Security Research
Showing results for 
Search instead for 
Do you mean 

Reverse Engineering NAND Flash Memory – POS device case study (part 1/3)

Matt_Oh ‎08-21-2014 10:17 AM - edited ‎08-21-2014 10:02 PM

Modern life wouldn’t be quite so modern without NAND Flash memory. It is used everywhere - from USB sticks and smart phones to security cameras and the Internet of Things (IoT). I’ve spent some time reverse engineering the NAND flash memory used in popular POS (Point of Sale) devices.  (Figure 1) Aside from sharing my findings from the evaluation of these devices, I wanted to share the process I followed to acquire the right firmware and to perform the reverse engineering. You can find a brief introduction to this area in one of my previous blogs. I also recently presented the details of my research at Recon and Black Hat 2014. While the Recon presentation focused on the technical details of the technique, at Black Hat 2014, I showcased an advanced tool called DumpFlash and shared my experience with tamper detection, including a workaround method. In this series of blogs, I’m going to share these details and some other interesting facts as well.


Figure 1 Targeted device


The first step when reverse engineering an embedded device is to open it up and identify the chipsets, looking for any interesting points that might be JTAG or UART. Actually, it turns out that the chipsets are really standard with this POS device. (Figure 2) It uses the very popular ARM CPU (s3c2410 series) with a typical setup with DRAMs and NAND Flash memory. However, the attempt to find JTAG or UART didn’t work very well for me. Instead of struggling with something not so obvious, I took a very obvious approach – dumping NAND Flash memory and programming it directly.


Figure 2 Inside of targeted device


The basic pinout is shown in Figure 3 and this device works in 8bit mode. There are Flash memories that work in 16bit mode, but they have a slightly different pinout configuration.


Figure 3 NAND Flash memory pinout (x8 device)



The first step for directly interacting with NAND Flash memory is de-soldering it from the PCB board. But, there is another very tempting option you can take using a special clip that can be attached to the surface of the NAND Flash memory. You can find this clip in stores that stock XBOX-modding tools - it was originally used for modding XBOX 360 machines by patching them directly. However, the problem here is that this option doesn’t always work. Note that there are pins for supplying power to the NAND Flash memory and the chip remains connected to the PCB board with this method. Unfortunately using the clip in this situation can lead to current injection into the board, which wakes up other chipsets and interferes with your operations. That is certainly what happened to me when I tried this clip. But I know of several cases where this clip was used successfully, so definitely in some cases, it looks like the clip works.


Figure 4 Failed attempt – want to avoid de-soldering?


After I decided to de-solder the NAND Flash memory, the first method I tried was using a de-solder wire. This method is valid, but the problem I had was that there was too much residue left on the board and the chip. I was going to re-solder the chip back after I had extracted the firmware and re-programed it. I wanted the PCB board and the chip in cleaner condition, so I dropped this approach.


Figure 5 Failed attempt – want to use de-solder wire?


The most effective way to remove the chips cleanly was using a hot air gun from an SMT rework station. (Figure 6) Insulation tape is good for protecting the surrounding areas on the targeted PCB.



Figure 6 SMT rework station & insulation tape


I prefer applying insulation tape over the area around the targeted chip.


Figure 7 Apply heat over the pin area


If you apply too much heat over an extended period, it will eventually damage the chip. (Figure 8) You might still try to read the chip, but if the chip is damaged, it may not be recognized at all or it might just return a series of 00 bytes when you try to read data from it.


Figure 8 Too much heat?



The following video demonstrates the detailed process of removing a chip from the PCB board using a hot air gun.



Reading NAND Flash Memory
Now you have a bare NAND Flash chip at hand. The next step is reading the bare metal image from the chip. There have been a lot of different approaches tried over time by the hobbyist community –some use special Flash reader chipsets that can provide low-level access. I tried it and it didn’t work quite as well as expected. (Figure 9)


Figure 9 Failed attempt – modding an SD reader


The most reliable way I found to do this was bit-banging using the FTDI FT2232H chip set. This method was originally suggested by Sprite Mod. Bit-banging is a technique that allows you to directly interact with chips through software. FT2232H is a versatile chip that provides various ways to interact with chips through a USB interface.


Figure 10 FT2231H chip and breakout board



Figure 11 shows the connection between the FT2232H chip and NAND Flash memory. The connections are mostly based on information from Sprite Mod, but there is a slight modification between the BDBUS6 and the CE (9) connection.


Figure 11 Connection between FT2232H and NAND Flash Memory


A detailed explanation about what each connection means is provided with my Black Hat 2014 white paper.


MCU Host Bus Emulation Mode

FTDI FT2232H supports multiple modes. The ‘MCU Host Bus Emulation Mode’ is appropriate for our purposes in this case. In this mode, the FTDI chip emulates an 8048/8051 MCU host bus. By sending the commands shown in Table 1 and retrieving the results, the software can read or write bits through I/O lines. More details are available in a note published by FTDI.







8bit address



16bit address



8bit address



16bit address



High byte (BDBUS6, 7)



High byte (BDBUS6, 7)

Table 1 FT2232H commands


NAND Flash Memory Commands
Table 2 shows the basic command sets usually used by NAND Flash memory. There are more complicated commands available depending on the chipsets, but these basic commands are enough for essential operations like reading and writing data on the chip. Also, these commands tend to be the same across different models and brands. The pins and other descriptions presented here are mostly focused on small block NAND Flash models (512 bytes of data with 16 bytes OOB). Models with a large block size use a different set of commands, but the principle is the same.



1st cycle

2nd cycle

Read 1



Read 2



Read ID



Page Program



Block Erase



Read Status



Table 2 Basic command sets for usual NAND Flash memory (small blocks)


Building Reader/Writer Device
Figure 12 shows the final NAND Flash reader/writer assembled based on the connection information shown in Table 2. You can make a device like this even with a relatively low budget and basic knowledge of electronics engineering. You need an FTDI FT2232H breakout board, a USB cable, a TSOP48 socket, and wires. Everything can be constructed with budget of USD $50.


Figure 12 NAND Flash reader/writer


Place your NAND Flash chip inside the TSOP48 socket. (Figure 13) This socket is very useful as you can safely place your NAND Flash chip inside it and then directly interact with the extended pins without touching and possibly damaging any Flash memory chip pins.


Figure 13 TSOP48 socket


When the NAND reader/writer is ready, just load the Flash memory. You should be careful to put the pin 1 location on the correct side of the socket. Usually the socket shows where pin 1 should be located. (Figure 14)  When things are set, you can connect the reader/writer to the computer through a USB cable.


Figure 14 Pin 1 location



DumpFlash – enhanced Flash reader/writer software

You need software to achieve bit-banging and for this there is a NANDTool open source project maintained by Bjoern Kerlers. I ported the entire C++ code to a Python project and created the DumpFlash project. I also added support for NAND Flash programming. Here are the highlights:

Read/Write support

  • Flash image manipulation and verification (ECC, Bad block check)
  • Fast sequential row read mode support for Samsung models
  • Automatic U-Boot image extraction
  • JFFS2 parsing and extraction
  • Support for enhanced schematics

Download the DumpFlash code first. You should also install prerequisite packages like pyftdi and libusbx. With everything set up, you can query basic Flash information using the –i option. (Figure 15)


Figure 15 Retrieving Flash memory information (-i)


With the –r option, you can read contents from the chip. The average transfer rate I usually get with my Windows 7 machine is around 50KB/sec.


Figure 16 Reading Flash memory data (-r)


The FlashTool also supports sequential row read mode. When you can specify the –s option, it uses the special mode with a Samsung chip and increases reading performance. The reading speed is faster than normal page-by-page mode by 5-6 times in this case. (Figure 17)


Figure 17 Reading Flash memory data in sequential mode(-r -s)



With the schematics and software I’ve provided, you have the ability to read and program NAND Flash memory. De-soldering is not a big problem, even if you are a hardware novice. You just need an SMT rework station and a little bit of a courage. The real challenge happens later when you try to dissect the firmware, put it back together and re-solder the chip back to the PCB board. However, often the purpose of firmware acquisition is to do white-box testing, so with acquired firmware, you can have a look inside the internal system and use that knowledge to pen-test the device (and that’s probably the reason why the NAND-related open source project didn’t have code for programming data back to NAND Flash memory).

Now you are ready to do something useful in an embedded system, but what’s next? In the next post, I’ll share a method for dissecting a flat bare-metal image, and throw in a few helpful tips and strategies for good measure. After that, I’ll talk about modifying firmware and putting it back into the machine again. This involves some special maneuvers with a POS device. The model I worked on featured so-called hardware tamper detection and I’ll talk about how to work around that using a software method.

About the Author


Twitter: @ohjeongwook .

Ton Smith
on ‎09-16-2014 12:50 AM

The concepts of reverse engineering and NAND flash memory has been explained really well. Keep posting such blogs.

Lotie Brink
on ‎12-02-2014 09:54 PM

Hi there; has this been a struggle to get anyone who really works with POS and High Tech Skimming devices from the Security sector.  I am the commander of the Digital Forensic Laboratory of the Directorate for Priority Crime Investigation, South African Police Service, Bellville, Western Cape. 


Is it maybe possible for you to give step-by-step guidance in order to dump the NAND flash memory of e POS device; and/or high tech skimming devices.  Previously these devices were outsourced to be investigated by other companies and only recently have we been tasked with these investigations. The devices we investigate are seized during operations and arrests and the investigators need the data from the chips as evidence.


If possible it would be appreciated if you could maybe indicate work methodology and possible write-protection to secure the devices from tampering with evidence.

27 Feb - 2 March 2017
Barcelona | Fira Gran Via
Mobile World Congress 2017
Hewlett Packard Enterprise at Mobile World Congress 2017, Barcelona | Fira Gran Via Location: Hall 3, Booth 3E11
Read more
Each Month in 2017
Software Expert Days - 2017
Join us online to talk directly with our Software experts during online Expert Days. Find information here about past, current, and upcoming Expert Da...
Read more
View all