ohjeongwook / dumpflash Goto Github PK

The program time for 3D takes a long time. Is there any to make is faster? Like whole block write like erase? Or make specific def for 3d so that the code does not check for extra conditions?

I have been able to read from my flash chip "NAND 128MiB 3,3V 8-bit" but when i try to write back to the nand it starts but wont complete

$ ./DumpFlash.py -w -R Test.dmp
Writing 0% page: 0/65535 block: 0/1024 speed: 740542 bytes/s
Writing 0% page: 1/65535 block: 0/1024 speed: 635190 bytes/s
Writing 0% page: 2/65535 block: 0/1024 speed: 592652 bytes/s
Writing 0% page: 3/65535 block: 0/1024 speed: 576613 bytes/s
Writing 0% page: 4/65535 block: 0/1024 speed: 566247 bytes/s
Writing 0% page: 5/65535 block: 0/1024 speed: 559423 bytes/s
Writing 0% page: 6/65535 block: 0/1024 speed: 554747 bytes/s
Writing 0% page: 7/65535 block: 0/1024 speed: 551275 bytes/s
Writing 0% page: 8/65535 block: 0/1024 speed: 548253 bytes/s
Writing 0% page: 9/65535 block: 0/1024 speed: 546401 bytes/s
Writing 0% page: 10/65535 block: 0/1024 speed: 544010 bytes/s
Writing 0% page: 11/65535 block: 0/1024 speed: 543094 bytes/s
Writing 0% page: 12/65535 block: 0/1024 speed: 502387 bytes/s
Traceback (most recent call last):
File "./DumpFlash.py", line 167, in
flash_util.io.writePages(filename, options.offset, start_page, end_page, add_oob, add_jffs2_eraser_marker=add_jffs2_eraser_marker, raw_mode=options.raw_mode)
File "/home/Matthew/projects/DumpFlash/FlashDevice.py", line 671, in writePages
self.writePage(page,page_data)
File "/home/Matthew/projects/DumpFlashFlashDevice.py", line 536, in writePage
self.waitReady()
File "/home/Matthew/projects/DumpFlash/FlashDevice.py", line 164, in waitReady
if data[0]&2==0x2:
IndexError: array index out of range

I was also able to erase the nand but now I can not reflash the image I read out from the chip.

From the documentation and the code it seems like only small-block devices are supported..? what needs to be changed other than the command set defined in the flashdevice_def to work with large block NAND devices?

Hi do you plan to support more ECC algorithm ?

Like:

NAND_ECC_HW3_256

Hardware ECC generator providing 3 bytes ECC per 256 byte.

NAND_ECC_HW3_512

Hardware ECC generator providing 3 bytes ECC per 512 byte.

NAND_ECC_HW6_512

Hardware ECC generator providing 6 bytes ECC per 512 byte.

NAND_ECC_HW8_512

Hardware ECC generator providing 8 bytes ECC per 512 byte.

Hi,

I have 2 PCB's with NAND chips in circuit. I have a 360-clip to read the chips while still in circuit.
I followed the guide, installed all libraries and hooked everything up and I use Linux.
But when running with -i to get information I will always get wrong info and I have no idea what I am doing wrong here.
I had to add info to FlashDevice.py to get one of the chips to even show up. So the IS IT REAL name is my making haha.
What could I be doing wrong?

The two nand chips I have are:
SK Hynix H27U4G8F2DTR-BC
Sandisk SDTNRGAMA-008GK

./DumpFlash.py -i Full ID: 8080808080 ID Length: 5 Name: IS IT REAL? ID: 0x80 Page size: 0x400 OOB size: 0x10 Page count: 0x80000 Size: 0x200 Erase size: 0x10000 Block count: 8192 Options: 1 Address cycle: 5 Bits per Cell: 1 Manufacturer: Unknown

./DumpFlash.py -i Full ID: F0F0F0F0F0 ID Length: 5 Name: NAND 64MiB 3,3V 8-bit ID: 0xf0 Page size: 0x400 OOB size: 0x10 Page count: 0x10000 Size: 0x40 Erase size: 0x80000 Block count: 128 Options: 1 Address cycle: 4 Bits per Cell: 1 Manufacturer: Unknown
I have this FT2232HL breakout board:
https://github.com/arm8686/FT2232HL-Board

Thanks in advance!

just trying fetch/pull with latest commit
i dont really know how to used this, even just for showsup my nand flash information 🙃

Hello,
Got inspired by this work for Parallel NAND flash, I want to work to create similar for SPI NAND flash. Could you please guide in what way should I proceed? I already have my FT232 based board with it's SPI interface, I wanted guidance in terms of its software development.

Kindly suggest.

Thanks & Regards
Asmita

running dumpfalsh i get this:

the pagecount on the 7th line is wrong:

PageCount = FileSize/RawPageSize = 0x8400000÷0x840= 0x10000

Hello,

I have hooked up the FTDI breakout board and oriented the TSOP-48 NAND flash chip correctly in the socket. But I get this error when running the script? I am using python 2.7.6, pyftdi-0.9.1, pyusb 1.0.0, and libusb-1.0-0.dev. Am I missing a dependency or a specific version?

test@ubuntu:~/DumpFlash-master$ sudo python DumpFlash.py -i
Traceback (most recent call last):
  File "DumpFlash.py", line 83, in <module>
    flash_util=FlashUtil(options.filename,options.page_size, options.oob_size, options.pages_per_block,options.slow)
  File "/home/test/DumpFlash-master/FlashUtil.py", line 17, in __init__
    self.io = NandIO(slow)
  File "/home/test/DumpFlash-master/FlashDevice.py", line 155, in __init__
    self.GetID()
  File "/home/test/DumpFlash-master/FlashDevice.py", line 362, in GetID
    self.PagePerBlock=self.PageCount/self.BlockCount
ZeroDivisionError: integer division or modulo by zero

I've been looking into this project on and off for some time, but I never could completly understand this fully.

When I dump a NAND, i grab the image and i try to carve it with data recovery tools like r-studio.
The only time I had sucess was with some old mp3 player, but even there, the songs were corrupted, but I could see MFT correctly, file names and even hear some bits of the songs.

I believe this is related to XOR, am I right?
Thanks!

Dear Sir,
first of all, I want to thank you so much for your work. I appreciate it SO much, since this is exactly what I was looking for, when wondering, how I could possibly change the NAND-flash of an STB I`d like to repair. (Was looking for a way on how to write the CFE for a Broadcom-STB to the new flash chip).
Since I had been successfully using my TUMPA Lite to write CFEs to I2C/SPI eeproms, I was already familiar with ft2232h in general, and I was extremely glad when I found your project.
So, I ordered 2 of those YAMAICHI TSOP48-ZIF Sockets, a new FT2232H breakout board (since my TUMPA Lite had only 1 Channel UART channel available, using the FT2232HL chip) and two TSOP48-DIP adapters, for direct soldering.
I installed pyusb. pyserial and pyftdi (from https://github.com/eblot/pyftdi ) and tried to use DumpFlash, but I was not able to get any answer from one of the four NAND chips I desoldered from old USB-flash devices. No ID, nothing, although I built two adapters and soldered one of those nands to one of that adapterboards. I am struggling on this for two weeks now, and I am pretty sure my wiring is correct and I checked the wirings with an ohmmeter directly from ft2232h-pins to the pins of the flash.
Theoretically it could be I damaged the flash, but I can hardly believe that, since its same issue with 4 flash chips now, and I have been insanely careful (didnt have to keep those old original usb-flash stick boards alive, so I just cared for the chip)
Could you please help me out with some info on the following ? :

• Which NAND-chips should work ? only "pure" normal SLC NAND or SLC DDP or even MLC also?
• Which pyftdi version do you use?
• On the spritesmod sheet, the pin-description of the FT2232H that goes to GND is hardly readable.
  Thanks a lot for your awesome schematics :) But could it be that this pin is BCBUS 4 instead of 6 you used in your schematics? .. Probably not, sry. Just wondering because that Number is so hard to identify on the original spritesmods sheet, and I am wondering that I wasn`t able to get any response during last two weeks, after checking everything about a hundred times.

The device I use is the one available here : http://www.elv.de/elv-highspeed-mini-usb-modul-um-ft2232h-komplettbausatz.html (german page sry). It just gives me direct access to all AC/AD and BC/BD Bus lines, as well as 3.3V and 5V pinouts. Those Rx/Tx LEDs on the picture are connected to ACBus 3 + 4 and BCBus 3 + 4, so I guess those should not interfere, but I took them out as well, with no change.
It is enumerating as default ft2232h (0403/6010), and I have tested the board itself using I2C/SPI and JTAG connections already (so I suppose the board is not done).

If you have any idea what I may be doing wrong, I would be too glad xD
Thanks a lot in advance,
Oliver

hi,
I have a problem to compile the code.

AttributeError: 'bytearray' object has no attribute 'tobytes'
Maybe someone know why this bug happen and how to solve them?

Distributor ID: Ubuntu
Description: Ubuntu 18.04.3 LTS
Release: 18.04
Codename: bionic

root@ja-H81M-HD3:/home/ja/Desktop/dumpflash-master/dumpflash# pip3 install git+https://github.com/ohjeongwook/dumpflash --upgrade
Collecting git+https://github.com/ohjeongwook/dumpflash
Cloning https://github.com/ohjeongwook/dumpflash to /tmp/pip-gvhwqu20-build
Collecting pyftdi (from dumpflash-ohjeongwook==0.0.1)
Requirement already up-to-date: pyusb>=1.0.0 in /usr/local/lib/python3.6/dist-packages (from pyftdi->dumpflash-ohjeongwook==0.0.1)
Requirement already up-to-date: pyserial>=3.0 in /usr/local/lib/python3.6/dist-packages (from pyftdi->dumpflash-ohjeongwook==0.0.1)
Installing collected packages: pyftdi, dumpflash-ohjeongwook
Found existing installation: pyftdi 0.29.6
Uninstalling pyftdi-0.29.6:
Successfully uninstalled pyftdi-0.29.6
Found existing installation: dumpflash-ohjeongwook 0.0.1
Uninstalling dumpflash-ohjeongwook-0.0.1:
Successfully uninstalled dumpflash-ohjeongwook-0.0.1
Running setup.py install for dumpflash-ohjeongwook ... done
Successfully installed dumpflash-ohjeongwook-0.0.1 pyftdi-0.42.2
root@ja-H81M-HD3:/home/ja/Desktop/dumpflash-master/dumpflash# python3 dumpflash.py
Traceback (most recent call last):
File "dumpflash.py", line 53, in
flash_image_io = flashimage.IO(options.raw_image_filename, options.start_offset, options.length, options.page_size, options.oob_size, options.pages_per_block, options.slow)
File "/home/ja/Desktop/dumpflash-master/dumpflash/flashimage.py", line 24, in init
self.SrcImage = flashdevice.IO(slow)
File "/home/ja/Desktop/dumpflash-master/dumpflash/flashdevice.py", line 56, in init
self.__get_id()
File "/home/ja/Desktop/dumpflash-master/dumpflash/flashdevice.py", line 157, in __get_id
flash_identifiers = self.__read_data(8)
File "/home/ja/Desktop/dumpflash-master/dumpflash/flashdevice.py", line 141, in __read_data
return self.__read(0, 0, count)
File "/home/ja/Desktop/dumpflash-master/dumpflash/flashdevice.py", line 100, in __read
return data.tobytes()
AttributeError: 'bytearray' object has no attribute 'tobytes'

best regards
Patrick

Hello is your project still maintened ?

If yes, it could be interesting to port it to python3 and to fix some error.
I have a project right now where I need your tool, if you want we can fix error together.

Hi,

Thanks a lot for the tool 👍

Just to say, it seems there is a typo in FlashDevice.py file ?
File "/home/xubuntu/Desktop/DumpFlash/FlashDevice.py", line 1, in
from pyftdi.pyftdi.ftdi import *

Works better with "pyftdi.ftdi import" ? I am right ?

Kind regards,
Nico

Hi, are you planned to support SPI NAND flash? For example the MX35LF1GE4AB chip? Datasheet: https://www.macronix.com/Lists/Datasheet/Attachments/7666/MX35LF2GE4AB,%203V,%202Gb,%20v1.7.pdf

Hi,

First off, thanks so much for this code, as well as awesome reverse engineering articles. They are what inspired me to try my hand at this.

On two different chips I have been looking at, I either get "AttributeError: NandIO instance has no attribute 'Manufacturer'" or "ZeroDivisionError: integer division or modulo by zero". I am looking at a Spansion and a Samsung chip. I realize that Spansion is not supported, but when supplying the hex address for the Manufacturer based upon the chip, I am presented with the same result.

Either way, is there any way to display a more verbose output as opposed to erroring out? I am using the Xbox 360 clip (which you mentioned as having potential in one of your articles along with the recommended FTDI breakout board). When I apply the appropriate pressure to the clip, I typically get unrecognized manufacturer, but I wanted to be more certain that the issue is the unrecognized chip, rather than a faulty connection with the 360 clip.

Is there any form of verbosity that can be added to your code to see what it is attempting to read? That will give me more confidence in my hardware, and that it is more of a recognition of the chip problem.

Thanks!

if add time.sleep(X) (X>0.01) in writepage fun Directly run is ok , but very Slow speed

。。。。my english is very bad

I'm attempting to read the following nand but I seem to mostly get junk data with no sign of a file system or bootloader.
https://business.toshiba-memory.com/info/docget.jsp?did=14828&prodName=TC58NVG0S3HTAI0

I'm not sure if the nand is faulty or there's an issue with reading so any help would be appreciated.

I had to make some manual changes to the code to support the nand as ONFI is not supported and the OOBSIZE was wrongly calculated as 64 instead of 128.

With those changes I get this
https://drive.google.com/file/d/1-R9nMX1x8D7rOnIg0i6P8rmleL8jthsb/view?usp=sharing

From the information I can gather the bad block check is at 0x00 in page 0 or page 1 of a block so
page_data[self.PageSize] != 0xff:

which results in a massive amount of bad blocks. Also, reading in non-seq mode is the only way to get data, with seq mode enabled only 00's are returned.

Hi, I have a couple of questions:
What Linux Distribution should work ? I tested both Ubuntu 18.04 and 20.04.
I already found that I should use pyftdi v0.48.3, otherwise I get the "AttributeError: 'Ftdi' object has no attribute 'BITMODE_MCU'" error.
But now I get "Device not ready, aborting..." Can this be related to my test NAND mx30lf1g08aa-ti ?
I read (closed issue) some things about: Can you try to pull off GND line during you try to dump the flash?
What do you mean by this ?

lsusb
Bus 003 Device 002: ID 0403:6010 Future Technology Devices International, Ltd FT2232C Dual USB-UART/FIFO IC

ftdi_urls.py
Available interfaces:
ftdi://ftdi:2232:3:2/1 (Dual RS232-HS)
ftdi://ftdi:2232:3:2/2 (Dual RS232-HS)

jffs 2= here is causing a syntax error is it supposed to be jffs2= ?

https://github.com/ohjeongwook/DumpFlash/blob/c5c16dd2087faae8147fe136e97e3813dff106ca/FlashUtil.py#L284

The flashdevice.py is missing a lot of functions as I have installed the latest pyftdi. Could anybody please update the flashdevice.py that works with the latest version of pyftdi? or Should I use the old version only ?

└─$ python2.7 DumpFlash.py -b
Traceback (most recent call last):
File "DumpFlash.py", line 4, in
from FlashDevice import *
File "/home/kali/DumpFlash/FlashDevice.py", line 7, in
from pyftdi.ftdi import *
ImportError: No module named pyftdi.ftdi

Anyone can help with the fix?

python2 dumpflash.py

Traceback (most recent call last):
  File "dumpflash.py", line 53, in <module>
    flash_image_io = flashimage.IO(options.raw_image_filename, options.start_offset, options.length, options.page_size, options.oob_size, options.pages_per_block, options.slow)
  File "/home/dev/REVERSING/dumpflash/dumpflash/flashimage.py", line 24, in __init__
    self.SrcImage = flashdevice.IO(slow)
  File "/home/dev/REVERSING/dumpflash/dumpflash/flashdevice.py", line 42, in __init__
    if self.ftdi.is_connected:
AttributeError: 'Ftdi' object has no attribute 'is_connected'

please help, thanks

In lines 393 and 399 in flashdevice.py
self.PageSize/2
results in count becoming a real, causing TypeError: 'float' object cannot be interpreted as an integer when reading the chip
I've changed it to
self.PageSize//2
and it runs fine

Hello,

I tried to use DumpFlash.py with Python2.7 .I have spent time to find the right version of pyftdi because at this time the version is 0.4 and seems not compatible with python2.7 . The right version seems to be 0.13.4 .

After the installation, there is an error when I try to use DumpFlash :

Traceback (most recent call last):
File "/home/pwn/git/DumpFlash/FlashDevice.py", line 144, in init
self.Ftdi.open(0x0403, 0x6010, interface=1)
File "/home/pwn/.local/lib/python3.7/site-packages/pyftdi/ftdi.py", line 425, in open
self.usb_dev = UsbTools.get_device(vendor, product, index, serial)
File "/home/pwn/.local/lib/python3.7/site-packages/pyftdi/usbtools.py", line 149, in get_device
raise IOError('Device not found')
OSError: Device not found
Traceback (most recent call last):
File "DumpFlash.py", line 67, in
if not flash_util.IsInitialized():
File "/home/pwn/git/DumpFlash/FlashUtil.py", line 31, in IsInitialized
return self.io.IsInitialized()
File "/home/pwn/git/DumpFlash/FlashDevice.py", line 165, in IsInitialized
return self.Identified
AttributeError: 'NandIO' object has no attribute 'Identified'

I googled this error but without success... Could you help me ?

Thanks

Serge

=======old version==== size ok======
./run2.7.sh -i
Full ID: 2CDA90956000
ID Length: 6
Name: NAND 256MiB 3,3V 8-bit
ID: 0xda
Page size: 0x800 (2048 Byte)
OOB size: 0x40 (64 Byte)
Page count: 0x20000 (131072 Page)
Size: 0x100 (256 MB)
Erase size: 0x20000 (131072)
Block count: 2048
Options: 1
Address cycle: 5
Bits per Cell: 1
Manufacturer: Micron

=======new version==== size error======
./run3.7.sh -c i
Full ID: 2CDA90956000
ID Length: 6
Name: NAND 4GiB 3,3V 8-bit
ID: 0x2c
Page size: 0x800(2048)
OOB size: 0x40 (64)
Page count: 0x200000 /?
Size: 0x1000 /?
Erase size: 0x20000 /?
Block count: 32768 /?
Options: 1
Address cycle: 5
Bits per Cell: 1
Manufacturer: Micron

Hi !
Just as a small feedback:
I found the reason for a part of the errors I experience with DumpFlash:
the nandRead function doesnt return every second byte in slow-mode only (please compare bkerlers code for nand-read in slow-mode : he explicitly states, that in slow-mode, ftdi-read function returns every byte twice ("doubled"). The read function therefore has to compensate for that, which it currently doesnt in FlashDevice.py. While writing my own pure C code, I also could verify this behaviour (doubled bytes return in slow-mode) I didnt find the reason for the erroneous Flash-Detection (works correct in NandTool) yet. But thats whats next in my own code, so I`m sure I will find it soon.. (when tinkering around with my own code).
Best regards,
Oliver

Hi, adding a reset cmd before reading the ID seems to be needed
by my setup:

diff --git a/FlashDevice.py b/FlashDevice.py
index cf94610..4637f4d 100644
--- a/FlashDevice.py
+++ b/FlashDevice.py
@@ -243,6 +243,8 @@ class NandIO:
                return self.Slow
 
        def GetID(self):
+               self.sendCmd(self.NAND_CMD_RESET)
+               time.sleep(0.1)
                self.sendCmd(self.NAND_CMD_READID)
                self.sendAddr(0,1)
                id=self.readFlashData(8)

// Greetings Konrad

Hi all,

I am able to get my NANDTool to work all well. (connection should be correct)
But when I tried to use the dumpflash in linux, entering the command "python3 dumpflash.py -c i"
would return a bunch of messages, and saying that there's insufficient permission.
However, when i tried with "sudo", it just returned "Device not ready, aborting..."

I then tried it on windows environment, When first tried, it state the following:
"File "C:\Users\JJ\Desktop\dumpflash-master\dumpflash-master\dumpflash\flashdevice.py", line 38, in init
self.Ftdi.open(0x0403, 0x6010, interface = 1)
File "C:\Users\JJ\AppData\Local\Programs\Python\Python38\lib\site-packages\pyftdi-0.43.0-py3.8.egg\pyftdi\ftdi.py", line 466, in open
device = UsbTools.get_device(devdesc)
File "C:\Users\JJ\AppData\Local\Programs\Python\Python38\lib\site-packages\pyftdi-0.43.0-py3.8.egg\pyftdi\usbtools.py", line 178, in get_device
raise IOError('Device not found')
OSError: Device not found
Device not ready, aborting..."

I then used Zadig to apply libusb-win32 on the FT2232H drivers. Retried again, and got return with just "Device not ready, aborting...".

After rolling back the drivers, and tested on NANDTool again, it still works.

Where could I have possibly done wrong, please advise :(