Interested in a RPi0 based AIO chip option

D337z

Hey, I know this can be done because it sort of has, but I've been looking into the possibility of using a Raspberry Pi Zero as an all-in-one chip reader and writer for downgrading due to its ease of programming, ability to run an OS, low cost, ability to do everything from the RPi0, and just being a generally better option than a Teensy. If used with a chip reader, it shouldn't be difficult to program for. I'll take a look at the mapping and see what I can do, but would anyone be able to assist as I'm a bit of a novice in the programming side of things? I can optimize code and read code, but I can't write it worth a darn.
 
Alright, so after looking at it, NAND should be simple. NOR will require the setting of pins for IO based on read or write operations in which data pins should be mostly disabled during write operations and, with luck, shouldn't be damaged by 3.3V pulses to the input of the NOR chips. Has anyone looked at the possibility of using pins for dual duty? Just looking for some input here.
 
I already made a proof of concept of a RPI NAND dumper / writer. Need some cleanup and improvements. I can share it if you want.
For NOR, there are not enough IO on a RPI...

http://www.psx-place.com/threads/a-way-to-fix-via-dump-flash-nor-using-a-pi-3-ps3-20x.16473/
I beg to differ about NOR. Depending on whether or not the data output pins of the NOR chip will tolerate 3.3V input while not being used, the RPi pins can pull double duty based on whether you need to read or write. So, you would connect data out and data in to the same pin and set sense or high output for the Pi pins based on what you're doing. This, effectively, gives you at least 44 connections not including power, clk, etc.

From what I can tell, there are modes in the NOR chips which allow them to be programmed faster with buffered writes that allow fewer address and data pins to be utilized. It looks like we've been programming in single byte mode the whole time instead of taking advantage of the chip's capabilities. What do you think about it?
 
Well, I've figured out what I believe will work.
When the WE# and CE# are low, the data pins are tri-stated and addresses can be locked in. With a 5 nanosecond window of error, the WE# and CE# can be set to high and the address latched onto and the data set (hopefully with the address pins in tri-state). IF this holds true, the same pins can be utilized by address and data with their function being set by WE# and CE# within the chip and run at full 16-byte (or 64-byte if you want to use buffered writes [which I haven't thoroughly explored yet]).
So, in theory, it'll work as long as the address pins enter a tri-state under data-writes.
 
You can talk with judges (who made nandway, norway, and spiway for the teensy) in this IRC server
He has a bot/script in the #home channel with his nick and is usually inactive, but notify him and eventually you will be lucky to summon him for a talk

As you can imagine, he is very used to all the problems, protocols, control signals, etc. needed to deal with PS3 flashes
I guess he could give you some hints with the procedures, but is not going to be able to help you with the raspi code though
 
That would be a neat tool. If you don't mind sharing I'd like to check it out sometime.

Sorry for the delay. Here is the binary to use on a Pi2 or 3: https://www.dropbox.com/s/dgck6rflma155we/RasPS3_b3_Pi2-3?dl=1
Rename it "RasPS3".

If you want to play with the source code (very ugly, unpolished, not optimized, etc. It is as I left it two years ago): https://www.dropbox.com/s/sbad1b23tlnf6ku/rpi-tsop48-nand-b3.c?dl=0
Feel free to do what you want with that. I don't plan to do anything else.


First of all be warned:
- it's a POC
- it has never been tested yet by me on a PS3 mainboard. Only tested on a naked unsoldered NAND chip. So, use at your own risk. Better to test it on a YLODed console.
- it performs only basic operations : read chip ID, read/program page(s), erase block(s).
- it may be buggy


How to:

[Image: RasPS3_pinout.png (pinout diagram)]


Code:
usage: sudo ./RasPS3 <delay> <command> ...

<delay> used to slow down operations (50 should work, increase if bad reads)

Commands:
read_id (no arguments)                        : read and decrypt chip ID
read_full <page #> <# of pages> <output file> : read N pages including spare
read_data <page #> <# of pages> <output file> : read N pages, discard spare
write_full <page #> <# of pages> <input file> : write N pages, including spare
write_data <page #> <# of pages> <input file> : write N pages, discard spare
erase_blocks <block number> <# of blocks>     : erase N blocks

Notes:
This program assumes PAGE_SIZE == 2112
Run as root (sudo) required (for /dev/mem access)


As you can see, you'll have to give some arguments like page number, block number... It may be a little bit complicated. So I'll give you the basic sequence to dump then write a complete PS3 NAND:

Note, you must remember two important numbers: the retail PS3 NANDs have 1024 blocks, 65536 pages


1- Read the chip ID data :
Code:
sudo ./RasPS3 50 read_id

ensure the nand is correctly identified.


2- Dump the full NAND content:
Code:
sudo ./RasPS3 50 read_full 0 65536 yourdumpfile.bin

note: you may have a couple of "Page failed to read correctly! retrying" messages. It's not an issue to have some of them. If you have too many failures, try increasing the delay parameter.


3- Erase the full NAND content:
This is mandatory before writing, as the write command only sets the '1' bits to '0'. So, all the bits must be set to '1' first (set all bytes to 0xFF) using the erase command.
Code:
sudo ./RasPS3 50 erase_blocks 0 1024

note: you may have some "Failed to erase block correctly! retrying" followed by "Too many retries. Perhaps bad block?". It's normal if your NAND has some physical bad blocks.


4- Write the full NAND content.
Code:
sudo ./RasPS3 50 write_full 0 65536 yourdumpfile.bin



That's it. Enjoy :)


Edit : @lord3490 you tested it some years ago. Maybe you could say a few words for the community ;)
 
Now that I have some free time, I'll go ahead and try to modify this to work with NOR by allowing the pins to do double-duty for address and data if possible. Thank you for sharing it with us.
 
Edit : @lord3490 you tested it some years ago. Maybe you could say a few words for the community ;)
It's been a while so I'm not sure if I remember correctly.
I tested it on 2 consoles: iirc I was able to read at least 1 chip on each board, my soldering skills are not that great so I later tried it with a clip.
Not sure how far I got there, but never a full read/write process on both chips on one board (lack of skill on my side I'm sure).
Later I got a colleague to desolder all nands and I was able to fully read and write with minor issues.
AFAIK both consoles should be flashed correctly so a cfw installation should have been possible, but unfortunately when the nands were back in place none of the two consoles booted anymore :(
I'm pretty sure something else was damaged on the main boards during the soldering :-/

I haven't investigated further, but at least I can say reading and writing was successful because I read after writing and it matched the modified dumps ;)
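Added example (not part of RasPS3 and not written by any poster in this thread): a small Python checker for `read_full` dumps that compares two dumps page by page, maps mismatches to erase blocks, and lists pages that cannot be written without an erase because the target needs a 0 bit turned back into 1. The function names are hypothetical; the page size, page count and block count are the ones given in the how-to post.

```python
# Added example, not part of RasPS3: offline checks on "read_full" dumps.
import sys

PAGE_SIZE = 2112                                # from the tool's usage notes
TOTAL_PAGES, TOTAL_BLOCKS = 65536, 1024         # retail PS3 NAND, per the post
PAGES_PER_BLOCK = TOTAL_PAGES // TOTAL_BLOCKS   # 64 pages per erase block


def pages(dump: bytes):
    """Yield (page number, page bytes including spare) for a read_full dump."""
    if len(dump) % PAGE_SIZE:
        raise ValueError("dump length is not a multiple of PAGE_SIZE")
    for n in range(len(dump) // PAGE_SIZE):
        yield n, dump[n * PAGE_SIZE:(n + 1) * PAGE_SIZE]


def diff_pages(a: bytes, b: bytes) -> list:
    """Page numbers at which two dumps of the same chip disagree."""
    if len(a) != len(b):
        raise ValueError("dumps differ in length")
    return [n for (n, pa), (_, pb) in zip(pages(a), pages(b)) if pa != pb]


def needs_erase(current: bytes, target: bytes) -> list:
    """Pages where target has a 1 bit that is 0 on the chip right now.

    Programming only clears bits (1 -> 0), so these pages need an erase first.
    """
    if len(current) != len(target):
        raise ValueError("dumps differ in length")
    bad = []
    for (n, cur), (_, tgt) in zip(pages(current), pages(target)):
        c, t = int.from_bytes(cur, "big"), int.from_bytes(tgt, "big")
        if t & ~c:                      # bits set in target but clear on chip
            bad.append(n)
    return bad


def blocks_of(page_numbers) -> list:
    """Erase blocks that contain the given pages."""
    return sorted({n // PAGES_PER_BLOCK for n in page_numbers})


if __name__ == "__main__":
    first, second = (open(p, "rb").read() for p in sys.argv[1:3])
    print("full-chip size:", len(first) == TOTAL_PAGES * PAGE_SIZE)
    bad = diff_pages(first, second)
    print(len(bad), "differing pages, in blocks", blocks_of(bad))
    print("blocks needing erase:", blocks_of(needs_erase(first, second)))
```

Run it on two consecutive dumps before erasing anything, and again on the image you wrote versus a fresh read-back; differences confined to a few blocks that also failed to erase point at bad blocks rather than wiring.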
 
