There are times when the pre-packaged firmware extractor FRMorp just isn’t what you want. In fact, we usually hate anything pre-packaged and always prefer to work with the raw data. So if you’re like us, you’ve probably either
- Already rewritten the FRMorp to dump raw NAND pages
- Muttered to yourself that we’re idiots for not releasing the raw tool
Well, you’re in luck. We’re hereby releasing nandoori to the masses so high-speed raw USB nand dumping is now at your fingertips! As we warned in previous articles, this tool can generate lots of data in a short time. For example, if your device has 8GB of flash, you can dump the entire 8GB (2,097,152 pages at 4k per page) by using the command
nandoori 0x0 0x200000 slow.bin
Yes, this will take a long time. And will probably contain mostly blank pages ($FF) so is not terribly worthwhile. But the important thing is that you CAN do it if you want to. And idiot-proofing is one thing that we’re totally against here at openschemes. We’ll warn you of potential bricks (but the SPMP8k seems brick-proof so far) but otherwise, we think you should enjoy rebuilding your system after each horrible technical mishap. One piece of advice that we always pass to new engineers is:
Make every mistake once. From simple typos to connecting power supplies backwards – go ahead! Boom, smoke, hooray! From breaking the upstream build to all-layer-change disasters, feel free! But only once. Learn from your mistakes, fix the problem, and don’t let it happen again.
Follow that rule, and your first few engineering years will be hellish, as they would be anyway. But after that, you’ll rise to the top and continue in an excellent path.
Enough musing, let’s get back to the tech. nandoori expects arguments of a start page, a stop page, and an output file. It will fetch a single page if start and stop are the same number. It expects both numbers to be hex, although it is not required for them to start with 0x. In our examples, we will always start with 0x just to be clear and unambiguous.
Some interesting pages are:
- 0x0 – The RedBoot PAT table. This page lists all the pages that contain the RedBoot.mmc file from BOOT.IMG.
- 0x2 – One of the INIT PAT tables. Hardwired to 0x2, so this must mean that the RedBoot PAT table cannot exceed 8k bytes, or the bootware cannot exceed 2044 pages and therefore cannot be larger than 8,372,224 bytes. That’s pretty huge and pretty awesome if you ask us.
- 0x12 – The other INIT PAT table. For the actual DRAM init, IIRC.
- 0x80, 0x100, 0x180 – Three copies of DRAM config data plus the RedBoot startup script. Found when working on reflash. We thought they were just used to store the ScanRam config, but it turns out the device won’t boot eCos if they’re blank. Important enough to have three copies!
- 0x2000 – The ROFS PAT table for allocating SOFT.IMG. Different format than RB’s PAT table. Haven’t studied it too much.
- 0x2080 – Start of SOFT.IMG.
When we use this tool, it’s either for inspecting a single page of nand, such as:
nandoori 0x0 0x0 RBPAT.bin
Or for checking the validity of our flash tools by comparing before and after for the entire boot section, such as:
nandoori 0x0 0x300 BOOT.bin
Your usage may vary, these are just some simple examples.
Please keep in mind that the SPMP8k uses block-wise nand. In our case, one block is 0x80 (128) pages. This means that the smallest bit of flash that you can erase is one block: 0x80 pages, or 512k (524,288 bytes).
We mention this because we will soon release a raw write tool that can be used for flashing byte-wise backups of your device for the extra paranoid. It will take nandoori dumps as input and write them to the device. If it does not have 0x80 pages worth of data to write, you will be left with blank nand where you should have code = fail! So if you are intending to back up your device, or parts of your device – PLEASE MAKE THEM MULTIPLES OF 0x80 PAGES (512k).
For general hax0ring, use any page length you want. It’s only for backups intending to be rewritten that the 128-page multiple must be used. OK – continue on to page 2 for the source and executables. Enjoy your spicy and delicious nandoori!
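A few sanity checks on a nandoori dump before you rely on it as a backup, added here as an example; this is not nandoori's code or openschemes' code. It assumes the geometry the article gives for the SPMP8k (4k pages, 0x80 pages per erase block) and works on a constructed byte string rather than a real device image. It computes the byte size of an inclusive page range, lists pages that are entirely erased ($FF), checks the "multiple of 0x80 pages" rule for dumps that are meant to be written back, and pads a short dump with erased pages so that rule holds.

```python
# Added example (not part of nandoori or openschemes' code): sanity checks on a
# raw page dump produced by a command such as "nandoori 0x0 0x300 BOOT.bin".
# Assumptions: 4k (4096-byte) pages and 0x80-page blocks, as the article states
# for the SPMP8k. The sample dump at the bottom is constructed, not a real image.

PAGE_SIZE = 4096                            # bytes per page (article: 4k per page)
PAGES_PER_BLOCK = 0x80                      # smallest erasable unit (article: 128 pages)
BLOCK_BYTES = PAGE_SIZE * PAGES_PER_BLOCK   # 512k = 524,288 bytes


def page_range_bytes(start_page, end_page, page_size=PAGE_SIZE):
    """Byte size of an inclusive nandoori dump from start_page to end_page."""
    if end_page < start_page:
        raise ValueError("end page precedes start page")
    return (end_page - start_page + 1) * page_size


def split_pages(dump, page_size=PAGE_SIZE):
    """Split a dump into fixed-size pages; a short trailing page means a truncated dump."""
    if len(dump) % page_size:
        raise ValueError("dump length %d is not a multiple of the page size" % len(dump))
    return [dump[i:i + page_size] for i in range(0, len(dump), page_size)]


def blank_pages(dump, page_size=PAGE_SIZE):
    """Indices (relative to the dump) of pages that are entirely erased, i.e. all 0xFF."""
    erased = b"\xff" * page_size
    return [n for n, page in enumerate(split_pages(dump, page_size)) if page == erased]


def backup_ready(dump, page_size=PAGE_SIZE, pages_per_block=PAGES_PER_BLOCK):
    """True when the dump covers whole erase blocks: the article's precondition for
    feeding a dump back into the raw write tool without leaving blank nand behind."""
    if len(dump) % page_size or not dump:
        return False
    pages = len(dump) // page_size
    return pages % pages_per_block == 0


def pad_to_block(dump, page_size=PAGE_SIZE, pages_per_block=PAGES_PER_BLOCK):
    """Pad a short dump with erased (0xFF) pages up to a whole-block multiple, which is
    the state the rest of the block is left in after an erase anyway."""
    block = page_size * pages_per_block
    remainder = len(dump) % block
    if remainder == 0:
        return dump
    return dump + b"\xff" * (block - remainder)


if __name__ == "__main__":
    # Constructed sample: a 0x300-page dump with a few erased pages sprinkled in.
    sample = bytearray(b"\x00" * page_range_bytes(0x0, 0x2FF))
    for n in (0x01, 0x7F, 0x2FF):
        sample[n * PAGE_SIZE:(n + 1) * PAGE_SIZE] = b"\xff" * PAGE_SIZE
    sample = bytes(sample)
    print("dump bytes:", len(sample))
    print("blank pages:", [hex(n) for n in blank_pages(sample)])
    print("backup-ready (multiple of 0x80 pages):", backup_ready(sample))
```

Run it against a real dump by replacing the constructed `sample` with the file's bytes; `backup_ready` is the check to run before handing a dump to a raw write tool, and `blank_pages` tells you quickly whether a large dump is mostly $FF and not worth keeping.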
By sarge November 14, 2011 - 9:47 am
Readings in the second half of each page are filled with FF.
Why is this happening?
0000
0010  0000-07FF all the correct reading
....
0700
0800  FF FF FF FF ....
0810  ALL #FF !!!! 0800-0FFF
....
0FF0
By openschemes November 14, 2011 - 6:51 pm
It may be that your flash has a different page size. You should check the chip used and look up its datasheet to see what the page size is.
By sarge November 15, 2011 - 6:11 am
Thanks for your feedback.
It seems that the page size is 2k, not 4k.
Is it enough to change the source code option sizeof(mycbw), 1000 to sizeof(mycbw), 800?
Stork in each of these parameters.
nandoori.c :
………
    // Read each page and save to file, flush every 255 pages as slight insurance
    // against the possibility of crashes.
    // (Escape sequences restored: the blog stripped the backslashes from "\b" and "\n".)
    for (i = startpg; i <= endpg; i++) {
        // Progress indicator: eight backspaces rewind the previous 8-digit page number
        if (i % 0x10 == 0) printf("\b\b\b\b\b\b\b\b%08X", i);
        mycbw.adr = longswap(i);    // page address, byte-swapped for the device
        // Send the read command block (libusb-0.1 API: endpoint 0x02 OUT, 1000 ms timeout)
        result = usb_bulk_write(dev, 0x02, (char *) &mycbw, sizeof(mycbw), 1000);
        if (result < 0) {
            printf("Write rd cmd for page %x failed with error %0x\n", i, result);
            goto done;
        }
        // Get Data (endpoint 0x81 IN; nandbuff must match the chip's page size)
        result = usb_bulk_read(dev, 0x81, (char *) &nandbuff, sizeof(nandbuff), 1000);
        if (result < 0) {
            printf("Read of page %x failed with error %0x\n", i, result);
            goto done;
        }
        // Get reply (status block that follows the data)
        result = usb_bulk_read(dev, 0x81, (char *) &replybuff, sizeof(replybuff), 1000);
        if (result < 0) {
            printf("Read failed with error %0x\n", result);
………
By openschemes November 16, 2011 - 6:16 pm
Great work! Your modifications will help all the people using 2k page size.
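The symptom in the exchange above (every page's upper half reading FF) is easy to test for in a dump before touching the tool's source. The following is an added example, not code from nandoori or from anyone in this thread: it assumes a dump written at a configured page size, and it generalises the 2k case by halving the page size repeatedly while every non-blank page still shows an erased upper half, so a 1k-page chip dumped at 4k is also caught. The sample dumps are constructed.

```python
# Added example (not part of nandoori or the openschemes posts): detect a page-size
# mismatch from the dump alone. If the tool is built for 4k pages but the chip has
# 2k pages, each 4k "page" in the dump is 2k of real data followed by 2k of 0xFF.
# Sample dumps below are constructed; the chip page sizes are the assumed truth.

def upper_half_blank_ratio(dump, page_size=4096):
    """Fraction of non-erased pages whose upper half (page_size/2 .. page_size) is all
    0xFF. Fully erased pages are ignored, since they say nothing about page size."""
    half = page_size // 2
    erased_half = b"\xff" * half
    candidates = symptomatic = 0
    for off in range(0, len(dump) - page_size + 1, page_size):
        lower = dump[off:off + half]
        upper = dump[off + half:off + page_size]
        if lower == erased_half:
            continue
        candidates += 1
        if upper == erased_half:
            symptomatic += 1
    return symptomatic / candidates if candidates else 0.0


def likely_page_size(dump, configured=4096):
    """Halve the configured page size while every non-erased page has an erased upper
    half; the first size at which real data fills the whole page is the likely truth."""
    size = configured
    while size > 512 and upper_half_blank_ratio(dump, size) == 1.0:
        size //= 2
    return size


def constructed_dump(chip_page_size, configured=4096, pages=4, fill=b"\x12"):
    """Build what a dump looks like when a chip with chip_page_size pages is read with
    a tool configured for `configured` bytes per page (constructed, not a real image)."""
    real = fill * chip_page_size
    return (real + b"\xff" * (configured - chip_page_size)) * pages


if __name__ == "__main__":
    for chip in (4096, 2048, 1024):
        d = constructed_dump(chip)
        print("chip %4d: symptom ratio at 4k = %.2f, likely page size = %d"
              % (chip, upper_half_blank_ratio(d, 4096), likely_page_size(d, 4096)))
```

A ratio of 1.0 at the configured size is the pattern sarge saw; a ratio near 0 means the chip really does have pages of that size and the FF is ordinary erased space. Treat the result as a hint to confirm against the chip's datasheet, as the reply above suggests, rather than as proof.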
By rama December 13, 2011 - 6:50 pm
Hi, I bought an MP5 and wanted to load Neo Geo games onto it. I was told to change the firmware, but I don’t know which chip it has; the only thing the system says is “firmware p2_100423_int_us225…”. Many thanks in advance for your enthusiasm.
By openschemes December 14, 2011 - 7:58 pm
I don’t understand. Can you explain in a simple way what you would like to do?
Are you looking for new firmware? We don’t host firmware here, but maybe other users can help.