Arduino Mega: Direct R/W of a Nand Flash memory chip

02 Jan

Since I had little to do over New Year's Day, I threw together some Arduino code that reads NAND flash chips: the memory contents, plus the ID and the 'secret' ID where the part supports one.

The first thing to acknowledge is that the Arduino Mega runs from a 16MHz crystal, so with a 5V supply rail we are looking at about 100ns* per instruction cycle, whereas a NAND flash chip's read/write cycle times are normally in the 15-25ns range.

*(06/Jan/2012) There have been some complaints about rounding the cycle time up; the actual cycle time is 62.5ns (1 s / 16,000,000). Since I work with micro-controllers, I generally add a margin when reckoning timing for code; it saves expensive mistakes when designing for production.

There are a couple of things to keep in mind:

  • The Arduino Mega core employs interrupts (the timer tick behind millis(), for instance), which run in the background unless specifically disabled and can stretch any bit-banged cycle.
  • There are not many single-cycle instructions for port manipulation: you have to load a value before you can store or mask it, which already puts you over 100ns. Yes, you can toggle a line in a single instruction, but then you have to be 100% sure of its state before you start.

By the time we throw together something that can send one command to the NAND flash chip (set CLE, drive the data lines, pulse WE#, clear CLE) there is not going to be much 'change' left over from 900ns.

From the timing diagrams we see that it takes about 3µs to read a 5-byte NAND flash chip ID, specifically because each byte recovered costs the I/O toggling plus a subroutine call and return plus a memory store.

The above assumes a design that reads and writes the Arduino Mega ports directly.
If we were to design a system that relied on the standard Arduino libraries, the design would become unstable and potentially fail: for some stupid reason a single digitalWrite() call takes over 6µs to execute, which would mean nearly 40µs to perform the same READ ID sequence with the Arduino library functions.
Another consideration was reducing the number of subroutines. Whilst it would be good programming practice to have the read/write-byte routines as callable subroutines, doing so adds the call and return overhead to every byte we read or write (consider the cost of more than a billion subroutine calls needed to fully read an 8Gbit device!).

So here is the hardware setup along with some pictures of the results.

I'm currently working on cleaning up the library and trying to work round some 'issues' that show up when the Arduino Mega is reset, powered up or has code loaded.
It appears the Arduino Mega really hammers the I/O ports at that point and creates a lot of spurious binary noise, which has the potential to 'trash' any attached NAND flash chip if the wrong set of I/O lines is thrashing about. It *may* require some sort of gating control that locks out the chip control lines UNTIL after the Arduino is up, for example pull-ups that hold CE# and WE# high while the Arduino's pins are floating, so that no write cycle can be latched by accident.

Finally I need to decide 'how' one might get all this information out of the Arduino; after all there is hardly room to store multiple gigabits of data in the Arduino itself.

Options currently under consideration:

  • Make the current NAND flash code a full library.
  • Write a communication system to pass the data over Ethernet to a 'server' hosted on a PC.
  • Write a library to store the data on a suitably sized SD card (tried it, and it is FAR too slow).

Finally

Good luck finding a data-sheet for a DYNET DN27UT088G2M (ID: ADD314A564). There are plenty of references to this part on the web but no data-sheets; interestingly most of the references find their way back to China. Initial findings show the part to be connected with the manufacturer Hynix (whose manufacturer byte is 0xAD), since the closest match among Hynix products is the HY27UT088G2M with the 4-byte ID ADD314A5.

See the Hardcore forensics forum for: Further work on the Nand Flash Chip Library…… If there is the interest
HC.
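To make the command sequences discussed above concrete (RESET, then READ ID, with the host tri-stating its data lines before the chip drives them), here is an added example in C. It is not the original post's Arduino code: the pin image is a plain struct so the sequence can be run and checked on a PC, and a small constructed mock stands in for the NAND chip. On the Mega the pin writes would become direct PORT/PIN register accesses (which port carries IO0-7 and which carries CLE/ALE/CE#/WE#/RE# is an assumption of the wiring, not given on the page). The mock's behaviour of ignoring everything until it has seen RESET is a simplification chosen to exercise that failure path; a real part may answer, just unpredictably. The ID bytes fed to the mock are the ones quoted in the post; the manufacturer-byte table uses the JEDEC codes as listed in the Linux nand_ids table.

```c
/* nand_bitbang.c: bit-banged NAND RESET / READ ID against a mock chip. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAND_CMD_RESET  0xFF
#define NAND_CMD_READID 0x90

/* Host pin image. On the Mega these are direct PORT register writes (assumed wiring). */
static struct {
    int ce_n, cle, ale, we_n, re_n;
    int io_input;  /* 1 = host IO0-7 tri-stated (input), 0 = host driving io */
    uint8_t io;
} P;

/* ---- constructed mock NAND chip (not a real device model) ---- */
static struct {
    uint8_t id[5], cmd, addr;
    int out_idx, reset_seen, busy;
} M;

static void mock_init(const uint8_t id[5]) { memset(&M, 0, sizeof M); memcpy(M.id, id, 5); }

/* The chip latches IO on the rising edge of WE# when CLE (command) or ALE (address) is high. */
static void mock_we_rising(void) {
    if (P.ce_n || P.io_input) return;
    if (P.cle) {
        M.cmd = P.io; M.out_idx = 0;
        if (M.cmd == NAND_CMD_RESET) { M.reset_seen = 1; M.busy = 3; }  /* R/B# low for a while */
    } else if (P.ale) {
        M.addr = P.io;
    }
}
/* The chip drives IO while RE# is low; an unanswered bus floats high (0xFF). */
static uint8_t mock_re_low(void) {
    if (P.ce_n || !P.io_input || !M.reset_seen) return 0xFF;
    if (M.cmd == NAND_CMD_READID && M.addr == 0x00 && M.out_idx < 5) return M.id[M.out_idx++];
    return 0xFF;
}
static int mock_rb_ready(void) { if (M.busy > 0) { M.busy--; return 0; } return 1; }

/* ---- host side ---- */
static void bus_idle(void) { P.ce_n = 1; P.cle = 0; P.ale = 0; P.we_n = 1; P.re_n = 1; P.io_input = 1; }

static void write_cycle(uint8_t v, int cle, int ale) {
    P.cle = cle; P.ale = ale;
    P.io_input = 0; P.io = v;       /* drive the data lines */
    P.we_n = 0;                     /* tWP: data set up while WE# is low */
    P.we_n = 1; mock_we_rising();   /* chip latches on the rising edge */
    P.cle = 0; P.ale = 0;
    P.io_input = 1;                 /* release the bus so the chip can drive it */
}
static void nand_cmd(uint8_t c)  { write_cycle(c, 1, 0); }
static void nand_addr(uint8_t a) { write_cycle(a, 0, 1); }

static uint8_t nand_read_byte(void) {
    P.io_input = 1;                 /* host MUST be an input here or the bus contends */
    P.re_n = 0;
    uint8_t v = mock_re_low();      /* tREA after RE# falls */
    P.re_n = 1;
    return v;
}
/* Poll R/B#; a pull-up that never lets it rise shows up here as a timeout. */
static int nand_wait_ready(int max_polls) {
    while (max_polls-- > 0) if (mock_rb_ready()) return 1;
    return 0;
}

/* RESET (0xFF) then wait for R/B#. Issue this once after power-up before anything else. */
int nand_reset(void) {
    P.ce_n = 0;
    nand_cmd(NAND_CMD_RESET);
    int ok = nand_wait_ready(1000);
    P.ce_n = 1;
    return ok;
}

/* READ ID: 0x90, address 0x00, then 5 ID bytes. Returns 1 only if the chip answered:
 * all 0xFF means a floating bus, all 0x00 a stuck-low one (wrong pinout either way). */
int nand_read_id(uint8_t out[5]) {
    int all_ff = 1, all_00 = 1;
    P.ce_n = 0;
    nand_cmd(NAND_CMD_READID);
    nand_addr(0x00);
    for (int i = 0; i < 5; i++) { out[i] = nand_read_byte(); all_ff &= out[i] == 0xFF; all_00 &= out[i] == 0x00; }
    P.ce_n = 1;
    return !(all_ff || all_00);
}

/* ID byte 0 is the JEDEC manufacturer code (values as in the Linux nand_ids table). */
const char *nand_maker(uint8_t b0) {
    switch (b0) {
    case 0xAD: return "Hynix";   case 0xEC: return "Samsung"; case 0x2C: return "Micron";
    case 0x98: return "Toshiba"; case 0x20: return "ST";      case 0x89: return "Intel";
    default:   return "unknown";
    }
}

uint8_t last_id[5];
/* Run the whole sequence against the mock loaded with the ID quoted in the post. */
int demo_read_id(int do_reset) {
    const uint8_t id_from_post[5] = {0xAD, 0xD3, 0x14, 0xA5, 0x64};  /* constructed test input */
    mock_init(id_from_post); bus_idle();
    if (do_reset && !nand_reset()) return -1;
    return nand_read_id(last_id);
}

int main(void) {
    if (demo_read_id(1) != 1) { puts("READ ID: no response, check pinout / reset"); return 1; }
    printf("ID: %02X %02X %02X %02X %02X (%s)\n", last_id[0], last_id[1], last_id[2], last_id[3], last_id[4], nand_maker(last_id[0]));
    return 0;
}
```

The split between `write_cycle` and `nand_read_byte` is deliberate: every command or address byte ends with the host's data lines back in input mode, so a following RE# cycle can never fight the chip for the bus. The all-0xFF / all-0x00 check in `nand_read_id` is the quick pinout sanity test, since a chip that is not wired or not selected produces exactly those patterns.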

  1. Daniel

    January 6, 2012 at 5:33 am

    Time to move to a big boy’s controller. If you know C, learning to use a PIC18F controller is easy, and you can easily achieve the 100Mhz+ switching speeds you’re looking for. I’d say invest your time in learning a capable controller instead of in trying to stretch the *duino functionality. It’ll be time well spent!

     
    • Destroyer

      January 6, 2012 at 10:07 am

      LOL,
      Normally I work with embedded systems or Xilinx FPGAs; you may even find my 'real' name in the Linux kernel if you looked.
      This was more about wasting a day and seeing how far the Arduino Mega hardware could be pushed, a bit like the number of people on the internet building MOS 6502 computers.
      Plus I had seen the number of people trying to accomplish this task and was interested in seeing if it was actually possible.
      Sometimes you can learn far more from doing stupid things (I have the burns and cuts) rather than approaching learning from a sensible angle.

      HC

       
  2. Jack

    January 6, 2012 at 6:55 am

    Good work, mate ! I think pass data to a PC is excellent idea ! Question is can we use normal Arduino, instead of Mega ?

     
    • Destroyer

      January 6, 2012 at 10:00 am

      Well I looked at the clock rates of using a normal Arduino, but it is only about 8MHz; I cannot see the Nand-Flash chip working reliably at those sorts of frequencies.
      The main issue is going to be related to the memory on the 'Uno': the thing only has 2KB of RAM, which means trying to extract a range of bytes then getting them off the board ASAP. That would mean the Nand-Flash chip would need to be held in an 'active' state whilst it was being dealt with, or the only other solution would be to dump the data to the SD card, but again the issue is the page size of a modern Nand-Flash chip. Then we have the potential of 'glitches' that occur whilst you are toggling the various I/O lines needed to set the chip up.

      I might try with an Arduino 'Nano' next, but that would mean bringing all the data back via the FTDI chip in 'real time' since the board only has 1-2KB of 'real' memory (not even enough storage for a full page of data from a modern Nand-Flash chip).

      The ‘mega’ is just about the minimum that is sensibly possible.

       
  3. marcus

    January 6, 2012 at 1:14 pm

    very interesting.
    Hope u can open source the library and circuit.

    Happy New year!!

     
    • Destroyer

      January 6, 2012 at 1:42 pm

      Need to get the bugs out of the code and get hold of some more Nand-Flash chips (maybe from Shenzhen, it's only 30 minutes away).
      The circuit is just a simple case of wiring the chip to the Mega on pins 22-37 for the I/O and the 0V & 3V3 lines, plus a couple of pull-up resistors on the R/B# lines, so it is really not that complicated as regards the circuit, and since the speed is so low it can be thrown together on a breadboard (as can be seen from the picture).

       
  4. numenorian

    January 26, 2012 at 6:36 am

    Very interesting project…I’m interested if you plan on extending it out to get a dump of the nand for possible data recovery. Looks like you are using a tsop reader…any plans to try BGA?

     
    • Destroyer

      January 28, 2012 at 8:53 am

      Hi,
      I did some research a few years ago using FPGAs (related to data recovery & forensics).
      There is a big problem in China when you are buying components: many are fake or re-branded, so when I'm inspecting product I needed a quick way to verify the chip without relying on the manufacturer's kit.
      The TSOP is just a socket to allow different chips to be dropped in.
      The Arduino just bit-bangs the device; it is just a 'prototype' of an idea I've had floating about for a few years.
      I'm looking to release some ideas that will revolutionize the way certain industries do things (data recovery).

       
  5. William

    July 25, 2012 at 3:16 am

    I am doing a very similar project and am having trouble getting the chip to "talk" back to me after I send it the READ ID waveform. I am trying to look at the R/B signal as an indicator of whether the chip is receiving my command at all. Is your R/B hooked up in the screen shots? I noticed that it does not toggle during your entire READ ID. If so, what value of pull-up resistor did you use?

     
    • Destroyer

      July 25, 2012 at 6:30 am

      Yep, R/B# is connected (see -3µs Samsung and the reset).
      YEP, it does toggle during the READ ID.......
      It's just that the signals from the Arduino are so SLOW that to get the signal capture to show them, the image compression is very high, therefore the R/B# has been "compressed out" of the image.

      Consider that the R/B# pulse is only a few 'ns' long and that the 'ticks' between +1µs and +2µs are 1,000, so you would need a monitor resolution of 1,000 to show each ns between +1µs and +2µs. That is where the R/B# has gone.

      Your R/B# pull-up should be 'soft', say 10k or 4k7; you are dealing with the very low currents needed to pull the Arduino lines high/low.

      Also you MUST issue a chip reset 0xff, or the chip results will be unpredictable. (you will be surprised at how many USB flash drives do not do this.)

      And if you are using the ARDUINO….. DON’T, it is just too damned slow and overpriced. AVR sucks ass, that is WHY they give such shitty processors badass names like “MEGA”.

       
  6. William

    July 26, 2012 at 9:14 pm

    Fortunately I am using an Altera FPGA so speed is not an issue. You said you need to issue a reset command… is this needed before the READ ID command is issued? We are still not able to get any signals back from the I/O after our READ ID, so this could be the issue if the reset is needed. Thanks for the response by the way!

     
    • Destroyer

      July 27, 2012 at 7:03 am

      Hi,
      Ahhh, an FPGA. I also built such hardware for my master's thesis.
      1. You issue a RESET just after power-up of the chip.
      2. Ensure that your FPGA is tri-stated and the port IS set to input when reading.

       
  7. Steve

    August 3, 2012 at 12:30 am

    Hi, very nice project!
    I have only one question: the I/Os from the Arduino Mega are 0-5V levels, aren't they? In that case, is it not a problem for the NAND to be supplied by 3.3V and communicate at 5V?
    Thank you.
    S.

     
    • Destroyer

      August 4, 2012 at 7:21 am

      Yep you are 100% correct on the Arduino.
      The NAND chip is 3V3 so it HAS to be supplied at that voltage. You could add a buffer between the Arduino & chip, but it would have to be bidirectional and tri-state, plus it is going to add 8-10ns to the signals, plus you would have to do ALL the I/O lines or else you would have problems with jitter (i.e. some signals would be delayed by ~8ns but some would not, and since some functions are edge triggered it may be a problem).

      Better still, just keep the wires short, and AWAY from sources of interference: computer cables, mobiles, power cables etc.
      As regards voltage levels, most chips work by splitting the rail at 50%.
      So a '0' would be about 0.8V-2.6V, and anything over that would be a '1', so even at 3V3 we have a bit to spare, as long as the cables are short and we run it at a slower speed (which we do).

      But seriously this was ONLY a test to see if it could actually be done, I would never build a commercial/community product using this setup because it is too bloody slow.
      Especially now as the ‘Raspberry Pi’ is CHEAPER than the Arduino and running nearly 100X faster.

      Also, if you consider that a USB Nand-Flash stick usually has an integral 8051 CPU running at 50MHz, even that is SLOW.

      HC

       
  8. Lad

    August 5, 2012 at 4:34 am

    HI,
    is there a source code available? I was also thinking about making an Arduino NAND flasher, for a Hynix NAND HY27US08121A.
    Thanks for your reply

     
    • Freelancer

      August 5, 2012 at 8:18 am

      Obviously you missed the point.

      To extract a SMALL Nand-Flash chip would take nearly A DAY using this method.
      The Arduino is TOO SLOW for such tasks, the whole point of this experiment was to assess the Arduino’s capability in extraction.
      Unfortunately it was found to be TOTALLY lacking, EVEN with hand crafted assembly routines.
      Use the figures in the article to work out the extraction rate per second!!!

      The only way to make this a feasible exercise with the Arduino would be to use it to control some external CMOS gates.
      Send the main commands by the Arduino, then use external CMOS to clock the data out of the Nand-Flash and into secondary storage.

      By the time you had built such a beast, with the associated cost in materials & time, it would be cheaper to mail order a 'Raspberry Pi' or some other CPU.

      You will need something that is AT LEAST 50MHz if you are to accomplish anything meaningful; better still, find an ARM CPU running at over 100MHz.

       
  9. Lad

    August 6, 2012 at 5:05 pm

    Thanks for the reply.
    First I was thinking about buying a NAND programmer but could not find any at a good price (XELTEK offers one but at +1000USD). So I was thinking about making one myself and found a link
    http://arduino.cc/forum/index.php/topic,56698.0.html
    so I was happy that Arduino would help.

    Are you thinking about another solution?
    I do not think there is a NAND programmer( preferably open hardware programmer) at a good price available these days. Or do you know about any?
    Thanks

     
    • For Hire

      August 6, 2012 at 7:57 pm

      This is the problem……, there are far too many IDIOTS and too much MIS-INFORMATION on the net.

      The chip SST IS NOT NAND-Flash it WILL NEVER BE NAND-Flash.
      It is SERIAL FLASH. http://www.sst.com/dotAsset/40490.pdf

      Just some people mark their articles as “Nand-Flash” so that google kicks to their articles.(At the last count, there are less than five articles worldwide on Arduino & ‘real’ Nand-Flash)
      Serial Flash is a doddle, because the Arduino contains hardware to deal with it directly.

      The first issue is:
      EXACTLY what do you want to do, if it is “cloning” flash chips for games consoles, then you will be out of luck, because each and every Nand-flash chip is unique, insofar as the error/bad map.

      Second: XELTEK can be had for about $100-$200
      Third: comes down to how competent you are with software/hardware.
      I can point you in the RIGHT direction for high speed extraction and at a REALLY… REALLY… LOW COST.

      Low cost Nand-Flash reader
      first off:
      You need background in Nand-Flash technology:
      How it works
      What it is
      What the pitfalls are

      Be prepared to do AT LEAST two weeks SOLID reading and get as many NAND-FLASH data-sheets as you can, because each manufacturer's chip has different functionality (yes, basic commands are the same, but that is about it).

      Now for the Hardcore “pointers”
      GO HERE:
      http://www.cypress.com/?rID=14320
      follow any article links.
      AND here For the secret sauce (including ‘secret’ commands):
      http://onfi.org/wp-content/uploads/2009/02/onfi_1_0_gold.pdf

      Basically the Cypress system is a FULL USB Nand-Flash drive implementation with example software.
      It works with ANY CY7C68033, but more importantly the CY7C68033 is the BROTHER of the CY7C68013A (it is the same CPU Apple use in THEIR MOUSE...).
      This means the software for the CY7C68033 can be loaded into a CY7C68013A development board, and it will cost you $20USD!!!! instead of the $500USD that Cypress want.

      All you need is some wiring and a socket, then modify the software from CYPRESS and you have a 'SHIT HOT' Nand reader/writer AT FULL SPEED.
      IT WORKS because I already built one 4-5 years ago.
      CY7C68013A
      (And a picture for the *rude* TROLL who sent me a PM saying I'm a liar!!!)

      The answer is out there on the net, you just need to be a little more 'flexible' in your thinking; that's what makes a good hardware hacker.

      HC

       
      • Lad

        August 6, 2012 at 8:28 pm

        Thanks for the reply. Can you please let me know where I can get a XELTEK programmer that can program NAND memories at the price you mentioned (below 200USD)?
        I have never found one at such a good price. I have not even found any cheap NAND programmer (that can program the HY27US08121A or similar).
        Thanks

         
        • For Hire

          August 7, 2012 at 7:12 am

          You need to be in Hong Kong Or Shenzhen.

           
          • Lad

            August 7, 2012 at 2:00 pm

            From Shenzhen we BUY XELTEK, but only the Superpro 500p model, and there is no support for that NAND HY27US08121A, as far as I know.
            So I did not find a real programmer (not only a reader) for that NAND that costs only about 200USD. So it would be great to have such an open hardware programmer.

             
      • nadle

        September 6, 2012 at 1:45 pm

        or you can use the $5 TI Stellaris board, with an ARM Cortex-M4:
        80MHz max
        128K flash
        32K RAM

         
        • For Hire

          September 6, 2012 at 1:50 pm

          Nope!!!!
          This is what TI said:

          I am sorry for the inconveniences caused. Not only Hong Kong but also mainland China cannot buy this product. TI of course hopes to sell our products to more customers no matter where they are, but the US law does not allow us to ship to these places. Even if we ship your order, the American customs (sic) will hold back the order.

          So there you go then……. Thanks TI
          The American government working to ship jobs abroad, but preventing sales of American products.
          Incidentally I’m not 100% convinced that the development Product is not assembled in China.

           
          • nadle

            September 10, 2012 at 1:19 am

            Did not know that, and can understand why….
            anyway I also found this
            LPC1114FN28 (DIP28) for ~$2
            ARM Cortex-M0
            50MHz
            32kB flash
            4kB SRAM

            This is more powerful than the old CY7C68013A.
            Spec:
            http://www.nxp.com/products/microcontrollers/cortex_m0/lpc1100_x_l/LPC1114FN28.html

            programing cortex-m0: http://www.meatandnetworking.com/tutorials/lpc1114fn28-with-open-source-tools/

             
          • For Hire

            September 10, 2012 at 6:53 am

            Yes, it appears to be a case of: “where do you keep your nucular ressles”.
            The absolute madness of course is that the Americans allow ‘students’ to enter work placement in some of their biggest most secret Aerospace companies and all in the name of education.

            Anyway back to the non-political world of hardware abuse.
            There is suddenly a rush of reasonably high spec micro-controllers coming onto the market at really ‘silly’ prices.
            I’ve ordered a few different ones to have a play about with.

            The CY7C68013A, whilst it appears to be 'under powered', actually has a very neat trick:
            you can set up a waveform state machine to toggle pins at clock speed.
            What this means is you do not need to load the values into registers and then into the ports; rather it is a binary recording of required pin states.

            This is why I prefer it for the Nand-Flash chips, because the biggest time waster is the clocking out of the data, which has to be done a byte at a time.
            With the CY7C68013A, you can send the commands to read a page, then set the state machine to automatically clock the data out of the Nand-Flash chip and DIRECTLY into the USB buffer for transfer to the desktop.
            You can get close to 45MHz data from the Nand-Flash to the USB infrastructure, all without a need for the micro-controller to execute read/write instructions.

            Even with a fast micro-controller this is a difficult trick to match.

             
          • nadle

            September 11, 2012 at 10:46 am

            Thanks for your great insight; I overlooked the part about it being a logic analyzer.

            I have some questions: do you think the CY7C68013A can be used for NOR flash?
            I used a Teensy++ 2.0 with NORway but it's very slow compared to the expensive Progskeet (NOR/NAND flash).
            http://www.ps3devwiki.com/wiki/Hardware_flashing#Speed_comparison_NOR_flashers

            I see that it can also do JTAG, guessing at full speed?
            http://www.sonsivri.to/forum/index.php?topic=33114.0
            I use the Bus Pirate and it struggles with JTAG. http://dangerousprototypes.com/docs/Bus_Pirate

             
          • For Hire

            September 11, 2012 at 11:34 am

            Yes, I also use the Bus Pirate, a good solid tool for small jobs.

            Nand-Flash is a real shitty system, because both the commands AND the data are passed over the I/O lines under a couple of control lines (ALE/CLE) and the whole system is block based.
            But yes, the CY7C68013A can also be used for any sort of memory (as long as you have enough I/O pins), including NOR flash.

            Basically, for any sort of chip flashing/reading, the main issue is address setup and data handling.
            That is to say, if you have to code an address increment/setup, followed by bit toggles (R/W etc.) then a read/write of the data lines, any code is going to get bogged down......, but as previously stated the CY7C68013A has a trick up its sleeve, in that it is not a 'pure' binary coded instruction based system AND it can transfer data DIRECTLY to the USB buffers and handle USB transactions WITHOUT needing the intervention of the embedded 8051.

            Cypress is also the home of the PSoC range, which is based around the technology of the CY7C68013A.

            You will see many people blowing steam about how fast a CPU is, but potentially it is all bollox if the system bottlenecks some place else (like having to transfer data a byte/word at a time into/out of a USB buffer).

            What you need is a CPU that is rich in DMA from its data pins to USB and allows for "state machine" constructs.

            Ultimately, it depends how fast you want to go. Absolutely the fastest system I have built was using an FPGA with a 100/1000 Ethernet connection, which can outperform USB for data transfer.
            When USB 3.0 is released all I have to do is drop a new network adapter into the FPGA design and take it optical (MII, GMII, RGMII, SGMII).

            The system was designed about 4 years ago when I was 'hot' for SSDs and realized that no one had any forensic tools for extracting 8/16 or 32 Nand-Flash chips at once in real time. It also had the option to replace Nand-Flash chips in ANY design, so as to be able to spy on the wear levelling and data distribution systems (something that would be critical for evaluating SSD and wear levelling behavior), which is WHY I made the system Ethernet and not USB, since it would bottleneck the USB port; currently I would just need to add switches and cabling for it to scale.

             
  10. nadle

    December 17, 2012 at 10:22 am

    Do you have any source code or bins to use the CY7C68013 for JTAG or ISP flashing?

    The link has changed directory:
    http://www.onfi.org/~/media/ONFI/specs/BA_NAND_rev_1_1_Gold.pdf

     
    • Hardcorefs

      December 17, 2012 at 10:36 am

      Yep all the source code is available on the Cypress site.

       
  11. ma

    May 15, 2013 at 10:30 pm

    Hey ! Nice work. Could I have your code so I can test it on my arduino ?
    I’m really interested in ID part to find if pinout is correct or not…

    Thanks

     
    • Site_owner

      May 16, 2013 at 10:27 am

      Hi,
      Sorry to rain on your parade but
      The ID code is NOT a reliable way to identify a device.

      Not only did different manufacturers use the SAME ID for their devices, but some manufacturers use the SAME ID for different parts.

      It was all just a massive waste of time......; also I suspect some parts can have their ID re-programmed, which is what some Chinese criminals have been doing when re-branding devices.

      Also, just HOW can you use the ID to identify the pinout, since you MUST have the pinout to read the ID code?

       
      • mat

        May 16, 2013 at 1:08 pm

        I do not want to identify a device, I just want to test the pinout. If the device returns something which looks like an ID, I will try to read it with another reader.
        I need to test many combinations of pinout and thus need something which can programmatically change the pinout and read the ID.