Reverse Engineering a NAND Flash Device Management Algorithm

unsoldered flash chip

Put your hand under your chin, as here comes a six-month-long, jaw-dropping piece of reverse engineering work: getting the data back from a (not so) broken SD card. As you can guess from the picture above, [Joshua]’s first step was to desolder the card’s Flash chip, as the tear-down revealed that only the integrated SD-to-NAND Flash controller was damaged. The flash was then soldered on a breadboard so it could be connected to a Digilent Nexys-2 FPGA board. [Joshua] managed to find a similar Flash datasheet, checked that his wire-made bus was reliable and generated two 12GiB dump files on his computer.

In order to extract meaningful data from the dumps he first had to understand how SD-to-NAND controllers work. In his great write-up he provides us with a background of the Flash technology, so our readers can better understand the challenges we face with today’s chips. As flash memories integrate more storage space while keeping the same size, they become less reliable and have nifty problems that should be taken care of. Controllers therefore have to perform data whitening (so neighboring blocks of data don’t have similar content), spread data writes uniformly around the flash (so physical blocks have the same life expectancy) and finally support error correcting codes (so damaged bits can still be recovered). We’ll let our users imagine how complex reverse engineering the implementation of such techniques is when you don’t know anything about the controller. [Joshua] therefore had to do a lot of research, perform a lot of statistical analysis on the data he extracted and when nothing else was possible, use bruteforce…

The In-Circuit SD Card Switch


For nearly every problem, it’s possible to engineer a solution, even if you’re dealing with an extraordinarily niche problem that might only apply to yourself. [Joel] wanted to be able to program the microSD card in his BeagleBone with a new bootloader or file system without removing the SD card from the target board. This is a peculiar requirement, and it’s highly doubtful a product or even a circuit exists for such a function. This meant [Joel] would need to roll his own board to accomplish the task.

The board is remarkably simple, housing a single microSD socket, two expansion headers for a microSD sniffer for a computer and an embedded board, an FTDI header, and a pair of 4-bit multiplexer/demultiplexers. The operation of the device is fairly straightforward: send a signal down the FTDI cable, and the board switches the onboard SD card from one device to another.

[Joel] has a video of his screen that shows him pulling off in-circuit SD card reading and writing. You can check that out below.


Say Watt? A Talking Multimeter?


After a request from one of his friends, [Mastro Gippo] managed to put together a talking multimeter to be used by blind persons working in electronics. He wanted a feature-rich meter that had serial output, and recalling this Hackaday article from a few years back led him to find a DT-4000ZC on eBay, which has serial output on a 3.5mm jack. (Though, he actually recommends this knockoff version which comes with excellent documentation).

It turns out there aren’t many talking meter options available other than this expensive one and a couple of discontinued alternatives. [Mastro Gippo] needed to start from scratch with the voice synthesizer, which proved to be as easy as recording a bunch of numbers and packing them onto an SD card to be read by an Arduino running the SimpleSDAudio library.

He found a small, battery-powered external speaker used for rocking out with music on cell phones and hooked it up to the build, stuffing all the electronics into an aluminum case. Stick around after the jump for a quick video of the finished product!


The Tiniest SD Card Locker


In case you weren’t aware, that little ‘write protect’ switch on your SD cards probably doesn’t do anything. It’s only a switch, really, and if an SD card reader doesn’t bother to send that signal to your computer, it’s completely ineffective. Then there’s the question of your OS actually doing something with that write protect signal.

The better way to go about write protecting an SD card is using the TMP_WRITE_PROTECT bit on the SD card’s controller. [Nephiel] came up with an amazingly small device to set that bit, with the entire circuit fitting inside an old Playstation memory card.

[Nephiel] based his project on [Karl Lunt]’s SD Card Locker we saw late last year. [Karl]’s SD Locker uses an ATMega328 microcontroller, a pair of AA batteries, and an SD card socket to perform the bit toggling. This is still a very small device that fits inside an Altoids tin, but [Nephiel] thought he could make it smaller.

The new and improved version uses an ATTiny85 for SPI access to the SD card. A single button and LED serve as the user interface: with the LED off, the SD card is writable. Press the button, the card is locked, and the LED lights up.
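The register edit behind such a locker, as an added example that is not [Nephiel]’s or [Karl Lunt]’s firmware: it takes the 16-byte CSD register as read from the card, flips TMP_WRITE_PROTECT, and recomputes the trailing CRC7 so the card will accept the write-back. It assumes the SD specification’s CSD layout (TMP_WRITE_PROTECT is CSD bit 12, the last byte holds a CRC7) and a write-back with CMD27 (PROGRAM_CSD); the function names and the sample CSD are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CSD_LEN 16
#define TMP_WRITE_PROTECT 0x10 /* CSD bit 12: byte 14 (MSB-first), bit 4 */

/* CRC7, polynomial x^7 + x^3 + 1, as used by SD commands and the CSD. */
uint8_t sd_crc7(const uint8_t *p, size_t n)
{
    uint8_t crc = 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t d = p[i];
        for (int b = 0; b < 8; b++, d <<= 1) {
            crc <<= 1;
            if ((d ^ crc) & 0x80)
                crc ^= 0x09;
        }
    }
    return crc & 0x7F;
}

/* Last CSD byte: CRC7 over bytes 0..14 in bits 7:1, bit 0 always 1. */
uint8_t csd_crc_byte(const uint8_t *csd) { return (uint8_t)((sd_crc7(csd, 15) << 1) | 1); }
int csd_is_locked(const uint8_t *csd) { return (csd[14] & TMP_WRITE_PROTECT) != 0; }

/* Build the CSD to write back; -1 if the CSD as read fails its own CRC. */
int csd_set_lock(const uint8_t *in, uint8_t *out, int lock)
{
    if (in[15] != csd_crc_byte(in)) return -1; /* never write back a bad read */
    memcpy(out, in, CSD_LEN);
    if (lock) out[14] |= TMP_WRITE_PROTECT;
    else      out[14] &= (uint8_t)~TMP_WRITE_PROTECT;
    out[15] = csd_crc_byte(out);
    return 0;
}

int main(void)
{
    /* Constructed sample CSD, not read from a real card. */
    uint8_t csd[CSD_LEN] = {0x40,0x0E,0x00,0x32,0x5B,0x59,0,0,0x3B,0x37,0x7F,0x80,0x0A,0x40,0x40,0};
    uint8_t locked[CSD_LEN];
    csd[15] = csd_crc_byte(csd); /* seal the sample with a valid CRC7 */
    if (csd_set_lock(csd, locked, 1) != 0) return 1;
    printf("byte14 %02X -> %02X, locked=%d\n", csd[14], locked[14], csd_is_locked(locked));
    return 0;
}
```

Only byte 14 and the CRC byte change; every other CSD field is written back exactly as it was read.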

Hacking SD Card & Flash Memory Controllers

We hope that some of our readers are currently at this year’s Chaos Communication Congress (schedule can be found here and live streams here), as many interesting talks are happening. One of them addressed hacking the memory controllers embedded in all memory cards that you may have. As memory storage density increases, it’s more likely that some sectors inside the embedded flash are defective. Therefore, all manufacturers add a small microcontroller to their cards (along with extra memory) to invisibly ‘replace’ the defective sectors to the operating system.

[Bunnie] and [xobs] went around buying many different microSD cards in order to find a hackable one. In their talk at 30C3 (slides here), they reported their findings on a particular microcontroller brand, Appotech, and its AX211/AX215. By reverse engineering the firmware code they found online, they discovered a simple “knock” sequence transmitted over manufacturer-reserved commands that dropped the controller into a firmware loading mode. From there, they were able to reverse engineer most of the 8051 microcontroller function-specific registers, allowing them to develop novel applications for it. Some of the initial work was done using an FPGA/i.MX6-based platform that the team developed named Novena, which we hope may be available for purchase some day. It was, among other things, used to simulate the FLASH memory chip that the team had previously removed. A video of the talk is embedded below.


A Motherboard for a WiFi Enabled SD Card

Over the last few months, a few very capable hackers have had a hand in cracking open a Transcend WiFi-enabled SD card that just happens to be running a small Linux system inside. The possibilities for a wireless Linux device you can lose in your pocket are immense, but so far no one has gotten any IO enabled on this neat piece of hardware. [CNLohr] just did us all a favor with his motherboard for these Transcend WiFi SD cards, allowing the small Linux systems to communicate with I2C devices.

This build is based upon [Dmitry]’s custom kernel for the Transcend WiFiSD card. [CNLohr] did some poking around with this system and found he could use an AVR to speak to the card in its custom 4-bit protocol.

The ‘motherboard’ consists of some sort of ATMega, an AVR programming header, a power supply, and a breakout for the I2C bus. [Lohr] wired up an LED array to the I2C bus and used it to display some configuration settings for the WiFi card before connecting to the card over WiFi and issuing commands directly to the Linux system on the card. The end result was, obviously, a bunch of blinking LEDs.

While this is by far the most complex and overwrought way to blink an LED we’ve ever seen, this is a great proof of concept that makes the Transcend cards extremely interesting for a variety of hardware projects. If you want your own Transcend motherboard, [CNLohr] put all the files up for anyone who wants to etch their own board.

Rescuing an SD card with an Arduino

A few days ago, one of [Severin]’s SD cards died on him. Instead of trashing the card, he decided to investigate what was actually wrong with it and ended up recovering most of the data using an Arduino and an immense amount of cleverness.

SD cards can be accessed with two modes. The first is the SDIO mode, which is what cameras, laptops, and other card readers use. The second mode is SPI mode. SPI is slower, but much, much simpler. It turned out the SDIO mode on [Severin]’s card was broken, but accessing it with an Arduino and SPI mode worked. There was finally hope to get files off this damaged card.

[Severin] used a few sketches to dump the data on the SD card to his computer. The first looked at the file system and grabbed a list of files contained on the card. The second iterated over the file system and output all the files in hex over the serial port. With a bit of Python, [Severin] was able to reconstruct a few files that were previously lost forever.

Even though the SD card was completely inaccessible with a normal card reader, [Severin] was able to get a few files off the card. All the sketches and Python scripts are available on the Githubs, ready to recover files from your broken SD cards.