IS918 XOR

IS918 XOR


One of the most persistent challenges when working with IS918 flash microcontrollers is that each device uses a unique, non-static XOR key. Traditional workflows struggle because the extracted XOR key cannot be validated or corrected—ECC processing occurs after the XOR scrambler in the data chain, so any error in the key remains undetected. To make matters even more complex, the controller’s spare area is also scrambled, further hindering reliable data recovery and analysis. With this element, Visual NAND Reconstructor users can seamlessly find, verify, and apply XOR keys on IS918-based flash dumps, simplifying workflows of data recovery. The element handles key validation and spare-area descrambling behind the scenes, delivering reliable results with minimal user intervention.


Picture 01 - Device with IS918 controller. 


How to Use the IS918 XOR Element

To find the page layout, you must first locate a data block.

To do this, open the physical image, select “Highlight Blocks” in the Bitmap Viewer Mode, and scroll to find a block containing data. Before XOR operation, the data typically looks like random noise.

Then, left-click in the middle of the data block.



Picture 02 – The Data Block


To place the pointer at the beginning of the block, switch to Navigation Mode, set the block size, and use the arrow with border to jump up or down to the start of the block.



Picture 03 – Navigation Options: Setting Block Size and Jumping by Entire Areas


Picture 04 – Pointer at the Beginning of the Data Block


When the pointer is at the beginning of the data block, go to the Workspace, select the physical image, and click "Extract" in the Offsets toolbar.



Picture 05 – Extract Option


In the "Extract Area" window, the Start Address is the position of the pointer in the dump. To extract one data block, set the "Length" to match the block size. To do this, click the dropdown arrow and select “Set Block Size.”



Picture 06 – Extracting a Data Block


Once the block with data has been extracted, it will be used as a temporary XOR key. While it won’t be the final key, this step helps determine the page layout, which is necessary to generate the correct XOR key.



Picture 07 – Extracted Block Used as XOR


Next, open the XOR key element and locate the data with patterns and a visible SA (spare area) at the 1024-byte position.



Picture 08 – Position of the First SA


In all IS918 devices, the page layout starts with two 512-byte data sectors.

It’s important to add them separately: first from 0 to 511, then from 512 to 1023.



Picture 09 – Adding First Data Area


After the two 512-byte data sectors, there are always 4 bytes of SA.



Picture 10 – Data Areas and First SA in the First Codeword


The next step is to determine the ECC size.
The structure of codewords in IS918 is static, so place the pointer on the first byte after the SA—this will be byte 1028.
To identify this byte more clearly, enlarge the Bitmap Viewer using Ctrl + mouse scroll up. The Yellow and orange rectangles indicate byte-size borders. Rectangle line contains 8 bits (8 grey or white squares). One square equals one bit.
To mark the byte position, place the pointer in the middle of the byte.



Picture 11 – One Byte Width in Bitmap


Next, scroll to the right. Between positions 1100 and 1150, you should find the second SA.
To measure the distance between the first and second SA, place a second pointer on the last byte before the second SA—on the same line as the first pointer.
To do this, press Shift and right-click on the last byte before the second SA.
Holding Shift ensures the pointer stays on the same line regardless of click position. The key is the byte position.

In this way, we determine that the distance between the first and second SA is 1136 bytes:



Picture 12 – Distance Between First and Second SA


Now we can calculate the ECC size.
Between the two SA positions, there is one ECC area and two 512-byte data areas (1024 bytes total).
So, 1136 - 1024 = 112 bytes of ECC.

Now, it’s possible to add the ECC area after the first SA:



Picture 13 – Final Structure of the First Codeword (Including ECC)


There are 16 codewords in total, all static within one page.
So there’s no need to add every structure manually.

You can mark the first codeword by clicking the first data area (left mouse button), then Shift + left-click on the ECC area to select all structures in the first codeword:



Picture 14 – Marked Structures of the First Codeword


When the first codeword is selected, right-click on the marked area and choose “Copy ”:



Picture 15 – Copying Structures to Clipboard


Now, select an undefined area, right-click, and choose “Paste till End of Page”:



Picture 16 – Pasting Structures from Clipboard


To verify the correctness of the page layout, check a few SA positions. If they align correctly, you can proceed to the next step.



Picture 17 – Last SA Position in Page Layout


When the page layout is fully defined:
Go to the Workspace, select the XOR element with the page layout (left-click), then right-click and choose “Copy Structure to Buffer.”



Picture 18 – Copying Structure to Buffer


Next, left-click on the physical image, right-click, and select “Paste Structure from Buffer.”



Picture 19 – Pasting Structure from Buffer


Once the page layout is applied to the physical image, connect the IS918 XOR element and run the XOR key synthesis.



Picture 20 – IS918 XOR


Picture 21 – XOR Synthesis Process


Picture 22 – De-XORed Dump via IS918 XOR Element


If the XOR is correctly added, the ECC codewords can be identified.



Picture 23 – Selecting Innostor Vendor to Speed Up ECC Detection


Picture 24 – Selecting the Correct ECC


Once the XOR key is correctly found and ECC is functioning, you can re-read the dump and remove bit errors.



Picture 25 – ECC Map


Conclusion

Using the AI XOR IS918 element effectively requires a methodical approach—starting from identifying the data block, extracting a sample XOR, defining the page layout, and finally running the XOR synthesis. Following this process ensures accurate layout identification and successful error correction. With a valid ECC structure and a proper XOR key, you can significantly improve data readability and recovery precision.

Thank you for reading! — Lukasz Pietrzykowski, Rusolut Team
    • Related Articles

    • Phison dynamic XOR

      Majority of NAND memory devices that use scrambling algorithms generate their XOR keys statically. When a user writes new data to the NAND chip, the controller transforms this data with the XOR key that is generated every time with the same binary. ...
    • VNR Silicon Motion AI XOR

      When you work with devices based on modern Silicon Motion controllers, it is essential to separate a dump by planes. Before separating the planes, it's necessary to determine how many planes exist per crystal/dump. There are two methods to verify the ...
    • VNR File Assembler

      NAND controllers write data to memory chips by logical blocks in mixed order. Therefore, recovering files from such mixed dumps would fail as files may begin in one block and continue in another that is located somewhere else, not necessarily after. ...
    • XOR transformation

      Scrambling (XOR) Modern Flash controllers utilize scrambling algorithms when recording data into flash memory. A typical scrambler implementation is based on the method where the special scrambling (XOR) key is generated by a controller and mixed ...
    • Chipsbank(CBM) Adaptive XOR

      Majority of NAND controllers which we can find in removable flash devices are using simple static XOR keys. Except the controllers which are using dynamic XOR keys there are also Chipsbank controllers which are using sophisticated adaptive scrambling ...