All times are UTC - 5 hours [ DST ]




Post new topic Reply to topic  [ 25 posts ]  Go to page Previous  1, 2
Author Message
 Post subject: Re: Kingston - DT50 16GB Chipoff [ PS2250-07-V Controller ]
PostPosted: March 21st, 2023, 6:44 
Offline
User avatar

Joined: August 15th, 2006, 3:01
Posts: 3459
Location: CDRLabs @ Chandigarh [ India ]
csava wrote:
Bolo wrote:
@Amarbir: There are few options to use RR but you need first understand what RR really do. ReadRetry (RR) are commands that are sended to NAND and by this it change threshold of cells. To set proper RR you need to know address which is reponsible to change threshold (called registers) and their data to set (so called values). You can have 4, 6, ..... 32 registers. Many chip uses same RR but there are some that doesn't work on standard library codes and you need to set it up by your own (look for all 8bytes for ID) ... there are few ways:

- Sniff them using Logic Analyzer when you get working device (so called donor) so how controller communicate with NAND... ( a lot of time.... for us called lost of time but it's possible)
- Bruteforce them so apply all values from 0x00 to 0xff into correct address (this option was addedd to FE few weeks ago but require to know correct address - if you not have correct address then you cannot use it. The addresses are "hidden" under for example Hynix v1/v2/v3/v4 etc)
- read those values from NAND OTP if OTP area exist (this way we prefer and we found a way to get it long time ago and use it till now)

You can set own RR with VNR (Rusolut) in Config / Power UP actions (as Michal writes) or in FE by using Before Read option to give commands to NAND before read page. I don't see option to use own RR in PC3K and this sometimes make impossible to read leatest 3D TLC v4 chip correctly but this is talk for other time.

Now question from where you get those addresse/correct value ? In FF you can see values but not address ! Most important thing is to know correct registers address - nobody will share those for you since this knowledge requires a lot of work and time spend on research.... that why producers code this into software and not share anywhere. Due this you see RR1/RR2/RR3 in VNR for example.....

For someone who know how RR works and are able to read it from OTP settings correct threshold takes usually not more that 2-10 minutes to get perfect readout (this example is from eMMC that everyone claims was unrecoverable - https://www.youtube.com/watch?v=_iBkOclbMmM)

P.S
One more thing: values in registers are depend from each other in leatest chip - changing A reflect to B for example but they vary also in temperature... so perfect RR to chip readed in +24C will usually not work in temp. -20C or +60C

According to the experiment, I think the first register address of FE, HYV1 read retry option should be A7 instead of AC, please check
For the read retry address of AD3A1803, I think the current version also has a major bug, which will cause sometimes the ECC bitmap gives green, but the data is actually wrong. According to my experiment, AD3A1803 has 31-bit register address


Hi ,
This is pinout graph and you are talking about registers ,I quiet did not get it

_________________
Regards
Amarbir S Dhillon , Chandigarh Data Recovery Labs [India]
Logical,Semi Physical And Physical Data Recovery
Website-> http://www.chandigarhdatarecovery.com


Top
 Profile  
 
 Post subject: Re: Kingston - DT50 16GB Chipoff [ PS2250-07-V Controller ]
PostPosted: March 24th, 2023, 21:43 
Offline
User avatar

Joined: July 8th, 2019, 12:27
Posts: 143
Location: 中国大陆浙江省湖州市
Amarbir[CDR-Labs] wrote:
csava wrote:
Bolo wrote:
@Amarbir: There are few options to use RR but you need first understand what RR really do. ReadRetry (RR) are commands that are sended to NAND and by this it change threshold of cells. To set proper RR you need to know address which is reponsible to change threshold (called registers) and their data to set (so called values). You can have 4, 6, ..... 32 registers. Many chip uses same RR but there are some that doesn't work on standard library codes and you need to set it up by your own (look for all 8bytes for ID) ... there are few ways:

- Sniff them using Logic Analyzer when you get working device (so called donor) so how controller communicate with NAND... ( a lot of time.... for us called lost of time but it's possible)
- Bruteforce them so apply all values from 0x00 to 0xff into correct address (this option was addedd to FE few weeks ago but require to know correct address - if you not have correct address then you cannot use it. The addresses are "hidden" under for example Hynix v1/v2/v3/v4 etc)
- read those values from NAND OTP if OTP area exist (this way we prefer and we found a way to get it long time ago and use it till now)

You can set own RR with VNR (Rusolut) in Config / Power UP actions (as Michal writes) or in FE by using Before Read option to give commands to NAND before read page. I don't see option to use own RR in PC3K and this sometimes make impossible to read leatest 3D TLC v4 chip correctly but this is talk for other time.

Now question from where you get those addresse/correct value ? In FF you can see values but not address ! Most important thing is to know correct registers address - nobody will share those for you since this knowledge requires a lot of work and time spend on research.... that why producers code this into software and not share anywhere. Due this you see RR1/RR2/RR3 in VNR for example.....

For someone who know how RR works and are able to read it from OTP settings correct threshold takes usually not more that 2-10 minutes to get perfect readout (this example is from eMMC that everyone claims was unrecoverable - https://www.youtube.com/watch?v=_iBkOclbMmM)

P.S
One more thing: values in registers are depend from each other in leatest chip - changing A reflect to B for example but they vary also in temperature... so perfect RR to chip readed in +24C will usually not work in temp. -20C or +60C

According to the experiment, I think the first register address of FE, HYV1 read retry option should be A7 instead of AC, please check
For the read retry address of AD3A1803, I think the current version also has a major bug, which will cause sometimes the ECC bitmap gives green, but the data is actually wrong. According to my experiment, AD3A1803 has 31-bit register address


Hi ,
This is pinout graph and you are talking about registers ,I quiet did not get it

This is the timing diagram of flashextractor when using the HYV1 read retry option. From it, the read retry address can be analyzed. Quoting Bolo said "Now question from where you get those addresse/correct value ? In FF you can see values ​​but not address ! Most important thing is to know correct registers address - nobody will share those for you since this knowledge requires a lot of work and time spend on research.... that why producers code this into software and not share anywhere. Due this you see RR1/RR2/RR3 in VNR for example...."
Data sheets barely cover this aspect. In addition to finding the value from the OTP area and using the pinout to sniff the signal from the working flash device, I also found a smarter magic method, but the accuracy of the read retry address obtained this way needs to be further tested .

_________________
Auxiliary Tool Used For MonoLith Data Recovery, featuring the industry's most extensive Monolith pinouts
http://flash-matrix.com/


Top
 Profile  
 
 Post subject: Re: Kingston - DT50 16GB Chipoff [ PS2250-07-V Controller ]
PostPosted: June 26th, 2023, 11:44 
Offline
User avatar

Joined: August 15th, 2006, 3:01
Posts: 3459
Location: CDRLabs @ Chandigarh [ India ]
Bolo wrote:
@Amarbir: There are few options to use RR but you need first understand what RR really do. ReadRetry (RR) are commands that are sended to NAND and by this it change threshold of cells. To set proper RR you need to know address which is reponsible to change threshold (called registers) and their data to set (so called values). You can have 4, 6, ..... 32 registers. Many chip uses same RR but there are some that doesn't work on standard library codes and you need to set it up by your own (look for all 8bytes for ID) ... there are few ways:

- Sniff them using Logic Analyzer when you get working device (so called donor) so how controller communicate with NAND... ( a lot of time.... for us called lost of time but it's possible)
- Bruteforce them so apply all values from 0x00 to 0xff into correct address (this option was addedd to FE few weeks ago but require to know correct address - if you not have correct address then you cannot use it. The addresses are "hidden" under for example Hynix v1/v2/v3/v4 etc)
- read those values from NAND OTP if OTP area exist (this way we prefer and we found a way to get it long time ago and use it till now)

You can set own RR with VNR (Rusolut) in Config / Power UP actions (as Michal writes) or in FE by using Before Read option to give commands to NAND before read page. I don't see option to use own RR in PC3K and this sometimes make impossible to read leatest 3D TLC v4 chip correctly but this is talk for other time.

Now question from where you get those addresse/correct value ? In FF you can see values but not address ! Most important thing is to know correct registers address - nobody will share those for you since this knowledge requires a lot of work and time spend on research.... that why producers code this into software and not share anywhere. Due this you see RR1/RR2/RR3 in VNR for example.....

For someone who know how RR works and are able to read it from OTP settings correct threshold takes usually not more that 2-10 minutes to get perfect readout (this example is from eMMC that everyone claims was unrecoverable - https://www.youtube.com/watch?v=_iBkOclbMmM)

P.S
One more thing: values in registers are depend from each other in leatest chip - changing A reflect to B for example but they vary also in temperature... so perfect RR to chip readed in +24C will usually not work in temp. -20C or +60C


Sir ,
What according to you is ideal temperature in most cases ,Is that 24 Degree Celsius ? so that most RR respond properly ? .

_________________
Regards
Amarbir S Dhillon , Chandigarh Data Recovery Labs [India]
Logical,Semi Physical And Physical Data Recovery
Website-> http://www.chandigarhdatarecovery.com


Top
 Profile  
 
 Post subject: Re: Kingston - DT50 16GB Chipoff [ PS2250-07-V Controller ]
PostPosted: August 2nd, 2023, 5:30 
Offline

Joined: August 13th, 2016, 17:10
Posts: 192
Location: Vienna, Austria
From my point of view, there is no optimal temperature in general, you can try different temperatures per page and see which one works best. In general, most semiconductors are primarily characterized for 25°C , but I think that you might be able to get better results at different temperatures too.


Top
 Profile  
 
 Post subject: Re: Kingston - DT50 16GB Chipoff [ PS2250-07-V Controller ]
PostPosted: August 2nd, 2023, 5:47 
Offline

Joined: September 17th, 2016, 16:06
Posts: 430
Location: India
Good point. In general Vt (kt/q) ie thermal voltage for semiconductors is defined at 25deg C in most of the books
However some books take it at 27degC...Not much of a difference


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 25 posts ]  Go to page Previous  1, 2

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group