Arduino Mega: Direct R/W of a Nand Flash memory chip

02 Jan

Since I had little to do over New years day, I threw together some Arduino code that would allow reading of Nand-Flash chips. This includes the memory contents and both the ID and ‘secret’ ID where supported.

First thing that needs to be acknowledged is that the Arduino Mega has a 16Mhz crystal & clock speed, therefore with a 5 Volt supply rail we are looking at about 100nS* for a single instruction cycle, a nand flash chip normally operates in the 15-25nS range.

*(06/Jan/2012) There have been some complaints about rounding the cycle time up, actually the cycle time is about 62ns (1 second /16,000000). Since I work with micro-controllers, generally I add in a margin when reckoning timing for code, saves any expensive mistakes when designing for production.

There are a couple of things to keep in mind:

  • The Arduino mega employs interrupts, which run in the background unless specifically disabled
  • There are not many single cycle instructions for port manipulation, you have to load a value before you can store or mask it, which already puts you ‘over’ 100ns, yes you can toggle a line in a single instruction, but you have to be 100% sure of its status before you start.

By the time we throw something together that can communicate a command to the nand flash chip there is not going to be much ‘change’ left over from 900nS.

From the timing diagrams we see that it takes about 3uS to read a 5 digit Nand Flash chip ID, specifically because there is the I/O toggling plus a subroutine call and return plus memory store for each byte recovered.

The above assumes we consider a design with direct read/write of the ‘Arduino Mega’ ports.
If we were to design a system that relied on the standard Arduino libraries, then the design would become unstable and potentially fail(for some stupid reason a “DigitalWrite()” library command takes over 6uS to execute, which would mean nearly 40uS to perform the same functionality with the Arduino library functions).
Other considerations in the design were to reduce down the number of subroutines, whilst it would be good programming practice to have the Read/Write bytes routines as callable subroutines, doing so would add the stack call timings to each byte that we read/write. (consider the time cost of >2 BILLION stack calls!! needed to fully read a device)

So here is the hardware setup along with some pictures of the results.

I’m currently working on cleaning up the library and trying to work round some ‘issues’ resulting from when the Arduino Mega is reset,powered up or code loaded.
It appears the Arduino Mega really hammers the I/O ports and creates a lot of spurious binary noise which has the potential to ‘trash’ any attached Nand Flash chip if the wrong set of I/O lines are thrashing about, it *may* require some sort of gating control that locks out the chip control lines UNTIL after the Arduino is powered up.

Finally I need to decide ‘how’ one might get all this information out of the Arduino, after all there is hardly the room to store the multi Gb data in the Arduino device.

Options currently under consideration:

  • Make the current Nand Flash code a full library.
  • Write a communication system to pass the data over ethernet to a ‘server’ hosted on a PC.
  • Write a library to store the data in a suitably sized SD card.
  • (Tried and it is FAR too slow)


Good luck on finding a data-sheet for a DYNET DN27UT088G2M (ID:ADD314A564), there are plenty of references to this part on the web but no data-sheets interestingly most of the references find their way back from China.  Initial findings show the part to be connected  with the manufacturer ‘HYNIX’, since the closest 4 digit ID for the matching Hynix product  HY27UT088G2M is  ID:ADD314A5.

See the Hardcore forensics forum for: Further work on the Nand Flash Chip Library…… If there is the interest


Leave a Reply



  1. Daniel

    January 6, 2012 at 5:33 am

    Time to move to a big boy’s controller. If you know C, learning to use a PIC18F controller is easy, and you can easily achieve the 100Mhz+ switching speeds you’re looking for. I’d say invest your time in learning a capable controller instead of in trying to stretch the *duino functionality. It’ll be time well spent!

    • Destroyer

      January 6, 2012 at 10:07 am

      Normally I work with embedded systems or Xilinx FPGA’s, you may even find my ‘real’ name in the linux kernel if you looked.
      This was more about wasting a day and seeing how far the Arduino Mega hardware could be pushed, a bit like the number of people on the internet building MOS 6502 computers.
      Plus I had seen the number of people trying to accomplish this task and was interested in seeing if it was actually possible.
      Sometimes you can learn far more from doing stupid things (I have the burns and cuts) rather than approaching learning from a sensible angle.


  2. Jack

    January 6, 2012 at 6:55 am

    Good work, mate ! I think pass data to a PC is excellent idea ! Question is can we use normal Arduino, instead of Mega ?

    • Destroyer

      January 6, 2012 at 10:00 am

      Well I looked at the clock rates of using a normal Arduino, but it is only about 8Mhz, I cannot see the Nand-Flash chip working reliably at those sorts of frequencies.
      The main issue is going to be related to the memory on the ‘Uno’ the thing only has 2kb of ram, which means trying to extract a range of bytes then getting them off the board ASAP, which would mean the Nand flash chip would need to be held in an ‘active’ state whilst it was being dealt with, or the only other solution would be to dump the data to the SD card, but again the issue is the page size of a modern Nand flash chip, then we have the potential of ‘glitches’ that occur whilst you are toggling the various I/O lines needed to set the Chip up.

      I might try with a Arduino ‘Nano’ next, but that would mean bringing all the data back via the FTDI chip in ‘real time’ since the board only has 1-2Kb of ‘real’ memory (not even enough storage for a full page of data from a modern nand-flash chip).

      The ‘mega’ is just about the minimum that is sensibly possible.

  3. marcus

    January 6, 2012 at 1:14 pm

    very interesting.
    Hope u can open source the library and circuit.

    Happy New year!!

    • Destroyer

      January 6, 2012 at 1:42 pm

      Need to get the bugs out of the code and get hold of some more Nand Flash chips (maybe from ShenZhen, it’s only 30 minutes away).
      The circuit is just a simple case of wiring the chip to the Mega on pins 22-37 for the I/O and the 0v & 3v3 line , plus a couple of pull-up resistors on the R/B# lines, so it is really not that complicated as regards the circuit and since the speed is so low it can be thrown together on a Bread board (as can be seen from the picture).

  4. numenorian

    January 26, 2012 at 6:36 am

    Very interesting project…I’m interested if you plan on extending it out to get a dump of the nand for possible data recovery. Looks like you are using a tsop reader…any plans to try BGA?

    • Destroyer

      January 28, 2012 at 8:53 am

      I did some research a few years ago using FPGA’s. (related to data recovery & forensics)
      There is a big problem in China when you are buying components, many are fake or re-branded, so when I’m inspecting product I needed a quick way to verify the chip without relying on the manufacturers kit.
      The TSOP is just a socket to allow different chips to be dropped in,
      The Arduino just bit-bangs the device, it is just a ‘prototype’ of an idea I’ve had floating about for a few years
      I’m looking to release some Ideas that will revolutionize the way certain industries do things (data recovery).

  5. William

    July 25, 2012 at 3:16 am

    I am doing a very similar project and am having trouble getting the chip to “talk” back to me after I send it the READ ID waveform. I am trying to look at the R/B signal as an indicator if the trip is receiving my command at all. Is your R/B hooked up in the screen shots? I noticed that it does not toggle during your entire READ ID. If so, what value of pull-up resistor did you use?

    • Destroyer

      July 25, 2012 at 6:30 am

      Yep R/B# is connected (see -3us Samsung and the reset)
      YEP it does toggle during the READ ID …….
      just the signals from the arduino are so SLOW, that to get the signal capture to show them, the image compression is very high, therefore the R/B# has been “compressed out” of the image.

      Consider that the R/B# is only a few ‘ns’ long and that the ‘ticks’ between +1us and+2us are 1,000 , so you would need a monitor resolution of 1,000 to show each ns between +1us – +2us. That is where the R/B# has gone.

      Your R/B# pull-up should be ‘soft’ say 10k or 4k7, you are dealing with very low currents needed to pull the arduino lines high/low

      Also you MUST issue a chip reset 0xff, or the chip results will be unpredictable. (you will be surprised at how many USB flash drives do not do this.)

      And if you are using the ARDUINO….. DON’T, it is just too damned slow and overpriced. AVR sucks ass, that is WHY they give such shitty processors badass names like “MEGA”.

  6. William

    July 26, 2012 at 9:14 pm

    Fortunately I am using an Altera FPGA so speed is not an issue. You said you need to issue a reset command… is this needed before the READ ID command is issued? We are still not able to get any signals back from the I/O after our READ ID, so this could be the issue if the reset is needed. Thanks for the response by the way!

    • Destroyer

      July 27, 2012 at 7:03 am

      ahhh an FPGA, I also built such hardware for my masters thesis.
      1.You issue a RESET, just after power-up of the chip.
      2. Ensure that your FPGA is tri-state and the port IS set to input when reading.

  7. Steve

    August 3, 2012 at 12:30 am

    Hi, very nice project!
    I have only one question: IOs from Arduino mega are 0-5V levels, isn’t it? In that case is not a problem for NAND to be supplied by 3,3V and communicate at 5V ?
    Thank you.

    • Destroyer

      August 4, 2012 at 7:21 am

      Yep you are 100% correct on the Arduino.
      The Nand Chip is 3v3 so it HAS to be supplied at that voltage, you could add a buffer between the arduino & chip, but it would have to be Bi directional and tri-state, plus it is going to add 8-10ns to the signals, Plus you would have to do ALL the I/O lines or else you would have problems with jitter(I.E some signals would be delayed by ~8ns but some would not, and since some functions are edge triggered it may be a problem).

      Better still just keep the wires short, and AWAY from sources of interference/ computer cables/mobiles/power cables etc.
      As regards voltage levels, most chips work by splitting the rail at 50%
      So a ‘0’ would be about 0.8v-2.6v, and anything over that would be a ‘1’ , so even at 3v3 we have a bit to spare, as long as the cables are short and we run it at a slower speed.(which we do)

      But seriously this was ONLY a test to see if it could actually be done, I would never build a commercial/community product using this setup because it is too bloody slow.
      Especially now as the ‘Raspberry Pi’ is CHEAPER than the Arduino and running nearly 100X faster.

      Also If you consider that a USB Nand-Flash stick usually has an integral 8051 CPU running at 50Mhz and even that is SLOW.


  8. Lad

    August 5, 2012 at 4:34 am

    is there a source code avaiable?I was also thinking about making Arduino NAND flasher.for Hynix NAND HY27US08121A
    Thanks for your reply

    • Freelancer

      August 5, 2012 at 8:18 am

      Obviously you missed the point.

      To extract a SMALL Nand-Flash chip would take nearly A DAY using this method.
      The Arduino is TOO SLOW for such tasks, the whole point of this experiment was to assess the Arduino’s capability in extraction.
      Unfortunately it was found to be TOTALLY lacking, EVEN with hand crafted assembly routines.
      Use the figures in the article to work out the extraction rate per second!!!

      They only way to make this a feasible exercise with the Arduino, would be to use it to control some external CMOS gates.
      Send the main commands by the Arduino, then use external CMOS to clock the data out of the Nand-Flash and into secondary storage.

      By the time you had built such a beast and the associated cost in materials & time, it would be cheaper to mail order a ‘Raspberry PI’ or some other CPU

      You will need something that is ATLEAST 50Mhz if you are to accomplish anything meaningful, better still find an ARM CPU running at over 100Mhz.

  9. Lad

    August 6, 2012 at 5:05 pm

    Thanks for the reply.
    First I was thinking about buying a NAND programmer but could not find any at a good price.( XELTEK offers but at +1000USD). So I was thinking about making by myself and found a link,56698.0.html
    so I was happy that Arduino would help.

    Are you thinking about another solution?
    I do not think there is a NAND programmer( preferably open hardware programmer) at a good price available these days. Or do you know about any?

    • For Hire

      August 6, 2012 at 7:57 pm

      This is the problem……, there are far too many IDIOTS and too much MIS-INFORMATION on the net.

      The chip SST IS NOT NAND-Flash it WILL NEVER BE NAND-Flash.
      It is SERIAL FLASH.

      Just some people mark their articles as “Nand-Flash” so that google kicks to their articles.(At the last count, there are less than five articles worldwide on Arduino & ‘real’ Nand-Flash)
      Serial Flash is a doddle, because the Arduino contains hardware to deal with it directly.

      The first issue is:
      EXACTLY what do you want to do, if it is “cloning” flash chips for games consoles, then you will be out of luck, because each and every Nand-flash chip is unique, insofar as the error/bad map.

      Second: XELTEK can be had for about $100-$200
      Third: comes down to how competent you are with software/hardware.
      I can point you in the RIGHT direction for high speed extraction and at a REALLY… REALLY… LOW COST.

      Low cost Nand-Flash reader
      first off:
      You need background in Nand-Falsh Technology.
      How it works
      What is it
      What are the pitfalls

      Be prepared to do AT LEAST two weeks SOLID reading and get as many NAND-FLASH data-sheets as you can, because each manufacturers chip has different functionality (yes basic commands are the same, but that is about it)

      Now for the Hardcore “pointers”
      GO HERE:
      follow any article links.
      AND here For the secret sauce (including ‘secret’ commands):

      Basically the Cypress system is a FULL USB Nand Flash drive implementation with example software.
      It works with ANY CY7C68033 but more importantly the CY7C68033 is the BROTHER of CY7C68013A (it is the same CPU apple use in THEIR MOUSE… ).
      This means the software for CY7C68033 can be loaded into a CY7C68013A development board, and it will cost you $20USD!!!! instead of the $500USD that Cypress want.

      All you need is some wiring and a socket, then modify the software from CYPRESS and you have a ‘SHIT HOT’ Nand reader/writer AT FULL SPEED.
      IT WORKS because I already built one 4-5 years ago.
      ( And a picture for the *rude* TROLL who sent me a PM saying i’m a liar!!!)

      The answer is out there on the net, you just need to be a little more ‘flexible’ in your thinking, thats what makes a good hardware hacker.


      • Lad

        August 6, 2012 at 8:28 pm

        Thanks for the reply. Can you please let me know where I can get XELTEK programmer that can program NAND memories at the price you mentioned( below 200USD)?
        I have never found at such good price. I have not even found any cheap NAND programmer( that can program HY27US08121A or similar.

        • For Hire

          August 7, 2012 at 7:12 am

          You need to be in Hong Kong Or Shenzhen.

          • Lad

            August 7, 2012 at 2:00 pm

            From Shenzhen we BUY XELTEK but only Superpro 500p model and there is no support for that NAND HY27US08121A, as far as I know.
            So I did not find a real programmer( not only reader) for that NAND that costs only about 200USD.So it would be great to have a such open hardware programmer

      • nadle

        September 6, 2012 at 1:45 pm

        or you can use the $5 dollar TI Stellaris board, with arm cortex m4
        80MHz max
        128K flash
        32K RAM