HDD GURU FORUMS

Maybe I am looking in the wrong places, but I cant find the layout for the Ultra Wide 52 pin TSOP. It's not in the ONFI specs.

I could be wrong, but I seem to remember finding out that it's just an extra unused NC pin at each corner and the rest is the same as TSOP 48.

I think the safest approach would be to examine the PCB. If the pinout for the controller is known, then it wouldn't take long to determine the NAND pinout with a little visual circuit tracing , or by buzzing the traces with a DMM in continuity mode. At the very least, determine the ground and Vcc pins. These can be identified with reference to the adjacent bypass capacitors.

Francs approach is ideal. some of these chips have a different pinout than standard, but I haven't come across any that I could find datasheets, or info on the web about to say anything concrete. Also they could be TSOP-56 with the 4 outer pins missing, or left off by design. http://www.flash-extractor.com/manual/adapter_tsop_56/

I agree with Jared, Probably tsop48 though

really not sure why vendors stray from standard.. especially when they actually make the chip bigger than it needs to be, or for no apparent reason.

possible that really cheap and nasty outfits buy bare silicon chips that did not pass QA from a major vendor and repackage them with retrofitted packages or worse "homemade" moulds.

What controller? It could be not typical standard. So if you have known controller with datasheet, measure shorts between memory and controller pads and you find correct pinout.

arvika wrote:What controller? It could be not typical standard. So if you have known controller with datasheet, measure shorts between memory and controller pads and you find correct pinout.

Thanks for the replies guys. I have just found out that the controller (DM8261) is encrypted. I have found a blog where a data recovery company say they did work out the encryption from the NAND and reversed engineered the XOR after about 2 weeks of work. I might refer this one...

ddrecovery wrote:

arvika wrote:What controller? It could be not typical standard. So if you have known controller with datasheet, measure shorts between memory and controller pads and you find correct pinout.

Thanks for the replies guys. I have just found out that the controller (DM8261) is encrypted. I have found a blog where a data recovery company say they did work out the encryption from the NAND and reversed engineered the XOR after about 2 weeks of work. I might refer this one...

Are you sure they did not just mean they worked out the XOR and was referring to the XOR as encryption?

I have never heard of a single case where actual encryption on a flash device was reversed/broken.

I see these controllers seem to use software bad bytes, and a few cases on FE site, but none solved.

notice the Pin1 mark is in the wrong corner. What is marked on PCB, any chance of a photo of the PCB?

fzabkar wrote:https://usbflashrecovery.com/appotech-dm8261-controller/

interesting.

I don't know the specifics and I would like to believe the DR Engineer figured out the AES-256. It is the wording that bothers me. I want to point out I am not so much doubting the DR guys, but more don't understand how it would be carried out.

First:

.....and it has been recently confirmed the Appotech DM8261 controller uses XOR in conjunction with AES-256 encryption

I would have thought something along the lines of "we confirmed" or "we discovered" not the vague statement like was used. If someone else did it, a link to their work might have been nice. Anyway a bit strange wording.

Second:

I was able to successfully recover the data on the one we received once I figured out the XOR using the encryption key from the original NAND.

you cannot figure out XOR using an AES-256 encryption key. Unless it is to decrypt dump first, then find XOR (which is not that hard).

I am not going to pretend I know how the data is actually stored using the encryption and XOR, but I do know how others work. And even though there is a huge range of combinations of factors, the actual main aspects are all pretty similar.

to use the encryption key (AES key) there would need to be some kind of decryption, before or after XOR. The XOR key is usually a small block of DATA, say 256 pages, applied to each 256 pages over and over again.

If after, you would need to remove XOR, then break or decrypt AES.

To remove the wear levelling mix you would need to see FAT tables or such, see SA at least, so either data area only is encrypted or there is some other scenario I havent thought of.

If it was encrypted after XOR, even if you found the key, how would you know what algorith you could use to decrypt? After dumping the chip what would be next steps? If you saw an encrypted dump, how would a key be recogniseable?

I am probably not making much sense as I am trying to weigh things up as I reply. All I can come up with is if this is all true, then the blog post is extremely over simplified.

I would love a deeper dive into this.

fzabkar wrote:https://usbflashrecovery.com/appotech-dm8261-controller/

I intentionally did not put a link to this blog in my post as I did not deem it appropriate in this forum. A few people have PM'd me about it and I did share the details with them.

HaQue wrote:

fzabkar wrote:https://usbflashrecovery.com/appotech-dm8261-controller/

interesting.

I don't know the specifics and I would like to believe the DR Engineer figured out the AES-256. It is the wording that bothers me. I want to point out I am not so much doubting the DR guys, but more don't understand how it would be carried out.

First:

.....and it has been recently confirmed the Appotech DM8261 controller uses XOR in conjunction with AES-256 encryption

I would have thought something along the lines of "we confirmed" or "we discovered" not the vague statement like was used. If someone else did it, a link to their work might have been nice. Anyway a bit strange wording.

Second:

I was able to successfully recover the data on the one we received once I figured out the XOR using the encryption key from the original NAND.

you cannot figure out XOR using an AES-256 encryption key. Unless it is to decrypt dump first, then find XOR (which is not that hard).

I am not going to pretend I know how the data is actually stored using the encryption and XOR, but I do know how others work. And even though there is a huge range of combinations of factors, the actual main aspects are all pretty similar.

to use the encryption key (AES key) there would need to be some kind of decryption, before or after XOR. The XOR key is usually a small block of DATA, say 256 pages, applied to each 256 pages over and over again.

If after, you would need to remove XOR, then break or decrypt AES.

To remove the wear levelling mix you would need to see FAT tables or such, see SA at least, so either data area only is encrypted or there is some other scenario I havent thought of.

If it was encrypted after XOR, even if you found the key, how would you know what algorith you could use to decrypt? After dumping the chip what would be next steps? If you saw an encrypted dump, how would a key be recogniseable?

I am probably not making much sense as I am trying to weigh things up as I reply. All I can come up with is if this is all true, then the blog post is extremely over simplified.

I would love a deeper dive into this.

Thanks for the detailed response. I know no more than you do. I did not post the company details as I had a feeling there would be negative comments about it and I did not consider it fair to the company. The blog post is probably done for SEO purposes rather than accurate data recovery information.

Hi guys ,very sorry to disturb this feed ,as this is not related ,but is there any chance for you @fzabkar and @HaQue to PM me ? sorry i relay cant find an another way to contact this two champs
many thanks

Been there, done that. https://forum.acelaboratory.com/viewtop ... +52#p32537

lcoughey wrote:Been there, done that. https://forum.acelaboratory.com/viewtop ... +52#p32537

AIUI, you did this ...



I'm stunned that the chip survived. :shock:

My approach, in the case of an unfamiliar chip, is to start by identifying the power rails on the PCB it came from. In that way you avoid the possibility of catastrophic damage. In your case you have applied power to the chip's signal pins. Normally that would kill it.

vito wrote:Hi guys ,very sorry to disturb this feed ,as this is not related ,but is there any chance for you @fzabkar and @HaQue to PM me ? sorry i relay cant find an another way to contact this two champs
many thanks

Cheers guys appreciate it ,I can read your PM ,but don't have the permission to replay you ,even on my received PMs perhaps email in PM?

Well,
How Many Time Does a Normal AND Guy Find TSOP56 ? . This Does Not Justify Buying a Adapter But a PCB With TSOP56 Interfaced To Your Tol And You Solder This On That is Not a BAD Idea And i Have Seem Many Peeps Doing It