Majority of NAND memory devices that use scrambling algorithms generate their XOR keys statically. When a user writes new data to the NAND chip, the controller transforms this data with the XOR key that is generated every time with the same binary.
There are also scramblers that generate different XOR keys each time when the controller writes new blocks of data to the NAND memory. This type of keys is dynamic and there is no possibility to extract it from the dump, unlike static keys. This article will explain how to recognize and remove the scrambling effect from the devices equipped with Phison controllers that use dynamically generated XOR keys.
Usually, devices that use Phison dynamic XOR are monolithic cards, like microSD and SD. So it's not possible to read the controller name. Therefore, first of all, it is necessary to make sure that the device is using the Phison controller. There are a few possibilities to detect this:
- Page structure - traditional Phison page structure could be found in the Bitmap viewer.
- ECC - autodetected codeword shows the controller model name, so the controller vendor may be detected.
Following the traditional NAND data recovery process next step, after the ECC, would be the XOR transformation elimination. But when a device uses the dynamic key, the XOR analyzer will not display positive results. In such situations when dealing with the Phison controller it is necessary to check whether the device uses the dynamic key.
Phison controllers, that use dynamic XOR, generate keys individually for each virtual block.
As a result, every virtual block has a different XOR key and their
size will be equal to one virtual block. Therefore to remove the XOR effect it is necessary to determine virtual block size first.
The virtual block size may be equal to the physical block size or may be 2 or 4 times bigger if the controller used multi plane page allocation mode (for more details please check the article Multi plane page allocation). Once memory chip has been read, VNR takes virtual block size value from the memory chip configuration which has the size of the physical block usually. So it's necessary to check either the virtual block size is set correct (equal to the physical block size), or it must be adjusted (if it's 2 or 4 times bigger).
“Highlight block” function from the Bitmap viewer may help. This function shows the predefined borders of the virtual blocks. Real borders of the virtual blocks may be seen in the service area where LBN changes value. So the task comes to the checking either highlighted borders (predefined virtual block size) are set correctly (equal to the real borders), or it should be adjusted (highlighted borders do not match to the LBN change borders).”
"Highlight blocks" is available in the Bitmap viewer tab.
This example presents a situation when Virtual block size is set correctly (equal to the physical block) because each highlighted Block has a different LBN in the Service area.
In this example, two Highlighted blocks have the same LBN. It means that predefined Virtual block size has to be doubled.
There are also situations, especially in the case of Phison controllers, that physical blocks of the first plane
have the LBN in the Service area, like on the picture below. This situation also indicates that the predefined Virtual block size has to be doubled.
When Virtual block size has been determined and
it differs from the predefined,
it is necessary to assign a new block size, in the Structure menu. To do that click on '
Next, click on Block structure and edit it.
Now predefined value (physical block size) should be changed to the correct one.
When block size is changed it is necessary to assign a Dump structure once again. Click on Undefined area and assign Blocks and Pages.
To check results it is necessary to go to the first Service area and use
function. Two physical blocks should be highlighted as one, like on the example below.
If two physical blocks are highlighted as one, it means that virtual block size has been set properly.
When virtual block size has been found and set, the XOR key should be found and applied
in the next step
Phison dynamic XOR is made by conjunction of Static key and Dynamic key which is different in every Virtual block.
To unXOR data at first is necessary to remove the influence of Dynamic key from virtual blocks. To do that connect '
Phison dynamic XOR
' element to source dump element.
In the second step, the Static key should be found, and this action can be performed with the XOR analyzer tool.
It is important to tick
Skip empty areas
checkbox on the
Phison dynamic XOR
efore opening the XOR analyzer
, otherwise, it will be impossible to detect the static key.
After that XOR auto-detection can be launched.
When the static key has been found it is necessary to apply it.