Reading Bare NAND Flash Chips With A Microcontroller

NAND flash, the same memory chips found in everything from USB thumb drives to very expensive solid state disk drives, are increasingly common. As they (partially) serve as the storage for cellphones, Wiis, routers and just about every piece of consumer electronic devices, you’re probably surrounded by dozens of NAND chips at any one time.

[Sprite_tm], hacker extraordinaire, put up a build a few years ago where he was able to read the contents of NAND Flash chips using a PC parallel port. It’s getting rather hard to find a parallel port on a PC anymore, so he updated his build to read Flash chips off of a USB port.

There are two main components of [Sprite_tm]’s build. First, to read the Flash chip, he needed a way to break out the pins on the very tiny TSOP48 package. [Sprite] found a neat little socket for these chips on eBay for about 10 Euros.

Communicating with the Flash chip via USB was a little harder. [Sprite] knew he needed USB 2.0, but not many microcontrollers have that implemented. Luckily, the FTDI FT2232H has USB 2.0, along with the very nice feature of being able to read data and address pins directly from the Flash chip. After a bit of soldering, [Sprite_tm] was left with the device seen above.

[Sprite_tm] found a nice library to bitbang the pins on the FTDI chip and request one page of memory from the Flash chip at a time. The device works as advertised, but it’s still a bit slow at 250 kBps. [Sprite] figures he can increase the speed of reading a Flash chip by requesting multiple pages at a time, but it’s still orders of magnitude faster than the old parallel port solution.

There’s a good bit of software [Sprite] posted to help him (and possibly others) read bare NAND flash chips via USB. This means if you have a broken USB Flash drive or SD card, it’s possible to desolder the chip and read it with your own controller. Interpreting the blocks of data recovered from a Flash drive as a file system is another story, but it’s still a fairly remarkable build.

30 thoughts on “Reading Bare NAND Flash Chips With A Microcontroller

    1. Theoretically, yes, but this assumes the NAND flash is formatted in the specific SmartMedia format. Most flash chips ripped from newer SD-cards or USB-sticks aren’t, so the card reader will probably bork on them.

      Also, titlefix? The build reads flash chips _without_ a microcontroller.

      1. Justice009: The SmartMedia format has some fixed structures on the flash: the first pages are CIS (info) fields, etc. The SmartMedia also defines how the OOB (‘spare’) bits of a page are used: ECC etc. (See e.g. http://www.win.tue.nl/~aeb/linux/smartmedia/SmartMedia_Format.pdf ) Normal card readers try to interpret an attached nand flash chip as a SmartMedia card. Best case, the nand has something resembling a cis and uses the standard SM ECC layout and you can more or less read out the flash contents. Worst case, it has no CIS and has e.g. an JFFS2 or YAFFS or proprietary flash format, and your card reader will bork. In either case, you have no way to read out the ‘spare’ bytes; the card reader uses this for itself.

        Perhaps if there’s a SM reader left that does direct NAND access and leaves the interpretation to the Linux-kernel, you can do direct flash access… but as far as I know, all card readers nowadays only expose an USB mass storage device carrying the ‘interpreted’ flash data.

      2. Ah yes, good point. Even if it did work, dd wouldn’t get you the extra bytes in each page, and there’s nothing to say the pendrive ASIC wasn’t using those for extra storage or block mapping or something important.

      3. Olympus Camedia MAUSB-10
        Fuji FinePix DPC-R1

        are both xd card readers that have a RAW mode. These are used to flash xD cards for use as a second nand in an xbox 360, so it can dual boot. They should be able to read the raw data for you.

      4. Fair enough. I have not done a ton of projects this way, and I used a Radioshack Dazzle SM/xD reader for mine. I have not had any troubles either connecting up and reading a raw NAND or using an xD card as a replacement for a NAND chip. I guess I have just been lucky.

      5. Not to mention the controller hardware on the actual card probably has more than one flash chip and it could be accessing the array directly, or doing weird RAID-like logic to increase the speed, it might be doing hardware checksums and storing those in bits of the flash that are never exposed (some flash controllers DO do this depending on how reliable the chips are as it can allow it to recover & fix bad data, etc…), double etc…

  1. I did this as nes said above. I hacked up a Smartmedia reader to read NAND flash and used a program called WinImage to get a byte copy of the NAND flash.

    I have always though of going the other way and hacking a USB flash drive to read NAND flash.

    I really don’t know if raw reading would work, though. The NAND flash chips I have read so far have been in FAT formatted data already. I would assume there would be a way to talk to the USB bridge controller to get it to do raw access.

  2. Hi, Im looking for 1 of those nand clips in the picture, I saw some ages ago on ebay but what ever I search for I cant seem to find 1 – think they were about £6 but I cant remember what they are called, Tried lots of things like ‘nand clip’ ‘nand holder’ 48pin tsop clip’ etc. Can anyone help?

    thanks

      1. Hi, thanks for that, just got 1 for about £15. I have 1 of the Olympus Camedia MAUSB-10 card readers which I’m going to try to turn into a universal nand reader/writer which from googling around is possible – correct me if i’m wrong.

        Does anyone know how to build 1 of these using the parts stated in this post? Like a tutorial? ‘Cos I’d like a couple of these universal nand readers but only have 1 MAUSB-10 card reader.

        thanks

  3. This was also achieved with an Alauda-based SM/XD card reader costing $5. It worked fine and together with the TSOP48 cradle cost less than $10 to make.

    See:

    http://hackingbtbusinesshub.wordpress.com/2012/10/25/reprogramming-the-2wire-nand-flash-ic/

    The same hack was also done using a one dollar XD/SM reader based on the Genesys Logic GL827 IC. However, that IC doesn’t allow arbitrary access to the Out-Of-Band area of the NAND page where ECC and flash translation layer data is stored.

    See:

    http://asbokid.picturepush.com/showformat.php&imgid=8755467

    cheers, a

  4. Where can we get the details on the parallel port system to read the chip? For reasons too long to go into, I still maintain an older computer running XP that never sees the net for things that I need that can’t be done on Win10.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.