> Hi, > Thank you for your reply. > Flash is > HY27US(08/16)12(1/2)B Series > 512Mbit (64Mx8bit / 32Mx16bit) NAND Flash and you are probably right. > It seems to be a block structured device. >=20 > Further in a log I found out >=20 > BrcmNAND mfg ad 76 Hynix HY27US08121A (dream) 64MB This type of device seems to be widely used as the "disc" in embedded devic= es, and a lot of processor chips are designed to directly interface to them= .. Which brings me to a similar, but different request to what the OP on this = thread has, I have a device that has an embedded Linux running on a Sharp p= rocessor, using a NAND Flash chip similar to that listed above. There is a = dedicated touch panel LCD display for the application the device is designe= d for, and there is an Ethernet port. The root user is locked down with a p= assword, and all updates are done by using a web browser, using the on-devi= ce web engine to download a file. I want to get access to the file system on this device, and the only way se= ems to be to break the root password, and the only way I can see to do that= is to remove the NAND chip, read its contents, and see if I can find the p= assword file, and work from there in dumping it to pass it through a cracke= r. However having followed this discussion I am wondering if there may poss= ibly be another way of getting into it with removing the chip. I haven't done a port scan to see what other ports may be open, but I belie= ve they are likely to be well tied down, as the first batch of these device= s had no root password set up, and this was realised by people, but later d= evices were tied down to limit access. Eventually the web page method was l= oaded (after passing the unit back to the factory for updates) so the updat= es could be applied in the field. Early versions that had no root password returned this ... Here is the output from cat /proc/cpuinfo. root@uclibc:/proc#cat cpuinfo Processor : ARM720T rev 3 (v4l) BogoMIPS : 37.99 Features : swp half thumb CPU implementer : 0x41 CPU architecture: 4T CPU variant : 0x00 CPU part : 0x720 CPU revision : 3 Hardware : ESU LH79525 Board Revision : 0000 Serial : 0000000006090501 And the disk information is=20 root@uclibc:~#df -k Filesystem 1k-blocks Used Available Use% Mounted on /dev/mtdblock0 16384 2620 13764 16% / tmpfs 15284 8 15276 0% /tmp root@uclibc:~# early units gave this as a port scan ... Port Scanning host: 10.0.1.4 Open TCP Port: 7 echo Open TCP Port: 13 daytime Open TCP Port: 21 ftp Open TCP Port: 23 telnet Open TCP Port: 37 time Port Scan has completed ... And apparently there was an update.sh script listed as well, although wheth= er that is still the method of updating is unknown. If anyone knows of a method of getting at the password file, it would be ni= ce to access it, without changing the root password that I want to find out= .. --=20 Scanned by iCritical. --=20 http://www.piclist.com PIC/SX FAQ & list archive View/change your membership options at http://mailman.mit.edu/mailman/listinfo/piclist .