The following notes were checked against a ZTE Blade A610 smartphone, running Android 6.0.
NAND flash can only be read in pages; some bits in a page may be wrong and need to be corrected by an error correction mechanism. With NAND flash, the OS and device drivers are responsible for handling these issues.
eMMC flash combines NAND memory with a built-in controller that handles most of the things you have to take care of when dealing with NAND flash.
A scatter file is a .txt file that describes the parts of the flash memory in an Android device running on a MediaTek (MTK) chipset. Usually, such files are needed when flashing firmware with tools like the SP Flash Tool.
Here is an excerpt of a scatter file, showing where to flash or read back the recovery partition:
    - partition_index: SYS9
      partition_name: recovery
      file_name: recovery.img
      is_download: true
      type: NORMAL_ROM
      linear_start_addr: 0x2D80000
      physical_start_addr: 0x2D80000
      partition_size: 0x1000000
      region: EMMC_USER
      storage: HW_STORAGE_EMMC
      boundary_check: true
      is_reserved: false
      operation_type: UPDATE
      reserve: 0x00
The most important fields are linear_start_addr and physical_start_addr (which are always the same, or not?), which state the starting point of the partition in flash memory, and partition_size, which is obviously its length.
When performing a download (that is, a flashing) operation, the SP Flash Tool writes the file to the phone starting at the specified address, checking that the file does not exceed the partition size. During a readback operation it reads the entire size specified in the scatter file.
Embedded Multi-Media Controller (eMMC) refers to a package consisting of both flash memory and a flash memory controller integrated into a single on-board chip. The device supports several hardware partitions; it is on-board and thus non-removable.
In a scatter file you can see references to regions labeled EMMC_BOOT_1 and EMMC_USER, because partition images can live in these different hardware partitions, or regions. NOTICE: the USER partition or region is normally divided in turn into other partitions, so when referring to an eMMC hardware partition it is advisable to use the term region, to avoid confusion.
The following commands were executed on a ZTE Blade A610, running Android 6.0, via the adb shell command line. The phone was rooted so that the su command was available.
    cat /proc/partitions
    major minor  #blocks  name
       7     0      12910 loop0
     254     0     986264 zram0
     179     0   15388672 mmcblk0
     179     1       3072 mmcblk0p1
     179     2       5120 mmcblk0p2
     179     3      10240 mmcblk0p3
     179     4      10240 mmcblk0p4
     179     5        512 mmcblk0p5
     179     6        512 mmcblk0p6
     179     7      16384 mmcblk0p7
     179     8      16384 mmcblk0p8
     179     9       8192 mmcblk0p9
     179    10      10240 mmcblk0p10
     179    11        512 mmcblk0p11
     179    12       2048 mmcblk0p12
     179    13       6144 mmcblk0p13
     179    14       8192 mmcblk0p14
     179    15       5120 mmcblk0p15
     179    16       5120 mmcblk0p16
     179    17       1024 mmcblk0p17
     179    18      32768 mmcblk0p18
     179    19      37888 mmcblk0p19
     179    20    3022848 mmcblk0p20
     179    21     409600 mmcblk0p21
     179    22   11759104 mmcblk0p22
     179    23      16384 mmcblk0p23
     179    96       4096 mmcblk0rpmb
     179    64       4096 mmcblk0boot1
     179    32       4096 mmcblk0boot0
     253     0   11759104 dm-0
The mmcblk0 partition is actually the eMMC USER region, sized 15388672 blocks (15028 Mb). It is in turn divided into 23 partitions. The boot0, boot1 and rpmb partitions have a size of 4096 blocks each, i.e. 4194304 (0x400000) bytes.
The /system/bin/sgdisk command is accessible only with root privileges.
    sgdisk --print /dev/block/mmcblk0
    Disk /dev/block/mmcblk0: 30777344 sectors, 14.7 GiB
    Logical sector size: 512 bytes
    Disk identifier (GUID): 00000000-0000-0000-0000-000000000000
    Partition table holds up to 23 entries
    First usable sector is 1024, last usable sector is 30776319
    Partitions will be aligned on 1024-sector boundaries
    Total free space is 0 sectors (0 bytes)

    Number  Start (sector)    End (sector)  Size         Code  Name
         1            1024            7167  3.0 MiB      0700  proinfo
         2            7168           17407  5.0 MiB      0700  nvram
         3           17408           37887  10.0 MiB     0700  protect1
         4           37888           58367  10.0 MiB     0700  protect2
         5           58368           59391  512.0 KiB    0700  lk
         6           59392           60415  512.0 KiB    0700  para
         7           60416           93183  16.0 MiB     0700  boot
         8           93184          125951  16.0 MiB     0700  recovery
         9          125952          142335  8.0 MiB      0700  logo
        10          142336          162815  10.0 MiB     0700  expdb
        11          162816          163839  512.0 KiB    0700  seccfg
        12          163840          167935  2.0 MiB      0700  oemkeystore
        13          167936          180223  6.0 MiB      0700  secro
        14          180224          196607  8.0 MiB      0700  keystore
        15          196608          206847  5.0 MiB      0700  tee1
        16          206848          217087  5.0 MiB      0700  tee2
        17          217088          219135  1024.0 KiB   0700  frp
        18          219136          284671  32.0 MiB     0700  nvdata
        19          284672          360447  37.0 MiB     0700  metadata
        20          360448         6406143  2.9 GiB      0700  system
        21         6406144         7225343  400.0 MiB    0700  cache
        22         7225344        30743551  11.2 GiB     0700  userdata
        23        30743552        30776319  16.0 MiB     0700  flashinfo
Doing the math, you can see that the 23 partitions existing in mmcblk0 leave some space. One gap is at the beginning, sized 1024 sectors or 524288 (0x80000) bytes. The other unpartitioned space is at the end; its size can be calculated from the difference with the size shown by cat /proc/partitions, and it is again 524288 (0x80000) bytes. These two spaces are referred to in the scatter file as pgpt and sgpt respectively (primary and secondary GPT partition tables?).
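The arithmetic above can be automated before a flash or readback. The following Python sketch is an added example, not part of the original notes or of SP Flash Tool: it cross-checks scatter entries against the on-device GPT and computes the two unpartitioned gaps. The function names are hypothetical, the inputs are abridged copies of the listings above, and it assumes scatter partition names match GPT names, as they do for recovery.

```python
import re

SECTOR = 512              # "Logical sector size: 512 bytes"
TOTAL_SECTORS = 30777344  # "Disk /dev/block/mmcblk0: 30777344 sectors"
# Inputs copied (abridged) from the page: one scatter entry, three GPT rows.
SCATTER = """\
- partition_index: SYS9
  partition_name: recovery
  linear_start_addr: 0x2D80000
  partition_size: 0x1000000
  region: EMMC_USER
"""
SGDISK = """\
 1     1024     7167  3.0 MiB 0700 proinfo
 8    93184   125951 16.0 MiB 0700 recovery
23 30743552 30776319 16.0 MiB 0700 flashinfo
"""

def parse_scatter(text):
    """Return {partition_name: fields}; 0x... values become int."""
    parts, cur = {}, {}
    for key, val in re.findall(r"^[ \t-]*(\w+):[ \t]*(\S+)", text, re.M):
        if key == "partition_index":
            cur = {}  # a new entry starts here
        cur[key] = int(val, 16) if val.startswith("0x") else val
        if key == "partition_name":
            parts[val] = cur
    return parts

def parse_sgdisk(text):
    """Return {name: (start_byte, size_bytes)} from sgdisk --print rows."""
    table = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[0].isdigit():
            start, end = int(f[1]), int(f[2])
            table[f[6]] = (start * SECTOR, (end - start + 1) * SECTOR)
    return table

def mismatches(scatter, gpt):
    """EMMC_USER entries whose start/size disagree with the on-device GPT."""
    return [n for n, e in scatter.items() if e.get("region") == "EMMC_USER"
            and gpt.get(n) != (e.get("linear_start_addr"), e.get("partition_size"))]

def gpt_gaps(gpt, total_sectors):
    """Bytes before the first and after the last partition (pgpt, sgpt)."""
    first = min(start for start, _ in gpt.values())
    last_end = max(start + size for start, size in gpt.values())
    return first, total_sectors * SECTOR - last_end
```

On a full scatter file, EMMC_USER entries that have no GPT partition of the same name (pgpt and sgpt, for instance) are reported by mismatches() as well; compare those against gpt_gaps() instead.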
The partition /dev/block/mmcblk0boot0 is the one referred to as region EMMC_BOOT_1 in the scatter file, and it is dedicated to the preloader.
The actual Linux device content starts with the characters EMMC_BOOT. It seems that this is a header of 2048 (0x800) bytes and that the actual preloader follows that header. Some stock ROMs include the preloader image without that header, but if you read back the preloader partition using SP Flash Tool, you get an image with that header included.
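When verifying a dumped preloader against the image shipped in a stock ROM, the header difference described above has to be normalized first. This Python sketch is an added example, not from the original notes: it assumes the header is exactly 0x800 bytes whenever the image starts with EMMC_BOOT (the notes only say this seems to be the case), the function names are hypothetical, and the sample bytes are constructed, not real firmware.

```python
import hashlib

MAGIC = b"EMMC_BOOT"  # first bytes of /dev/block/mmcblk0boot0 per the notes
HEADER_LEN = 0x800    # assumed fixed header size (2048 bytes, as observed)

# Constructed sample data: a fake stock preloader, and a readback made of
# header + preloader + padding up to the end of the region.
STOCK = b"PRELOADER-CODE" * 8
READBACK = MAGIC + bytes(HEADER_LEN - len(MAGIC)) + STOCK + bytes(256)


def preloader_payload(image: bytes) -> bytes:
    """Return the image without the EMMC_BOOT header, if one is present."""
    if not image.startswith(MAGIC):
        return image  # bare preloader, as shipped in some stock ROMs
    if len(image) <= HEADER_LEN:
        raise ValueError("image ends inside the EMMC_BOOT header")
    return image[HEADER_LEN:]


def payload_digest(image: bytes, length: int) -> str:
    """SHA-256 of the first `length` payload bytes, for logging/comparison."""
    return hashlib.sha256(preloader_payload(image)[:length]).hexdigest()


def matches_stock(readback: bytes, stock: bytes) -> bool:
    """True if the readback contains the stock preloader after the header.

    A readback covers the whole region, so only the first len(stock payload)
    bytes are compared and whatever follows is ignored.
    """
    stock_payload = preloader_payload(stock)
    dumped = preloader_payload(readback)
    return bool(stock_payload) and dumped[:len(stock_payload)] == stock_payload
```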