Skip to main content

Reading Obscure Memory

October 18, 2018

Extracting data from memory chips is always an exciting part of any hardware assessment. I have a few chip readers at my disposal which can do the heavy lifting in the majority of cases. In fact, my TNM5000 boasts 23,000 supported devices with the supplied 16 adapters. But what do you do when the chip is not supported by your reader? Or maybe you have no adapter for the exact package you intend to read? 

While digging into a smart meter to gain a better understanding of its operation, I came across a memory chip I had not seen before. Behold the Spansion 98GL064NB0. 

Fig-1
Figure 1: The Spansion 98GL064NB0 in its natural habitat 

A datasheet can be found for a S98GL064NB0 which explains the chip has 64 Mbit of flash and 32Mbit of RAM which share addressing pins, how cool. Furthermore, the datasheet also specifies that the flash portion is internally an S29GL064N flash device. Let’s confirm if the TNM5000 supports the newly identified S29GL064N.

Fig-2
Figure 2: The S29GL064N is supported by the TNM5000

Confirmed! Now all that is left to do is fabricate an adapter board so our chip reader can talk to the internal flash portion of the S98GL064NB0. The memory chip was removed using hot air rework station and the footprint was confirmed to be a 56-ball Fine-Pitch-Ball Grid Array (FBGA). The outside dimensions of this chip are 7mm x 9mm which is quite small to have 56 connections. 

Fig-3
Figure 3: A peek underneath the S29GL064N

The TNM5000 expects to read the S29GL064N which is available in a more common 48 Pin Thin Small Outline Package (TSOP) package which would easily fit into the provided TSOP adapter.  

TSOP packages are quite often used in NAND chips as the Open NAND Flash Interface (ONFI) specification details a pinout to adhere to. The S29GL064N however is based on Spansion’s MirrorBit flash and is not ONFI compliant.  The pinout for the S29GL064N which the TNM5000 expects is: 

Fig-4
Figure 4: S29GL064N TSOP48 footprint 

And the S98GL064NB0 chip we have is a 56 pin FBGA where the pins are underneath the chip and not exposed.  

Fig-5
Figure 5: the S98GL064NB0 TLC56 footprint 

Basically, we are going to cross reference the two datasheets and wire the S98GL064NB0 to appear as a S29GL064N TSOP48. We only want the flash portions of the S98GL064NB0, so all the RAM specific pads can be left unconnected.  

The adapter board was then designed in Kicad. Routing traces out of the confined footprint of a BGA can be tough. Macrofab has an excellent blog post on the subject. It’s important to check what the minimum clearance between traces your PCB manufacturer provide, especially on a low volume prototype. In my case, Gold Phoenix is able to do 4 mil minimum clearance for an extra $10. You can enter this value into the design rules for your Kicad project. Kicad will now keep you honest and draw a keepout ring around every pad.  

Fig-6
Figure 6: Adding a minimum clearance design rule 

I was able to escape the BGA with only 5 vias and stick with a 2 layer board. Routing this by hand was very therapeutic and I found myself very calm by the time the process was done. 

Fig-7
Figure 7: BGA escaped! 

A very simple secondary board was also made allowing the adapter to fit into the ZIF socket provided by the TNM5000.  

Fig-8
Figure 8: Main board ready for export

Fig-9
Figure 9: ZIF adaptor ready for export

Kicad generated the Gerber files nicely which I then submitted to Gold Phoenix who manufactured and delivered the PCBs in seven business days. We are now ready to assemble an adapter! 

Fig-10
Figure 10: TLC56 FBGA footprint looks great up close

Fig-11
Figure 11: Pins, FBGA adapter, ZIF adapter 

The S98GL064NB0 was reballed by hand which I have had good success with and I didn’t want to wait for a stencil. The S98GL064NB0 was then soldered back on using hot air and the headers where soldered to complete the adapter.

This was then stacked onto a custom ZIF adapter to allow it to plug into the TNM5000: 

Chip-1
Chip-2

The TNM5000 can now detect the chip correctly and a successful read is performed. 

Fig-12
Figure 12: S29GL064N is now recognized

Fig-13
Figure 13: We have data! 


    Loren Browman

By: Loren Browman

Application Security Consultant

See More

Related Blogs

August 28, 2018

Gaining Efficiencies in a Cyber Security Ecosystem

In cyber security, with threat attack surfaces growing larger each day because of cloud, mobile, social media and IoT, it’s harder than ever to keep t...

See Details

August 28, 2018

Security Operations Efficiency is Not Gained Through a Patchwork of Expensive Security Tools

Cloud, mobile, social media, IoT and big data have profoundly expanded the attack surface in the latest cyber super cycle, and it’s no surprise organi...

See Details

October 16, 2017

Predictions for Tomorrow’s Internet

Currently, an estimated 6.4 billion Internet-of-Things (IoT) devices are connected, with 67 percent residing in North America, Western Europe and Chin...

See Details

How Can We Help?

Let us know what you need, and we will have an Optiv professional contact you shortly.


Privacy Policy

Stay in the Know

For all the latest cybersecurity and Optiv news, subscribe to our blog and connect with us on Social.

Subscribe

Join our Email List

We take your privacy seriously and promise never to share your email with anyone.

Stay Connected

Find cyber security Events in your area.