Tuesday, 3 January 2017

Adventures into NAND Dumping Part 2

Following on from my previous post into NAND dumping, I thought I would post about a recent issue I encountered, and also how to extract UBI file-systems.

In this particular case the NAND chip was a SK Hynix H27U1G8F2BTR-BC.

DumpFlash successfully dumped the contents, and listed it with a ID of: ADF101DA.

When running the Nand-dump-tool.py (to remove the OOB data), the tool reported back an error:

I had an immediate suspicion that the ID code was incorrect, so I resorted to the datasheet:

The 1st bytes represents the Manufacturer Code.
The 2nd bytes represents the Device Code.
The 3rd bytes represents the Internal chip number, Cell Type, Number of Simultaneously Programmed Pages.
The 4th bytes represents the Page size, Block size, Organization, Spare size.

I was then able to remove the OOB data using the new ID (ADF1001D):

Extracting UBI contents:

From here Binwalk was able carve out the UBI data, but was unable to successfully extract its contents:

Using the ubireader package (which is a Binwalk dependency), you can list the Volumes which are contained within the UBI data:

Then we can extract the volumes:

It should be noted, not all the extracted files are actually UBIFS:

Next I let Binwalk automagically extract all the contents:

No comments:

Post a Comment