Successful data recovery of broken eMMC chip MCU1

[whitex]

I hope they are not implementing encryption. 2019.40 is pretty old, we've recovered plenty from that version. Never been prompted for a password for any MCU1 chip yet.

eMMC standard does support password lock (CMD42), which would prevent anyone reading the chip using a reader unless you have the password. Tesla could implement this, making is much harder to root and clone emmc (you might be able to still read it if you allow the MCU to unlock the device, then somehow switch the emmc bus to your reader without resetting the emmc chip, but that adds a whole new level of difficulty over just placing the emmc in the reader). That was the very first thing I was thinking Tesla did in response to the story about personal information leaks (nothing motivates Tesla's rapid and stealth code deployments like media attention), deploy an update which would create a random password, store in the non-emmc storage, and lock the emmc chip so that password is required to read or write it. But I'm sure they would roll the version for it, so in this case, with the old firmware, it's unlikely to be the case. It's more likely the chip is damaged, or some other issue with the EasyJTAG setup (bad pin contact on the socket, incompatible firmware or configuration, etc).

Also encrypting most older chips would probably kill them with all the additional writes.

Encryption usually does not result in additional writes as flash is already written in large enough blocks Also, unless they encrypt (or even
just authenticate via password) at the interface layer (i.e. secure the eMMC communications), you would still be able to read the chip and clone it. The other types of encryption are: chip level (all sectors, you cannot even see partitions, but can dd the whole chip), file system or partition level (you see partitions cannot mount or list them), or file level (you can see the file, but it's full of "garbage").

If Tesla were to implement password lock, it would make it harder to read chips from used devices, but even harder or impossible to clone them (even if you extract the image, the new chip would have to be programmed with the same password which you don't know - you'd have to go hunting for that password in the other flash chips in the MCU - a whole new level of reverse engineering). Password lock would not add any wear to the emmc chip either.

 

[Arturino]

I desoldered the emmc. Putting it easyjtag. It says emmc password locked. Is this normal to everyone? Mine is mcu1 from 2013 model s

Can you share the screenshot? Actually, I have problems with EasyJtag, reading brand new emmc in the provided socket, it just says - RCV timeout error, but chip can be identified.

 

[SevenWithaT]

Can you share the screenshot? Actually, I have problems with EasyJtag, reading brand new emmc in the provided socket, it just says - RCV timeout error, but chip can be identified.

I did a onboard chip reading before. I wonder if the nvidia would lock the emmc. After finding emmc being locked during the onboard reading, I thought thought it was because i woke up the nVidia chip. I have since desoldered the chip and doing chip off reading. Still locked.

the log here is what i got when doing onboard reading. I don’t have chipoff reading’s screenshot. I borrowed easyjtag and have since returned the reader.

 

[SevenWithaT]

I hope they are not implementing encryption. 2019.40 is pretty old, we've recovered plenty from that version. Never been prompted for a password for any MCU1 chip yet.

Also encrypting most older chips would probably kill them with all the additional writes.

I really don’t know what locked the emmc at the moment. The lock is of an older EMMC protocol. Access lock, it’s not like a bitlocker on ssd. I just don’t think the older version of firmware+hardware would support this or the service center guy with friendly voice would do such thing to increase my pain, yet i am looking at my emmc right now with a locked access. I am open to suggestions right now.

 

[whitex]

I really don’t know what locked the emmc at the moment. The lock is of an older EMMC protocol. Access lock, it’s not like a bitlocker on ssd. I just don’t think the older version of firmware+hardware would support this or the service center guy with friendly voice would do such thing to increase my pain, yet i am looking at my emmc right now with a locked access. I am open to suggestions right now.

Suggestion 1: Did you make sure your socket contacts well? Did you clean your pads well (or even reballed the chip?) I have noticed that the Hynix chip was a little bit thinner than the swissbit for example, so when I put it in the reader (without balls) I had to press on the socket lid for it to read properly. I ended up putting some padding on top of the chip before closing the socket (stuck a few layers of capton tape on top, not glued to the chip, just placed on top - not very thick, but enough so I didn't have to keep pushing the top of the socket).


Suggestion 2: Try a different reader, one of the AllSocket ones maybe?

 

[SevenWithaT]

Suggestion 1: Did you make sure your socket contacts well? Did you clean your pads well (or even reballed the chip?) I have noticed that the Hynix chip was a little bit thinner than the swissbit for example, so when I put it in the reader (without balls) I had to press on the socket lid for it to read properly. I ended up putting some padding on top of the chip before closing the socket.


Suggestion 2: Try a different reader, one of the AllSocket ones maybe?

1. You are very right. After chip off, nothing was readable. Then the chip was thoroughly cleaned again and it became readable. right now the chip off read message is consistent with onboard read message so i think the chip is functioning as intended. The message was indeed from EasyJTAG, so this could be a limitation of EasyJTAG.
2. I have allsocket bga153_SD_reader. In windows 10, the SD drive is detected, but the size of SD card(EMMC) was unknown. I don't have standalone ubuntu but I do have virtualbox ubuntu. I passed the SD card device from windows into my virtualbox ubuntu. The SD was not mounted or recognized in any way. My next attempt is to install a standalone ubuntu and see if that changes anything.

 

[whitex]

1. You are very right. After chip off, nothing was readable. Then the chip was thoroughly cleaned again and it became readable. right now the chip off read message is consistent with onboard read message so i think the chip is functioning as intended. The message was indeed from EasyJTAG, so this could be a limitation of EasyJTAG.
2. I have allsocket bga153_SD_reader. In windows 10, the SD drive is detected, but the size of SD card(EMMC) was unknown. I don't have standalone ubuntu but I do have virtualbox ubuntu. I passed the SD card device from windows into my virtualbox ubuntu. The SD was not mounted or recognized in any way. My next attempt is to install a standalone ubuntu and see if that changes anything.

I only used USB reader with a virtual machine, the SD reader I used only on native linux (my latop with SDIO/MMC controller happens to run linux), so can't help tell you if SD/MMC should work via virtual machine. Once you get SD to report what it sees, post the dmesg here.

PS> don't forget to disable automatic mounting of removable media on Ubuntu, you don't want to mount the partitions, especially if they are corrupt - this is where the USB reader has an advantage, it has a physical write-protect switch.

 

[SevenWithaT]

I only used USB reader with a virtual machine, the SD reader I used only on native linux (my latop with SDIO/MMC controller happens to run linux), so can't help tell you if SD/MMC should work via virtual machine. Once you get SD to report what it sees, post the dmesg here.

PS> don't forget to disable automatic mounting of removable media on Ubuntu, you don't want to mount the partitions, especially if they are corrupt - this is where the USB reader has an advantage, it has a physical write-protect switch.

Ok. Will do.

 

[SevenWithaT]

I hope they are not implementing encryption. 2019.40 is pretty old, we've recovered plenty from that version. Never been prompted for a password for any MCU1 chip yet.

Also encrypting most older chips would probably kill them with all the additional writes.

Would onboard reading make the nvidia locking the emmc?

 

[whitex]

Would onboard reading make the nvidia locking the emmc?

IMHO that would be very unlikely. This is a long shot, but are you sure the EasyJTAG wasn't executing any scripts which might have set the lock password?

 

[EV-Fixme]

Would onboard reading make the nvidia locking the emmc?

I dont think I've ever heard of anything like that.

 

[Mrquestion]

Can you share the screenshot? Actually, I have problems with EasyJtag, reading brand new emmc in the provided socket, it just says - RCV timeout error, but chip can be identified.

I have same problem with easy jtag and Hynix.
If i try to read with JTAG classic suite it shows pasword locked and data RCV timeout error.
If use EMMC tool suite software it doesnt show password locked, only RCV timeout error.
Tried with new Swissbit emmc reading writing good.

 

[SevenWithaT]

Ok. Will do.

If EMMC is completely dead, would it show as if the chip is locked? I spoke to AllSocket support and they suggested R-Studio. I used R-Studio with AllSocket, failed to scan on every sector.

I have same problem with easy jtag and Hynix.
If i try to read with JTAG classic suite it shows pasword locked and data RCV timeout error.
If use EMMC tool suite software it doesnt show password locked, only RCV timeout error.
Tried with new Swissbit emmc reading writing good.

Were you able to extract data from the old hynix chip?

 

[whitex]

If EMMC is completely dead, would it show as if the chip is locked? I spoke to AllSocket support and they suggested R-Studio. I used R-Studio with AllSocket, failed to scan on every sector.
Were you able to extract data from the old hynix chip?

Did AllSocket SD reader connected to a Linux box with SDIO/MMC slot read, or at least recognize the chip and its size correctly (dmesg on Linux would tell you)? Were you able to dump mmc registers (mmc extcsd read)?

Two people reporting a password locked chip is not yet a pattern. I'm thinking some combination of EasyJTAG and Hynix and/or its failure mode. However, I wouldn't put it passed Tesla to react to the media story about personal data leaks with a password lock on emmc - that would be an obvious "low hanging fruit" partial mitigation to the problem. If that's the case, Tony and others will start seeing it soon, and it will take the next level of reverse engineering to be able to repair your own emmc again. Here is hoping that this speculation of mine is just that, and it doesn't turn out like my speculation back in 2013 that the reason why so many people started seeing a "bug" that disallowed SAS to lower was a Tesla PR overreaction to a couple of punctured batteries hyped by the media.

 

[Mrquestion]

Were you able to extract data from the old hynix chip?

No

 

[SevenWithaT]

No

Did AllSocket SD reader connected to a Linux box with SDIO/MMC slot read, or at least recognize the chip and its size correctly (dmesg on Linux would tell you)? Were you able to dump mmc registers (mmc extcsd read)?

Two people reporting a password locked chip is not yet a pattern. I'm thinking some combination of EasyJTAG and Hynix and/or its failure mode. However, I wouldn't put it passed Tesla to react to the media story about personal data leaks with a password lock on emmc - that would be an obvious "low hanging fruit" partial mitigation to the problem. If that's the case, Tony and others will start seeing it soon, and it will take the next level of reverse engineering to be able to repair your own emmc again. Here is hoping that this speculation of mine is just that, and it doesn't turn out like my speculation back in 2013 that the reason why so many people started seeing a "bug" that disallowed SAS to lower was a Tesla PR overreaction to a couple of punctured batteries hyped by the media.

Here is the log after plugging in the AllSocket BGA153_SD to USB

[< 0.000000>] usb 1-2: USB disconnect, device number 4
[< 19.087399>] usb 1-2: new high-speed USB device number 5 using xhci_hcd
[< 0.030009>] usb 1-2: New USB device found, idVendor=05e3, idProduct=0745, bcdDevice= 9.03
[< 0.000004>] usb 1-2: New USB device strings: Mfr=0, Product=1, SerialNumber=2
[< 0.000002>] usb 1-2: Product: USB Storage
[< 0.000002>] usb 1-2: SerialNumber: 000000000903
[< 0.000998>] usb-storage 1-2:1.0: USB Mass Storage device detected
[< 0.000322>] scsi host1: usb-storage 1-2:1.0
[< 1.022847>] scsi 1:0:0:0: Direct-Access Generic STORAGE DEVICE 0903 PQ: 0 ANSI: 6
[< 0.000644>] sd 1:0:0:0: Attached scsi generic sg0 type 0
[< 0.117733>] sd 1:0:0:0: [sda] 15155200 512-byte logical blocks: (7.76 GB/7.23 GiB)
[< 0.001019>] sd 1:0:0:0: [sda] Write Protect is off
[< 0.000002>] sd 1:0:0:0: [sda] Mode Sense: 21 00 00 00
[< 0.001011>] sd 1:0:0:0: [sda] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
[< 47.974342>] scsi_io_completion_action: 2 callbacks suppressed
[< 0.000008>] sd 1:0:0:0: [sda] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
[< 0.000005>] sd 1:0:0:0: [sda] tag#0 Sense Key : Medium Error [current]
[< 0.000003>] sd 1:0:0:0: [sda] tag#0 Add. Sense: Incompatible medium installed
[< 0.000004>] sd 1:0:0:0: [sda] tag#0 CDB: Read(10) 28 00 00 00 00 00 00 00 08 00
[< 0.000001>] print_req_error: 2 callbacks suppressed
[< 0.000004>] blk_update_request: I/O error, dev sda, sector 0 op 0x0READ) flags 0x0 phys_seg 1 prio class 0
[< 0.000006>] buffer_io_error: 2 callbacks suppressed
[< 0.000002>] Buffer I/O error on dev sda, logical block 0, async page read
[< 47.966202>] sd 1:0:0:0: [sda] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
[< 0.000005>] sd 1:0:0:0: [sda] tag#0 Sense Key : Medium Error [current]
[< 0.000003>] sd 1:0:0:0: [sda] tag#0 Add. Sense: Incompatible medium installed
[< 0.000004>] sd 1:0:0:0: [sda] tag#0 CDB: Read(10) 28 00 00 00 00 00 00 00 08 00
[< 0.000004>] blk_update_request: I/O error, dev sda, sector 0 op 0x0READ) flags 0x0 phys_seg 1 prio class 0
[< 0.000007>] Buffer I/O error on dev sda, logical block 0, async page read
[< 47.966361>] sd 1:0:0:0: [sda] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
[< 0.000005>] sd 1:0:0:0: [sda] tag#0 Sense Key : Medium Error [current]
[< 0.000003>] sd 1:0:0:0: [sda] tag#0 Add. Sense: Incompatible medium installed
[< 0.000004>] sd 1:0:0:0: [sda] tag#0 CDB: Read(10) 28 00 00 00 00 00 00 00 08 00
[< 0.000004>] blk_update_request: I/O error, dev sda, sector 0 op 0x0READ) flags 0x0 phys_seg 1 prio class 0
[< 0.000007>] Buffer I/O error on dev sda, logical block 0, async page read
[< 0.000320>] ldm_validate_partition_table(): Disk read failed.

 

[whitex]

@SevenWithaT , do you have automatic mounting enabled?

 

[SevenWithaT]

@SevenWithaT , do you have automatic mounting enabled?

no

 

[whitex]

Here is the log after plugging in the AllSocket BGA153_SD to USB

[< 0.000000>] usb 1-2: USB disconnect, device number 4
[< 19.087399>] usb 1-2: new high-speed USB device number 5 using xhci_hcd
[< 0.030009>] usb 1-2: New USB device found, idVendor=05e3, idProduct=0745, bcdDevice= 9.03
[< 0.000004>] usb 1-2: New USB device strings: Mfr=0, Product=1, SerialNumber=2
[< 0.000002>] usb 1-2: Product: USB Storage
[< 0.000002>] usb 1-2: SerialNumber: 000000000903
[< 0.000998>] usb-storage 1-2:1.0: USB Mass Storage device detected
[< 0.000322>] scsi host1: usb-storage 1-2:1.0
[< 1.022847>] scsi 1:0:0:0: Direct-Access Generic STORAGE DEVICE 0903 PQ: 0 ANSI: 6
[< 0.000644>] sd 1:0:0:0: Attached scsi generic sg0 type 0
[< 0.117733>] sd 1:0:0:0: [sda] 15155200 512-byte logical blocks: (7.76 GB/7.23 GiB)
[< 0.001019>] sd 1:0:0:0: [sda] Write Protect is off
[< 0.000002>] sd 1:0:0:0: [sda] Mode Sense: 21 00 00 00
[< 0.001011>] sd 1:0:0:0: [sda] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
[< 47.974342>] scsi_io_completion_action: 2 callbacks suppressed
[< 0.000008>] sd 1:0:0:0: [sda] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
[< 0.000005>] sd 1:0:0:0: [sda] tag#0 Sense Key : Medium Error [current]
[< 0.000003>] sd 1:0:0:0: [sda] tag#0 Add. Sense: Incompatible medium installed
[< 0.000004>] sd 1:0:0:0: [sda] tag#0 CDB: Read(10) 28 00 00 00 00 00 00 00 08 00
[< 0.000001>] print_req_error: 2 callbacks suppressed
[< 0.000004>] blk_update_request: I/O error, dev sda, sector 0 op 0x0READ) flags 0x0 phys_seg 1 prio class 0
[< 0.000006>] buffer_io_error: 2 callbacks suppressed
[< 0.000002>] Buffer I/O error on dev sda, logical block 0, async page read
[< 47.966202>] sd 1:0:0:0: [sda] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
[< 0.000005>] sd 1:0:0:0: [sda] tag#0 Sense Key : Medium Error [current]
[< 0.000003>] sd 1:0:0:0: [sda] tag#0 Add. Sense: Incompatible medium installed
[< 0.000004>] sd 1:0:0:0: [sda] tag#0 CDB: Read(10) 28 00 00 00 00 00 00 00 08 00
[< 0.000004>] blk_update_request: I/O error, dev sda, sector 0 op 0x0READ) flags 0x0 phys_seg 1 prio class 0
[< 0.000007>] Buffer I/O error on dev sda, logical block 0, async page read
[< 47.966361>] sd 1:0:0:0: [sda] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
[< 0.000005>] sd 1:0:0:0: [sda] tag#0 Sense Key : Medium Error [current]
[< 0.000003>] sd 1:0:0:0: [sda] tag#0 Add. Sense: Incompatible medium installed
[< 0.000004>] sd 1:0:0:0: [sda] tag#0 CDB: Read(10) 28 00 00 00 00 00 00 00 08 00
[< 0.000004>] blk_update_request: I/O error, dev sda, sector 0 op 0x0READ) flags 0x0 phys_seg 1 prio class 0
[< 0.000007>] Buffer I/O error on dev sda, logical block 0, async page read
[< 0.000320>] ldm_validate_partition_table(): Disk read failed.

Why does your timestamp for USB detection start at 0.000000 and keeps going up to 47.9 seconds and then back? dmesg usually just shows time since boot. Is there a chance linux trying to boot from this? Is this Ubuntu in VMWare (when I set up Ubuntu 18 in VMWare, sda was the boot disk, Allsocket USB connected as sdb)? Here is what the AllSocket USB reader with my Hynix part connection looks like on Ubuntu 18 on VMWare on Windows 10:

Did you get a change to connect the SD reader to a native SDIO slot with Linux?

 

[SevenWithaT]

Why does your timestamp for USB detection start at 0.000000 and keeps going up to 47.9 seconds and then back? dmesg usually just shows time since boot. Is there a chance linux trying to boot from this? Is this Ubuntu in VMWare (when I set up Ubuntu 18 in VMWare, sda was the boot disk, Allsocket USB connected as sdb)? Here is what the AllSocket USB reader with my Hynix part connection looks like on Ubuntu 18 on VMWare on Windows 10:
View attachment 543171

Did you get a change to connect the SD reader to a native SDIO slot with Linux?

I did. the timestamp is with -td so i only see the latest log. it's already on sda. whole bunch error messages on failed read.