DRAM address mapping remains a black-box abstraction, hindering accurate memory behavior modeling and limiting the precision of RowHammer attacks. To address this, we propose the first fully software-based, automated timing side-channel analysis framework. Leveraging intrinsic DRAM refresh timing and latency variations under consecutive accesses as side-channel signals, our approach integrates refresh modeling, differential latency measurement, constraint solving, and bit-level positioning algorithms. This enables, for the first time, end-to-end decomposition of physical address mappings—precisely identifying bit-level allocations for channel, rank, bank group, bank, row, and column within the physical address space. We validate the framework on state-of-the-art Intel and AMD platforms, demonstrating robustness and accuracy. Our work establishes a reproducible, high-precision foundation for memory security analysis and controlled RowHammer experimentation.

Decomposing DRAM address mappings into component-level functions is critical for understanding memory behavior and enabling precise RowHammer attacks, yet existing reverse-engineering methods fall short. We introduce novel timing-based techniques leveraging DRAM refresh intervals and consecutive access latencies to infer component-specific functions. Based on this, we present Sudoku, the first software-based tool to automatically decompose full DRAM address mappings into channel, rank, bank group, and bank functions while identifying row and column bits. We validate Sudoku's effectiveness, successfully decomposing mappings on recent Intel and AMD processors.