Difference between revisions of "Monolith pinout search guide"

From Z3X-TEAM
Jump to: navigation, search
 
(7 intermediate revisions by the same user not shown)
Line 2: Line 2:
 
''This article was planned as a short guide for monolith pinout research. The main idea of this article is not to study step-by-step how to search pinout in all possible cases, but to understand the main principle and main idea of this process which is rather complicated and required a lot of experience. In other words – this article is posted “as it is”. We don’t want to say that the current example is the best one, and all tools and hints that we are describing would be the best choiсe in the world. Exist a lot of methods, and we are going to share only one of them''.<br>
 
''This article was planned as a short guide for monolith pinout research. The main idea of this article is not to study step-by-step how to search pinout in all possible cases, but to understand the main principle and main idea of this process which is rather complicated and required a lot of experience. In other words – this article is posted “as it is”. We don’t want to say that the current example is the best one, and all tools and hints that we are describing would be the best choiсe in the world. Exist a lot of methods, and we are going to share only one of them''.<br>
  
[[File:21.jpg|200px|thumb|left|PINOUT]]
+
[[File:21.jpg|200px|thumb|left|pic.1,PINOUT]]
  
 
PC-3000 products are produced for data recovery, but monolith pinout research is an additional branch (rather large by the way) which is not contact with our technology directly. It’s the additional market, with its own “underwater rocks”, problems and profits. That’s why we provide only overview information, for better understanding and realizing ''“Do I really want to spend my life for dealing with this pinout research or not?”''<br>
 
PC-3000 products are produced for data recovery, but monolith pinout research is an additional branch (rather large by the way) which is not contact with our technology directly. It’s the additional market, with its own “underwater rocks”, problems and profits. That’s why we provide only overview information, for better understanding and realizing ''“Do I really want to spend my life for dealing with this pinout research or not?”''<br>
Line 9: Line 9:
 
=== Equipment preparing ===
 
=== Equipment preparing ===
  
In our article, we will start our research line from the point where we will use '''healthy monolith'''. Of course, sometimes we can try to find pinout even if we have only damaged monolith. But this process would be more complicated, and sometimes it will not provide any result after a long time of attempts to get it. Why should we use healthy donor monolith? Because for detecting some bus lines and command lines, we should make writing operations on monolith. And of course, in case of real corruption, all writing operations would be impossible to make with damaged monolith. So, here are 3 main things that we should have before starting:<br>
+
In our article, we will start our research line from the point where we will use '''healthy monolith'''. Of course, sometimes we can try to find pinout even if we have only damaged monolith. But this process would be more complicated, and sometimes it will not provide any result after a long time of attempts to get it. Why should we use healthy donor monolith? Because for detecting some bus lines and command lines, we should make writing operations on monolith. And of course, in case of real corruption, all writing operations would be impossible to make with damaged monolith. So, here are 3 main things that we should have before starting - see attached(pic.2)
  
[[File:0-1.jpg|200px|thumb|left|before starting]]
+
[[File:0-1.jpg|200px|thumb|left|pic.2,before starting]]
  
 
If you don’t have patience – better even not to start this process at all. You will save your time and your nerves.<br>
 
If you don’t have patience – better even not to start this process at all. You will save your time and your nerves.<br>
  
  
Ok, what about other equipment? Let's see…<br>
+
Ok, what about other equipment? Let's see…(pic.3)<br>
  
[[File:1-1.jpg|200px|thumb|left|equipment]]
+
[[File:1-1.jpg|200px|thumb|left|pic.3, Equipment]]
  
 
==== Healthy Monolith with the same pinout, as our damaged monolith have. ====
 
==== Healthy Monolith with the same pinout, as our damaged monolith have. ====
Line 34: Line 34:
  
 
=== STEP 1. Goals and first connection ===
 
=== STEP 1. Goals and first connection ===
[[File:2.png|200px|thumb|left| Find the following contacts]]
+
[[File:2.png|200px|thumb|left| pic.4, Find the following contacts]]
[[File:3.png|200px|thumb|left| MicroSD to SD adapter ]]
+
[[File:3.png|200px|thumb|right|pic.5, MicroSD to SD adapter ]]
[[File:0-0.jpg|200px|thumb|left|Another example construction of soldering]]
+
[[File:00.jpg|200px|thumb|right|pic.6, Another example construction of soldering]]
[[File:4-1.jpg|200px|thumb|left| Plug all Digital Logical Analyser contacts to Monolith]]
+
[[File:4-1.jpg|200px|thumb|left|pic.7, Plug all Digital Logical Analyser contacts to Monolith]]
What we are looking for? We are trying to find all technological outputs signals, which will help us to find pinout. In our example, we will take a common MicroSD card with 8-bit bus line. Finally, we should find the following contacts:
+
What we are looking for? We are trying to find all technological outputs signals, which will help us to find pinout. In our example, we will take a common MicroSD card with 8-bit bus line. Finally, we should find the following contacts(pic.4):
  
 
Usually, VCC and GND are not required to be found on technological pins. You can just use a default Monolith interface for providing the power supply. But of course, sometimes GND and VCC pins could be also found on technological pinouts, and we recommend to check all pins and found GND and VCC on pin map too. It will help us to detect pins that we should exclude from research.
 
Usually, VCC and GND are not required to be found on technological pins. You can just use a default Monolith interface for providing the power supply. But of course, sometimes GND and VCC pins could be also found on technological pinouts, and we recommend to check all pins and found GND and VCC on pin map too. It will help us to detect pins that we should exclude from research.
  
Let's prepare our monolith. As we told before, it’s a MicroSD card which we are going to solder to special Circuit PCB for convenient working process. We should solder wires to all targeting pins (excluding VCC and GND). The main idea of this preparation – Monolith should be soldered through techno pins + should be connected with SD or microSD interface. In our example we put microSD to SD adapter for making reading and writing operations on it.
+
Let's prepare our monolith. As we told before, it’s a MicroSD card which we are going to solder to special Circuit PCB for convenient working process. We should solder wires to all targeting pins (excluding VCC and GND). The main idea of this preparation – Monolith should be soldered through techno pins + should be connected with SD or microSD interface. In our example we put microSD to SD adapter for making reading and writing operations on it(pic.5)
  
But construction of soldering might be different. It’s only example 🙂
+
But construction of soldering might be different. It’s an only example(pic.6)
 
+
Finally, we should plug all Digital Logical Analyser contacts to our Monolith, and prepare everything like this: (pic.7)
Finally, we should plug all Digital Logical Analyser contacts to our Monolith, and prepare everything like this:
 
  
 
=== STEP 2. Logical Analyser Interface and steps of Monolith initialization ===
 
=== STEP 2. Logical Analyser Interface and steps of Monolith initialization ===
 +
[[File:5-3.jpg|200px|thumb|right|pic.8,Commands which send on monolith after power supply]]
 +
[[File:7-2.jpg|200px|thumb|right|pic.9,Command cycles for NAND flash operations]]
 +
[[File:8-2.jpg|200px|thumb|left|pic.10,АКИП-9102 Logical Analyser software]]
 +
First of all we should remember, that every time when we starting the power supply on the healthy monolith, it makes some steps for reaching it initialization status. Here is the example of commands which are going to be sent on monolith after power supply (pic.8,9)
  
First of all we should remember, that every time when we starting the power supply on healthy monolith, it makes some steps for reaching it initialization status. Here is the example of commands which are going to be send on monolith after power supply:
+
With the help of documentation, we can try to detect how our lines will be changed after the power supply. We can compare signals from Logical Analyser with our documentation schemes, and finally – find their values.
 
 
With the help of documentation, we can try to detect how our lines will be changed after power supply. We can compare signals from Logical Analyser with our documentation schemes, and finally – find their values.
 
  
Here is the main screen of АКИП-9102 Logical Analyser software. We found that from 24 lines, 8 – are connected to GND, VCC or not changing their status after POWER ON. That’s why we leave only 16 of them – those lines, which are changing their values. Settings of LA you can see below:
+
Here is the main screen of АКИП-9102 Logical Analyser software. We found that from 24 lines, 8 – are connected to GND, VCC or not changing their status after POWER ON. That’s why we leave only 16 of them – those lines, which are changing their values. Settings of LA you can see on pic.10
  
 
Also, please note that PC-based Logical Analysers (further – LA) doesn’t have enough RAM for showing you changes by all lines in real time. That’s why during first 5-10 seconds after power supply, LA make a snapshot (it situated below in the screen) that will allow us to move along it, change the scale and see how lines are changing.
 
Also, please note that PC-based Logical Analysers (further – LA) doesn’t have enough RAM for showing you changes by all lines in real time. That’s why during first 5-10 seconds after power supply, LA make a snapshot (it situated below in the screen) that will allow us to move along it, change the scale and see how lines are changing.
  
 
=== STEP 3. Pinout Research. Command Line ===
 
=== STEP 3. Pinout Research. Command Line ===
 +
[[File:9-2 (1).jpg |200px|thumb|right|pic.11,POWER ON Command]]
 +
[[File:10-2.jpg|200px|thumb|right|pic.12, RESET Command]]
 +
[[File:11-2.jpg|200px|thumb|right|pic.13,RESET Command]]
 +
[[File:12-1.jpg|200px|thumb|right|pic.14,READING ID Command (90h)]]
 +
[[File:13-1.jpg|200px|thumb|right|pic.15,READING ID Command (90h)]]
 +
[[File:14-1.jpg|200px|thumb|right|pic.16,READING ID Command (90h)]]
 +
[[File:15-1.jpg|200px|thumb|right|pic.17,READING ID Command (90h)]]
 +
[[File:16-1.jpg|200px|thumb|right|pic.18,READING ID Command (90h)]]
  
Using documentation for NAND signals we know that the first 4 contacts which makes a small jump after Power Supply – CE, RE, R/B, WE. Right now we don’t know where are exactly each of them, but at least we know that those 4 lines – are our the targets.
+
Using documentation for NAND signals we know that the first 4 contacts which makes a small jump after Power Supply – CE, RE, R/B, WE. Right now we don’t know where are exactly each of them, but at least we know that those 4 lines – are our the targets(pic.11)
 
 
Next, lets try to detect where our BUS Group and WE, R/B are situated. Using the following scheme, we will detect where all of them are situated. We know that all lines in I/Ox (Bus line) should goes UP, when WE goes down. After some tome, R/B also should goes down. Lets see:
 
 
 
////////////////////////
 
  
Then, lets try to find CLE, ALE and RE using the same algorithm:
+
Next, lets try to detect where our BUS Group and WE, R/B are situated. Using the following scheme, we will detect where all of them are situated. We know that all lines in I/Ox (Bus line) should goes UP, when WE goes down. After some tome, R/B also should goes down. Lets see:(pic.12,13)<br>
  
CLE goes UP when WE goes DOWN:
+
Then, lets try to find CLE, ALE and RE using the same algorithm:(pic.14)<br>
  
//////////////////////////
+
CLE goes UP when WE goes DOWN:(pic.15)<br>
  
ALE goes UP when WE goes DOWN, some time after CLE:
+
ALE goes UP when WE goes DOWN, some time after CLE:(pic.16)
  
RE goes UP-DOWN, UP-DOWN, UP-DOWN:
+
RE goes UP-DOWN, UP-DOWN, UP-DOWN:(pic.17)<br>
  
Finally, we know WE, R/B and RE. Now, we can detect CE if we will return back on the first screen:
+
Finally, we know WE, R/B and RE. Now, we can detect CE if we will return back on the first screen:(pic.18)
  
 
Now, all command lines are found. Next step would be – searching for the Bus Lines.
 
Now, all command lines are found. Next step would be – searching for the Bus Lines.
  
 
=== STEP 4. BUS line detection ===
 
=== STEP 4. BUS line detection ===
 +
[[File:17.jpg|200px|thumb|right|pic.19,]]
 +
[[File:18.jpg|200px|thumb|right|pic.20,]]
 +
[[File:19.jpg|200px|thumb|right|pic.21,]]
 +
[[File:20.jpg|200px|thumb|right|pic.22,]]
  
 
Bus line detection would be the most complicated step, because for most cases we have to write bytes on monolith and read them to detect which lines are changing. But in our example we will describe another way which is not required any writing operations.
 
Bus line detection would be the most complicated step, because for most cases we have to write bytes on monolith and read them to detect which lines are changing. But in our example we will describe another way which is not required any writing operations.
  
Lets check our monolith more detail. We know that manufacture is Toshiba, and capacity of this chip is 8GB. Using information about chip ID, we can try to imagine what is the first two bytes should be in our monolith:
+
Lets check our monolith more detail. We know that manufacture is Toshiba, and capacity of this chip is 8GB. Using information about chip ID, we can try to imagine what is the first two bytes should be in our monolith:(pic.19)<br>
  
Then, lets try to find how our lines in BUS area are changing:
+
Then, lets try to find how our lines in BUS area are changing:(pic.20)<br>
 +
And after that, lets try to split our screen on the areas where BUS lines are changing. It will help us to detect commands that have been read:(pic.21)<br>
 +
And the same for second part:(pic.22)<br>
  
f course in our example we put all BUS lines together, one by one. In real case they would be mixed. But this information will help you to detect how to find group of lines and how to detect all I/O lines.
+
Of course in our example we put all BUS lines together, one by one. In real case they would be mixed. But this information will help you to detect how to find group of lines and how to detect all I/O lines.
  
Finally, we can say that pinout has been found. And now we can try to start solder wires to real monolith, and read it content in DUMP file 🙂
+
Finally, we can say that pinout has been found. And now we can try to start solder wires to real monolith, and read it content in DUMP file?

Latest revision as of 09:45, 10 June 2019

Description

This article was planned as a short guide for monolith pinout research. The main idea of this article is not to study step-by-step how to search pinout in all possible cases, but to understand the main principle and main idea of this process which is rather complicated and required a lot of experience. In other words – this article is posted “as it is”. We don’t want to say that the current example is the best one, and all tools and hints that we are describing would be the best choiсe in the world. Exist a lot of methods, and we are going to share only one of them.

pic.1,PINOUT

PC-3000 products are produced for data recovery, but monolith pinout research is an additional branch (rather large by the way) which is not contact with our technology directly. It’s the additional market, with its own “underwater rocks”, problems and profits. That’s why we provide only overview information, for better understanding and realizing “Do I really want to spend my life for dealing with this pinout research or not?”

So, where should we start? Of course – from

Equipment preparing

In our article, we will start our research line from the point where we will use healthy monolith. Of course, sometimes we can try to find pinout even if we have only damaged monolith. But this process would be more complicated, and sometimes it will not provide any result after a long time of attempts to get it. Why should we use healthy donor monolith? Because for detecting some bus lines and command lines, we should make writing operations on monolith. And of course, in case of real corruption, all writing operations would be impossible to make with damaged monolith. So, here are 3 main things that we should have before starting - see attached(pic.2)

pic.2,before starting

If you don’t have patience – better even not to start this process at all. You will save your time and your nerves.


Ok, what about other equipment? Let's see…(pic.3)

pic.3, Equipment

Healthy Monolith with the same pinout, as our damaged monolith have.

We should find exactly the same model, with the same capacity and brand, which have the same technological pinout on the bottom side of the chip;

Logical Analyser

If you can buy a good Logical Analyser with the price of 6000-10000$ – it would be perfect. But for beginners we recommend to use PC-Based Logical Analysers with the price of 500-1000$. We can recommend:

  • АКИП-9102 – Russian Model with 32 channels and 200MHz Frequency. It also contains ENGLISH menu and it’s convenient to use even for foreign customers;
  • GoodWill GLA-1032 – the same twin-brother to АКИП-9102 with 32 channels, 200MHz Frequency and almost the same interface.
  • Actually, you can buy any logical analyzer that you want. The main terms – it should have at least 32 channels and support 200MHz Frequency.

In our example we will use PC-3000 Flash with Card Adapter, but in real life you can use a common Card Reader. The only thing – it would be more complicated to control the power supply on on it. Sometimes we will need to switch it ON/OFF;

Circuit PCB

actually, it’s just a specific board for more convenient soldering wires on MicroSD. You can try to find similar boards in Aliexpress or in Amazon;

ONFI documentation

ONFI documentation with description of NAND signals (pretty useful for our task!).

STEP 1. Goals and first connection

pic.4, Find the following contacts
pic.5, MicroSD to SD adapter
pic.6, Another example construction of soldering
pic.7, Plug all Digital Logical Analyser contacts to Monolith

What we are looking for? We are trying to find all technological outputs signals, which will help us to find pinout. In our example, we will take a common MicroSD card with 8-bit bus line. Finally, we should find the following contacts(pic.4):

Usually, VCC and GND are not required to be found on technological pins. You can just use a default Monolith interface for providing the power supply. But of course, sometimes GND and VCC pins could be also found on technological pinouts, and we recommend to check all pins and found GND and VCC on pin map too. It will help us to detect pins that we should exclude from research.

Let's prepare our monolith. As we told before, it’s a MicroSD card which we are going to solder to special Circuit PCB for convenient working process. We should solder wires to all targeting pins (excluding VCC and GND). The main idea of this preparation – Monolith should be soldered through techno pins + should be connected with SD or microSD interface. In our example we put microSD to SD adapter for making reading and writing operations on it(pic.5)

But construction of soldering might be different. It’s an only example(pic.6) Finally, we should plug all Digital Logical Analyser contacts to our Monolith, and prepare everything like this: (pic.7)

STEP 2. Logical Analyser Interface and steps of Monolith initialization

pic.8,Commands which send on monolith after power supply
pic.9,Command cycles for NAND flash operations
pic.10,АКИП-9102 Logical Analyser software

First of all we should remember, that every time when we starting the power supply on the healthy monolith, it makes some steps for reaching it initialization status. Here is the example of commands which are going to be sent on monolith after power supply (pic.8,9)

With the help of documentation, we can try to detect how our lines will be changed after the power supply. We can compare signals from Logical Analyser with our documentation schemes, and finally – find their values.

Here is the main screen of АКИП-9102 Logical Analyser software. We found that from 24 lines, 8 – are connected to GND, VCC or not changing their status after POWER ON. That’s why we leave only 16 of them – those lines, which are changing their values. Settings of LA you can see on pic.10

Also, please note that PC-based Logical Analysers (further – LA) doesn’t have enough RAM for showing you changes by all lines in real time. That’s why during first 5-10 seconds after power supply, LA make a snapshot (it situated below in the screen) that will allow us to move along it, change the scale and see how lines are changing.

STEP 3. Pinout Research. Command Line

pic.11,POWER ON Command
pic.12, RESET Command
pic.13,RESET Command
pic.14,READING ID Command (90h)
pic.15,READING ID Command (90h)
pic.16,READING ID Command (90h)
pic.17,READING ID Command (90h)
pic.18,READING ID Command (90h)

Using documentation for NAND signals we know that the first 4 contacts which makes a small jump after Power Supply – CE, RE, R/B, WE. Right now we don’t know where are exactly each of them, but at least we know that those 4 lines – are our the targets(pic.11)

Next, lets try to detect where our BUS Group and WE, R/B are situated. Using the following scheme, we will detect where all of them are situated. We know that all lines in I/Ox (Bus line) should goes UP, when WE goes down. After some tome, R/B also should goes down. Lets see:(pic.12,13)

Then, lets try to find CLE, ALE and RE using the same algorithm:(pic.14)

CLE goes UP when WE goes DOWN:(pic.15)

ALE goes UP when WE goes DOWN, some time after CLE:(pic.16)

RE goes UP-DOWN, UP-DOWN, UP-DOWN:(pic.17)

Finally, we know WE, R/B and RE. Now, we can detect CE if we will return back on the first screen:(pic.18)

Now, all command lines are found. Next step would be – searching for the Bus Lines.

STEP 4. BUS line detection

pic.19,
pic.20,
pic.21,
pic.22,

Bus line detection would be the most complicated step, because for most cases we have to write bytes on monolith and read them to detect which lines are changing. But in our example we will describe another way which is not required any writing operations.

Lets check our monolith more detail. We know that manufacture is Toshiba, and capacity of this chip is 8GB. Using information about chip ID, we can try to imagine what is the first two bytes should be in our monolith:(pic.19)

Then, lets try to find how our lines in BUS area are changing:(pic.20)
And after that, lets try to split our screen on the areas where BUS lines are changing. It will help us to detect commands that have been read:(pic.21)
And the same for second part:(pic.22)

Of course in our example we put all BUS lines together, one by one. In real case they would be mixed. But this information will help you to detect how to find group of lines and how to detect all I/O lines.

Finally, we can say that pinout has been found. And now we can try to start solder wires to real monolith, and read it content in DUMP file?