Reading bare NAND flash chips with a microcontroller

NAND flash chips, the same memory found in everything from USB thumb drives to very expensive solid state disk drives, are increasingly common. Because they serve (at least partially) as the storage for cellphones, Wiis, routers and just about every other piece of consumer electronics, you’re probably surrounded by dozens of NAND chips at any one time.

[Sprite_tm], hacker extraordinaire, put up a build a few years ago where he was able to read the contents of NAND Flash chips using a PC parallel port. It’s getting rather hard to find a parallel port on a PC anymore, so he updated his build to read Flash chips off of a USB port.

There are two main components of [Sprite_tm]’s build. First, to read the Flash chip, he needed a way to break out the pins on the very tiny TSOP48 package. [Sprite] found a neat little socket for these chips on eBay for about 10 Euros.

Communicating with the Flash chip via USB was a little harder. [Sprite] knew he needed USB 2.0, but not many microcontrollers have that implemented. Luckily, the FTDI FT2232H has USB 2.0, along with the very nice feature of being able to read data and address pins directly from the Flash chip. After a bit of soldering, [Sprite_tm] was left with the device seen above.

[Sprite_tm] found a nice library to bitbang the pins on the FTDI chip and request one page of memory from the Flash chip at a time. The device works as advertised, but it’s still a bit slow at 250 kBps. [Sprite] figures he can increase the speed of reading a Flash chip by requesting multiple pages at a time, but it’s still orders of magnitude faster than the old parallel port solution.

There’s a good bit of software [Sprite] posted to help him (and possibly others) read bare NAND flash chips via USB. This means if you have a broken USB Flash drive or SD card, it’s possible to desolder the chip and read it with your own controller. Interpreting the blocks of data recovered from a Flash drive as a file system is another story, but it’s still a fairly remarkable build.
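
A raw page read typically returns each page's main data followed by its spare (out-of-band) bytes, so the first step in interpreting a dump is separating the two. The following is an added example, not [Sprite_tm]'s software: the geometry (2048+64-byte pages, 64 pages per block) and the bad-block marker convention are assumptions to be replaced with values from the chip's datasheet, and the sample dump is constructed.

```python
# Assumed geometry; take the real values from the chip's datasheet.
PAGE_DATA = 2048
PAGE_SPARE = 64
PAGES_PER_BLOCK = 64
RAW_PAGE = PAGE_DATA + PAGE_SPARE


def split_dump(raw):
    """Yield (page_index, data, spare) for every raw page in the dump."""
    if len(raw) % RAW_PAGE:
        raise ValueError("length is not a multiple of the raw page size")
    for i in range(len(raw) // RAW_PAGE):
        page = raw[i * RAW_PAGE:(i + 1) * RAW_PAGE]
        yield i, page[:PAGE_DATA], page[PAGE_DATA:]


def summarize(raw):
    """Return (main-area image, erased page numbers, marked-bad blocks)."""
    image, erased, bad_blocks = bytearray(), [], []
    for i, data, spare in split_dump(raw):
        image += data
        # An erased NAND page reads back as all 0xFF, spare included.
        if data.count(0xFF) == PAGE_DATA and spare.count(0xFF) == PAGE_SPARE:
            erased.append(i)
        # Assumed convention: a non-0xFF first spare byte in the first
        # page of a block marks that block as bad.
        if i % PAGES_PER_BLOCK == 0 and spare[0] != 0xFF:
            bad_blocks.append(i // PAGES_PER_BLOCK)
    return bytes(image), erased, bad_blocks


def make_sample():
    """Constructed 2-block dump: page 0 is written, block 1 is marked bad."""
    pages = []
    for i in range(2 * PAGES_PER_BLOCK):
        data = b"\xff" * PAGE_DATA
        spare = bytearray(b"\xff" * PAGE_SPARE)
        if i == 0:
            data = b"constructed sample".ljust(PAGE_DATA, b"\x00")
        if i == PAGES_PER_BLOCK:
            spare[0] = 0x00
        pages.append(data + bytes(spare))
    return b"".join(pages)


if __name__ == "__main__":
    image, erased, bad = summarize(make_sample())
    print(len(image), "main bytes;", len(erased), "erased pages; bad:", bad)
```

A length error from `split_dump` is the quickest sign that the assumed page or spare size does not match the chip that was dumped.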

Comments

  1. nes says:

    Lovely work, but just wondering why not hack up an xD/SmartMedia card reader and use the support already in the Linux kernel to do this? Should think read access would be a bit quicker.

    • Sprite_tm says:

      Theoretically, yes, but this assumes the NAND flash is formatted in the specific SmartMedia format. Most flash chips ripped from newer SD-cards or USB-sticks aren’t, so the card reader will probably bork on them.

      Also, titlefix? The build reads flash chips _without_ a microcontroller.

      • justice099 says:

        What is a “specific SmartMedia format”? Never heard of it. Smartmedia is a direct connection to the NAND flash chip with nothing at all in between.

      • Sprite_tm says:

        Justice099: The SmartMedia format has some fixed structures on the flash: the first pages are CIS (info) fields, etc. The SmartMedia also defines how the OOB (‘spare’) bits of a page are used: ECC etc. (See e.g. http://www.win.tue.nl/~aeb/linux/smartmedia/SmartMedia_Format.pdf ) Normal card readers try to interpret an attached NAND flash chip as a SmartMedia card. Best case, the NAND has something resembling a CIS and uses the standard SM ECC layout and you can more or less read out the flash contents. Worst case, it has no CIS and has e.g. a JFFS2 or YAFFS or proprietary flash format, and your card reader will bork. In either case, you have no way to read out the ‘spare’ bytes; the card reader uses this for itself.

        Perhaps if there’s a SM reader left that does direct NAND access and leaves the interpretation to the Linux-kernel, you can do direct flash access… but as far as I know, all card readers nowadays only expose a USB mass storage device carrying the ‘interpreted’ flash data.

      • nes says:

        Ah yes, good point. Even if it did work, dd wouldn’t get you the extra bytes in each page, and there’s nothing to say the pendrive ASIC wasn’t using those for extra storage or block mapping or something important.

      • no says:

        Olympus Camedia MAUSB-10
        Fuji FinePix DPC-R1

        are both xd card readers that have a RAW mode. These are used to flash xD cards for use as a second nand in an xbox 360, so it can dual boot. They should be able to read the raw data for you.

      • justice099 says:

        Fair enough. I have not done a ton of projects this way, and I used a Radioshack Dazzle SM/xD reader for mine. I have not had any troubles either connecting up and reading a raw NAND or using an xD card as a replacement for a NAND chip. I guess I have just been lucky.

      • Mikey says:

        Not to mention the controller hardware on the actual card probably has more than one flash chip and it could be accessing the array directly, or doing weird RAID-like logic to increase the speed, it might be doing hardware checksums and storing those in bits of the flash that are never exposed (some flash controllers DO do this depending on how reliable the chips are as it can allow it to recover & fix bad data, etc…), double etc…

  2. justice099 says:

    I did this as nes said above. I hacked up a Smartmedia reader to read NAND flash and used a program called WinImage to get a byte copy of the NAND flash.

    I have always thought of going the other way and hacking a USB flash drive to read NAND flash.

    I really don’t know if raw reading would work, though. The NAND flash chips I have read so far have been in FAT formatted data already. I would assume there would be a way to talk to the USB bridge controller to get it to do raw access.

  3. Yann Vernier says:

    You do realize this is reading a bare nand _without_ a microcontroller? The FT2232H chip is not that programmable, it merely emulates the external bus of some MCUs.

  4. chango says:

    Sorry to be pedantic so early in the morning, but unless you’re counting the fixed-function FTDI part I’m not seeing the microcontroller.

  5. farout says:

    IC, microcontroller–what’s the difference? /sarcasm

  6. xorpunk says:

    It’s pretty simple with any SoC that has a NAND/NOR controller. It’s just a big production unless you use ARM Linux or roll out drivers.

    They are also slow bus devices.

  7. Danny says:

    Could this be a way to mount the image again? http://kevin.deldycke.com/2005/05/how-to-mount-a-file-system-binary-image/

    I am more a hardware guy than software. Building a nice hardware setup (can’t be more than 10 components) may help a lot of students recovering their data.

    Please help!

  8. mike says:

    Anyone know of something similar that can read movinand flash chips? I have seen a reader for them, but they run about $1400.00 for it. A little too much out of my price range. lol

  9. pharos says:

    This is really awesome! Not long ago I didn’t have a 2232 and didn’t know about the ZIF socket, so I used a 360 Clip and RPi. It’s a bit more expensive (like $80 in total parts), see http://www.raspberrypi.org/phpBB3/viewtopic.php?f=44&t=16775

    I wouldn’t recommend the 360 Clip, operation was unreliable, and a side of the clip pcb sticks out and collides with high enough components near one side of the NAND.

  10. bothersaidpooh says:

    Some Integral brand pendrives have BGA space on one side and TQFP on the other, I found a 4GB with this configuration.

  11. aaronmarsh632 says:

    Hi, I’m looking for 1 of those nand clips in the picture, I saw some ages ago on ebay but whatever I search for I can’t seem to find 1 – think they were about £6 but I can’t remember what they are called. Tried lots of things like ‘nand clip’, ‘nand holder’, ‘48pin tsop clip’ etc. Can anyone help?

    thanks

    • hardcorefs says:

      you need to be looking for “tsop programmer sockets”

      • aaronmarsh632 says:

        Hi, thanks for that, just got 1 for about £15. I have 1 of the Olympus Camedia MAUSB-10 card readers which I’m going to try to turn into a universal nand reader/writer which from googling around is possible – correct me if I’m wrong.

        Does anyone know how to build 1 of these using the parts stated in this post? Like a tutorial? ‘Cos I’d like a couple of these universal nand readers but only have 1 MAUSB-10 card reader.

        thanks

  12. asbokid says:

    This was also achieved with an Alauda-based SM/XD card reader costing $5. It worked fine and together with the TSOP48 cradle cost less than $10 to make.

    See:

    http://hackingbtbusinesshub.wordpress.com/2012/10/25/reprogramming-the-2wire-nand-flash-ic/

    The same hack was also done using a one dollar XD/SM reader based on the Genesys Logic GL827 IC. However, that IC doesn’t allow arbitrary access to the Out-Of-Band area of the NAND page where ECC and flash translation layer data is stored.

    See:

    http://asbokid.picturepush.com/showformat.php&imgid=8755467

    cheers, a

  13. aaronmarsh632 says:

    Hi, thanks for these links they look interesting, I’ll check them out.
