Jan 15, 2014

How-To Read Embedded NAND Flash Chips

NAND flash chips are used in all sorts of electronics for storing information/firmware etc. If you are interested in trying to get the information out to study, then I may have something useful for you. This is how I read the flash chip without removing it from the device.

DISCLAIMER- Not an easy task, and not foolproof either. This procedure can be rough on both the device you are trying to read, and the reader used. NAND chip specs are also changing all the time, and so are card readers, so there is no real way of knowing if this pertains to “ALL” NAND Flash and “ALL” readers. This has been used successfully on Samsung small block flash using a Dazzle SmartMedia/xD reader.

First, you’ll need to get a Smartmedia/xD card reader. The reason for this is Smartmedia and xD flash cards are basically just NAND flash chips in a friendly, removable card. Other types of flash media also use NAND, but have a controller in them that handles the interfacing between the flash chip and the host, be it a camera, cell phone, card reader, etc. This controller gets in the way or reading data off embedded chips, because they are looking for partitions/files in a particular formats (FAT16 for example) that embedded flash rarely uses. Typically, we’d be trying to get the raw data off the embedded NAND to study.

Knowing that Smartmedia/xD cards are basically straight NAND chips, we can connect the card reader directly to the NAND chip by cross-referencing the chip pin out to Smartmedia/xD card reader. You can get the card pinouts here.
Note- These pin outs are for the cards themselves, not the readers.

An example for wiring to a Smartmedia reader is pictured below. Pin one of the reader is at the top of the picture, and the pin out is as follows.

Pin 1 — Vcc (+)
Pin 2 — Vss (ground)
Pin 3 — I/O 5
Pin 4 — not used
Pin 5 — I/O 6
Pin 6 — I/O 4
Pin 7 — I/O 7
Pin 8 — I/O 3
Pin 9 — I/O 8
Pin 10 – I/O 2
Pin 11 – not used
Pin 12 – I/O 1
Pin 13 – not used
Pin 14 – WP
Pin 15 – RY/BY
Pin 16 – WE
Pin 17 – RE
Pin 18 – ALE
Pin 19 – CE
Pin 20 – CLE
Pin 21 – not used
Pin 22 – not used

The battery select is dependent on your NAND chips voltage (either 3.3 or 5 Volts) and the write-protect switch is used if needed.

Connecting the reader to the chip can be the hardest part. The chips I have done have all been TSOPs, which are surface-mount chips with .5mm pitch. Quite small! I have done it several different ways. First way was to use some 30 gauge Kynar (used for wire-wrapping), soldering a wire from each pin on the NAND chip to its corresponding pin on the reader. An old IDE hard drive cable can provide wire of a similar size. It was doable with an extremely fine-tipped soldering iron and plenty of patience, but was by no means easy. Depending on the device, you may be able to trace out some alternative points to solder to, instead of directly to the NAND chip. It gets pretty tight trying to solder to 4 of those tiny pins in a row without bridging anything with solder!

Another approach used some flexible ribbon cable. The wire in the cable had the same pitch as the chip, making it easier to keep all the wires aligned while soldering to NAND chip. A few places sell this cable, such as Mouser and Digikey, but you may also be able to scrounge some from an old DVD player or drive, or even possibly old CD drives. They are used to connect the laser assembly to the main board.

If you have some .5mm TSOP/TSSOP prototyping boards around, this can be the easiest. Cut down to size, and beveled where they will meet the chip, you can make a set of wedges that will solder up fairly easy. Just line them up, and drag some solder from the board down to the chip to solder in place. A little flux will help, but you won’t have to use any additional solder, just what is already on the prototype board. Once you are done, a little wiggle will free the board from the chip without damage. No need to desolder anything, either. The following pics should clarify this.

Once you have the NAND chip hooked up to your reader, you have to get the data off it. Leaving power to the device you are trying to read OFF (preferably Batteries out, unplugged, etc.), plug in your reader to you computer. Depending on your OS, you can get the data off a couple of ways.

Linux users can mount the card reader and use dd to dump an image of the Flash chip. The resulting image can the be studied with the hex editor of your choice.

For Windows, I used a product called OnBelay by Compuapps. A very similar (identical?) product is Recovery Manager by Vaiosoft. Both these will work the same way. The main screen has a list of drives it can access, choose the one that corresponds to your reader. The program probably won’t recognize the file structure of the flash, so it says “no media present” or something to that effect. Along the top of the screen are tabs, one of them is labeled “Tools”. When you click on that, you’ll have the option to back up your media. Press it and it will allow you to back up the chip to a specified folder. I also check the box to backup both used and unused space. The backup image is in .FMB format, which can be browsed with any hex editor and studied.

Hope this can be of use to someone!

via uC Hobby


Post a Comment