A Single Partner for Everything You Need Optiv works with more than 450 world-class security technology partners. By putting you at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can.
We Are Optiv Greatness is every team working toward a common goal. Winning in spite of cyber threats and overcoming challenges in spite of them. It’s building for a future that only you can create or simply coming home in time for dinner. However you define greatness, Optiv is in your corner. We manage cyber risk so you can secure your full potential.
Reading Obscure Memory Breadcrumb Home Insights Blog Reading Obscure Memory October 18, 2018 Reading Obscure Memory Extracting data from memory chips is always an exciting part of any hardware assessment. I have a few chip readers at my disposal which can do the heavy lifting in the majority of cases. In fact, my TNM5000 boasts 23,000 supported devices with the supplied 16 adapters. But what do you do when the chip is not supported by your reader? Or maybe you have no adapter for the exact package you intend to read? While digging into a smart meter to gain a better understanding of its operation, I came across a memory chip I had not seen before. Behold the Spansion 98GL064NB0. Figure 1: The Spansion 98GL064NB0 in its natural habitat A datasheet can be found for a S98GL064NB0 which explains the chip has 64 Mbit of flash and 32Mbit of RAM which share addressing pins, how cool. Furthermore, the datasheet also specifies that the flash portion is internally an S29GL064N flash device. Let’s confirm if the TNM5000 supports the newly identified S29GL064N. Figure 2: The S29GL064N is supported by the TNM5000 Confirmed! Now all that is left to do is fabricate an adapter board so our chip reader can talk to the internal flash portion of the S98GL064NB0. The memory chip was removed using hot air rework station and the footprint was confirmed to be a 56-ball Fine-Pitch-Ball Grid Array (FBGA). The outside dimensions of this chip are 7mm x 9mm which is quite small to have 56 connections. Figure 3: A peek underneath the S29GL064N The TNM5000 expects to read the S29GL064N which is available in a more common 48 Pin Thin Small Outline Package (TSOP) package which would easily fit into the provided TSOP adapter. TSOP packages are quite often used in NAND chips as the Open NAND Flash Interface (ONFI) specification details a pinout to adhere to. The S29GL064N however is based on Spansion’s MirrorBit flash and is not ONFI compliant. The pinout for the S29GL064N which the TNM5000 expects is: Figure 4: S29GL064N TSOP48 footprint And the S98GL064NB0 chip we have is a 56 pin FBGA where the pins are underneath the chip and not exposed. Figure 5: the S98GL064NB0 TLC56 footprint Basically, we are going to cross reference the two datasheets and wire the S98GL064NB0 to appear as a S29GL064N TSOP48. We only want the flash portions of the S98GL064NB0, so all the RAM specific pads can be left unconnected. The adapter board was then designed in Kicad. Routing traces out of the confined footprint of a BGA can be tough. Macrofab has an excellent blog post on the subject. It’s important to check what the minimum clearance between traces your PCB manufacturer provide, especially on a low volume prototype. In my case, Gold Phoenix is able to do 4 mil minimum clearance for an extra $10. You can enter this value into the design rules for your Kicad project. Kicad will now keep you honest and draw a keepout ring around every pad. Figure 6: Adding a minimum clearance design rule I was able to escape the BGA with only 5 vias and stick with a 2 layer board. Routing this by hand was very therapeutic and I found myself very calm by the time the process was done. Figure 7: BGA escaped! A very simple secondary board was also made allowing the adapter to fit into the ZIF socket provided by the TNM5000. Figure 8: Main board ready for export Figure 9: ZIF adaptor ready for export Kicad generated the Gerber files nicely which I then submitted to Gold Phoenix who manufactured and delivered the PCBs in seven business days. We are now ready to assemble an adapter! Figure 10: TLC56 FBGA footprint looks great up close Figure 11: Pins, FBGA adapter, ZIF adapter The S98GL064NB0 was reballed by hand which I have had good success with and I didn’t want to wait for a stencil. The S98GL064NB0 was then soldered back on using hot air and the headers where soldered to complete the adapter. This was then stacked onto a custom ZIF adapter to allow it to plug into the TNM5000: The TNM5000 can now detect the chip correctly and a successful read is performed. Figure 12: S29GL064N is now recognized Figure 13: We have data! By: Loren Browman Application Security Consultant Loren Browman is an application security consultant at Optiv with a demonstrated history of working in the computer and network security industry. He is skilled in physical security, reverse engineering, vulnerability assessment, computer security, and printed circuit board (PCB) design. Share: SecOps
Would you like to speak to an advisor? Let's Talk Cybersecurity Provide your contact information and we will follow-up shortly. Let's Browse Cybersecurity Just looking? Explore how Optiv serves its ~6,000 clients. Show me AI Security Solutions Show me the Optiv brochure Take me to Optiv's Events page Browse all Services