Nov 2, 2013

Re-programming the 2Wire NAND flash IC

Californian hacker RyanC suggested another method for unlocking the 2Wires: re-purposing a SmartMedia or xD-Picture card reader to program the NAND flash memory. [1]

The SmartMedia format uses the standard ONFI command set for reading and programming the NAND flash. The xD-Picture specs are slightly more involved, being a superset of ONFI.

Simple, so far?

2Wire, however, has its own flash translation layer (FTL) to hold the logical-to-physical block mapping. This mapping data is stored in the out-of-band (OOB) area of the NAND page. Unfortunately, the average flash card reader cannot program arbitrary data to the OOB area, so can’t be used to reprogram a 2Wire flash. All is not lost though..

Aside the professional NAND programmers costing $2000 or more, there is one consumer-grade NAND controller IC which offers raw read and write access to all areas of the flash device. The IC, codenamed the Alauda, is something of a mystery. No one is even sure who developed it, but it was probably on behalf of Fuji and/or Olympus.

The Alauda IC has a USB peripheral controller to interface very simply with the PC. This allows easy transfer of control messages and page data to the raw NAND device. And it doesn’t matter if the NAND chip is embedded in a camera card, or in a TSOP48 surface mount package, as in the case of the 2Wire.

It was perhaps BrendanU who first publicly documented the capabilities of Alauda-based card readers. [2] An open source kernel driver was then developed for the Alauda by legendary Linux hacker Daniel Drake.[3] Cory1492, a well-known XBox and PSP hacker, ported Daniel’s code, and built it against the userspace USB library, libusb.[4] Cory’s efforts have made the tool available for most Unix platforms and even for Microsoft Windows.

Alauda NAND flash controller harnessed to TSOP48 cradle 256Mbit NAND from 2Wire board loose beneath
The Alauda NAND controller IC

The plan to exploit this hack and hardware was described earlier. Briefly:
  • Gently lift the NAND flash IC off the PCB with a hot-air gun;
  • Dump contents with a NAND reader. For reasons above, the Alauda IC is ideal;
  • Rewrite “initd” XML table to re-enable secure shell daemon. See:
  • Rewrite “user” XML table with new root password. See:
  • Update ECC in OOB areas of all modified pages. See: http://hack.error-correcting-code-ecc/
  • Re-program the modified NAND pages;
  • Re-install NAND IC on the 2Wire PCB;
  • Fingers crossed and boot!
Userspace tool for Alauda NAND reader by Cory1492

This method was just trialled several times. While the NAND reading and writing works fine, the 2Wire board still won’t boot with our modified firmware image. The device just hangs with a solid red LED.

The search for that elusive 2Wire hack continues!

As for the NAND hack in general, it could be very useful in a range of other applications. Whether for unlocking routers, digital TV set-top boxes, or for reflashing PC BIOS chips, etc.


There are some more notes in the comments below. In the dueness of time, it can be properly documented and referenced. The beauty of this NAND reader is that it costs scarcely $10 to make.


Post a Comment