Hi,
Does anyone know if, for example, the root filesystem is saved encrypted on the NAND flash?
Has anyone tried reading the NAND to get the real Honeycomb from a Honeycomb-flashed device?
Or has it been tried with a virgin box? Are there differences?
Thanks.
NAND Flash question
Re: NAND Flash question
Today my GTV was delivered.
I am happy that UART is still working with this box.
I guess nobody has tried to dump the NAND externally before, or?
Next week, I should get all the things which are needed to dump the NAND externally.
First of all, I will dump my virgin box and see if that works.
Maybe I will then try to update to Honeycomb and dump again.
I am excited to see whether the whole flash is then encrypted or not ...
Re: NAND Flash question
pcgeil wrote:
> Today my GTV was delivered.
> I am happy that UART is still working with this box.
> I guess nobody has tried to dump the NAND externally before, or?
> Next week, I should get all the things which are needed to dump the NAND externally.
> First of all, I will dump my virgin box and see if that works.
> Maybe I will then try to update to Honeycomb and dump again.
> I am excited to see whether the whole flash is then encrypted or not ...

What type of hardware are you planning on using to dump out the NAND?
Re: NAND Flash question
I will desolder the TSOP48 with a hot air soldering machine and then put the TSOP in:
http://datasheet.octopart.com/IC191-048 ... 508500.pdf
To read the TSOP, I will probably use the ATNGW100 from Atmel, based on an AVR32, or
I will see whether I can use a card reader with xD-Card support, see
http://en.wikipedia.org/wiki/XD-Picture ... w_hardware
- Chinpokomon
- Android 1.0
- Posts: 36
- Joined: Mon Aug 01, 2011 10:13 pm
Re: NAND Flash question
pcgeil wrote:
> Today my GTV was delivered.
> I am happy that UART is still working with this box.
> I guess nobody has tried to dump the NAND externally before, or?
> Next week, I should get all the things which are needed to dump the NAND externally.
> First of all, I will dump my virgin box and see if that works.
> Maybe I will then try to update to Honeycomb and dump again.
> I am excited to see whether the whole flash is then encrypted or not ...

I'd hold off on upgrading to Honeycomb until then... it might be valuable having root access before going further.
Re: NAND Flash question
Update, my setup with Yamaichi IC191-0482-004 is ready.
I hope I can desolder the NAND this weekend, and then I will try to dump it.
Re: NAND Flash question
I managed to get a dump of the Samsung NAND,
but till now, I do not know if the dump is correct.
Maybe on Monday I will be able to check if the dump is complete and try to update to Honeycomb and dump again.
-
- Android 1.0
- Posts: 22
- Joined: Mon Aug 01, 2011 9:33 pm
Re: NAND Flash question
Good! Thanks for the update
Re: NAND Flash question
Just another short update:
Some information about the GTV filesystem is written here:
http://gtvhacker.com/index.php/GTV_FileSystem
I don't know if anyone has dumped the NAND before to get some of this information.
So what I can confirm is that:
1. 0x00a00000-0x00c00000 "redboot" All FF's
   But the last 10 bytes are zero in my dump; it looks somehow as if everything is shifted 10 bytes in the dump.
   Don't know why ...
2. 0x00c00000-0x00e00000 "cefdk-config" Holds Box SN, repeats (like MBR)
   0x00bffff6 - 0x00c01ff5 is 0x00 (important 10 bytes shift)
   Then everything is 0xff till 0x00c06ff5,
   but from 0x00c21f6 - c02204 it is not 0x00, maybe the serial number (same pattern in 0x00c02a2e, 0x00c02c3c, 0x00c02e4a, 0x00c031f6, 0x00c03404 and so on).
   There are more patterns in the following block ... and it looks as if everything gets repeated many times.
3. 0x00e00000-0x00f00000 not described
   0x00e00000 to 0x00ebff5 is 0xff, from 0x00ebff6 to 0x00effff5 is 0x00 and from 0x00effff6 to 0x00fffff5 is 0xff again
   (remember the 10 bytes shift!)
4. 0x01800000-0x01900000 "fts" Flash Transaction Key/Value Storage. (Contents seem to be just: "F*TS..e.L.......bootloader.command=boot-recovery.bootloader.recovery=recovery.--wipe_data.")
   This is correct; there are some more things inside this area, for example you can find the same pattern as in 0x00c21f6 - c02204.
   There are some more things which also repeat.
   Everything else is 0xff.
Please forget the mentioned 10 bytes shift, it was a problem of my hexedit ...
Re: NAND Flash question
Here is a possibly helpful script to split the dump!
Code:
#!/bin/bash
# copyright: pcgeil
# (c) 2011 progged for GTV revue
# Splits a raw NAND dump into one file per partition with dd.
# For every dd call: byte offset = skip * bs, byte length = count * bs.
dumpFile="nand.dump"
outputDir="dump"
outputName="${outputDir}/test"
# create the output directory if it does not exist yet
if [ -d "$outputDir" ]; then
    echo "Directory exists"
else
    echo "Directory does not exist"
    mkdir "$outputDir"
fi
# dump mbr 0x00000000-0x00200000
dd if="$dumpFile" of="${outputName}.mbr" count=8192 bs=256
# dump cefdk 0x00200000-0x00a00000
dd if="$dumpFile" of="${outputName}.cefdk" count=32768 bs=256 skip=8192
# dump redboot 0x00a00000-0x00c00000
dd if="$dumpFile" of="${outputName}.redboot" count=8192 bs=256 skip=40960
# dump cefdk-config 0x00c00000-0x00e00000
dd if="$dumpFile" of="${outputName}.cefdk-config" count=8192 bs=256 skip=49152
# dump splash 0x01000000-0x01800000
dd if="$dumpFile" of="${outputName}.splash" count=16384 bs=512 skip=32768
# dump fts 0x01800000-0x01900000
dd if="$dumpFile" of="${outputName}.fts" count=2048 bs=512 skip=49152
# dump recovery 0x01900000-0x02d00000
dd if="$dumpFile" of="${outputName}.recovery" count=40960 bs=512 skip=51200
# dump kernel 0x02d00000-0x03200000
dd if="$dumpFile" of="${outputName}.kernel" count=10240 bs=512 skip=92160
# dump boot 0x03200000-0x07200000
dd if="$dumpFile" of="${outputName}.boot" count=131072 bs=512 skip=102400
# dump system 0x07200000-0x1f200000
dd if="$dumpFile" of="${outputName}.system" count=786432 bs=512 skip=233472
# dump data 0x1f200000-0x3fa00000
dd if="$dumpFile" of="${outputName}.data" count=1064960 bs=512 skip=1019904
# dump keystore 0x3fa00000-0x3ff00000
dd if="$dumpFile" of="${outputName}.keystore" count=10240 bs=512 skip=2084864
# dump bbt 0x3ff00000-0x40000000
dd if="$dumpFile" of="${outputName}.bbt" count=2048 bs=512 skip=2095104
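
An added example (not part of the thread and not pcgeil's code): one way to approach the encryption question from the first post is to measure, per region of the dump, how many pages are programmed and how random their bytes look. The region offsets are taken from the split script above; the 2048-byte page size, a dump file without spare/OOB bytes, the 7.5-bit threshold and all function names are assumptions of this example.

```python
import math
import os
from collections import Counter

PAGE = 2048  # assumed NAND page size; dump assumed to contain no spare/OOB bytes

# (start, end, name) copied from the split script posted in the thread
REGIONS = [
    (0x00A00000, 0x00C00000, "redboot"),
    (0x00C00000, 0x00E00000, "cefdk-config"),
    (0x01800000, 0x01900000, "fts"),
    (0x07200000, 0x1F200000, "system"),
    (0x1F200000, 0x3FA00000, "data"),
]

def survey_region(chunk, page=PAGE):
    """Classify one region; returns (label, programmed_pages, entropy_bits)."""
    counts, programmed = Counter(), 0
    for off in range(0, len(chunk), page):
        p = chunk[off:off + page]
        if p.count(0xFF) == len(p) or p.count(0x00) == len(p):
            continue  # erased or zero-filled page: says nothing about encryption
        programmed += 1
        counts.update(p)
    total = sum(counts.values())
    if total == 0:
        return ("blank", 0, 0.0)
    entropy = -sum(c / total * math.log2(c / total) for c in counts.values())
    # Near 8 bits/byte means ciphertext OR compressed data; entropy cannot tell which.
    label = "high-entropy" if entropy > 7.5 else "structured"
    return (label, programmed, entropy)

def survey(path, regions=REGIONS):
    """Read each region from the dump file and classify it."""
    out = {}
    with open(path, "rb") as f:
        for start, end, name in regions:
            f.seek(start)
            out[name] = survey_region(f.read(end - start))
    return out

def constructed_sample():
    """Constructed test data: a blank region, key=value text, random bytes."""
    text = (b"bootloader.command=boot-recovery\n" * 64)[:PAGE]
    return [bytes([0xFF]) * PAGE * 4,
            text + bytes([0xFF]) * PAGE * 3,
            os.urandom(PAGE * 4)]
```

A region reported as "structured", such as readable key=value text, is not encrypted; a "high-entropy" region still needs a look at its headers to separate a compressed image from ciphertext.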