Unusual question about NAND

(@elliot)
Posts: 14
Active Member
Topic starter
 

Hello,

We have an unusual situation where we have a standard BGA169 chip. We can get an ID from it using "EasyJTAG Plus", but it will not read a single LBA of data anywhere on the chip.

We carried out research and came across some interesting articles, one of which was going into details of the NAND Technological pinouts of a BGA chip. Basically the BGA/eMMC interface itself will give you data that has been processed through the controller internal to the chip.

This article by Rusolut goes into dumping the data not via the eMMC interface and pads but by the NAND pads that normally have no solder and may need the chip sanding away to discover.

Our question is, if we have a dump of data like this, is there anything out there that can inject this raw NAND dump straight into another chip (equivalent has been sourced)? Our hope would then be that the controller inside the chip is similar enough to process the data and output something legible.

We gave this a shot with some test chips and the EasyJTAG which has a NAND section, we are sure there is more of an issue with NAND compatibility because no chip was ever detected.

 
Posted : 27/02/2019 10:46 am
(@arcaine2)
Posts: 235
Estimable Member
 

> We gave this a shot with some test chips and the EasyJTAG which has a NAND section, we are sure there is more of an issue with NAND compatibility because no chip was ever detected.

Easy-jtag NAND support is meant mainly for iPhone repairs and it has limited support up to iPhone 6+. I'm afraid you won't be able to connect a bare NAND chip from eMMC. http://easy-jtag.com/nand-kit-2/

As for copying data into another eMMC, @bolo might be a correct user to ask, since he, or his company, do recover data from "dead" eMMC directly from NAND. I don't think this would work unless you get the same chip, but don't quote me on that one.

 
Posted : 27/02/2019 5:18 pm
(@passcodeunlock)
Posts: 792
Prominent Member
 

If done right, it would work.

 
Posted : 27/02/2019 8:17 pm
(@elliot)
Posts: 14
Active Member
Topic starter
 

Thank you for the replies, I have contacted Bolo and am awaiting a reply. We haven't really come across anything where we can inject that raw dump of data to another NAND (we have equivalent chips)

 
Posted : 28/02/2019 10:10 am
(@bolo)
Posts: 97
Trusted Member
 

Hello,

First explanation
As @arcaine2 wrote, the NAND kit is dedicated mainly to iPhone, but a connection with the NAND kit of Easy JTAG can bring you the ID of the NAND, or you can even read it (for sure it will be a wrong readout), but nothing more. Recovering from NAND is totally different from what is known from eMMC using the SD protocol (ISP/ChipOff) or JTAG - a RAW read will not give you any data.

How NAND recovery works from unknown eMMC chip
If we are playing with a new eMMC, first we need to find the technological pinout for the chip (if it is not the same as one we already have) - this is done by different approaches, but the fastest is using a Logic Analyzer. After we have the pinout, we can connect to the chip by using a special adapter or by soldering, and we can create a configuration for it if unknown (page structure, block structure, plane…). Then we will need to discover how the sector is configured in the page (Data Area, Service Area, ECC code - if it is XORed, we need to extract the XOR). So assuming all this is done, we can start reading the chip. If we read it correctly (since it may be necessary to apply a ReadRetry command before Read, or play with correct voltage settings to avoid shift of pages), we will need to reverse what the controller "does": so apply the ECC code, remove the XOR pattern (which in the case of most eMMC is quite complicated, as for example Samsung with register shifts), and after this play with wear leveling and the bad block mechanism, so the correct assembly scheme of the read data. If you compare, reading over NAND is very similar to recovery from SD/microSD monolith cards but 2x/3x more complicated due to XOR, problems with readouts and the Garbage mechanism… but if done correctly you will get all the data, which you can parse with PA, or even the logical structure etc.

Now let's answer to your questions
> Our question is, if we have a dump of data like this, is there anything out there that can inject this raw NAND dump straight into another chip (equivalent has been sourced)? Our hope would then be that the controller inside the chip is similar enough to process the data and output something legible.

It's not as simple as you think - there is a very low chance that you will find the exact chip. The problem is not only the internal firmware of the controller but also the whole FTL/VFL (Garbage mechanism, block management, Wear Leveling). There was an article about cloning of NAND in iPhone, but it was about NAND… there you need to handle only BadBlocks etc. - here we have a built-in eMMC controller which you will not program with data from the donor, since it's corrupted (the controller must know the position of logical and physical blocks in the cell array, must know where the BD are - you cannot simply put data in NAND expecting it will magically learn those). But… it's not necessary to clone anything… why do you want to do this?

We have done many dead eMMC chips - got back a lot of data, and in some cases even the logical structure with all partitions available. First let me know what chip you have and then we can find a way, but the data are still there - we will only need to recover it.

P.S
You can check the chips currently supported by us at https://multi-recovery.com/models.php; look first at the raster and after this at the supported models. We are developing new adapters and pinouts every month, so maybe we already have the chip you have but have not published info about it yet - in this case contact me, so I think I can help.

P.S#2
NAND recovery from eMMC is also used after Factory Reset - if you get all 0000000, so no data over ChipOff/ISP/JTAG or simply DD, in most cases you will get plenty of data from NAND directly… I'm not talking about 10-100 SMS, but we solved cases where ISP/ChipOff did not give any data at all after Factory Reset and recovered thousands of messages, photos, contacts. It's worth knowing this.

 
Posted : 28/02/2019 11:09 am
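
The reassembly steps described in the post above (split each page into data area and service area, remove the XOR pattern, then order sectors and discard stale copies left by wear leveling), as an added example that is not part of any post in this thread. The geometry, the service-area format (logical sector number plus write sequence), the rotating XOR key and the sample dump are all constructed assumptions, not a real eMMC layout, and ECC correction is left out.

```python
import struct

# Assumed toy geometry (constructed for illustration, not a real chip):
DATA, SA = 512, 4                 # data area + service area bytes per sector
SECTORS_PER_PAGE = 4
SECTOR_RAW = DATA + SA
PAGE_RAW = SECTOR_RAW * SECTORS_PER_PAGE
ERASED = 0xFFFF                   # logical sector number of a never-written sector

def xor_data(data: bytes, page_no: int, key: bytes) -> bytes:
    """Apply or remove the scrambler: repeating key, rotated by page number."""
    return bytes(b ^ key[(i + page_no) % len(key)] for i, b in enumerate(data))

def parse_page(raw: bytes, page_no: int, key: bytes):
    """Yield (lsn, seq, plain_data) for each written sector in one raw page."""
    for s in range(SECTORS_PER_PAGE):
        sector = raw[s * SECTOR_RAW:(s + 1) * SECTOR_RAW]
        lsn, seq = struct.unpack("<HH", sector[DATA:])
        if lsn != ERASED:
            yield lsn, seq, xor_data(sector[:DATA], page_no, key)

def assemble(dump: bytes, key: bytes) -> bytes:
    """Rebuild the logical image, keeping the newest copy of each sector."""
    if len(dump) % PAGE_RAW:
        raise ValueError("dump is not a whole number of raw pages")
    newest = {}
    for page_no in range(len(dump) // PAGE_RAW):
        raw = dump[page_no * PAGE_RAW:(page_no + 1) * PAGE_RAW]
        for lsn, seq, data in parse_page(raw, page_no, key):
            if lsn not in newest or seq > newest[lsn][0]:
                newest[lsn] = (seq, data)
    size = max(newest, default=-1) + 1
    # Logical sectors with no surviving copy are zero-filled.
    return b"".join(newest.get(n, (0, bytes(DATA)))[1] for n in range(size))

def make_constructed_dump(key: bytes) -> bytes:
    """Constructed sample: 2 pages, sector 1 rewritten once (stale copy in page 0)."""
    def sector(lsn, seq, fill, page_no):
        return xor_data(bytes([fill]) * DATA, page_no, key) + struct.pack("<HH", lsn, seq)
    erased = b"\xff" * SECTOR_RAW
    page0 = sector(1, 1, 0x11, 0) + sector(0, 1, 0xAA, 0) + sector(2, 1, 0xCC, 0) + erased
    page1 = sector(1, 2, 0xBB, 1) + erased * 3
    return page0 + page1

if __name__ == "__main__":
    key = bytes(range(1, 65))     # constructed scrambler key
    image = assemble(make_constructed_dump(key), key)
    print(len(image), hex(image[0]), hex(image[DATA]), hex(image[2 * DATA]))
```

The physical order in the sample (sector 1, 0, 2, then a newer sector 1 in the next page) differs from the logical order, which is why the raw read alone is not usable.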