Need help with a NAND Interposer and or NAND Dumping

[daijoubu]

How would I go about dumping a Samsung K9BKGD8J1A-TCB0 and or Toshiba TH58LJT0T24BA4M, data is partitioned across multiple NAND chips with a custom controller - what socket would I need and what software/hardware would I use to dump it? Even if its raw/encrypted data is sufficient enough for me.

The real goal would be to make a NAND Interposer. This would save a lot of effort as I need to be able to dump/monitor/write multiple times.

I am fine with reballing so if I must I can remove the NAND and put it on a socket (not sure which) and perhaps pop it on my XGECU, but according to its software, neither of the NAND chips are supported. So my knowledge has come to a halt.



Here's what it looks like on-board.

[dmendesf]

Looks like a PS5. What If you do the other way around: cut the PCIe lanes and plug them into a PC? Maybe only one lane (PCIe 1x) needs to be connected to make It work.

[moffy]

Looks like a PS5. What If you do the other way around: cut the PCIe lanes and plug them into a PC? Maybe only one lane (PCIe 1x) needs to be connected to make It work.

Every piece of PC hardware needs an appropriate PC/OS driver, which would be needed to make it work.

[dmendesf]

Last time I checked my OS had drivers for NVME controllers. Will they work with a PS5 drive? We don't know... But it's a good bet.

[DavidAlfa]

What a weird routing, some traces are smooth whole others are sharp.

[darkspr1te]

How would I go about dumping a Samsung K9BKGD8J1A-TCB0 and or Toshiba TH58LJT0T24BA4M, data is partitioned across multiple NAND chips with a custom controller - what socket would I need and what software/hardware would I use to dump it? Even if its raw/encrypted data is sufficient enough for me.

The real goal would be to make a NAND Interposer. This would save a lot of effort as I need to be able to dump/monitor/write multiple times.

I am fine with reballing so if I must I can remove the NAND and put it on a socket (not sure which) and perhaps pop it on my XGECU, but according to its software, neither of the NAND chips are supported. So my knowledge has come to a halt.



Here's what it looks like on-board.

Am no PS5 security expert , in fact i've never even held a controller but I'am going to assume theres encryption of the nands within the controller which will also handle wear leveling etc , so your prob better targeting the other side of the controller first  , I dont think though that even if you cloned all the nands and moved them to a new system would it work due too cpu key, bus keys (maybe) , data save keys and dvd reading/usb save keys.

I would look at the hard to find docs on ps5 "spoilts" in the wild as a lot of them cover this in detail, including those that do repair which btw you can buy nand interposers used for data recovery ( originally aimed at macbook with m/b nands) , so check Louis Rossmann videos , theres also russian fellow who produced a pcb design that had a sram+fpga+buffers+nand interposer all on flexi-cable (onetime thing though, resolder was a problem)
last note, check data recovery videos on internet as they change and some now support more nand based devices like nvme systems and can recover wear level data etc



darkspr1te

[daijoubu]

Well there is a video online of a repairer swapping a single NAND chip with one from a donor as a means to test a repair, it succeeded strangely enough. Console booted and simply requested a firmware reinstall. He could have just been lucky and picked that one NAND that had no real importance, or the entire set of NAND chips arent truely reliant on each other. Note, from my discussions with other colleagues the actual NAND Controller chip in the middle is also not tied to any particular console and can be swapped.

So now I am curious what would happen if every NAND was put on another console....

Anyways it would be great if I could duplicate this repair method WITHOUT de-soldering any NANDs or using any physical donors. An interposer would allow me then to simply load a generic copy of a NAND and perhaps re-flash a faulty NAND chip (which could be corrupt or otherwise).

A colleague suggested I buy this: https://www.techpowerup.com/ssd-specs/kingston-kc2500-1-tb.d264 and simply swap its NANDs with that of the PS5 as it also uses TH58LJT0T24BA4M. From here I can use DD to clone them and use them as a means of recovery/repair.

If the actual data within the NAND has parts that arent encrypted, well that leads to novel discoveries and potentially more repair avenues.

Researching this stuff is a bit hard for me as I truly know nothing on the subject beyond dumping/flashing smaller and less complicated chips.

[darkspr1te]

When the tech swapped the NAND and the ps5 reported reinstall required is because it would have seen the drive as currupt (either due to nothing where the data is ment to be on the nand or encryption crc fail ) and using it's stored elsewhere recovery code it will do a reinstall from internet files and format the nands as a whole.
the thing about nands that differ from other flash types is the wear leveling and data allocation system provided by the controller, because of this  quite a few macbooks with direct soldered on board ssd's were left without much option of data recovery you can sorta us device like the PC-3000 though , this tool is able to work out the wear level data structure and using the cloud system get up to date data on what formula that chip used for wear leveling and data layouts. how ever no adapters exist to resolder the chips too for on board ssd ( at least according to the website ) that does not already have existing nand controller on board.

As far a repair goes yes swapping out nands is valid , but in terms of hacking then a lot of it will be specific to that system only a prob requires the system specific key from cpu to decrypt (at least according to my basic reading of how ps5 store data)  , I would suggest your read failoverflows() tweets and link as well as wooloo aboute the symmetrical key system


darkspr1te

[Haenk]

I'd says there is zero chance for a success of hacking the device.
Eventually you might be able to read the content of the Flash devices - but that's all encrypted stuff.
A team of hundreds of experts worked for years on protecting the latest consoles from happening exactly what your are hoping to do. (They still might have made exploitable errors, but that's unlikely.)
Either you are a hardware genius, being able to extract the physically protected keys from somewhere inside the controllers, or go the software-bug-crash way (which is IMHO the only way to circummvent all the implemented hardware-level protections).

[zona-zona]

Hello. There is a programmer that managed to connect to this chip. I wrote the page size, block size and plan size in the program. I read the microcircuit, but the data is not correct, out of 16kb on the page only 8kb is written, the second half of the page is empty. The programmer developer is ready to add a reading algorithm if he is provided with a datasheet for this chip, or at least for a chip with similar parameters:
page size 16kb
block size 1152 pages
plan size 1822 blocks
TLC 96-layer
If I manage to read the microcircuit, it will be possible to copy information from faulty microcircuits to a working one without decryption and get rid of errors (CE-108255-1) and crashes from games.
If anyone can help us find such datasheets, then perhaps we will get a working option for copying microcircuits.
I apologize for the not very correct text, I wrote through a translator

[sunraider20]

Information on this chip is criminally difficult to find, I can only find mention of it on the ps5 dev wiki and some chinese websites that I cant even access. However, I was able to isolate the chips bga type from a stencil some guy on youtube was using to reball one of the ps5s SSDs. I've been able to deduce that the chip profile is BGA152. If you look up BGA152 pinout online, you may be able to find the information you're looking for. It might not be the exact right pinout, but I would imagine that I would be fairly close. And if not something is better than nothing, even if it's not correct, we may be able to figure out the correct pin out. I was also able to find this? https://www.google.com/url?sa=i&url=http%3A%2F%2Fadreca.net%2FNAND-Flash-Data-Recovery-Cookbook.pdf&psig=AOvVaw0Vc_lfK2lulvTEHJV8NoRl&ust=1713775235210000&source=images&cd=vfe&opi=89978449&ved=0CBUQ3YkBahcKEwi43-Kl9NKFAxUAAAAAHQAAAAAQWA maybe it could help us dump the contents of the chips as it gives info and data on the bga152 memory chips.