Homebrew [PARTIAL] DSi NAND Flash Dump!

dsihomebrew

<b>So a guy by the name of SCANLIME (Micah) of gbadev.org has managed to dump parts of the NAND flash; here is what he has found...</b>

"This is really really rough still, but I think I have the first dump of the DSi's NAND flash reads during boot.

The MMC commands aren't decoded much yet. The "tb=1 CMD18" lines indicate that a multi-block read is starting. "arg" is the address, in bytes. So you can see that the first thing the ROM does is to load the second 512-byte block out of flash. That block is some kind of header, hopefully with some useful addresses/flags in it. The second half of that block is a bit uglier, but still looks somewhat structured. Maybe it's thumb code? I haven't tried disassembling any of this yet.

After that first block read, there is a much longer read starting at byte 0x26E00. This is probably the actual firmware image, and it looks to be compressed and/or encrypted.

Note that this log shows each block as 0x208 bytes long. Ignore those last 8 bytes, they're just the MMC protocol's CRC.

I'm just including a snippet below. I need to clean this up a lot more before posting the full log. (The biggest problem is that my hardware buffer keeps filling up, so there are some missing pieces later on ;)"

Code:
[CMD] tb=1 CMD0 arg= 0 crc=4a end=1
[CMD] tb=1 CMD55 arg= 0 crc=32 end=1
[CMD] tb=1 CMD1 arg= 100000 crc=21 end=1
[CMD] tb=0 CMD63 arg= ff8080 crc=7f end=1
[CMD] tb=1 CMD1 arg= 100000 crc=21 end=1
[CMD] tb=0 CMD63 arg=80ff8080 crc=7f end=1
[CMD] tb=1 CMD2 arg= 100000 crc=7b end=1
[CMD] tb=0 CMD63 arg=15000041 crc=28 end=0
[CMD] tb=1 CMD6 arg=30304d03 crc=4f end=0
[CMD] tb=0 CMD10 arg=a5593cfd crc=7f end=1
[CMD] tb=1 CMD3 arg= 10000 crc=3f end=1
[CMD] tb=0 CMD3 arg= 500 crc=7d end=1
[CMD] tb=1 CMD9 arg= 10000 crc=78 end=1
[CMD] tb=0 CMD63 arg=9026012a crc=07 end=1
[CMD] tb=1 CMD25 arg= 1dff6db crc=3f end=1
[CMD] tb=1 CMD12 arg=b202056f crc=7f end=1
[CMD] tb=1 CMD7 arg= 10000 crc=6e end=1
[CMD] tb=0 CMD7 arg= 700 crc=3a end=1
[CMD] tb=1 CMD16 arg= 200 crc=0a end=1
[CMD] tb=0 CMD16 arg= 900 crc=05 end=1
[CMD] tb=1 CMD6 arg= 3b70100 crc=16 end=1
[CMD] tb=0 CMD6 arg= 900 crc=6e end=1
[CMD] tb=1 CMD18 arg= 200 crc=66 end=1
[CMD] tb=0 CMD18 arg= 900 crc=69 end=1
[CMD] tb=1 CMD12 arg= 200 crc=26 end=1
[DAT] 000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
[DAT] 010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
[DAT] 020: 00 80 00 01 06 40 20 00 08 07 b0 30 06 60 20 00 : .....@ ....0.` .
[DAT] 030: 06 e0 20 08 87 50 20 00 08 07 b0 30 07 60 20 00 : .. ..P ....0.` .
[DAT] 040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
[DAT] 050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
[DAT] 060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
[DAT] 070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
[DAT] 080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
[DAT] 090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
[DAT] 0a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
[DAT] 0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
[DAT] 0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
[DAT] 0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
[DAT] 0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
[DAT] 0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cb : ................
[DAT] 100: 3f fe ce 58 df 06 1d a0 7e f9 72 b5 21 e8 96 b2 : ?..X....~.r.!...
[DAT] 110: f5 c1 77 99 c8 f0 09 e4 f9 f3 0a 78 0b 0b b9 40 : ..w........x...@
[DAT] 120: db 06 56 45 55 88 d0 a1 07 d0 f4 6c c0 0e 5f 1a : ..VEU......l.._.
[DAT] 130: 7a 14 f9 9c 50 e2 89 e7 25 8f 49 05 04 e8 44 89 : z...P...%.I...D.
[DAT] 140: aa 45 79 65 cf df 80 d8 be 42 73 ee a8 1b 81 94 : .Eye.....Bs.....
[DAT] 150: ab f2 28 af b9 5f 3c 51 13 b9 74 2e 40 a0 c5 6d : ..(.._<[email protected]
[DAT] 160: 39 a8 aa 23 c6 16 6e d8 5d c7 59 cc f8 62 39 f5 : 9..#..n.].Y..b9.
[DAT] 170: 93 f2 b5 ef aa 17 02 c1 63 37 a3 e3 03 50 d9 08 : ........c7...P..
[DAT] 180: 08 48 88 c8 18 58 98 d9 19 59 99 c8 18 58 98 d9 : .H...X...Y...X..
[DAT] 190: 19 59 99 dc 03 70 00 80 03 0c 00 70 03 00 00 00 : .Y...p.....p....
[DAT] 1a0: 03 00 00 00 03 04 00 0b 83 7f 80 70 00 00 0f f0 : ...........p....
[DAT] 1b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
[DAT] 1c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
[DAT] 1d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
[DAT] 1e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................
[DAT] 1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0b : ................
[DAT] 200: 3c 5a f2 99 06 36 42 8f : <Z...6B.
[CMD] tb=0 CMD12 arg= b00 crc=3f end=1
[CMD] tb=1 CMD18 arg= 26e00 crc=53 end=1
[CMD] tb=0 CMD18 arg= 900 crc=69 end=1
[DAT] 000: 99 f2 62 e1 c4 6f 23 3d fa 57 ab fe 58 49 31 ed : ..b..o#=.W..XI1.
[DAT] 010: 72 25 6c 30 f4 a1 15 fc d8 c3 59 52 e8 06 69 2a : r%l0......YR..i*
[DAT] 020: 7a 05 27 b5 47 b8 9c eb d4 ca 11 d3 64 e4 1b df : z.'.G.......d...
[DAT] 030: a8 8b 15 e9 88 f0 ac 96 7f 51 5a 48 71 7a c6 27 : .........QZHqz.'
[DAT] 040: ed 61 bd cf d3 66 1a 06 89 d5 b8 bf 34 8d 01 65 : .a...f......4..e
[DAT] 050: 2a 58 37 35 de 36 1c 50 4c 8b 56 5a 2f a9 1a bd : *X75.6.PL.VZ/...
[DAT] 060: 6a 4d 40 f2 09 8c 12 9d 0e cd 12 8d dc e8 4f 32 : [email protected]
[DAT] 070: 9e 61 1c a1 46 de 4a f8 66 f8 3b 6e 92 77 9e 52 : .a..F.J.f.;n.w.R
[DAT] 080: 61 be 46 b5 f4 7e c5 57 50 04 78 75 58 c2 0e ce : a.F..~.WP.xuX...
[DAT] 090: 22 74 79 2c aa ba 28 d4 19 47 3a 43 7c 46 23 14 : "ty,..(..G:C|F#.
[DAT] 0a0: 71 5a f5 bc f0 9e ec ef 00 53 e4 a6 76 ec 89 6a : qZ.......S..v..j
[DAT] 0b0: a8 b6 8c 59 94 4c c4 da 49 2a 86 9b 09 8e 3f 07 : ...Y.L..I*....?.
[DAT] 0c0: 3f 6e fb 3a ae 73 b4 3f 0a f7 ee a3 f7 a0 82 9e : ?n.:.s.?........
[DAT] 0d0: 3d 21 aa f1 c1 3f 0a d2 8a eb 30 95 c1 11 ab c9 : =!...?....0.....
[DAT] 0e0: d3 8d c2 e8 0b 69 77 17 1d ae 98 88 86 0c f6 78 : .....iw........x
[DAT] 0f0: 71 32 dc 58 8c e5 b1 25 e6 28 7a 63 bb 95 f1 2d : q2.X...%.(zc...-
[DAT] 100: 4d 9a 8c 40 e1 38 88 08 1d fe bb 99 87 e7 b2 9c : [email protected]..........
[DAT] 110: 57 7c ab bd 88 06 fd ff 32 59 ae 9b de 1d f2 b7 : W|......2Y......
[DAT] 120: 93 d0 25 b3 10 6c 2d 82 17 18 0f 77 2a 1c 81 fe : ..%..l-....w*...
[DAT] 130: 18 de ca b2 f7 ad 75 df 8c 00 f4 5e b3 b4 c2 e4 : ......u....^....
[DAT] 140: 62 72 3d 82 c8 eb cb b8 82 fe 4b 42 05 4c f2 4a : br=.......KB.L.J
[DAT] 150: 26 e9 5a fe 75 8c 79 57 26 0d 49 01 08 8c d5 8b : &.Z.u.yW&.I.....
[DAT] 160: 49 ec 73 81 ba 6c 84 28 94 85 c5 d1 bb 0e 2d 70 : I.s..l.(......-p
[DAT] 170: 10 86 da ca 0a 95 18 51 19 1e 0a 68 b3 04 89 22 : .......Q...h..."
[DAT] 180: 98 4c 0c 87 c9 78 b8 10 23 25 7d ec b7 a5 26 4a : .L...x..#%}...&J
[DAT] 190: 5c e2 3d 94 7f 58 c5 f2 b2 06 cf 1a ec da ee 35 : \.=..X.........5
[DAT] 1a0: cf 8a 2a 39 ed 88 d4 f8 ec cf 43 5a d9 98 6d 66 : ..*9......CZ..mf
[DAT] 1b0: 7d 6a c8 24 e8 7d 9d 67 d9 5f 23 f9 bd 72 4e 56 : }j.$.}.g._#..rNV
[DAT] 1c0: 59 f4 fd 51 01 c3 77 4f 66 32 e6 51 5a 9d 14 e5 : Y..Q..wOf2.QZ...
[DAT] 1d0: 77 75 7f 4c 99 30 dc 3b 1b 12 34 8b 0c d6 a8 26 : wu.L.0.;..4....&
[DAT] 1e0: de 49 72 ea cc 7a 9a 4c 2a 12 37 a0 26 17 18 38 : .Ir..z.L*.7.&..8
[DAT] 1f0: 78 88 74 b1 21 d4 57 07 89 2a fb 71 80 63 5a 2b : x.t.!.W..*.q.cZ+
[DAT] 200: 1c b3 8d e9 b0 89 69 af : ......i.
[DAT] 000: 49 2e b8 db b0 6a 8b 02 80 1d 3b 63 c8 b7 de c2 : I....j....;c....
[DAT] 010: 63 c1 69 f9 94 12 fc 6c 95 77 34 fd 09 d9 29 11 : c.i....l.w4...).
[DAT] 020: 9f 17 4f a6 fc 3e 80 8a 5f b4 ef 07 45 07 a9 e3 : ..O..>.._...E...
[DAT] 030: 50 eb 71 4b bd 81 8d db 11 0c 89 04 19 de 83 ec : P.qK............
[DAT] 040: f8 6b 10 dd 55 4a cd cc a7 5d 93 12 6a 7c d9 9f : .k..UJ...]..j|..
[DAT] 050: 8b 71 ec 28 a4 1a 15 ad 24 8e 3c 07 02 4f d7 a0 : .q.(....$.<..O..
[DAT] 060: c6 22 5b 57 8d df 69 2b b3 66 a7 fa d1 a9 7e 5d : ."[W..i+.f....~]
[DAT] 070: c2 2a f8 40 d7 66 dc 73 f5 0d b1 df c7 a7 ea 8a : .*[email protected]........
[DAT] 080: 41 93 10 9f 9e 71 18 34 ad bb 53 47 ce 09 b2 f4 : A....q.4..SG....
[DAT] 090: d1 33 d3 49 f1 7e c4 b6 64 86 c5 90 f5 ae e6 66 : .3.I.~..d......f
[DAT] 0a0: 91 f9 34 26 de e8 5c 2a 49 dd ab 4c 00 7e 45 d8 : ..4&..\*I..L.~E.
[DAT] 0b0: 46 f2 17 db 1d 80 8d 57 08 88 14 34 43 dc bf 02 : F......W...4C...
[DAT] 0c0: 3f 0d e2 58 b6 12 a9 6f ea 9e a8 6c ab b4 9b 83 : ?..X...o...l....
[DAT] 0d0: 96 f8 02 68 88 e1 9e 5e 37 7f 4e 61 1f 46 db 93 : ...h...^7.Na.F..
[DAT] 0e0: c5 e3 f0 76 73 a6 49 4a 6b 35 62 6f d7 08 2b ef : ...vs.IJk5bo..+.
[DAT] 0f0: 4f 5b 3b b4 e7 55 b8 fd a1 53 74 ac a9 79 65 ae : O[;..U...St..ye.
[DAT] 100: 45 89 65 fc a9 51 dc 74 01 91 94 3f fa c5 76 61 : E.e..Q.t...?..va
[DAT] 110: c1 20 56 7e 6e 03 76 f6 09 99 88 d4 73 f6 c1 45 : . V~n.v.....s..E
[DAT] 120: bc 74 b3 c0 d1 5a fd ca 36 8f 18 d3 b2 37 15 bc : .t...Z..6....7..
[DAT] 130: 0c f4 22 17 58 3f 31 87 38 40 39 b6 c0 8c 92 7c : ..".X?1.8@9....|
[DAT] 140: bb 28 66 75 76 37 5e 8f 56 bc c3 28 cd ce 68 6e : .(fuv7^.V..(..hn
[DAT] 150: 52 03 24 18 01 ee d1 65 40 87 45 bd 7f 3b 7b 6a : [email protected]..;{j
[DAT] 160: 12 3c b7 17 dd 66 54 2e 95 93 64 1c a2 65 9f 83 : .<...fT...d..e..
[DAT] 170: c4 cc c6 c7 c7 c8 55 2b 40 3c 7b ac e7 b1 f1 44 : ......U+@<{....D
[DAT] 180: 0d 4c 4e 4f ff 06 c0 8d 9d c1 fc 78 01 18 12 06 : .LNO.......x....
[DAT] 190: 19 01 84 4f dc a4 a4 fe cf 3a 2a 03 b9 af b8 dd : ...O.....:*.....
[DAT] 1a0: f6 a0 a0 52 af 3c e8 10 df 41 89 82 80 ba c7 e3 : ...R.<...A......
[DAT] 1b0: 35 f7 35 a2 c0 3e a1 a5 44 90 38 ce 84 ce ac 0c : 5.5..>..D.8.....
[DAT] 1c0: 08 e9 63 f6 2e 18 4a 8a 18 4c 1b 2d 38 4b 44 b1 : ..c...J..L.-8KD.
[DAT] 1d0: 38 cd dd ee e9 75 3f e8 98 10 8c d1 5f dc 86 e4 : 8....u?....._...
[DAT] 1e0: 27 0f 8e dd 8d a8 d4 83 ce 49 ff a7 3c 6b 4f 78 : '........I..<kOx
[DAT] 1f0: 28 7a c7 4f 47 8f bd 48 c0 e2 60 53 86 51 37 14 : (z.OG..H..`S.Q7.
[DAT] 200: 41 17 15 98 9d 85 b6 0f : A.......

<b>and he also released a NICER looking dump...</b>

"My lame FPGA setup was dropping bits, so the addresses above are correct but the data dump isn't quite right. I tried hooking up an old USB SD/MMC card reader in parallel with my FPGA, and I got a nicer-looking dump:"

Code:
00000200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000220 00 08 00 00 10 64 02 00 00 80 7b 03 00 66 02 00 |.....d....{..f..|
00000230 00 6e 02 00 88 75 02 00 00 80 7b 03 00 76 02 00 |.n...u....{..v..|
00000240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000002f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c |................|
00000300 b3 ff ec e5 8d f0 61 da 07 ef 97 2b 52 1e 89 6b |......a....+R..k|
00000310 2f 5c 17 79 9c 8f 00 9e 4f 9f 30 a7 80 b0 bb 94 |/\.y....O.0.....|
00000320 0d b0 65 64 55 58 8d 0a 10 7d 0f 46 cc 00 e5 f1 |..edUX...}.F....|
00000330 a7 a1 4f 99 c5 0e 28 9e 72 58 f4 90 50 4e 84 48 |..O...(.rX..PN.H|
00000340 9a a4 57 96 5c fd f8 0d 8b e4 27 3e ea 81 b8 19 |..W.\.....'>....|
00000350 4a bf 22 8a fb 95 f3 c5 11 3b 97 42 e4 0a 0c 56 |J."......;.B...V|
00000360 d3 9a 8a a2 3c 61 66 ed 85 dc 75 9c cf 86 23 9f |....<af...u...#.|
00000370 59 3f 2b 5e fa a1 70 2c 16 33 7a 3e 30 35 0d 90 |Y?+^..p,.3z>05..|
00000380 80 84 88 8c 81 85 89 8d 91 95 99 9c 81 85 89 8d |................|
00000390 91 95 99 9d c0 37 00 08 00 30 c0 07 00 30 00 00 |.....7...0...0..|
000003a0 00 30 00 00 00 30 40 00 b8 37 f8 07 00 00 00 ff |[email protected]......|
000003b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|

"The values at 0x220 are definitely offsets to other areas on the card. The firmware image that the bootloader starts reading immediately after this block is at 0x26e00, and you can see that address appear at 0x230.

As for how the rest of the card is encoded.. your guess is as good as mine ;)"

<b>He also posted some pictures outlining different parts of the DSi on Flickr, which can be found here...</b>

<a href="http://www.flickr.com/photos/micahdowty/sets/72157621023570420/show/with/3693367838/" target="_blank">http://www.flickr.com/photos/micahdowty/se...ith/3693367838/</a>

<b>I found this thread last night over at gbadev.org and I thought I might share it with you guys...</b>
<a href="http://forum.gbadev.org/viewtopic.php?t=16752&postdays=0&postorder=asc&start=0" target="_blank">ORIGINAL THREAD</a>
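As an added illustration of the two observations in the quotes above (a CMD18 argument is a byte address, and the u32 table at 0x220 holds offsets, one of which is the 0x26e00 the bootloader reads next), here is a small Python decoder. It is not Micah's sniffer code or anything from the thread; the log and dump strings are condensed from the post, and it cross-checks that the second CMD18 address appears in the header table.

```python
"""Decode the MMC sniffer log and the header block from the post above.

Added example, not Micah's sniffer code or anything from the thread. It
assumes the formats shown in the post: a "[CMD] tb=1 CMDn arg=<hex>" line
is a command from the DSi's CPU (tb=1) or the card's response (tb=0), and
the "nicer" dump is hexdump-style, where a "*" row means "previous row
repeats". Addresses are byte offsets into the eMMC.
"""
import re
import struct

CMD_RE = re.compile(r"\[CMD\] tb=(\d) CMD(\d+) arg=\s*([0-9a-f]+)")
ROW_RE = re.compile(r"^([0-9a-f]{8}) ((?:[0-9a-f]{2} ){16})\|")

# Constructed samples, condensed from the two logs in the post.
CMD_LOG = """\
[CMD] tb=1 CMD16 arg= 200 crc=0a end=1
[CMD] tb=0 CMD16 arg= 900 crc=05 end=1
[CMD] tb=1 CMD18 arg= 200 crc=66 end=1
[CMD] tb=0 CMD18 arg= 900 crc=69 end=1
[CMD] tb=1 CMD12 arg= 200 crc=26 end=1
[CMD] tb=0 CMD12 arg= b00 crc=3f end=1
[CMD] tb=1 CMD18 arg= 26e00 crc=53 end=1
[CMD] tb=0 CMD18 arg= 900 crc=69 end=1
"""

HEADER_DUMP = """\
00000200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000220 00 08 00 00 10 64 02 00 00 80 7b 03 00 66 02 00 |.....d....{..f..|
00000230 00 6e 02 00 88 75 02 00 00 80 7b 03 00 76 02 00 |.n...u....{..v..|
00000240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
"""


def host_reads(log):
    """Return (byte_address, block_len) for each CMD18 the host issued.

    CMD16 sets the block length; CMD18 starts a multi-block read whose
    argument is the starting byte address, as the post describes.
    """
    block_len, reads = 512, []
    for tb, cmd, arg in CMD_RE.findall(log):
        if tb != "1":  # tb=0 lines are the card's responses, not commands
            continue
        if cmd == "16":
            block_len = int(arg, 16)
        elif cmd == "18":
            reads.append((int(arg, 16), block_len))
    return reads


def parse_hexdump(dump):
    """Expand a hexdump with '*' repeat rows into (base_offset, bytes)."""
    base, rows, last = None, [], b""
    lines = dump.splitlines()
    for i, line in enumerate(lines):
        if line == "*":
            # Previous row repeats up to the offset of the next listed row.
            nxt = int(lines[i + 1].split()[0], 16)
            cur = base + 16 * len(rows)
            rows.extend([last] * ((nxt - cur) // 16))
            continue
        m = ROW_RE.match(line)
        if not m:
            continue
        off, last = int(m.group(1), 16), bytes.fromhex(m.group(2))
        base = off if base is None else base
        rows.append(last)
    return base, b"".join(rows)


def header_offsets(base, data, table=0x220, count=8):
    """Read the little-endian u32 table the post spotted at 0x220."""
    return list(struct.unpack_from("<%dI" % count, data, table - base))


if __name__ == "__main__":
    reads = host_reads(CMD_LOG)
    offs = header_offsets(*parse_hexdump(HEADER_DUMP))
    print("host reads at:", [hex(a) for a, _ in reads])
    print("header table:", [hex(o) for o in offs])
    # The second CMD18 (0x26e00) should be one of the header's offsets.
    print("firmware read address found in table:", reads[1][0] in offs)
```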
 

Da-Bomb1

Yeah, I saw this earlier... pretty cool. :)
 

dsihomebrew

Charmandersrule said:
How'd he hack it to get that?

"I'm still really interested in learning more about the DSi's boot process. A dump of the NAND flash would be useful, but I'm actually even more interested in getting a trace of the reads made from the NAND flash during boot.

Anyway.. I was busy with Real Life for the last few weeks, but I finally had time to revisit the DSi today :)


I managed to desolder the NAND flash, and get some PCB scans with the flash removed. It turns out that all of the interesting signals are in fact available on nearby components or vias. Here's a false-color image showing the top and bottom PCB layers near the flash chip:

[url=http://www.flickr.com/photos/micahdowty/37...57621023570420/]http://www.flickr.com/photos/micahdowty/37...57621023570420/[/url]

The four signals along the top are data bits (this is eMMC, and the DSi is using it in 4-bit mode). The clock is available via a test point on the back (SD11_CLK), and CMD is available from a resistor nearby.

So, as fun as it was to get the flash off, I figured I'd put it back on and build a passive sniffer that can log all of the traffic between the DSi's CPU and the flash. It was a pretty nerve-wracking process, but I did manage to get the flash back on without frying it =D

I did find out what the DSi does when you try to boot it without the flash chip installed:

[url=http://www.flickr.com/photos/micahdowty/37...57621023570420/]http://www.flickr.com/photos/micahdowty/37...57621023570420/[/url]

This would seem to confirm that there's a real boot ROM in the same package as the CPU, and they aren't just reading the SPI flash in hardware. (A hardware bootloader wouldn't be smart enough to display an error message like that.) Presumably this bootloader is also what they would use at the factory to program the NAND flash.

I also measured the clock frequency at SD11_CLK while the DSi is running. In very early boot, it runs at only 250 kHz.. but most of the time, it's running at a much more sensible 16.7 MHz.

Next step: Use an FPGA to build a protocol sniffer. I'd like to stream all of the reads/writes back to my PC over USB 2.0. This would be enough data to reconstruct the portions of the NAND flash that are actually being read during boot, and it would let us know what order the firmware is read in.

For future reference, it should also be possible to electrically separate the flash memory and the CPU without desoldering, just by cutting a few traces. Once we know more about the format of the NAND flash, it could be interesting to try installing alternate firmware by attaching an MMC card socket."




Posts merged

QUOTE(Maz7006 @ Jul 26 2009, 06:30 PM) This has already been mentioned.

Oh, I didn't know that. I just found this to be quite interesting and didn't see any other thread...
 

Technik

dsihomebrew said:
Charmandersrule said:
How'd he hack it to get that?

[... dsihomebrew's post, quoted in full above ...]

I read all that but I still didn't get much. Can someone dumb it down for me?
 

dsihomebrew

Charmandersrule said:
dsihomebrew said:
Charmandersrule said:
How'd he hack it to get that?

[... dsihomebrew's post, quoted in full above ...]

I read all that but I still didn't get much. Can someone dumb it down for me?

He [basically] put wires on the NAND and hooked it up to his computer, booted the DSi up and it sent pieces of the NAND back to his computer through USB.
 

kennypu

Very interesting stuff. This is more promising and good news to me than what Team Twiizers did -.-
 

houseonfire

So if you can just cut the points between the CPU and the flash memory, couldn't you hook up some form of interceptor in between and log all the data that moves through?
 

kennypu

houseonfire said:
So if you can just cut the points between the CPU and the flash memory, couldn't you hook up some form of interceptor in between and log all the data that moves through?
If you went to the OP, that is what the guy is doing -.-
 

houseonfire

kennypu said:
houseonfire said:
So if you can just cut the points between the CPU and the flash memory, couldn't you hook up some form of interceptor in between and log all the data that moves through?
If you went to the OP, that is what the guy is doing -.-

If you read what he said after that:

QUOTE
For future reference, it should also be possible to electrically separate the flash memory and the CPU without desoldering, just by cutting a few traces. Once we know more about the format of the NAND flash, it could be interesting to try installing alternate firmware by attaching an MMC card socket.
That is said as if he didn't do it yet, and that it is possible.
As in, he can do it.
As in, he hasn't done it.

He just got a partial dump.
 
