FORUMS

[EMMC CORRUPTION FIX] HOW-TO Recover EMMC Bricked Kindle Fire 1st Gen [2013-08-20]

3,428 posts
Thanks Meter: 23,889
 
By Hashcode, Senior Recognized Developer on 20th August 2013, 05:46 PM
Post Reply Email Thread
* WARNING: This post contains very loose instructions for COMPLETELY erasing the MMC chip on the Kindle Fire 1st Gen. USE WITH CAUTION *

THIS IS NOT FOR KINDLE FIRE 2 USERS WHO HAVE BRICKED IN SOME WAY. THIS IS FOR KINDLE FIRE 1ST GEN USERS WHO EXPERIENCED MMC CORRUPTION DUE TO UNFORSEEN CHANGES IN THE EARLY DEVELOPMENT OF THE 3.0 KERNEL.


----------------------
BACKGROUND:

So, yesterday I was in IRC and @Entropy512 mentioned they had found a leaked moviNAND spec sheet. This is some of the technical data for the mmc chip in our Kindle Fires:
http://web3032.sh1.magic2008.cn.m1.m...4131450191.pdf

In that spec sheet he pointed out CMD62 which is used to resize the boot0/boot1 partitions and a quote from the following paragraph (on page 11 of the PDF, section 4.1.3)
Quote:

After setting the boot partition size, all of data in the moviNAND is removed. And the value of EXT_CSD [227:226] and SEC_COUNT is automatically changing. So user should be careful changing boot partition size.

He also pointed out a git location for the mmc-utils source code (a binary used to read/write/manipulate MMC via some of the pre-determined MMC_CMDs). And that in theory it should be possible to add some kind of command there to use CMD62 in a way to perform this "reset".
https://kernel.googlesource.com/pub/...cjb/mmc-utils/

I forked this over to:
https://github.com/Hashcode/mmc-utils

Then, added a new variant to the command:
mmc_utils vendor <size> <device>

This implements CMD62 using the techsheet's instructions. And when run, it COMPLETELY ERASES the mmc chip. Everything goes. The partition tables, the boot0/boot1 contents and everything in your partitions. This should only be used if you have EMMC corruption caused by the early versions of the 3.0 kernel (You know if you have it).

----------------------
INSTRUCTIONS

Before using this, you want to backup your boot0/boot1 blocks if you can access them. They contain the MAC address info and serial #'s for your device. If you cannot access them, just know that you will need to generate a new mac and use idme to set it later, or you will have wifi issues. And you will never be able to use the Amazon OS due to security checks against the original serial # / MAC.

I'm going to paraphrase very loosely how I restored my Kindle using Ubuntu with adb already installed and configured (not going to cover that here):
  1. Download all the files here and place them in 1 directory:
    http://goo.im/devs/Hashcode/otter/unbrick
    (NOTE: I've included 2 files created by @pokey9000 in this folder: aboot.bin and usbboot. He built them for use w/ Firekit. He's an awesome dev and deserves the credit for these files.)
  2. [optional] You may or may not be able to boot to recovery depending on the emmc damage / current state of your Kindle. I recommend you try and adb pull as many of your partitions as you can for backup. To help you reboot successfully, I recommend trying the following at the very least from recovery (if you can get there):
    1. adb pull /dev/block/mmcblk0boot0
    2. adb pull /dev/block/mmcblk0boot1
  3. Download TWRP for Kindle Fire 1st Gen and place this in the same directory (used with usbboot to enter recovery when there's no recovery on the device):
    http://techerrata.com/file/twrp2/bla....0.0-otter.img

To use usbboot to load recovery from USB go into the directory where you downloaded everything and run the following command:
Code:
./usb_boot_twrp
It should be waiting for USB connection to the device.

Now you need to take the cover of the device off and short the test point located here to the surrounding metal wall (using a paper clip or some other metal object):
http://forum.xda-developers.com/show...4&postcount=51

This should trigger usbboot and it will attempt to load to recovery.

Once recovery is loaded:
(WARNING THE COMMANDS BELOW WILL COMPLETELY RESET YOUR EMMC CHIP. BE SURE YOU TRIED TO BACKUP BOOT0/BOOT1 ABOVE)
Code:
adb push mmc_utils /sbin
adb shell
mmc_utils vendor 0 /dev/block/mmcblk0
# (wait about a minute)
mmc_utils vendor 4 /dev/block/mmcblk0
# (wait another minute)
At this point your ENTIRE mmc has been erased and you should probably reboot w/ usbboot again but instead use this command:
Code:
./usb_boot_reformat
This resets your partition table to the stock Amazon layout. And then loads recovery.

Now, once back in recovery, the first thing you'll want to do is reformat the "media" partition:
  • Using TWRP go into "Wipe" -> "Advanced Wipe" -> checkbox "sdcard" and "Swipe to Wipe"

To format the "cache" partition as ext4 via adb:
Code:
adb shell
mke2fs -t ext4 /dev/block/platform/omap/omap_hsmmc.1/by-name/cache
mount /cache
exit
Then you can attempt to reload the initial set of partitions:

If you were able to backup the boot0/boot1 blocks above use this step. If not, skip this part and goto the next step.
Code:
adb push mmcblk0boot0 /sdcard
adb push mmcblk0boot1 /sdcard
adb shell
cd /sys/block/mmcblk0boot0
echo 0 > force_ro
cd /sys/block/mmcblk0boot1
echo 0 > force_ro
dd if=/sdcard/mmcblk0boot0 of=/dev/block/mmcblk0boot0
dd if=/sdcard/mmcblk0boot1 of=/dev/block/mmcblk0boot1
exit
Now we can restore the first set of partitions to make the device bootable to recovery:
Code:
adb push mmcblk0p1 /sdcard
adb push mmcblk0p2 /sdcard
adb push openrecovery-twrp-2.6.0.0-otter.img /sdcard
adb shell
dd if=/sdcard/mmcblk0p1 of=/dev/block/platform/omap/omap_hsmmc.1/by-name/xloader
dd if=/sdcard/mmcblk0p2 of=/dev/block/platform/omap/omap_hsmmc.1/by-name/bootloader
dd if=/sdcard/openrecovery-twrp-2.6.0.0-otter.img of=/dev/block/platform/omap/omap_hsmmc.1/by-name/recovery
exit
At this point you *should* be able to reboot the device w/o the use of usbboot, and get a normal bootloader screen where you can use the power button to choose a recovery boot.

To complete your device recovery you need to find your preferred ROM (or download from http://get.cm/?device=otter), and place that on your sdcard and flash w/ gapps like any normal ROM install.


For those who couldn't restore the boot0/boot1 partitions, you will want to use the "idme" command to reset the following field, or else wifi will probably have issues.:
Code:
idme mac <a random MAC addr>

Enjoy.

PS. The instructions above were completely written from memory AFTER I had fixed my device. I'm looking for any comments / cleanup you might experience if you try these instructions.
The Following 34 Users Say Thank You to Hashcode For This Useful Post: [ View ]
20th August 2013, 05:46 PM |#2  
Hashcode's Avatar
OP Senior Recognized Developer
Thanks Meter: 23,889
 
Donate to Me
More
RESERVED
The Following 6 Users Say Thank You to Hashcode For This Useful Post: [ View ]
20th August 2013, 05:52 PM |#3  
firered365's Avatar
Senior Member
Flag Houston
Thanks Meter: 154
 
More
Thanks Hash!
20th August 2013, 07:05 PM |#4  
tobiascuypers's Avatar
Senior Member
Flag A little town called Proctor
Thanks Meter: 427
 
More
Very nice write up @Hashcode. Im just wondering what "unforseen changes" would you be talking about?

Sent from my TF300T using Tapatalk 4
20th August 2013, 07:25 PM |#5  
Hashcode's Avatar
OP Senior Recognized Developer
Thanks Meter: 23,889
 
Donate to Me
More
Quote:
Originally Posted by tobiascuypers

Very nice write up @Hashcode. Im just wondering what "unforseen changes" would you be talking about?

Sent from my TF300T using Tapatalk 4

There were a few devices which were running a CWM recovery built from the initial 3.0 kernel back in May 2012. That kernel was not patched for MMC_CAP_ERASE, and on our emmc chip it caused a wear levelling bug which basically made the device unusable.

The entire thread is here:http://forum.xda-developers.com/show....php?t=1651413

This issue should not be hit by current Kindle Fire users.
The Following 5 Users Say Thank You to Hashcode For This Useful Post: [ View ]
20th August 2013, 09:10 PM |#6  
Senior Recognized Developer
Flag Owego, NY
Thanks Meter: 25,479
 
Donate to Me
More
Quote:
Originally Posted by Hashcode

There were a few devices which were running a CWM recovery built from the initial 3.0 kernel back in May 2012. That kernel was not patched for MMC_CAP_ERASE, and on our emmc chip it caused a wear levelling bug which basically made the device unusable.

The entire thread is here:http://forum.xda-developers.com/show....php?t=1651413

This issue should not be hit by current Kindle Fire users.

This is a major victory in the fight against Superbrick.

Unfortunately, the users hit hardest by the Superbrick bug (Samsung Galaxy S2 family) have devices that cannot be USB-booted in any way.

Also, you might want to rename the command to be more descriptive. "vendor" could be anything - this is a very specific vendor command sequence here.
The Following 3 Users Say Thank You to Entropy512 For This Useful Post: [ View ]
20th August 2013, 09:33 PM |#7  
Hashcode's Avatar
OP Senior Recognized Developer
Thanks Meter: 23,889
 
Donate to Me
More
Quote:
Originally Posted by Entropy512

This is a major victory in the fight against Superbrick.

Unfortunately, the users hit hardest by the Superbrick bug (Samsung Galaxy S2 family) have devices that cannot be USB-booted in any way.

Also, you might want to rename the command to be more descriptive. "vendor" could be anything - this is a very specific vendor command sequence here.

Yeah I'll probably set it up "mmc_utils vendor bootsize <size> <device>" as there is a report summary I may add later.
The Following 4 Users Say Thank You to Hashcode For This Useful Post: [ View ]
21st August 2013, 02:32 AM |#8  
Senior Member
Flag Niteroi, RJ
Thanks Meter: 90
 
Donate to Me
More
@Hashcode my device suffered from the brick but i could "fix" it, but i lost some blocks on my partitions. I had to shrink some partitions, so i could use the device again.

Doing this process can fix this for me, will i have back all my partition size right?
21st August 2013, 04:07 AM |#9  
Senior Recognized Developer
Flag Owego, NY
Thanks Meter: 25,479
 
Donate to Me
More
Quote:
Originally Posted by vbdss

@Hashcode my device suffered from the brick but i could "fix" it, but i lost some blocks on my partitions. I had to shrink some partitions, so i could use the device again.

Doing this process can fix this for me, will i have back all my partition size right?

It should. Unlike workarounds that avoid touching damaged areas, this resets the chip so completely that the corrupted wear leveller data structures are reset. At least that was the theory, and Hashcode's results with his Superbricked KFire confirm that this appears to be the case.
The Following 4 Users Say Thank You to Entropy512 For This Useful Post: [ View ]
21st August 2013, 05:20 AM |#10  
soupmagnet's Avatar
Retired Forum Moderator
Flag Austin, TX
Thanks Meter: 2,545
 
More
Quote:
Originally Posted by Entropy512

It should. Unlike workarounds that avoid touching damaged areas, this resets the chip so completely that the corrupted wear leveller data structures are reset. At least that was the theory, and Hashcode's results with his Superbricked KFire confirm that this appears to be the case.

Great! Now all we have to do is get him to brick his HD
The Following User Says Thank You to soupmagnet For This Useful Post: [ View ] Gift soupmagnet Ad-Free
21st August 2013, 01:04 PM |#11  
oVeRdOsE.'s Avatar
Senior Member
MTL
Thanks Meter: 223
 
More
Wow cool!

I had this exact problem back in days. You've helped me on that and most user find out that it was probably a emmc bricked problem.

Fortunately, I had no problem to get a new one from amazon. I was happy after weeks working on it. I even tried to restore it from knoppix.

For now, I'm running the most recent roms on the board, hope this problem will never come back.
If it does, you'll be my hero.
Post Reply Subscribe to Thread

Guest Quick Reply (no urls or BBcode)
Message:
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes