NANDo-Board: the swiss-army-knife for your IoT hacking adventures

In my previous two blogposts about IoT and Hardware Hacking, were released two cool and quite useful toys: FocacciaBoard and BurtleinaBoard. If you do not remember or never read about them... here a quick reminder: 

With this new blog post I wanted to present you a new toy I created back in 2021 and that I can’t live without: NANDoBoard

This is the evolution of FocacciaBoard. Instead of a FT232H it mounts a FT2232HL chipset which doubles it capabilities. Now, in a single device you can have at the same time an UART and JTAG debuggers for example. Or even able to dump NAND flashes!


The FT2232H is a USB 2.0 Hi-Speed (480Mb/s) to Dual Channel Serial UART/FIFO/JTAG/SPI/I2C IC. It has the capability of being configured in a variety of industry standard serial or parallel interfaces. Building on the innovative features of the FT2232, the FT2232H has two multi-protocol synchronous serial engines (MPSSEs) which allow for communication using JTAG, I2C and SPI on two channels simultaneously.>

What that means for hardware hackers? With a single NANDoBoard you will be able to:

  • Debug through UART and JTAG/SWD ports AT THE SAME TIME!
  • Dump SPI memories
  • Dump NAND memories
  • Be able to sniff & decode packets

What you need to build your own NANDoBoard:

Before going through each feature and related command examples... let’s review what you need to build your own NANDoBoard:

  • This breakout is designed for the FT2232HL CJMCU board (e.g. )
  • The Pull-up Resistor is 470 Ohm. **
  • Screws to hold the PCB to the 3D-printed case are 2x6mm.
  • BE SURE to mount the FT2232HL with the FTDI chipset FACING UP!!!

**Please check the BOM.txt for the components needed. Most likely (except the R470 OHM 2010) you may have all you need already.

NANDoBoard Usage Examples:

 UART (Channel A) Usage Example:

Command to run the UART console feature: Configure minicom/putty/whatever-terminal-you-are-used-to (e.g.
screen /dev/ttyUSB0 115200
screen -L /dev/ttyUSB0 115200
screen -L -Logfile UART.log /dev/ttyUSB0 115200)

JTAG (Channel B) Usage Example:

Command to run the JTAG debugging feature:
sudo openocd -f NANDo-Board_JTAG_OpenOCD.cfg -f target_device.cfg

SWD (Channel B) Usage Example:

Command to run the SWD debugging feature (remember to move the SWD Enable switch on the PCB before using this feature!):

openocd -f NANDo-Board_SWD_OpenOCD.cfg -f target_device.cfg 

Here below you can see the wiring to get working at the same time UART on Ch.A and JTAG on Ch.B against a commercial CPE.


SPI Dumping (Channel B) Usage Example:

With this feature you will be able to use either the DIP8 socket with its related DIP-to-SOP8/16 sockets o the classic SOP8/16 Clip


Command to run the SPI dumping feature:
flashrom -p ft2232_spi:type=2232H,port=B -r firmware.bin 

Reminder: In case you need also to write a SPI flash... please do enable the WRITE PROTECT (WP) Jumper on the PCB (i.e. SPI WP Enable).

NAND Dumping Usage Example:

One of my favourite features of the FT2232HL is that has enough I/Os to allow us to communicate with NAND memories and thus dump them without buying expensive dedicated programmers.

Dump Raw Image: -r -f nand_raw_dump_withOOB.bin 

Remove OOB Data:
python -i nand_raw_dump_withOOB.bin -o nand_raw_dump_cleaned.bin --page-size 2048 --oob-size 64 --layout separate


python -i nand_raw_dump_withOOB.bin --layout=guess -I <ID-CODE-HERE> -o nand_raw_dump_cleaned.bin 

In the image below you can see an example of On-PCB NAND dumping with NANDoBoard and a 360Clip!


Of course, you could always chip-off the PCB with a hot-airgun/reflow station and place the NAND onto a TSOP48 connector directly on the NANDoBoard!

Logic Analyzer with Pulseview Usage Example:

Another cool feature that brings the FT2232HL to you is the fact that it can be used as a Logic Analyzer. I know... is lightyears away from a reliable LA... but still... does it dirty job with slow signals.

The strip pins AD0-AD7 labeled "Pulseview FTDI-LA" can be used as low-frequency Logic Analyzer Channels with Pulseview/Sigrok tool. Here the configuration you have to select in Pulseview once you plug the NANDoBoard into your PC:


An example of how still works fine, despite its limited capabilities, can be seen in the images below where it is possible to retrive the Masterkey of a hardware password manager while sniffing the SPI bus at boot time!


Here the SPI traffic dumps comparision between our NANDoBoard with Pulseview Vs a Logic Saleae. Both were able to succesfully dump and decode the SPI traffic and if you look closer you can even see what was the Masterkey of the hardware password manager under test. 8)


Multipurpose Pin Headers/Sockets

Finally, as for the FocacciaBoard... I wanted to add some pin headers/sockets that are not connected with the FT2232HL (i.e. on the lower-left part of NANDo-Board's PCB). They are there just in case you need to mess-up with many flying-wires and you want to keep all connections clean and in order like with an usual breadboard, but with screw-down terminal blocks & co.


Overall, NANDoBoard is far from being perfect, as usually I kept away messing with multi-level shifters and making this device compatible with targets having working voltages different from 3.3V. But for average needs it is all you need to hack common hardware and IoT devices!

If you reached reading so far, I salute you! Here the repo where you can get the usual Gerbers, BoM and STL to print its case:

Finally, stay tuned for upcoming hacking toys at

WHID's Trainings

The Offensive Hardware Hacking Training is a Self-Paced training including Videos, a printed Workbook and a cool Hardware Hacking Kit. And… you get everything shipped home Worldwide!
For more info… ➡