eMMC sudden death research


Oranav

Senior Member
Oct 9, 2010
53
265
We are ready to test your theory ;) Please answer on AIM.
We have done a vendor boot size change with CMD62 on VYL00M:

Command 62 (ARG: 0xEFAC62EC)
Command 62 (ARG: 0x00CBAEA7)
Command 62 (ARG: bla bla)

But no "low-level wipe" happened.
If you're feeling adventurous, you can try a command (I found it during the firmware reversing) which should low-level format your chip:
CMD62 (ARG: 0xEFAC62EC)
CMD62 (ARG: 0xFAC0021)

Note that it will delete all the chip metadata (incl. wear leveling state and bad block info) and probably everything in it... Your responsibility :)
 

Product F(RED)

Senior Member
Sep 6, 2010
9,883
2,105
Brooklyn, NY
If you're feeling adventurous, you can try a command (I found it during the firmware reversing) which should low-level format your chip:
CMD62 (ARG: 0xEFAC62EC)
CMD62 (ARG: 0xFAC0021)

Note that it will delete all the chip metadata (incl. wear leveling state and bad block info) and probably everything in it... Your responsibility :)

This will also wipe your bootloader and partitions. I don't recommend it. Nothing short of a JTAG will fix it.

Sent from my SGH-i337 using Tapatalk
 

vim1

Senior Member
May 7, 2006
67
38
40
If you're feeling adventurous, you can try a command (I found it during the firmware reversing) which should low-level format your chip:
CMD62 (ARG: 0xEFAC62EC)
CMD62 (ARG: 0xFAC0021)

Note that it will delete all the chip metadata (incl. wear leveling state and bad block info) and probably everything in it... Your responsibility :)


It doesn't wipe any bad block info, because the state in the smart report didn't change ;) that's confirmed. The wipe erases regions: user, boot1, boot2, most probably RPMB, and also resets the ext_csd boot config and wipes the write protection flags.
 

Oranav

Senior Member
Oct 9, 2010
53
265
It doesn't wipe any bad block info, because the state in the smart report didn't change ;) that's confirmed. The wipe erases regions: user, boot1, boot2, most probably RPMB, and also resets the ext_csd boot config and wipes the write protection flags.
Cool... Did it fix SDS though?
If the smart report wasn't changed, I worry that it doesn't fix SDS.
 

vim1

Senior Member
May 7, 2006
67
38
40
Cool... Did it fix SDS though?
If the smart report wasn't changed, I worry that it doesn't fix SDS.

It doesn't fix SDS on fully bricked devices (eMMC name == 000000).
The reason is very simple: all of them have an early revision of the eMMC firmware and have no
factory reset command handler; anyway, even if they had it, it would not be enough.
We need to write custom code for accessing the internal NAND and recovering the wear leveling table. Is there some ARM6 guru? We can access the card even in fully dead mode.
One thing: we need to make custom code for EEPROM recovery.


Sent from my iPad using Tapatalk HD
 

Entropy512

Senior Recognized Developer
Aug 31, 2007
14,088
25,086
Owego, NY
Guys, sorry for going off topic, but can we replace the dead eMMC chip? My friend had SDS and he found a broken Note 2 with a working eMMC chip. Can it be replaced?

Not without special soldering equipment. I think Josh at MobileTechVideos did purchase such equipment. However I think some people are pretty close to being able to resurrect these with JTAG.
 

Mashed_Potatoes

Senior Member
Oct 26, 2012
738
127
Xiaomi 11T Pro
Not without special soldering equipment. I think Josh at MobileTechVideos did purchase such equipment. However I think some people are pretty close to being able to resurrect these with JTAG.

Well, he has been told that the repair would cost him 150 dollars minus the replacement eMMC chip.

Is that a rip-off? We've seen guys replace and solder the new eMMC in like 20 minutes on YouTube.
 

Product F(RED)

Senior Member
Sep 6, 2010
9,883
2,105
Brooklyn, NY
You guys are seriously better off just buying a new phone at this point if your phone is dead. It's just not worth it. Sell it for parts (the screen w/assembly alone will sell for around the cost of a new S3). Sell the SIM/MicroSD card reader combination. Sell the body of the phone. You might be able to sell the mobo for parts to someone who has experience. Just list it all on eBay and then buy yourselves a new phone with the money.
 

adfree

Senior Member
Jun 14, 2008
10,619
6,175
Samsung Galaxy Watch 4
Samsung Galaxy S22
Stupid question...

Has someone checked the Tizen stuff?

The RD-PQ test device has an I9300 PBA inside...
Not sure if it is a Live Demo Unit... but I9300A is visible on the label...

Maybe check out s-boot-mmc.bin, ca. 290 KB...
http://download.tizen.org/releases/system/

Sources for U-Boot are here:
ftp://ftp.denx.de/pub/u-boot/

For instance u-boot-2014.04-rc1.tar.bz2

There is a Samsung folder inside...
TRATS is S2 related...
TRATS2 is I9300 related...

I think RD-PQ is the 16 GB variant...
The partition table is inside u-boot-mmc.bin
Attached...
It is unsigned, or I have not seen a signature...

The retail I9300 ignored this PIT...
I think because of the missing signature...

Please, I am new to the I9300 :eek:
And I have only 1 damaged device with a damaged display, so I can't see anything, nor is touch working...
So I was not able yet to dump the first few bytes from the eMMC...

My obsolete knowledge about the 512 byte MBR + partition table... is from the S8500/I9000...

For instance the S8500 has 512 MB OneNAND and 1960 MB moviNAND... something similar to eMMC...

The OS stores additional info into this MBR...
Code:
2NDFORMATCOMPLETED
2NDRSTORECOMPLETED
PRODUCTCODEINVALID

If the NAND/header info is alive in the OneNAND...
instead of the text PRODUCTCODEINVALID a unique number is written...
sysinfo related...

I can not find an I9300 dump to compare.
Maybe someone can help me find a link, or maybe someone can upload the first 512 bytes for study, please.

Thanks in advance.

Best Regards
 

Attachments

  • Tizen_GPT_Ver08.extractedUNSIGNED.rar
    511 bytes · Views: 336

.NetRolller 3D

Senior Member
Jul 15, 2012
335
166
Budapest
I wonder if the previously mentioned eMMC low-level format command can be used to remove Knox from the i9305 (& possibly the i9505 as well)... ;)

EDIT: Suggested procedure:
-Make a full Nandroid of all accessible partitions (including EFS).
-Prepare SD card for bootloader repair. (Does this still work if the entire eMMC is wiped, or does some boot partition need to be preserved? If not, use JTAG.)
-Do a low-level format.
-Restore the bootloader from SD card or JTAG.
-Flash param.bin, and restore EFS, ROM and user data.
 

ryanbg

Inactive Recognized Developer
Jan 3, 2008
858
1,739
movr0.com
I wonder if the previously mentioned eMMC low-level format command can be used to remove Knox from the i9305 (& possibly the i9505 as well)... ;)

EDIT: Suggested procedure:
-Make a full Nandroid of all accessible partitions (including EFS).
-Prepare SD card for bootloader repair. (Does this still work if the entire eMMC is wiped, or does some boot partition need to be preserved? If not, use JTAG.)
-Do a low-level format.
-Restore the bootloader from SD card or JTAG.
-Flash param.bin, and restore EFS, ROM and user data.

I think this would work. SDC3 fuse is burned, so it should boot fine as long as the GPT and properly signed images/partitions are in place.
 

jerryspring

Senior Member
Feb 18, 2018
1,932
180
What does it mean when it says -104687000 bytes free? It shows that when I look at the phone on the PC. Does that mean an eMMC fail? Asking because ROMs won't flash to my Note 2; they are stuck in the boot animation.
 

Top Liked Posts

  • 53
    Update from Feb 17th:
    Samsung has started to upgrade eMMC firmwares in the field - only for GT-I9100 for now.
    See post #79 for additional details.

    Update from Feb 13th:
    If you want to dump the eMMC's RAM yourself, go ahead to post #72.
    I'm looking for a dump of firmware revision 0xf7 if you've got one.
    -----------------------


    Since it's very likely that the recent eMMC firmware patch by Samsung is their patch for the "sudden death" issue, it would be very nice to understand what is really going on there.

    According to a leaked moviNAND datasheet, it seems that MMC CMD62 is a vendor-specific command that moviNAND implements.
    If you issue CMD62(0xEFAC62EC), then CMD62(0xCCEE) - you can read a "Smart report". To exit this mode, issue CMD62(0xEFAC62EC), then CMD62(0xDECCEE).


    So what are they doing in their patch?

    1. Whenever an MMC is attached:
    a. If it is "VTU00M", revision 0xf1, they read a Smart report.
    b. The DWORD at Smart[324:328] represents a date (little-endian); if it is not 0x20120413, they don't patch the firmware. (Maybe only chips from 2012/04/13 are buggy?)
    2. If the chip is buggy, whenever an MMC is attached or the device is resumed:
    a. Issue CMD62(0xEFAC62EC) CMD62(0x10210000) to enter RAM write mode. Now you can write to RAM by issuing MMC_ERASE_GROUP_START(Address to write) MMC_ERASE_GROUP_END(Value to be written) MMC_ERASE(0).
    b. *(0x40300) = 10 B5 03 4A 90 47 00 28 00 D1 FE E7 10 BD 00 00 73 9D 05 00
    c. *(0x5C7EA) = E3 F7 89 FD
    d. Exit RAM write mode by issuing CMD62(0xEFAC62EC) CMD62(0xDECCEE).
    10 B5 looks like a common Thumb push (in ARM architecture). Disassembling the bytes that they write to 0x40300 yields the following code:
    Code:
    ROM:00040300                 PUSH    {R4,LR}
    ROM:00040302                 LDR     R2, =0x59D73
    ROM:00040304                 BLX     R2
    ROM:00040306                 CMP     R0, #0
    ROM:00040308                 BNE     locret_4030C
    ROM:0004030A
    ROM:0004030A loc_4030A                               ; CODE XREF: ROM:loc_4030Aj
    ROM:0004030A                 B       loc_4030A
    ROM:0004030C ; ---------------------------------------------------------------------------
    ROM:0004030C
    ROM:0004030C locret_4030C                            ; CODE XREF: ROM:00040308j
    ROM:0004030C                 POP     {R4,PC}
    ROM:0004030C ; ---------------------------------------------------------------------
    Disassembling what they write to 0x5C7EA yields this:
    Code:
    ROM:0005C7EA                 BL      0x40300
    Looks like it is indeed Thumb code.
    If we could dump the eMMC RAM, we would understand what has been changed.


    By inspecting some code, it seems that we know how to dump the eMMC RAM:
    Look at the function mmc_set_wearlevel_page in line 206. It patches the RAM (using the method mentioned before), then it validates what it has written (in lines 255-290). It seems that the procedure to read the RAM is as follows:
    1. CMD62(0xEFAC62EC) CMD62(0x10210002) to enter RAM reading mode
    2. MMC_ERASE_GROUP_START(Address to read) MMC_ERASE_GROUP_END(Length to read) MMC_ERASE(0)
    3. MMC_READ_SINGLE_BLOCK to read the data
    4. CMD62(0xEFAC62EC) CMD62(0xDECCEE) to exit RAM reading mode


    I don't want to run this on my device, because I'm afraid - messing with the eMMC doesn't sound like a very good idea on my device (I don't have a spare one).
    Does someone have a development device which he doesn't mind risking, and wants to dump the eMMC firmware from it? :)
    28
    Okay, got a RAM dump :)
    I won't post it here (or anywhere else for that matter) because I don't want to get sued by Samsung.

    I might release a kernel which allows you to dump the RAM yourself if there's enough demand, but I don't want to right now, because:
    1. The code is ugly as hell, not implemented as a kernel module, not thread-safe etc.
    2. It is highly dangerous (messing with the eMMC chip - I really don't know how stable this thing is), so if you want to do it on your device, you should be an expert. In that case, you can write the code yourself (with little effort) :)


    Anyway, I hope the FTL is Whimory, since I'm familiar with it. Would be easier.
    I'll let you know if I find anything interesting.


    PS I've attached a little teaser. (Yes, this is the patched function. 0x40300 is red because I've opened a partial RAM dump.)



    EDIT - Some initial results:
    0. The CPU is a Cortex-M3.
    1. No strings at all :( Just some uninteresting release asserts ("REL_ASSERT")
    2. Found the Smart Report generator function -> found the MMC command handlers.
    3. Most MMC command handlers are stored in a function table. There are 3 special commands: MMC60, MMC62, MMC64. Depending on the arguments these special commands are given, they modify the function table (this is the so called "vendor mode").
    4. There are a lot of possible arguments for MMC62, not the only ones we know.
    5. If you trace back the function they patch all the way up the call stack, you get to the MMC24 and MMC25 handlers. These commands are MMC_WRITE_BLOCK and MMC_WRITE_MULTIPLE_BLOCK. Since the function they patch is deep down the call stack, it's very likely that it is the wear leveling.

    Anyway, because of the lack of strings I guess it would be very hard to truly understand the SDS bug we're facing :(
    18
    Just a quick update: thanks to a kernel compiled by AndreiLux, and thanks to artesea for doing an eMMC RAM dump on his device, we've got the 0xf7 firmware!

    It seems that it is runnable on the same hardware. It means that we can probably field upgrade I9300 devices, just as Samsung does with I9100.
    The interesting question is whether we're able to preserve the data on the eMMC during the process. If the answer is no, a firmware upgrade would require PIT repartitioning and reflashing of SBOOT so that the device won't become a brick.
    16
    So I decided to do a small RAM dump after all.

    Before the patch, 0x5C7EA reads FD F7 C2 FA, which is "BL 0x59D72".
    As I thought, they replace a function call to the new one.

    I will dump function 0x59D72 later this week.
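    As an added worked example (not code from the thread): decoding and re-encoding the two 32-bit Thumb BL instructions quoted in these posts, the original FD F7 C2 FA at 0x5C7EA and the E3 F7 89 FD that the patch writes there, using the ARMv7-M BL T1 encoding that the Cortex-M3 in the eMMC executes. The byte values and the address are the ones posted above; the function names are mine.

```python
import struct

# Thumb-2 BL, encoding T1 (ARMv7-M, so valid for the Cortex-M3 in the eMMC):
#   hw1 = 11110 S imm10        hw2 = 11 J1 1 J2 imm11
#   I1 = NOT(J1 XOR S), I2 = NOT(J2 XOR S)
#   imm32 = SignExtend(S:I1:I2:imm10:imm11:'0'), target = (addr + 4) + imm32

def decode_bl(addr: int, code: bytes) -> int:
    """Branch target of the 32-bit Thumb BL whose 4 bytes sit at addr."""
    hw1, hw2 = struct.unpack_from("<HH", code)
    if (hw1 >> 11) != 0b11110 or (hw2 >> 14) != 0b11 or not (hw2 >> 12) & 1:
        raise ValueError("not a Thumb BL encoding")
    s, imm10 = (hw1 >> 10) & 1, hw1 & 0x3FF
    j1, j2, imm11 = (hw2 >> 13) & 1, (hw2 >> 11) & 1, hw2 & 0x7FF
    i1, i2 = 1 - (j1 ^ s), 1 - (j2 ^ s)
    imm = (s << 24) | (i1 << 23) | (i2 << 22) | (imm10 << 12) | (imm11 << 1)
    if s:
        imm -= 1 << 25  # sign-extend the 25-bit immediate
    return (addr + 4 + imm) & 0xFFFFFFFF

def encode_bl(addr: int, target: int) -> bytes:
    """Inverse of decode_bl: the 4 bytes of 'BL target' when placed at addr."""
    imm = target - (addr + 4)
    if imm & 1 or not -(1 << 24) <= imm < (1 << 24):
        raise ValueError("target misaligned or out of BL range")
    imm &= (1 << 25) - 1
    s, i1, i2 = (imm >> 24) & 1, (imm >> 23) & 1, (imm >> 22) & 1
    imm10, imm11 = (imm >> 12) & 0x3FF, (imm >> 1) & 0x7FF
    j1, j2 = (1 - i1) ^ s, (1 - i2) ^ s  # J1 = NOT(I1) XOR S, same for J2
    hw1 = (0b11110 << 11) | (s << 10) | imm10
    hw2 = (0b11 << 14) | (j1 << 13) | (1 << 12) | (j2 << 11) | imm11
    return struct.pack("<HH", hw1, hw2)

# Values quoted in the posts above: the call site the patch rewrites,
# the bytes found there before the patch, and the bytes the patch writes.
CALL_SITE = 0x5C7EA
BEFORE = bytes.fromhex("FDF7C2FA")
AFTER = bytes.fromhex("E3F789FD")

def patch_targets() -> tuple:
    """(original callee, patched callee) decoded from the bytes above."""
    return decode_bl(CALL_SITE, BEFORE), decode_bl(CALL_SITE, AFTER)

if __name__ == "__main__":
    old, new = patch_targets()
    print(f"before: BL {old:#x}   after: BL {new:#x}")
    # Round trip: re-encoding the decoded targets reproduces the posted bytes.
    assert encode_bl(CALL_SITE, old) == BEFORE and encode_bl(CALL_SITE, new) == AFTER
```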
    16
    Got a kernel log from just after such a freeze.

    I was about to power on the screen but nothing happened. Then I waited around 10 minutes and the screen finally came up and I dumped the log.

    Is this interesting? :D

    Full log is attached.

    Code:
    U/ 4002.738352  c0 [keys]PWR 1
    U/ 4002.983296  c0 [keys]PWR 0
    ...
    U/ 4587.514100  c0 mshci: ===========================================
    W/ 4587.514336  c0 mmc0: it occurs a critical error on eMMC it'll try to recover eMMC to normal state
    ....
    V/ 4587.850296  c0 mmc0: recovering eMMC has been done
    ...
    W/ 4587.850849  c0 mmcblk0: unknown error -131 sending read/write command, card status 0x900
    W/ 4587.851982  c0 end_request: I/O error, dev mmcblk0, sector 3126872
    W/ 4587.852174  c0 end_request: I/O error, dev mmcblk0, sector 3126880
    W/ 4587.852330  c0 end_request: I/O error, dev mmcblk0, sector 3126888


    EDIT: Added another log. Will add more, if I get more.


    BR
    Rob
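    As an added example (not code from the thread): a small parser for the kernel log format shown in the post above. It pairs the mmc0 "critical error" line with the "recovering eMMC has been done" line to measure how long the recovery stalled, and collects the command error (errno and card status) and the I/O error sectors that follow. The sample input is the quoted log excerpt with the "..." gap markers dropped; function and field names are mine.

```python
import re
from typing import Any, Dict, List

# Lines taken from the kernel log quoted above (gap markers dropped).
SAMPLE_LOG = """\
U/ 4002.738352  c0 [keys]PWR 1
U/ 4002.983296  c0 [keys]PWR 0
U/ 4587.514100  c0 mshci: ===========================================
W/ 4587.514336  c0 mmc0: it occurs a critical error on eMMC it'll try to recover eMMC to normal state
V/ 4587.850296  c0 mmc0: recovering eMMC has been done
W/ 4587.850849  c0 mmcblk0: unknown error -131 sending read/write command, card status 0x900
W/ 4587.851982  c0 end_request: I/O error, dev mmcblk0, sector 3126872
W/ 4587.852174  c0 end_request: I/O error, dev mmcblk0, sector 3126880
W/ 4587.852330  c0 end_request: I/O error, dev mmcblk0, sector 3126888
"""

# <level>/ <seconds.micros>  c<cpu> <message>
LINE_RE = re.compile(r"^([A-Z])/\s*(\d+\.\d+)\s+(c\d+)\s+(.*)$")
IOERR_RE = re.compile(r"end_request: I/O error, dev (\w+), sector (\d+)")
CMDERR_RE = re.compile(r"unknown error (-?\d+) sending read/write command, card status (0x[0-9a-fA-F]+)")

def analyze_mmc_log(text: str) -> Dict[str, Any]:
    """Extract eMMC recovery episodes and the errors that follow them."""
    recoveries: List[Dict[str, Any]] = []
    cmd_errors: List[Dict[str, Any]] = []
    io_errors: List[Dict[str, Any]] = []
    pending = None  # timestamp of a critical-error line awaiting its "done" line
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip lines that are not in the kernel log format
        ts, msg = float(m.group(2)), m.group(4)
        if "critical error on eMMC" in msg:
            pending = ts
        elif "recovering eMMC has been done" in msg and pending is not None:
            recoveries.append({"start": pending, "end": ts, "stall_s": round(ts - pending, 3)})
            pending = None
        elif (e := CMDERR_RE.search(msg)):
            cmd_errors.append({"ts": ts, "errno": int(e.group(1)), "status": int(e.group(2), 16)})
        elif (e := IOERR_RE.search(msg)):
            io_errors.append({"ts": ts, "dev": e.group(1), "sector": int(e.group(2))})
    return {"recoveries": recoveries, "cmd_errors": cmd_errors, "io_errors": io_errors,
            # a recovery followed by I/O errors is the pattern worth alerting on
            "recovery_followed_by_io_errors": bool(recoveries) and bool(io_errors)}

if __name__ == "__main__":
    print(analyze_mmc_log(SAMPLE_LOG))
```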