Hi,
The following is relevant to NAND flash only. This was originally written about the HomeHub3.0b. After much confusion, it transpires that the HH3.0b does use NAND flash! Burakkucat has kindly clarified that the flash IC on the HH3.0b is an ST NAND256W3A2BN6, a 256Mbit NAND flash device. [9] Some earlier models of BT HomeHub used NOR flash which is where the confusion arose. NOR is a completely different flash technology that cannot be 'hacked' in the same way.
cheers, a
-----------------------
Sometimes it is not possible to read a NAND flash IC while it is still fitted to the PCB of a router. This can be overcome by removing the IC using a hot-air rework station. [1] [2]
Once removed, the NAND flash IC can be fitted to a TSOP48 breakout board. The board is then wired to a flash memory card reader for reading and writing.
TSOP breakout boards (TSOP-48 to DIP converters)(click for full-size)
Some camera flash memory cards such as the xD-Picture cards, are just standard x8 width NAND ICs in a more convenient package. Those memory cards have no on-board controller. The flash controller logic is located off-chip, in the camera itself and in the readers for those card types. This raw flash interface can be exploited to dump the contents of a NAND flash memory IC. [3] [4] [5] [6]
The pinout for the xD-Picture card is documented. For an ONFI x8 NAND IC, of the kind found on the HH3.0b board, around 14 data and control lines need to be run from the NAND flash IC to the xD-Picture card reader. The breakout board makes it relatively easy to form these connections.
From the NAND Flash Specifications [9]
x8 NAND flash pinout
(click for full-size)
From the xD-Picture Card Specifications [3]:
xD-Picture card pinout
A suitable USB-based card reader to perform this hack costs very little. A couple of quid at most.
All-In-One Multi-Card Reader
(click for full-size)
All-In-One Multi-Card Reader
(click for full-size)
This card reader relies on ITE Tech's
IT1337, a USB multi-card reader controller. [7]
ITE Tech IT1337E/FN - a USB multi-card reader controller
(click for full-size)
The
IT1337 controller provides a standard USB Mass Storage Class (MSC) Bulk-Only 1.0 interface to the NAND device. [8] This USB device class is well supported in the Linux kernel.
With the kit all wired up, Linux has tools like 'dd' to perform the actual extraction of the raw NAND flash contents.
cheers, a
[1]
http://www.youtube.com/watch?v=VjZXOcGfEQ8[2]
http://www.youtube.com/watch?v=yhhLyxkTVQI[3]
http://read.pudn.com/downloads92/ebook/355684/Xd-Picture%20Card%20Card%20Specification%20Version%201.0%20489.pdf (better link ;-)
[4]
http://sites.google.com/site/brandonu/camcorderhack[5]
http://www.uchobby.com/index.php/2007/05/05/read-embedded-flash-chips/[6]
http://busydizzys.com/index.php/2010/12/24/reading-embedded-flash-chips-nand-tsop-without-removal[7]
http://www.ite.com.tw/en/products_more.aspx?CategoryID=4&ID=14,123[8]
http://www.usb.org/developers/devclass_docs/usbmassbulk_10.pdf[9]
http://www.datasheetcatalog.org/datasheets2/89/891899_1.pdfWARNING:The pinouts for the xD-Picture card that are listed in the official specs [3] are not consistent with the pinouts listed elsewhere [10][11][12]
[10]
http://pinouts.ru/reports/xd_card.shtml[11]
http://www2.picturepush.com/photo/a/7721430/img/7721430.png[12]
http://img372.imageshack.us/img372/7238/xdpinoutox2.jpgEDIT: resized pictures
