Several months ago, during a hardware device assessment, I encountered a TC58NVG2S0HBAI4 NAND EEPROM which hosted the firmware of the target device. The problem I had was that my MiniPro Universal Programmer did not support this specific variant. It did however, support several similar variants from the same vendor.
For those who may be unaware of the MiniPro, it is a cost effective universal programmer with support for 10’s of thousand of chips and variants. The latest MiniPro, the TL866II+, is available for around $50-$60 but also can come packaged with numerous adapters and sockets for around $100-$120.
- Base TL866II+: https://amzn.to/2Erlrpm
- TL866II+ w/ Adapter Kit: https://amzn.to/2BPstCn
The following is a quick on how to modify the MiniPro’s chip info .dll to change the necessary information to support this variant. Couple things to note first though. This method does not “add” support so much as it replaces an existing configuration meaning you’ll end up removing support for the source chip. Also, I make no guarantees that the offsets used here work for other chips, but the guess-and-check methodology should still apply. Lastly, I’ll refer to all TL866 models as MiniPro, same for the software. Where differences exist, I’ll note that then. Oh, and make backups, lots of them.
Modding the .dll
Before we get started, we need a few things. We need to find the .dll to modify and we need the datasheets for our source and target chip variants. For older TL866 models you’ll find InfoIC.dll in your MiniPro installation directory. For the newer TL866II+, you find InfoIC2plus.dll in the Xgpro installation directory. In my case, I installed both C:/. The datasheets for the chips are:
- Source Chip (Already Supported): http://www.mouser.com/ds/2/408/TC58NVG2S3ETA00-771597.pdf
- Target Chip (Not Supported): https://business.toshiba-memory.com/info/docget.jsp?did=14847&prodName=TC58NVG2S0HBAI4
According to the first sentences of each datasheet, the primary differences were the sizes of pages and blocks. I also figured it was safe to assume that the pinouts were identical. The source chip info in MiniPro matched the datasheet.
Source Chip:
- Page Size: 2048
- Spare Size: 64
- Pages Per Block: 64
- Blocks: 4096
Target Chip:
- Page Size: 4096
- Spare Size: 256
- Pages Per Block: 64
- Blocks: 2048
I used IDA Pro, but any hex editor should do. Upon opening the .dll in IDA, I noted a very large data section. I opened the strings few to quickly find the section I wanted to modify.
Each chip’s info section appeared to be 73 bytes long and started with the chip name in ASCII. Here is the unmodified source chip:
x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 xA xB xC xD xE xF ------------------------------------------------------------------ 0x00|54 43 35 38 4E 56 47 32 53 33 20 40 54 53 4F 50 TC58NVG2S3 @TSOP 0x10|34 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48.............. 0x20|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 ...............! 0x30|00 00 00 00 00 00 00 00 A0 00 00 00 00 21 40 08 ........á....!@. 0x40|08 00 00 00 00 08 00 00 00 10 00 00 40 00 01 01 ............@... 0x50|98 DC 00 00 00 00 00 00 02 00 00 00 40 00 00 00 ÿ_..........@... 0x60|08 00 00 00 F8 00 00 00 13 00 00 00 00 00 00 00 ....°........... 0x70|01 00 00 00 ....
After some experimentation, I determined that the sizes were stored in little endian, in the following locations:
0x44-0x45: Page Size 0x48-0x49: Blocks 0x4C-0x4D: Spare Size 0x5C-0x5D: Pages per Block
If we check the locations in the chip info, we see that 0x44-0x45 equals 0x0800 or 2048. 0x48-0x49 and 0x4C-0x4D equal 0x40 or 64. And 0x5C-0x5D equal 0x1000 or 4096.
Modified each of those section to set the correct values for my target chip and successfully dumped the contents.
Methodology TL;DR
The methodology here is pretty straight forward. If you want to “add” support for a chip, simply look for another chip variant or at least something that would have the same pinout or physical form factor to use as your source chip.
Once you have a source chip, determine the differences by comparing datasheets.
Take your source values and convert to little endian base 16 and look for for those numbers in the source chip’s section of the MiniPro .dll. Be sure to make a backup first.
Save your edits, open mini pro, and confirm your changes are correct.
Dump contents of your target chip and profit or whatever.