Difference between revisions of "NAND"

From The iPhone Wiki
(15 intermediate revisions by 10 users not shown)
Line 1: Line 1:
[[File:8GBflash.jpg|thumb|right|A NAND chip.]]
+
[[File:8GBflash.jpg|thumb|right|An 8&nbsp;GiB Samsung <code>KMCMN0000M-B998</code> NAND chip]]<!-- info: http://www.elnec.com/device/Samsung/KMAKG0000M-B998+%5BFBGA169%5D -->
'''NAND''', so called because of its use of [[wikipedia:NAND gate|not AND gates]], is a type of [[wikipedia:Flash memory|non-volatile memory chip]] that is used in all [[iDevice]]s. This chip is where all the ''storage'' (not memory) of the device is located. NAND chips can range anywhere from 4 GiB to 128 GiB.
+
'''NAND''', so called because of its use of [[wikipedia:NAND gate|NOT AND (NAND) gates]], is a type of [[wikipedia:Flash memory|non-volatile memory chip]] that is used in all [[iDevice]]s. This chip is where all the ''storage'' of the device is located. In the case of [[iOS]], the chips can range anywhere from 4&nbsp;GiB to 1&nbsp;TiB.
   
 
== Partitions ==
 
== Partitions ==
 
{{see also|/private/etc/fstab}}
 
{{see also|/private/etc/fstab}}
In the case of [[iOS]], it is split into two [[/private/etc/fstab|partitions]], a root partition ranging from 256(?) MiB to 1 GiB, and a user partition occupying the rest. The root partition is located first on the chip and is [[/sbin/mount|mounted]]<sup>[<nowiki/>[[wikipedia:mount (Unix)|WP]]<nowiki/>][<span class="plainlinks">[http://linux.die.net/man/8/mount man]</span>]</sup> to the [[/|root of the filesystem]] (<code>/</code>). The user partition is located after the root partition on the chip and is mounted to [[/private/var]].
+
Although the NAND houses two visible filesystems, it actually has more partitions, including: NVRM (the NVRam store), SCFG (system configuration), BOOT (iBoot + more) and others. The visible filesystems are in a partition called FSYS, and are further split into two [[/private/etc/fstab|partitions]], a root partition ranging from 256(?) MiB to ~2 GiB, and a user partition occupying the rest, by using the Lightweight Volume Manager (LwVM) or on iOS 10.3 and later on A7 and newer, the Apple File System driver (APFS). It is important to emphasize that these are LOGICAL rather than PHYSICAL partitions. The root partition is mounted to the [[/|root of the filesystem]] (<code>/</code>). The user partition is located after the root partition on the chip and is mounted to [[/private/var]].
 
=== Size of Partitions ===
 
=== Size of Partitions ===
 
The size of the root partition has varied throughout [[iOS]]'s history, while the user partition just fills the rest of the space of the NAND chip. Here is a comparison of the size of the root partition compared to iOS version:
 
The size of the root partition has varied throughout [[iOS]]'s history, while the user partition just fills the rest of the space of the NAND chip. Here is a comparison of the size of the root partition compared to iOS version:
 
* 256 MiB: ?<!-- did this even exist? -->
 
* 256 MiB: ?<!-- did this even exist? -->
* 512 MiB: ? - 4.0(?)
+
* 512 MiB: ? - 4.0
* 1024 MiB: 4.0(?) - present
+
* 1024 MiB: 4.0 - 8.0
  +
* 2048 MiB: 8.0 - present
   
 
== Jailbreaking ==
 
== Jailbreaking ==
{{see also|Jailbreak}}
+
{{main|Jailbreak}}
Jailbreaking, in it's simplest form, involves modifying [[/private/etc/fstab]] before being parsed by the [[kernelcache|kernel]] to mount the [[/|root partition]] as read-write (<code>rw</code>), as opposed to read-only (<code>ro</code>). The only use of a so called "bare-bones" jailbreak is a proof-of-concept. A semi known example (the only publicly disclosed) of a "bare-bones" jailbreak is the [[k66ap|Apple TV 2G]] from [[Mojave 8M89 (Apple TV 2G)|4.0]] (4.1) to [[Jasper 8C150 (Apple TV 2G)|4.1]] (4.2).
+
Jailbreaking, in it's simplest form, involves modifying [[/private/etc/fstab]] before being parsed by the [[kernelcache|kernel]] to mount the [[/|root partition]] as read-write (<code>rw</code>), as opposed to read-only (<code>ro</code>). The only use of a so called "bare-bones" jailbreak is a proof-of-concept. A semi known example (the only publicly disclosed) of a "bare-bones" jailbreak is the [[K66AP|Apple TV (2nd generation)]] from [[Mojave 8M89 (AppleTV2,1)|4.0]] (4.1) to [[Jasper 8C150 (AppleTV2,1)|4.1]] (4.2). Not all jailbreak payloads modify [[/private/etc/fstab]], some of them remount the [[/|root partition]] manually.
   
 
== Data Layout ==
 
== Data Layout ==
 
As NAND chips are not hard drives, their "sector" sizes are different than that of a typical hard drive. In fact, they aren't even called sectors, but instead called a "page".
 
As NAND chips are not hard drives, their "sector" sizes are different than that of a typical hard drive. In fact, they aren't even called sectors, but instead called a "page".
   
The difference between a page and a sector is that a [modern] hard drive sector contains either 512 or 4096 bytes of data with anywhere from roughly 30 to 250 bytes of [[Error detection and correction|error correction code]] (ECC) data, while a page contains 8192 bytes of data and **no** ECC. ECC is most likely not used as flash memory uses transistors, which are more reliable than magnetism to store data. It has, however, been [http://www.micron.com/~/media/Documents/Products/Software%20Article/SWNL_implementing_ecc.pdf proposed to implement ECC in flash memory] as the smaller [[wikipedia:Semiconductor device fabrication|fabrication process]] has shrunk to the width of about [[wikipedia:22 nanometer|150]] helium atoms (<code>.14 nm</code>).
+
The difference between a page and a sector is that a ''modern'' hard drive sector contains either 512 or 4096 bytes of data with anywhere from roughly 30 to 250 bytes of [[wikipedia:Error detection and correction|error correction code]] (ECC) data, while a page contains 8192 bytes of data and ''no'' ECC. ECC is most likely not used as flash memory uses transistors, which are more reliable than magnetism to store data. It has, however, been [http://www.micron.com/~/media/Documents/Products/Software%20Article/SWNL_implementing_ecc.pdf proposed to implement ECC in flash memory] as the smaller [[wikipedia:Semiconductor device fabrication|fabrication process]] has shrunk to the width of about [[wikipedia:22 nanometer|150]] helium atoms (<code>.14 nm</code>, or <code>22 nm</code> total).
   
The next level up from a page is a block which is a collection of 128 pages. A block can be compared to a 4K sector hard drive that emulates 512 byte sectors.
+
The next level up from a page is a block which is a collection of 128 pages (1&nbsp;MiB). A block can be compared to a 4K sector hard drive that emulates 512 byte sectors.
   
The layout of an 8 GiB chip containing [[iOS]] has been documented by [[CPICH]]. He [https://twitter.com/cpich3g/status/15966288660660224 notes] that the document is an [[iPhone 4]], but it could easily be adapted to any other [[iDevice|device]] or [[Firmware|firmware version]]. He uploaded the document [http://freepdfhosting.com/29256fdff9.pdf FreePDFHosting]<sup>[dead]</sup>, but it was later removed after 30 days as per [http://freepdfhosting.com/faq.php their policy]. The document was later thumbnailed by [[User:MuscleNerd|MuscleNerd]] and uploaded here:
+
The layout of an 8 GiB chip containing [[iOS]] has been documented by [[CPICH]]. He [https://twitter.com/cpich3g/status/15966288660660224 notes] that an [[iPhone 4]] is documented, but it could easily be adapted to any other device or [[firmware]]. He uploaded the document to [http://freepdfhosting.com/29256fdff9.pdf FreePDFHosting], but it was later removed after 30 days as per their policy. [[User:MuscleNerd|MuscleNerd]] rasterized the document's pages and uploaded the images here:
 
<gallery>
 
<gallery>
 
File:N1.png|Page 1
 
File:N1.png|Page 1
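Review bot: In the rewritten Partitions paragraph, the retained sentence "The user partition is located after the root partition on the chip" contradicts the new statement that these are LOGICAL rather than PHYSICAL partitions. The matching "located first on the chip" sentence was dropped for the root partition, so drop or reword this one the same way. The new Jailbreaking text also keeps "in it's simplest form" (should be "its"), and the added sentence "Not all jailbreak payloads modify [[/private/etc/fstab]], some of them remount ..." is a comma splice that should be split or joined with a semicolon.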
Line 36: Line 37:
   
 
== External Links ==
 
== External Links ==
* [http://freepdfhosting.com/29256fdff9.pdf NAND Layout of iPhone 4]<sup>{{man|VERSION}}{{man|DEAD}}</sup> documented by [[CPICH]]
+
* [https://web.archive.org/web/20110124110405/http://freepdfhosting.com/29256fdff9.pdf NAND Layout of iPhone 4] documented by [[CPICH]]
* [http://esec-lab.sogeti.com/ SOGETI ESEC-Labs] on the [http://esec-lab.sogeti.com/dotclear/public/publications/11-hitbamsterdam-iphonedataprotection.pdf encryption of iOS devices]
+
* [http://esec-lab.sogeti.com/ SOGETI ESEC-Labs] on the [http://esec-lab.sogeti.com/static/publications/11-hitbamsterdam-iphonedataprotection.pdf encryption of iOS devices]
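Review bot: The SOGETI PDF link on the last line was only repointed from dotclear/public/publications to static/publications on the same host, while the CPICH link above it had to be replaced with a web.archive.org snapshot once the original was gone. Link an archived copy of the SOGETI PDF as well, so the reference survives the next reorganisation of that site.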

Latest revision as of 22:10, 18 December 2019

An 8 GiB Samsung KMCMN0000M-B998 NAND chip

NAND, so called because of its use of NOT AND (NAND) gates, is a type of non-volatile memory chip that is used in all iDevices. This chip is where all the storage of the device is located. In the case of iOS, the chips can range anywhere from 4 GiB to 1 TiB.

Partitions

Although the NAND houses two visible filesystems, it actually has more partitions, including NVRM (the NVRam store), SCFG (system configuration), BOOT (iBoot + more) and others. The visible filesystems are in a partition called FSYS, which is further split into two partitions, a root partition ranging from 256(?) MiB to ~2 GiB and a user partition occupying the rest, by the Lightweight Volume Manager (LwVM) or, on iOS 10.3 and later on A7 and newer, the Apple File System driver (APFS). It is important to emphasize that these are LOGICAL rather than PHYSICAL partitions. The root partition is mounted to the root of the filesystem (/). The user partition is located after the root partition on the chip and is mounted to /private/var.

Size of Partitions

The size of the root partition has varied throughout iOS's history, while the user partition just fills the rest of the space of the NAND chip. Here is the size of the root partition by iOS version:

  • 256 MiB: ?
  • 512 MiB: ? - 4.0
  • 1024 MiB: 4.0 - 8.0
  • 2048 MiB: 8.0 - present

Jailbreaking

Main article: Jailbreak

Jailbreaking, in its simplest form, involves modifying /private/etc/fstab before it is parsed by the kernel to mount the root partition as read-write (rw), as opposed to read-only (ro). The only use of a so-called "bare-bones" jailbreak is as a proof of concept. A semi-known example (the only publicly disclosed one) of a "bare-bones" jailbreak is the Apple TV (2nd generation) from 4.0 (4.1) to 4.1 (4.2). Not all jailbreak payloads modify /private/etc/fstab; some of them remount the root partition manually.
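
An integrity check built on the paragraph above, added here as an example and not taken from the wiki or any tool it describes: it flags a root entry declared rw in fstab and, because some payloads remount without touching fstab, also checks the live mount table. It assumes the six-field BSD fstab layout and BSD-style `mount` output; the sample text and all function names are constructed for illustration.

```python
import re

# Constructed sample inputs (assumed BSD fstab and `mount` output formats).
STOCK_FSTAB = "/dev/disk0s1 / hfs ro 0 1\n/dev/disk0s2 /private/var hfs rw,nosuid,nodev 0 2\n"
MODIFIED_FSTAB = "/dev/disk0s1 / hfs rw 0 1\n/dev/disk0s2 /private/var hfs rw,nosuid,nodev 0 2\n"
STOCK_MOUNT = "/dev/disk0s1 on / (hfs, local, read-only, journaled, noatime)\n"
REMOUNTED_MOUNT = "/dev/disk0s1 on / (hfs, local, journaled, noatime)\n"

MOUNT_RE = re.compile(r"^(\S+) on (\S+) \(([^)]*)\)$")

def fstab_options(fstab_text, mount_point="/"):
    """Return the set of options fstab declares for mount_point, or None."""
    for line in fstab_text.splitlines():
        fields = line.split("#", 1)[0].split()
        # Fields: device, mount point, fs type, options, dump, pass
        if len(fields) >= 4 and fields[1] == mount_point:
            return set(fields[3].split(","))
    return None

def live_flags(mount_output, mount_point="/"):
    """Return the flag set `mount` reports for mount_point, or None."""
    for line in mount_output.splitlines():
        m = MOUNT_RE.match(line.strip())
        if m and m.group(2) == mount_point:
            return {flag.strip() for flag in m.group(3).split(",")}
    return None

def audit_root(fstab_text, mount_output):
    """List findings about the writability of the root partition."""
    findings = []
    opts = fstab_options(fstab_text)
    flags = live_flags(mount_output)
    if opts is None:
        findings.append("fstab has no entry for /")
    elif "rw" in opts:
        findings.append("fstab mounts / read-write")
    # A manual remount leaves fstab untouched, so check the live state too.
    if flags is None:
        findings.append("/ not found in mount output")
    elif "read-only" not in flags:
        findings.append("/ is currently mounted read-write")
    return findings

if __name__ == "__main__":
    print(audit_root(STOCK_FSTAB, REMOUNTED_MOUNT))
```
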

Data Layout

As NAND chips are not hard drives, their "sector" sizes differ from those of a typical hard drive. In fact, the units aren't even called sectors; each one is called a "page".

The difference between a page and a sector is that a modern hard drive sector contains either 512 or 4096 bytes of data with anywhere from roughly 30 to 250 bytes of error correction code (ECC) data, while a page contains 8192 bytes of data and no ECC. ECC is most likely not used as flash memory uses transistors, which are more reliable than magnetism to store data. It has, however, been proposed to implement ECC in flash memory as the smaller fabrication process has shrunk to the width of about 150 helium atoms (.14 nm, or 22 nm total).

The next level up from a page is a block, which is a collection of 128 pages (1 MiB). A block can be compared to a 4K-sector hard drive that emulates 512-byte sectors.

The layout of an 8 GiB chip containing iOS has been documented by CPICH. He notes that an iPhone 4 is documented, but it could easily be adapted to any other device or firmware. He uploaded the document to FreePDFHosting, but it was later removed after 30 days as per their policy. MuscleNerd rasterized the document's pages and uploaded the images here:

See Also

External Links