Jason Gin Reverse Engineers a SanDisk High Endurance microSD, Just to Discover the Flash Type

Electronics enthusiast Jason Gin has published an analysis, based on reverse engineering, of SanDisk's High Endurance microSDXC storage card — after the company refused to provide him with technical details he requested.

"I sent an email to SanDisk’s support team asking about what type of NAND flash they are using in their High Endurance line-up of cards, alongside endurance metrics like P/E (Program/Erase) cycle counts and total terabytes written (TBW)," Gin explains. "Unfortunately, the SanDisk support rep couldn’t provide a satisfactory answer to my questions, as they’re not able to provide any information that’s not listed in their public spec sheets. They said that all of their cards use MLC flash, which I guess is correct if you call TLC flash 3-bit MLC (which Samsung does)."

With no detail in the data sheet, no helpful information from the company itself, and a burning curiosity, Gin set about physically analyzing the cards — beginning with accessing the test pads. "With a bit of heat and some scraping, I was able to remove the (very brittle) coating on top of the test pads; this also removed the serial number which I believe is an anti-tamper measure by SanDisk."

"The breakout board is relatively simple in concept: for each test pad, bring out a wire that goes to a bigger test point for easier access, and wire up the normal SD bus to an SD connector to let the controller do its work with twiddling the NAND flash bus. Given how small each test pad is (and how many), things get a bit… messy."

The "messy" breakout board was created by using double-sided adhesive foam to fix the stripped microSD to a piece of perfboard; the pads were then tinned and soldered using 40-gauge magnet wire — 28 wires total — linked to machine-pin sockets on the board. An XTC 2 clip, originally developed for servicing Android smartphones, was used as an SD connector with flex cable and copper tape.

"The overall test pad pinout was the same for other microSD cards from SanDisk," Gin notes, "but there were some differences, primarily regarding the layout of the power pads; notably, the main power pins are backwards! This can destroy the card if you’re not careful when applying power. By sniffing the data bus at the DSLogic’s maximum speed (and using its 32 MB onboard buffer RAM), I was able to get a clear snapshot of the commands being sent to the NAND Flash from the controller during initialization."

Gin was then able to track two commands — RESET and READ ID - and from that determine the type of flash used. "Although not all byte values could be conclusively determined," Gin notes, "I was able to determine that the SanDisk High Endurance cards use BiCS3 3D TLC NAND flash, but at least it is 3D NAND which improves endurance dramatically compared to traditional/planar NAND."

Gin wasn't leaving the analysis there, though: The reverse engineering continued with an MSP430-powered system for confirming the flash ID and retrieving the JEDEC parameter page — though the latter proved useless, having been switched by SanDisk into a proprietary format. "I shouldn’t have to go this far in hardware reverse engineering to just ask a simple question of what Flash SanDisk used in their high endurance card," Gin concludes. "You’d think they would be proud to say they use 3D NAND for higher endurance and reliability, but I guess not!"

The full write-up is available on Gin's website, along with downloads for the logic captures as well as the Arduino sketch used to read the NAND ID and parameter data.