FlashNYC
Joined: 14 Apr 2011
Posts: 133
Location: EARTH
|
Posted: Sat Oct 01, 2011 4:37 Post subject: Like a Challenge? HTC_-_HD2_-_Nand: Samsung KBY00U00VM-B50
|
|
Got a client with a mobile phone that won't boot (to allow forensics/recovery).
I don't have a JTAG/JRT connector (yet).
Anyone know if recovery is possible out of direct connection to the NAND?
Should I expect encrypted data?
Specs:
Parent Device Type: Mobile Smart-Phone
Parent Device MFG: HTC
Parent Device Model: HD2
Carrier: T-Mobile (USA)
NAND MFG: Samsung
NAND Type: KBY00U00VM-B50
Does anyone have any schematics to JTAG/JRT access the phone?
I would assume I can dump through the JTAG/JRT connector.
I would appreciate any help ASAP.
Thanks
|
Inside the HTC HD2
This side has the Memory Chip.
The other the Main CPU + WiFi Chip.
|
|
Vladus

Joined: 01 Dec 2009
Posts: 5529
Location: Earth
|
Posted: Mon Oct 03, 2011 15:45 Post subject:
|
|
We got no experience with it
|
|
|
jeremyb

Joined: 09 Dec 2008
Posts: 1950
Location: RecoverMyFlashDrive.com Bridgeport, CT, USA
|
Posted: Mon Oct 03, 2011 16:34 Post subject:
|
|
|
That doesn't look like NAND to me, looks like SRAM
|
|
|
Mike

Joined: 16 Feb 2006
Posts: 205
Location: UK
|
Posted: Mon Oct 03, 2011 17:27 Post subject:
|
|
JTAG: You need the BSDL file for the processor. Then you need to know where to connect JTAG to PCB.. A pinout of the processor is useful too
Once here, you then need to know what info you are looking for. There are many 'phone phreaks and hackers' that will have done a lot of this type of work. So you could try searching phone phreaking/hacking forums for this type of thing.
|
|
|
FlashNYC
Joined: 14 Apr 2011
Posts: 133
Location: EARTH
|
Posted: Tue Oct 04, 2011 8:14 Post subject: I think it is a NAND according to the JTAG gurus..
|
|
| jeremyb wrote: | | That doesn't look like NAND to me, looks like SRAM |
I think it is according to the JTAG gurus..
"""""""""""""""""""""""""""""""""
Flash Map:
- Block Count: 0x1000
- Block Size: 0x40 pages
- Page Size: 0x800 bytes
- Total Page Size: 0x840
""""""""""""""""""""""""""""""""""""""
|
|
|
FlashNYC
Joined: 14 Apr 2011
Posts: 133
Location: EARTH
|
Posted: Tue Oct 04, 2011 8:20 Post subject:
|
|
| Mike wrote: | JTAG: You need the BSDL file for the processor. Then you need to know where to connect JTAG to PCB.. A pin-out of the processor is useful too
Once here, you then need to know what info you are looking for. There are many 'phone phreaks and hackers' that will have done a lot of this type of work. So you could try searching phone phreaking/hacking forums for this type of thing. |
Thanks Mike,
I know I can buy the JTAG tools, etc.. I know the pin-out for JTAG connectivity...
but what I was wondering is if it's accessible through the NAND reader using an adapter...
I'm curious if a dump is made, if it will be similar to Flash memory on SD cards etc.. or encrypted or formatted differently...
According to the JTAG developers.. they say a dump or similar requires a hard reset..
So my worry is having personal data deleted in the process.
I hear I can dump ("Full Backup") the Memory through JTAG (as to how much... I have no idea yet).
|
|
|
jeremyb

Joined: 09 Dec 2008
Posts: 1950
Location: RecoverMyFlashDrive.com Bridgeport, CT, USA
|
Posted: Tue Oct 04, 2011 9:39 Post subject: Re: I think it is a NAND according to the JTAG gurus..
|
|
| FlashNYC wrote: | | jeremyb wrote: | | That doesn't look like NAND to me, looks like SRAM |
I think it is according to the JTAG gurus..
"""""""""""""""""""""""""""""""""
Flash Map:
- Block Count: 0x1000
- Block Size: 0x40 pages
- Page Size: 0x800 bytes
- Total Page Size: 0x840
"""""""""""""""""""""""""""""""""""""" |
Something is not right with those specs.
http://www.htc.com/us/products/t-mobile-hd2/#tech-specs
The Flash Map is ~512MB, the specs say 1GB ROM w/ 576MB RAM.
K9 is the Samsung P/N for NAND, not KB, K8 is NOR memory, maybe you misread it, I can't tell from the picture.
It's also possible the ROM is embedded in the CPU.
|
|
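The arithmetic behind the ~512MB figure above, together with how a raw dump of that geometry separates into data and spare (OOB) bytes. This is an added example, not part of the original thread; it assumes each 0x840-byte raw page is 0x800 data bytes followed by its 0x40 spare bytes, which depends on the NAND controller, and the sample dump is constructed.

```python
# Geometry quoted in the thread's "Flash Map"
BLOCK_COUNT = 0x1000      # blocks on the device
PAGES_PER_BLOCK = 0x40    # pages per block
PAGE_SIZE = 0x800         # data bytes per page
TOTAL_PAGE_SIZE = 0x840   # data + spare (OOB) bytes per page


def capacity(block_count, pages_per_block, page_size, total_page_size):
    """Return (data_bytes, raw_dump_bytes, spare_bytes_per_page)."""
    pages = block_count * pages_per_block
    return pages * page_size, pages * total_page_size, total_page_size - page_size


def split_dump(raw, page_size=PAGE_SIZE, total_page_size=TOTAL_PAGE_SIZE):
    """Split a raw chip dump into (data, spare, erased_page_indexes).

    ASSUMPTION: spare bytes follow the data bytes of each page. Some
    controllers interleave ECC with data, so verify on a known dump first.
    """
    if len(raw) % total_page_size:
        raise ValueError("dump length is not a whole number of raw pages")
    data, spare, erased = bytearray(), bytearray(), []
    for index in range(len(raw) // total_page_size):
        page = raw[index * total_page_size:(index + 1) * total_page_size]
        if page.count(0xFF) == total_page_size:  # erased NAND reads back as 0xFF
            erased.append(index)
        data += page[:page_size]
        spare += page[page_size:]
    return bytes(data), bytes(spare), erased


def build_sample_dump():
    """Constructed sample: three raw pages (written, erased, written)."""
    spare_len = TOTAL_PAGE_SIZE - PAGE_SIZE
    first = b"A" * PAGE_SIZE + b"\x00" * spare_len
    last = b"B" * PAGE_SIZE + b"\x00" * spare_len
    return first + b"\xff" * TOTAL_PAGE_SIZE + last


if __name__ == "__main__":
    data_bytes, raw_bytes, spare_per_page = capacity(
        BLOCK_COUNT, PAGES_PER_BLOCK, PAGE_SIZE, TOTAL_PAGE_SIZE)
    print(f"data area: {data_bytes // 2**20} MiB, raw dump: {raw_bytes} bytes, "
          f"spare per page: {spare_per_page} bytes")
    data, spare, erased = split_dump(build_sample_dump())
    print(f"data={len(data)} spare={len(spare)} erased pages={erased}")
```

A chip-off or JTAG image whose size matches the raw figure rather than the data figure still contains the spare area and needs this split before file-system tools will parse it.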
|
dobrevjetser

Joined: 18 Oct 2007
Posts: 415
Location: Belgium
|
Posted: Mon Oct 17, 2011 18:08 Post subject:
|
|
I did a similar job some time ago on a phone that was crashed by a train.
The NandFlash was intact and I could read it with a programmer.
Normally data inside flash is stored straight, there is no mix.
My case however, was a Nokia; have no idea for HTC.
I could recover sms and phonebook.
Marc
|
|
|
HaQue
Joined: 16 Feb 2013
Posts: 473
Location: Adelaide, Australia
|
Posted: Thu May 05, 2016 20:18 Post subject:
|
|
I know this is old.
I am doing a job like this now, also a Qualcomm CPU. The other chip in my case is VFBGA (Very Fine BGA) 130-Ball 2GB+1GB NAND+LPDDR (low power DDR RAM). My chip is made by JeJu Semiconductor, JSFBAC2N72ABA-450.
NAND Density: 2G
NAND Bus : x16
NAND Type: SLC
NAND Voltage : 1.8v
DRAM Density: 1G
DRAM Bus : x16
DRAM Type: LPDDR1
DRAM Voltage : 1.8v
ECC :1-Bit
Package: VBGA130-Ball (8mm x 9mm)
I could not find a datasheet, but after looking for similar cross-reference parts I was able to find a Micron with the same characteristics, and a datasheet. Checked the pinout for NAND and all regular control signals are present, with data I/O as well. The VCC and GND ball pads were in the same place, so I am halfway through wiring it up to test.
|
|
|
|