EMMCFirmwareBugs¶

• Table of contents
• EMMCFirmwareBugs
  • Data corruption
    • Affected devices
      • VTU00M
      • Other devices

Data corruption¶

Several devices have fixes or workarounds in vendor kernels for data corruptions in the eMMC. This can lead to non-working devices as it could potentially corrupt the bootloaders for instance.

The bug #2104 has more details for the Galaxy SIII.

Affected devices¶

VTU00M¶

Affected devices: Some Galaxy SIII (GT-I9300)
Vendor kernel patch: mmc: Soft-patch MoviNAND VTU00M (16GB) eMMC failure
Upstream status: not upstream
Replicant >=9 status: In Replicant 11 only

How to check¶

As this patch shows:

+    if (!strncmp(host->card->cid.prod_name, "VTU00M", 6) &&
+        (host->card->cid.prod_rev == 0xf1) &&
+        (mmc_start_movi_smart(host->card) == 0x2))
+        host->card->movi_ops = 0x2;

• The name of the eMMC is VTU00M
• Only certain revisions are affected (revision 0xf1)

With Replicant > 6 we can find the eMMC name like that:

$ adb root
$ adb shell
i9300:/ # cat /sys/bus/mmc/devices/mmc2:0001/name
VTU00M

As for the prod_rev, we have this code in the Replicant 6 kernel:

case 4: /* MMC v4 */
        [...]
        card->cid.prod_rev    = UNSTUFF_BITS(resp, 48, 8);
        [...]
        break;

So it's a MMC v4 and uses UNSTUFF_BITS(resp, 48, 8);

In upstream Linux we have that instead:

    case 4: /* MMC v4 */
        [...]
        card->cid.prv        = UNSTUFF_BITS(resp, 48, 8);
        [...]

So we should be able to get the revision in this way:

$ adb root
$ adb shell
i9300:/ # cat /sys/bus/mmc/devices/mmc2:0001/prv
0xf7

Here I've the 0xf7 revision and not the problematic 0xf1 revision, so I should probably be ok.

Here this has been tested with a GT-I9300 with a work in progress Replicant 10 image that uses a kernel closely based on upstream Linux.

Vendor kernel workaround analysis¶

The mmc: Soft-patch MoviNAND VTU00M (16GB) eMMC failure patch patches the eMMC firmware at runtime (it patches the firmware in RAM).

The eMMC firmware patch makes the eMMC hang when a corruption is about to happen.

See also¶

• The eMMC hacking, or: how I fixed long-dead Galaxy S3 phones presentation that has a lot more background on the issue for the Galaxy SIII (GT-I9300).
• The i9300_emmc_toolbox source code related to this talk. Note that while most of it is free software it also contains nonfree code in the sdcard directory.

Other devices¶

See also¶

• The EMMC Bugs page on the archive of the CyanogenMod wiki.
• The XDA developpers eMMC sudden death research thread

TODO¶

• Document this also for other devices, like the Galaxy SII.
• There was a wiki page in LineageOS or CyanogenMod that referenced eMMC firmware bugs. find it and reference it