Introduction
Welcome to this blog! Today, we’ll explore how to read data from an eMMC chip. Based on my experience with hardware security, I’ve observed that many IoT devices utilize eMMC chips for firmware storage. Therefore, comprehending how to extract data from these chips is crucial. In this post, I’ll discuss a technique you can employ to read data from an eMMC chip and proceed with further analysis. For demonstration purposes, the eMMC chip featured in this blog post is sourced from an EV scooter. 😀
Understanding the eMMC
We all used SD cards back in our school days to store cool songs. But have you ever wondered how these SD cards work? Well, let’s delve into this topic.
An SD card typically contains two main components: NAND flash memory for non-volatile storage and a flash controller. NAND flash is the type of memory most often used in embedded or IoT devices to store firmware; the other common type is NOR flash. Inside the SD card, the NAND memory holds the data, while the flash controller provides the interface for reading, writing, and erasing it.
Flash controller operation: The controller is responsible for managing communication between the NAND flash and the host device (the device communicating with the SD cards), handling data transfer protocols, wear leveling, error correction, and bad block management. The wear leveling algorithm ensures that data is evenly distributed across the memory cells, preventing premature wear of specific sectors.
Data Read operation: When the host device requests data from the SD card, the controller identifies the address of the requested data and retrieves it from the corresponding memory cells. Subsequently, the data is sent back to the host device for processing.
Data write operation: When the host device needs to store data in the eMMC, the controller manages the process. It identifies an appropriate location for the data in the memory cells, erases the existing content from that location, and writes the new data using a technique called ‘program and erase’ (P/E cycle).
Error correction: NAND flash memory is susceptible to errors, especially as it ages. The flash controller employs error correction algorithms to detect and correct errors, ensuring data integrity and reliability.
Named for its function, eMMC (Embedded Multimedia Card) chips integrate both NAND flash memory and a flash controller into a single die, which is then packaged in a format suitable for use in embedded devices, typically as a BGA (ball grid array) package. These chips utilize the same interface as SD cards, allowing hosts to communicate with them using the same protocol as that used for SD cards.
eMMC Protocol Interface (communication signals)
The eMMC interface provides eight data lines, and how many of them are wired up depends on the design; for the fastest transfers, all eight can be used. The eMMC protocol therefore operates in 1-bit, 4-bit, or 8-bit mode, depending on the number of data lines used for communication.
| Mode | Data lines used (DAT0-DAT7) |
| --- | --- |
| 1-bit | DAT0 |
| 4-bit | DAT0-DAT3 |
| 8-bit | DAT0-DAT7 |
| Pin | Description |
| --- | --- |
| CLK | Clock line used to synchronize CMD and all DAT lines |
| CMD | Bidirectional line used for sending commands to and receiving responses from the chip. During initialization it is used to negotiate the number of data lines to enable, the desired clock speed, and any other operating conditions |
| DAT0 | Bidirectional data line, used in 1-bit, 4-bit and 8-bit modes |
| DAT1 | Bidirectional data line, used in 4-bit and 8-bit modes |
| DAT2 | Bidirectional data line, used in 4-bit and 8-bit modes |
| DAT3 | Bidirectional data line, used in 4-bit and 8-bit modes |
| DAT4 | Bidirectional data line, used in 8-bit mode only |
| DAT5 | Bidirectional data line, used in 8-bit mode only |
| DAT6 | Bidirectional data line, used in 8-bit mode only |
| DAT7 | Bidirectional data line, used in 8-bit mode only |
| VCC | Supply voltage for the flash storage, usually +3.3V |
| VCCQ | Supply voltage for the flash controller, usually +1.8V or +3.3V |
| VSS/VSSQ | Ground for the flash storage and the flash controller |
Break the scooter!
Since our intention here is to extract the scooter’s dashboard firmware, let’s carefully remove the dashboard from the scooter.
Now, disassemble the dashboard to get a detailed view of the PCB so that the chipsets used can be easily identified, and connections on the PCB can be made easily. During the initial reconnaissance, my attention was drawn to an external eMMC chip used for storing the dashboard’s firmware.
Please note that the image above is AI-generated and is included for illustration only. The eMMC chip used for the demonstration in this blog is a Samsung part in a 221-ball FBGA package.
Finding our cup of tea
We have identified the external chip used for firmware storage: an eMMC. Since eMMC uses the same protocol as SD cards, various adapters are available that let an ordinary SD card reader read the eMMC chip. Depending on the eMMC package, a compatible adapter can be chosen. In this case, the package is FBGA 221, and fortunately, I found a compatible adapter from All Socket for it.
Bring out your soldering skills
Let’s now focus on the eMMC chip. To connect this eMMC to the adapter, we need to remove the chip from the PCB. The easiest way to do this is by using either a hot air or infrared rework station. Here’s a simple tutorial on how to do this with hot air.
Race Your Scooter to Get the Dump (Don’t take it literally)
Huh! Now that I have everything I need to get the dump, let’s connect the eMMC to the adapter. Simply place the chip inside the socket, aligning the dot on the chip with the arrow on the socket, and close it.
Next, plug the adapter into the laptop’s SD card reader, and it should detect and read the eMMC chip.
Check whether the laptop detects the eMMC using the dmesg command.
Output:
From the output, it can be observed that the eMMC is attached as sdb.
Let's run the lsblk command to check the mounted partitions.
Since we have identified the eMMC's device node and its mounted partitions, let's read the complete contents using the dd command.
The dd command writes the eMMC content to a dump file. Extract the contents of this dump file using the 7z command.
Now you can mount the file system, if it is a regular one, and start analyzing the dump.
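Mounting a partition straight from the dump file needs that partition's byte offset inside the image. The following Python helper is an added example, not code from the original post: it parses the MBR partition table in the first sector of a dump and produces read-only loop-mount commands; the sample MBR it builds is constructed, with an assumed two-partition layout and an assumed image name.

```python
import struct

SECTOR = 512
# Partition type codes commonly seen in firmware dumps (subset, used for labelling only).
PART_TYPES = {0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x83: "Linux",
              0x05: "extended", 0x0F: "extended (LBA)", 0xEE: "GPT protective"}


def parse_mbr(sector0: bytes) -> list:
    """Parse the four primary entries of a classic MBR (first 512 bytes of the dump).

    Returns one dict per used slot with the byte offset and size needed for
    `mount -o loop,offset=<bytes>` or `dd skip=`. Raises ValueError when the
    0x55AA boot signature is missing, which usually means a blank or wrong dump.
    """
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature; not a partitioned dump?")
    parts = []
    for slot in range(4):
        entry = sector0[446 + 16 * slot: 446 + 16 * (slot + 1)]
        # layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0x00 or sectors == 0:
            continue  # unused slot
        parts.append({"slot": slot + 1, "bootable": status == 0x80,
                      "type": PART_TYPES.get(ptype, f"0x{ptype:02X}"),
                      "offset": lba_start * SECTOR, "size": sectors * SECTOR})
    return parts


def mount_commands(parts, image="emmc_dump.img"):
    """Read-only loop-mount command per partition (image and mount paths are assumed)."""
    return [f"mount -o ro,loop,offset={p['offset']} {image} /mnt/part{p['slot']}"
            for p in parts]


def build_sample_mbr() -> bytes:
    """Constructed sample MBR: a bootable FAT32 boot partition followed by a Linux rootfs."""
    mbr = bytearray(SECTOR)
    def entry(slot, status, ptype, lba_start, sectors):
        struct.pack_into("<B3xB3xII", mbr, 446 + 16 * slot, status, ptype, lba_start, sectors)
    entry(0, 0x80, 0x0C, 2048, 131072)     # starts at 1 MiB, 64 MiB long
    entry(1, 0x00, 0x83, 133120, 1048576)  # immediately after it, 512 MiB long
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    # On a real dump: parse_mbr(open("emmc_dump.img", "rb").read(512))
    for cmd in mount_commands(parse_mbr(build_sample_mbr())):
        print(cmd)
```

A 0xEE ("GPT protective") entry means the real table is GPT and starts at sector 1, so the offsets must be taken from the GPT entries instead.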
Conclusion
The technique discussed in this blog can be used to dump the eMMC content and begin analyzing the firmware for vulnerabilities. In this example, the target device was an EV scooter dashboard utilizing an external eMMC chip for firmware storage, making this method effective for reading the eMMC content.