All times are UTC - 5 hours [ DST ]




 Post subject: Help to unscramble my NAND flash
PostPosted: September 6th, 2021, 16:13 
Joined: September 6th, 2021, 15:07
Posts: 22
Location: France
Hello,

I am trying to recover data from a broken USB stick for a friend. It's the first time I have tried to do that.

The USB stick is built around a PS2251-09-26 and a "noname" NAND.

Attachment:
stick1.png


Attachment:
stick2.png


The PS2251-09-26 controller seems completely broken, so I carefully unsoldered the NAND.

Attachment:
stick3.png


And I built a "Poor Man NAND Reader" with a TSOP48 adapter, a NUCLEO board and some Dupont wires...
(I added an FT232H breakout to increase serial output speed.)

Attachment:
setup1.png


I wrote a piece of code to download the data to the PC through the serial port.

Attachment:
screen1.png


I'm able to get the "JEDEC" ID and the device ID from the NAND, "0x983AA4937A51".
This seems to be a Toshiba-like NAND.
I didn't find the datasheet for this NAND, but I found some characteristics in the "TC58TEG6DDKTA00-Toshiba" datasheets.

Attachment:
id1.png


Attachment:
id2.png


Attachment:
id3.png


Here are the supposed characteristics of the NAND flash:

Code:
#define NAND_SIZE_KB        (16*1024*1024)                // 16777216 KB
#define BLOC_SIZE_KB        (4*1024)                      // 4096 KB
#define BLOC_SIZE_BYTE      (BLOC_SIZE_KB*1024)           // 4194304 B
#define PAGE_SIZE_KB        (16)                          // 16 KB
#define PAGE_SIZE_BYTE      (PAGE_SIZE_KB*1024)           // 16384 B
#define BLOC_COUNT          (NAND_SIZE_KB/BLOC_SIZE_KB)   // 4096 BLOCKS
#define PAGE_PER_BLOC       (BLOC_SIZE_KB/PAGE_SIZE_KB)   // 256 PAGES


Post subject: Re: Help to unscramble my NAND flash
PostPosted: September 8th, 2021, 13:56
Joined: June 11th, 2013, 17:01
Posts: 1710
Location: Phoenix, AZ USA
You will not be able to recover data from the NAND without professional data recovery software. The NAND uses ECC and XOR (which is basically encryption). However, I do like the way you have read the chip, but you can get pretty much the same information by plugging the USB drive into a PC and using a free app called Chip Genius.

Did you check the PCB fully for shorts or failed components before removing the NAND?

_________________
HDD, SSD, Flash and RAID Data Recovery
Founder of The Data Recovery Professionals Group


Post subject: Re: Help to unscramble my NAND flash
PostPosted: September 8th, 2021, 15:40
Joined: September 6th, 2021, 15:07
Posts: 22
Location: France
Hello ddrecovery,
Thanks for the reply. I have not finished my post because of a technical problem. Yes, I understand it's pretty hard to recover the data, but I want to try because my friend doesn't have money and professional solutions are out of bounds here.
Yes, I took a lot of time to check for hardware problems and tried to recover the PS2251-09-26 before removing the NAND, but the USB controller seems cooked.


Post subject: Re: Help to unscramble my NAND flash
PostPosted: September 8th, 2021, 16:06
Joined: September 6th, 2021, 15:07
Posts: 22
Location: France
I'm able to download all the blocks

Attachment:
dump1.png


I wrote a small program to concatenate some blocks and add a BMP header (I concatenate only 8 blocks because of the BMP size limit)

Attachment:
bmp1.png


Now I can use the Windows image viewer to quickly navigate into NAND blocks or GIMP for pixel (offset) measurement

Attachment:
bmp2.png


I'm able to find some headers, LBN and LPN, and something that looks like flags, "0x01FF".

Attachment:
LBN1.png


I can get the boundaries of all the areas of the pages

Attachment:
fmt1.png


Code:
...
      25 : H1=0x0038 LBN=0x7467 LPN=0x0019 ?=0x01FF H2=0x0038 H3=0x0038 H4=0x0038 H5=0x0038 H6=0x0038 H7=0x0038 H8=0x0038 H9=0x0038 H10=0x0038 H11=0x0038 H12=0x0038 H13=0x0038 H14=0x0038
      26 : H1=0x0038 LBN=0x746B LPN=0x001A ?=0x01FF H2=0x0038 H3=0x0038 H4=0x0038 H5=0x0038 H6=0x0038 H7=0x0038 H8=0x0038 H9=0x0038 H10=0x0038 H11=0x0038 H12=0x0038 H13=0x0038 H14=0x0038
      27 : H1=0x0038 LBN=0x746F LPN=0x001B ?=0x01FF H2=0x0038 H3=0x003C H4=0x0038 H5=0x0038 H6=0x8038 H7=0x0038 H8=0x0038 H9=0x0038 H10=0x0238 H11=0x0038 H12=0x0038 H13=0x0038 H14=0x0038
      28 : H1=0x0038 LBN=0x7473 LPN=0x001C ?=0x01FF H2=0x0038 H3=0x0038 H4=0x0038 H5=0x0038 H6=0x0038 H7=0x0038 H8=0x0038 H9=0x0038 H10=0x0038 H11=0x0038 H12=0x0038 H13=0x0038 H14=0x0038
      29 : H1=0x0038 LBN=0x7477 LPN=0x001D ?=0x01FF H2=0x0038 H3=0x0038 H4=0x0038 H5=0x0038 H6=0x0038 H7=0x0038 H8=0x0038 H9=0x0038 H10=0x0038 H11=0x0038 H12=0x0038 H13=0x0038 H14=0x0038
...


With the header Hx and LBN I'm able to get the full logical block number I think


Post subject: Re: Help to unscramble my NAND flash
PostPosted: September 8th, 2021, 16:18
Joined: September 6th, 2021, 15:07
Posts: 22
Location: France
When I take a look at the bitmap representation, I find different types of blocks.
I'm not sure what kind of block/data each one is.

Some scrambled/noisy blocks: XORed data?

Attachment:
blocks1.png


Some recurrent-pattern blocks: 0 XOR key?

Attachment:
blocks2.png


Some unscrambled blocks: block table?

Attachment:
blocks0.png

I really don't know what this unscrambled information is.


Post subject: Re: Help to unscramble my NAND flash
PostPosted: September 8th, 2021, 16:54
Joined: September 6th, 2021, 15:07
Posts: 22
Location: France
I have begun to document the page format

Attachment:
fmtstruct1.png


Attachment:
fmtstruct2.png


I wrote a small program to extract and filter the 15 data areas of each page, without the header and the 78 bytes (ECC?). I took a look at a block with a visible repetitive pattern

Attachment:
key1.png


I can see that the repetitive pattern (the key?) is shifted left by 1024 bytes on every page

Attachment:
key2.png


For instance I'm not sure about the key length... I think it's the page size (15336 bytes), but visually it seems to be 1024 bytes...


Post subject: Re: Help to unscramble my NAND flash
PostPosted: September 9th, 2021, 3:21
Joined: October 24th, 2009, 15:22
Posts: 867
Location: Poland
The XOR block usually starts from 9A9EF0 on this model, but start with correct ECC. Without it, all data will be broken and all your work will be useless.

_________________
Flash Killer - everyday new resources (pinout, XOR, ECC,config) for flash devices


Post subject: Re: Help to unscramble my NAND flash
PostPosted: September 9th, 2021, 8:10
Joined: September 6th, 2021, 15:07
Posts: 22
Location: France
Hello Arvika,

Many, many thanks for the key start; that is what I found, and I found the shifting rate too. Big THANKS for the confirmation, this helps me a lot.
I thought that the ECC data was not scrambled by the XOR key, so the XOR key is applied, "round robin" shifted, to all data parts (1024 bytes) of a page except the "headers/LBN/LPN" (8+(13x2)=34 bytes) and "ECC" (13x78=1014 bytes). Can you confirm that?
In other words:
Can you confirm that the ECC (78 bytes) areas are not XORed?
Is the ECC (78 bytes) applied to the scrambled data or the unscrambled data (1024 bytes)?


Subsidiary question: I got 14 areas of 1024 bytes with an "ECC like area" (78 bytes) + 1 area of 1000 bytes without an "ECC like area" per page. I don't know what the purpose of this last 1000-byte area is. I don't know if this area is XORed too...
Can you enlighten me about this area?

My idea is to:
  1. Extract the potential key from several "repetitive pattern" pages/blocks (taking the shifting into account, so I get every key starting with 0x9A9EF0)
  2. Compute statistics for each (dirty) byte of the keys
  3. Create a temporary/partial key with the most probable bytes (highest occurrence)
  4. Do a first pass with the temporary/partial key to find a known pattern (like a FAT32 header, a filename or directory name in a directory entry, etc...)
  5. Try to manually correct the known pattern
  6. Use this pattern to brute-force the associated ECC algorithm parameters

Do you think it's a good way to find the ECC parameters?

Thanks in advance for your immeasurable help, I think I am entering the hardest part...
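Steps 1 to 4 of the plan above, as an added example that is not part of the original post: candidate key pages are re-aligned using the 1024-byte left shift per page reported in the thread, each key byte is chosen by vote, and offsets with a disputed vote are listed. The 4096-byte key length, the helper names and the sample pages are assumptions constructed for the demo; the real key length was still unknown at this point in the thread.

```python
import random
from collections import Counter

SHIFT = 1024  # the pattern moves left by 1024 bytes per page (from the thread)

def unshift(observed, page_index, shift=SHIFT):
    """Undo the rotation: observed[i] == key[(i + page_index*shift) % n]."""
    n = len(observed)
    r = (page_index * shift) % n
    return observed[n - r:] + observed[:n - r]

def vote_key(candidates, min_ratio=0.9):
    """candidates: {page_index: data bytes believed to be zeros XOR key}.
    Returns (key, weak): the most frequent byte per offset, and the offsets
    where that byte won fewer than min_ratio of the votes."""
    aligned = [unshift(d, p) for p, d in candidates.items()]
    n = len(aligned[0])
    if any(len(a) != n for a in aligned):
        raise ValueError("all candidate pages must have the same length")
    key, weak = bytearray(n), []
    for off in range(n):
        byte, votes = Counter(a[off] for a in aligned).most_common(1)[0]
        key[off] = byte
        if votes / len(aligned) < min_ratio:
            weak.append(off)
    return bytes(key), weak

def unscramble(data, page_index, key, shift=SHIFT):
    """XOR one page's data with the key rotated left for that page."""
    r = (page_index * shift) % len(key)
    rotated = key[r:] + key[:r]
    return bytes(d ^ k for d, k in zip(data, rotated))

# --- constructed demo data (not taken from the real dump) ---
KEY_LEN = 4096  # assumed key length, for the demo only
rng = random.Random(0)
TRUE_KEY = bytes([0x9A, 0x9E, 0xF0]) + bytes(rng.getrandbits(8) for _ in range(KEY_LEN - 3))

def make_page(page_index, plain=bytes(KEY_LEN), flips=()):
    """Scramble `plain` as page `page_index`; flip one bit at each key offset in flips."""
    noisy = bytearray(TRUE_KEY)
    for off in flips:
        noisy[off] ^= 0x01  # simulated single-bit read error
    r = (page_index * SHIFT) % KEY_LEN
    rot = bytes(noisy[r:] + noisy[:r])
    return bytes(p ^ k for p, k in zip(plain, rot))

PAGES = {p: make_page(p, flips=(10 * p, 10 * p + 1)) for p in range(7)}
KEY, WEAK = vote_key(PAGES)

if __name__ == "__main__":
    print(KEY[:3].hex(), len(WEAK), "weak offsets")
```

The weak offsets are the ones to re-check by hand against a known plaintext in step 5; a vote only says which value was read most often, not that it is correct.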


Post subject: Re: Help to unscramble my NAND flash
PostPosted: September 9th, 2021, 15:27
Joined: October 24th, 2009, 15:22
Posts: 867
Location: Poland
Probably it is your case: http://flash-extractor.com/library/PS/P ... a4_93__1x1
If yes, the first sector should be 1110, the rest 1104 bytes. Usually for these Phison controllers only the data is XORed; SA and ECC are not.
ECC for this controller uses the BCH algorithm and should work on the source (unXORed) dump, as I remember.

_________________
Flash Killer - everyday new resources (pinout, XOR, ECC,config) for flash devices


Post subject: Re: Help to unscramble my NAND flash
PostPosted: September 9th, 2021, 16:38
Joined: September 6th, 2021, 15:07
Posts: 22
Location: France
Many thanks for your help, Arvika. I will try BCH ECC on the unXORed data area.


Post subject: Re: Help to unscramble my NAND flash
PostPosted: September 9th, 2021, 17:02
Joined: October 3rd, 2005, 0:40
Posts: 4301
Location: Hungary
There seem to be a couple of errors in the above.
The page size is surely not 16384 bytes. The page should fit an integer power of 2 sectors (512 bytes), so 14*1024 + ECC is not enough.
Try setting the read page size to 20KB and check where the page actually ends (usually FFs are read beyond the end of the page).
In your case it should accommodate something like 16 1K sectors plus ECC plus SA.

pepe

_________________
Adatmentés - Data recovery


Post subject: Re: Help to unscramble my NAND flash
PostPosted: September 10th, 2021, 9:27
Joined: September 6th, 2021, 15:07
Posts: 22
Location: France
:shock: It did not come to my mind that I was not reading the real size of the page... I was stuck on the datasheet info I found from the device ID....
Many big THANKS pepe for pointing this out, I will try...


Post subject: Re: Help to unscramble my NAND flash
PostPosted: September 10th, 2021, 10:36
Joined: September 6th, 2021, 15:07
Posts: 22
Location: France
OK pepe, you are right, I'm not reading the entire pages...
I did a quick test and this is what I receive at the end of the pages.

Code:
Last sector of data         1024 B
The delimiter/header           2 B
The missing area (ECC?)       78 B
A full of 0xFF area           90 B
The rest of 20KB is 0x00

Attachment:
20k.png

Code:
                       SIZE OF PAGE
Without 0xFF area   141360 px    17670 B
With 0xFF area      142080 px    17760 B


Pfff... I need to re-read all my NAND...
I will take this opportunity to optimize my power supply filtering and level...

Another big THANKS pepe, this helps me a lot.
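The over-read check described above, as an added example that is not part of the original post: it measures where a page really ends in a 20 KB read and compares the result with the 1110-byte first sector and 1104-byte following sectors quoted earlier in the thread. The function names and the three sample reads are constructed for illustration.

```python
PAD, ERASED = 0x00, 0xFF
READ_SIZE = 20 * 1024  # over-read length suggested in the thread

def page_extent(raw):
    """Return (with_ff, without_ff): the length after dropping the trailing
    0x00 filler, and after also dropping the trailing 0xFF area."""
    with_ff = len(raw.rstrip(bytes([PAD])))
    without_ff = len(raw[:with_ff].rstrip(bytes([ERASED])))
    return with_ff, without_ff

def consensus_extent(reads):
    """One page can end in genuine 0xFF bytes and look shorter, so take the
    maximum over many pages; erased (all-0xFF) pages are skipped."""
    extents = [e for e in map(page_extent, reads) if e[1] > 0]
    if not extents:
        raise ValueError("no programmed page in the sample")
    return max(e[0] for e in extents), max(e[1] for e in extents)

def sector_bounds(first=1110, rest=1104, count=16):
    """(start, end) of each sector: one 1110-byte sector, then 1104-byte ones."""
    bounds, pos = [], 0
    for i in range(count):
        size = first if i == 0 else rest
        bounds.append((pos, pos + size))
        pos += size
    return bounds

def over_read(body):
    """Constructed read: page body, the 90-byte 0xFF area, then 0x00 filler."""
    raw = body + bytes([ERASED]) * 90
    return raw + bytes(READ_SIZE - len(raw))

# --- constructed sample reads (not taken from the real dump) ---
FULL = over_read(bytes([0xA5]) * 17670)                 # ordinary page
FF_TAIL = over_read(bytes([0xA5]) * 17668 + b"\xff\xff")  # last bytes happen to be 0xFF
BLANK = over_read(bytes([ERASED]) * 17670)              # erased page
READS = [FULL, FF_TAIL, BLANK]

if __name__ == "__main__":
    print(consensus_extent(READS), sector_bounds()[-1])
```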


Post subject: Re: Help to unscramble my NAND flash
PostPosted: September 10th, 2021, 12:17
Joined: September 6th, 2021, 15:07
Posts: 22
Location: France
Ok, so this is the true page structure of my NAND for instance

Attachment:
pagestruct2.png


Post subject: Re: Help to unscramble my NAND flash
PostPosted: September 10th, 2021, 12:36
Joined: October 3rd, 2005, 0:40
Posts: 4301
Location: Hungary
looks better :)

but still a long way to go...

pepe

_________________
Adatmentés - Data recovery


Post subject: Re: Help to unscramble my NAND flash
PostPosted: September 10th, 2021, 15:33
Joined: September 6th, 2021, 15:07
Posts: 22
Location: France
:D Yes, "I have my nose in the handlebars", so I did not think about looking beyond the limits.
I understand there is still a long way to go, especially since I only spend a few minutes a day ...
Another thank you for your help.


Post subject: Re: Help to unscramble my NAND flash
PostPosted: September 10th, 2021, 15:53
Joined: October 3rd, 2005, 0:40
Posts: 4301
Location: Hungary
But congrats on your reader, nice one ...
I also built mine back in 2005 or so. ECC and XOR were not players in those days; I was able to reconstruct pretty good images from SLC memories.
Later I realized I am better off with a commercial tool, which makes life much easier - when the thing is supported, of course :)
Also, with MLC and TLC, ECC is a must, so it is net cheaper to own a tool than to develop these things from scratch.

pepe

_________________
Adatmentés - Data recovery


Post subject: Re: Help to unscramble my NAND flash
PostPosted: September 10th, 2021, 17:58
Joined: September 6th, 2021, 15:07
Posts: 22
Location: France
I know. I asked for a quote for recovery and for two different bundled solutions, but prices are high in both cases and my friend doesn't have the budget. She is a modest person without a lot of money and with health problems; that is why I am trying by hand...

My reader is not very good in its current state. If I had time, I would probably make a small PC to properly connect the TSOP48 adapter and the NUCLEO board, and integrate the FT232H and a small adjustable power supply (0 .. 3V3) with good filtering.

For example, when I read a block 3 times, I sometimes get some different bytes (essentially just 1 bit is different)

Attachment:
dump_noise.png


At first I used the 3V3 of the NUCLEO and didn't have any decoupling capacitor near the TSOP adapter, and I read that lowering the power supply voltage of a NAND improves readability, I don't know if it's true.... I will try with my lab power supply...


Post subject: Re: Help to unscramble my NAND flash
PostPosted: September 10th, 2021, 18:06
Joined: October 3rd, 2005, 0:40
Posts: 4301
Location: Hungary
Supply voltage may affect data integrity, but you can't really decide what's good and what's wrong without calculating ECC.
Reading the same value several times does not mean it is good.

pepe

_________________
Adatmentés - Data recovery


Post subject: Re: Help to unscramble my NAND flash
PostPosted: September 10th, 2021, 19:21
Joined: June 11th, 2013, 17:01
Posts: 1710
Location: Phoenix, AZ USA
rom1nux wrote:
I read that lowering the power supply voltage of a NAND improves readability, I don't know if it's true.... I will try with my lab power supply...

Heating or cooling the chip can also make a difference.

_________________
HDD, SSD, Flash and RAID Data Recovery
Founder of The Data Recovery Professionals Group

