nokia lumia, why we need 3 wires to eMMC ? - Page 2 - GSM-Forum

Bph&co · 09-16-2012, 15:15

Hi,

No problem, i was also too lazy to code routines and dump from the Lumia.

BR

the_laser · 09-16-2012, 22:55

sent PM with links to bootrom with crippled security

karwos · 09-17-2012, 12:13

Tekronix mode ON

MOURAD™ · 09-17-2012, 12:49

Quote:

Originally Posted by karwos

Tekronix mode ON

must be 371B High Power Curve Tracer, or better

bluezak · 09-18-2012, 03:06

I hope this might be usefull old post but contains interesting posts.

evasoft · 09-18-2012, 05:23

nice to see big boys making toys and thanks for let us read the research y development backstage

my 3 whishes for the genie:
1-standalone
2-ultra hard hard test point.
3-$$$$$$$$$

Bph&co · 09-18-2012, 08:10

Good morning,

Just recall some design problems with the old Dejan's TP unlock. It had similar
problem with two masters on the same bus(back then was CFI flash and box).

So here the problem with enforcing logic high is resolved with a bit higher
level on the bus. The more difficult problem is enforcing low on the bus. The
internal transistor on the GPIO pin on a typical microcontroller can not do that
as the output impedance is quite high in open state. ATF box has the advantage
of configurable FPGA that allows bridging few high drive gates in parallel to an
output pin and create low impedance load. It is possible this way to assert low,
when say the Qcom cpu tries to force the bus to high.

So it might be not possible to implement this on standard microcontroller at all.

BR

karwos · 09-18-2012, 11:33

Quote:

Originally Posted by Bph&co

Good morning,

Just recall some design problems with the old Dejan's TP unlock. It had similar
problem with two masters on the same bus(back then was CFI flash and box).

So here the problem with enforcing logic high is resolved with a bit higher
level on the bus. The more difficult problem is enforcing low on the bus. The
internal transistor on the GPIO pin on a typical microcontroller can not do that
as the output impedance is quite high in open state. ATF box has the advantage
of configurable FPGA that allows bridging few high drive gates in parallel to an
output pin and create low impedance load. It is possible this way to assert low,
when say the Qcom cpu tries to force the bus to high.

So it might be not possible to implement this on standard microcontroller at all.

BR

By attaching in bus between CPU and eMMC - may be yes, work still in progres.
But not a problem to solder another testpoint (eMMC VCC, R1519 resistor @ NK 800) and DON'T POWER TARGET BOARD (CPU+PM8058+...), just power eMMC via box... then "two masters" problem disappears and eMMC can be read/written easily, as MCU becomes only one master on SPI bus.

karwos · 09-18-2012, 11:50

About dejan hack:
It was bit diffrent.
FPGA was attached as a slave (it didn't generated own clock - only captured data at AD0,AD1,ADx, on rising/falling flash clock edges generated by CPU) and when pattern was matched, put ADx high/low.
So x ns job. Here need to FULL capture 2 lines for SO long time.

And remember: in dejan hack target CPU needs to be WORKING (because it patched return jump from PA call on-the-fly), so it needed to execute rest part of code (re-create pm-308,etc..)..

Here we don't need have system running - that's why we can deal with eMMC directly.

Bph&co · 09-18-2012, 13:48

Hi,

Yes all true, but still was the same challenge on phones that needed bit cleared in the
jump instruction. Phones with bit set, could have been done easy with MCU GPIO - np.

BR

hrcell · 09-18-2012, 15:51

some birds in nokia told me :
can be reset all the "data " for emmc
specially "dead" emmc after reset by third party software
with special" trick "

hope can be done too from all programer in here

oblio · 09-20-2012, 00:25

Quote:

Originally Posted by karwos

...as MCU becomes only one master on SPI bus.

SPI mode support was available on maximum v4.2 MMC system spec.Not the case of Lumia 800 using H26M52002CKR -> JEDEC eMMC 4.41 specs.

karwos · 09-20-2012, 00:41

Quote:

Originally Posted by oblio

SPI mode support was available on maximum v4.2 MMC system spec.Not the case of Lumia 800 using H26M52002CKR -> JEDEC eMMC 4.41 specs.

By generic eMMC specs, you are right . but if you are attaching such details here, let's put all details:

Full backward compatibility with legacy Multi Media Card system.
Ą¤ Data bus width: 1bit /4bit /8bit

What is 1bit "legacy" MMC data bus compatiblity? Isn't SPI native 1 bit bus

Source: Hynix Newsletter

oblio · 09-20-2012, 08:03

Quote:

Originally Posted by karwos

What is 1bit "legacy" MMC data bus compatiblity? Isn't SPI native 1 bit bus

SPI is using a four-wire serial bus.
A lot of phones are using I²C protocol (SCL&SDA).As I see in the schematics, Lumia is using 8bit data bus width between eMMC and MSM8255.

But enough with my off-topic.

karwos · 09-20-2012, 15:18

Quote:

Originally Posted by oblio

SPI is using a four-wire serial bus.
A lot of phones are using I²C protocol (SCL&SDA).As I see in the schematics, Lumia is using 8bit data bus width between eMMC and MSM8255.

But enough with my off-topic.

i2c is completly different story. especially about electric characteristics AND speed. MOST transmissions in embedded world occurs in synchronic way.

You are right, wikipedia say SPI uses 4 wires. THIS is true, because basic spi uses 4 wires:

Clock - generated by master device
Mosi - can say is "TX" from master side
Miso - can say is "RX" from master side
CS - chip select

How do you think, how many bits is send during one clock cycle? ( i skip DDR situation, when data are captured on both falling and rising edges of clock ).
I tell you: SPI transmission is pure full duplex. So, during one clock cycle, a 1 bit of data will be exchanged between master and slave - and vice versa. That's why this bus is called "1 bit" bus.

CS is not data signal, is only asserted on multi-slave SPI configurations, so Slave device know data is addressed to it's device.

So, basic SPI version is 1-bit only.

Also read MMC specs. MMC controller might be initialized to use 1-bit SPI mode, but you may also use it in 4-bit or 8-bit mode... all just for compatibility.
That's why during normal phone operation, eMMC is clocked 50MHz, and during one clock cycle all 8 bit are used.
BUT you can always re-INIT eMMC and force it to use 1 bit mode... as its 100% conforms MMC standard I don't see any problem.

09-16-2012, 15:15	#16 (permalink)
Bph&co No Life Poster Join Date: Feb 2000 Location: UK Posts: 3,186 Member: 1024 Status: Offline Thanks Meter: 5,510	Hi, No problem, i was also too lazy to code routines and dump from the Lumia. BR

09-16-2012, 22:55	#17 (permalink)
the_laser No Life Poster Join Date: Feb 2002 Location: Russia Age: 44 Posts: 2,681 Member: 9519 Status: Offline Thanks Meter: 2,150	sent PM with links to bootrom with crippled security

09-17-2012, 12:13	#18 (permalink)
karwos No Life Poster Join Date: Feb 2005 Location: Poland Age: 34 Posts: 4,943 Member: 117496 Status: Offline Sonork: 100.83919 Thanks Meter: 22,689	Tekronix mode ON

09-18-2012, 03:06	#20 (permalink)
bluezak Freak Poster Join Date: Jul 2006 Location: inside out Posts: 328 Member: 303799 Status: Offline Sonork: inside outside Thanks Meter: 59	I hope this might be usefull old post but contains interesting posts.

09-18-2012, 05:23	#21 (permalink)
evasoft Freak Poster Join Date: May 2007 Posts: 498 Member: 515830 Status: Offline Thanks Meter: 80	nice to see big boys making toys and thanks for let us read the research y development backstage my 3 whishes for the genie: 1-standalone 2-ultra hard hard test point. 3-$$$$$$$$$

09-18-2012, 08:10	#22 (permalink)
Bph&co No Life Poster Join Date: Feb 2000 Location: UK Posts: 3,186 Member: 1024 Status: Offline Thanks Meter: 5,510	Good morning, Just recall some design problems with the old Dejan's TP unlock. It had similar problem with two masters on the same bus(back then was CFI flash and box). So here the problem with enforcing logic high is resolved with a bit higher level on the bus. The more difficult problem is enforcing low on the bus. The internal transistor on the GPIO pin on a typical microcontroller can not do that as the output impedance is quite high in open state. ATF box has the advantage of configurable FPGA that allows bridging few high drive gates in parallel to an output pin and create low impedance load. It is possible this way to assert low, when say the Qcom cpu tries to force the bus to high. So it might be not possible to implement this on standard microcontroller at all. BR

09-18-2012, 11:50	#24 (permalink)
karwos No Life Poster Join Date: Feb 2005 Location: Poland Age: 34 Posts: 4,943 Member: 117496 Status: Offline Sonork: 100.83919 Thanks Meter: 22,689	About dejan hack: It was bit diffrent. FPGA was attached as a slave (it didn't generated own clock - only captured data at AD0,AD1,ADx, on rising/falling flash clock edges generated by CPU) and when pattern was matched, put ADx high/low. So x ns job. Here need to FULL capture 2 lines for SO long time. And remember: in dejan hack target CPU needs to be WORKING (because it patched return jump from PA call on-the-fly), so it needed to execute rest part of code (re-create pm-308,etc..).. Here we don't need have system running - that's why we can deal with eMMC directly.

09-18-2012, 13:48	#25 (permalink)
Bph&co No Life Poster Join Date: Feb 2000 Location: UK Posts: 3,186 Member: 1024 Status: Offline Thanks Meter: 5,510	Hi, Yes all true, but still was the same challenge on phones that needed bit cleared in the jump instruction. Phones with bit set, could have been done easy with MCU GPIO - np. BR

09-18-2012, 15:51	#26 (permalink)
hrcell Freak Poster Join Date: Sep 2005 Location: at virgin galatic Posts: 293 Member: 184884 Status: Offline Thanks Meter: 564	some birds in nokia told me : can be reset all the "data " for emmc specially "dead" emmc after reset by third party software with special" trick " hope can be done too from all programer in here