

## Reverse Engineering Flash Memory for Fun and Benefit

Jeong Wook (Matt) Oh / 2014

oh@hp.com

oh.jeongwook@gmail.com

## **De-soldering**



## **De-soldering**







#### Use an SMT Rework station with an hot air blower:

• The solder alloy melts at around 180 and 190°C (360 and 370°F), but I recommend setting the temperature slightly higher

Note: Before applying high heat to the chip, put insulating tape around the target area



# FTDI FT2232H & NAND Flash Memory



## FTDI FT2232H breakout board



#### A chip for USB communication

Provides USB 2.0 Hi-Speed (480Mb/s) to UART/FIFO IC

Note: Put female pin headers on each port extension



### MCU Host Bus Emulation Mode

#### **FTDI FT2232H supports multiple modes**

Use 'MCU Host Bus Emulation Mode' for this case

The FTDI chip emulates an 8048/8051 MCU host bus



### FT2232H Commands

| Commands | Operation | Address               |
|----------|-----------|-----------------------|
| 0x90     | Read      | 8bit address          |
| 0x91     | Read      | 16bit address         |
| 0x92     | Write     | 8bit address          |
| 0х93     | Write     | 16bit address         |
| 0x82     | Set       | High byte (BDBUS6, 7) |
| 0x83     | Read      | High byte (BDBUS6, 7) |

By sending commands and retrieving results, the software reads or writes bits through I/O lines.

See FTDI's <u>note</u> for more detail



## NAND Flash memory pins and names





Connection between FT2232H and NAND Flash Memory

The connections are mostly based on the information from Sprites Mod, but there is a slight modification between BDBUS6 and CE (9) connection.





## NAND Flash reader/writer

You need an FTDI FT2232H breakout board, a USB cable, a TSOP48 socket and wires





### TSOP48 socket





#### Place your NAND Flash chip inside the TSOP48 socket:

- This socket is very useful
- Use it to directly interact with the extended pins and avoid touching and possibly damaging any Flash memory chip pins



## **Data Lines**

| FT2232H | Use  | NAND Flash | Pin number | Description                                                        |
|---------|------|------------|------------|--------------------------------------------------------------------|
| ADBUSO  | Bit0 | 1/00       | 29         |                                                                    |
| ADBUS1  | Bit1 | I/01       | 30         | DATA INPUT/OUTPUT                                                  |
| ADBUS2  | Bit2 | 1/02       | 31         | Input command, address and data Output data during read operations |
| ADBUS3  | Bit3 | 1/03       | 32         |                                                                    |
| ADBUS4  | Bit4 | 1/04       | 41         |                                                                    |
| ADBUS5  | Bit5 | 1/05       | 42         |                                                                    |
| ADBUS6  | Bit6 | 1/06       | 43         |                                                                    |
| ADBUS7  | Bit7 | 1/07       | 44         |                                                                    |

#### Low byte

• 0x90,0x91,0x92,0x93 commands can be used to set values



## **Data Control Lines**

| FT2232H | Use   | NAND Flash | Pin number | Description                                                                                                  |
|---------|-------|------------|------------|--------------------------------------------------------------------------------------------------------------|
| ACBUS5  | Bit13 | WP         | 19         | WRITE PROTECT Write operations fail when this is not high                                                    |
| ACBUS6  | Bit14 | CLE        | 16         | COMMAND LATCH ENABLE When this is high, commands are latched into the command register through the I/O ports |
| ACBUS7  | Bit15 | ALE        | 17         | ADDRESS LATCH ENABLE When this is high, addresses are latched into the address registers                     |

#### High byte

• 0x91, 0x93 can be used to set values



## I/O and Strobe Lines

| FT2232H | Use                           | NAND<br>Flash | Pin number | Description                                                                                    |
|---------|-------------------------------|---------------|------------|------------------------------------------------------------------------------------------------|
| BDBUS6  | 1/00                          | CE            | 9          | CHIP ENABLE Low state means, the chip is enabled.                                              |
| BDBUS7  | I/01                          | RB            | 7          | READY/BUSY OUTPUT This pin indicates the status of the device operation. Low=busy, High=ready. |
| BDBUS2  | Serial Data<br>In (RD#)       | RE            | 8          | READ ENABLE Serial data-out control. Enable reading data from the device.                      |
| BDBUS3  | Serial<br>Signal Out<br>(WR#) | WE            | 18         | WRITE ENABLE Commands, addresses and data are latched on the rising edge of the WE pulse.      |

- BDBUS6 (I/O0), BDBUS7 (I/O1) is controlled by 0x83, 0x82 command
- RD#, WR# is connected to RE, WE pin on NAND Flash



## **Power Lines**

|     | Use    |     | Pin<br>number | Description |
|-----|--------|-----|---------------|-------------|
| 3v3 | POWER  | 3v3 | 12            | POWER       |
| GND | GROUND | GND | 13            | GROUND      |
| 3v3 | POWER  | 3v3 | 36            | POWER       |
| GND | GROUND | GND | 37            | GROUND      |

Power lines



## **Read Operation Example**



- CLE and ALE go high the controller is sending commands and addresses
- The RE changes phases when page data is read from the NAND Flash chip
- The R/B line goes low during the busy state and back up to high when the NAND chip is ready



## Basic command sets for usual NAND Flash memory (small blocks)

| Function     | 1 <sup>st</sup> cycle | 2 <sup>nd</sup> cycle |
|--------------|-----------------------|-----------------------|
| Read 1       | 00h/01h               | -                     |
| Read 2       | 50h                   | -                     |
| Read ID      | 90h                   | -                     |
| Page Program | 80h                   | 10h                   |
| Block Erase  | 60h                   | D0h                   |
| Read Status  | 70h                   |                       |

#### There are more complicated commands available depending on the chipsets.

- The pins and other descriptions presented here are mostly focused on small block NAND Flash models (512 bytes of data with 16 bytes 00B)
- The model with a large block size uses a different set of commands, but the principle is the same



## Read operation

To read a page, it uses the Read 1 (00h, 01h) and Read 2 (50h) functions

#### To read a full page with OOB data from small block Flash memory, you need to read it 3 times:

- The 00h command is used to read the first half of the page data (A area)
- The 01h command is used to read the second half of the page data (B area)
- Finally, the 50h command is used to retrieve the 00B of the page (spare C area)



## Read operation

| CLE    | 1               | 0                                 |                        |             |  |  |  |
|--------|-----------------|-----------------------------------|------------------------|-------------|--|--|--|
| ALE    | 0               | 1                                 | 0                      |             |  |  |  |
| R/B    |                 | 1 (Ready)                         | R/B=0 (busy) 1 (Ready) |             |  |  |  |
| RE     |                 | 1                                 | Falling for each bytes |             |  |  |  |
| WE     |                 | Rising for each bytes             |                        | 1           |  |  |  |
| 1/00~7 | 00h/01h<br>/50h | Start Address<br>A0 – A7 A9 – A25 |                        | Data Output |  |  |  |

- CLE is set to high (1) when commands (00h, 01h, 50h) are passed
- ALE is set to high (1) when addresses are transferred
- R/B pin is set to low (0) when the chip is busy preparing the data

#### RE and WE are used to indicate the readiness of the data operation on the I/O lines:

- When the WE signal is rising, new bytes (command and address in this case) are sent to the I/O pins
- When the RE signal is falling, new bytes come from the NAND Flash memory chip if any data is available



## Reading data



- First, the WE and CLE logic changes to send commands.
- Next, the WE and ALE will change state to send addresses.
- Finally, RE is used to signal reading of each byte.



## Reading a small block page

- NAND\_CMD\_READ0 (00h)
- NAND\_CMD\_READ1 (01h)
- NAND\_CMD\_READOOB (50h)

```
326
                   self.sendCmd(self.NAND CMD READ0)
                                                                            Read A area
                   self.waitReady()
                                                                               (0-255)
328
                   self.sendAddr(pageno<<8,self.AddrCycles)</pre>
329
                   self.waitReady()
                   bytes+=self.readData(self.PageSize/2)
                                                                            Read B area
                   self.sendCmd(self.NAND CMD READ1)
332
                                                                              (256-511)
333
                   self.waitReadv()
334
                   self.sendAddr(pageno<<8,self.AddrCycles)</pre>
                   self.waitReadv()
336
                   bytes+=self.readData(self.PageSize/2)
337
                   self.sendCmd(self.NAND CMD READOOB)
                                                                            Read spare C
339
                   self.waitReady()
                                                                           area (512-527)
                   self.sendAddr(pageno<<8,self.AddrCycles)</pre>
340
341
                   self.waitReady()
342
                   bytes+=self.readData(self.OOBSize)
```



## Reading data

```
t:~# python FlashTool.py -i
                NAND 64MiB 3,3V 8-bit
ID:
                0x76
                0x200
Page size:
OOB size:
                0x10
                0x20000
Page count:
Size:
                0x40
Erase size:
                0x4000
Options:
Address cycle: 4
Manufacturer:
                Samsund
```

Download the FlashTool code from here first. You should install prerequisite packages like **pyftdi** and libusbx. With everything setup, you can query basic Flash information using the *-i* option.

```
t:~# python FlashTool.py -r flash.dmp
                NAND 64MiB 3,3V 8-bit
Name:
                0x76
                0x200
Page size:
OOB size:
                0x10
                0x20000
Page count:
                0x40
Size:
Erase size:
                0x4000
Options:
Address cvcle:
Manufacturer:
                Samsung
Reading 0x232/0x20000 (9586 bytes/sec)
```

You can also read the raw data with the -r option. It takes some time to retrieve all the data depending on the size of the memory.

```
::~# python FlashTool.py -r flash.dmp -s
Name:
                NAND 64MiB 3,3V 8-bit
ID:
                0x76
Page size:
                0x200
                0x10
OOB size:
Page count:
                0x20000
                0x40
Size:
Erase size:
                0x4000
Options:
Address cycle:
                Samsung
```

FlashTool supports sequential row read mode. You can specify the —s option and it will use the mode and increase reading performance. The speed of reading is 5-6 times faster than normal page-by-page mode.



## Write operation pin states

| CLE    | 1   | 0                                 | 1     |   |                 |             |         |
|--------|-----|-----------------------------------|-------|---|-----------------|-------------|---------|
| ALE    | 0   | 1                                 |       | 0 |                 |             |         |
| R/B    |     | 1 (Ready)                         |       |   | R/B=0<br>(busy) | 1 (         | (Ready) |
| RE     |     |                                   | 1     |   |                 |             | Falling |
| WE     |     | Rising for each I                 | oytes |   | 1               | Rising      | 1       |
| 1/00~7 | 80h | Address Input<br>A0 – A7 A9 – A25 | 10h   |   | 70h             | I/O0=status |         |

## The writing operation is done through sequence-in command (80h) and program command (10h):

- The read status command (70h) is used to retrieve the result of the write operation
- If I/O0 is 0, the operation was successful



## Writing a small block page with spare C area

```
self.sendCmd(self.NAND CMD READ0)
self.sendCmd(self.NAND CMD SEQIN)
self.waitReady()
                                                                       Write A area
self.sendAddr(pageno<<8,self.AddrCycles)
                                                                           (0-255)
self.waitReadv()
self.writeData(data[0:256])
self.sendCmd(self.NAND CMD PAGEPROG)
err=self.Status()
  err&self.NAND_STATUS FAIL:
self.sendCmd(self.NAND CMD READ1)
                                                                        Write B area
self.sendCmd(self.NAND CMD SEQIN)
self.waitReady()
                                                                          (256-511)
self.sendAddr(pageno<<8.self.AddrCvcles)
self.waitReady()
self.writeData(data[self.PageSize/2:self.PageSize])
self.sendCmd(self.NAND CMD PAGEPROG)
err=self.Status()
  err&self.NAND STATUS FAIL:
self.sendCmd(self.NAND CMD READOOB)
                                                                       Write spare C
self.sendCmd(self.NAND_CMD_SEQIN)
                                                                      area (512-527)
self.waitReady()
self.sendAddr(pageno<<8.self.AddrCycles)
self.waitReadv()
self.writeData(data[self.PageSize:self.PageSize+self.OOBSize])
self.sendCmd(self.NAND_CMD_PAGEPROG)
err-self.Status()
  err@self.NAND STATUS FAIL:
```



## **Writing Data**



After command and address are sent, WE fluctuates repeatedly to send bytes.



## Working with a bare metal image



## Page+00B

```
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E OF
                                                                      ...ê.6Ÿå.6Ÿå.6Ÿå
           00000000
                     OF 00 00 EA 18 FO 9F E5 18 FO 9F E5 18 FO 9F E5
           00000010
                                                                     .674.674.674.674
                                                                     .őŸāà...à...à...
           00000020
                                         00 CO
                                               02
                                                  00 00 C0 02
           00000030
                                   02 00 00 CO 02 00 00 CO 02 00 00
                                                                     À . . . À . . . À . . . À . . .
                                                                     |...S. ä.. ä..€å
           00000040
                     7C 01 00 00 53 04 A0 E3 00 10 A0 E3 00 10 80 E5
                                                                     4.Ÿå..àä..€å,.Ÿå
           00000050
                     34 O1 9F E5 OO 10 E0 E3 OO 10 80 E5 2C O1 9F E5
                                                                     ,.ٌ..ی(.Ÿå(.Ÿå
           00000060
           00000070
                                                                     ..ea$.Ÿā$.Ÿā..eā
                                                                     .. ã..Qâýÿÿ...Ÿå
           00000080
           00000090
                                                                     ...å; & á.P.å..Uå
           0400000
                     05 00 00 0A 01 00 55 E3 05 00 00 0A 02 00
                                                                      .....uä....uä
           000000B0
                                         E5 05
                                               00
                                                  00 EA EC 40
                                                                      ....60Ÿå...êì@Ÿå
           000000C0
                                                                      ...êè0Ÿå...êä0Ÿå
           000000000
                                                                     vvvê⊾.YåÜ.Yå..€å
           000000E0
                                       AO E3 OO
                                                                     À.Ÿå.. ã..€åÌ.Ÿå
           000000FO.
                                                                     .. ã..€å.. ãÿ.àã
           00000100
                                                                     ..ی,.Ÿå,.Ÿå..€å
Data
                                                                      .Ÿå. `å...ä....
                                       91 E5 02
           00000120
                                                                      .. á.. ã4 €â.O.ä
                                                                     .O.ä..Ráû♥♥....ã
           00000130
           00000140
                                                                     X...,.Ÿå.. `å.. Àä
           00000150
           00000160
                                       81 E4 00
                                               00 52 E1 FB FF FF 1A
                                                                     .O.ä.O.ä..Ráûyy
           00000170
                                                                     b. ä..Qâýyy.P.Ÿå
                                                                     . ` 'å.5 á.. á...J
           00000180
                                       AO E1 00
                                                  AO E1 08 00
           00000190
                                       00 00 60
                                                  00 56 00 FF
                                                                     ...Jÿ...`..V.ÿPA
                                               00
                                                                     h..V~Ÿ..d..VØ...
           00000140
           000001B0
                     40 02 00 00 0C 02 00 00 74 02 00 00 00 FF 50 55
           000001C0
                                       00 4C 11 CO 05 00 B4 00
                     80 00 00 56 B8 00 00 56 20 99 11 22 00 07 00 00
                                                                     €..∀...∀ ™."...
           000001D0
           000001E0
                     00 07 00 00 F0 7F 00 00 4C 1F 00 00 00 07 00 00
                                                                     ....ö...L.....
           000001F0
                     00 07 00 00 09 80 01 00 05 80 01 00 E9 01 9E 00
                                                                      ....€...€..é.ž.
           ă*-9999999999999
 OOB Area
                                Bad Block Marker
```



## **ECC (Error Correction Code)**

#### Failures occur with data on memory:

A checksum can be useful to detect these errors

#### ECC (Error Correction Code) is a way to correct one bit of failure from a page:

- Besides detecting errors, ECC can correct them too if they are minor
- Uses the concept of Hamming code

#### Modern Flash memories use various ECC algorithms that have their roots in Hamming code:

- Even similar chipsets from the same vendor may have slightly different ECC algorithms
- Differences are generally minor (tweaks of XOR or shifting orders or methods)
- You need to figure out the correct algorithm to verify the validity of each page and to generate ECC



## **ECC** calculation table

| byte[0]   | Bit7 | Bit6   | Bit5 | Bit4 | Bit3   | Bit2 | Bit1 | Bit0 |  |
|-----------|------|--------|------|------|--------|------|------|------|--|
| byte[1]   | Bit7 | Bit6   | Bit5 | Bit4 | Bit3   | Bit2 | Bit1 | Bit0 |  |
| byte[2]   | Bit7 | Bit6   | Bit5 | Bit4 | Bit3   | Bit2 | Bit1 | Bit0 |  |
| byte[3]   | Bit7 | Bit6   | Bit5 | Bit4 | Bit3   | Bit2 | Bit1 | Bit0 |  |
| •••       |      |        |      | •    | •      |      |      |      |  |
| byte[508] | Bit7 | Bit6   | Bit5 | Bit4 | Bit3   | Bit2 | Bit1 | Bit0 |  |
| byte[509] | Bit7 | Bit6   | Bit5 | Bit4 | Bit3   | Bit2 | Bit1 | Bit0 |  |
| byte[510] | Bit7 | Bit6   | Bit5 | Bit4 | Bit3   | Bit2 | Bit1 | Bit0 |  |
| byte[511] | Bit7 | Bit6   | Bit5 | Bit4 | Bit3   | Bit2 | Bit1 | Bit0 |  |
|           |      |        |      |      |        |      |      |      |  |
|           | P1   | P1'    | P1   | P1'  | P1     | P1'  | P1   | P1'  |  |
|           | Р    | P2 P2' |      | 2'   | P2 P2' |      |      | 2'   |  |
|           |      | P      | 4    |      | P4'    |      |      |      |  |

| P16' | P32' | <br>P2048' | Representation of bits<br>on a page with size of<br>512. Each bit is<br>represented by a cell |
|------|------|------------|-----------------------------------------------------------------------------------------------|
| •••  |      |            | and each row is one                                                                           |
| P16' | P32' | <br>P2048  | byte. From this matrix,<br>you can calculate                                                  |
| P16  | P32  |            | various checksums<br>across bits.                                                             |



## **Example - P8' calculation**



P8' checksum is calculated by XOR-ing all the bits in red



## Example - P16' calculation

| byte[0]   | Bit7 | Bit6 | Bit5 | Bit4 | Bit3 | Bit2 | Bit1 | Bit0 | P8' | P16' |      |     |        |
|-----------|------|------|------|------|------|------|------|------|-----|------|------|-----|--------|
| byte[1]   | Bit7 | Bit6 | Bit5 | Bit4 | Bit3 | Bit2 | Bit1 | Bit0 | Р8  | P10  | P32' |     |        |
| byte[2]   | Bit7 | Bit6 | Bit5 | Bit4 | Bit3 | Bit2 | Bit1 | Bit0 | P8' | P16  | P32  | ••• | P2048' |
| byte[3]   | Bit7 | Bit6 | Bit5 | Bit4 | Bit3 | Bit2 | Bit1 | Bit0 | Р8  | P10  |      |     |        |
| •••       |      |      |      | •    |      |      |      |      |     |      |      |     |        |
| ****      |      |      |      |      |      |      |      |      |     |      |      |     |        |
| byte[508] | Bit7 | Bit6 | Bit5 | Bit4 | Bit3 | Bit2 | Bit1 | Bit0 | P8' | P16' |      |     |        |
| byte[509] | Bit7 | Bit6 | Bit5 | Bit4 | Bit3 | Bit2 | Bit1 | Bit0 | P8  | L10  | P32' |     | P2048  |
| byte[510] | Bit7 | Bit6 | Bit5 | Bit4 | Bit3 | Bit2 | Bit1 | Bit0 | P8' | D4.6 | P32  |     |        |
| byte[511] | Bit7 | Bit6 | Bit5 | Bit4 | Bit3 | Bit2 | Bit1 | Bit0 | Р8  | P16  |      |     |        |

- Uses bits from byte[0], bytes[1], byte[4], byte[5] and so on until byte[508] and byte[509] for checksum calculation
- Other column checksums like P8, P16', P16, P32', P32, P2048' and P2048 are calculated in same manner

## Code for calculating row checksums

```
if i & 0x01 == 0x01:
                     p8 = xor bit ^ p8
                     p8 = xor bit ^ p8
                 if i & 0x02 == 0x02:
                     p16 = xor bit ^ p16
                     p16 = xor bit ^ p16
                 if i & 0x04 == 0x04:
                     p32 = xor bit ^p32
                     p32_ = xor_bit ^p32_
100
101
                 if i & 0x08 == 0x08:
102
                     p64 = xor bit ^p64
103
104
                     p64 = xor bit ^ p64
105
106
                 if i & 0x10 == 0x10:
                     p128 = xor bit ^ p128
```

```
p128 = xor bit ^ p128
if i & 0x20 == 0x20:
   p256 = xor bit ^p256
    p256 = xor bit ^p256
if i & 0x40 == 0x40:
    p512 = xor bit ^ p512
   p512 = xor_bit ^ p512_
if i & 0x80 == 0x80:
    p1024 = xor bit ^
                     p1024
    p1024 = xor bit ^p1024
if i & 0x100 == 0x100:
    p2048 = xor bit ^p2048
    p2048 = xor bit ^
                      p2048
```



## **Example - P2 calculation**



| Bit7 | Bit6 | Bit5 | Bit4 | Bit3 | Bit2 | Bit1 | Bit0 |
|------|------|------|------|------|------|------|------|
| Bit7 | Bit6 | Bit5 | Bit4 | Bit3 | Bit2 | Bit1 | Bit0 |
| Bit7 | Bit6 | Bit5 | Bit4 | Bit3 | Bit2 | Bit1 | Bit0 |
| Bit7 | Bit6 | Bit5 | Bit4 | Bit3 | Bit2 | Bit1 | Bit0 |

The column checksums are calculated over the same bit locations over all the bytes in the page.



...



...

The picture shows how P2 can be calculated by taking bits 2,3,6,7 from each byte.





#### Row checksum calculation code

```
p1 = bit7 ^ bit5 ^ bit3 ^ bit1 ^ p1
                   p1_ = bit6 ^ bit4 ^ bit2 ^ bit0 ^ p1_
133
                   p2 = bit7 ^ bit6 ^ bit3 ^ bit2 ^ p2
134
                   p2_ = bit5 ^ bit4 ^ bit1 ^ bit0 ^ p2_
135
                   p4 = bit7 ^ bit6 ^ bit5 ^ bit4 ^ p4
136
                   p4 = bit3 \wedge bit2 \wedge bit1 \wedge bit0 \wedge p4
```



#### ECC calculation code

You need to calculate 3 ECC values based on the checksums calculated

The row and column checksum methods are very similar for different NAND Flash memory models, but ECC calculations tend to be slightly different across different models



#### **Bad blocks**

- Bad blocks is a very generic concept that is also used with hard disk technology:
- With Flash memory, if errors are more than the ECC can handle, the entire block is marked as bad
- Bad blocks are isolated from other blocks and are no longer used
- According to the ONFI standard, the first or last pages are used for marking bad blocks



## Example bad block check routine

Some vendors use their own scheme for marking bad blocks:

 Ex) If the 6th byte from the 00B data of the first or second page for each block has non FFh values, it is recognized as a bad block (Samsung and Micron).



#### How a bad block is marked

```
C:\mat\Analysis\NAND Flash\Tool>c:\python27\python DumpFlash.py -b flash.dmp
Opening flash.dmp
Check bad blocks:
Bad block: 3622 (at 0x3a5cc00)
Bad block: 3626 (at 0x3a6d400)
Bad block: 3978 (at 0x4019400)
Checked 4096 blocks and found 3 errors
```

```
3A5CC60
 Start of a bad block
3A5CC70
 D3A5CCCD
 OOB
  Bad block marker != 0xFF
```

# Reverse engineering Flash memory data



## An example of Flash memory layout



Usual structure of NAND Flash memory used for booting up embedded systems:

- The first block is always loaded to address 0x00000000
- U-Boot code and images follow
- When boot loading, code and U-Boot images are read only

The JFFS2 file system is used for read and write:

When a file is saved, it goes to JFFS2 file system



## Low level initialization of the system

```
ROM: 00000178 loc 178
                                                 : CODE XREF: ROM: 000001581
                                                                                        ROM: 00000DF5 aNandBootloader DCB "Nand Bootloader(ADAM) 3.2.4", 0xA
ROM: 00000178
                           TST
                                          R10, #2
                                                                                        ROM: 00000DF5
ROM: 8888817C
                           BEO
                                          loc 2EC
                           LDR
                                          R1. = 0x56000080 ; S3C2410X MISCCR
ROM: 00000180
                                                                                        ROM: 00000E16
                                                                                                                                        0
                                                                                                                               DCB
                           LDR
ROM: 00000184
                                          RO, RO, #0xE0000
                                                                                        ROM: 00000E17
                                                                                                                              DCB
                                                                                                                                        0
                           BIC
                           STR
                                          RO. [R1]
                                                                                        ROM: 00000E18
                                                                                                                              DCB
                                                                                                                                     ØxA
                                          RO. R4 : R4: butes to send to bus
                                                                                                                              DCB "Loading U-BOOT ", 0xA
                                                                                        ROM:00000E19 aLoadingUBoot
                                          R1. #8x48888888 ; S3C2418X BWSCON
                           ADD
ROM: 00000198
                                                                                        ROM: 00000E19
ROM: 0000019C
                                                                                        ROM: 00000E2B
                                                                                                                              DCB
                                                 ; CODE XREF: ROM: 800001A81i
                                                                                                                                        ß
ROM: 0000019C loc 19C
ROM: 0000019C
                           LDR
                                          R3, [R0],#4
                                                                                        ROM: 00000E2C
                                                                                                                              DCB 0xA
ROM: 808881A8
                           STR
                                          R3, [R1],#4; R0: bytes to send to bus
                                                                                        ROM: 00000E2D
                                                                                                                              DCB
                                                                                                                                     ØxA
ROM: 000001A4
                           CHP
                                          R2. R0
                           BNE
                                                                                                                              DCB "U-Boot EXIT", 0xA, 0
ROM: 000001A8
                                          1oc 19C
                                                                                        ROM:00000E2E aUBootExit
                           MOV
                                          R1, #0xFE : '!'
ROM: 000001AC
ROM: 000001B0
ROM: 000001B0 loc 1B0
                                                   CODE XREF: ROM: 8000018411
                                          R1, R1, #1
                           SUBS
                           BNE
                                          loc 188
                           LDR
                                          R1. = 0x560000088 ; S3C2410X GSTATUS3
                                          R6, [R1]
                                          PC. R6
ROM: GARGAGICA
```

#### This boot loader does low level initialization:

It loads up the next level boot loader

Note: The image I worked on showed very interesting strings, like the name of the 1st boot loader and some log messages



#### **U-boot boot code**



After the 1st stage boot loader, there is a next level boot loader that performs various, more complex operations:

The kernel image and actual file system are placed inside



## **U-Boot image header structure**

```
#define IH MAGIC
#define IH NMLEN
typedef struct image header
               ih magic; /* Image Header Magic Number
               ih hcrc;
   uint32 t
               ih time:
   uint32 t
               ih size:
               ih_load;
   uint32 t
               ih ep:
   uint32 t
               ih dcrc;
   uint8 t
               ih os;
   uint8 t
               ih arch;
   uint8 t
               ih type;
   uint8 t
               ih comp:
   uint8 t
               ih name[IH NMLEN]; /* Image Name
  image header t;
```



The important value in retrieving the whole image file is the image length:

 The header size is 0x40 and the image length is 0x28A03B in this case. This makes total image size of 0x28A07B.



## Calculating U-Boot image size on a bare metal image

#### For my example:

One page is 0x200 bytes, so a page of 0x28A07B/0x200 = 0x1450 and more of 0x28A07B%0x200 = 0x7B bytes are needed

One page on the NAND dump image is 0x210 because of the extra 00B size (0x10)

So the physical address of the image end is similar to the following:

page count \* (page size + oob size) + extra data

- = 0x1450 \* (0x200 + 0x10) + 0x7b
- = 0x29E57B

The start address of the image is 0x31800. If you add up this to the size of the image on the NAND image (0x29E57B), it becomes 0x2CFD7B:

c:\python27\python DumpFlash.py -r 0x00031800 0x002CFD7B -o Dump-00031800-UB00T.dmp flash.dmp



## **U-Boot image disassembly**



IDA doesn't do well with multi-file images



## Multi-file image



This image has two images inside it with lengths of 0x000E9118 and 0x001A0F17



## Mounting RAMdisk image

```
coot8test:~# file 02.decompressed.img
02.decompressed.img: Linux rev 1.0 ext2 filesystem data, UUID=42ba98f4-ee44-494e
-bddf-22d139c313b8

coot8tali:-# modprobe mtdram total_size=65536
coot8tali:-# modprobe mtdblock

coot8test:~# dd if=02.decompressed.img of=/dev/mtdblock0
16384+0 records in
16384+0 records out
8388608 bytes (8.4 MB) copied, 0.0928797 s, 90.3 MB/s
```

When image 0 looks like a code file, image 1 has more interesting contents:

- You can identify that it is gzip compressed
- After decompression, if you run file command on the file, it shows that the file is an ext2 file system file



## Mounting RAMdisk image

```
t:~# mount /dev/mtdblockO /tmp/mtd -t ext2
 ot@test:~# ls -la /tmp/mtd
total 51
drwxr-xr-x 17 root root 1024 Jan 8
drwxr-xr-x. 2 root root 2048 Jan
drwxr-xr-x. 2 root root 1024 Jan
drwxr-xr-x. 5 root root
                        4096 Jan
drwxr-xr-x. 3 root root 1024 Jan 8
drwxr-xr-x. 2 root root 1024 Jan 8
drwxr-xr-x. 2 root root 1024 Jan 8
drwxr-xr-x. 3 root root 1024 Jan 8
                          11 Jan
           2 root root 12288 Jan 8
drwxr-xr-x. 5 root root 1024 Jan 8
drwxr-xr-x. 2 root root 1024 Jan 8
drwxr-xr-x. 2 root root 1024 Jan 8
drwxr-xr-x. 2 root root 2048 Jan 8
drwxr-xr-x. 2 root root 1024 Jan
drwxr-xr-x. 4 root root 1024 Jan 8
drwxr-xr-x. 2 root root 1024 Jan 8 2009 var
```

After pushing the image, you can mount the MTD block device using the mount command and browse and modify the file.



## mkimage information for 2nd U-Bootimage

```
6F 72 6D 61 74 20 28 65 72 72 3D 32 29 00 00 00
        t:~# mkimage -1 Dump-00349800-UB00T.dmp
                                                                                      6F 75 74 20 6F 66 20 6D 65 6D 6F 72 79 00 00 00
               Mx0004US 01.00 011
Created:
               Mon Mar 31 11:30:37 2008
                                                                                                        6D 61 74 20 28 6F 74 68 65 72
              ARM Linux Kernel Image (uncompressed)
                                                                                                        63 20 65 72 72 6F 72 00 00 00
              953052 Bytes = 930.71 kB = 0.91 MB
                                                                                       6C 65 6E 67 74 68 20 65 72 72 6F 72 00 00 00 00
                                                                                                                                      length error....
Load Address: 30108000
                                                                   Start of gzipped
              30108000
                                                                    kernel image
                                                                                                                                      $Êæ..5¶O hŠO.Œ.%
                                                                             00003060 97 24 40 C4 A8 91 84 3F 22 BA AB 62 4B 3D 7A C7
                                                                                      42 64 7D 51 7E 5F 1E 9B 87 EF EB F1 5D 8E EF CA
```

IDA loads this image up without any issues. There are no hidden images.

- Unfortunately the code shown by IDA is the bootstrapping code that decompresses following the gzipped kernel image
- To identify the start of the kernel image, search for the gzip image magic value (0x8b1f)



## Kernel image disassembly





## JFFS2 erase marker location from a page and spare column bytes



Identifying the JFFS2 file system from the raw NAND Flash image is relatively easy

Usually JFFS2 puts specialized erasemarkers inside the spare column of each page



## Mounting JFFS2 file system using a MTD

```
:-# modprobe mtdram total size=65536
:- # modprobe jffs2
```

```
li:-# dd if=jffs2.dmp of=/dev/mtdblock0
19328+0 records in
19328+0 records out
1095936 bytes (61 MB) copied, 0.899118 s, 68.0 MB/s
     ali: # mount /dev/mtdblock0 /tmp/jffs2 -t jffs2
```

```
root@kali: /tmp/jffs2
 rwxr-xr-x 18 root root
                                    2009 linux-0x330000-Mx000403.img.tmp
 rwx----- 1 root root 966656 Jan 8
                          11 Dec 31 1969 linuxrc -> bin/busybox
                                    1969 tmp -> /
 rwxr-xr-x 5 root root
                           0 Jan 30 2009 u
                           0 Mar 9 2007 var
 rwxr-xr-x 2 root root
```

First, you need to create a MTD device:

 Load related Linux kernel modules like mtdram, mtdblock and JFFS2. This creates a MTD device on the system.

After successful mounting, you can navigate and modify the file system on the fly



## **Writing JFFS2 data**

1. Dump mtdblock data to a file

#### 2. Add OOB area

python DumpFlash.py -R -o mtdblock0.oob.dmp mtdblock0.dmp

#### 3. Program memory at JFFS2 location

python FlashTool.py -w mtdblock.mod.oob.dmp -R 0x12820 0xfffffff

```
dd if=/dev/mtdblockO of=mtdblockO.dmp bs=512
131070+0 records in
131070+0 records out
67107840 bytes (67 MB) copied, 2.90779 s, 23.1 MB/s
```

```
::~# python FlashTool.py -w mtdblockO.oob.dmp -R 0x12820 0xfffff
                NAND 64MiB 3,3V 8-bit
                0x76
Page size:
                0x200
                0x10
OB size:
                0x20000
Page count:
                0x40
Size:
Erase size:
                0x4000
Options:
Address cycle:
                Samsung
Writing 0x1285b/0x20000 (6941 bytes/sec)
```



## **SMT Re-soldering**



## After modifying the raw data and writing it back to the Flash memory, re-solder the chip:

- The re-soldering process is not much different from usual SMT soldering
- SMT was originally developed for automatic soldering of the PCB components
- The chips are usually small and the pitch of the pins is also relatively small
- Soldering these chips to the PCB manually is challenging, but not terribly difficult
- There are many different methods, but I placed the chip on the pin location and heated the pins using the soldering iron
- The solder residue left from previous de-soldering process melts again and the chip can be soldered again using this solder
- Various other detailed technologies can be found on the Internet



## Bridge & damaged pins



## There are many pitfalls with SMT soldering and one of the big issues is bridging:

• The pitch for NAND flash TSOP48 model is 0.5 mm (which is extremely small). The solder can go over multiple pins and create shorts

## One of the big problems with re-soldering is possible damage to the board:



- Be extra careful when you re-solder the chips!
- Luckily, with Flash memory, many pins are not used at all. If the damaged patterns are not used, then the chips operate normally
- Check with the chip datasheet to see if damaged patterns are used by the chip





## My tools

#### FlashTool – Python Implmentation of Flash reader/writer software

- https://github.com/ohjeongwook/DumpFlash/blob/master/FlashTool.py
  - Write support
  - Fast sequential row read mode support
  - More experimental code coming.

#### Enhanced NandTool (forked from original NandTool): added writing support

- https://github.com/ohjeongwook/NANDReader\_FTDI
  - Write support, which is missing from original NANDTool project from Sprites Mode

#### DumpFlash.py: Flash image manipulation tool (ECC, Bad block check)

https://github.com/ohjeongwook/DumpFlash/blob/master/DumpFlash.py

#### **DumpJFFS2.py: JFFS2 parsing tool**

https://github.com/ohjeongwook/DumpFlash/blob/master/DumpJFFS2.py



#### **Conclusion**

#### Interacting directly with Flash memory is useful when JTAG can't be used:

- This is increasingly relevant as vendors obfuscate or remove JTAG interfaces to protect their intellectual property
- By directly interacting with the low level Flash memory interface, you can access data that sometimes can't be retrieved otherwise

## The de-soldering method is referred to as destructive, but it is still possible to re-solder the chip to the system using SMT soldering methods:

There is more chance of damaging the circuit board, but the chance of success is still high enough

## There are many factors when extracting, modifying and reconstructing a bare metal image with your modification like ECC, bad blocks and JFFS2 erasemarkers:

You might try to modify code from many places like the boot loaders, the kernel or the JFFS2 root image



#### **Credits**

Original design of NAND reader/writer **Sprites Mod** 

**NANDTool** 

**Sprites Mod and Bjoern Kerlers** 

