Best way to make a TSOP NAND / interposer for signal interception?

[abraxa]

Hello forum,

I have a device with some memory chips whose communication I want to intercept and manipulate:

- 2x SDRAM: TSOP54 with 0.8mm pin spacing
- NAND: TSOP48 with 0.5mm pin spacing

Picture is attached.

Some things I've thought of:

- Removing the ICs and re-attaching them to a custom PCM using individual wires is a non-starter because of pitch and pin count
- I couldn't find any TSOP interposer PCBs that can be plugged into a regular TSOP 48/54 footprint
- I couldn't find any flex PCBs that have a TSOP footprint on one side and a row of pins on the other but to me, this seems to be the most sensible approach
- Edge-connector PCBs like https://www.geekfactory.mx/wp-content/uploads/2020/08/RAD0043.jpg as an interposer would be cheapest but probably won't work because the pin spacing is too small, or am I wrong?

Do you have any thoughts or additional ideas on how I can achieve this?

As a last resort, I could also access the ICs using the address/data buses by using a TSOP "hat" and keeping the attached CPU in reset while hoping that it floats the GPIOs. However, I don't know if it actually does this, so I'm not too keen on trying this out and killing the CPU GPIOs in the process.

[DavidAlfa]

Nope, was checking at jlcpcb, castellated holes are 0.6mm min...

I remember using the clip 360 for modding the PS3. It's still available. It's a female socket you put on top if the nor flash.
Not cheap, but simple:
https://a.aliexpress.com/_uwHiGi


There're nand and nor versions, don't buy the wrong one! Check the socket, if there're unpopulated pins, it's for the nand...

Another cheap way would be to solder small fpc connectors to each side of the flash:


There're cheap fpc breakout boards in AliExpress.
https://a.aliexpress.com/_uxLiJu


There're also some crazy ideas...

[abraxa]

I appreciate your suggestions but that hat would only work to observe the signals, not intercept and modify them.

The FPC connector idea is intriguing but unfortunately, there's not enough space

[abyrvalg]

Define “modify” more precisely. To spoof the NAND output data it would be enough to lift and mux nRE pin, the rest of the bus could be in parallel. To modify just a couple of bits at precise address a strong parallel overdrive would be ok (NAND will survive it, many “modchips” do that). To prevent some write/erase from happening muxing the nWR should do the job. But to modify the input data you’ll need to mux entire data bus. Depending on the complexity of interventions it could be even worth doing something like disconnecting the NAND completely and emulating it (i.e. by connecting the bus to a Cypress FX2/FX3 GPIF and bridging it to PC).

[abraxa]

Thanks for your response. My goal is to to be able to monitor reads and also write into the RAM/Flash independent of the CPU. However, I can't prevent the CPU from randomly accessing the parallel bus when it's running, so performing a direct write to the bus can easily create a collision. This is why disconnecting nRE/nWR unfortunately won't be sufficient.

I should also note that the bus isn't only used by the CPU, RAM and Flash as there are also other ICs sharing the address/data lines: two more slaves and another bus master.

> it could be even worth doing something like disconnecting the NAND completely

That's what I'm trying to do but I'm looking for solutions on how to connect with the PCB footprint.

[abyrvalg]

I mean if the "active" part of your intervention is to make the CPU read some other data than real NAND content then all you need is to monitor the bus passively to detect the read of the page you want to modify, then redirect nRE from the original NAND to your spoofing data source (FPGA? another NAND in parallel? 74xx buffer?) that will output the data to the same D0-7 bus. There will be no collision in this case - from CPU’s point of view the D0-7 time is alotted to NAND, but you’ve tristated it by muxing the nRE away from it to your source, so you can drive D0-7.
But if you want to study the comms passively to find out i.e. where is some config bit telling the thing to work "the wrong way" and rewrite it later - no need to mux at all, capture the bus passively first, then hold the CPU in reset and do the write. For example, so called "ISP eMMC programmers" even don’t use hold in reset, they just disrupt the CPU boot at power on (by overdriving the bus to invalid values shortly) so the CPU aborts the boot, stops accessing the eMMC and releases the bus for them.
The generalized task looks quite complex, but particular details could simplify the life a lot.
Also the really used 8-bit NAND bus pin count is just 14, could be easier to just solder the magnet wire for a one-off project.