hex data in dmp is odd

[anthonyhartiddr]

I have the NANDReader and TSOP48 socket connected and working. The chip I have in the socket gets properly identified with the ./NandTool -i command. The thing that I find odd is that when I run the ./NandTool -r test.dmp command, the hex values in the file are mostly 00. I would say that there is probably about 1 hex value that isn't 00 to about 50 that are 00. I was curious as to if I had fried the chip - though my chip-offs were pretty straight forward and didn't sit under the IR station for more than 7s. When I run ./NandTool -v test.dmp it errors and recognizes a different value for every byte. Any ideas as to why this is? I can provide screenshots if need be.

[DataDrug]

Hi anthonyhartiddr,

You should start by dumping really old tsop 48 chips. That will be your best bet. That's becasue new chips have weird ECC, XOR, etc and: 1: You may be reading the chip incorrectly. 2: A Nand reader won't read last generation tsops.

This will sound weird, but "getting a good dump is hard".

With this device, I can read 4/10 tsop48's, and I can recover the files from 3 out of 4 read. Obviously, dumping, even though being a hard task is the easy part. After that you have to understand how to assemble the raw data. P.s: to save your time, don't try to waste your time and use the .dmp file with a forensic carver, nothing will be out.

Good luck !

[dogtopus]

If the error happens on random locations across the flash at random time, check your connection and settings. The wires might be too long and/or you drive the chip too fast. Try connecting the socket with shorter wires and make sure the wires form a good contact, and use -s option to operate the ftdi chip at 12MHz speed instead of 60MHz. But as others pointed out, "getting a good dump is hard", you can still get bad dumps with a lot of corruptions in it even if you followed these steps. But it's still worth trying.