Page 2 of 3

Re: NAND Flash question

Posted: Mon Aug 29, 2011 11:34 pm
by pcgeil
The bash script in the post before could be used for dumps which have no ECC data!

I think (because of this link, http://www.anandtech.com/show/4029/the- ... x-review/3 ) that the internal NAND controller of the SoC is using BCH ECC.
But I can't try it, because my dump hasn't any ECC data at all.

I think the suitable Linux NAND controller driver for the CE4150 can be found here:
http://git.kernel.org/?p=linux/kernel/g ... d/denali.c

Re: NAND Flash question

Posted: Tue Aug 30, 2011 12:30 pm
by pcgeil
If you take the kernel.img, for example, out of an update (not the Honeycomb one),
then the structure is as follows:

From 0x00 to 0x18 the pattern is equal: 3 bytes which look like the total size (but a bit bigger !?!), then 0x1c to 0x47f is also equal!
The following pattern is maybe a hash or signing signature (should be a signature) and is 0x100 big.
Afterwards ANDROID! follows, which is the magic pattern described here:
http://android.git.kernel.org/?p=platfo ... 3f;hb=HEAD

update:
most of this information can be also found here:
http://www.gtvhacker.com/index.php/Startup
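Added example (not code from the thread or from pcgeil): a small parser that does what the post describes by hand. It searches a kernel.img-style blob for the "ANDROID!" magic, treats everything before it as the opaque vendor wrapper (the fixed pattern plus the 0x100-byte signature field), and then splits the standard Android boot image that follows using the header layout from bootimg.h (the file linked above: magic, ten 32-bit fields, name, cmdline, id). The constructed sample blob, the 0x480 + 0x100 wrapper shape it uses, and the fake kernel/ramdisk contents are assumptions for demonstration; on a real image the wrapper length is whatever find_boot_magic reports.

```python
"""Locate and split the standard Android boot image inside a vendor-wrapped
kernel.img. Added example, not code from the thread. Header layout follows
bootimg.h; the vendor wrapper is treated as opaque bytes."""
import struct

BOOT_MAGIC = b"ANDROID!"
# magic[8], kernel_size, kernel_addr, ramdisk_size, ramdisk_addr, second_size,
# second_addr, tags_addr, page_size, unused[2], name[16], cmdline[512], id[8]
BOOT_HDR_FMT = "<8s10I16s512s8I"
BOOT_HDR_SIZE = struct.calcsize(BOOT_HDR_FMT)  # 608 bytes


def find_boot_magic(blob: bytes) -> int:
    """Offset of the first 'ANDROID!' magic (= vendor header length), -1 if absent."""
    return blob.find(BOOT_MAGIC)


def strip_vendor_header(blob: bytes) -> bytes:
    """Everything from the magic onwards: the plain boot image without the wrapper."""
    off = find_boot_magic(blob)
    if off < 0:
        raise ValueError("no ANDROID! magic found")
    return blob[off:]


def parse_boot_header(blob: bytes, off: int) -> dict:
    if off < 0 or off + BOOT_HDR_SIZE > len(blob):
        raise ValueError("header does not fit at 0x%x" % off)
    (magic, kernel_size, kernel_addr, ramdisk_size, ramdisk_addr, second_size,
     second_addr, tags_addr, page_size, _u0, _u1, name, cmdline,
     *img_id) = struct.unpack_from(BOOT_HDR_FMT, blob, off)
    if magic != BOOT_MAGIC:
        raise ValueError("no boot image header at 0x%x" % off)
    # page_size is the alignment of every component; reject nonsense values
    # before they are used to compute offsets into the blob
    if page_size < BOOT_HDR_SIZE or page_size & (page_size - 1):
        raise ValueError("implausible page_size %d" % page_size)
    return {
        "kernel_size": kernel_size, "kernel_addr": kernel_addr,
        "ramdisk_size": ramdisk_size, "ramdisk_addr": ramdisk_addr,
        "second_size": second_size, "second_addr": second_addr,
        "tags_addr": tags_addr, "page_size": page_size,
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "cmdline": cmdline.rstrip(b"\0").decode("ascii", "replace"),
        "id": struct.pack("<8I", *img_id).hex(),
    }


def _round_up(n: int, align: int) -> int:
    return (n + align - 1) // align * align


def carve_boot_image(blob: bytes, off: int) -> dict:
    """Split the boot image at `off`: one page of header, then kernel, ramdisk
    and second stage, each padded to a whole page (bootimg.h layout)."""
    hdr = parse_boot_header(blob, off)
    ps = hdr["page_size"]
    k_off = off + ps
    r_off = k_off + _round_up(hdr["kernel_size"], ps)
    s_off = r_off + _round_up(hdr["ramdisk_size"], ps)
    end = s_off + _round_up(hdr["second_size"], ps)
    if end > len(blob):
        raise ValueError("image truncated: needs 0x%x bytes, have 0x%x" % (end, len(blob)))
    return {
        "vendor_header": blob[:off],
        "header": hdr,
        "kernel": blob[k_off:k_off + hdr["kernel_size"]],
        "ramdisk": blob[r_off:r_off + hdr["ramdisk_size"]],
        "second": blob[s_off:s_off + hdr["second_size"]],
        "trailing": blob[end:],
    }


def build_sample(page_size: int = 2048) -> bytes:
    """Constructed test input (not a real Revue image): a wrapper shaped like the
    post describes (0x480 bytes of fixed pattern, then a 0x100-byte signature
    slot) followed by a minimal boot image with a fake kernel and ramdisk."""
    kernel = b"\x7fELF" + b"K" * 1000          # stand-in for the kernel binary
    ramdisk = b"\x1f\x8b" + b"R" * 3000        # stand-in for a gzipped cpio
    pad = lambda b: b + b"\0" * (-len(b) % page_size)
    hdr = struct.pack(BOOT_HDR_FMT, BOOT_MAGIC, len(kernel), 0x00008000,
                      len(ramdisk), 0x01000000, 0, 0x00f00000, 0x00000100,
                      page_size, 0, 0, b"gtv-sample", b"console=ttyS0", *([0] * 8))
    vendor = b"\xa5" * 0x480 + b"\x5a" * 0x100  # opaque prefix + signature slot
    return vendor + pad(hdr) + pad(kernel) + pad(ramdisk)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    off = find_boot_magic(blob)
    print("ANDROID! magic at 0x%x (vendor header length)" % off)
    parts = carve_boot_image(blob, off)
    for k, v in parts["header"].items():
        print("  %-13s %s" % (k, hex(v) if isinstance(v, int) else v))
    for k in ("kernel", "ramdisk", "second"):
        print("  %-13s %d bytes" % (k, len(parts[k])))
```

Run it with a kernel.img path to see the wrapper length and the header fields; strip_vendor_header gives the bytes that would be handed to an emulator once the wrapper is gone. The parser only trusts page_size after a sanity check, because that single field drives every offset computed afterwards.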

Re: NAND Flash question

Posted: Wed Aug 31, 2011 4:30 am
by pcgeil
It is possible to boot the kernel with QEMU if the header is deleted.

I also tried to boot the cefdk-logitech_ka3.bin included inside 439c26f6af05.mp-signed-ota_update-b39389.zip,
but that doesn't work out of the box (deleted the first 0x480 bytes), as far as I see.
Strings are contained inside this cefdk; are they visible during boot, or is it disabled?

The header of cefdk-logitech_ka3.bin also has a structure like kernel.img, for example, but not exactly the same.

Is it known what the number inside the MBR means?
In my dump, at 0x00 is written:
0B B0 AD DE 0F 00 01 A9
and at 0x200:
DE 26 FA CB 9A 29 D6 2D CC F6 BA 09 B8
Can someone confirm this; is it everywhere the same?
It is repeated with offset 0x40000, so this is available 8 times!


Some pics of my setup:
http://i53.tinypic.com/mlktnk.jpg
http://i53.tinypic.com/2z3npmq.jpg

Re: NAND Flash question

Posted: Thu Sep 01, 2011 9:48 pm
by Chipster
Following your progress. I envy your desoldering toys and debugging tools. Lacking those tools, I can't help (yet). I thought cefdk files were encrypted. Did you find they were still encrypted in NAND?

Re: NAND Flash question

Posted: Fri Sep 02, 2011 7:52 am
by zenofex
Chipster wrote: Following your progress. I envy your desoldering toys and debugging tools. Lacking those tools, I can't help (yet). I thought cefdk files were encrypted. Did you find they were still encrypted in NAND?
The update: 439c26f6af05.mp-signed-ota_update-b39389.zip (a proper link can be found on the wiki) has an un-encrypted version of the boot-loader for pre-honeycomb. Honeycomb actually updates the boot-loader to handle the encrypted recovery, so the boot-loader pcgeil is working with is the one from 2.1. You can also find a copy of the un-encrypted boot-loader in memory by dumping /dev/mem. We actually should probably start a thread for people to discuss disassembling it.

Thanks,
Zenofex

Re: NAND Flash question

Posted: Sun Sep 04, 2011 2:01 am
by pcgeil
So new version for splitting dump:

Code:

#!/bin/bash
# copyright: pcgeil
# (c) 2011 progged for GTV revue
#
# Splits a raw Logitech Revue NAND dump (without OOB/ECC data, see the
# earlier post) into the regions of the flash layout, then checks the
# regions that are stored in several copies for differences.

echo "progged for gtv revue by pcgeil (c) 2011"
echo "revision 0.1"
echo ""

dumpFile="nand.dump"

outputDir="dump"
outputName="${outputDir}/test"

# create the output directory if it does not exist yet
if [ -d "$outputDir" ]; then
	echo "directory exists"
else
	echo "directory does not exist, creating it now"
	mkdir -p "$outputDir"
fi

# carve NAME START END: copy the byte range [START, END) of the dump into
# ${outputName}.NAME. Offsets are hex, as in the layout below; every region
# boundary is 1 MiB aligned, so a 4 KiB block size is safe and keeps dd fast.
carve() {
	local name="$1" start="$2" end="$3"
	local bs=4096
	dd if="$dumpFile" of="${outputName}.${name}" bs=$bs \
	   skip=$(( start / bs )) count=$(( (end - start) / bs )) > /dev/null 2>&1
}

splitDump=1
if [ "$splitDump" = "1" ]; then
	carve mbr          0x00000000 0x00200000
	carve cefdk        0x00200000 0x00a00000
	carve redboot      0x00a00000 0x00c00000
	carve cefdk-config 0x00c00000 0x00e00000
	#                  0x00e00000-0x01000000 is not carved
	carve splash       0x01000000 0x01800000
	carve fts          0x01800000 0x01900000
	carve recovery     0x01900000 0x02d00000
	carve kernel       0x02d00000 0x03200000
	carve boot         0x03200000 0x07200000
	carve system       0x07200000 0x1f200000
	carve data         0x1f200000 0x3fa00000
	carve keystore     0x3fa00000 0x3ff00000
	carve bbt          0x3ff00000 0x40000000
	echo "dump was split successfully"
fi

# check_copies NAME COUNT: the first COUNT copies of a region (256 KiB each,
# i.e. offset 0x40000 between copies) go into ${outputName}_<i>.NAME, then
# every copy is compared with copy 0. cmp is silent for identical files and
# prints the first differing byte otherwise.
check_copies() {
	local name="$1" copies="$2" i
	echo ""
	echo "extract repetition out of ${name} (${copies} copies)"
	for (( i = 0; i < copies; i++ )); do
		dd if="${outputName}.${name}" of="${outputName}_${i}.${name}" \
		   bs=262144 skip=$i count=1 > /dev/null 2>&1
	done
	echo "compare copies of ${name}"
	for (( i = 1; i < copies; i++ )); do
		cmp "${outputName}_0.${name}" "${outputName}_${i}.${name}"
	done
}

# cefdk and mbr are repeated 8 times, fts and splash 4 times
check_copies cefdk 8
check_copies mbr 8
check_copies fts 4
check_copies splash 4
Info:
cefdk and mbr are repeated 8 times (at 0x000000, 0x040000, 0x080000, 0x0C0000, 0x100000, 0x140000, 0x180000 and 0x1C0000).
fts and splash are repeated 4 times (at 0x000000, 0x040000, 0x080000, 0x0C0000).
But fts is not exactly the same in my dump: 0x200 to 0x20f changes from repetition to repetition.

If anyone else has a dump, please validate my results :-)

Update:
If you have UART, you can get a mem dump like this:
# mount -w -t msdos /dev/sdb1 /sdcard
# dd if=/dev/mem of=/sdcard/test-mem.dump
/dev/mem: read error: Bad address
1572864+0 records in
1572864+0 records out
805306368 bytes transferred in 236.377 secs (3406872 bytes/sec)
# sync
At 0x0F0000 you find the CEFDK and at 0x800000 the recovery.
The difference between the NAND and the mem dump is that at the CEFDK and recovery addresses I have 13 bytes written at offset 0x200 (cefdk and recovery) and afterwards a shift of 12 bytes
(just checked the first 0xffff; maybe there is more like this). I think these are maybe bad blocks!
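Added example (not code from the thread): the copy comparison above only says whether two copies differ. This does the same check on a carved region and reports the exact byte ranges that differ, so a result like "0x200-0x20f" in fts comes out directly instead of requiring a manual hexdump. The 0x40000 stride and the 8/4 copy counts are the ones reported above; the sample regions are constructed here to mimic that observation and are not from a real dump.

```python
"""Compare the repeated copies of a carved NAND region (cefdk/mbr: 8 copies,
fts/splash: 4 copies, 0x40000 apart) and report which byte ranges differ.
Added example, not code from the thread."""

STRIDE = 0x40000  # 256 KiB between copies, as observed in the dump


def split_copies(region: bytes, copies: int, stride: int = STRIDE) -> list:
    """First `copies` slices of `stride` bytes from the start of the region."""
    if len(region) < copies * stride:
        raise ValueError("region too small for %d copies of 0x%x bytes" % (copies, stride))
    return [region[i * stride:(i + 1) * stride] for i in range(copies)]


def diff_ranges(a: bytes, b: bytes, chunk: int = 4096) -> list:
    """Half-open [start, end) ranges where a and b differ, in offset order.
    Equal 4 KiB chunks are skipped with one comparison and only unequal
    chunks are scanned byte by byte, so identical copies cost almost nothing.
    A run of differences may span chunk boundaries; `start` persists across them."""
    if len(a) != len(b):
        raise ValueError("copies have different lengths")
    ranges, start = [], None
    for base in range(0, len(a), chunk):
        ca, cb = a[base:base + chunk], b[base:base + chunk]
        if ca == cb:
            if start is not None:
                ranges.append((start, base))
                start = None
            continue
        for i, (x, y) in enumerate(zip(ca, cb), base):
            if x != y:
                if start is None:
                    start = i
            elif start is not None:
                ranges.append((start, i))
                start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges


def check_copies(region: bytes, copies: int, stride: int = STRIDE) -> dict:
    """Map copy index -> ranges where it differs from copy 0 (empty: identical)."""
    parts = split_copies(region, copies, stride)
    return {i: diff_ranges(parts[0], parts[i]) for i in range(1, copies)}


def format_report(name: str, report: dict) -> str:
    lines = []
    for i, ranges in sorted(report.items()):
        if not ranges:
            lines.append("%s copy %d: identical to copy 0" % (name, i))
        else:
            spans = ", ".join("0x%x-0x%x" % (s, e - 1) for s, e in ranges)
            lines.append("%s copy %d: differs at %s" % (name, i, spans))
    return "\n".join(lines)


def build_samples() -> dict:
    """Constructed regions (not from a real dump): 'cefdk' with 8 identical
    copies and 'fts' with 4 copies whose bytes 0x200-0x20f change per copy,
    mimicking what the post observed."""
    base = bytes((i * 7) & 0xFF for i in range(STRIDE))
    fts = b"".join(base if i == 0 else
                   base[:0x200] + bytes([0x10 + i]) * 16 + base[0x210:]
                   for i in range(4))
    return {"cefdk": base * 8, "fts": fts}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: script REGION_FILE COPIES
        region = open(sys.argv[1], "rb").read()
        print(format_report(sys.argv[1], check_copies(region, int(sys.argv[2]))))
    else:
        for name, region in build_samples().items():
            print(format_report(name, check_copies(region, 8 if name == "cefdk" else 4)))
```

Point it at one of the carved files from the split script (for example `dump/test.fts 4`) to get the differing offsets per copy.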

Re: NAND Flash question

Posted: Thu Sep 15, 2011 11:59 pm
by pcgeil
This is an update for everyone who wants to dump the NAND externally.

I did the first dump with dd, but that isn't very clever or good.
There exists a package, mtd-utils, which has nanddump included:

Code:

Usage: nanddump [OPTIONS] MTD-device
Dumps the contents of a nand mtd partition.

           --help               Display this help and exit
           --version            Output version information and exit
-a         --forcebinary        Force printing of binary data to tty
-c         --canonicalprint     Print canonical Hex+ASCII dump
-f file    --file=file          Dump to file
-l length  --length=length      Length
-n         --noecc              Read without error correction
-N         --noskipbad          Read without bad block skipping
-o         --omitoob            Omit oob data
-b         --omitbad            Omit bad blocks from the dump
-p         --prettyprint        Print nice (hexdump)
-q         --quiet              Don't display progress and status messages
-s addr    --startaddress=addr  Start address
You can find that package here:
http://www.linux-mtd.infradead.org/

I will try this next month, and hopefully I will have some NANDs with 1 GByte by then, so I can try to clone the NAND.
If that is working, I will try to boot some older CEFDK ...

Re: NAND Flash question

Posted: Fri Sep 16, 2011 6:51 am
by ender_x
Highly recommend, for those of you who have hopped on the userdebug leak, to grab a backup of your NAND and keep it somewhere safe.
Use the nanddump tool that's provided, or at least do a dd dump.

Run the following (should be paste-able into adb shell):

Code:

su
dd if=/dev/mtd/mtd0 > /sdcard/mtd0.dd
dd if=/dev/mtd/mtd1 > /sdcard/mtd1.dd
dd if=/dev/mtd/mtd2 > /sdcard/mtd2.dd
dd if=/dev/mtd/mtd3 > /sdcard/mtd3.dd
dd if=/dev/mtd/mtd4 > /sdcard/mtd4.dd
dd if=/dev/mtd/mtd5 > /sdcard/mtd5.dd
dd if=/dev/mtd/mtd6 > /sdcard/mtd6.dd
dd if=/dev/mtd/mtd7 > /sdcard/mtd7.dd
dd if=/dev/mtd/mtd8 > /sdcard/mtd8.dd
dd if=/dev/mtd/mtd9 > /sdcard/mtd9.dd
dd if=/dev/mtd/mtd10 > /sdcard/mtd10.dd
dd if=/dev/mtd/mtd11 > /sdcard/mtd11.dd
dd if=/dev/mtd/mtd12 > /sdcard/mtd12.dd
Suck the files off /sdcard/*.dd and keep them somewhere safe, and hopefully you'll never need them.

Re: NAND Flash question

Posted: Fri Sep 16, 2011 9:09 am
by cj_000
pcgeil wrote: This is an update for everyone who wants to dump the NAND externally.

I did the first dump with dd, but that isn't very clever or good.
There exists a package, mtd-utils, which has nanddump included:

Code:

Usage: nanddump [OPTIONS] MTD-device
Dumps the contents of a nand mtd partition.

           --help               Display this help and exit
           --version            Output version information and exit
-a         --forcebinary        Force printing of binary data to tty
-c         --canonicalprint     Print canonical Hex+ASCII dump
-f file    --file=file          Dump to file
-l length  --length=length      Length
-n         --noecc              Read without error correction
-N         --noskipbad          Read without bad block skipping
-o         --omitoob            Omit oob data
-b         --omitbad            Omit bad blocks from the dump
-p         --prettyprint        Print nice (hexdump)
-q         --quiet              Don't display progress and status messages
-s addr    --startaddress=addr  Start address
You can find that package here:
http://www.linux-mtd.infradead.org/

I will try this next month, and hopefully I will have some NANDs with 1 GByte by then, so I can try to clone the NAND.
If that is working, I will try to boot some older CEFDK ...
Just to confirm: it does pull off the ECC data (with the correct flags), so the only issue is if you run into any bad blocks on your new NAND, and managing to re-map them.
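Added example (not code from the thread or from cj_000): what a dump taken with nanddump and OOB included looks like, and how to tell it apart from the OOB-less dd dumps discussed earlier. It checks the dump length against the chip's data capacity for both layouts (a length short by whole erase blocks is the signature of bad blocks having been omitted), separates page data from the spare area, counts spare areas that are still 0xFF, and lists blocks carrying a factory bad-block marker. Page size 2048 + 64 OOB, 64 pages per block and the 1 GiB capacity (the end of the layout in the split script) are assumptions, not values confirmed by the thread; the part's datasheet is authoritative for all three, and the sample dump is constructed here, not read from a device.

```python
"""Classify a raw NAND dump by length, separate page data from the OOB/spare
area, and inspect the spare area. Added example, not code from the thread.
Geometry constants are assumptions, see the datasheet of the actual part."""

PAGE_SIZE = 2048            # assumed data bytes per page
OOB_SIZE = 64               # assumed spare bytes per page
PAGES_PER_BLOCK = 64        # assumed erase block size in pages
NAND_CAPACITY = 0x40000000  # 1 GiB of data, the end of the layout in the split script


def classify_dump(total_len: int, capacity: int = NAND_CAPACITY, page_size: int = PAGE_SIZE,
                  oob_size: int = OOB_SIZE, pages_per_block: int = PAGES_PER_BLOCK) -> str:
    """Match the dump length against the expected size for the chip's data
    capacity, without and with OOB. A dump shorter by a whole number of erase
    blocks points at bad blocks having been left out (nanddump --omitbad)."""
    pages = capacity // page_size
    for label, frame in (("data_only", page_size), ("with_oob", page_size + oob_size)):
        expected = pages * frame
        if total_len == expected:
            return label
        missing = expected - total_len
        block = pages_per_block * frame
        if missing > 0 and missing % block == 0:
            return "%s_minus_%d_blocks" % (label, missing // block)
    return "unexpected"


def split_oob(raw: bytes, page_size: int = PAGE_SIZE, oob_size: int = OOB_SIZE) -> tuple:
    """De-interleave a dump laid out as [page data][oob] per page into a
    data-only stream (what the dd dumps in this thread contain) and an OOB stream."""
    frame = page_size + oob_size
    if len(raw) % frame:
        raise ValueError("length 0x%x is not a multiple of page+oob (%d)" % (len(raw), frame))
    data, oob = bytearray(), bytearray()
    for off in range(0, len(raw), frame):
        data += raw[off:off + page_size]
        oob += raw[off + page_size:off + frame]
    return bytes(data), bytes(oob)


def oob_summary(oob: bytes, oob_size: int = OOB_SIZE) -> dict:
    """How many spare areas are still erased (all 0xFF) versus populated.
    Populated spare areas on programmed pages are where ECC and filesystem
    metadata live; all-0xFF spare areas everywhere mean the dump carries no ECC."""
    pages = len(oob) // oob_size
    erased = sum(1 for p in range(pages)
                 if oob[p * oob_size:(p + 1) * oob_size] == b"\xff" * oob_size)
    return {"pages": pages, "erased": erased, "populated": pages - erased}


def bad_block_candidates(oob: bytes, oob_size: int = OOB_SIZE,
                         pages_per_block: int = PAGES_PER_BLOCK) -> list:
    """Blocks whose factory bad-block marker is set. Common convention for
    large-page NAND: a non-0xFF first spare byte in the first or second page
    of the block. Blocks that went bad later are recorded in the BBT, not here."""
    pages = len(oob) // oob_size
    bad = []
    for first in range(0, pages, pages_per_block):
        for pg in (first, first + 1):
            if pg < pages and oob[pg * oob_size] != 0xFF:
                bad.append(first // pages_per_block)
                break
    return bad


def build_sample_raw() -> bytes:
    """Constructed raw dump (not from a device): 8 pages = 4 blocks of 2 pages.
    Blocks 0 and 3 carry non-0xFF spare bytes, block 1 is erased, block 2 has
    a factory bad-block marker in its first page."""
    def frame(page_no, oob):
        return bytes([page_no]) * PAGE_SIZE + oob
    good = b"\xff\xff" + b"\x12" * (OOB_SIZE - 2)
    erased = b"\xff" * OOB_SIZE
    marked = b"\x00" + b"\xff" * (OOB_SIZE - 1)
    oobs = [good, good, erased, erased, marked, good, good, good]
    return b"".join(frame(i, o) for i, o in enumerate(oobs))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        raw = open(sys.argv[1], "rb").read()
        print("layout:", classify_dump(len(raw)))
        data, oob = split_oob(raw)
        print("oob:", oob_summary(oob))
        print("factory bad block candidates:", bad_block_candidates(oob))
        open(sys.argv[1] + ".data", "wb").write(data)
        open(sys.argv[1] + ".oob", "wb").write(oob)
    else:
        raw = build_sample_raw()
        print("layout:", classify_dump(len(raw), capacity=8 * PAGE_SIZE, pages_per_block=2))
        data, oob = split_oob(raw)
        print("oob:", oob_summary(oob))
        print("factory bad block candidates:", bad_block_candidates(oob, pages_per_block=2))
```

The .data file produced this way is directly comparable with the dd-based dumps and carvable with the split script above, while the .oob file is what an ECC-aware comparison or a clone onto a fresh chip has to take into account.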

Re: NAND Flash question

Posted: Tue Dec 20, 2011 8:45 am
by safranek
Do you know how the NAND flash is organized?
Does it have a standard filesystem, like ext3, with some partitions?

Sorry about the lame question; I'm just trying to understand what the NAND looks like if I would like to reprogram it.

Thanks in advance.