eMMC flash reading/writing

Samsung's BluRay player related hacks.

sbav1
Official SamyGO Developer
Posts: 374
Joined: Fri Jan 15, 2010 10:20 am

eMMC flash reading/writing

Post by sbav1 »

I wonder if it may be in fact possible to access eMMC flash chip contents (Samsung is using eMMC flash, instead of OneNAND, more and more often in their recent devices) without desoldering it from the mainboard.
Using 1-bit eMMC mode, it should (in theory) require just 4 wires (CLK, CMD, DATA and GND). Of course the main problem is to find where exactly to connect three of those wires ;). So far I'm unable to identify any obvious places/test pads/etc. for that in the eMMC's closest neighbourhood. There are some suspicious-looking small solder points (five in a row) just below the eMMC chip, but they seem to be not connected to anything else. Any thoughts?
oga83
Posts: 268
Joined: Sun Mar 18, 2012 10:11 pm
Location: France

Re: eMMC flash reading/writing

Post by oga83 »

I have already looked at these pads with a magnifier, and they don't seem connected.
They might be fiducial patterns (to calibrate SMD pick&place machines), although I've never seen such ones before.
As the eMMC chips seem to be in BGA packaging, it requires very accurate positioning, which could explain these fiducial patterns close to them.

[EDIT] Anyway, there must be a means to read/write the eMMC once they are in place. I would be surprised if these chips were programmed before pick&place...
AFAIK, they are not jtag compliant, so if jtag is used for this, it must be through the SoC.
E3V3A
Posts: 247
Joined: Wed Oct 31, 2012 2:31 am
Location: /dev/zero

Re: eMMC flash reading/writing

Post by E3V3A »

There's no telling what those 5 solder points are connected to, because of the multilayer PCB. You'll just have to measure on them.

Reading/writing eMMC's can be very tricky, especially if they have enabled read protection or other on-device security features. In this case I doubt it. However, there are software tools for this, but I have never used them. (But we need them for Mobile phone bootloader unlocking!)

Check these:
http://patches.linaro.org/project/linux-mmc/
http://git.kernel.org/?p=linux/kernel/g ... ;a=summary
https://kernel.googlesource.com/pub/scm ... mmc-utils/

It would be nice to include these in our ARM hacking-toolkit!
HW: UE40ES5700SXXH
FW: T-MST10PDEUC-1029.0 Onboot: 1003
oga83
Posts: 268
Joined: Sun Mar 18, 2012 10:11 pm
Location: France

Re: eMMC flash reading/writing

Post by oga83 »

E3V3A wrote:There's no telling what those 5 solder points are connected to, because of the multilayer PCB
Even on a multilayer PCB, you need vias to go from one layer to another one. They can be buried for internal layers but not for external ones.
No vias and no tracks in this case, so no connection.
These are definitely fiducial marks.
E3V3A
Posts: 247
Joined: Wed Oct 31, 2012 2:31 am
Location: /dev/zero

Re: eMMC flash reading/writing

Post by E3V3A »

oga83 wrote: ...Anyway, there must be a means to read/write the eMMC once they are in place. I would be surprised if these chips were programmed before pick&place...
They are programmed with the mmc-tools mentioned above, AFAIK. If you wanna directly hack into the eMMC communications from PCB, you'd have to:
1. find the schematics of the same chip you're interested in, or derive the signals in some other way.
2. find the driver sources related to that chip so that you know what signal to inject / expect...
3. It may be hard to inject signals while being connected to other components, for obvious reasons.

PS: Most high-end ARM SoC's have secure JTAG implementation through TZ, so that is not a guarantee...although very unlikely to be implemented on a TV set.
HW: UE40ES5700SXXH
FW: T-MST10PDEUC-1029.0 Onboot: 1003
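An added example, not part of the original posts: knowing "what signal to expect" on the CMD line comes down to recognising the 48-bit MMC command token (start bit, direction bit, 6-bit index, 32-bit argument, CRC-7, end bit). The sketch below assumes a logic-analyser capture has already been sampled into 6-byte tokens; the sample tokens are constructed, and only 48-bit tokens are handled (not the 136-bit R2 response).

```python
import struct

# A few MMC command indices by name (not the full command set).
MMC_COMMANDS = {0: "GO_IDLE_STATE", 1: "SEND_OP_COND", 2: "ALL_SEND_CID",
                3: "SET_RELATIVE_ADDR", 8: "SEND_EXT_CSD",
                17: "READ_SINGLE_BLOCK", 24: "WRITE_BLOCK"}

def crc7(data: bytes) -> int:
    """CRC-7, polynomial x^7 + x^3 + 1, initial value 0 (MMC command CRC)."""
    crc = 0
    for byte in data:
        for bit in range(7, -1, -1):
            feedback = ((byte >> bit) & 1) ^ (crc >> 6)
            crc = (crc << 1) & 0x7F
            if feedback:
                crc ^= 0x09
    return crc

def build_token(index: int, arg: int, from_host: bool = True) -> bytes:
    """Assemble a 48-bit token: 0 | dir | index[6] | arg[32] | crc[7] | 1."""
    head = bytes([(0x40 if from_host else 0x00) | (index & 0x3F)])
    head += struct.pack(">I", arg)
    return head + bytes([(crc7(head) << 1) | 1])

def parse_token(token: bytes) -> dict:
    """Decode one 48-bit token and report whether its CRC-7 checks out."""
    if len(token) != 6:
        raise ValueError("a command token is exactly 48 bits (6 bytes)")
    if token[0] >> 7 != 0 or token[5] & 1 != 1:
        raise ValueError("bad framing: start bit must be 0, end bit 1")
    index = token[0] & 0x3F
    return {
        "from_host": bool(token[0] & 0x40),   # direction bit: 1 = host to card
        "index": index,
        "name": MMC_COMMANDS.get(index, "CMD%d" % index),
        "arg": struct.unpack(">I", token[1:5])[0],
        "crc_ok": crc7(token[:5]) == token[5] >> 1,
    }

if __name__ == "__main__":
    # Constructed sample "capture": a reset followed by a single-block read.
    capture = [bytes.fromhex("400000000095"), build_token(17, 0x1000)]
    for tok in capture:
        print(tok.hex(), parse_token(tok))
```

A token whose `crc_ok` is false usually means the capture was sampled on the wrong clock edge or is misaligned by a bit, which is worth ruling out before reading anything into the decoded command.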
oga83
Posts: 268
Joined: Sun Mar 18, 2012 10:11 pm
Location: France

Re: eMMC flash reading/writing

Post by oga83 »

E3V3A wrote: Most high-end ARM SoC's have secure JTAG implementation through TZ, so that is not a guarantee...although very unlikely to be implemented on a TV set.
JTAG is implemented on BD-E :
AFAIK, eMMC does not support JTAG. So if memory can be accessed with JTAG, it is only through SoC.
I made a few tests, all of them unsuccessful :(
E3V3A
Posts: 247
Joined: Wed Oct 31, 2012 2:31 am
Location: /dev/zero

Re: eMMC flash reading/writing

Post by E3V3A »

Sorry, I was not being clear. What I meant was that secure JTAG is probably not implemented. Of course nearly all modern ARM-based electronics contain JTAG functionality, since it's built into the ARM processor.
HW: UE40ES5700SXXH
FW: T-MST10PDEUC-1029.0 Onboot: 1003
juusso
SamyGO Moderator
Posts: 10129
Joined: Sun Mar 07, 2010 6:20 pm

Re: eMMC flash reading/writing

Post by juusso »

We are still missing a report about successful JTAG'ing on Samsung TV mainboards.
LE40B653T5W,UE40D6750,UE65Q8C
Have questions? Read SamyGO Wiki, Search on forum first!
FFB (v0.8), FFB for CI+ . Get root on: C series, D series, E series, F series, H series. rooting K series, exeDSP/exeTV patches[C/D/E/F/H]

DO NOT EVER INSTALL FIRMWARE UPGRADE
