Topics - Ramazuri

Bus Pirate Support / Experiences with dumping flash content while it is still on the board
Hello everyone,

I would like to ask if anyone has some experiences with dumping content of a flash while it is still located on the PCB.
I am just wondering because I did this for my last project and I ended up running into a bunch of problems. I am not 100% sure if the problems were related to that because it was my first time dealing with flashes but I found out in the end that there are a lot of issues related to that.
Is it always recommendable to desolder the target flash from the board or are there some other workarounds?

General discussion / Getting access to the content of a SquashFS filesystem
Hello everyone,

A while ago I bought myself a BusPirate to retrieve the content of a NAND Flash via SPI.
After some initial trouble I managed to dump the entire flash. Unfortunately I am having a big issue with analyzing the filesystem that is part of it. I was hoping that someone has an idea what I can do.

First of all let me tell you what I already did. I gave the dump binwalk as input and extracted the content with the
binwalk -Me
So far so good. I knew that I was dealing with a squashfs filesystem, so I installed sasquatch just in case that some weird modification was used that unsquashfs couldn't handle.
Unfortunately sasquatch couldn't handle it either. The whole thing seemed pretty suspicious to me so I took a look at the binary and I found something weird.
The binary started with a squashfs header obviously but afterwards there is a pretty big area before the actual content of the filesystem starts that consists of a periodically repeating Byte structure (16 * 0xff followed by a 0x01 Byte). Also there are UBI signatures appearing throughout the entire binary.
I think the squashfs was running on top of a UBI device and that is why sasquatch couldn't extract it. Has anyone had to deal with a similar situation before and knows what I can do to mount it or to extract the files that it contains?
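
Added example, not part of the original post: a Python survey of a raw dump that counts the UBI erase-counter ("UBI#") and volume-ID ("UBI!") headers, infers the erase-block size from their spacing, and lists SquashFS superblock offsets. The sample image is constructed with small, made-up block sizes so the script runs without a real dump; `survey` and `make_sample` are names chosen for this example.

```python
import struct
from collections import Counter

UBI_EC_MAGIC = b"UBI#"    # erase-counter header at the start of each UBI erase block
UBI_VID_MAGIC = b"UBI!"   # volume-ID header that follows it
SQUASHFS_MAGIC = b"hsqs"  # little-endian SquashFS superblock

def find_all(data, magic):
    """Return every offset at which magic occurs in data."""
    hits, pos = [], data.find(magic)
    while pos != -1:
        hits.append(pos)
        pos = data.find(magic, pos + 1)
    return hits

def survey(data):
    """Locate UBI headers and SquashFS superblocks in a raw dump."""
    ec = find_all(data, UBI_EC_MAGIC)
    report = {"ec_headers": len(ec), "vid_headers": len(find_all(data, UBI_VID_MAGIC)),
              "squashfs_at": find_all(data, SQUASHFS_MAGIC), "erase_block": None}
    if len(ec) >= 2:
        # Erase blocks are fixed-size, so the commonest gap between EC headers is the block size
        gaps = Counter(b - a for a, b in zip(ec, ec[1:]))
        report["erase_block"] = gaps.most_common(1)[0][0]
    if ec:
        # EC header fields are big-endian: magic, version, 3 pad, erase count, VID offset, data offset
        _, ver, _, vid_off, data_off = struct.unpack_from(">4sB3xQII", data, ec[0])
        report.update(version=ver, vid_hdr_offset=vid_off, data_offset=data_off)
    return report

def make_sample(blocks=4, peb=0x1000, vid_off=0x200, data_off=0x400):
    """Constructed stand-in for a dump: erased (0xFF) blocks with UBI headers."""
    out = bytearray()
    for i in range(blocks):
        block = bytearray(b"\xff" * peb)
        struct.pack_into(">4sB3xQII", block, 0, UBI_EC_MAGIC, 1, i, vid_off, data_off)
        block[vid_off:vid_off + 4] = UBI_VID_MAGIC
        if i == 1:  # pretend the SquashFS volume starts in the second block
            block[data_off:data_off + 4] = SQUASHFS_MAGIC
        out += block
    return bytes(out)

if __name__ == "__main__":
    print(survey(make_sample()))
```

When the survey shows EC headers at a regular spacing, the SquashFS data is split across erase blocks with UBI headers in front of each piece, so it is not contiguous in the raw dump.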

Bus Blaster JTAG debugger / Does a non-selftest buffer exist for BBv4.1a
Hello everyone,

I am still trying to get my BusBlaster v4.1a to work.
The last time I tried to get it to work I reprogrammed the CPLD buffer logic with the following file:

Today I found another svf file that I didn't see before:

If I see this correctly both svf files are identical. Is there something that I am missing?
Especially because the manual says
We highly recommend users upgrade to a non-selftest buffer immediately.

Someone mentioned this before but nobody replied to that so I am trying it again.

Bus Pirate Support / Bus Pirate communication in SPI Mode / SPI speed
Hello everyone,

I have one question related to the Bus Pirate's SPI Mode and the configuration of the SPI speed.

I have a script with which I can read out the content of the first page of a NAND Flash.
That script does the following.
makes the BP enter BBIO1 Mode (20* 0x00) -> makes the BP enter SPI Mode (0x01) -> configures the SPI speed and the SPI Mode (0x64 = 2MHz and 0x8a = CLK idle low, CKE Edge from active to idle, w=3.3V, SMP Sample = Middle) -> supplies power to the NAND Flash and activates CS (0x49).
After all the configuration is done it reads out the first page that is automatically loaded into the Cache from the Flash when it is powered up.

To do so, I used the Write-then-read function: 0x04 0x00 0x04 0x08 0x80 0x03 0x00 0x00 0x00

When I look at the file that contains the content of the first page, it looks like a part of the content is cut off from the rest and in between there are a bunch of 0 bytes (sometimes 0xFF bytes; it does look inconsistent). Besides that, I know how the first page has to look like and the beginning is correct but once I reach the middle or so it should look different.
I tried a few things until I found out that when I change the SPI speed the output gets even messier. That's why I assume it has something to do with that.
I would like to ask you guys if someone of you knows and can explain to me why my output is different with a different SPI speed and how do I determine which SPI speed I need to use and what if the speed value that I need is not part of the 8 values that the BP supports?
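
Added example, not part of the original post: a Python decoder that annotates the byte sequence described above according to the Bus Pirate binary SPI command layout, so the configured speed, SPI settings and write-then-read lengths can be checked before a dump is attempted. The function names and the dictionary keys are labels chosen for this example.

```python
SPI_SPEEDS = ["30 kHz", "125 kHz", "250 kHz", "1 MHz",
              "2 MHz", "2.6 MHz", "4 MHz", "8 MHz"]

def bits(b):
    """Split the low nibble into its four flag bits, most significant first."""
    return [(b >> s) & 1 for s in (3, 2, 1, 0)]

def decode(stream):
    """Annotate a Bus Pirate binary-mode byte stream as (command, detail) pairs."""
    out, i, in_spi = [], 0, False
    while i < len(stream):
        b = stream[i]
        i += 1
        if not in_spi:
            if b == 0x00:                       # repeated 0x00 enters raw bitbang (BBIO1)
                start = i - 1
                while i < len(stream) and stream[i] == 0x00:
                    i += 1
                out.append(("enter BBIO1", i - start))
            elif b == 0x01:                     # from BBIO1, 0x01 selects binary SPI mode
                in_spi = True
                out.append(("enter SPI", None))
            else:
                out.append(("unknown", b))
        elif b & 0xF8 == 0x60:                  # 01100xxx: SPI speed index
            out.append(("speed", SPI_SPEEDS[b & 0x07]))
        elif b & 0xF0 == 0x80:                  # 1000wxyz: SPI configuration
            w, x, y, z = bits(b)
            out.append(("config", {"out_3v3": w, "clk_idle_high": x,
                                   "cke_active_to_idle": y, "sample_end": z}))
        elif b & 0xF0 == 0x40:                  # 0100wxyz: peripherals
            w, x, y, z = bits(b)
            out.append(("peripherals", {"power": w, "pullups": x, "aux": y, "cs": z}))
        elif b == 0x04:                         # write-then-read: two 16-bit big-endian counts
            n_wr = int.from_bytes(stream[i:i + 2], "big")
            n_rd = int.from_bytes(stream[i + 2:i + 4], "big")
            out.append(("write-then-read", {"write": bytes(stream[i + 4:i + 4 + n_wr]),
                                            "read_len": n_rd}))
            i += 4 + n_wr
        else:
            out.append(("unknown", b))
    return out

# The byte sequence described in the post
POST_SEQUENCE = bytes([0x00] * 20 + [0x01, 0x64, 0x8A, 0x49,
                                     0x04, 0x00, 0x04, 0x08, 0x80, 0x03, 0x00, 0x00, 0x00])

if __name__ == "__main__":
    for command, detail in decode(POST_SEQUENCE):
        print(command, detail)
```

For the posted sequence the write-then-read command decodes to 4 bytes written (0x03 0x00 0x00 0x00) and 0x0880 = 2176 bytes requested.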
Bus Blaster JTAG debugger / BusBlaster v4.1a can't connect to JTAG
Hello everyone,

Let me explain my situation to you first so that you understand what I want to achieve:
I am currently trying to read out the NAND Flash from a chip that I have here. First I tried to use the BusPirate v4 to do so. Unfortunately it didn't work, I had several issues with flashrom and my other attempts to communicate with the SPI NAND Flash didn't work either.
So I searched for another option and I saw that I can read out my NAND Flash via JTAG as well. Apparently there is a readmem command, so I wanted to try that out (at this point I don't really care much if it takes way longer like that because I am stagnating for weeks at the same point).

I connected my BusBlaster v4.1a with the corresponding pins and my first attempt was with UrJTAG.
This is the result:
UrJTAG 0.10 #1502
Copyright (C) 2002, 2003 ETC s.r.o.
Copyright (C) 2007, 2008, 2009 Kolja Waschk and the respective authors

UrJTAG is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
There is absolutely no warranty for UrJTAG.

WARNING: UrJTAG may damage your hardware!
Type "quit" to exit, "help" for help.

jtag> cable jtagkey pid=0x6010 vid=0x0403 interface=0
Connected to libftd2xx driver.
jtag> detect
Warning: TDO seems to be stuck at 1

I looked that up, first I thought I may have connected something wrong, unfortunately I found several posts about the exact same problem. I didn't find a solution though.

So I got curious if it's maybe a problem with UrJTAG so I tried to access JTAG via OpenOCD.
This is what I got:
~/openocd/tcl$ openocd -f interface/ftdi/dp_busblaster.cfg -f target/qualcomm_qca4531.cfg 
Open On-Chip Debugger 0.10.0+dev-00924-g16496488 (2019-08-22-10:23)
Licensed under GNU GPL v2
For bug reports, read
Info : If you need SWD support, flash KT-Link buffer from
and use dp_busblaster_kt-link.cfg instead
adapter speed: 2000 kHz

Info : auto-selecting first available session transport "jtag". To override use 'transport select <transport>'.
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : clock speed 2000 kHz
Error: JTAG scan chain interrogation failed: all ones
Error: Check JTAG interface, timings, target power, etc.
Error: Trying to use configured scan chain anyway...
Error: qca4531.cpu: IR capture error; saw 0x1f not 0x01
Warn : Bypassing JTAG setup events due to errors
Error: isa info not available, failed to read cp0 config register: 0
Error: The 'mww' command must be used after 'init'.
Error executing event halted on target qca4531.cpu:

Info : Listening on port 3333 for gdb connections

I have no idea if I am doing something really wrong or if the chip or the BBv4.1a is broken or something else.
Does anyone have an idea what else I can try out or what I can do to fix these issues?

Bus Pirate Support / What options do I have to read out flash
Hello everyone,

I finally managed to connect my NAND Flash with my Bus Pirate v4 and my next and final step that I would like to do is reading out the Flash.
Well, I thought I could just use flashrom to do so but apparently the tool doesn't support the device that I am working with.
I get the following output:
Found chip "Generic unknown SPI chip (RDID)" (0 KB, SPI) at physical address 0x0.
This flash part has status NOT WORKING for operations: PROBE READ ERASE WRITE

My question is, are there any other tools that I can use to dump the Flash?

I am pretty new to this, this is probably a pretty basic question I guess, the problem is every resource that I can find involves flashrom to read out the Flash.

Bus Pirate Support / Is it possible to use dual/quad spi to read flash?
Hey guys,

I am wondering about something. I bought a buspirate v4 because I would like to read the content of a NAND Flash that I have.
My idea is to connect the BP to my NAND Flash and then I would like to use flashrom to read out the Flash and store the content in a .bin file.
I found a couple of tutorials and explanations about how to connect the pins and how it works.
After a quick look at the datasheet from the NAND Flash I could verify what I read about the connection. It should look like this:

BP      |  NAND Flash
CS      | CS#
3v3    | WP#
3v3    | VCC
3v3    | HOLD#

After taking another look at the datasheet I found out that the NAND Flash supports dual and quad spi and the WP#, SO, SI and the HOLD# Pin have a second function.
WP# can also be used as SIO2, HOLD# can also be used as SIO3.
SI can also be used as SIO0 and SO can also be used as SIO1.

What I am wondering about is, can I connect the pins differently so that I can use dual or quad spi instead of standard spi to read out the flash?
Do flashrom and the BP even support dual and quad spi?