PMECC BCH Oddities

Go To Last Post
3 posts / 0 new
Author
Message
#1
  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

Hello,

 

I'm currently playing around with a SAMA5D4 Xplained Ultra and want to do some hacker stuff with its NAND flash memory.

 

But so far, I have not been able to correctly calculate the BCH (Bose, Chaudhuri and Hocquenghem) error correcting codes (ECCs) used in the following PMECC configuration of my SAMA5D4 test device:

  • NAND page size: 4096 bytes
  • NAND spare area size: 224 bytes
  • Sector size: 512 Bytes
  • Sectors per page: 8
  • correct 8 bits of error per sector
  • ECC bytes per sector: 13 bytes

 

The interesting part is, that I can correctly calculate and use the BCH ECCs for error correcting purposes in a SAMA5D31 device with the following PMECC configuration:

  • NAND page size: 2048 bytes
  • NAND Spare area size: 64 bytes
  • Sector size: 512 Bytes
  • Sectors per page: 4
  • correct 4 bits of error per sector
  • ECC bytes per sector: 7 bytes

 

But unfortunately, the BCH ECC method used in my SAMA5D31 test device (using the BCH polynomial 0x201b and reversing the bit order of data bytes when calculating the BCH ECC per sector) does not work for my SAMA5D4 test device.

 

Does anybody know how the BCH ECCs of the PMECC BCH hardware encoder/decoder are actually calculated for the SAMA5D4 device with the given PMECC configuration?

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

Fortunately, I could answer my own question.

 

There is some eXclusive ORing going on with a non-zero key regarding the BCH ECCs of my SAMA5D4 test device. But with a simple heuristic, the correct XOR key for the ECCs of the NAND flash memory can be found out.

 

Stay tuned, I will release an open source tool for correcting errors in raw NAND flash memory dumps in the next few days on GitHub. Maybe also somebody else has a use case for it. wink

 

 

  • 1
  • 2
  • 3
  • 4
  • 5
Total votes: 0

Today, I have published the open source SySS NAND Dump Tools for encoding and decoding dumps of NAND memory chips using implemented error correcting codes (ECC) for supported devices on GitHub.

 

There is also a YouTube-Video titled "Exploiting the Obvious But Not the Trivial: Unencrypted NAND Flash Memory" demonstrating those tools in action: https://www.youtube.com/watch?v=eTtfRDMjgww