All times are UTC - 5 hours [ DST ]


Forum rules


Please do not post questions about data recovery cases here (use this forum instead). This forum is for topics on finding new ways to recover data. Accessing firmware, writing programs, reading bits off the platter, recovering data from dust...



Post new topic Reply to topic  [ 32 posts ]  Go to page 1, 2  Next
Author Message
 Post subject: Dumping nand flash memory
PostPosted: May 22nd, 2015, 19:15 
Offline
User avatar

Joined: April 22nd, 2015, 20:32
Posts: 226
Location: Portugal
Hey guys,

I've been building this DIY Nand Reader:

https://www.blackhat.com/docs/us-14/mat ... fit-WP.pdf

The build is completed now and I've already installed python dependencies and needed software for this to work.

However, I believe I have some trouble with the voltages when I try to dump, I'm saying this because sometimes I can get a perfect chip ID like figure 16 of this article shows, and if I try to repeat the process the Page Size, OOB size, Page Count and Adress Cycles may be all 0 or they are diferent from the first read attempt.

If voltage is not the issue is it possible that the chip might have been slightly damaged from the heat gun used to de-solder even though I've used termic time on the chip ?

Thanks.


And Spildit, please answer my PM :'(

_________________
BTC Wallet - 3AoQPTBsz9PbfoanCx44Lw76Y2TwtKa1x5


Top
 Profile  
 
 Post subject: Re: Dumping nand flash memory
PostPosted: May 22nd, 2015, 19:54 
Offline
User avatar

Joined: April 22nd, 2015, 20:32
Posts: 226
Location: Portugal
Oh, and another thing, the chip when is inside the Xeltek tsop 48 adapter gets REALLY HOT. :oops:

_________________
BTC Wallet - 3AoQPTBsz9PbfoanCx44Lw76Y2TwtKa1x5


Top
 Profile  
 
 Post subject: Re: Dumping nand flash memory
PostPosted: May 22nd, 2015, 21:25 
Offline
User avatar

Joined: December 4th, 2012, 1:35
Posts: 3535
Location: Adelaide, Australia
ok, chip should not get really hot, actually shouldn't get hot at all. Only part I have ever seen get slightly warm is a power IC on the reader itself.. can you show good quality pics of your actual project? Also, what voltages are you using, and how are you supplying the voltage?

Also possible depending on your nand chip that pinout is slightly different, though I assume you've looked at the datasheet, so doubt this.


Top
 Profile  
 
 Post subject: Re: Dumping nand flash memory
PostPosted: May 22nd, 2015, 21:50 
Offline
User avatar

Joined: April 22nd, 2015, 20:32
Posts: 226
Location: Portugal
I'll take some decent photos once I'm on the office, I'm using 2 x 3.3v as described on the article, however I'll de-solder some more tsop 48's and I'll guide the new wiring and make extra sure the pinout is ok!

_________________
BTC Wallet - 3AoQPTBsz9PbfoanCx44Lw76Y2TwtKa1x5


Top
 Profile  
 
 Post subject: Re: Dumping nand flash memory
PostPosted: May 22nd, 2015, 22:04 
Offline
User avatar

Joined: December 4th, 2012, 1:35
Posts: 3535
Location: Adelaide, Australia
I have just bought one of the boards, might help to replicate the project to make it easier to troubleshoot. Ive been meaning to try it out anyway!


Top
 Profile  
 
 Post subject: Re: Dumping nand flash memory
PostPosted: May 22nd, 2015, 22:16 
Offline
User avatar

Joined: April 22nd, 2015, 20:32
Posts: 226
Location: Portugal
I managed to grab some photos that I took earlier:

The schematics talk about a 2x 3.3v and 2x Ground, I'm using the ones on the FTDI board, am I correct?


Attachments:
File comment: schematics used
schematics.png
schematics.png [ 39.46 KiB | Viewed 11632 times ]
File comment: This is me bragging to pclab
IMG_20150522_105304.jpg
IMG_20150522_105304.jpg [ 1.43 MiB | Viewed 11632 times ]
File comment: Post it means: Hi I'm Zé and I hate Mac's (I've spent 3 days fixing a hardware related kernel panic on a macbook that made me go nuts)
IMG_20150518_211726.jpg
IMG_20150518_211726.jpg [ 1.89 MiB | Viewed 11632 times ]
File comment: When both baby's arrived.
IMG_20150511_144435.jpg
IMG_20150511_144435.jpg [ 1.37 MiB | Viewed 11632 times ]

_________________
BTC Wallet - 3AoQPTBsz9PbfoanCx44Lw76Y2TwtKa1x5
Top
 Profile  
 
 Post subject: Re: Dumping nand flash memory
PostPosted: May 22nd, 2015, 22:28 
Offline
User avatar

Joined: December 4th, 2012, 1:35
Posts: 3535
Location: Adelaide, Australia
ok, check the grounds and the vcc. I think these are actually connected internally, so you only need 1 supply of each. example, on the bare chip, check with continuity meter both vcc, and if beeps you only need a vcc on one of them

I cant see the back of ftdi board, but looks like connections are fine in any case.


Top
 Profile  
 
 Post subject: Re: Dumping nand flash memory
PostPosted: May 22nd, 2015, 22:33 
Offline
User avatar

Joined: April 22nd, 2015, 20:32
Posts: 226
Location: Portugal
So you would say I only need this 2 pins ?

Having them on 12-13 or 36-37 makes any diference ?


Attachments:
vs.png
vs.png [ 3.52 MiB | Viewed 11621 times ]

_________________
BTC Wallet - 3AoQPTBsz9PbfoanCx44Lw76Y2TwtKa1x5
Top
 Profile  
 
 Post subject: Re: Dumping nand flash memory
PostPosted: May 22nd, 2015, 22:37 
Offline
User avatar

Joined: April 22nd, 2015, 20:32
Posts: 226
Location: Portugal
Nevermind, only 2 pins needed, already found a image showing that. It's a little bit weird since in the article they state 2x 3.3v and 2x GND.

_________________
BTC Wallet - 3AoQPTBsz9PbfoanCx44Lw76Y2TwtKa1x5


Top
 Profile  
 
 Post subject: Re: Dumping nand flash memory
PostPosted: May 23rd, 2015, 6:12 
Offline
User avatar

Joined: December 4th, 2012, 1:35
Posts: 3535
Location: Adelaide, Australia
some nand chips have them internally connected and some don't :-)

just noticed the NAND is a Sandisk.. what is the actual part number?.. SDTN...

Some of these chips are 16bit and some are "16-8"( 8-bit chips wired on 16-bit bus ). Also some Sandisk need to have pin 38 isolated.


Top
 Profile  
 
 Post subject: Re: Dumping nand flash memory
PostPosted: May 23rd, 2015, 12:45 
Offline
User avatar

Joined: April 22nd, 2015, 20:32
Posts: 226
Location: Portugal
I have some more chips for testing, when you get your ftdi board let me know if you need the py scripts and the libs, one of them has been discontinued and I've managed to find it on a web.archive :)

_________________
BTC Wallet - 3AoQPTBsz9PbfoanCx44Lw76Y2TwtKa1x5


Top
 Profile  
 
 Post subject: Re: Dumping nand flash memory
PostPosted: May 23rd, 2015, 16:11 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 12371
Location: Australia
DRUG wrote:
Nevermind, only 2 pins needed, already found a image showing that. It's a little bit weird since in the article they state 2x 3.3v and 2x GND.

I would obtain a datasheet before proceeding. You can't simply assume that your chip follows the same pinout and voltage spec as the Samsung chip in the Blackhat article.

I would also connect all the supply and ground pins. I wouldn't rely on the chip's internal connections to make up for your wiring shortcuts. Some chips have separate Vcc and Vccq pins, and separate Vss and Vssq. The "Q" rail is for the IO section. Even when these voltages are the same, the two sections of the NAND might still require separate supply rails (although this doesn't appear to apply in your case).

If you can't locate a datasheet, then you may still be able to determine the pinout by examing the PCB from which you obtained the chip, assuming that is the case. The signal traces will go to the flash controller. The power traces will be bypassed by adjacent capacitors. Measure the voltages across these capacitors to determine the supply rails.

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: Dumping nand flash memory
PostPosted: May 24th, 2015, 2:48 
Offline
User avatar

Joined: August 15th, 2006, 3:01
Posts: 2876
Location: CDRLabs @ Chandigarh [ India ]
Well,
what would be the actual cost of building this project once its ended ?

_________________
Regards
Amarbir S Dhillon , Chandigarh Data Recovery Labs
Logical,Semi Physical And Physical Data Recovery
Website-> http://www.chandigarhdatarecovery.com


Top
 Profile  
 
 Post subject: Re: Dumping nand flash memory
PostPosted: May 24th, 2015, 4:45 
Offline
User avatar

Joined: December 4th, 2012, 1:35
Posts: 3535
Location: Adelaide, Australia
approx US$55 but I think some limitations on reading some chips


Top
 Profile  
 
 Post subject: Re: Dumping nand flash memory
PostPosted: May 24th, 2015, 14:37 
Offline
User avatar

Joined: August 15th, 2006, 3:01
Posts: 2876
Location: CDRLabs @ Chandigarh [ India ]
HaQue wrote:
approx US$55 but I think some limitations on reading some chips


HaQue ,
i See you already on sergy forums .But this is better -> http://www.flash-extractor.com/shop/

_________________
Regards
Amarbir S Dhillon , Chandigarh Data Recovery Labs
Logical,Semi Physical And Physical Data Recovery
Website-> http://www.chandigarhdatarecovery.com


Top
 Profile  
 
 Post subject: Re: Dumping nand flash memory
PostPosted: May 24th, 2015, 18:32 
Offline
User avatar

Joined: December 4th, 2012, 1:35
Posts: 3535
Location: Adelaide, Australia
Amarbir wrote:
HaQue wrote:
approx US$55 but I think some limitations on reading some chips


HaQue ,
i See you already on sergy forums .But this is better -> http://www.flash-extractor.com/shop/


Yes, I have one of those. but this is even better still, and I have one of these as well:
http://rusolut.com/visual-nand-reconstructor/nand-reader/


Top
 Profile  
 
 Post subject: Re: Dumping nand flash memory
PostPosted: May 24th, 2015, 20:01 
Offline
User avatar

Joined: April 22nd, 2015, 20:32
Posts: 226
Location: Portugal
fzabkar wrote:
DRUG wrote:
Nevermind, only 2 pins needed, already found a image showing that. It's a little bit weird since in the article they state 2x 3.3v and 2x GND.

I would obtain a datasheet before proceeding. You can't simply assume that your chip follows the same pinout and voltage spec as the Samsung chip in the Blackhat article.

I would also connect all the supply and ground pins. I wouldn't rely on the chip's internal connections to make up for your wiring shortcuts. Some chips have separate Vcc and Vccq pins, and separate Vss and Vssq. The "Q" rail is for the IO section. Even when these voltages are the same, the two sections of the NAND might still require separate supply rails (although this doesn't appear to apply in your case).

If you can't locate a datasheet, then you may still be able to determine the pinout by examing the PCB from which you obtained the chip, assuming that is the case. The signal traces will go to the flash controller. The power traces will be bypassed by adjacent capacitors. Measure the voltages across these capacitors to determine the supply rails.


Well, that makes total sense. Saddly only after you explained it to me.

I have some more chips to test on and I'll check the datasheet before the wiring.

_________________
BTC Wallet - 3AoQPTBsz9PbfoanCx44Lw76Y2TwtKa1x5


Top
 Profile  
 
 Post subject: Re: Dumping nand flash memory
PostPosted: May 24th, 2015, 20:03 
Offline
User avatar

Joined: April 22nd, 2015, 20:32
Posts: 226
Location: Portugal
Amarbir wrote:
Well,
what would be the actual cost of building this project once its ended ?



I've spent 75€ for the FTDI BOARD, the tsop 48 adapter and the wires. Even though, still pretty cheap for the kind of experience I'm obtaining with this whole project.

_________________
BTC Wallet - 3AoQPTBsz9PbfoanCx44Lw76Y2TwtKa1x5


Top
 Profile  
 
 Post subject: Re: Dumping nand flash memory
PostPosted: May 24th, 2015, 21:14 
Offline
User avatar

Joined: December 4th, 2012, 1:35
Posts: 3535
Location: Adelaide, Australia
Other comments:

1. ONFI support.. Just because a company like SanDisk is heavily involved with ONFI, doesn't mean all their chips are 100% support. SanDisk do some weird-ass things sometimes.

2. Refurbished chips: Micron and Spectek. It has been reported that Spectek chips are "The ones that john west rejects" "john west" in this case is Micron. The chips from Spectek are often rebadged/ refurbished Micron chips. Some even have the Spectek clearly lasered over the micron Logo. The chips may be a Micron 2 bank 16GB chip with a faulty bank, and rebadged as a single bank Spectek 8GB.

SanDisk sell a lot of chips with faults as well, and you can tell these as there is 2 rows of RMRMRM over the Brand.
They have been remanufactured to either map out the bad blocks or lower capacity. They should have same ID but might have 1/2 the banks.

Attachment:
refurb-Sandisk.jpg
refurb-Sandisk.jpg [ 17.3 KiB | Viewed 11408 times ]


Toshiba seems to sell to Phison, and they are usually labelled with short numbers starting with TF or TT, where the actual Toshiba part would start with TC58NV. Again the bank numbers can be different

It is important to be aware of refurb chips because if you are looking at a datasheet, all bets are off if it is refurb.

Pirate chips: these chips usually "look" dodgy.. they can be thinner, have broken bits of the package around where the dies meet, have printed labels instead of laser markings that denote faked chips. These normally have a correct ID but the quality is atrocious and many bit errors or straight out failure is probable.

The NAND industry is quite interesting. Almost NOTHING goes to waste. If a chip is not dead, it will be labelled and configured at whatever capacity they can get from it. Sometimes even 512MB cards are still made from 32GB chips that are all but stuffed. if you open as many devices as I do, you see some strange and wonderful things such as MicroSD cards in holder or soldered to PCB inside of Flash Disks and SD Cards, eMMC chips soldered to use just the NAND, totally fake things like 1GB NAND chips inside "64GB" drives.

I guess the whole point to this post is that NAND is a little different to most chips.. uC's, logic chips etc where specifications are everything. sometimes you can reliably rely on documentation such as 29F chips from intel/Micron, and other times it is a crapshoot. But it is ALWAYS fun ;)


Top
 Profile  
 
 Post subject: Re: Dumping nand flash memory
PostPosted: May 25th, 2015, 12:43 
Offline
User avatar

Joined: April 22nd, 2015, 20:32
Posts: 226
Location: Portugal
OK, this is weird.

The SanDisk ( SDTNQGAMA-008G ) i'm trying to read is known as Toshiba :|

I can't also find that specific datasheet :(


Attachments:
sc.png
sc.png [ 100.77 KiB | Viewed 11357 times ]

_________________
BTC Wallet - 3AoQPTBsz9PbfoanCx44Lw76Y2TwtKa1x5
Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 32 posts ]  Go to page 1, 2  Next

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group