Android Hardware Reverse Engineering

RE Lab: Bypassing Android Security with Raw NAND Flash Access and ECC Reconstruction

By Antigravity Research Published May 30, 2026 ⏱️ 6 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction: The Deep Dive into Android’s Core Storage

Modern Android devices leverage sophisticated security mechanisms, making traditional software-based exploitation increasingly difficult. However, the physical layer often holds the keys to bypassing these defenses. One of the most powerful techniques in hardware reverse engineering involves direct access to the device’s NAND flash memory. This article delves into the intricacies of directly dumping raw NAND flash, a process that bypasses the Flash Translation Layer (FTL) and often the device’s operating system security. The real challenge, however, lies in understanding and correcting the Error Correcting Code (ECC) necessary to transform unreadable raw data into coherent, usable information.

By mastering raw NAND access and ECC reconstruction, reverse engineers can uncover bootloaders, kernels, file systems, and even sensitive user data, providing an unparalleled view into the device’s inner workings, independent of its software state.

Understanding NAND Flash Architecture and Its Security Implications

NAND vs. Other Storage Technologies

NAND flash is the predominant non-volatile storage in Android devices due to its high density, low cost, and fast read/write speeds, making it ideal for large data storage. Unlike NOR flash, which allows byte-level random access and direct execution (XIP), NAND is block-oriented, requiring data to be read and written in pages and blocks. This architecture necessitates a Flash Translation Layer (FTL) to manage wear leveling, bad block management, and present a logical block interface to the operating system.

The Flash Translation Layer (FTL) and Direct Access

The FTL acts as a crucial abstraction layer, translating logical block addresses from the OS into physical addresses on the NAND chip. This layer hides the complexities and physical imperfections of NAND flash, such as bad blocks and erase cycles. When you bypass the FTL by directly dumping the raw NAND, you gain access to the physical layout of data, including all metadata, erased blocks, and potentially remnants of previously deleted data. This direct access is invaluable for forensic analysis and deeper reverse engineering, as it circumvents any software-based encryption or access controls that rely on the FTL or operating system.

The Ubiquitous ECC: Friend and Foe

A critical characteristic of NAND flash is its inherent susceptibility to bit errors. Over time, or due to manufacturing imperfections, single-bit or multi-bit errors can occur during read operations. To counteract this, NAND controllers employ Error Correcting Code (ECC) algorithms. These codes add redundant information (parity bits) to each data chunk (typically 512 bytes or 1KB) stored in an Out-Of-Band (OOB) or spare area of each page. While ECC ensures data integrity during normal operation, it becomes a hurdle when performing raw dumps. A raw dump will include this ECC data, and without proper correction, the primary data blocks will contain uncorrected errors, rendering the entire dump unusable.

Physical Access: Extracting the Raw NAND Dump

The first step in raw NAND analysis is obtaining the physical data dump. This involves carefully disassembling the device and using specialized hardware.

Device Disassembly and Chip Identification

Accessing the NAND chip requires careful disassembly. Here’s a general approach:

  1. Step 1: Open the Device: Carefully use spudgers and heat guns (if adhesive is present) to open the device casing without damaging internal components or ribbon cables.
  2. Step 2: Locate the NAND Chip: On the mainboard, identify the NAND flash chip. It’s often a square or rectangular BGA (Ball Grid Array) package, typically labeled with manufacturer names like Samsung, SK Hynix, Micron, or Kioxia (formerly Toshiba), and a part number indicating its capacity. For older devices, it might be a TSOP package. While many modern Android devices use eMMC or UFS (which integrate controller and NAND), this tutorial focuses on raw NAND chips found in some devices or specific components.
  3. Step 3: Desoldering: Using a hot air rework station and appropriate flux, carefully desolder the NAND chip from the PCB. Precision and temperature control are crucial to prevent damage to the chip or surrounding components. Once desoldered, clean the pads on the chip and the PCB.

Reading the Raw Data with a NAND Programmer

After isolating the NAND chip, a dedicated NAND programmer is required to interface with it. These programmers are designed to read raw data directly from the chip’s pins, bypassing any on-board controllers or security features. Connect the desoldered chip to the programmer’s adapter (e.g., BGA socket) and use the programmer’s software to initiate a raw dump.

# Example command for a generic NAND programmer (conceptual) to dump 8GB raw data: nand_programmer --read /dev/sg0 --chip-id 0xXXXX --interface ONFI --size 8GB --output raw_nand_dump.bin

This command instructs the programmer to read the entire chip, specifying the interface (e.g., ONFI for Open NAND Flash Interface), size, and output file. The resulting raw_nand_dump.bin file will contain the raw page data interleaved with OOB data, including the uncorrected ECC bytes.

Reconstructing Data: The Art of ECC Correction

What is ECC and Why is it Necessary?

As discussed, ECC is essential for NAND’s reliability. Each page of NAND data is typically divided into smaller data chunks (e.g., 512 bytes). For each chunk, a set of ECC bytes is generated and stored in the page’s OOB area. When the data is read, the ECC algorithm re-calculates the parity bits and compares them to the stored ECC bytes. If they don’t match, the algorithm attempts to correct the errors based on its strength (e.g., correcting up to 8 bits per 512-byte chunk). Without applying this correction, the raw dump will be riddled with errors, rendering most data unreadable.

Identifying NAND Parameters for ECC Correction

The success of ECC reconstruction hinges on knowing the exact parameters of the NAND chip and its ECC implementation. These parameters are crucial:

  • Page Size: The primary data size of a single NAND page (e.g., 2KB, 4KB, 8KB).
  • OOB (Out-Of-Band) Size: The size of the spare area per page, where ECC and other metadata are stored (e.g., 64 bytes for a 2KB page, 224 bytes for a 4KB page).
  • ECC Chunk Size: The size of the data block to which ECC is applied (e.g., 512 bytes, 1KB).
  • ECC Bytes per Data Chunk: The number of ECC bytes generated for each data chunk.
  • ECC Algorithm and Strength: The specific algorithm (e.g., BCH, Reed-Solomon) and its correction capability (e.g., 8-bit ECC, 16-bit ECC). This is often the hardest to determine without datasheets or prior analysis.

These parameters are usually found in the NAND chip’s datasheet, through empirical analysis (e.g., by analyzing known good data and its OOB), or by reverse engineering the NAND controller firmware. They are critical; even a slight mismatch will result in incorrect corrections.

Implementing ECC Reconstruction (Conceptual Python Script)

The core of ECC reconstruction involves reading the raw dump page by page, separating data from OOB, extracting ECC bytes for each data chunk, and then applying the correct ECC algorithm to each chunk. This process is computationally intensive and requires precise handling of bit manipulation.

<code class=

        
        
        

            

                
            

            

                
Android Mobile Specs & Compare Directory

                
Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

                Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android Security #Data Recovery #ECC #NAND Flash #Reverse Engineering

Related Technical Guides

Unlocking Android: A Hardware Hacker’s Blueprint for ADB Sideloading in Forensics

May 30, 2026

DIY eMMC Programmer Build: Acquiring Data from Legacy Android Devices

May 30, 2026

Reverse Engineering Samsung Exynos Modem Firmware: A Case Study in Cellular Hacking

May 30, 2026