Several months ago, during a hardware device assessment, I encountered a TC58NVG2S0HBAI4 NAND EEPROM which hosted the firmware of the target device. The problem I had was that my MiniPro Universal Programmer did not support this specific variant. It did however, support several similar variants from the same vendor.
For those who may be unaware of the MiniPro, it is a cost effective universal programmer with support for 10’s of thousand of chips and variants. The latest MiniPro, the TL866II+, is available for around $50-$60 but also can come packaged with numerous adapters and sockets for around $100-$120.
- Base TL866II+: https://amzn.to/2Erlrpm
- TL866II+ w/ Adapter Kit: https://amzn.to/2BPstCn
The following is a quick on how to modify the MiniPro’s chip info .dll to change the necessary information to support this variant. Couple things to note first though. This method does not “add” support so much as it replaces an existing configuration meaning you’ll end up removing support for the source chip. Also, I make no guarantees that the offsets used here work for other chips, but the guess-and-check methodology should still apply. Lastly, I’ll refer to all TL866 models as MiniPro, same for the software. Where differences exist, I’ll note that then. Oh, and make backups, lots of them.
Modding the .dll
Before we get started, we need a few things. We need to find the .dll to modify and we need the datasheets for our source and target chip variants. For older TL866 models you’ll find InfoIC.dll in your MiniPro installation directory. For the newer TL866II+, you find InfoIC2plus.dll in the Xgpro installation directory. In my case, I installed both C:/. The datasheets for the chips are:
- Source Chip (Already Supported): http://www.mouser.com/ds/2/408/TC58NVG2S3ETA00-771597.pdf
- Target Chip (Not Supported): https://business.toshiba-memory.com/info/docget.jsp?did=14847&prodName=TC58NVG2S0HBAI4
According to the first sentences of each datasheet, the primary differences were the sizes of pages and blocks. I also figured it was safe to assume that the pinouts were identical. The source chip info in MiniPro matched the datasheet.
Source Chip:
- Page Size: 2048
- Spare Size: 64
- Pages Per Block: 64
- Blocks: 4096
Target Chip:
- Page Size: 4096
- Spare Size: 256
- Pages Per Block: 64
- Blocks: 2048
I used IDA Pro, but any hex editor should do. Upon opening the .dll in IDA, I noted a very large data section. I opened the strings few to quickly find the section I wanted to modify.
Each chip’s info section appeared to be 73 bytes long and started with the chip name in ASCII. Here is the unmodified source chip:
x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 xA xB xC xD xE xF ------------------------------------------------------------------ 0x00|54 43 35 38 4E 56 47 32 53 33 20 40 54 53 4F 50 TC58NVG2S3 @TSOP 0x10|34 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48.............. 0x20|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 ...............! 0x30|00 00 00 00 00 00 00 00 A0 00 00 00 00 21 40 08 ........á....!@. 0x40|08 00 00 00 00 08 00 00 00 10 00 00 40 00 01 01 ............@... 0x50|98 DC 00 00 00 00 00 00 02 00 00 00 40 00 00 00 ÿ_..........@... 0x60|08 00 00 00 F8 00 00 00 13 00 00 00 00 00 00 00 ....°........... 0x70|01 00 00 00 ....
After some experimentation, I determined that the sizes were stored in little endian, in the following locations:
0x44-0x45: Page Size 0x48-0x49: Blocks 0x4C-0x4D: Spare Size 0x5C-0x5D: Pages per Block
If we check the locations in the chip info, we see that 0x44-0x45 equals 0x0800 or 2048. 0x48-0x49 and 0x4C-0x4D equal 0x40 or 64. And 0x5C-0x5D equal 0x1000 or 4096.
Modified each of those section to set the correct values for my target chip and successfully dumped the contents.
Methodology TL;DR
The methodology here is pretty straight forward. If you want to “add” support for a chip, simply look for another chip variant or at least something that would have the same pinout or physical form factor to use as your source chip.
Once you have a source chip, determine the differences by comparing datasheets.
Take your source values and convert to little endian base 16 and look for for those numbers in the source chip’s section of the MiniPro .dll. Be sure to make a backup first.
Save your edits, open mini pro, and confirm your changes are correct.
Dump contents of your target chip and profit or whatever.
Hi,
we’re you able to write to the nand after the modification?
Trying to write to a TC58NVG2S0FTA00
But I’m only able to read it. Writing gets stuck…if I select any other NVG device writing is possible but with wrong parameters…
Honestly, I never tried writing. My purpose was simply to dump the contents for some hacking. I’ll try to keep it in mind next time I’m messing around with this though and see if I can figure anything out.
I have a TC58NVG2S0HBAI4 chip that I am unsoldering from an IoT device to dump the firmware.
I have a Dangerous Prototypes FT2232H Breakout Board 1.0 to connect it to to read it out and I have the pin-out diagram, but I can’t figure out what kind of socket/adapter I need to connect to the chip. Thus far, I have surmised it is a TFBGA63 package? Can you throw me a bone here? What type of adapter do I need for this?
Thanks in advance!
Sorry for the delay, I don’t recall getting a notification about this comment. Using an FT2232H, you should (but I’m not positive) be able to just connect to the specific pins on the chip. That said, here’s a socket you can use with the TL866II: https://www.ebay.com/itm/222891339149.
I am trying to add support for a PROM to the T56 programmer and I’m wondering if you ever worked out if there was a way to modify pinouts and voltage in the chip definitions. It’s clear that there’s more information there but as I’m new to reverse engineering (and most of the data is just 0s) I wouldn’t know where to begin with adding a whole new chip.