NAND Flash question

Trying to further the development of Android on the Revue? Talk about it here and document it on the wiki: http://www.wiki.gtvhacker.com

Moderator: Revue Mod

pcgeil
Android 1.0
Posts: 26
Joined: Wed Aug 17, 2011 3:15 am
GTV Device Owned: Logitech Revue

NAND Flash question

Post by pcgeil »

Hi,
does anyone know if, for example, the root filesystem is saved encrypted on the NAND flash?
Has anyone tried before to read the NAND to get the real Honeycomb from a Honeycomb-flashed device?

Or has it been tried with a virgin box? Are there differences?

Thanks.
pcgeil
Android 1.0
Posts: 26
Joined: Wed Aug 17, 2011 3:15 am
GTV Device Owned: Logitech Revue

Re: NAND Flash question

Post by pcgeil »

Today my GTV was delivered :-)
I am happy that UART is still working with this box.


Guess nobody has tried to dump the NAND externally before, or?
Next week, I should get all the things which are needed to dump the NAND externally.
First of all, I will dump my virgin box and see if that works.

Maybe I will then try to update to Honeycomb and dump again.
I am excited to see whether the whole flash is then encrypted or not ...
cj_000
1.6 Donut
Posts: 121
Joined: Fri Jul 29, 2011 2:13 pm

Re: NAND Flash question

Post by cj_000 »

pcgeil wrote:
Today my GTV was delivered :-)
I am happy that UART is still working with this box.


Guess nobody has tried to dump the NAND externally before, or?
Next week, I should get all the things which are needed to dump the NAND externally.
First of all, I will dump my virgin box and see if that works.

Maybe I will then try to update to Honeycomb and dump again.
I am excited to see whether the whole flash is then encrypted or not ...

What type of hardware are you planning on using to dump out the nand?
pcgeil
Android 1.0
Posts: 26
Joined: Wed Aug 17, 2011 3:15 am
GTV Device Owned: Logitech Revue

Re: NAND Flash question

Post by pcgeil »

I will desolder the TSOP48 with a hot air soldering machine and put the TSOP then in:

http://datasheet.octopart.com/IC191-048 ... 508500.pdf

To read the TSOP, I will probably use the ATNGW100 from Atmel, based on an AVR32, or
will try whether I can use a card reader with xD-Card support, see

http://en.wikipedia.org/wiki/XD-Picture ... w_hardware
Chinpokomon
Android 1.0
Posts: 36
Joined: Mon Aug 01, 2011 10:13 pm

Re: NAND Flash question

Post by Chinpokomon »

pcgeil wrote:
Today my GTV was delivered :-)
I am happy that UART is still working with this box.


Guess nobody has tried to dump the NAND externally before, or?
Next week, I should get all the things which are needed to dump the NAND externally.
First of all, I will dump my virgin box and see if that works.

Maybe I will then try to update to Honeycomb and dump again.
I am excited to see whether the whole flash is then encrypted or not ...

I'd hold off on upgrading to Honeycomb until then... it might be valuable having root access before going further.
pcgeil
Android 1.0
Posts: 26
Joined: Wed Aug 17, 2011 3:15 am
GTV Device Owned: Logitech Revue

Re: NAND Flash question

Post by pcgeil »

Update: my setup with the Yamaichi IC191-0482-004 is ready.
I hope I can desolder the NAND this weekend, and then I will try to dump it :-)
pcgeil
Android 1.0
Posts: 26
Joined: Wed Aug 17, 2011 3:15 am
GTV Device Owned: Logitech Revue

Re: NAND Flash question

Post by pcgeil »

I managed to get a dump of the Samsung NAND,
but until now I do not know if the dump is correct.

Maybe on Monday I will be able to check if the dump is complete and try to update to Honeycomb and dump again.
Itsjusttim
Android 1.0
Posts: 22
Joined: Mon Aug 01, 2011 9:33 pm

Re: NAND Flash question

Post by Itsjusttim »

Good! Thanks for the update
pcgeil
Android 1.0
Posts: 26
Joined: Wed Aug 17, 2011 3:15 am
GTV Device Owned: Logitech Revue

Re: NAND Flash question

Post by pcgeil »

Just another short update:

Some information about the GTV filesystem is written here:
http://gtvhacker.com/index.php/GTV_FileSystem

I don't know if anyone dumped the NAND before to get some of this information.
So what I can confirm is that:
1. 0x00a00000-0x00c00000 "redboot" All FF's
but the last 10 bytes are zero in my dump; it looks somehow as if everything is shifted 10 bytes in the dump.
Don't know why ...

2. 0x00c00000-0x00e00000 "cefdk-config" Holds Box SN, repeats (like MBR)
0x00bffff6 - 0x00c01ff5 is 0x00 (important 10 bytes shift)
then everything is 0xff till 0x00c06ff5
but from 0x00c21f6 - c02204 it is not 0x00, maybe the serial number (same pattern in 0x00c02a2e, 0x00c02c3c, 0x00c02e4a, 0x00c031f6, 0x00c03404 and so on)
there are more patterns in the following block ... and it looks as if everything gets repeated many times


3. 0x00e00000-0x00f00000 not described
0x00e00000 to 0x00ebff5 is 0xff, from 0x00ebff6 to 0x00effff5 is 0x00 and from 0x00effff6 to 0x00fffff5 is 0xff again
(remember the 10 bytes shift!)


4. 0x01800000-0x01900000 "fts" Flash Transaction Key/Value Storage. (Contents seem to be just: "F*TS..e.L.......bootloader.command=boot-recovery.bootloader.recovery=recovery.--wipe_data.")
This is correct; there are some more things inside this area, for example you can find the same pattern as in 0x00c21f6 - c02204
there are some more things which also repeat
everything else is 0xff


Please forget the mentioned 10 bytes shift, it was a problem of my hexedit ...
pcgeil
Android 1.0
Posts: 26
Joined: Wed Aug 17, 2011 3:15 am
GTV Device Owned: Logitech Revue

Re: NAND Flash question

Post by pcgeil »

Here is a maybe helpful script to split the dump!

Code:

#!/bin/bash
# copyright: pcgeil
# (c) 2011 progged for GTV revue

dumpFile="nand.dump"

outputDir="dump"
outputName="${outputDir}/test"

# create the output directory if it does not exist yet
if [ -d "$outputDir" ]; then
	echo "Directory exists"
else
	echo "Directory does not exist"
	mkdir -p "$outputDir"
fi

# dump mbr 0x00000000-0x00200000
dd if=$dumpFile of=${outputName}".mbr" count=8192 bs=256

# dump cefdk 0x00200000-0x00a00000
dd if=$dumpFile of=${outputName}".cefdk" count=32768 bs=256 skip=8192

# dump redboot 0x00a00000-0x00c00000
dd if=$dumpFile of=${outputName}".redboot" count=8192 bs=256 skip=40960

# dump cefdk-config 0x00c00000-0x00e00000
dd if=$dumpFile of=${outputName}".cefdk-config" count=8192 bs=256 skip=49152

# dump splash 0x01000000-0x01800000
dd if=$dumpFile of=${outputName}".splash" count=16384 bs=512 skip=32768

# dump fts 0x01800000-0x01900000
dd if=$dumpFile of=${outputName}".fts" count=2048 bs=512 skip=49152

# dump recovery 0x01900000-0x02d00000
dd if=$dumpFile of=${outputName}".recovery" count=40960 bs=512 skip=51200

# dump kernel 0x02d00000-0x03200000
dd if=$dumpFile of=${outputName}".kernel" count=10240 bs=512 skip=92160

# dump boot 0x03200000-0x07200000
dd if=$dumpFile of=${outputName}".boot" count=131072 bs=512 skip=102400

# dump system 0x07200000-0x1f200000
dd if=$dumpFile of=${outputName}".system" count=786432 bs=512 skip=233472

# dump data 0x1f200000-0x3fa00000
dd if=$dumpFile of=${outputName}".data" count=1064960 bs=512 skip=1019904

# dump keystore 0x3fa00000-0x3ff00000
dd if=$dumpFile of=${outputName}".keystore" count=10240 bs=512 skip=2084864

# dump bbt 0x3ff00000-0x40000000
dd if=$dumpFile of=${outputName}".bbt" count=2048 bs=512 skip=2095104
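Added example (not part of the original posts and not pcgeil's code): a per-partition survey that automates the fill-pattern checks described in the thread and addresses the opening question of whether a partition could be encrypted. The partition offsets are copied from the script's comments. It assumes a flat dump with no OOB/spare bytes interleaved, as the script's offsets also do. The 7.9 bits/byte threshold is a heuristic, and the sample data is constructed.

```python
import hashlib
import math
from collections import Counter

# (name, start, end) copied from the offset comments in the dd script above.
PARTITIONS = [
    ("mbr", 0x00000000, 0x00200000), ("cefdk", 0x00200000, 0x00a00000),
    ("redboot", 0x00a00000, 0x00c00000), ("cefdk-config", 0x00c00000, 0x00e00000),
    ("splash", 0x01000000, 0x01800000), ("fts", 0x01800000, 0x01900000),
    ("recovery", 0x01900000, 0x02d00000), ("kernel", 0x02d00000, 0x03200000),
    ("boot", 0x03200000, 0x07200000), ("system", 0x07200000, 0x1f200000),
    ("data", 0x1f200000, 0x3fa00000), ("keystore", 0x3fa00000, 0x3ff00000),
    ("bbt", 0x3ff00000, 0x40000000),
]

def entropy(data):
    """Shannon entropy in bits per byte; values near 8.0 look random."""
    total = len(data)
    if not total:
        return 0.0
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def classify(region, threshold=7.9):
    """Return (label, fraction of 0xFF bytes, entropy of the remaining bytes)."""
    if not region:
        return ("missing", 0.0, 0.0)          # dump is shorter than the map
    ff = region.count(b"\xff") / len(region)
    payload = region.replace(b"\xff", b"")    # drop erased-flash filler
    if not payload:
        return ("erased", ff, 0.0)
    if payload.count(b"\x00") == len(payload):
        return ("zeroed", ff, 0.0)
    h = entropy(payload)
    # High entropy means encrypted OR compressed; structured data is not ciphertext.
    return ("high-entropy" if h >= threshold else "structured", ff, h)

def survey(dump, partitions=PARTITIONS):
    """Classify each partition of a flat dump (bytes or mmap, no OOB bytes)."""
    return {name: classify(bytes(dump[start:end])) for name, start, end in partitions}

def sample_dump():
    """Constructed three-region sample, not data from a real Revue."""
    text = b"bootloader.command=boot-recovery".ljust(4096, b"\xff")
    rnd = b"".join(hashlib.sha256(bytes([i, j])).digest()
                   for i in range(64) for j in range(64))
    layout = [("redboot", 0, 4096), ("fts", 4096, 8192), ("system", 8192, 8192 + len(rnd))]
    return b"\xff" * 4096 + text + rnd, layout

if __name__ == "__main__":
    for name, (label, ff, h) in survey(*sample_dump()).items():
        print(f"{name:8} {label:13} ff={ff:.2f} entropy={h:.2f}")
```

For a real dump, pass an `mmap` of the file to `survey()`; a "high-entropy" result on a partition still needs a look for compression headers before concluding that it is encrypted.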