

Read Embedded Flash Chips

NAND flash chips are used in all sorts of electronics for storing information, firmware, etc. If you are interested in trying to get the information out to study, then I may have something useful for you. This is how I read the flash chip without removing it from the device.

This article was submitted by BrandonU as part of the “Hobby parts for articles” program. Write something of interest to electronic hobbyists and receive parts for your next project.

DISCLAIMER- Not an easy task, and not foolproof either. This procedure can be rough on both the device you are trying to read, and the reader used. NAND chip specs are also changing all the time, and so are card readers, so there is no real way of knowing if this pertains to “ALL” NAND Flash and “ALL” readers. This has been used successfully on Samsung small block flash using a Dazzle SmartMedia/xD reader.

First, you’ll need to get a Smartmedia/xD card reader. The reason for this is that Smartmedia and xD flash cards are basically just NAND flash chips in a friendly, removable card. Other types of flash media also use NAND, but have a controller in them that handles the interfacing between the flash chip and the host, be it a camera, cell phone, card reader, etc. This controller gets in the way of reading data off embedded chips, because it is looking for partitions/files in a particular format (FAT16, for example) that embedded flash rarely uses. Typically, we’d be trying to get the raw data off the embedded NAND to study.

Knowing that Smartmedia/xD cards are basically straight NAND chips, we can connect the card reader directly to the NAND chip by cross-referencing the chip pinout to the Smartmedia/xD card pinout. You can get the card pinouts here.

Note- These pin outs are for the cards themselves, not the readers.

An example for wiring to a Smartmedia reader is pictured below. Pin one of the reader is at the top of the picture, and the pin out is as follows.

Pin 1 — Vcc (+)
Pin 2 — Vss (ground)
Pin 3 — I/O 5
Pin 4 — not used
Pin 5 — I/O 6
Pin 6 — I/O 4
Pin 7 — I/O 7
Pin 8 — I/O 3
Pin 9 — I/O 8
Pin 10 – I/O 2
Pin 11 – not used
Pin 12 – I/O 1
Pin 13 – not used
Pin 14 – WP
Pin 15 – RY/BY
Pin 16 – WE
Pin 17 – RE
Pin 18 – ALE
Pin 19 – CE
Pin 20 – CLE
Pin 21 – not used
Pin 22 – not used

The battery select is dependent on your NAND chip’s voltage (either 3.3 or 5 Volts) and the write-protect switch is used if needed.

Connecting the reader to the chip can be the hardest part. The chips I have done have all been TSOPs, which are surface-mount chips with .5mm pitch. Quite small! I have done it several different ways. The first way was to use some 30 gauge Kynar (used for wire-wrapping), soldering a wire from each pin on the NAND chip to its corresponding pin on the reader. An old IDE hard drive cable can provide wire of a similar size. It was doable with an extremely fine-tipped soldering iron and plenty of patience, but was by no means easy. Depending on the device, you may be able to trace out some alternative points to solder to, instead of directly to the NAND chip. It gets pretty tight trying to solder to 4 of those tiny pins in a row without bridging anything with solder!

Another approach used some flexible ribbon cable. The wire in the cable had the same pitch as the chip, making it easier to keep all the wires aligned while soldering to NAND chip. A few places sell this cable, such as Mouser and Digikey, but you may also be able to scrounge some from an old DVD player or drive, or even possibly old CD drives. They are used to connect the laser assembly to the main board.

If you have some .5mm TSOP/TSSOP prototyping boards around, this can be the easiest. Cut down to size, and beveled where they will meet the chip, they make a set of wedges that will solder up fairly easily. Just line them up, and drag some solder from the board down to the chip to solder in place. A little flux will help, but you won’t have to use any additional solder, just what is already on the prototype board. Once you are done, a little wiggle will free the board from the chip without damage. No need to desolder anything, either. The following pics should clarify this.

Once you have the NAND chip hooked up to your reader, you have to get the data off it. Leaving power to the device you are trying to read OFF (preferably batteries out, unplugged, etc.), plug your reader into your computer. Depending on your OS, you can get the data off a couple of ways.

Linux users can mount the card reader and use dd to dump an image of the Flash chip. The resulting image can then be studied with the hex editor of your choice.
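A dump taken through hand-soldered wires is worth reading twice before you trust it. The following is an added example, not code from the original article: it assumes GNU coreutils, the function names are its own, and /dev/sdX is a placeholder for whatever node your reader appears as.

```shell
#!/bin/sh
# Added example, not from the article. Assumes GNU coreutils (dd, cmp,
# sha256sum). Function names are this example's own; /dev/sdX below is a
# placeholder for whatever node the card reader appears as.

# One read pass: 512-byte sectors; on a read error keep going and pad the
# failed sector with zeros so every later offset stays where it belongs.
dump_pass() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# True if file $1 contains nothing but the byte with octal value $2.
is_uniform() {
    [ "$(LC_ALL=C tr -d "\\$2" < "$1" | wc -c)" -eq 0 ]
}

# Compare two passes. Prints the SHA-256 and returns 0 when they match.
# Returns 1 when they differ (intermittent contact or noise), 2 when the
# image is all 0xFF or all 0x00 (erased chip, or no data reached the reader).
check_passes() {
    if ! cmp -s "$1" "$2"; then
        n=$(cmp -l "$1" "$2" 2>/dev/null | wc -l)
        echo "passes differ in $n byte(s); rework the joints and re-read" >&2
        return 1
    fi
    if is_uniform "$1" 377 || is_uniform "$1" 000; then
        echo "image is uniform 0xFF/0x00; no usable content" >&2
        return 2
    fi
    sha256sum "$1" | cut -d' ' -f1
}

# Read DEVICE ($1) twice into PREFIX.pass1.img / PREFIX.pass2.img, then check.
verify_dump() {
    dump_pass "$1" "$2.pass1.img" && dump_pass "$1" "$2.pass2.img" || return 3
    check_passes "$2.pass1.img" "$2.pass2.img"
}

# Typical use (placeholder device name):
#   verify_dump /dev/sdX nand && echo "image is stable"
```

Two matching passes rule out intermittent contact, not a consistent wiring mistake such as swapped I/O lines, so still look the image over in a hex editor.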

For Windows, I used a product called OnBelay by Compuapps. A very similar (identical?) product is Recovery Manager by Vaiosoft. Both of these work the same way. The main screen has a list of drives it can access; choose the one that corresponds to your reader. The program probably won’t recognize the file structure of the flash, so it says “no media present” or something to that effect. Along the top of the screen are tabs, one of which is labeled “Tools”. When you click on that, you’ll have the option to back up your media. Press it and it will allow you to back up the chip to a specified folder. I also check the box to back up both used and unused space. The backup image is in .FMB format, which can be browsed with any hex editor and studied.

Hope this can be of use to someone!
BrandonU



12 Responses


  1. Brad Martin says

    Ye gods. You have the patience of Job and the skill of a mad genius. We’ve used the Tektronix probes made just for this purpose: they were very expensive, NOT easy to use and NOT reusable, either.

    If I was in an emergency debugging situation, I’d sure try your approach rather than sit waiting for the expensive probes to arrive.

    One thing that might help is mixing your standard solder with >just a little bit

  2. antics says

    Wow, amazing. That is a lot to go thru but then again it can be worth it. I have one of those cameras and love being able to reuse it.

  3. gregr says

    There is actually a dd for windows that does a fine job at dumping raw data. http://www.chrysocome.net/dd

  4. brandonu says

    @ Brad Martin-
    Thanks for the comment. I had priced out TSOP test clips and found out they were way over my budget. Hence the hack. Lower melt solder would certainly help being a bit easier to work with and a little bit gentler on the chip.
    One of the guys over at CameraHacking.com had come up with a reusable, non-solder clip out of a SchmartBoard. You can see fliers work at
    http://camerahacks.10.forumer.com/viewtopic.php?p=27277#27277
    It can make this even easier :)

    @ antics
    This was originally used by me as the first “legal” hack of the then new M220 model of “one-time-use” camcorders.

    @ gregr
    I’ll have to check that out! Thanks

    Any questions, etc. can be sent to camcorderhack {at} gmail [dot] com

  5. brandonu says

    Thank you for the LCD Module!

  6. Autopig says

    COOL!
    i will learn more from you! Genius!

  7. Pio says

    These articles, and Brandonu’s notes helped me recover video from a friend’s CVS camcorder that I accidentally damaged. The unit was ‘bricked’, it would only power on for a half second before shutting off.
    I tried many different ways to mount the NAND image as a drive: OnBelay, dd, chip clips, etc. to no avail. I finally had to physically remove the chip and breadboard it onto a Schmartboard. From there I coupled it to an old Ethernut controller board (Atmega 128) and did a brute force I/O dump.
    This was in fact the hardest part, writing the software dumping program for the ethernut to overcome some very noisy wiring that I had arranged. This finally produced a text-based data dumping program which ran over telnet. The data took 3 days to dump 128MB, plus 1 hour to convert from text to binary with a ruby script. But, the results were perfect.
    I don’t recommend this method to anyone, but it sort of evolved on its own for me out of necessity and cost. If you are in a similar situation and need some encouragement you can email me madarp {at} rocketmail [dot] com.
    Thanks guys.

  8. Arjun says

    Thanks for ur idea man
    Probably it will be useful to fix my mp3 player
    I was not able to mend my player for past 2 years.
    This will help me..Thanks

  9. pepe says

    Good piece of hardware.

    without trying to build it I had some worries.
    When U read out the image does it contain the spare area of the memory? I am afraid no.
    Without this info it is impossible to reorder blocks to build up the correct image most of the cases…
    I would welcome comments on this matter…

    thx,
    pepe

  10. datadiscount says

    Very good work, what’s about data you get ?

  11. Alex says

    I would never come up with such idea. Great!

  12. john says

    Since the other ICs do not have power applied, you are basically taking their pins higher than the supply voltage…. this can cause destructive latch-up of the onboard transistors inside the ICs; you may or may not get away with it.

    There is no mention of anti-static procedures in this article.