I would like to ask if anyone has some experience with dumping the content of a flash while it is still located on the PCB. I am just wondering because I did this for my last project and I ended up running into a bunch of problems. I am not 100% sure if the problems were related to that because it was my first time dealing with flashes, but I found out in the end that there are a lot of issues related to that. Is it always recommendable to desolder the target flash from the board or are there some other workarounds?
I bought myself a while ago a BusPirate to retrieve the content of a NAND Flash via SPI. After some initial trouble I managed to dump the entire flash. Unfortunately I am having a big issue with analyzing the filesystem that is part of it. I was hoping that someone has an idea what I can do.
First of all let me tell you what I already did. I gave the dump binwalk as input and extracted the content with the
command. So far so good. I knew that I was dealing with a squashfs filesystem, so I installed sasquatch just in case some weird modification was used that unsquashfs couldn't handle. Unfortunately sasquatch couldn't handle it either. The whole thing seemed pretty suspicious to me, so I took a look at the binary and I found something weird. The binary started with a squashfs header obviously, but afterwards there is a pretty big area before the actual content of the filesystem starts that consists of a periodically repeating byte structure (16 * 0xff followed by a 0x01 byte). Also there are UBI signatures appearing throughout the entire binary. I think the squashfs was running on top of a UBI device and that is why sasquatch couldn't extract it. Has anyone had to deal with a similar situation before and knows what I can do to mount it or to extract the files that it contains?
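To triage the layout of such a dump before trying to extract anything, here is an added Python scanner (my own example, not the poster's script or any tool's code) that walks the image for UBI erase-counter and volume-id headers and for squashfs superblocks, and decodes the fields that matter for reassembly: which physical erase block holds which logical block of which volume, where the data in each block starts, and how big the squashfs image really is. It builds a constructed two-PEB sample image inline; header CRCs are not verified.

```python
import struct

# Magics and on-disk layouts of the three structures that such a dump mixes together.
UBI_EC_MAGIC, UBI_VID_MAGIC, SQSH_MAGIC = b"UBI#", b"UBI!", b"hsqs"
SQSH_COMP = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}

def parse_ubi_ec(buf, off):
    # struct ubi_ec_hdr (big-endian): magic, version, pad, erase count, vid_hdr_offset, data_offset, image_seq
    _, ver, ec, vid_off, data_off, seq = struct.unpack_from(">4sB3xQIII", buf, off)
    return {"version": ver, "ec": ec, "vid_hdr_offset": vid_off, "data_offset": data_off, "image_seq": seq}

def parse_ubi_vid(buf, off):
    # struct ubi_vid_hdr (big-endian): vol_id and lnum say which LEB of which volume this PEB holds
    _, ver, vtype, copy, compat, vol_id, lnum, dsize, used, dpad, dcrc, sqnum = struct.unpack_from(
        ">4sBBBBII4xIIII4xQ", buf, off)
    return {"vol_id": vol_id, "lnum": lnum, "vol_type": "static" if vtype == 2 else "dynamic",
            "data_size": dsize, "sqnum": sqnum}

def parse_squashfs(buf, off):
    # squashfs superblock (little-endian); bytes_used is the real image length, useful for carving
    f = struct.unpack_from("<4sIIIIHHHHHHQQ", buf, off)
    return {"version": f"{f[9]}.{f[10]}", "compression": SQSH_COMP.get(f[5], f"unknown({f[5]})"),
            "block_size": f[3], "bytes_used": f[12]}

PARSERS = {UBI_EC_MAGIC: ("UBI_EC", parse_ubi_ec), UBI_VID_MAGIC: ("UBI_VID", parse_ubi_vid),
           SQSH_MAGIC: ("SQUASHFS", parse_squashfs)}

def scan(buf):
    """Return (offset, kind, fields) for every UBI EC/VID header and squashfs superblock in buf."""
    found = []
    for magic, (kind, parser) in PARSERS.items():
        pos = buf.find(magic)
        while pos != -1:
            if pos + 64 <= len(buf):          # all three structures are at least 48 bytes; 64 keeps it simple
                found.append((pos, kind, parser(buf, pos)))
            pos = buf.find(magic, pos + 1)
    return sorted(found, key=lambda hit: hit[0])

def build_sample(peb=512):
    """Constructed two-PEB UBI image (not a real dump) whose volume 0, LEB 0 starts with a squashfs superblock."""
    def ec():
        return struct.pack(">4sB3xQIII", UBI_EC_MAGIC, 1, 3, 64, 128, 0x1234).ljust(64, b"\0")
    def vid(lnum):
        return struct.pack(">4sBBBBII4xIIII4xQ", UBI_VID_MAGIC, 1, 1, 0, 0, 0, lnum, 0, 0, 0, 0, 10 + lnum).ljust(64, b"\0")
    sb = struct.pack("<4sIIIIHHHHHHQQ", SQSH_MAGIC, 12, 0, 131072, 1, 4, 17, 0, 1, 4, 0, 0, 900)
    return ec() + vid(0) + sb.ljust(peb - 128, b"\xff") + ec() + vid(1) + b"\xff" * (peb - 128)

if __name__ == "__main__":
    for off, kind, fields in scan(build_sample()):
        print(f"{off:#010x} {kind:9s} {fields}")
```

On a real dump, `scan(open("dump.bin", "rb").read())` gives you the PEB size (distance between EC headers), the data offset to skip inside each PEB, and the (vol_id, lnum) order in which the squashfs pieces must be concatenated.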
I have one question related to the Bus Pirate's SPI Mode and the configuration of the SPI speed.
I have a script with which I can read out the content of the first page of a NAND Flash. That script does the following: makes the BP enter BBIO1 Mode (20 * 0x00) -> makes the BP enter SPI Mode (0x01) -> configures the SPI speed and the SPI Mode (0x64 = 2MHz and 0x8a = CLK idle low, CKE Edge from active to idle, w=3.3V, SMP Sample = Middle) -> supplies power to the NAND Flash and activates CS (0x49). After all the configuration is done it reads out the first page that is automatically loaded into the cache from the Flash when it is powered up.
To do so, I used the Write-then-read function: 0x04 0x00 0x04 0x08 0x80 0x03 0x00 0x00 0x00
When I look at the file that contains the content of the first page, it looks like a part of the content is cut off from the rest and in between there are a bunch of 0 bytes (sometimes 0xFF bytes, it does look inconsistent). Besides that, I know how the first page has to look and the beginning is correct, but once I reach the middle or so it looks different from what it should. I tried a few things until I found out that when I change the SPI speed the output gets even messier. That's why I assume it has something to do with that. I would like to ask you guys if someone of you knows and can explain to me why my output is different with a different SPI speed, how I determine which SPI speed I need to use, and what to do if the speed value that I need is not part of the 8 values that the BP supports?
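An added Python example (mine, not the poster's script) that encodes the Bus Pirate binary-mode SPI bytes the post describes and decodes them back, so each value in the sequence can be checked against its meaning, plus a receive loop: a single serial read() may return fewer bytes than requested, so a reader that does not loop until all 0x880 bytes have arrived will produce exactly the kind of gaps and filler described above. The read-from-cache bytes and the 0x880 count are taken from the post; ChunkyPort is a constructed stand-in for the serial port so the block runs without hardware.

```python
import struct

# Bus Pirate binary SPI mode: the eight selectable clocks, indexed by the low 3 bits of the 0110 0xxx speed byte.
SPI_SPEEDS_HZ = [30_000, 125_000, 250_000, 1_000_000, 2_000_000, 2_600_000, 4_000_000, 8_000_000]

def spi_speed_byte(hz):
    """Pick the fastest supported clock that does not exceed hz; anything in between is rounded down."""
    usable = [i for i, s in enumerate(SPI_SPEEDS_HZ) if s <= hz]
    if not usable:
        raise ValueError(f"{hz} Hz is below the slowest Bus Pirate SPI clock")
    return 0x60 | usable[-1]

def spi_config_byte(out_3v3=True, clk_idle_high=False, edge_active_to_idle=True, sample_end=False):
    """1000 wxyz: w=output type (HiZ/3.3V), x=CLK idle phase, y=CLK edge, z=sample time."""
    return 0x80 | out_3v3 << 3 | clk_idle_high << 2 | edge_active_to_idle << 1 | sample_end

def decode_spi_config(b):
    if b & 0xF0 != 0x80:
        raise ValueError(f"{b:#04x} is not a SPI config byte")
    return {"output": "3.3V" if b & 8 else "HiZ", "clk_idle": "high" if b & 4 else "low",
            "clk_edge": "active->idle" if b & 2 else "idle->active", "sample": "end" if b & 1 else "middle"}

def periph_byte(power=False, pullups=False, aux=False, cs=False):
    """0100 wxyz: w=power supplies, x=pull-ups, y=AUX pin, z=CS pin."""
    return 0x40 | power << 3 | pullups << 2 | aux << 1 | cs

def write_then_read(tx, nread):
    """0x04 + BE16 write count + BE16 read count + payload; the BP answers 0x01 and then nread bytes."""
    if len(tx) > 4096 or nread > 4096:
        raise ValueError("Bus Pirate limits write and read counts to 4096 bytes each")
    return struct.pack(">BHH", 0x04, len(tx), nread) + bytes(tx)

def first_page_commands(hz=2_000_000, page_plus_spare=0x880):
    """Whole byte stream of the poster's sequence: BBIO entry, SPI entry, speed, config, power+CS, read-from-cache."""
    setup = bytes([spi_speed_byte(hz), spi_config_byte(), periph_byte(power=True, cs=True)])
    return bytes(20) + b"\x01" + setup + write_then_read(b"\x03\x00\x00\x00", page_plus_spare)

def read_exact(port, n):
    """Keep calling port.read() until n bytes are in hand; a short read is normal, not an error."""
    buf = bytearray()
    while len(buf) < n:
        chunk = port.read(n - len(buf))
        if not chunk:
            raise TimeoutError(f"got {len(buf)} of {n} bytes")
        buf += chunk
    return bytes(buf)

class ChunkyPort:
    """Constructed stand-in for a serial port that returns at most `chunk` bytes per read()."""
    def __init__(self, data, chunk=100):
        self.data, self.chunk = data, chunk
    def read(self, n):
        take = min(n, self.chunk)
        out, self.data = self.data[:take], self.data[take:]
        return out
```

With pyserial, the same read_exact(ser, 0x880) works unchanged after sending first_page_commands() and consuming the 0x01 acknowledgement that precedes the data.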
Let me explain my situation first so that you understand what I want to achieve: I am currently trying to read out the NAND Flash from a chip that I have here. First I tried to use the BusPirate v4 to do so. Unfortunately it didn't work, I had several issues with flashrom and my other attempts to communicate with the SPI NAND Flash didn't work either. So I searched for another option and I saw that I can read out my NAND Flash via JTAG as well. Apparently there is a readmem command, so I wanted to try that out (at this point I don't really care much if it takes way longer like that because I have been stagnating for weeks at the same point).
I connected my BusBlaster v4.1a with the corresponding pins and my first attempt was with UrJTAG. This is the result:
UrJTAG 0.10 #1502
Copyright (C) 2002, 2003 ETC s.r.o.
Copyright (C) 2007, 2008, 2009 Kolja Waschk and the respective authors
UrJTAG is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. There is absolutely no warranty for UrJTAG.
WARNING: UrJTAG may damage your hardware! Type "quit" to exit, "help" for help.
jtag> cable jtagkey pid=0x6010 vid=0x0403 interface=0
Connected to libftd2xx driver.
jtag> detect
Warning: TDO seems to be stuck at 1
jtag>
I looked that up; first I thought I may have connected something wrong, but unfortunately I found several posts about the exact same problem. I didn't find a solution though.
So I got curious if it's maybe a problem with UrJTAG so I tried out to access JTAG via OpenOCD. This is what I got:
~/openocd/tcl$ openocd -f interface/ftdi/dp_busblaster.cfg -f target/qualcomm_qca4531.cfg
Open On-Chip Debugger 0.10.0+dev-00924-g16496488 (2019-08-22-10:23)
Licensed under GNU GPL v2
For bug reports, read http://openocd.org/doc/doxygen/bugs.html
Info : If you need SWD support, flash KT-Link buffer from https://github.com/bharrisau/busblaster and use dp_busblaster_kt-link.cfg instead
adapter speed: 2000 kHz
Info : auto-selecting first available session transport "jtag". To override use 'transport select <transport>'.
qca4531_ddr2_550_550_init
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : clock speed 2000 kHz
Error: JTAG scan chain interrogation failed: all ones
Error: Check JTAG interface, timings, target power, etc.
Error: Trying to use configured scan chain anyway...
Error: qca4531.cpu: IR capture error; saw 0x1f not 0x01
Warn : Bypassing JTAG setup events due to errors
Error: isa info not available, failed to read cp0 config register: 0
Error: The 'mww' command must be used after 'init'.
Error executing event halted on target qca4531.cpu:
Info : Listening on port 3333 for gdb connections
I have no idea if I am doing something really wrong or if the chip or the BBv4.1a is broken or something else. Does anyone have an idea what else I can try or what I can do to fix these issues?
I finally managed to connect my NAND Flash with my Bus Pirate v4 and my next and final step that I would like to do is reading out the Flash. Well, I thought I could just use flashrom to do so but apparently the tool doesn't support the device that I am working with. I get the following output:
I am wondering about something. I bought a buspirate v4 because I would like to read the content of a NAND Flash that I have. My idea is to connect the BP to my NAND Flash and then I would like to use flashrom to read out the Flash and store the content in a .bin file. I found a couple of tutorials and explanations about how to connect the pins and how it works. After a quick look at the datasheet from the NAND Flash I could verify what I read about the connection. It should look like this:
BP   | NAND Flash
-----+-----------
CS   | CS#
MISO | SO
3v3  | WP#
GND  | VSS
3v3  | VCC
3v3  | HOLD#
CLK  | SCLK
MOSI | SI
After taking another look at the datasheet I found out that the NAND Flash supports dual and quad SPI and the WP#, SO, SI and HOLD# pins have a second function. WP# can also be used as SIO2, HOLD# can also be used as SIO3, SI can also be used as SIO0 and SO can also be used as SIO1.
What I am wondering about is, can I connect the pins differently so that I can use dual or quad SPI instead of standard SPI to read out the flash? Do flashrom and the BP even support dual and quad SPI?