All times are UTC - 5 hours [ DST ]


 Post subject: NAND READING VIA FTDI2232H
PostPosted: March 3rd, 2016, 13:59 
Following my previous post about this (viewtopic.php?f=13&t=31253)

So after some more digging into the subject, I've finally managed to dump NAND content from a TSOP48 chip.

However, I do believe ECC correction must be made manually.

This is a dump of a 1GB stick (I've purchased and grabbed old usb drives from friends to test this DIY reader)

[Attachment: 1gbinfo.png]


After dumping the contents of the chip, I open the image file in FTK imager:

[Attachment: dump.png]


I see that data is there, but no FS is recognized, and I try to carve it through R-STUDIO:

[Attachment: fcd.png]


Even though it finds files, they can't be opened, and so far the best results I had were from a 2007 MP3 player, on which I've managed to see all the music that used to be there, and even play some bits of it.

Anyway, my issue is this: I know for sure this isn't viable to be used in the office. In the time I take to dump a 1 GB chip I could dump 100 with VNR.
But I got a little attached to this project, and the reader looks really funky 8)

What I am still trying to realize is, can someone with enough knowledge use this dump to re-create the original file system + files?

Thank you all !

_________________
BTC Wallet - 3AoQPTBsz9PbfoanCx44Lw76Y2TwtKa1x5
Instagram https://www.instagram.com/datarecovery_morde.pt/


Post subject: Re: NAND READING VIA FTDI2232H
PostPosted: March 3rd, 2016, 14:44
DRUG wrote:
I see that data is there, but no FS is recognized

of course not
DRUG wrote:
and I try to carve it through R-STUDIO:

you're wasting your time, programs like that are not designed to handle the structure of flash.
DRUG wrote:
Even though it finds files, they can't be opened

of course not
DRUG wrote:
and so far the best results I had were from a 2007 MP3 player

you're wasting your time
DRUG wrote:
But I got a little attached to this project, and the reader looks really funky 8)

then go for it
DRUG wrote:
What I am still trying to realize is, can someone with enough knowledge use this dump to re-create the original file system + files?

of course, the question is if you're trying to invent the wheel?
but if you're really eager to do it, you have to understand the basics first, such as the structure of flash chips and how the data is stored there.


Post subject: Re: NAND READING VIA FTDI2232H
PostPosted: March 3rd, 2016, 16:15
The OP is not trying to reinvent the wheel. Obviously there is a fundamental lack of understanding of flash structures, despite the fact that the OP has an expensive professional tool. I would want the tool to be an extension of my intellect, not a substitute for it. How many in the DR profession actually understand the technologies that they work with?

My approach would be to use a relatively simple case as a learning example. I found an earlier industrial knitting machine thread to be very educational in this regard. If I were embarking on a career in data recovery, I would want to be much more than a mere ROM jockey and head swap mechanic.

Kudos to the OP for making the effort.

_________________
A backup a day keeps DR away.


Post subject: Re: NAND READING VIA FTDI2232H
PostPosted: March 3rd, 2016, 16:20
DRUG wrote:
After dumping the contents of the chip, I open the image file in FTK imager:

You need to examine the spare area (OOB). Can you upload the first 20KB of the dump?

Post subject: Re: NAND READING VIA FTDI2232H
PostPosted: March 3rd, 2016, 16:30
fzabkar wrote:
despite the fact that the OP has an expensive professional tool.

I think you're mistaken, we're talking here about a cheap tool that can be acquired for less than 25 bucks.


Post subject: Re: NAND READING VIA FTDI2232H
PostPosted: March 3rd, 2016, 16:36
jermy wrote:
fzabkar wrote:
despite the fact that the OP has an expensive professional tool.

I think you're mistaken, we're talking here about a cheap tool that can be acquired for less than 25 bucks.

DRUG wrote:
Anyway, my issue is this: I know for sure this isn't viable to be used in the office. In the time I take to dump a 1 GB chip I could dump 100 with VNR.

I took this comment to mean that the OP has VNR (Visual Nand Reconstructor).

http://rusolut.com/

Post subject: Re: NAND READING VIA FTDI2232H
PostPosted: March 3rd, 2016, 22:57
fzabkar wrote:
The OP is not trying to reinvent the wheel. Obviously there is a fundamental lack of understanding of flash structures, despite the fact that the OP has an expensive professional tool. I would want the tool to be an extension of my intellect, not a substitute for it. How many in the DR profession actually understand the technologies that they work with?

My approach would be to use a relatively simple case as a learning example. I found an earlier industrial knitting machine thread to be very educational in this regard. If I were embarking on a career in data recovery, I would want to be much more than a mere ROM jockey and head swap mechanic.

Kudos to the OP for making the effort.


Hi Frank, and thanks once again for always contributing in a helpful way.
First of all, everyone here needs to understand that I've learned all I know so far (which is nothing compared to 90% of the users I see here) by figuring out bits of information scattered everywhere on the web and with the help of people like pclab and haque.
My job is not DR full time. I started working in the company I am at and realised the amount of jobs we outsourced for data recovery. I asked my boss if I could start taking some easy cases along with my infosec duties. Things have evolved from scratch and we've managed to profit enough to buy an MRT Pro. We rarely have flash cases, but I see that every month flash starts to appear every now and then. After purchasing the MRT I must confess I felt more confident and solved some harder cases, but I still keep outsourcing if the job is flash or needs a clean room. My next objective is owning VNR; the only thing stopping us from buying it is my knowledge. Even though they have classes along with the kit, I fear that attending those classes would be like hearing a new language for the first time. Once again, I'm not a pro, but I love recovering, and perhaps it would be better to understand how chip-off works with a DIY method that I can do in my free time, and perhaps learn something that will be useful in the future. My goal is to own VNR by the end of the year, plus the lessons. It will be a heavy investment, but I hope that with hard work, advertising and social networking I'll be able to get us enough jobs to justify the purchase.

About the topic, tomorrow I will upload the first 20 KB.
P.S.: I also know Soft-Center Flash Extractor; that would ideally be the step between this NAND reader and VNR.
And thanks once again for your help Frank, sometimes I feel bad doing these kinds of posts because I know I'm looking for the right answers with the wrong questions.
Jermy, I understand your point, I feel the way you feel every time I see a random noob claiming he can pentest. I hope some day I can contribute more and leech less on this forum.

Post subject: Re: NAND READING VIA FTDI2232H
PostPosted: March 4th, 2016, 7:16
Here is a link to a sample of the dump, and the full dump.

password is: hddguru

http://cloud.g3t-server.com/owncloud/in ... tJtCLjce8k

Post subject: Re: NAND READING VIA FTDI2232H
PostPosted: March 4th, 2016, 10:36
Data recovered :-)

Do you want the data uploading?

_________________
PC Image Data Recovery
http://www.pcimage.co.uk

New!! HDD-PCB.COM for all your PCB and donor HDD requirements!


Post subject: Re: NAND READING VIA FTDI2232H
PostPosted: March 4th, 2016, 10:42
pcimage wrote:
Data recovered :-)

Do you want the data uploading?


The data on those files is from sticks friends gave me that weren't used anymore.

Something cool would be creating a SQL DB with all the info for any chip I've come across, and then offer it online for people with interest in NAND.

However I don't understand how to go from chip in my hands to search for the ECC, OOB, and implement it.

Post subject: Re: NAND READING VIA FTDI2232H
PostPosted: March 5th, 2016, 5:37
DRUG wrote:
pcimage wrote:
Data recovered :-)

Do you want the data uploading?


The data on those files is from sticks friends gave me that weren't used anymore.

Something cool would be creating a SQL DB with all the info for any chip I've come across, and then offer it online for people with interest in NAND.

However I don't understand how to go from chip in my hands to search for the ECC, OOB, and implement it.

THAT would be re-inventing the wheel, and this is already what the major DR tool vendors do. The problem is that you may be severely underestimating the number of combinations of controller + NAND + Layouts + XOR + Mix + "Other".

I have been collecting new devices for a couple of years and not often do I get the same one. You would take years to build up some database, and then a customer walks in the door with something new. IMHO, better to become part of an existing group that already does this and contribute. This gives the benefit of access to their experiences as well.

I have done things like buy bulk lots of old devices, swap old for new from colleagues in a campaign to increase my "list", and buy flash every week. Still only a few double-ups in 585 drives.

Another thing - with flash, you need to not think of the NAND as the discrete part that has the data. Sure it HAS the data, but other factors come into play, and the NAND properties are only a subset of what is considered when recovering flash. The OOB, XOR, ECC really don't have much to do with the NAND, but with the flash controller. So the exact same NAND chip on both a Toshiba flash drive and a SanDisk drive will have different OOB (spare area or whatever name you want to give the service data). The act of reading the NAND initially is probably the only place you care about the NAND intricacies: voltage, read retry, WL, 8/16 bit, DDR etc.
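
Added example, not code from any poster or tool in this thread: because the spare area (OOB) layout is set by the controller rather than by the NAND, a first look at a raw dump can infer the raw page size and the service-data columns from the dump itself. This is a heuristic sketch; the candidate page sizes, the spare layout of the sample and all function names are assumptions, and the sample dump is constructed.

```python
import random
from collections import Counter

# Raw page sizes (data + spare bytes) to try; an assumed list, extend it from
# the chip's datasheet.
CANDIDATE_PAGE_SIZES = [528, 2112, 4224, 4320, 8640]


def self_match(dump: bytes, stride: int) -> float:
    """Fraction of bytes that equal the byte `stride` positions later."""
    n = len(dump) - stride
    if n <= 0:
        return 0.0
    return sum(a == b for a, b in zip(dump, dump[stride:])) / n


def guess_page_size(dump: bytes, candidates=CANDIDATE_PAGE_SIZES) -> int:
    """Service bytes sit at fixed offsets in every page, so the dump matches
    itself best when shifted by one raw page (or a multiple of it)."""
    scores = {p: self_match(dump, p) for p in candidates}
    best, worst = max(scores.values()), min(scores.values())
    if best < 2 * worst:
        # All-0xFF / all-0x00 reads (erased chip, wiring fault) or pure noise.
        raise ValueError("no page-periodic structure found in dump")
    # A multiple of the true size scores as well as the true size itself.
    return min(p for p, s in scores.items() if s >= 0.9 * best)


def stable_columns(dump: bytes, page_size: int, agreement: float = 0.9):
    """Offsets inside the page holding the same value in most pages:
    candidates for markers and padding written by the controller."""
    pages = [dump[i:i + page_size]
             for i in range(0, len(dump) - page_size + 1, page_size)]
    stable = []
    for off in range(page_size):
        top = Counter(p[off] for p in pages).most_common(1)[0][1]
        if top / len(pages) >= agreement:
            stable.append(off)
    return stable


def build_sample(pages=128, pages_per_block=64, seed=1) -> bytes:
    """Constructed dump: 2048 data + 64 spare bytes per page. The spare layout
    (marker, block number, padding, ECC) is hypothetical."""
    rng = random.Random(seed)
    rand = lambda k: rng.getrandbits(8 * k).to_bytes(k, "little")
    out = bytearray()
    for n in range(pages):
        out += rand(2048)                                 # stand-in for user data
        out += b"\xff"                                    # bad-block marker
        out += (n // pages_per_block).to_bytes(2, "big")  # logical block number
        out += b"\xff" * 21                               # unused spare bytes
        out += rand(40)                                   # stand-in for ECC bytes
    return bytes(out)


if __name__ == "__main__":
    dump = build_sample()
    size = guess_page_size(dump)
    cols = stable_columns(dump, size)
    print("raw page size:", size)
    print("stable columns:", cols[0], "to", cols[-1], f"({len(cols)} bytes)")
```

Columns that change only at block boundaries (the block number in the sample) and the ECC bytes do not show up as stable, so the stable set marks where the spare area starts rather than its full extent.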


Post subject: Re: NAND READING VIA FTDI2232H
PostPosted: March 5th, 2016, 16:59
HaQue wrote:
DRUG wrote:
However I don't understand how to go from chip in my hands to search for the ECC, OOB, and implement it.

THAT would be re-inventing the wheel, and this is already what the major DR tool vendors do.

AISI it is a case of understanding the wheel rather than re-inventing it.

Cast your mind back to that industrial knitting machine thread. The OP in that thread took his NAND chip (one of the earliest Samsung ICs) to a "professional" who used PC$10K to dump the contents. The result was an image file with the wrong "OOB" data. The user was told that the dump was error free, which was obviously a lie.

The professionals in this forum then failed to realise that the reason for the bad OOB data was a missing ground wire, which in turn implied that none could read a datasheet. Instead of adding a ground wire, the OP was asked to send his chip to another country so that other professional tools could be tried.

The resulting data recovery then recovered only 75% of the file system. The operator failed to realise that anything was wrong, presumably because he trusted his professional tools.

Furthermore, the recovered file was corrupt, yet no tool alerted the operator to this fact.

The irony is that the data were 100% recoverable with the OP's $25 MacGyver kit and a little knowledge.

In another case, a person contacted me privately regarding a flash drive he wished to recover. He was unable to identify a particular component (it turned out to be a resistor). I found a reference circuit diagram to assist him, but he was unable to determine which of the two components in the diagram was the NAND (the other was obviously the flash controller). Apparently he had been involved in "IT" for many years, having sold 15000 PCs. During that time he had never used a multimeter, solving problems by replacing "FRUs". One day he decided that data recovery looked like a good earner, so he took Scott Moulton's course. He tells me that he has managed to convince a major US car manufacturer that he is a data recovery expert. When I asked him how he expected to succeed in the DR business when he didn't even understand the basics, he said that he only needed to remove the NAND and let his tool do the rest.

Post subject: Re: NAND READING VIA FTDI2232H
PostPosted: March 6th, 2016, 12:15
I remember that industrial knitting machine case, the OP is from my country.
I'm now testing different wirings according to NAND datasheets, looking for different results.
I want to understand the wheel, I just need to keep trying!

Post subject: Re: NAND READING VIA FTDI2232H
PostPosted: March 6th, 2016, 12:51
DRUG wrote:
Here is a link to a sample of the dump, and the full dump.

I took the time to reread the thread
DRUG wrote:
Following my previous post about this (viewtopic.php?f=13&t=31253)

and over there the NANDs are SDTNQxxxx-008G
my question is if the dump sample and full dump are from the same NAND(s)?


Post subject: Re: NAND READING VIA FTDI2232H
PostPosted: March 7th, 2016, 6:33
jermy wrote:
DRUG wrote:
Here is a link to a sample of the dump, and the full dump.

I took the time to reread the thread
DRUG wrote:
Following my previous post about this (viewtopic.php?f=13&t=31253)

and over there the NANDs are SDTNQxxxx-008G
my question is if the dump sample and full dump are from the same NAND(s)?


Thanks.

Yes, they are.

Post subject: Re: NAND READING VIA FTDI2232H
PostPosted: March 7th, 2016, 10:57
Update: Sean was kind enough to repair the ecc on the dump and retrieved the files.
The best part is that this flash drive is from one of my best friends, and tonight I will troll him and ask why he has an amateur porn video close to his granny photos :x

Post subject: Re: NAND READING VIA FTDI2232H
PostPosted: March 7th, 2016, 11:28
DRUG wrote:
Update: Sean was kind enough to repair the ecc on the dump and retrieved the files.

I don't get it
I thought the mission was to try doing it by yourself using 25 bucks of equipment (even though Sean did it already); suddenly you're backing off?


Post subject: Re: NAND READING VIA FTDI2232H
PostPosted: March 7th, 2016, 20:03
jermy wrote:
DRUG wrote:
Update: Sean was kind enough to repair the ecc on the dump and retrieved the files.

I don't get it
I thought the mission was to try doing it by yourself using 25 bucks of equipment (even though Sean did it already); suddenly you're backing off?


Did anyone say the mission changed? That was 1 chip, I have like 17 others :p

I've dumped some, I'm trying to figure out how to use Flash Extractor free version.

Btw jermy, you seem such an experienced professional, would you name some books about flash I should read as a starter?

Post subject: Re: NAND READING VIA FTDI2232H
PostPosted: March 7th, 2016, 21:39
The advantage of pro tools and their associated communities is you don't need to figure out hundreds of different XOR, ECC, block manipulations, data/SA layouts and wear levelling schemes. Doing so would simply use up so much time that any intention of turning a profit would be out the window. Knowing 20 different schemes isn't going to save you the many hours figuring out the next strange scheme. Even the pros that write the tools can spend days/weeks figuring out some.
In my opinion it isn't a choice between pro tool, pro/community help, re-inventing wheels etc.
You have to do everything and use every available resource. You have to learn the stuff as Franc alluded to, AND get help from others. If you want to sit alone on a flash quest, you are going to be sitting in front of that PC for a LONG time, but your bank balance won't reflect it.

Sure, with work you will solve some cases, but you can't spend many days on each case.

Happy for anyone to prove that you don't need community support or pro tools to have a profitable flash recovery business, starting from where DRUG is starting from.


Post subject: Re: NAND READING VIA FTDI2232H
PostPosted: March 7th, 2016, 21:52
DRUG wrote:
I've dumped some, I'm trying to figure out how to use Flash Extractor free version.

Flash Extractor free version???

DRUG wrote:
Btw jermy, you seem such an experienced professional, would you name some books about flash I should read as a starter?


http://www.amazon.com/Inside-NAND-Flash-Memories-Micheloni/dp/904819430X (Insane price tag alert!!) is probably the only one worth its salt, but really you are going to USE little of it.

I would suggest buying a logic analyser and watching comms from controller to chip and understanding the reading of a chip.. blocks, pages, how bad columns are implemented, how to read a datasheet so you can create a config for your reader.. those types of things.

Flash and NAND is a small part of flash recovery. The community collectively figure out how to read the NAND chips to give best results, and in 80% of cases the tools handle the chips and reading just fine. The other equally important, but much less documented job is creating a disk image from the dump. This is where the Rusolut docs excel at explaining the whole process. Bear in mind there are literally hundreds of variations in this part.

If you have read the Rusolut docs, and are very comfortable you understand them, then the only logical next step is experience in real world examples.

