Reading Obscure Memory

Reading Obscure Memory

Extracting data from memory chips is always an exciting part of any hardware assessment. I have a few chip readers at my disposal which can do the heavy lifting in the majority of cases. In fact, my TNM5000 boasts 23,000 supported devices with the supplied 16 adapters. But what do you do when the chip is not supported by your reader? Or maybe you have no adapter for the exact package you intend to read? 

 

While digging into a smart meter to gain a better understanding of its operation, I came across a memory chip I had not seen before. Behold the Spansion 98GL064NB0. 

 

Fig-1

 

 

Figure 1: The Spansion 98GL064NB0 in its natural habitat 

 

A datasheet can be found for a S98GL064NB0 which explains the chip has 64 Mbit of flash and 32Mbit of RAM which share addressing pins, how cool. Furthermore, the datasheet also specifies that the flash portion is internally an S29GL064N flash device. Let’s confirm if the TNM5000 supports the newly identified S29GL064N.

 

Fig-2

 

 

Figure 2: The S29GL064N is supported by the TNM5000

 

Confirmed! Now all that is left to do is fabricate an adapter board so our chip reader can talk to the internal flash portion of the S98GL064NB0. The memory chip was removed using hot air rework station and the footprint was confirmed to be a 56-ball Fine-Pitch-Ball Grid Array (FBGA). The outside dimensions of this chip are 7mm x 9mm which is quite small to have 56 connections. 

 

Fig-3

 

 

Figure 3: A peek underneath the S29GL064N

 

The TNM5000 expects to read the S29GL064N which is available in a more common 48 Pin Thin Small Outline Package (TSOP) package which would easily fit into the provided TSOP adapter.  

 

TSOP packages are quite often used in NAND chips as the Open NAND Flash Interface (ONFI) specification details a pinout to adhere to. The S29GL064N however is based on Spansion’s MirrorBit flash and is not ONFI compliant.  The pinout for the S29GL064N which the TNM5000 expects is: 

 

Fig-4

 

 

Figure 4: S29GL064N TSOP48 footprint 

 

And the S98GL064NB0 chip we have is a 56 pin FBGA where the pins are underneath the chip and not exposed.  

 

Fig-5

 

 

Figure 5: the S98GL064NB0 TLC56 footprint 

 

Basically, we are going to cross reference the two datasheets and wire the S98GL064NB0 to appear as a S29GL064N TSOP48. We only want the flash portions of the S98GL064NB0, so all the RAM specific pads can be left unconnected.  

 

The adapter board was then designed in Kicad. Routing traces out of the confined footprint of a BGA can be tough. Macrofab has an excellent blog post on the subject. It’s important to check what the minimum clearance between traces your PCB manufacturer provide, especially on a low volume prototype. In my case, Gold Phoenix is able to do 4 mil minimum clearance for an extra $10. You can enter this value into the design rules for your Kicad project. Kicad will now keep you honest and draw a keepout ring around every pad.  

 

Fig-6

 

 

Figure 6: Adding a minimum clearance design rule 

 

I was able to escape the BGA with only 5 vias and stick with a 2 layer board. Routing this by hand was very therapeutic and I found myself very calm by the time the process was done. 

 

Fig-7

 

 

Figure 7: BGA escaped! 

 

A very simple secondary board was also made allowing the adapter to fit into the ZIF socket provided by the TNM5000.  

 

Fig-8

 

 

Figure 8: Main board ready for export

 

Fig-9

 

 

Figure 9: ZIF adaptor ready for export

 

Kicad generated the Gerber files nicely which I then submitted to Gold Phoenix who manufactured and delivered the PCBs in seven business days. We are now ready to assemble an adapter! 

 

Chipfigure10

 

Figure 10: TLC56 FBGA footprint looks great up close

 

Chipfigure11

 

Figure 11: Pins, FBGA adapter, ZIF adapter 

 

The S98GL064NB0 was reballed by hand which I have had good success with and I didn’t want to wait for a stencil. The S98GL064NB0 was then soldered back on using hot air and the headers where soldered to complete the adapter.

 

 

 

This was then stacked onto a custom ZIF adapter to allow it to plug into the TNM5000: 

 

Chipfigure12

 

Chipfigure13

 

The TNM5000 can now detect the chip correctly and a successful read is performed. 

 

Fig-12

 

 

Figure 12: S29GL064N is now recognized

 

Fig-13

 

 

Figure 13: We have data! 

Loren Browman
Application Security Consultant
Loren Browman is an application security consultant at Optiv with a demonstrated history of working in the computer and network security industry. He is skilled in physical security, reverse engineering, vulnerability assessment, computer security, and printed circuit board (PCB) design.