Don
Reverse Engineering a NAND Flash Device Management Algorithm
Around June of 2012, I had gotten myself into a very bad habit. Instead of carrying my SD card in my camera, I left it sticking out of the side of my laptop, presumably intending to do something with the photos on it eventually. On my flight home from Boston, the predictable thing happened: as I got up out of my seat, the machine fell out of my lap, and as the machine hit the ground, the SD card hit first, and was destroyed.
I was otherwise ready to write off the data stored on that device, but something inside me just wasn't happy with that outcome. Before I pitched the SD card in the trash, I took a look at what remained – as far as I could tell, although the board was badly damaged, the storage IC itself was fully intact (although with a few bent pins).
The following is a description of how I went about reverse-engineering the on-flash format, and of the conclusions that I came to. My efforts over the course of about a month and a half of solid work – and a “long tail” of another five months or so – resulted in a full recovery of all pictures and videos that were stored on the SD card.
If you're just looking for the resources that go with this project, here are the pictures of the hardware, and here is the source code.
You can discuss this article on Hacker News.
Introduction
It is probably fitting to start with a motivation for why this problem is complex; doing data recovery from a mass-production SD card seems like it should be a trivial operation (especially given the interface that SD cards present), but as will become clear, it is not. From there, I will discuss the different parts of the problem in detail, both in terms of how they physically work, and in terms of what it means from the standpoint of a data recovery engineer.
Skipping on down...
Data extraction
Of course, none of the device-management information is relevant if the data can't be recovered from the flash IC itself. So, I started by building some hardware to extract the data. I had a Digilent Nexys-2 FPGA board lying around, which has a set of 0.1” headers on it; those headers are good to around 20MHz, which means that with some care, I should be able to interface it directly with the NAND flash.
A bigger problem that I had facing me was that the NAND flash was physically damaged. The pins still had pads on them, ripped from the board; the pins were also bent. Additionally, the part was in a TSSOP package, which was too small for me to solder directly to. I first experimented with doing a “dead-bug” soldering style – soldering AWG 36 leads directly to each pin – but this proved ultimately too painful to carry out for the whole IC. Ultimately, I settled on using a Schmartboard; I sliced it in half, and allowed each side to self-align. This meant that I didn't have to worry about straightening both sides at the same time – as long as I got them each individually, I could get a functional breakout from the flash IC. (The curious reader might enjoy some photos of my various attempts to re-assemble the NAND flash.)
Read More...
http://joshuawise.com/projects/ndfslave
Memory Cards - Hacking SD Card & Flash Memory Controllers Reverse Engineering and Rescuing Data
- Scam-o-Matic determines if you bought fake SD cards
- Scam-o-Matic determines if you bought fake SD cards - Hack a Day
- Accessing an SD card through a parallel port, just because - Hack a Day
- GD-ROM drive emulated to use SD cards instead - Hack a Day
- Hacking Transcend Wifi SD Cards
- Making Use of the Transcend WiFi SD Card
- Keep Your SD Cards Data Safe with the SD Locker
- The Tiniest SD Card Locker
- Hacking Transcend WiFi SD Cards
- Run Away Brainz: Repair: Dell Streak 5 LCD Replacement Guide + Hidden Internal SD Card
- Reverse Engineering a NAND Flash Device Management Algorithm
- Reverse Engineering a NAND Flash Device Management Algorithm | Joshua Wise's domain
- Whitening transformation - Wikipedia, the free encyclopedia
- Forward error correction - Wikipedia, the free encyclopedia
- Hacking SD Card & Flash Memory Controllers
- Chaos Computer Club - Wikipedia, the free encyclopedia
- On Hacking MicroSD Cards « bunnie's blog
- novena « bunnie's blog
- Rescuing an SD card with an Arduino
- SD card recovery using an Arduino | tiefpunkt tech
- tiefpunkt/arduino_sd_recovery · GitHub
- A Motherboard for a WiFi Enabled SD Card
- jwise/ndfslave · GitHub
- inside an SD card
- SchmartBoard Prototyping Products
- SD card used in place of a GD-ROM Drive
- Deunan - architecture syn of GDEMU is
- Deunan - Genesis contd.
- GD-ROM - Wikipedia, the free encyclopedia
- Deunan - Genesis
- Memory - Making 128mb SIMMs from 64s
- http://jax184.com - Links
- http://jax184.com - Digitizing Laserdiscs
- http://jax184.com - Projects
- http://jax184.com - Adventures
- Chimes of Death - Apple Wiki, a wiki about Macs, iPod, iPhone, iPad, iWork, iLife and more
- Making 128mb SIMMs
- Making 128MB SIMMs From Junk