What's the easiest way to get a full NAND dump?

vochong · October 15, 2024, 4:02pm

I have a router whose uboot (on /dev/mtd0) is corrupted due to an unexpected power outage during its flashing. Since JTAG is disabled on the device, I will need to desolder its NAND chip and program it in an external programmer. The question is how to get the NAND dump from another working device:

Extract the full dump from a working NAND chip in an external programmer. This requires desoldering of the NAND chip from another working device (more effort).
Can I use nanddump to dump every mtd partition and then concatenate them to produce a full dump? It seems that most NAND programmer will not work with a partial dump (aka only mtd0 dump). E.g. "cat mtd0_dump.bin mtd1_dump.bin mtd2_dump.bin > full_nand_dump.bin"
Is there any way? Thanks.

root@OpenWrt:~# cat /proc/mtd 
dev:    size   erasesize  name
mtd0: 00100000 00040000 "u-boot"
mtd1: 00300000 00040000 "bootkernel1"
mtd2: 00040000 00040000 "nvram"
mtd3: 00040000 00040000 "u-boot-env"
mtd4: 00080000 00040000 "shmoo"
mtd5: 00300000 00040000 "bootkernel2"
mtd6: 3f700000 00040000 "ubi"

root@OpenWrt:~# df -k
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/root                 2816      2816         0 100% /rom
tmpfs                  1033780       276   1033504   0% /tmp
/dev/ubi0_7             352588       280    347472   0% /overlay
overlayfs:/overlay      352588       280    347472   0% /
tmpfs                      512         0       512   0% /dev

xury · October 15, 2024, 4:05pm

Partition "all" seams to by whole flash - 0x000000000000-0x00003ff00000

vochong · October 15, 2024, 11:05pm

Hi @xury,

Sorry, I pasted the wrong log. Please take a look at the correct one. Thanks.

Cthulhu88 · October 16, 2024, 1:29am

You need to take into account padding between partitions, and the address of where a partition starts.

The uboot partition should be readonly 99% of the time, it shouldn't get easily corrupted by ungraceful shutdowns. Not sure what happened there, did you make sure the chip isn't actually malfunctioning?

vochong · October 16, 2024, 3:16am

Hello,
I was flashing a modified uboot onto the mtd0 partition when an unexpected power outage occurred.

Cthulhu88 · October 16, 2024, 4:02am

Try getting the partition address, and padding between partitions info from fdisk.

xury · October 16, 2024, 11:00am

What's device? Ubi partition have 1016 MB?

vochong · October 16, 2024, 1:29pm

It's a Meraki MX65.

Here's its original PR: https://github.com/openwrt/openwrt/pull/3996

xury · October 16, 2024, 2:08pm

Partition	Size	Start offset (hex)	Start offset (dec)
mtd0: u-boot	1 MB	0x00000000	0
mtd1: bootkernel1	3 MB	0x00100000	1,048,576
mtd2: nvram	256 KB	0x00400000	4,194,304
mtd3: u-boot-env	256 KB	0x00440000	4,456,448
mtd4: shmoo	512 KB	0x00480000	4,718,592
mtd5: bootkernel2	3 MB	0x00500000	5,242,880
mtd6: ubi	1016 MB	0x00800000	8,388,608

You can merge partitions as above description. But I not 100% sure. I don't know where is missed 1MB to fill up 0x40000000

Cthulhu88 · October 16, 2024, 8:49pm

Where is the missing 1 MB? 8 MB + 1016 MB = 1024 MB / 1 GB.

Is that partition table correct, though? Non-volatile storage hardware manufacturers usually make use of KB (kilo), MB (mega) and GB (giga), rather than KiB (kibi), MiB (mebi) and GiB (gibi), which would give roughly 954 MiB of storage space (assuming no bad sectors).

vochong · October 16, 2024, 10:16pm

Context of /proc/mtd Output:

In the output from /proc/mtd, the sizes are typically interpreted using KiB (Kibibytes) and MiB (Mebibytes) for the following reasons:

Memory Specifications: Memory sizes in /proc/mtd are usually represented in powers of 2, aligning with the binary nature of memory allocation in computing.
Common Practice in Linux: Linux kernel interfaces and system files like /proc often utilize binary prefixes (KiB, MiB) to describe memory and storage sizes, which reflect actual hardware addressing and memory allocation.

• In the context of the provided /proc/mtd output, the units are interpreted as KiB (Kibibytes) and MiB (Mebibytes). Therefore, for instance, 0x00100000 should be interpreted as 1 MiB (1,024 KiB = 1,048,576), not 1,000 KB.

Cthulhu88 · October 16, 2024, 10:40pm

No, the sizes in the /proc/mtd table are in bytes, which isn't a factor when converting to either XiB or XB.

As for the rest, why exactly are you lecturing me on base 1000 units and base 1024 units when it's pretty clear I know about them from just reading my post above?
Your device specification shows an 1 GB flash chip. Non-volatile memory manufacturers (such as the ones manufacturing HDDs or SSDs), generally use base 1000, but it seems NAND and NOR manufacturers use base 1024, which is also used for volatile memory manufacturers.

vochong · October 16, 2024, 11:49pm

Sorry, there was no lecturing intention in the previous post at all; it was just some repetitive habit. For non-volatile memory devices sold to regular consumers, I believe vendors might want to “cheat” by using the base-1000 system to present artificially larger capacities. However, they may use the base-1024 system for commercial or professional products.

Total size = (1 + 3 + 256/1024 + 256/1024 + 512/1024 + 3 + 1016) = 1024.0 = 1 GiB.

vochong · October 18, 2024, 5:13am

Hi @xury,

Thanks a lot for the table. However, for the mtd6 partition, should its size be 1015 MiB (0x3f700000) instead of 1016 MiB as you showed? Is it possible that the "missing 1 MiB" is left unpartitioned at the end of the NAND chip?

mtd6: 3f700000 00040000 "ubi"

system · October 28, 2024, 5:14am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.