Reverse Engineering NAND Flash Memory – POS device case study (part 1/3)

Modern life wouldn’t be quite so modern without NAND Flash memory. It is used everywhere - from USB sticks and smart phones to security cameras and the Internet of Things (IoT). I’ve spent some time reverse engineering the NAND flash memory used in popular POS (Point of Sale) devices.  (Figure 1) Aside from sharing my findings from the evaluation of these devices, I wanted to share the process I followed to acquire the right firmware and to perform the reverse engineering. You can find a brief introduction to this area in one of my previous blogs. I also recently presented the details of my research at Recon and Black Hat 2014. While the Recon presentation focused on the technical details of the technique, at Black Hat 2014, I showcased an advanced tool called DumpFlash and shared my experience with tamper detection, including a workaround method. In this series of blogs, I’m going to share these details and some other interesting facts as well.

 

fig01.png

Figure 1 Targeted device

 

The first step when reverse engineering an embedded device is to open it up and identify the chipsets, looking for any interesting points that might be JTAG or UART. Actually, it turns out that the chipsets are really standard with this POS device. (Figure 2) It uses the very popular ARM CPU (s3c2410 series) with a typical setup with DRAMs and NAND Flash memory. However, the attempt to find JTAG or UART didn’t work very well for me. Instead of struggling with something not so obvious, I took a very obvious approach – dumping NAND Flash memory and programming it directly.

 

fig02.png

Figure 2 Inside of targeted device

 

The basic pinout is shown in Figure 3 and this device works in 8bit mode. There are Flash memories that work in 16bit mode, but they have a slightly different pinout configuration.

 

fig03.png

Figure 3 NAND Flash memory pinout (x8 device)

 

 

De-soldering
The first step for directly interacting with NAND Flash memory is de-soldering it from the PCB board. But, there is another very tempting option you can take using a special clip that can be attached to the surface of the NAND Flash memory. You can find this clip in stores that stock XBOX-modding tools - it was originally used for modding XBOX 360 machines by patching them directly. However, the problem here is that this option doesn’t always work. Note that there are pins for supplying power to the NAND Flash memory and the chip remains connected to the PCB board with this method. Unfortunately using the clip in this situation can lead to current injection into the board, which wakes up other chipsets and interferes with your operations. That is certainly what happened to me when I tried this clip. But I know of several cases where this clip was used successfully, so definitely in some cases, it looks like the clip works.

 

fig04.png

Figure 4 Failed attempt – want to avoid de-soldering?

 

After I decided to de-solder the NAND Flash memory, the first method I tried was using a de-solder wire. This method is valid, but the problem I had was that there was too much residue left on the board and the chip. I was going to re-solder the chip back after I had extracted the firmware and re-programed it. I wanted the PCB board and the chip in cleaner condition, so I dropped this approach.

 

fig05.png

Figure 5 Failed attempt – want to use de-solder wire?

 

The most effective way to remove the chips cleanly was using a hot air gun from an SMT rework station. (Figure 6) Insulation tape is good for protecting the surrounding areas on the targeted PCB.

 

 fig06.png

Figure 6 SMT rework station & insulation tape

 

I prefer applying insulation tape over the area around the targeted chip.

 

fig07.png

Figure 7 Apply heat over the pin area

 

If you apply too much heat over an extended period, it will eventually damage the chip. (Figure 8) You might still try to read the chip, but if the chip is damaged, it may not be recognized at all or it might just return a series of 00 bytes when you try to read data from it.

 

fig08.png

Figure 8 Too much heat?

 

 

The following video demonstrates the detailed process of removing a chip from the PCB board using a hot air gun.

 

 

Reading NAND Flash Memory
Now you have a bare NAND Flash chip at hand. The next step is reading the bare metal image from the chip. There have been a lot of different approaches tried over time by the hobbyist community –some use special Flash reader chipsets that can provide low-level access. I tried it and it didn’t work quite as well as expected. (Figure 9)

 

fig09.png

Figure 9 Failed attempt – modding an SD reader

 

The most reliable way I found to do this was bit-banging using the FTDI FT2232H chip set. This method was originally suggested by Sprite Mod. Bit-banging is a technique that allows you to directly interact with chips through software. FT2232H is a versatile chip that provides various ways to interact with chips through a USB interface.

 

fig10.png

Figure 10 FT2231H chip and breakout board

 

 

Figure 11 shows the connection between the FT2232H chip and NAND Flash memory. The connections are mostly based on information from Sprite Mod, but there is a slight modification between the BDBUS6 and the CE (9) connection.

 

fig11.png

Figure 11 Connection between FT2232H and NAND Flash Memory

 

A detailed explanation about what each connection means is provided with my Black Hat 2014 white paper.

 

MCU Host Bus Emulation Mode

FTDI FT2232H supports multiple modes. The ‘MCU Host Bus Emulation Mode’ is appropriate for our purposes in this case. In this mode, the FTDI chip emulates an 8048/8051 MCU host bus. By sending the commands shown in Table 1 and retrieving the results, the software can read or write bits through I/O lines. More details are available in a note published by FTDI.

 

Commands

Operation

Address

0x90

Read

8bit address

0x91

Read

16bit address

0x92

Write

8bit address

0x93

Write

16bit address

0x82

Set

High byte (BDBUS6, 7)

0x83

Read

High byte (BDBUS6, 7)

Table 1 FT2232H commands

 

NAND Flash Memory Commands
Table 2 shows the basic command sets usually used by NAND Flash memory. There are more complicated commands available depending on the chipsets, but these basic commands are enough for essential operations like reading and writing data on the chip. Also, these commands tend to be the same across different models and brands. The pins and other descriptions presented here are mostly focused on small block NAND Flash models (512 bytes of data with 16 bytes OOB). Models with a large block size use a different set of commands, but the principle is the same.

 

Function

1st cycle

2nd cycle

Read 1

00h/01h

-

Read 2

50h

-

Read ID

90h

-

Page Program

80h

10h

Block Erase

60h

D0h

Read Status

70h

 

Table 2 Basic command sets for usual NAND Flash memory (small blocks)

 

Building Reader/Writer Device
Figure 12 shows the final NAND Flash reader/writer assembled based on the connection information shown in Table 2. You can make a device like this even with a relatively low budget and basic knowledge of electronics engineering. You need an FTDI FT2232H breakout board, a USB cable, a TSOP48 socket, and wires. Everything can be constructed with budget of USD $50.

 

fig12.png

Figure 12 NAND Flash reader/writer

 

Place your NAND Flash chip inside the TSOP48 socket. (Figure 13) This socket is very useful as you can safely place your NAND Flash chip inside it and then directly interact with the extended pins without touching and possibly damaging any Flash memory chip pins.

 

fig13.png

Figure 13 TSOP48 socket

 

When the NAND reader/writer is ready, just load the Flash memory. You should be careful to put the pin 1 location on the correct side of the socket. Usually the socket shows where pin 1 should be located. (Figure 14)  When things are set, you can connect the reader/writer to the computer through a USB cable.

 

fig14.png

Figure 14 Pin 1 location

 

 

DumpFlash – enhanced Flash reader/writer software

You need software to achieve bit-banging and for this there is a NANDTool open source project maintained by Bjoern Kerlers. I ported the entire C++ code to a Python project and created the DumpFlash project. I also added support for NAND Flash programming. Here are the highlights:

Read/Write support

  • Flash image manipulation and verification (ECC, Bad block check)
  • Fast sequential row read mode support for Samsung models
  • Automatic U-Boot image extraction
  • JFFS2 parsing and extraction
  • Support for enhanced schematics

Download the DumpFlash code first. You should also install prerequisite packages like pyftdi and libusbx. With everything set up, you can query basic Flash information using the –i option. (Figure 15)

 

fig15.png

Figure 15 Retrieving Flash memory information (-i)

 

With the –r option, you can read contents from the chip. The average transfer rate I usually get with my Windows 7 machine is around 50KB/sec.

 

fig16.png

Figure 16 Reading Flash memory data (-r)

 

The FlashTool also supports sequential row read mode. When you can specify the –s option, it uses the special mode with a Samsung chip and increases reading performance. The reading speed is faster than normal page-by-page mode by 5-6 times in this case. (Figure 17)

 

fig17.png

Figure 17 Reading Flash memory data in sequential mode(-r -s)

 

Conclusion

With the schematics and software I’ve provided, you have the ability to read and program NAND Flash memory. De-soldering is not a big problem, even if you are a hardware novice. You just need an SMT rework station and a little bit of a courage. The real challenge happens later when you try to dissect the firmware, put it back together and re-solder the chip back to the PCB board. However, often the purpose of firmware acquisition is to do white-box testing, so with acquired firmware, you can have a look inside the internal system and use that knowledge to pen-test the device (and that’s probably the reason why the NAND-related open source project didn’t have code for programming data back to NAND Flash memory).


Now you are ready to do something useful in an embedded system, but what’s next? In the next post, I’ll share a method for dissecting a flat bare-metal image, and throw in a few helpful tips and strategies for good measure. After that, I’ll talk about modifying firmware and putting it back into the machine again. This involves some special maneuvers with a POS device. The model I worked on featured so-called hardware tamper detection and I’ll talk about how to work around that using a software method.

Comments
Ton Smith(anon) | ‎09-16-2014 12:50 AM

The concepts of reverse engineering and NAND flash memory has been explained really well. Keep posting such blogs.

Leave a Comment

We encourage you to share your comments on this post. Comments are moderated and will be reviewed
and posted as promptly as possible during regular business hours

To ensure your comment is published, be sure to follow the Community Guidelines.

Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
Type the characters you see in the picture above.Type the words you hear.
Search
Showing results for 
Search instead for 
Do you mean 
About the Author
Twitter: @ohjeongwook .


Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation