Samsung really needs to hire you, garwynn and Entropy.
I am not surprised I9100/I777 source tree differs from E4GT in some areas. I saw a bunch of #ifdef CONFIG_MMC_DISCARD_MERGE code which indicates to me they were (for our tree) in the process of merging the discard code so it probably could have gone either way depending on when GB for a particular platform was released.Hmm. CONFIG_MMC_DISCARD is enabled on I9100/I777 Gingerbread kernels, which is why I said that MMC_CAP_ERASE was enabled (MMC_CAP_ERASE is #ifdefed based on CONFIG_MMC_DISCARD) - I'll look elsewhere tomorrow to see if maybe the "chain of doom" was broken elsewhere.
It is easier to search when you know what to search for In this case I wasn't starting with MMC_CAP_ERASE though.It's a lot easier to find stuff when you know what you're looking for.
Most likely that is correct.I believe that still, removing MMC_CAP_ERASE from mshci.c is guaranteed to render you safe - but even if it's enabled, there are other places in the kernel where the chain could be broken.
I don't think I ever stated that and I haven't found code which can support that statement with the bug as we understand it.A simple question: how do deleting a large file is suspected to trigger the bug? And how much large the file have to be?
It is not flashing them "over" ICS kernel per-se that triggers the bug.if i understand correctly, flashing CM9 or AOKP based roms over ICS kernel can trigger the bug..
Yes, that is correct. Even with the ICS-based update-binary and the format() currently in the Edify install script, if update-binary is running under a GB-based kernel, the problematic "erase" code initiated by make_ext4fs() will be blocked by the GB kernel, so no issue arises.
Thanks for trying that. The behavior you describe is as expected. When you flashed CM9 on GB rooted, the GB kernel blocked the CM9 update-binary from making the problematic call when the install script asked to format("/system") so that is why there are no issues.i tried CM9 on GB rooted and came back using nandroid backup just fine...
I don't think I ever stated that and I haven't found code which can support that statement with the bug as we understand it.
There may be a separate bug that supports the statement you are saying, but it isn't the bug we are dealing with here, though I really think we would have heard more complaints if such a bug existed.
Perhaps you are confusing with the 32KB zero bug. I don't know if we are afflicted with that bug. fwrev 0x25 definitely is and possibly we are too (which is basically what Mr. Sumrall assumed), but that one would likely end up corrupting data in a recoverable manner (as in you might lose data, but you can reformat/reflash and things should be ok), rather than a superbrick.
Background
The nature of the problem is a call to the function make_ext4fs(). This function isn't provided by the kernel, rather it is provided as a library (libext4_utils.a) that is used when compiling Recovery and the update installer. It does end up eventually calling kernel mmc driver routines, which then trigger the EMMC firmware lockup/superbrick bug.
The make_ext4fs() function changed between GB and ICS. In GB the function didn't try to erase the partition before creating the EXT4 fs. In ICS it tries to erase it first. The erase is triggering an EMMC firmware bug that was always there via the kernel MMC driver. GB is also "doubly" safe in that not only do Recovery and update-binary never attempt to do the erase, even if they did, the request to erase is blocked in the GB-kernel and never run.
Apologies if this was already tried/suggested, but since we're dealing with a Gnu/Linux kernel, and if setting up the ext4 file system triggers the bug in the eMMC firmware, what about using a different one? (See en.wikipedia.org/wiki/Flash_file_system)
That's bringing back something I suspected long long ago back when we knew far less about this bug, but I'm still not sure... Obviously a userspace-triggered erase operation will fire ERASE commands at the card - but what about TRIM (which is a variant of ERASE) - is it blocked by another mechanism? (I suspect so but I'm not entirely sure.)
I'm pretty sure the wipe code that was added between GB and ICS only gets called when creating ext4 filesystems. However I didn't specifically check if the code paths for the other filesystems would reach some variation of the wipe code.Apologies if this was already tried/suggested, but since we're dealing with a Gnu/Linux kernel, and if setting up the ext4 file system triggers the bug in the eMMC firmware, what about using a different one? (See en.wikipedia.org/wiki/Flash_file_system)
Entropy, do you recall how it came about that deleting large files was a possible suspect?
Was it just a theory or was there specific code people were looking at that led to that belief?
For completeness purposes I would like to research if this possibility exists.
Update 14:56 CEST:
Patches will be out in form of new official ROMs and also sourcecode releases after testing, which might take some time.
To clarify this...in testing done over the weekend, there was a small "subtest" group which consisted of 20 devices. This group was put together STRICTLY for the propose of testing the emmc bug and fix. The devices were all programmed with the data known to have cause bricks when wiping. Of those 20, all but 6 also had the code patch to resolve that issue, so there was a possibility for 6 hard bricks, only 4 actually bricked, therefore, on the build currently being tested, the "emmc break issue" has been deemed "resolved"
If you don't have busybox installed just visually parse the line, match the serial # (0xd3f24fe6 - example only - yours will be different) with the cid, and look at the 2 numbers before the serial #.shell@android:/ $ su
shell@android:/ # cd /sys/class/block/mmcblk0/device
shell@android:/sys/class/block/mmcblk0/device # cat cid | cut -b 19,20
19
shell@android:/ $ su
shell@android:/ # cd /sys/class/block/mmcblk0/device
shell@android:/sys/class/block/mmcblk0/device # cat serial cid
0xd3f24fe6
1501004d414734464119d3f24fe68e8b
shell@android:/ $ su
shell@android:/ # cd /sys/class/block/mmcblk0/device
shell@android:/sys/class/block/mmcblk0/device # cat name hwrev fwrev manfid oemid date type serial cid
MAG4FA
0x0
0x0
0x000015
0x0100
08/2011
MMC
0xd3f24fe6
1501004d414734464119d3f24fe68e8b
/*
* There is a bug in some Samsung emmc chips where the wear leveling
* code can insert 32 Kbytes of zeros into the storage. We can patch
* the firmware in such chips each time they are powered on to prevent
* the bug from occurring. Only apply this patch to a particular
* revision of the firmware of the specified chips. Date doesn't
* matter, so include all possible dates in min and max fields.
*/
/* set value 0x000000FF : It's hidden data
* When in vendor command mode, the erase command is used to
* patch the firmware in the internal sram.
*/
err = mmc_movi_erase_cmd(card, 0x0004DD9C, 0x000000FF);
if (err) {
pr_err("Fail to Set WL value1\n");
goto err_set_wl;
}
/* set value 0xD20228FF : It's hidden data */
err = mmc_movi_erase_cmd(card, 0x000379A4, 0xD20228FF);
if (err) {
pr_err("Fail to Set WL value2\n");
goto err_set_wl;
}
Ken Sumrall said:The patch includes a line in mmc.c setting fwrev to the rights bits from the cid register. Before this patch, the file /sys/class/block/mmcblk0/device/fwrev was not initialized from the CID for emmc devices rev 4 and greater, and thus showed zero.
(On second inquiry)
fwrev is zero until the patch is applied.
Ken Sumrall said:You probably have the bug, but rev 0x19 was a previous version of the firmware we had in our prototype devices, but we found it had another bug that if you issued an mmc erase command, it could screw up the data structures in the chip and lead to the device locking up until it was powered cycled. We discovered this when many of our developers were doing a fastboot erase userdata while we were developing ICS. So Samsung fixed the problem and moved to firmware revision 0x25. Yes, it is very annoying that 0x19 is decimal 25, and that led to lots of confusion when trying to diagnose emmc firmware issues. I finally learned to _ALWAYS_ refer to emmc version in hexadecimal, and precede the number with 0x just to be unambiguous.
However, even though 0x19 probably has the bug that can insert 32 Kbytes of zeros into the flash, you can't use this patch on devices with firmware revision 0x19. This patch does a very specific hack to two bytes of code in the revision 0x25 firmware, and the patch most likely will not work on 0x19, and will probably cause the chip to malfunction at best, and lose data at worst. There is a reason the selection criteria are so strict for applying this patch to the emmc firmware.
I passed on our results a few days later mentioning that the file system didn't corrupt until the wipe. This is a response to that follow-up.
As I mentioned in the previous post, firmware rev 0x19 has a bug where the emmc chip can lockup after an erase command is given. Not every time, but often enough. Usually, the device can reboot after this, but then lockup during the boot process. Very rarely, it can lockup even before fastboot is loaded. Your tester was unlucky. Since you can't even start fastboot, the device is probably bricked. :-( If he could run fastboot, then the device could probably be recovered with the firmware update code I have, assuming I can share it. I'll ask.
Ken Sumrall (Android SE) said:Because /data is the place the chip that experiences the most write activity. /system is never written to (except during an system update) and /cache is rarely used (mostly to receiving OTAs).
Ken Sumrall said:As I mention above, the revision 0x19 firmware had a bug that after an emmc erase command, it could leave the internal data structures of the emmc chip in a bad state that cause the chip to lock up when a particular sector was accessed. The only fix was to wipe the chip, and update the firmware. I have code to do that, but I don't know if I can share it. I'll ask.
Ken Sumrall said:e2fsck can repair the filesystem, but often the 32 Kbytes were inserted at the start of a block group, which erased many inodes, and thus running e2fsck would often result in many files getting lost.
Ken Sumrall said:You are getting a glimpse into the exciting life of an Android kernel developer. Turns out the job is mostly fighting with buggy hardware. At least, it seems that way sometimes.
Ken Sumrall (Android) said:Once the chip has locked up, no command will reset it. It must be power cycled. If instead you are asking how to clear the metadata so the chip works again, the only solution I know is to update the firmware inside the chip, and that also wipes all the data. This probably includes factory calibration data that must be saved before the firmware is updated, and restored after. Also, the boot loader is probably in the chip, and must be restored after the firmware update, or the device will be bricked. This is a dangerous operation, because if something goes wrong, the device will probably be bricked. (emphasis added)
Ken Sumrall (Android) said:It is private, I'm asking if I can release it, along with the code to update the emmc firmware. Don't get your hopes up, my guess is the answer will be no.
Ken Sumrall (Android) said:If you really want to erase data on a rev 0x19 samsung emmc chip, I suggest you just write zeros to the entire partition.
Ken Sumrall (Android) said:IIRC, when using recovery to wipe the phone on GB, the make_ext4fs() library would not issue an erase command first, it would just write one a new blank filesystem. This, of course, doesn't really erase all the private data of the user, so we changed make_ext4fs() to first erase the partition, then write out the new filesystem. You can see the code in system/extras/ext4_utils/wipe.c, which didn't exist in gingerbread, but does in honeycomb and later. It is the erase operation on the rev 0x19 firmware that can cause the emmc chip to lockup. (emphasis added)
Ken Sumrall (Android) said:Regarding the notes on MMC_CAP_ERASE, the just lists the cards ability to perform the erase command. In other words, if the mmc_erase() function works. What is more important is if anyone calls the mmc_erase() function. Looking at the mmc driver, in drivers/card/block.c, it is only called when a secure discard or discard request is made. As far as I know, those requests are only sent if the filesystem is mounted with the "discard" option, or if userspace code does an ioctl() to erase a partition, like make_ext4fs does. So check the mount options on the filesystems. *If they don't specify "discard", the erase operations are probably not happening.
Of course, a simple debugging printk() in the mmc_erase() function will tell you if anyone is calling it.
Ken Sumrall (Android) said:The lockup doesn't happen immediately after power-on. The chip doesn't lock up until a sector is referenced that has corrupted wear leveling data inside the chip. Once that sector is referenced, the chip will lockup hard, and the only thing that will get it talking again is to power cycle it. Once it is power cycled, the chip will talk again, until that bogus sector is accessed.
# CONFIG_MMC_DEBUG is not set
[B][U]# CONFIG_MMC_DISCARD is not set[/U][/B]
CONFIG_MMC_UNSAFE_RESUME=y
# CONFIG_MMC_EMBEDDED_SDIO is not set
# CONFIG_MMC_PARANOID_SD_INIT is not set
# CONFIG_MACH_C1_NA_SPR_EPIC2_REV00 is not set
# CONFIG_TARGET_LOCALE_EUR is not set
# CONFIG_TARGET_LOCALE_KOR is not set
[B][U]# CONFIG_TARGET_LOCALE_NTT is not set[/U][/B]
CONFIG_TARGET_LOCALE_NA=y
static const struct block_device_operations mmc_bdops = {
.open = mmc_blk_open,
.release = mmc_blk_release,
[B][U]#ifdef CONFIG_MMC_DISCARD[/U][/B]
.ioctl = mmc_blk_ioctl,
[B][U]#endif[/U][/B]
[B][U]#if defined(CONFIG_TARGET_LOCALE_NTT)[/U][/B]
#if 0 //def CONFIG_MMC_CPRM
.ioctl = mmc_blk_ioctl, //int (*ioctl) (struct block_device *, fmode_t, unsigned, unsigned long); in blkdev.h
#endif
[B][U]#endif[/U][/B]
int wipe_block_device(int fd, s64 len)
{
u64 range[2];
int ret;
range[0] = 0;
range[1] = len;
ret = [B][U]ioctl(fd, BLKSECDISCARD, &range);[/U][/B]
if (ret < 0) {
range[0] = 0;
range[1] = len;
ret = [B][U]ioctl(fd, BLKDISCARD, &range);[/U][/B]
}
return 0;
}