All times are UTC - 5 hours [ DST ]




Post new topic Reply to topic  [ 17 posts ] 
Author Message
 Post subject: OCZ Vertex Plus R2 120GB Recovery in Factory Mode
PostPosted: October 29th, 2018, 18:19 
Offline

Joined: October 26th, 2018, 9:22
Posts: 10
Location: Ulm Germany
Hi everyone,
I have an SSD which is only present in BIOS when Jumper J2 on the pcb is set. Then it identifies as indilinx barefoot2.
SSD contains 3 partitions (Windows, Linux, Data). I am particularly interested in the data partition, which is partly truecrypted.

SSD has a 20pin 1/20" 2-row connector inside (CN1), which I assume is UART, JTAG and probably something else.
Has anyone information on this or can help in any other way?

I consulted data recovery firms. They claim that they can recover (?) and will charge 2000 - 3000 euros, which I will not spend.
I googled a lot and found PC-3000 software, which claims to recover from indilinx1 and indilinx3 but not indilinx2.

Q: In "factory mode", is data usually recovered via SATA interface or via UART? Could I get a complete useful image this way?
Q: The people who made indilinx2 and know about CN1 connector (datasheet...) must be alive. Info anyone? Wikipedia tells me that Toshiba bought OCZ bought Indilinx. Contacted Toshiba, received no useful information, as expected.

Photos of the SSD can be found here:https: //forum.hddguru.com/viewtopic.php?f=10&t=31212
It is the same pcb. To answer the questions from this thread: My voltages are all ok, SSD stays cold.
And yes, the flash chips are numbered U3...U34. Worst case: I could deliver 16 desoldered and numbered chips to someone to read out.

Giving up is not an option.
Any help greatly appreciated.


Top
 Profile  
 
 Post subject: Re: OCZ Vertex Plus R2 120GB Recovery in Factory Mode
PostPosted: November 9th, 2018, 4:38 
Offline

Joined: October 26th, 2018, 9:22
Posts: 10
Location: Ulm Germany
I made a breakout board for CN1 and tried to connect with a FT232H UART interface.
CN1 pins checked:
1,2: Vcc 3,3V
4,6,8,10,12,14,16,18,20: GND
11,17,19: n.c.
5: 10k pullup
7: 10k pullup
9: 10k pulldown
13: high impedance, somehow connected, 0V
15: 10k pullup
Cannot find any signal with the oscilloscope, tracing signals on pcb impossible (multilayer).

The FTDI I am using supports MPSSE (Multi-Protocol Synchronous Serial Engine) and can be used as JTAG interface
with Open OCD. But I've never tried this and could use some advice.


Top
 Profile  
 
 Post subject: Re: OCZ Vertex Plus R2 120GB Recovery in Factory Mode
PostPosted: November 9th, 2018, 5:02 
Offline

Joined: October 26th, 2018, 9:22
Posts: 10
Location: Ulm Germany
I just read some documents...
This is a standard pinout for JTAG.
Pin5:TDI
Pin7:TMS
Pin9:TCK
Pin13:TDO
Pin15:nSRST
Will connect the FTDI accordingly...


Top
 Profile  
 
 Post subject: Re: OCZ Vertex Plus R2 120GB Recovery in Factory Mode
PostPosted: November 9th, 2018, 5:18 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 11171
Location: Australia
ARM 20-pin and TI 20-pin look promising:
http://processors.wiki.ti.com/index.php/JTAG_Connectors#Pinout

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: OCZ Vertex Plus R2 120GB Recovery in Factory Mode
PostPosted: November 9th, 2018, 8:57 
Offline

Joined: October 26th, 2018, 9:22
Posts: 10
Location: Ulm Germany
while researching for nSRST (seems to be System Reset, alike Reset button on PC) and nTRST
I wonder if there is a chance to get this working simply by putting the 16 memory chips onto another SSD (identical part of course).
The Indilinx2 carries an ARM logo. I don't think that there is a hardware defect. Problem must be within flash memory on the drive controller or the NAND flash chips (OCZ M2501064T048AX21).


Top
 Profile  
 
 Post subject: Re: OCZ Vertex Plus R2 120GB Recovery in Factory Mode
PostPosted: November 9th, 2018, 9:58 
Offline

Joined: October 26th, 2018, 9:22
Posts: 10
Location: Ulm Germany
Thanks fzabkar, I got it. I just wonder, if the JTAG approach is right. I tried to read the OCZtechnologyforum through internet archives (doesn't exist anymore).
I learned that it is very difficult to hexdump the flash via JTAG if I don't have any knowledge of the JTAG.
Updating and altering firmware via JTAG kills access to the data in the flash chips.
https://rusolut.com/flash-data-recovery-technology/ is very interesting.I have found that obviously nobody made a FTL (firmware translation layer) for Indilinx2 controller because they were not very common. So the only chance is to use a working Indilinx2 controller. thus put the memory chips on another pcb.

So, the first step will be desoldering the 16 NAND chips and reading out their content to be safe.
Then soldering the chips to another OCZ vertex R2 SSD and see.
If that does not work, try to analyse the raw data.....


Top
 Profile  
 
 Post subject: Re: OCZ Vertex Plus R2 120GB Recovery in Factory Mode
PostPosted: November 9th, 2018, 10:21 
Offline

Joined: October 26th, 2018, 9:22
Posts: 10
Location: Ulm Germany
I found TL866ii Plus on Aliexpress. Seems a little overpowered just to read my chips, but anyway.
The name of my chips (m2501064t048ax21) is not on the compatibility list of this programmer, but with 16.000 parts there should be a compatible one.
Q: What is the "standard" name for a TSOP48 NAND flash chip m2501064t048ax21?
I just ordered the TL866ii plus on Alibaba. Plus adapter for TSOP48.


Top
 Profile  
 
 Post subject: Re: OCZ Vertex Plus R2 120GB Recovery in Factory Mode
PostPosted: November 9th, 2018, 12:39 
Offline

Joined: October 26th, 2018, 9:22
Posts: 10
Location: Ulm Germany
@fzabkar thanks for the answer

There is a little hope on the horizon, I just found openssd-project.org/wiki/Jasmine_OpenSSD_Platform,
there are three Indilinx barefoot FTLs. Unfortunately it is only barefoot and not barefoot2, but it is a start.
I do not fully understand everything yet,....
Somebody from RecoverMyFlashDrive.com collaborated with lots of chinese universities. So at least there are people to ask :-)
Will post again when I have successfully read data from my flash chips (may take some time, delivery from china).


Top
 Profile  
 
 Post subject: Re: OCZ Vertex Plus R2 120GB Recovery in Factory Mode
PostPosted: November 9th, 2018, 12:42 
Offline

Joined: September 29th, 2005, 4:10
Posts: 257
Location: Moscow
Username,
Bad idea to read chips.
You need to know XOR and ECC type, conversion and encryption algorithm.
Almost the same as for flash drives, but on the SSD at times more difficult.
example:
https://www.youtube.com/playlist?list=P ... wkFfr_uM_Y


Top
 Profile  
 
 Post subject: Re: OCZ Vertex Plus R2 120GB Recovery in Factory Mode
PostPosted: November 9th, 2018, 13:55 
Offline
User avatar

Joined: February 9th, 2009, 16:13
Posts: 2153
Location: Ontario, Canada
If we are able to recover such cases, we charge $900 CAD, if that helps.

_________________
Luke
RAID Data Recovery


Top
 Profile  
 
 Post subject: Re: OCZ Vertex Plus R2 120GB Recovery in Factory Mode
PostPosted: November 9th, 2018, 14:50 
Offline
User avatar

Joined: April 22nd, 2015, 20:32
Posts: 199
Location: Portugal
Username wrote:
while researching for nSRST (seems to be System Reset, alike Reset button on PC) and nTRST
I wonder if there is a chance to get this working simply by putting the 16 memory chips onto another SSD (identical part of course).
The Indilinx2 carries an ARM logo. I don't think that there is a hardware defect. Problem must be within flash memory on the drive controller or the NAND flash chips (OCZ M2501064T048AX21).


It seems to me that you are trying to do a job without the required tools.

Reading a USB TSOP48 with a standard programmer may be doable if you are not a flash jockey, but reading 16 SSD TSOP48 NANDS is very different.

Perhaps @HAQUE can add some input into this.

_________________
BTC Wallet - 16S1yq41ehJr9Kh8GeA2cgSYLt397XKU4Q


Top
 Profile  
 
 Post subject: Re: OCZ Vertex Plus R2 120GB Recovery in Factory Mode
PostPosted: November 9th, 2018, 17:08 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 11171
Location: Australia
FWIW, this thread claims that the M2501064T048AX21 is actually a Micron MT29F64G08CBAAA:
http://www.hdd-and-ssd.com/en/forum/topic-41576-page-21.html

https://datasheetspdf.com/datasheet/MT29F64G08CBAAA.html

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: OCZ Vertex Plus R2 120GB Recovery in Factory Mode
PostPosted: December 18th, 2018, 4:25 
Offline

Joined: October 26th, 2018, 9:22
Posts: 10
Location: Ulm Germany
Hi everyone,
I am back from some real life problems.
Thanks for allyour input.
@fzabkar, you googled better than I did! I haven't found that link.
@lcoughey: thank you for the offer, I might consider visiting Canada and Niagara Falls :-)
@DRUG: I see your point, I calculated a worst case of 24hrs for each chip to read. That would be 2 weeks for my set. Well, I'll take the time. I wonder though, if the chinese TL866 plus can handle the chip (no answer from vendor, on the list are chips up to 32G. Let's wait and see)

I bought two other defective HDDs to practise desoldering of the chips. I have 100% clean and beautifully desoldered chips from these. Before I start now to work on the patient, I want to be 100% sure that the contents cannot be read simply via JTAG in raw mode or so.
I suspect so not only because the recovery offers range from about 500euro to 5000euro, but there is also a beautiful standard JTAG interface on the pcb.

In openssd-project.org/mediawiki/images/Jasmine_FTL_Dev_Guide_v.1.2e.pdf I found that I can use an installer.exe and the realview ICE and Keil Ulink to read at least a bad block list from block 0 of the attached memory. IF the barefoot2 is somehow similar to the barefoot (which I read somewhere else, is true).
Ulink range from 12$ chinese copy to 350$ original... :-(. Let's see....
Now Jtagging seems a HUGE field to experiment....


Top
 Profile  
 
 Post subject: Re: OCZ Vertex Plus R2 120GB Recovery in Factory Mode
PostPosted: January 15th, 2019, 16:49 
Offline

Joined: October 26th, 2018, 9:22
Posts: 10
Location: Ulm Germany
I found that many of the available JTAG adapters consist of some FTDI chips with drivers. So I decided to build my own JTAG interface around a FT232H and use OpenOCD for a start.
Unfortunately I have some speed problems. I will likely solve soon by using the same high speed driver ICs as turtelizer. Config file in OpenOCD are ok.

I just bought another OCZ Vertex R2 plus 120gb off Ebay to experiment, because I am not going to mess with the patient at the beginning.

There is not much hope that I will succeed with JTAG since I have about zero information on this barefoot2 controller. So I am thinking more about putting the memory chips on a new drive with a working controller.
Do any of you think that there is a chance this will work? Bad Block tables are in flash, but how about wear levelling information and so on. Is there any information stored in Barefoot2 memory?
Who knows?
Maybe someone can estimate the probability... I wouldn't want to change the flash chips back to the old drive.

btw. my order of a TL866ii programmer in china has not arrived and is assumably lost. But meanwhile I found a much better device: RT809H universal programmer. Has anyone worked with that one yet?


Top
 Profile  
 
 Post subject: Re: OCZ Vertex Plus R2 120GB Recovery in Factory Mode
PostPosted: January 16th, 2019, 3:18 
Offline
User avatar

Joined: May 13th, 2010, 11:17
Posts: 2415
Location: Kuwait
Username wrote:
I found that many of the available JTAG adapters consist of some FTDI chips with drivers. So I decided to build my own JTAG interface around a FT232H and use OpenOCD for a start.
Unfortunately I have some speed problems. I will likely solve soon by using the same high speed driver ICs as turtelizer. Config file in OpenOCD are ok.

I just bought another OCZ Vertex R2 plus 120gb off Ebay to experiment, because I am not going to mess with the patient at the beginning.

There is not much hope that I will succeed with JTAG since I have about zero information on this barefoot2 controller. So I am thinking more about putting the memory chips on a new drive with a working controller.
Do any of you think that there is a chance this will work? Bad Block tables are in flash, but how about wear levelling information and so on. Is there any information stored in Barefoot2 memory?
Who knows?
Maybe someone can estimate the probability... I wouldn't want to change the flash chips back to the old drive.

btw. my order of a TL866ii programmer in china has not arrived and is assumably lost. But meanwhile I found a much better device: RT809H universal programmer. Has anyone worked with that one yet?



Will not work (assuming you have very high soldering skills)

_________________
Kuwait Data Recovery - UNIX GTC
The only reason for time is so that everything doesn't happen at once. By: Albert Einstein


Top
 Profile  
 
 Post subject: Re: OCZ Vertex Plus R2 120GB Recovery in Factory Mode
PostPosted: January 16th, 2019, 8:25 
Offline
User avatar

Joined: February 9th, 2009, 16:13
Posts: 2153
Location: Ontario, Canada
Assuming you get the dumps, how are you going to calculate the ECC and handle the bad blocks?

_________________
Luke
RAID Data Recovery


Top
 Profile  
 
 Post subject: Re: OCZ Vertex Plus R2 120GB Recovery in Factory Mode
PostPosted: January 23rd, 2019, 11:04 
Offline

Joined: October 26th, 2018, 9:22
Posts: 10
Location: Ulm Germany
Thanks for your replies and again sorry for replying unregularly.

ECC: I refer to "Understanding SSDs with the OpenSSD Platform" by Lee and Kim as a starting point. They describe the Barefoot 1, and I have been told that Barefoot 2 is not much of an evolution to that. Don't know if it is true. I have no illusion about the scope and scale of this piece of software.
Someplace else I read that Barefoot are quite simple, and an "expert" wrote someplace that it would take him two or three hours to make an FTL for this.
So it should be possible for anybody else to do it in 20 or 200 hrs.
Bad Blocks: I will have to work this into somehow. Maybe I know more after having read all Jasmine docu.

@einstein9, why exactly do you think it will not work? I am very interested in your opinion (just assume that soldering is no problem).
Will it not work because there is some crucial information stored inside the barefoot controller itself? Or do you think that there is corrupted firmware in the flash memory?
I might even consider to remove and exchange the controller itself - BGA, to the same effect) (btw. I am now only a few meters away from Albert Einsteins birthplace :-)

I know that there are handy methods to access the contents of the memory chips via the JTAG connector (there is a beautiful and standard JTAG connector on the PCB). But the only living person that has some inside knowledge of Barefoot controllers seems to be Jeremy Brock (does not reply, neither mail nor PM). Maye because this whole thing is more than 6 years old and no significant revenue to expect from (manufacture date 2012/04)


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 17 posts ] 

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group