Unusual question about NAND


Elliot
Member
 

Unusual question about NAND

Post Posted: Feb 27, 19 11:46

Hello,

We have an unusual situation where we have a standard BGA169 chip; we can get an ID from it using "EasyJTAG Plus", but it will not read a single LBA of data anywhere on the chip.

We carried out research and came across some interesting articles, one of which was going into details of the NAND Technological pinouts of a BGA chip. Basically the BGA/eMMC interface itself will give you data that has been processed through the controller internal to the chip.

This article by Rusolut goes into dumping the data not via the eMMC interface and pads but by the NAND pads that normally have no solder and may need the chip sanding away to discover.

Our question is, if we have a dump of data like this, is there anything out there that can inject this raw NAND dump straight into another chip (equivalent has been sourced)? Our hope would then be that the controller inside the chip is similar enough to process the data and output something legible.

We gave this a shot with some test chips and the EasyJTAG, which has a NAND section; we are sure there is more of an issue with NAND compatibility because no chip was ever detected.
 
  

arcaine2
Senior Member
 

Re: Unusual question about NAND

Post Posted: Feb 27, 19 18:18

- Elliot

We gave this a shot with some test chips and the EasyJTAG which has a NAND section, we are sure there is more of an issue with NAND compatibility because no chip was ever detected.


Easy-jtag NAND support is meant mainly for iPhone repairs and it has limited support up to iPhone 6+. I'm afraid you won't be able to connect a bare NAND chip from eMMC. easy-jtag.com/nand-kit-2/

As for copying data into another eMMC, @bolo might be a correct user to ask, since he, or his company, do recover data from "dead" eMMC directly from NAND. I don't think this would work unless you get the same chip, but don't quote me on that one.  

Last edited by arcaine2 on Feb 27, 19 23:07; edited 2 times in total
 
  

passcodeunlock
Senior Member
 

Re: Unusual question about NAND

Post Posted: Feb 27, 19 21:17

If done right, it would work.
_________________
Apple passcode unlock + decrypted filesystem dump, Android user locks unlock + physical dump with decrypted userdata partition. We provide our services world-wide, but we reserve the right for choosing which tasks we take and which we deny! 
 
  

Elliot
Member
 

Re: Unusual question about NAND

Post Posted: Feb 28, 19 11:10

Thank you for the replies, I have contacted Bolo and am awaiting a reply. We haven't really come across anything where we can inject that raw dump of data to another NAND (we have equivalent chips).
 
  

Bolo
Senior Member
 

Re: Unusual question about NAND

Post Posted: Feb 28, 19 12:09

Hello,

First explanation:
As @arcaine2 wrote, the NAND kit is dedicated mainly to iPhone, but a connection with the NAND kit of Easy JTAG can bring you the ID of the NAND, or you can even read it (it will for sure be a wrong readout), but nothing more. Recovering from NAND is totally different from what is known from eMMC using the SD protocol (ISP/ChipOff) or JTAG - a RAW read will not give you any data.

How NAND recovery works from unknown eMMC chip:
If we are playing with a new eMMC, first we need to find the technological pinout for the chip (if it is not the same as one we already have) - this is done by different approaches, but the fastest is using a Logic Analyzer. After we have the pinout we can connect to the chip by using a special adapter or by soldering, and we can create a configuration for it if unknown (page structure, block structure, plane...). Then we will need to discover how a sector is configured in the page (Data area, Service Area, ECC code - if it is XORed we need to extract the XOR). So assuming all this is done, we can start reading the chip. If we read it correctly (since it may be necessary to apply a ReadRetry command before Read, or play with correct voltage settings to avoid shift of pages), we will need to reverse what the controller "does": apply the ECC code, remove the XOR pattern (which in the case of most eMMC is quite complicated, as for example Samsung with register shifts), and after this play with wear leveling and the bad block mechanism, so the correct assembly scheme of the read data. If you compare, reading over NAND is very similar to recovery from SD/microSD monolith cards, but 2x/3x more complicated due to XOR and problems with readouts and the Garbage mechanism... but if done correctly you will get all the data, which you can parse with PA, or even the logical structure etc.

Now let's answer to your questions:
Our question is, if we have a dump of data like this, is there anything out there that can inject this raw NAND dump straight into another chip (equivalent has been sourced)? Our hope would then be that the controller inside the chip is similar enough to process the data and output something legible.
It's not as simple as you think - there is a very low chance that you will find the exact chip. The problem is not only the internal firmware of the controller but also the whole FTL/VFL (Garbage mechanism, block management, Wear Leveling). There was an article about cloning of NAND in iPhone but it was about NAND... then you will need to handle only BadBlocks etc. - here we have a built-in eMMC controller which you will not program with data from the donor since it's corrupted (the controller must know the position of logical and physical blocks in the cell array, must know where the BD are - you cannot simply put data in NAND expecting it will magically learn those). But... it's not necessary to clone anything... why do you want to do this?

We have done many dead eMMC chips - got back a lot of data and in some cases even the logical structure with all partitions available. First let me know what chip you have and then we can find a way, but the data is still there - we will only need to recover it.


P.S
You can check the chips currently supported by us at multi-recovery.com/models.php; look first at the raster and after this at the supported models. We are developing new adapters and pinouts every month, so maybe we already have the chip you have but have not published info about it yet - in this case contact me and I think I can help.

P.S#2
NAND recovery from eMMC is also used after Factory Reset - if you get all 0000000, so no data over ChipOff/ISP/JTAG or simply DD, in most cases you will get plenty of data from NAND directly... I'm not talking about 10-100 SMS, but we solved cases where ISP/ChipOff did not give any data at all after Factory Reset and recovered thousands of messages, photos, contacts. It's worth knowing this.
_________________
Multi-COM - Bogusław Rzepka 
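
Added example, not part of Bolo's post or of any vendor tool: the post-read steps described above (split each page into data and service area, remove the XOR pattern, reject pages that fail the integrity check, then rebuild logical order from current and stale copies) run over a constructed dump. The page geometry, the XOR pattern, the service-area fields and the additive checksum standing in for real ECC are all assumptions made for illustration.

```python
DATA, SPARE = 16, 4          # hypothetical geometry: data area + service area
PAGE = DATA + SPARE

def xor_key(phys, n):
    # Constructed stand-in for a controller scrambler keyed by physical page
    return bytes((0xA5 + 7 * phys + 13 * i) & 0xFF for i in range(n))

def scramble(buf, phys):
    # XOR is its own inverse, so this both applies and removes the pattern
    return bytes(a ^ b for a, b in zip(buf, xor_key(phys, len(buf))))

def make_page(phys, lpn, gen, data):
    # Service area (assumed): logical page number, generation, checksum
    spare = lpn.to_bytes(2, "little") + bytes([gen, sum(data) & 0xFF])
    return scramble(data + spare, phys)

def parse_page(raw, phys):
    page = scramble(raw, phys)
    data, spare = page[:DATA], page[DATA:]
    lpn = int.from_bytes(spare[:2], "little")
    return lpn, spare[2], (sum(data) & 0xFF) == spare[3], data

def assemble(dump):
    """Return (logical image, physical pages rejected by the checksum)."""
    newest, bad = {}, []
    for phys in range(len(dump) // PAGE):
        raw = dump[phys * PAGE:(phys + 1) * PAGE]
        if raw == b"\xff" * PAGE:          # erased page, never programmed
            continue
        lpn, gen, ok, data = parse_page(raw, phys)
        if not ok:                         # unreadable copy: do not trust it
            bad.append(phys)
            continue
        if lpn not in newest or gen > newest[lpn][0]:
            newest[lpn] = (gen, data)      # keep the most recent good copy
    blank = (0, bytes(DATA))               # zero-fill pages with no good copy
    image = b"".join(newest.get(l, blank)[1] for l in range(max(newest) + 1))
    return image, bad

def sample_dump():
    # Constructed dump: pages out of logical order, one stale copy,
    # one erased page, and a newer copy of page 2 damaged by a bit flip
    pages = [make_page(0, 1, 0, b"B" * DATA),
             make_page(1, 0, 0, b"old-version-0000"),
             b"\xff" * PAGE,
             make_page(3, 0, 1, b"new-version-0001"),
             make_page(4, 2, 0, b"C" * DATA),
             make_page(5, 2, 1, b"D" * DATA)]
    pages[5] = bytes([pages[5][0] ^ 0x01]) + pages[5][1:]
    return b"".join(pages)

if __name__ == "__main__":
    print(assemble(sample_dump()))
```
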
 
