March 21st, 2023, 6:44
csava wrote:Bolo wrote:@Amarbir: There are few options to use RR but you need first understand what RR really do. ReadRetry (RR) are commands that are sended to NAND and by this it change threshold of cells. To set proper RR you need to know address which is reponsible to change threshold (called registers) and their data to set (so called values). You can have 4, 6, ..... 32 registers. Many chip uses same RR but there are some that doesn't work on standard library codes and you need to set it up by your own (look for all 8bytes for ID) ... there are few ways:
- Sniff them using Logic Analyzer when you get working device (so called donor) so how controller communicate with NAND... ( a lot of time.... for us called lost of time but it's possible)
- Bruteforce them so apply all values from 0x00 to 0xff into correct address (this option was addedd to FE few weeks ago but require to know correct address - if you not have correct address then you cannot use it. The addresses are "hidden" under for example Hynix v1/v2/v3/v4 etc)
- read those values from NAND OTP if OTP area exist (this way we prefer and we found a way to get it long time ago and use it till now)
You can set own RR with VNR (Rusolut) in Config / Power UP actions (as Michal writes) or in FE by using Before Read option to give commands to NAND before read page. I don't see option to use own RR in PC3K and this sometimes make impossible to read leatest 3D TLC v4 chip correctly but this is talk for other time.
Now question from where you get those addresse/correct value ? In FF you can see values but not address ! Most important thing is to know correct registers address - nobody will share those for you since this knowledge requires a lot of work and time spend on research.... that why producers code this into software and not share anywhere. Due this you see RR1/RR2/RR3 in VNR for example.....
For someone who know how RR works and are able to read it from OTP settings correct threshold takes usually not more that 2-10 minutes to get perfect readout (this example is from eMMC that everyone claims was unrecoverable - https://www.youtube.com/watch?v=_iBkOclbMmM)
P.S
One more thing: values in registers are depend from each other in leatest chip - changing A reflect to B for example but they vary also in temperature... so perfect RR to chip readed in +24C will usually not work in temp. -20C or +60C
According to the experiment, I think the first register address of FE, HYV1 read retry option should be A7 instead of AC, please check
For the read retry address of AD3A1803, I think the current version also has a major bug, which will cause sometimes the ECC bitmap gives green, but the data is actually wrong. According to my experiment, AD3A1803 has 31-bit register address
March 24th, 2023, 21:43
Amarbir[CDR-Labs] wrote:csava wrote:Bolo wrote:@Amarbir: There are few options to use RR but you need first understand what RR really do. ReadRetry (RR) are commands that are sended to NAND and by this it change threshold of cells. To set proper RR you need to know address which is reponsible to change threshold (called registers) and their data to set (so called values). You can have 4, 6, ..... 32 registers. Many chip uses same RR but there are some that doesn't work on standard library codes and you need to set it up by your own (look for all 8bytes for ID) ... there are few ways:
- Sniff them using Logic Analyzer when you get working device (so called donor) so how controller communicate with NAND... ( a lot of time.... for us called lost of time but it's possible)
- Bruteforce them so apply all values from 0x00 to 0xff into correct address (this option was addedd to FE few weeks ago but require to know correct address - if you not have correct address then you cannot use it. The addresses are "hidden" under for example Hynix v1/v2/v3/v4 etc)
- read those values from NAND OTP if OTP area exist (this way we prefer and we found a way to get it long time ago and use it till now)
You can set own RR with VNR (Rusolut) in Config / Power UP actions (as Michal writes) or in FE by using Before Read option to give commands to NAND before read page. I don't see option to use own RR in PC3K and this sometimes make impossible to read leatest 3D TLC v4 chip correctly but this is talk for other time.
Now question from where you get those addresse/correct value ? In FF you can see values but not address ! Most important thing is to know correct registers address - nobody will share those for you since this knowledge requires a lot of work and time spend on research.... that why producers code this into software and not share anywhere. Due this you see RR1/RR2/RR3 in VNR for example.....
For someone who know how RR works and are able to read it from OTP settings correct threshold takes usually not more that 2-10 minutes to get perfect readout (this example is from eMMC that everyone claims was unrecoverable - https://www.youtube.com/watch?v=_iBkOclbMmM)
P.S
One more thing: values in registers are depend from each other in leatest chip - changing A reflect to B for example but they vary also in temperature... so perfect RR to chip readed in +24C will usually not work in temp. -20C or +60C
According to the experiment, I think the first register address of FE, HYV1 read retry option should be A7 instead of AC, please check
For the read retry address of AD3A1803, I think the current version also has a major bug, which will cause sometimes the ECC bitmap gives green, but the data is actually wrong. According to my experiment, AD3A1803 has 31-bit register address
Hi ,
This is pinout graph and you are talking about registers ,I quiet did not get it
June 26th, 2023, 11:44
Bolo wrote:@Amarbir: There are few options to use RR but you need first understand what RR really do. ReadRetry (RR) are commands that are sended to NAND and by this it change threshold of cells. To set proper RR you need to know address which is reponsible to change threshold (called registers) and their data to set (so called values). You can have 4, 6, ..... 32 registers. Many chip uses same RR but there are some that doesn't work on standard library codes and you need to set it up by your own (look for all 8bytes for ID) ... there are few ways:
- Sniff them using Logic Analyzer when you get working device (so called donor) so how controller communicate with NAND... ( a lot of time.... for us called lost of time but it's possible)
- Bruteforce them so apply all values from 0x00 to 0xff into correct address (this option was addedd to FE few weeks ago but require to know correct address - if you not have correct address then you cannot use it. The addresses are "hidden" under for example Hynix v1/v2/v3/v4 etc)
- read those values from NAND OTP if OTP area exist (this way we prefer and we found a way to get it long time ago and use it till now)
You can set own RR with VNR (Rusolut) in Config / Power UP actions (as Michal writes) or in FE by using Before Read option to give commands to NAND before read page. I don't see option to use own RR in PC3K and this sometimes make impossible to read leatest 3D TLC v4 chip correctly but this is talk for other time.
Now question from where you get those addresse/correct value ? In FF you can see values but not address ! Most important thing is to know correct registers address - nobody will share those for you since this knowledge requires a lot of work and time spend on research.... that why producers code this into software and not share anywhere. Due this you see RR1/RR2/RR3 in VNR for example.....
For someone who know how RR works and are able to read it from OTP settings correct threshold takes usually not more that 2-10 minutes to get perfect readout (this example is from eMMC that everyone claims was unrecoverable - https://www.youtube.com/watch?v=_iBkOclbMmM)
P.S
One more thing: values in registers are depend from each other in leatest chip - changing A reflect to B for example but they vary also in temperature... so perfect RR to chip readed in +24C will usually not work in temp. -20C or +60C
August 2nd, 2023, 5:30
August 2nd, 2023, 5:47
Powered by phpBB © phpBB Group.