GSM Shop

Welcome to the GSM-Forum forums.

You are currently viewing our boards as a guest which gives you limited access to view most discussions and access our other features.
Only registered members may post questions, contact other members or search our database of over 8 million posts.

Registration is fast, simple and absolutely free so please - Click to REGISTER!

If you have any problems with the registration process or your account login, please contact contact us .

Go Back   GSM-Forum > Product Support Sections > Hard/Software Products (official support) > Easy-Jtag

Closed Thread
LinkBack Thread Tools Display Modes
Old 04-13-2019, 13:32   #1 (permalink)
Product Supporter
Join Date: Jun 2002
Location: Belarus
Age: 42
Posts: 970
Member: 13148
Status: Offline
Thanks Meter: 881
RPMB section: what it is and what to do with it.

The eMMC and UFS memory chips have an access protected section called the RPMB (Replay Protect Memory Block).
In a UFS chip, the section that performs the RPMB functions is ID: W-LUN 0xC4

This section is intended for storage of information to which direct access is closed.

The paper presents the use case of Replay Protected Memory Block (RPMB) partition in eMMC to store the phone's critical modem data, network operator billing information and/or application data in a secured manner which is protected from the attackers/hackers. In current software architecture, User Area partition stores the modem critical data which is known as modem EFS partition, but EFS partition doesn't guarantee memory protection against REPLAY attacks. So in this paper we are proposing the RPMB block to store the secure data which will give additional protection against the REPLAY attacks. We have developed the RPMB driver interface in Android OS, Jelly Bean (JB) software. The functionality of RPMB has been verified successfully and results indicate the proposed mechanism guarantees a secured data storage.
The picture from the Samsung presentation shows how it works.

How it works in more detail:

If the key (Key) is absent, then the device (processor) programs the key into the microchip.
The key is generated from the processor SN and the eMMC CID, and thus the key is different for different processors and different eMMCs. Further work occurs in the mode as with the programmed key. The programmed key cannot be changed.

If the key (Key) already exists, then, as a rule, the counter has a value greater than 0.
With a microcircuit that already has a key (16 bytes), the device (processor) can work only through data encoded with a key (Key) and a counter.

Read mode: the device (processor) receives the counter value from the eMMC, requests reading data (in blocks of 256 bytes), receives the data encoded by the counter and key, decrypts it using the stored key and counter value, checks the validity of the data.

Recording mode: the device (processor) receives the counter value from the eMMC, encodes the data using a key and a counter (in blocks of 256 bytes) and sends it to the microchip. The chip decrypts them using the stored key and the value of the counter, checks the validity of the data. If the data is valid, the block is written, and the value of the record counter (Counter) is incremented by 1.

Thus, the value of the write counter (Counter) shows how many blocks of 256 bytes (or how many times) were written into the RPMB area.

In order to write to the RPMB section, you need to know the key that is stored in the microchip (eMMC).

In order to read, you can try to apply a certain method of obtaining data. Although it is impossible to guarantee their validity, but experiments conducted by the Z3x Easy JTAG team show that the data read in this way is valid in more than 90% of cases.

In the latest versions of the Z3x EasyJTAG Classic program ( and above), the output has been added to the log of the status bar of the RPMB area (did it ever write to the data or not).

An example of a line in the program log:
EMMC RPMB is not yet programmed (clear) or NO Error
EMMC RPMB is programmed and written 12 times

At the same time, the ability to read RPMB experimentally is available through the choice of the RPMB partition (in the ROM select box).


1) when the Firmware is written to the eMMC, the internal NAND memory of the eMMC is re-initialized, erasing the key, the counter and the RPMB data
2) it is not possible to remove the key from the RPMB or change the counter other than increasing the counter value by writing data encoded with a valid key.
The Following 7 Users Say Thank You to layder For This Useful Post:
Show/Hide list of the thanked
Old 04-13-2019, 13:36   #2 (permalink)
Product Supporter
Join Date: Jun 2002
Location: Belarus
Age: 42
Posts: 970
Member: 13148
Status: Offline
Thanks Meter: 881
For the end user, it is enough to know the status of the RPMB partiton in order to select the used eMMC chips that can be put into devices with Exynos CPU line Samsung N8000 (of that require a clean RPMB).

Writing to RPMB is impossible without a key that is generated by the CPU of the device and is written to the eMMC once.
The Following 9 Users Say Thank You to layder For This Useful Post:
Show/Hide list of the thanked
Closed Thread


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On


All times are GMT +1. The time now is 03:49.

Powered by Searchlight © 2019 Axivo Inc.
vBulletin Optimisation provided by vB Optimise (Pro) - vBulletin Mods & Addons Copyright © 2019 DragonByte Technologies Ltd.
- GSM Hosting Ltd. - 1999-2017 -
Page generated in 0.15359 seconds with 7 queries