Successful data recovery of broken eMMC chip MCU1

[randvegeta]

Does anyone know if the fw version of the car is stores somewhere on the motherboard which the cid is attached to, or only on the cid?

Could one use a bench MCU and put in a cid from a different car? Im my interpritstion the fw version is store on the cid and the oc, but i could be wrong?

You can definitely move the CID from 1 MCU to another.

I did just that in order to repair a broken MCU quickly.

Apparently there is the version data stored in the GW and IC, but I didnt know it was important and didnt save that info before swapping tegraboarda and performing a software update. So in my case, it's all lost. All I can try now is read whatever is in the spansion chip.

 

[eligs]

Well you could do a trial-and-error process and just install different versions to the eMMC until it boots.

 

[Slexs]

You can definitely move the CID from 1 MCU to another.

I did just that in order to repair a broken MCU quickly.

Apparently there is the version data stored in the GW and IC, but I didnt know it was important and didnt save that info before swapping tegraboarda and performing a software update. So in my case, it's all lost. All I can try now is read whatever is in the spansion chip.

Thats Great, so in theory you could boot a MCU with a different tegra than the original if yiu dont connect the IC?

Do you know where the gw is located?
I know there is some ethernet cabling between the IC and MCU but im not sure of the gw placement.

Im sorry to hear you had an unfortunate event with your update. I havent yet attempted to read out the spansion chip but i Will make an attempt in the near future and let you know if i figure things out.

 

[rooter]

I didn't know that the firmware version was important to know before hand. Now i have Tegraboard with no eMMC, and I don't know what version was on the IC/MCU before it was pulled.

I offer a number of recovery methods and one will almost certainly allow you to pull an image from the eMMC. The version is in 1and2/deploy/platform.ver . Whichever is newer is likely the one you had been running. If your car is 2016 or older it's also in the IC, if you can get to that.

As far as I know, the version info is somewhere on the spansion chip. Unfortunately I'm not clear on how to access the data in the spansion chip. I would very much like to repair the Tegra board.

Nah, the version in the Spansion chip version is mated to the main version, and if they differ, code-signing fail and black screen since the CID won't boot.

Does anyone know if the fw version of the car is stores somewhere on the motherboard which the cid is attached to, or only on the cid?

A given firmware version is in all of the 16 or so ECMs throughout the car, although in binary form. You can retrieve it from the gateway if you've opened the Diag port (script), but in all likelihood you can recover it from the eMMC.

Could one use a bench MCU and put in a cid from a different car? Im my interpritstion the fw version is store on the cid and the oc, but i could be wrong?

Sure, I did that. But it's important to make sure you have certain files on the eMMC like carkeys, VIN, birthday, gateway, and so on. You just need partitions 3 & 4, and can build a whole new eMMC image with my methods.

Apparently there is the version data stored in the GW and IC, but I didnt know it was important and didnt save that info before swapping tegraboarda and performing a software update. So in my case, it's all lost. All I can try now is read whatever is in the spansion chip.

I don't understand why ppl are not using my articles. Your data is still on the old board, and you can recover it.

Thats Great, so in theory you could boot a MCU with a different tegra than the original if yiu dont connect the IC?

You can connect an IC. But it is imperative that the version in the CID matches the version in the Spansion chip, or it won't boot.

Do you know where the gw is located?

I know there is some ethernet cabling between the IC and MCU but im not sure of the gw placement.

The gateway is the chip that's partly under the CID on the mainboard, a Freescale SPC5668GVMG.
It runs FreeRTOS and and has 6 CAN interfaces to the car. It also has an Ethernet interface and talks to the IC and CID over that acting like a CAN-IP bridge/firewall. It's also responsible for much of the logging and handles all the firmware updates in the car for all the modules. (although the IC is master for that)

I haven't yet figured out where the gateway's main flash is yet, although there's a Sandisk chip nearby. The gateway uses that large SD card as a sort of scratchpad, and in that is stored the config of your car... important.

 

[randvegeta]

Well you could do a trial-and-error process and just install different versions to the eMMC until it boots.

That's not really an option. There are dozens of versions, and unsoldering and resoldering the eMMC to the board every single time it fails is hardly an option.

I know the car the board was pulled from was from a salvage car that crashed in August 2019, so I suppose it narrows down the options somewhat, but still. Brute forcing this is not something I want to do. Id rather be able to find out what's in the spansion chip. Just need to figure out how to do that.

Nah, the version in the Spansion chip version is mated to the main version, and if they differ, code-signing fail and black screen since the CID won't boot.

Sorry this statement confuses me. So are you saying that I cannot pull data off the spansion chip to determine the correct version of firmware that was running? If the correct image is required so that the signatures match, surely if I can read the signiture I could somehow determine the signatures would match? Not sure what's on that Spansion chip, so not really sure what I'm looking for.

 

[randvegeta]

I don't understand why ppl are not using my articles. Your data is still on the old board, and you can recover it.

Where on the board? Please don't say the eMMC because that's already been removed. And I've taken it to a few mobile phone repair shops, and none have been able to read it or pull any data off it (yet).

Since I don't want to spent thousands on data recover for a car that is salvaged and unsupported by Tesla any way, I'd rather just figure out another way which version is the correct version to load into a new eMMC, and just abandon all the keys. I can live without those.

You can connect an IC. But it is imperative that the version in the CID matches the version in the Spansion chip, or it won't boot.

Does it not boot AT ALL? Meaning it wont ping (192.168.90.100), and CID updater won't load, etc.

I haven't yet figured out where the gateway's main flash is yet, although there's a Sandisk chip nearby. The gateway uses that large SD card as a sort of scratchpad, and in that is stored the config of your car... important.

Is there supposed to be an internal.dat file in the SD card somewhere? Or is there an integrated flash memory that stores that file? If there is integrated storage in the gateway, I wonder why they even bothered with an SD card....

 

[rooter]

Sorry this statement confuses me. So are you saying that I cannot pull data off the spansion chip to determine the correct version of firmware that was running? If the correct image is required so that the signatures match, surely if I can read the signiture I could somehow determine the signatures would match? Not sure what's on that Spansion chip, so not really sure what I'm looking for.

You can pull data off the Spansion chip, but why not recover the data from your eMMC. Please go to the trouble of reading my fscking articles.

Where on the board? Please don't say the eMMC because that's already been removed. And I've taken it to a few mobile phone repair shops, and none have been able to read it or pull any data off it (yet).

Read my articles.

Since I don't want to spent thousands on data recover for a car that is salvaged and unsupported by Tesla any way, I'd rather just figure out another way which version is the correct version to load into a new eMMC, and just abandon all the keys. I can live without those.

Read my articles.

Or don't.

Does it not boot AT ALL? Meaning it wont ping (192.168.90.100), and CID updater won't load, etc.

Correct. I explain all this and hate repeating myself.

 

[randvegeta]

Read my articles.

I have read your articles multiple times, trying to find some inspiration. Admittedly I didn't read every single article because not all seem applicable to what I'm trying to achieve.

I assume you are referring to this article.

If so, I have already tried to use DDRescue, in addition to other methods commonly used for recovering data from mobile phones. I've tried using an SD adapter (which works on eMMCs that are readable) as well as a Medusa Pro Box.

What makes you so confident that the EMMCs are readable?

Edit: To be clear, I cannot even see the partitions.

 

[rooter]

The Hynix chip is not marked for pin 1 and it's very important to get orientation right. If you look at the underside of the chip, there's an extra pad inside which indicates the corner of pin 1.

Also that chip must be properly re-balled (with a stainless mask and solder balls) or you won't be able to read it.

If all this is done the cold spray method is the first and most likely to succeed. Unless the pads of the chip are damaged.

 

[eligs]

Still - In some cases the controller inside the eMMC is bust - then even cooling down the chip down to -40°C in a climate chamber won't help (ask me how I know ). But recovery of the files directly from the NAND array could still be possible.

 

[rooter]

When you cool it to those temps it will cause other breakage in the internal circuits due to differing coefficients of expansion. Anything below freezing is risky.

And yes I've noticed that sometimes several partitions won't read consistently, which indicts the support circuitry, as opposed to wear of the flash. (yaay Hynix!)

You'll find the firmware version in the Spansion but not the custom files for that car. But the IC will have them. (if the car is older than 2017)

 

[randvegeta]

The Hynix chip is not marked for pin 1 and it's very important to get orientation right. If you look at the underside of the chip, there's an extra pad inside which indicates the corner of pin 1.

I have the orientation correct. I have working eMMCs from which I can reference

Also that chip must be properly re-balled (with a stainless mask and solder balls) or you won't be able to read it.

Contacts with the pads seem fine. I have not re balled, but it was not required on any of the working chips. Are you suggesting that without reballing, the contacts may not actually be good?

If all this is done the cold spray method is the first and most likely to succeed. Unless the pads of the chip are damaged.

I'm not familiar with the cold spray method. Either way, I'm not even able to see the partitions. Would a cold spray make them visible?

You'll find the firmware version in the Spansion but not the custom files for that car. But the IC will have them. (if the car is older than 2017)

I have a small library of different firmware versions. Hopefully I have the right one for tegra board I need to repair. So I'm very much hoping to just get the version from the Spansion chip and then try and write a to a new Swissbit EM-20 16GB eMMC chip I have available. I'm perfectly happy to not get the keys back. I'll have another app to replace the functionality of the official one.

 

[rooter]

Contacts with the pads seem fine. I have not re balled, but it was not required on any of the working chips. Are you suggesting that without reballing, the contacts may not actually be good?

I'm not suggesting... I am telling you, if you take what I write, erh, literally.

OTOH if you take what I write just figuratively, well now.... that's a whole 'nother sack o' potatoes from the state of China.

I'm not familiar with the cold spray method. Either way, I'm not even able to see the partitions. Would a cold spray make them visible?

Oh I see now. You obviously haven't read my articles.

I have a small library of different firmware versions. Hopefully I have the right one for tegra board I need to repair. So I'm very much hoping to just get the version from the Spansion chip and then try and write a to a new Swissbit EM-20 16GB eMMC chip I have available. I'm perfectly happy to not get the keys back. I'll have another app to replace the functionality of the official one.

Don't give up your keys.

I assume the app you mean is nikola?

 

[randvegeta]

I'm not suggesting... I am telling you, if you take what I write, erh, literally.

Hmm... I'll give it a go but if it doesn't work I'm going to be back here to you know about it!

Oh I see now. You obviously haven't read my articles.

I have read it. Perhaps you underestimate my ignorance in this area! Do not underestimate the ignorance of people. Most people don't know jack *sugar*.

Don't give up your keys.

I assume the app you mean is nikola?

I don't need the keys. The keys are for another car. So even with the keys, I'm not sure how useful they would be. Cant use the Tesla app to control the car no matter what. The car will never get back on the road and I would need to have a registration / vehicle license to get Tesla to link it to my account.

And no, the APP is something I'm doing myself. It's basically just a web page that sends signals to the car via HTTP to do *sugar*.

 

[rooter]

Hmm... I'll give it a go but if it doesn't work I'm going to be back here to you know about it!

Ok friend, then I'll whirl up my extraterrestrial being(s) into a swirling vortex, and cast my lava-like essence and precious bodily fluids out to your chip and micro-mend it. There is a fee though of two and a quarter million.
(Paypal not accepted, since I'm banned for giving them a bad survey)

I have read it. Perhaps you underestimate my ignorance in this area! Do not underestimate the ignorance of people. Most people don't know jack *sugar*.

Well, Ah'm just sayin' somehow you missed my methods of recovery, the first of which explains in detail the cold spray recovery method.

 

[widodh]

Can we please stop this discussion? It's not really benefiting the topic at all.

This topic is about the data recovery from eMMC chips

 

[randvegeta]

Can we please stop this discussion? It's not really benefiting the topic at all.

This topic is about the data recovery from eMMC chips

Reading the spansion doesn't count as a related topic?

 

[tga]

Read my articles.

Are these all on unofficial-tesla-tech.com? I thought at one point you were using diyelectriccar.com. Just want to confirm, TIA.

 

[rooter]

Wido just doesn't like me contributing for some reason. Ok I'll dismiss myself from your thread and put you on Ignore. Sorry man.

And yes I've moved to my own UTT wiki since DIY's and TMC's Cloudflare prohibits the gibberish I have to sometimes post, stupidly thinking it's a SQL injection attack.

 

[eligs]

Anything below freezing is risky.

Then you better not park your car outside during wintertime
Seriously, things (complex electronics) don't break that easy when its getting cold, most parts only start to misbehave (for example flash memory takes a lot more time to erase). I know because I use the climate chamber I talked about regularly to check the hardware I build for spec-compliance (which most time is "works as specified until -20°C" and "works reliable at -40°, even when slightly out of spec").
What could be problematic is, when there is a large temperature gradient applied to a PCB or even a part (which is the case when excessively using 'cold spray' ... which usually provides between -25°C and -55°C), then there is a possibility for micro-fractures in solder-joints or traces.