Reading and writing nand flash memory

[sarah90]

I could do with some pointers and suggestions for reading nand flash memory. I'm planning to desolder a nand flash chip from a device to do some hacking The device under investigation is a Samsung K9F4G08U0B.

I understood that timing is an issue. Could it be done with a beefy mcu (pic32 or the stellaris launchpad) or would it require an fpga or clpd. I found some references on the web to an avr attempt that had problems meeting the timing requirements.

Your input is highly appreciated and so is some sample code.

I'm also looking for a place to buy one of two these chips cheap to do some experiments before touching the real thing.

[solutions]

Time limit expired

I just spent 10 minutes looking for the datasheet.  Post it and you might get some help.

In any case, you don't need a "beefy" CPU to read and write memory.  From the sounds of your skill level, you're better off buying a programmer and attaching it to your PC.

Have you LOOKED at the distributors to see if they carry this device or are you asking us to do everything for you?

It also helps to tell us exactly what you are doing or trying to do

[Gallymimu]

timing with most flash memory is a max speed problem not a min speed problem.  In all likelihood almost any mcu would be able to write to it.

Seems the chip is a 4Gb SLC flash chip.  First and second google search hits.
http://www.alldatasheet.com/view.jsp?Searchword=K9F4G08U0B-PIB0

Does anyone else HATE alldatasheet.com and all those other junk sites that you get instead of a real manf website during a google search.  PISSES ME OFF!

Honesty one of the most painful parts of your project is that it is parallel flash.  That's a lot of I/O lines to wire up by hand.

Another point of pain will be address mapping of bad memory blocks, meaning you will have to write around those blocks.  You'd need to understand how the main system handles those bad blocks as well.
------------------ FROM DATASHEET--------------
Initial Invalid Block(s)
Initial invalid blocks are defined as blocks that contain one or more initial invalid bits whose reliability is not guaranteed by Samsung.
The information regarding the initial invalid block(s) is called the initial invalid block information. Devices with initial invalid block(s)
have the same quality level as devices with all valid blocks and have the same AC and DC characteristics. An initial invalid block(s)
does not affect the performance of valid block(s) because it is isolated from the bit line and the common source line by a select transistor. The system design must be able to mask out the initial invalid block(s) via address mapping. The 1st block, which is placed on
00h block address, is guaranteed to be a valid block up to 1K program/erase cycles with 1bit/512Byte ECC.

Identifying Initial Invalid Block(s)
All device locations are erased(FFh) except locations where the initial invalid block(s) information is written prior to shipping. The initial invalid block(s) status is defined by the 1st byte in the spare area. Samsung makes sure that either the 1st or 2nd page of every
initial invalid block has non-FFh data at the column address of 2048.   Since the initial invalid block information is also erasable in
most cases, it is impossible to recover the information once it has been erased. Therefore, the system must be able to recognize the
initial invalid block(s) based on the original initial invalid block information and create the initial invalid block table via the following
suggested flow chart(Figure 3). Any intentional erasure of the original initial invalid block information is prohibited.
-----------------------------------------------------

It isn't that hard to write one of these things, but if this is your first time working with flash memory there are easier places to start such as with small serial flash chips or EEPROMs.  This is a little more advanced.

What are you trying to do?  Hack the firmware out of an Xbox or something?

Posted on: November 21, 2012, 04:26:08 04:26 - Automerged
Also, your part number is incomplete for purchasing one:

K9F4G08U0B-BCB0T00   K9F4G08U0B-PCB   K9F4G08U0B-PCB0
K9F4G08U0BPCB0   K9F4G08U0B-PCB0000   K9F4G08U0B-PCB0T
K9F4G08U0B-PCB0T00   K9F4G08U0B-PCBO   K9F4G08U0B-PIB
K9F4G08U0B-PIB0   K9F4G08U0BPIB0   K9F4G08U0B-PIB0000

They come in a lot of flavors.  a quick look suggests that whichever one you need probably won't be easy to get your hands on.

[sarah90]

timing with most flash memory is a max speed problem not a min speed problem.  In all likelihood almost any mcu would be able to write to it.

That's good to hear. This posting gave me the impression that timing was an issue: http://hardcoreforensics.com/blog/2012/01/02/arduino-mega-direct-reading-of-a-nand-flash-memory-chip/

Honesty one of the most painful parts of your project is that it is parallel flash.  That's a lot of I/O lines to wire up by hand.

I'm planning to make a pcb with an usb microcontroller and room for the flash chip. So wiring should not be the issue. What will be more of an issue is getting the chip out and back in without killing it.

Another point of pain will be address mapping of bad memory blocks, meaning you will have to write around those blocks.  You'd need to understand how the main system handles those bad blocks as well.

I was aware of that and it's part of the reason I'm looking for sample code.

It isn't that hard to write one of these things, but if this is your first time working with flash memory there are easier places to start such as with small serial flash chips or EEPROMs.  This is a little more advanced.

Skill level *should* not be a problem. Done lots of interfacing serial flash and static ram memory. What I found hard was interfacing ddr from an xilinx fpga.

What are you trying to do?  Hack the firmware out of an Xbox or something?

You guessed right 

Also, your part number is incomplete for purchasing one

K9F4G08U0B-BCB0T00   K9F4G08U0B-PCB   K9F4G08U0B-PCB0
K9F4G08U0BPCB0   K9F4G08U0B-PCB0000   K9F4G08U0B-PCB0T
K9F4G08U0B-PCB0T00   K9F4G08U0B-PCBO   K9F4G08U0B-PIB
K9F4G08U0B-PIB0   K9F4G08U0BPIB0   K9F4G08U0B-PIB0000

They come in a lot of flavors.  a quick look suggests that whichever one you need probably won't be easy to get your hands on.

It's the PCB0. It's available on ebay from china for USD 14 and thats seems a bit high to me.

[Gallymimu]

I don't think that's an unreasonable price for a single.  I'm honestly surprised you could find it at all.  I am sure it is because there is some hobbyist market since it is from a game console.  Remember SLC costs more than MLC, I don't know what you are comparing to but it certainly isn't going to be competitive with a 4gb flash drive

This similar chip costs $5 from Arrow (with no stock)
http://components.arrow.com/part/detail/50856249S8857101N1398

What are you planning to do exactly?  I'm curious.  I've done a lot of work with Xboxes.

[solutions]

Arrow never seems to have stock. They only seem to ship nice prices in volume.

There are a fair number of Chinese counterfeits out there these days. Many are mined from old circuit boards (I've even seen them reclaiming parts using a bonfire, but I can't find that pic right now) and sold as new. I've heard they also do things like restamp a 2Gbit part as 4Gbit

IMO, components + eBay + China = disaster

Not 100%, but an alarmingly high % is possible. If it's too good to be true, it probably is.

[sarah90]

This similar chip costs $5 from Arrow (with no stock)
http://components.arrow.com/part/detail/50856249S8857101N1398

Did see that part through octoparts and it made me feel that the 14 bucks was a bit much. Although it includes shipping via registered mail.

There are a fair number of Chinese counterfeits out there these days. Many are mined from old circuit boards (I've even seen them reclaiming parts using a bonfire, but I can't find that pic right now) and sold as new. I've heard they also do things like restamp a 2Gbit part as 4Gbit

IMO, components + eBay + China = disaster

It is a risk indeed. And I only want a part to practice before touching the real thing. Another brand might do as well as long as the interface is the same or similar.

What are you planning to do exactly?  I'm curious.  I've done a lot of work with Xboxes.

I've only done some for friends and those went smooth. This particular unit has seen its trouble. The regular spi interface does not react. I think the spi part from the southbridge is dead. It might have been esd or wrong wiring by the previous owner. Who also tried to install a cygnos which went sour and destroyed the test points on the mb. These accidents did not destroy it and the unit still works like a charm. Desoldering and reading/writing the flash directly is the only was I see forward. Suggestions welcome of course.

[Gallymimu]

Arrow will charge you $14 shipping for one part BTW.

I've actually never done a JTAG on a 360.  I'd really like to but don't have time.  I stupidly updated the dash to a non-JTAGable version a long time ago before they had glitch hacks.  It would be fun to try it now.  Back in the day I was writing custom (but simple) firmware hacks for the XBOX 1 and wiring in alternate flash chips on a vectorboard

[sarah90]

I've actually never done a JTAG on a 360.  I'd really like to but don't have time.  I stupidly updated the dash to a non-JTAGable version a long time ago before they had glitch hacks.  It would be fun to try it now.  Back in the day I was writing custom (but simple) firmware hacks for the XBOX 1 and wiring in alternate flash chips on a vectorboard

Nice. I remember soldering a bridge for the write line to the flash on the xbox1 for the james bond hack. A very simple procedure but a daring experience for me at the time.