Reverse Engineering NAND Flash

Similar documents
Introduction p. 1 Why Linux? p. 2 Embedded Linux Today p. 3 Open Source and the GPL p. 3 Free Versus Freedom p. 4 Standards and Relevant Bodies p.

Mobile phones Memory technologies MMC, emmc, SD & UFS

Anatomy of Linux flash file systems

The Early System Start-Up Process. Group Presentation by: Tianyuan Liu, Caiwei He, Krishna Parasuram Srinivasan, Wenbin Xu

ECE 598 Advanced Operating Systems Lecture 19

D1Y - Embedded Linux with Yocto

NAND/MTD support under Linux

D1S - Embedded Linux with Ac6 System Workbench

Filesystem. Disclaimer: some slides are adopted from book authors slides with permission

The kernel constitutes the core part of the Linux operating system. Kernel duties:

Android Bootloader and Verified Boot

PL-I Assignment Broup B-Ass 5 BIOS & UEFI

IPL+UBI: Flexible and Reliable with Linux as the Bootloader

Data Block. Data Block. Copy A B C D P HDD 0 HDD 1 HDD 2 HDD 3 HDD 4 HDD 0 HDD 1

Compressed Swap for Embedded Linux. Alexander Belyakov, Intel Corp.

Linux+ Guide to Linux Certification, Third Edition. Chapter 2 Linux Installation and Usage

1 The Linux MTD, YAFFS Howto

Embedded Linux Primer, Second Edition

Boot. How OS boots

Disks and RAID. CS 4410 Operating Systems. [R. Agarwal, L. Alvisi, A. Bracy, E. Sirer, R. Van Renesse]

NVDIMM Overview. Technology, Linux, and Xen

Course 55187B Linux System Administration

CST8177 Linux II. Linux Boot Process

Flash File Systems Overview

Yiying Zhang, Leo Prasath Arulraj, Andrea C. Arpaci-Dusseau, and Remzi H. Arpaci-Dusseau. University of Wisconsin - Madison

Boot Process in details for (X86) Computers

EMSOFT 09 Yangwook Kang Ethan L. Miller Hongik Univ UC Santa Cruz 2009/11/09 Yongseok Oh

Flash filesystem benchmarks

Manually Mount Usb Flash Drive Linux Command Line Redhat

Memory technology and optimizations ( 2.3) Main Memory

D1 - Embedded Linux. Building and installing an embedded and real-time Linux platform. Objectives. Course environment.

Setup Macronix NAND Flash on Freescale i.mx28 EVK

CS370: Operating Systems [Spring 2017] Dept. Of Computer Science, Colorado State University

Current Challenges in UBIFS

Linux Files and the File System

Preview. COSC350 System Software, Fall

EMBEDDED LINUX ON ARM9 Weekend Workshop

Using grub to Boot various Operating Systems

Certification. System Initialization and Services

Storage. Hwansoo Han

Project 3 Help Document

The Linux IPL Procedure

User Guide. Storage Executive. Introduction. Storage Executive User Guide. Introduction

Software Architecture Division (SARD) Sony India Software Center Pvt Ltd. Copyright 2013 Sony Corporation

File System. Preview. File Name. File Structure. File Types. File Structure. Three essential requirements for long term information storage

YAFFS A NAND flash filesystem

Installing Linux on JMU Computer-Science Department Removable Hard Drives for CS-450 and CS-550

Azure Sphere: Fitting Linux Security in 4 MiB of RAM. Ryan Fairfax Principal Software Engineering Lead Microsoft

ADS U-boot User's Manual. Applied Data Systems Old Columbia Road Columbia MD, USA

Embedded Linux system development training 5-day session

COS 318: Operating Systems. Storage Devices. Vivek Pai Computer Science Department Princeton University

Routerboard 5xx. Hardware. Initial Installation

MODULE 02. Installation

If you don't care about how it works but you just would like that it works read here. Other wise jump to the next chapter.

Filesystem. Disclaimer: some slides are adopted from book authors slides with permission 1

Exam LFCS/Course 55187B Linux System Administration

APPLICATION NOTE Using DiskOnChip Under Linux With M-Systems Driver

At course completion. Overview. Audience profile. Course Outline. : 55187B: Linux System Administration. Course Outline :: 55187B::

ECE 550D Fundamentals of Computer Systems and Engineering. Fall 2017

"Charting the Course... MOC B: Linux System Administration. Course Summary

CompTIA Linux+ Guide to Linux Certification Fourth Edition. Chapter 2 Linux Installation and Usage

HPC File Systems and Storage. Irena Johnson University of Notre Dame Center for Research Computing

OMAP3530 has 256MB NAND flash in PoP (PoP: Package-On-Package implementation for Memory Stacking) configuration.

Chapter 12: File System Implementation

Xbox Security. Daniel Butnaru. 28 th June 2006

Ubuntu - How to Create Software RAID 1 in Ubuntu Linux - Tutorial

CS370 Operating Systems

Installation of Fedora 12 with CD

File System Internals. Jo, Heeseung

Chapter 6. Storage and Other I/O Topics

Mass-Storage Structure

Exam : 1Z Title : Enterprise Linux System Administration. Version : DEMO

Presented by: Nafiseh Mahmoudi Spring 2017

Segmentation with Paging. Review. Segmentation with Page (MULTICS) Segmentation with Page (MULTICS) Segmentation with Page (MULTICS)

COS 318: Operating Systems. Storage Devices. Jaswinder Pal Singh Computer Science Department Princeton University

IRON FOR JFFS2. Raja Ram Yadhav Ramakrishnan, Abhinav Kumar. { rramakrishn2, ABSTRACT INTRODUCTION

FC-FCoE Adapter Inbox Driver Update for Linux Kernel 2.6.x. Table of Contents

Hard Disk Organization. Vocabulary

Linux FastBoot. Reducing Embedded Linux Boot Times. Embedded World Conference 2012

Computer System Management - File Systems

Computer Organization and Structure. Bing-Yu Chen National Taiwan University

Embedded Linux Architecture

An introduction to Logical Volume Management

Asymmetric Programming: A Highly Reliable Metadata Allocation Strategy for MLC NAND Flash Memory-Based Sensor Systems

Journal Remap-Based FTL for Journaling File System with Flash Memory

Full Linux on FPGA. Sven Gregori

Update on boot time reduction techniques

Differential RAID: Rethinking RAID for SSD Reliability

Overview LEARN. History of Linux Linux Architecture Linux File System Linux Access Linux Commands File Permission Editors Conclusion and Questions

CS510 Operating System Foundations. Jonathan Walpole

COS 318: Operating Systems. Storage Devices. Kai Li Computer Science Department Princeton University

Familiar Linux for the ipaq H3975 (XScale Processor) CSC 714 Real Time Computing Systems Term Project

User. Applications. Operating System. Hardware

Oracle 1Z Enterprise Linux System Administration. Download Full Version :

Linux. For BCT RE2G2. User Guide. Document Reference: BCTRE2G2 Linux User Guide. Document Issue: Associated SDK release: 1.

Installing Linux (Chapter 8) Note packet # 4. CSN 115 Operating Systems Ken Mead Genesee Community College. Objectives

Booting Linux Fast & Fancy. Embedded Linux Conference Europe Cambridge, Robert Schwebel

Application-Managed Flash

Linux Kernel Compilation

CHAPTER 11: IMPLEMENTING FILE SYSTEMS (COMPACT) By I-Chen Lin Textbook: Operating System Concepts 9th Ed.

Transcription:

Reverse Engineering NAND Flash Adapted from Josh m0nk Thomas s Black Hat PresentaBon Andrew bunnie Huang & Sean xobs Cross 30c3 PresentaBon Presented by Ben RuktanBchoke

NAND:Hard It Work FloaBng gate transistor Pages Typically 512, 2048, or 4096 Blocks Typically 16kb 512kb ShiXing to 0 is easy ShiXing to 1 is hard

NAND:Hard it Work

Faking Reliability Flash memory is unreliable You are not storing data, you are storing probabilisbc approximabons of your data Workaround: computabonal error correcbon (ECC) Flash geometry changes New ECC rules, page size, block mapping, etc.

Also, Bad Blocks TLC/MLC Flash is super cheap Work around: bad block remapping In some cases, over 80% of blocks are bad (e.g. 16GB chip sold as 2GB) Also, blocks go bad with P/E cycles

What s inside

NAND:SoX it Works RAW NAND vs. MMC/eMMC Complex Driver vs. Simple Driver Proprietary (closed) wear leveling algorithms are normally embedded

NAND:SoX it Works MTD Subsystem Kind of a meta- driver Used heavily for boot parbbons on Android

Related Works MTD at the Driver Level Flash TransiBon Layers and Reverse the Embedded Controllers

Digilient Nexys 2 Spartan- 3E FPGA + Schmartboard

What's an ini*al RAM disk? The ini#al RAM disk (initrd) is an inibal root file system that is mounted prior to when the real root file system is available. The initrd is bound to the kernel and loaded as part of the kernel boot procedure. The kernel then mounts this initrd as part of the two- stage boot process to load the modules to make the real file systems available and get at the real root file system. The initrd contains a minimal set of directories and executables to achieve this, such as the insmod tool to install kernel modules into the kernel. In the case of desktop or server Linux systems, the initrd is a transient file system. Its lifebme is short, only serving as a bridge to the real root file system. In embedded systems with no mutable storage, the initrd is the permanent root file system.

Boo*ng with an ini*al RAM disk The boot loader, such as GRUB, idenbfies the kernel that is to be loaded and copies this kernel image and any associated initrd into memory. AXer the kernel and initrd images are decompressed and copied into memory, the kernel is invoked. Various inibalizabon is performed and, eventually, you find yourself in init/ main.c:init() (subdir/file:funcbon). This funcbon performs a large amount of subsystem inibalizabon. A call is made here to init/do_mounts.c:prepare_namespace(), which is used to prepare the namespace (mount the dev file system, RAID, or md, devices, and, finally, the initrd). Loading the initrd is done through a call to init/do_mounts_initrd.c:initrd_load(). The initrd_load() funcbon calls init/do_mounts_rd.c:rd_load_image(), which determines the RAM disk image to load through a call to init/do_mounts_rd.c:idenbfy_ramdisk_image(). This funcbon checks the magic number of the image to determine if it's a minux, etc2, romfs, cramfs, or gzip format. Upon return to initrd_load_image, a call is made to init/do_mounts_rd:crd_load(). This funcbon allocates space for the RAM disk, calculates the cyclic redundancy check (CRC), and then uncompresses and loads the RAM disk image into memory. At this point, you have the initrd image in a block device suitable for mounbng. MounBng the block device now as root begins with a call to init/do_mounts.c:mount_root(). The root device is created, and then a call is made to init/do_mounts.c:mount_block_root(). From here, init/do_mounts.c:do_mount_root() is called, which calls fs/namespace.c:sys_mount() to actually mount the root file system and then chdir to it. This is where you see the familiar message shown in LisBng 6: VFS: Mounted root (ext2 file system). Finally, you return to the init funcbon and call init/main.c:run_init_process. This results in a call to execve to start the init process (in this case /linuxrc). The linuxrc can be an executable or a script (as long as a script interpreter is available for it).

MTD Subsystem Architecture

Graphical Analysis

Graphical representabon of the bytes in the firmware

Graphical representabon of the bytes in the firmware

Graphical representabon of the bytes in the firmware (zoomed in)

JFFS2 Header Fields

Bootloader Environemnet Variable Analysis

U- Boot code showing default_environment

Loading default_environment variables bootargs=root=/dev/mtdblock3 roo;stype=jffs2 noinitrd ramdisk_size=4096 mem=32m mtdparts=s3c2410- nand:16k(boot),176k(u- boot),4912k(linux- img), 27104K(roo;s),- (extra);phys_mapped_flash:- (all)

U- boot sub- images

Tamper DetecBon

Tamper protecbon in acbon

Front and Back panels

Circuits inside plasbc padding

Original JFFS2 Record

Modifed JFFS2 Record

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback