: Vienna, Austria
Ok, let's try to start working on a flash adapater solution together:

My main objective is to have a flash adapter that is capable to dump/read BGA-316 chips.
Optional targets:
* Write+Erase support
* VSC support (I actually found some vendor specific commands and want a reader where I am able to play around with them)
* High speed
* Cheap price

I started to collect a market-overview of potentially interesting Flash adapters, both commercially available and DIY solutions:

https://docs.google.com/spreadsheets/d/ ... sp=sharing
(Should I provide a Non-Google-Docs version for anyone?)
Does anyone know any flash readers that I haven't covered yet? Any feedback or improvements are highly appreciated!

BGA-316 has defined approximately 80 balls (the standard defines up to 32 chip enable lines, the chips I have seem use ), so I took a look at the interface between the flash reader and the chip adapters and counted the number of pins. It seems that all the commercial data-recovery flash readers do not have enough pins for ONFI BGA-316.
I guess that we might be able to spare a few pins by sharing the data lines between the quad 8-bit data lines, which would slow the reading down, but would allow flash readers to be used with less pins. I am not sure, whether that works out electrically (whether the chips are able to drive the load of shared data lines), or whether we would get other signal integrity problems. If sharing the lines would be possible, what is the minimum number of pins we actually need to fully support BGA-316? (I have a friend who might be able to answer that question)

I took a look at the interface connector between the flash reader and the chip adapters, to see whether they are easily purchasable, whether it is possible to develop your own adapters, whether the wiring is high-speed capable.

Is any of the vendors able to use GPIO Extenders on the Flash Adapters? Using 2 I/Os for a GPIO extender that extends to the 32 CE lines might be a good idea to spare I/O lines between the flash reader and the adapters.

Another thing that surprised me is that I couldn't find any USB3 flash reader yet. But perhaps it would need a lot of effort for parallelisation for all the other things to make use of USB3 speed, and it would likely interfere with the linear dump-file concept the industry currently has.

Since I couldn't find any data-recovery capable flash reader with BGA-316 support, I also searched for universal programmers (the UP-828P looks really interesting!), and I researched how it would be possible to DIY. I also searched for single-board computers that have enough GPIOs to be usable, anything that can be turned into a NAND flash reader.

Since BGA316 is difficult from the hardware side and kind of a niche market, I thought it might be a good idea that we start with an easier ONFI compliant target instead first, so I chose TSOP-48 for it. I have a BGA-316 <-> TSOP-48 adapter (with 4CE), so whatever is to be learnt for TSOP-48 should be applicable to BGA-316 later.

I bought a 360-Clip for TSOP48 and used it with a logic-analyzer. One important warning: The 360-CLIP comes in 3 different versions: The 32-Pin version, the 48-Pin version and the 56-Pin version. I accidently bought the 32-Pin version, which provides only 2 CE lines, the 48-Pin version is my preferred version. If you have to deal with TSOP56 you want the 56-Pin version.
I think we should develop an ONFI decoder for SigRok, does anyone want to help there? I developed a few SigRok plugins in the past.

My research showed that many of the readers do not provide the programming voltage (VPP) on the pins, so those are not usable for Write/Erase. But they still might be usable for special VSC (vendor specific commands)

Does anyone know the maximum signal speed of the individual signal lines of ONFI? Can anyone recommend a certain logic analyzer for the job? Can anyone provide logic-analyzer dumps from a complete ONFI communication?

On the software-side, I have found several different interesting options:
I found a ANSI-C flash reader for one of the commercial tools
I found various ANSI-C flash readers that should be easily adaptable to various boards and systems.
The Linux kernel contains a lot of flash interface code and various tables for supporting various chips.
I found a ONFI compliant flash reader implemented in VHDL on OpenCores. I tried to get it converted to Verilog in an automated way, but I failed with that, I guess I would have to convert it manually to Verilog.
I took the Raspberry-Pi 360-Clip Flash-Reader code from GitHub that was posted in the forum and started enhancing it with testing functionality, I'll send it upstream to GitHub soon.
So from the software-side I am somewhat confident that we will be able to find a good solution.

Most of the commercial tools seem to just dump all pages in a linear way into a single dump file that can then be processed by most commercial tools. I think the single dump file itself is OK, but I personally would prefer that the flash reader also spits out all the flash parameters and things like the flash-ID and adds it somewhere to the file, which might be useful information for the analyzing tools later on.

I had a lot of ideas in the past about interposers that would allow not just logic analyzing but even man-in-the-middle tampering with ONFI flash, some of them I have documented in the TheMissingManual already. And I even found interposers for BGA-316 on the market, but they are only usable for logic-analyzing.


Top
 Profile  
 
 Post subject: Re: NAND Flash Adapter
PostPosted: September 16th, 2019, 22:42 
Offline
User avatar

Joined: December 4th, 2012, 1:35
Posts: 3844
Location: Adelaide, Australia
some quick notes as I'm working and don't have time to really dig in yet:

for the interposer thing, I know Bunnie did some work using custom made ribbon cable. I think it was for his purpose built hacking computer, a search should find it .. I quickly found a reference to it:
Quote:
Most of this work was done using our open source hardware platform, Novena, and a set of custom flex circuit adapter cards (which, tangentially, lead toward the development of flexible circuit stickers aka chibitronics).


BGA-316 adapters: https://forum.hddguru.com/viewtopic.php?t=35238

I have read BGA-316 with these on NR and works well.

NR has a tool called NAND_Console_v1.rar which I assume you can send commands to chips, but I havent played with it yet. http://www.flash-extractor.com/downloads/Other/

As for LA, good luck getting anyone to actually recommend one, as it just turns into a pissing match about specifications or interpretations of them, without anyone recommending a make/model and giving an explanation of why it was chosen.

you want to analyse the nand chips protocol, so I suggest saying that to any potential vendor you contact when looking for a product. You would want protocol decoding, and I assume you would need to write your own decoder for some chips (VSC's) as I guess many would be close to standard NAND but not exactly.. again I havent done enough work in this sector to be of much help.


Top
 Profile  
 
 Post subject: Re: NAND Flash Adapter
PostPosted: September 18th, 2019, 2:57 
Offline

Joined: August 13th, 2016, 17:10
Posts: 193
Location: Vienna, Austria
I have the Romulator flex cable that Bunnie designed, and that was also a great inspiration for me. I haven't actually tried it yet, but that's a good idea. That's the schematic of the romulator: http://bunniefoo.com/novena/romulator/S ... r-pvt1.PDF

What exactly do you mean with NR? VNR from Rusolut? Or NAND-Reader from Soft-Center?

Thanks for reminding me about the BGA-316 adapaters from JAKC LEE, I had forgotten about them again. Now that opens quite a lot of possibilities again.
I have one question regarding power-management for you: With those BGA-316 adapters, can the power supply to Vdd and VddQ be configured seperately by Flash Extractor? And does it have a seperate Vpp voltage that can be configured too?
Back then when I investigated the BGA-316 adapters from JAKC LEE, I errorneously thought that the supply voltage is configured by the adapter, but now I realized that the flash reader actually produces the required voltages and the adapter just passes them on to the chips.

Is it possible with the converters from Multi-Recovery to use the BGA-316 adapters from JAKC-LEE with the other commercial flash readers as well?

Has anyone here ever used any of the flash adapters for writing/erasing? Can you tell me more about which products support that?

Does anyone have pinouts for the flash adapter interfaces?

Regarding the Logic-Analyzer, I think I want more than 16 channels, so most likely 32 Channels. I guess I will try to measure the speeds with one channel first, to see what the maximum speed is that I need.


Top
 Profile  
 
 Post subject: Re: NAND Flash Adapter
PostPosted: September 18th, 2019, 12:36 
Offline
User avatar

Joined: December 4th, 2012, 1:35
Posts: 3844
Location: Adelaide, Australia
sourcerer wrote:
I have the Romulator flex cable that Bunnie designed, and that was also a great inspiration for me. I haven't actually tried it yet, but that's a good idea. That's the schematic of the romulator: http://bunniefoo.com/novena/romulator/S ... r-pvt1.PDF

Just not sure how much man in the middling NAND is going to get you early on.

sourcerer wrote:
What exactly do you mean with NR? VNR from Rusolut? Or NAND-Reader from Soft-Center?

Nand Reader from Soft Center

sourcerer wrote:
Thanks for reminding me about the BGA-316 adapaters from JAKC LEE, I had forgotten about them again. Now that opens quite a lot of possibilities again.
I have one question regarding power-management for you: With those BGA-316 adapters, can the power supply to Vdd and VddQ be configured seperately by Flash Extractor? And does it have a seperate Vpp voltage that can be configured too?
Back then when I investigated the BGA-316 adapters from JAKC LEE, I errorneously thought that the supply voltage is configured by the adapter, but now I realized that the flash reader actually produces the required voltages and the adapter just passes them on to the chips.

NR - no control over voltage, if you need to change VddQ or want to play with Vcc, then you would use an external PS. You can add Vcc to other pins as documented in the manual pages, but that's it. No write voltages anymore.

VNR yes you can change Vcc and Vccq independent of each other. again I don't think there is any write functionality.

PC3K - I don't know.


sourcerer wrote:
Is it possible with the converters from Multi-Recovery to use the BGA-316 adapters from JAKC-LEE with the other commercial flash readers as well?

Some of the other flash readers may not support the type of NAND we are talking about. Most of those are for firmware type NAND, but don't have enough support or aren't able to read the different WL versions, DDR etc. could be wrong here these days.

sourcerer wrote:
Has anyone here ever used any of the flash adapters for writing/erasing? Can you tell me more about which products support that?

NR supports writing with a very old NR software version, but I don't know what chips it would support. I doubt there is any write support on any of the top 3 tools.

sourcerer wrote:
Does anyone have pinouts for the flash adapter interfaces?
very doubtful, apart from SC adapter dimensions in their manual.

sourcerer wrote:
Regarding the Logic-Analyzer, I think I want more than 16 channels, so most likely 32 Channels. I guess I will try to measure the speeds with one channel first, to see what the maximum speed is that I need.

I know someone uses a LAP-C 322000 http://www.zeroplus.com.tw/logic-analyzer_en/products.php?pdn=7&product_id=314
last time I looked they were mucho $$$


Top
 Profile  
 
 Post subject: Re: NAND Flash Adapter
PostPosted: September 19th, 2019, 7:58 
Offline
User avatar

Joined: December 4th, 2012, 1:35
Posts: 3844
Location: Adelaide, Australia
There is another possibly up and coming reader you can add to the list:

https://www.embeddedcomputers.net/products/FlashcatUSB_Mach1/

I don't have this one yet, but will probably get one this month.

I have a classic, Pro and an XPORT (using it here: http://forum.hddguru.com/viewtopic.php?f=10&t=38520&start=20)

and very easy to use and does what it says on the tin. Products are being updated at a good steady rate.

the manual is available in the latest version of the software download. Not sure about how the write support goes, but at least there is this:
Quote:
FlashcatUSB Mach¹ now has ability to program HyperFlash


Top
 Profile  
 
 Post subject: Re: NAND Flash Adapter
PostPosted: September 20th, 2019, 4:23 
Offline

Joined: August 13th, 2016, 17:10
Posts: 193
Location: Vienna, Austria
I analyzed the CE (ChipEnable) pins now, and found that my BGA316 chips have 8 CE pins, so I need a reader that supports at least 8 CE pins, which unfortunately rules out a lot of the options.
The ONFI standard for BGA316 defines up to 32 CE pins but I don't know whether any Flash chips actually use more than 8 CE pins yet.
TSOP48 is only defined with 4 CE pins in the ONFI standard.


Top
 Profile  
 
 Post subject: Re: NAND Flash Adapter
PostPosted: September 20th, 2019, 9:30 
Offline
User avatar

Joined: December 4th, 2012, 1:35
Posts: 3844
Location: Adelaide, Australia
you could build an adapter board with jumpers/dip switches to "banks" of 4 CE pins.

read 4, set jumpers, read another 4 and so on. the rare cases you would see more than 8 wouldn't be that much of a time penalty.


Top
 Profile  
 
 Post subject: Re: NAND Flash Adapter
PostPosted: September 23rd, 2019, 3:06 
Offline

Joined: September 23rd, 2019, 2:55
Posts: 54
Location: Poland
HaQue wrote:
you could build an adapter board with jumpers/dip switches to "banks" of 4 CE pins.

read 4, set jumpers, read another 4 and so on. the rare cases you would see more than 8 wouldn't be that much of a time penalty.


Something like this exists for VNR from FE interface standard, support BGA316 and BGA 272 https://multi-com.eu/,details,id_pr,22263,key,fe-converter-to-vnr-for-8ce-8bit.html

Image


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 8 posts ] 

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: No registered users and 10 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group