Arduino into NAND Reader

[James Tate] is starting up a project to make a “Super Reverse-Engineering Tool”. First on his list? A simple NAND flash reader, for exactly the same reason that Willie Sutton robbed banks: because that’s where the binaries are.

As it stands, [James]’s first version of this tool is probably not what you want to use if you’re dumping a lot of NAND flash modules. His Arduino code reads the NAND using the notoriously slow digitalRead() and digitalWrite() calls and then dumps it over the serial port at 115,200 baud. We’re not sure which is the binding constraint, but neither of these methods is built for speed.
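To see which of the two stages actually limits a dumper like this, the small model below estimates the sustained byte rate of a naive bit-banged read loop and of a UART link and reports which one binds. This is an added example, not code from [James]’s project or from the post. The per-call cost of a pin operation (about 5 µs on a 16 MHz AVR), the shape of the read loop (two strobe writes plus eight single-pin reads per byte) and the chip sizes are all assumptions; the serial figures follow from 8N1 framing at the stated 115,200 baud.

```python
"""Estimate the two bottlenecks of an Arduino NAND dumper: the bit-banged
parallel read and the UART link to the host.  Added example, not the
project's code.  Timings and chip sizes are assumptions, not measurements."""

from dataclasses import dataclass

# Assumed cost of one digitalRead()/digitalWrite() call on a 16 MHz AVR.
# The true figure depends on the core version; ~5 us is a common ballpark.
PIN_CALL_US = 5.0


@dataclass(frozen=True)
class DumpEstimate:
    read_rate_bps: float    # bytes/s the bit-banged read loop can sustain
    serial_rate_bps: float  # data bytes/s the UART can deliver
    binding: str            # "serial" or "pin_io"
    seconds: float          # wall time to move the whole chip


def serial_payload_rate(baud: int, bits_per_frame: int = 10,
                        wire_bytes_per_data_byte: float = 1.0) -> float:
    """Data bytes per second over a UART.

    8N1 framing spends 10 bit times per byte.  If the sketch prints hex
    ASCII instead of raw bytes, every data byte costs two wire bytes (three
    with a separator); wire_bytes_per_data_byte models that overhead."""
    return baud / bits_per_frame / wire_bytes_per_data_byte


def bitbang_read_rate(pin_call_us: float = PIN_CALL_US,
                      data_pins: int = 8, strobe_calls: int = 2) -> float:
    """Bytes per second for an assumed naive read loop: pulse RE# low and
    high (two digitalWrite calls), then sample each of the eight data pins
    with its own digitalRead call."""
    us_per_byte = pin_call_us * (strobe_calls + data_pins)
    return 1_000_000 / us_per_byte


def estimate(chip_bytes: int, baud: int = 115_200,
             wire_bytes_per_data_byte: float = 1.0,
             pin_call_us: float = PIN_CALL_US) -> DumpEstimate:
    """Combine both stages; the slower one sets the pace of the dump."""
    rd = bitbang_read_rate(pin_call_us)
    ser = serial_payload_rate(baud, wire_bytes_per_data_byte=wire_bytes_per_data_byte)
    binding = "serial" if ser <= rd else "pin_io"
    return DumpEstimate(rd, ser, binding, chip_bytes / min(rd, ser))


if __name__ == "__main__":
    # Constructed chip sizes, chosen to span small to large NAND parts.
    for mib in (128, 1024, 4096):
        e = estimate(mib * 1024 * 1024)
        print(f"{mib:5d} MiB: read {e.read_rate_bps:8.0f} B/s, "
              f"serial {e.serial_rate_bps:8.0f} B/s, bound by {e.binding}, "
              f"~{e.seconds / 3600:.1f} h")
    # Same link, but the dump sent as hex text instead of raw bytes.
    e = estimate(1024 * 1024 * 1024, wire_bytes_per_data_byte=2.0)
    print(f"1 GiB as hex ASCII: ~{e.seconds / 3600:.1f} h")
```

Under these assumptions the read loop manages about 20,000 B/s while the UART carries 11,520 B/s, so the serial link binds and a 128 MiB part takes roughly three and a quarter hours; a 4 GiB part runs into days, which matches the post’s "go have a coffee for a few days." Sending the data as hex text instead of raw bytes halves the serial rate again, so the encoding on the wire matters as much as the pin access method.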

Instead, the code is built for hackability. It’s pretty modular, and if you’ve got a NAND flash that needs other low-level bit twiddling to give up its data, you should be able to get something up and working quickly, start it running, and then go have a coffee for a few days. When you come back, the data will be dumped and you will have only invested a few minutes of human time in the project.

With TSOP breakout boards selling for cheap, all that stands between you and the sweet memory contents of a random device is a few bucks and some patience. If you haven’t ever done so, pull something out of your junk bin and give it a shot! If you’re feeling DIY, or need to read a flash in place, check out this crazy solder-on hack. Or if you can spring for an FTDI FT2232H breakout board, you can read a NAND flash fast using essentially the same techniques as those presented here.

28 thoughts on “Arduino into NAND Reader”

  1. If he wants to keep this as an Arduino project, would a Teensy not be a better board choice? They seem a better choice; I know you would still be constrained by the baud rate, but the read() and write() would be a lot faster.

    1. If time isn’t really of the essence, I think using an Arduino is actually a pretty solid plan. For one thing, almost everyone who has any sort of Arduino has a standard Arduino sitting around, so they can follow along with that. If I don’t use a standard Arduino, I’m inclined to try something like ARM instead.

      Of course, writing code for the Arduino is so straightforward it’s basically brain-dead. This is a really nice feature when you are trying to interface with something that you are just starting to understand. I don’t know how many times I’ve thought “I could write a much more efficient program in C (or assembly…)”, only to spend an embarrassing amount of time hunting down bugs.

      I’d be inclined to go with a microcontroller that operates at 1.8 V so you wouldn’t have to worry about cooking the NAND chip. Something like one of the MSP430 chips.

      1. Good point there about using the simplest most predictable tool, no matter how many more fancy ones are at your disposal.

        I relate to the situation but can’t pull an example out of my noggin right this second. Been investigating some unknown behavior, and using a metaphorical rock when I’ve got a nice new hammer, and people ask why, and it’s because I know the rock won’t bounce.

  2. He can also dump the contents of the NAND flash to an SD card instead of sending them through the serial port. As for port reads/writes, he can write some functions digitalwrite(address,data) and digital_read(address). Then both functions could initially use digitalRead() and digitalWrite(), and later be tweaked for speed for any given platform.

  3. Why Arduino? You can do the same thing with a 6502, especially with the black-blobbed ones hidden in toys.
    Just run it by pressing the single-step button repeatedly (if any) or by sweeping a wire connected to the clock pin between VCC and GND (ensure it’s shorting the power rails for best performance). Then use a single LED to get the data out of the 6502 and your laptop’s low-FPS camera to decode it. Remember to save the image file to your punched card drive and to place the LED as far as possible from the camera.

    You’ll notice a big speed improvement over the Arduino-based solution.

      1. Why 555s and 74s when you can use discrete components? And why discrete components when you can just control the data bus manually with a lot of wires shorting VCC and GND? And why wires when you can decap the chip and read its contents with a microscope?

        You can use anything, just don’t use Arduino.

  4. I have to wonder if support circuitry would improve the implied speed any. Presumably having the Arduino providing the addressing and toggling the pins on the flash, probably in linear order, must cut down on how fast things can be done. Wouldn’t having a binary counter IC for the addresses and some kind of logic that converts 0 (read) vs 1 (write) into the correct signals make things faster, since the Arduino would just need to perform a sequence of a single write (to affect the control/address) followed by a single read (to get the data)? Seems like it’s really more of a case of whether to do everything in software vs hardware rather than with a fast/slow microcontroller.

  5. I probably would have dumped the data to an SD card. I plan to dump the flash of a broken phone when I reach this level of confidence. …. :( then I have to parse the filesystem to retrieve old pictures.

    1. It’s depressing that most of the comments relate to adding ‘power’ or complexity rather than doing it right. No wonder modern products are packed with sh!t software…

      1. Tell me about it. And the excuse is that “it is hard! People don’t understand it!”

        Wtf, guys, it took some serious engineering to build default functions that are as horrible as the *digital* functions.

        You can even wrap it and it would still result in a single instruction if you are afraid of registers, which are just as easily understandable if you aren’t irrationally stupid!

        It even hurts people who should actually learn and understand these things. Just the other day a friend, who studies electronics and electrical engineering, asked me for help because Arduino code didn’t perform well enough. Why? Because of shit defaults and attempting to hide those flaws.

        If you want to promote a HAL, at least write it well.

      2. In most cases, all of that is unnecessary. Most equipment with NAND flash has a plain old JTAG port to program them at the factory. Just plug in the J-Link and dump away…

        Otherwise, there are plenty of other good solutions that are much faster. Like using a cheap ARM MCU (no, it’s not complicated) or even any other cheap MCU that can do USB (the plain old FX2LP comes to mind), or just dumping to an SD card.

        If I was gonna be doing lots of dumping, I’d rather spend extra time to get a better dumper. I’d probably go with an ARM Cortex for simplicity, and a cheapo 2.4″ touch LCD off eBay (all of $5), a micro USB port and an SD card socket. That would connect to a replaceable board (onto plain old 100 mil header) where you can solder the TSOP IC (eventually the pads will need to be replaced), or another board that lets you solder wires if that’s your thing. That would be inexpensive, quick to develop and quite functional.

        I’m just glad the JTAG option is almost always still available. Even if the port wasn’t readily available, you can trace the signals back, or even try a JTAGulator… So many options!

    1. The thumb drive controller’s CPU gets its firmware from the first blocks of the NAND chip it’s connected to. If you replace the chip, the controller will try to execute the first sector and hang up/blink the LED randomly/crash the computer/brick the NAND.

  6. why complain about speed?

    do you spend hours each day zapping data onto and off of 10000 chips?

    i would assume the people concerned with such things would NOT be looking at any solution without any sort of robotic auto-card swapper. but this article is about a single-chip manual unit.

    that being said, does it really matter if it takes 3 minutes to transfer the data? it took you 10 minutes to disassemble, 10 minutes to solder, and 2 minutes to code and hook shit up. why does the actual data transfer HAVE to be less than 7 seconds ?!?!?!!?!?!?!?

    this mentality i just do not get. must be internet-people… can’t wait 3 extra minutes to be the first to score a copy.

    good luck downloading DOOM2 (full/retail) over rs232, it’ll take ya ~45 minutes!

    1. PS: the only usage of “far too long” i will put up with is downloading DUKE3D over dial-up, that shit cuts out before it finishes and (most?) web browsers won’t let you “continue” downloads when interrupted.
