Mysterious Mp3 player
Mystery Mp3 player
When i was walking aside the road towards my internship job, i passed a
abadoned house and in the sand i saw a green glimmer of PCB solder
resist. That always triggers the "there might be something useful
there" part in my brain. I saw there a small circuit board with several
chips and it looked like this:
I recognised one chip right away. The Atmel SND01 8051 controller. Its
a 64k OTP rom with a mp3 decoder on board. After looking around i
became curious about what was on it. So i soldered the USB plug to it
and attached it to the computer. Nothing "unknown device detected", so
i didnt went far. My plan is to use some chipquik removal solder and solder
the TSSOP flash chip to a TSSOP converter PCB. Then using a AVR read
out the contents, send it out via serial port, and pipe the output to a
file. And mount it in linux. I am curious what would be on it.
A most interesting detective story. Stay Tuned!
Update 25 january 2006
The chipquick worked perfect, i am going to put it on my to buy list.
You just add some solder, cover all the pins, slosh it around a bit.
And the chip just slides off, you have to use the chipquik flux with
it. I used some SMD rework flux on it, but had to wash it off with some
denatured alcohol.
I dont have a picture of the whole procedure, but it went without a
hitch. There was one problem, chipquik was meant to rework PCB's but i
wanted to save the part. Well after removing most of the solder with a
cotton swab. I just placed the chip on TSSOP adapter board that i
bought from farnell (item number 3479493) and soldered it down, what i
notice right away, chipquik wets poorly if you want to reuse the part.
So i added a whole bunch of normal solder to "dilute" the chipquik and
hope for the best. After the gobs of solder have been placed, and
removed with some solder litze. I used a long haired brush with pure
alcohol to clean the flux off the board up to make it look like this:
Now i need to solder some pins on it, attach it to a micro and read it
out sector by sector into a file. Hopefully i can mount the raw format
via linux or something, otherwise i will have to get cracking manually.
No biggy, if it is a sector by sector copy of a fat 32 harddisk i am
set, i can reuse my old fat32 library from my 8051 harddisk project to examine the
structure of the chip. Or i can just DD it to some old harddisk and see
what happens. Otherwise it will be a while before i reverse engineer
this baby. Reading out the micro is not a option, wading trough
disassembled 8051 code is not my idea of a good time.
Anybody have some experience with this kind of thing? Mail me.
Update 15 november 2006
After a long hiatus, I finally got to get some more data from the NAND
flash chip. I am actually currently dumping the data, but it takes a
lot of time to transfer it trough 112500BPS, becouse its a 256MiB chip.
Basically I have programmed a simple XMODEM
CRC
protocol so i can painlessly transfer the contents of the NAND flash to
the PC. Problem is the last packet but I can live with that. I can
analyse the file in peace when i get it on the PC. Currently i am
skipping the last 64bytes of each page as they only read 0xFF and are
for extra information like wearleveling (out of band information). I
will try and get that sorted out ASAP, as
there must be a clue to how the wear leveling algorithm works of the
mp3 player, if there is one.
This is the setup. AVRISP II programming a ATmega16V running at 7.379
MHz powered bij 3.3V. PORTA is connected to the control signals of the
flash, PORTC is connected to the databus.
This is the front side of the flash chip adapter board. The 2 yellow
things are the decoupling capacitors for the flash chip. Pinheaders
have been soldered to the PCB and put in another PCB with a header that
will fit in my 40 pin header socket to CUP headers that i have just for
this thing. (CUP pin headers are so expensive).
This is the back side of the flash chip adapter board. Blue kynar wires
connect the relevant pins to the header below. Lots of pins on the
flash chip are unused, i assume the chip is quite large so thats why
the chose TSSOP.
Results
I have managed to read out some data.
As you can see the telltale sign of a FAT16 boot sector. NO NAME FAT16
is present.
Some quick browsing and revealed the FAT, it refers to MP3 files
unsurprisingly. In my opinion a particular bad taste too like 50CT,
usher, bubbling and other RAP and R&B songs. Alas not the proof of
the existence of aliens, a treasure map, sensitive documents to some
elaborate plot and such. I
will still need to properly mount this filesystem to get all the data
from it.
Conclusion
hooking up the NAND flash was easy, the routines worked first try and
the chip identified itself without a problem. The data on it will be
another matter, I assume a wearleveling algorithm is used to reduce
wear on the flash chip, but I am not sure. I need to inspect the flash
out of band data to be 100% sure.
If i could retrieve the files from the chip without any problems, this
could be a viable method of recovering USB sticks that have died
becouse of a accident or electrostatic discharge. Usually the USB
interface chip dies, but the flash is still in tact, its would be a
simple matter of transplanting the chip on one of the converter boards
and dump its contents. Then mount the resultant image and retrieve the
files.
Here is the sourcecode I used: NANDflashdumper.zip
Back
Last update at: 16-11-2006
Keywords: NAND flash chip reader recovery AVR