Utilities to decode raw NAND dumps taken on Mediatek MT8167/MT8516 SoCs
Two scripts to help decode raw NAND dumps with 4096+256B page size. They both work in unix pipelines so ideally they can be invoked like this:
cat raw_image.bin | ./mtk_nand_4k_scrambler.py | ./mt8167_correct_ecc.py > decoded_image.bin
(Swapping cat for pv gives a nice progress bar if the latter is installed.)
- scrambles (randomizes) raw NAND dumps generated by Mediatek MT8167/MT8516 SoCs (the code applies a XOR pattern to the data so undoing/descrambling is the same operation)
- drops any leftover bytes after the last full page
- outputs a (de)scrambled bitstream including the spare (OOB) area of the pages (the bitstream can still contain bitflips, so might need ECC correction)
- can be used in a unix pipeline - it falls back automagically to using stdin & stdout
- gets a huge performance boost if NumPy is installed
The actual hardware uses PRBS-15. At first I misidentified the pattern as a 120-bit LFSR, which generated the same pattern. I liked the simplicity of the LFSR generator function I came up with, so I left it like that.
The 64 seed values generate sequences starting at specific byte offsets inside a full pattern cycle, so it made sense to hardcode the relative offsets instead.
Please note this is the Mediatek version of PRBS-15 with one seed value different from the industry standard: seed[22] = 0x484F instead of 0x48F4.
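An added sketch (not the repository's code) of the scheme described above: a page-wise XOR with a PRBS-15 keystream, which is why descrambling is the same operation, and seeds acting as phase offsets within one 32767-bit cycle. The MSB-first bit packing, the use of a seed directly as LFSR state and the seed-per-page selection are assumptions, so the output is not bit-exact to a real Mediatek dump.

```python
PAGE = 4096 + 256        # data + spare (OOB) bytes per page, as in the README
PERIOD = (1 << 15) - 1   # a maximal-length 15-bit LFSR repeats after 32767 bits

def step(state):
    """Advance a Fibonacci LFSR for x^15 + x^14 + 1 by one bit."""
    bit = ((state >> 14) ^ (state >> 13)) & 1
    return ((state << 1) | bit) & 0x7FFF, bit

def keystream(seed, n):
    """n keystream bytes from a nonzero seed; MSB-first packing is an assumption."""
    state, out = seed & 0x7FFF, bytearray()
    for _ in range(n):
        byte = 0
        for _ in range(8):
            state, bit = step(state)
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)

def scramble(raw, seeds):
    """XOR every full page with its keystream; a trailing partial page is dropped."""
    out = bytearray()
    for p in range(len(raw) // PAGE):
        ks = keystream(seeds[p % len(seeds)], PAGE)  # assumed: seed picked by page index
        page = raw[p * PAGE:(p + 1) * PAGE]
        out += bytes(a ^ b for a, b in zip(page, ks))
    return bytes(out)

def phase(seed, ref):
    """LFSR steps from state `ref` to state `seed`; both lie on the one full cycle."""
    state, n = ref & 0x7FFF, 0
    while state != seed & 0x7FFF:
        state, _ = step(state)
        n += 1
    return n

if __name__ == "__main__":
    seeds = [0x484F, 0x0001]                      # 0x484F is from the README; 0x0001 is constructed
    raw = bytes(range(256)) * 34 + b"\xff" * 100  # constructed: two pages plus 100 stray bytes
    once = scramble(raw, seeds)
    assert scramble(once, seeds) == raw[:2 * PAGE]   # the same operation undoes itself
    print(len(once) // PAGE, "pages; 0x484F is", phase(0x484F, 0x0001), "bits after 0x0001")
```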
Corrects bit errors in NAND dumps with 4K pagesize pulled from Mediatek's MT8167 family of SoCs with hardware ECC engine.
(Actually tested on a flash dump of an MT8516B only. But it's quite likely that the whole family of SoCs based on the MT8167 use the same hardware ECC module.)
NFI's nandtool has been an invaluable tool for guessing/prototyping the BCH parameters used.
For my goal it was a bit of overkill though as my entire flash dump used the same ECC parameters.
Also I found nandtool had a few drawbacks:
- Linux-only due to extensive use of FUSE
- it cannot be run as part of a unix pipeline
- it has multiple library dependencies whereas the only one required for the task is bchlib
bchlib:
$ pip install --user --break-system-packages bchlib
(please note this requires a basic C build environment to be installed; also better use venv)