Hi All,
So recently I decided to dive into my dead-device bin and see what I could play with. The two items that stood out were two $800 tri-band routers/APs, both with firmware malfunctions that stop the devices from operating.
My plan of action is to somehow fix the firmware issues both have, so I started first with what stores the firmware.
Both devices have the same BCM947xx or BCM47xx (depending on which document you read), both have JTAG ports (I'll start another thread for that road) & both have the same Spansion S34ML01G1 128Mbit TSOP NANDs.
So I grabbed my hot air gun and proceeded to remove both NANDs and attach them to a couple of dev boards (namely two VCCGND-designed STM32F407ZG dev boards):
https://github.com/mcauser/VCC_GND_F407ZG
Finding basic NAND code on the net is fairly easy, both in Arduino format or plain C, so I set to dumping my NANDs.
This is where simple gets thrown out of the window.
Initially both dumps contained lots of zeros in random places. I assumed at first it was an assembly issue or a code issue, but no amount of resoldering or code changes seemed to fix the data reads using that code base (remember, I have no idea what I am doing here). However, all my code can read the IDs (8 bit using ID7-ID0), which are sent in 8 bits, correctly, confirming my soldering is good at least.
So I decided to do more research into ECC/spare areas and BBT, which got really complicated real fast.
Then I stumbled across the NANDO flash reader project. It uses an STM32F103 with FSMC to read NANDs, and being STM32 based it should be easy to port to F407, right? Right? Wrong lol
First off, the code base was based on ST's pre-HAL & pre-LL libs, so almost none of the h/w code would work with what I am using currently (ST HAL and LL libs), so I set out to update it first to HAL/LL and then port it to the STM32F407 chips I have on hand.
After giving myself a much unneeded bald patch, I finally got to a point where the code base can compile, upload and read a NAND:
https://github.com/darkspr1te/nand_flasher
(go easy on my coding skills as I am only a hobby programmer)
So progress, right? I can read the NAND, read the spare area, so we're done?
Well sadly no. You see, despite starting a complete new code base, rewriting all the reading routines and such, I have still got a batch of random zeros in my dump (remember, two different NANDs from two different pieces of hardware, but both have the zeros issue).
I have attached the dumps below and provided the source code I am currently using. I am wondering if anyone out there could give me a hint on how I can add the error correction code to dump the NANDs correctly.
I am studying the ASUSWRT-Merlin code base for the CFE (bootloader) and main kernel drivers for the NAND/MTD controls to see if there is some trick; an example would be that some NANDs store the spare area at the end, some at the start, plus a whole bunch of other factors I am still getting my head around.
But the main thing is: why is there always 144 bytes' worth of random numbers in my dump (I say random but it's normally 0x30 or 0x31, which displays as zero), and this 144 bytes of data is embedded every 1904 bytes? Initially I just changed the code to ignore this info and not dump it, but I feel that maybe I'm missing something here.
Here are the two NAND dumps, one from an ASUS RT-5300 and the other from a Netgear Nighthawk:
https://mega.nz/file/6YBCQBwJ#IeaDogYxYWdX2quDbTIy7ndJqZadEIX3vf1iG7d59CI
Before anyone says it, I'm not worried about stored passwords in these files; both networks they belonged to don't exist anymore, nor do the owners.
So I'm wondering if there is anyone out there that could clue me in to what that data is, and how do I use the spare area to correct dumped data?
I know it's a long shot, and even if nothing comes of this thread I will still continue to dig into it; maybe the info or code could help someone in the future.
Darkspr1te
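The post asks how spare-area ECC is used to correct a dumped page. The block below is an added worked example, written for this thread and not code from the poster's nand_flasher repository or from any router firmware. It assumes a constructed geometry (2048-byte pages with a 64-byte spare, dumped as data followed by spare) and the simplest scheme used by software NAND drivers: a 1-bit-correcting Hamming code over each 256-byte chunk, 3 ECC bytes per chunk, with the page's 24 ECC bytes stored at spare offset 40. The offset and the packing of the 22 parity bits into 3 bytes are this example's own choices, not something read from the RT-5300 or Nighthawk dumps; the Broadcom controller in those boxes has its own ECC scheme and spare layout, which is exactly what the CFE and MTD driver sources mentioned above define, so the constants here would have to be replaced with whatever those sources say before applying it to the real dumps.

```python
"""Spare-area ECC illustration for a raw NAND dump (added example, not the poster's code).

Constructed assumptions, not facts taken from the dumps in the thread:
  * geometry: 2048-byte pages with a 64-byte spare (OOB), dumped as data then spare
  * ECC: 1-bit-correcting Hamming code over 256-byte chunks, 3 ECC bytes per chunk
  * the 24 ECC bytes of a page live at spare offset 40
  * the packing of the 22 parity bits into 3 bytes is this example's own ordering
"""
import random

PAGE_SIZE = 2048
OOB_SIZE = 64
CHUNK = 256
ECC_PER_CHUNK = 3
ECC_OOB_OFFSET = 40   # assumed position of the ECC bytes inside the spare area


def parity8(byte: int) -> int:
    """XOR of the eight bits of one byte."""
    return bin(byte).count("1") & 1


def hamming_ecc_256(chunk: bytes) -> bytes:
    """16 line parities (LP0..LP15) over byte indexes, 6 column parities (CP0..CP5) over bit positions."""
    if len(chunk) != CHUNK:
        raise ValueError("chunk must be exactly 256 bytes")
    lp = [0] * 16   # LP[2k]: bytes whose index bit k is 0, LP[2k+1]: bytes whose index bit k is 1
    cp = [0] * 6    # CP[2k]: bit positions whose bit k is 0, CP[2k+1]: positions whose bit k is 1
    for index, byte in enumerate(chunk):
        p = parity8(byte)
        for k in range(8):
            lp[2 * k + ((index >> k) & 1)] ^= p
        for pos in range(8):
            bit = (byte >> pos) & 1
            for k in range(3):
                cp[2 * k + ((pos >> k) & 1)] ^= bit
    code = 0
    for i, v in enumerate(lp + cp):   # bit i of the code word carries parity i
        code |= v << i
    return code.to_bytes(ECC_PER_CHUNK, "little")


def hamming_correct_256(chunk: bytearray, stored_ecc: bytes) -> str:
    """Correct at most one flipped bit in chunk in place and report what happened."""
    syndrome = int.from_bytes(hamming_ecc_256(bytes(chunk)), "little") ^ int.from_bytes(stored_ecc, "little")
    if syndrome == 0:
        return "ok"
    if bin(syndrome).count("1") == 11:
        # a single data-bit error flips exactly one parity in each of the 11 LP/CP pairs;
        # the flipped half of each pair spells out the byte index and the bit position
        byte_idx = bit_idx = 0
        for k in range(8):
            pair = (syndrome >> (2 * k)) & 3
            if pair == 3:
                return "uncorrectable"
            byte_idx |= (pair >> 1) << k
        for k in range(3):
            pair = (syndrome >> (16 + 2 * k)) & 3
            if pair == 3:
                return "uncorrectable"
            bit_idx |= (pair >> 1) << k
        chunk[byte_idx] ^= 1 << bit_idx
        return f"corrected byte {byte_idx} bit {bit_idx}"
    if bin(syndrome).count("1") == 1:
        return "ecc-byte-error"   # the data is intact, the stored ECC byte itself was hit
    return "uncorrectable"        # two or more flipped bits: this code cannot fix them


def split_pages(dump: bytes):
    """Cut a raw data+spare dump into (data, spare) tuples, one per page."""
    stride = PAGE_SIZE + OOB_SIZE
    if len(dump) % stride:
        raise ValueError("dump length is not a whole number of data+spare pages")
    return [(dump[o:o + PAGE_SIZE], dump[o + PAGE_SIZE:o + stride]) for o in range(0, len(dump), stride)]


def correct_page(data: bytes, oob: bytes):
    """Run the chunk-wise correction over one page; returns (corrected data, per-chunk statuses)."""
    buf = bytearray(data)
    statuses = []
    for c in range(PAGE_SIZE // CHUNK):
        chunk = buf[c * CHUNK:(c + 1) * CHUNK]
        off = ECC_OOB_OFFSET + ECC_PER_CHUNK * c
        statuses.append(hamming_correct_256(chunk, oob[off:off + ECC_PER_CHUNK]))
        buf[c * CHUNK:(c + 1) * CHUNK] = chunk
    return bytes(buf), statuses


def build_page(data: bytes) -> bytes:
    """Construct a data+spare image with the ECC written at the assumed spare offset."""
    oob = bytearray(b"\xff" * OOB_SIZE)
    for c in range(PAGE_SIZE // CHUNK):
        off = ECC_OOB_OFFSET + ECC_PER_CHUNK * c
        oob[off:off + ECC_PER_CHUNK] = hamming_ecc_256(data[c * CHUNK:(c + 1) * CHUNK])
    return data + bytes(oob)


def demo():
    """Constructed round trip: build a page, flip one bit, recover it from the spare area."""
    rng = random.Random(1)
    original = bytes(rng.randrange(256) for _ in range(PAGE_SIZE))
    image = bytearray(build_page(original))
    image[700] ^= 0x04   # simulated read error: chunk 2, byte 188, bit 2
    data, oob = split_pages(bytes(image))[0]
    fixed, statuses = correct_page(data, oob)
    return fixed == original, statuses


if __name__ == "__main__":
    recovered, statuses = demo()
    print("page recovered:", recovered)
    for i, s in enumerate(statuses):
        print(f"chunk {i}: {s}")
```

The useful part for a dump like the ones above is the shape of the procedure rather than these particular constants: split the raw read into page and spare at the chip's real geometry, locate the controller's ECC bytes in the spare, compute the syndrome per chunk, and only then decide whether a run of odd bytes is corrupted data, an uncorrectable chunk, or simply spare/ECC bytes that the controller never meant to be read as data.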