EMMC Hacks For The Speed And Capacity Upgrade Win

You could say that it is the essence of a site like this one, that the kind of people who form our readership are also the kind of people who examine the specs of the devices in front of them to reveal hidden features. Such was the case with [Ryan], who noticed that the eMMC controller on his 96Boards HiKey development board supports both HS200 data transfer speeds and 1.8 V signaling, both of which it wasn’t using.

In unlocking the extra performance, he takes readers through a primer on the device tree, and is happy to report that his transfer rate has increased from 26 to 36 MB/s, a tidy return on his work.

However, the story doesn’t end there. The 8GB Samsung eMMC chip wasn’t quite as roomy as he’d have liked, so it was time to replace it with a 32GB version. Even with careful desoldering, he managed to lift a few pads, though very fortunately they were ones that were either NC or power rails that were duplicated elsewhere. After some tricky reflowing of what is quite a formidable BGA package to do by hand, he was rewarded with a working board featuring higher flash capacity. We salute him for taking it on; we probably wouldn’t have had the courage.

We’ve brought you a similar upgrade before, this time an eMMC on a Nexus 5 phone.

Thanks [darkspr1te] for the tip.

eMMC to SD Hack Rescues Data from a Waterlogged Phone

How do I get the data off this destroyed phone? It’s a question many of us have had to ponder – either ourselves or for friends or family. The easy answer is either spend a mint for a recovery service or consider it lost forever. [Trochilidae] didn’t accept either of those options, so he broke out the soldering iron and rescued his own data.

A moment’s inattention with a child near a paddling pool left [Trochilidae’s] coworker’s wife with a waterlogged, dead phone. She immediately took apart the phone and attempted to dry it out, but it was too late. The phone was a goner. It also had four months of photos and other priceless data on it. [Trochilidae] was brought in to try to recover the data.

The phone was dead, but chances are the data stored within it was fine. Most devices built in the last few years use eMMC flash devices as their secondary storage. eMMC stands for Embedded Multimedia Card. What it means is that the device not only holds the flash memory array, it also contains a flash controller which handles wear leveling, flash writing, and host interface. The controller can be configured to respond exactly like a standard SD card.

The hard part is getting a tiny 153-ball BGA package to fit into an SD card slot. [Trochilidae] accomplished that by cutting open a microSD to SD adapter. He then carefully soldered the balls from the eMMC to the pins of the adapter. Thin gauge wire, a fine tip iron, and a microscope are essentials here. Once the physical connections were made, [Trochilidae] plugged the card into his Linux machine. The card was recognized, and he managed to pull all the data off with a single dd command.

[Trochilidae] doesn’t say what happened after the data was copied, but we’re guessing he analyzed the dump to determine the filesystem, then mounted it as a drive. The end result was a ton of recovered photos and a very happy coworker.
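The "determine the filesystem" step guessed at above can be done on the copied dump without touching the chip again. The following is an added example, not code from the original post or from [Trochilidae]: it walks a GPT partition table in a raw image and names each partition's filesystem by its superblock magic. It assumes 512-byte sectors and does not verify GPT checksums; the sample image is constructed in memory.

```python
import io
import struct

SECTOR = 512  # assumption: 512-byte logical sectors, the usual case for eMMC

def read_at(f, offset, length):
    f.seek(offset)
    return f.read(length)

def probe_fs(f, start):
    """Name the filesystem whose superblock magic appears at byte offset start."""
    if read_at(f, start + 1080, 2) == b"\x53\xef":          # ext2/3/4 magic 0xEF53
        return "ext2/3/4"
    if read_at(f, start + 1024, 4) == b"\x10\x20\xf5\xf2":  # F2FS magic 0xF2F52010
        return "f2fs"
    if read_at(f, start + 82, 5) == b"FAT32":
        return "fat32"
    return "unknown"

def survey(f):
    """Return [(name, first_lba, last_lba, fs)] for each GPT partition in a dump."""
    hdr = read_at(f, SECTOR, 92)
    if hdr[:8] != b"EFI PART":                 # no GPT: probe the image as one volume
        return [("whole-image", 0, None, probe_fs(f, 0))]
    table_lba, count, size = struct.unpack_from("<QII", hdr, 72)
    found = []
    for i in range(min(count, 128)):           # cap guards against a corrupt header
        entry = read_at(f, table_lba * SECTOR + i * size, size)
        if len(entry) < 128 or entry[:16] == bytes(16):   # short read or unused slot
            continue
        first, last = struct.unpack_from("<QQ", entry, 32)
        name = entry[56:128].decode("utf-16-le", "replace").split("\x00")[0]
        found.append((name, first, last, probe_fs(f, first * SECTOR)))
    return found

def build_sample():
    """Constructed 16 KiB image: GPT with 'boot' (raw) and 'userdata' (ext4 magic)."""
    img = bytearray(32 * SECTOR)
    img[SECTOR:SECTOR + 8] = b"EFI PART"
    struct.pack_into("<QII", img, SECTOR + 72, 2, 2, 128)
    for i, (name, first, last) in enumerate([("boot", 8, 15), ("userdata", 16, 31)]):
        off = 2 * SECTOR + i * 128
        img[off:off + 16] = bytes([i + 1]) * 16          # placeholder type GUID
        struct.pack_into("<QQ", img, off + 32, first, last)
        raw = name.encode("utf-16-le")
        img[off + 56:off + 56 + len(raw)] = raw
    struct.pack_into("<H", img, 16 * SECTOR + 1080, 0xEF53)
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    for row in survey(build_sample()):
        print(row)
```

On a real dump, pass a file opened in binary read mode to `survey`; the byte offset `first_lba * 512` of the partition of interest is what a read-only loop mount of the image needs.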

If you like crazy soldering exploits, check out this PSP reverse engineering hack, where every pin of a BGA was soldered to magnet wire.

Roll Your Own 64GB SD Card From An EMMC Chip

It’s well-known that buying Flash storage devices from cheap online retailers is fraught with danger. Stories abound of multi-gigabyte drives that turn out to be multi-megabyte ones engineered to falsely report their capacity. So when [Jason Gin] found a source of 64GB Toshiba eMMC chips for only $6 per device he bought a few, but was prepared for disappointment.

To test them, he decided to use an SD card interface. There are minor differences between eMMC and SD, but the interfaces are electrically the same and in most cases an SD controller will happily do business with an eMMC. It was not however an easy task to connect the two — these eMMCs were in BGA packages, hardly the easiest ones to work with. He resorted to dead-bug soldering the relevant interface wires to SD lines, and connecting up his computer.

His first attempt was something of a failure, wiring the chip to the PCB of a cheap USB-to-SD adaptor. This did not put him off, though: he followed it up by cracking open a very old 2GB SD card that contained a PCB instead of being potted, and soldering his eMMC in place of its Flash and controller. This even fit in the original SD housing, and met with success when plugged into more reliable SD card readers. He was thus able to confirm the capacity of his chips.

His blog post is worth a read for more than just the very fine soldering involved. He takes us through some of the intricacies of SD interfacing, as well as talking at length about the decoupling and termination required to make a reliable connection. We particularly like his use of an area of unconnected BGA balls as prototyping space for decouplers.

If you marvel at the exceptional dexterity required for hand BGA work, we’ve a couple of other treats for you. There is this TI infra-red sensor BGA soldered to a piece of stripboard, and this wafer-level chip package soldered to an SOIC prototyping board.

Single Board Revolution: Preventing Flash Memory Corruption

An SD card is surely not an enterprise grade storage solution, but single board computers also aren’t just toys anymore. You find them in applications far beyond the educational purpose they have emerged from, and the line between non-critical and critical applications keeps getting blurred.

Laundry notification hacks and arcade machines fail without causing harm. But how about electronic access control, or an automatic pet feeder? Would you rely on the data integrity of a plain micro SD card stuffed into a single board computer to keep your pet fed when you’re on vacation and let you back in afterward? After all, SD card corruption is a well-discussed topic in the Raspberry Pi community. What can we do to keep our favorite single board computers from failing at random, and is there a better solution to the problem of storage than a stack of SD cards?


Upgrading a Nexus 5 eMMC to 64GB

Sometimes we feel confident in our soldering skills (but only sometimes) — and then we see something like this done.

Someone over on the XDA developers forum managed to upgrade his Nexus 5 from 16GB to 64GB — and not only that, upgraded the eMMC type from 4.5 to 5.0 so it writes and reads much faster.

While the details on the actual conversion are a bit vague, we did manage to dig up another video of someone replacing an eMMC chip from a Samsung Note 2.

It most certainly is possible… but would you look at the size of that chip!


DEFCON 22: Hack All the Things

This morning I went to a fantastic talk called Hack All the Things. It was presented by GTVHacker. If you don’t recognize the name, this is the group that hacked the GoogleTV. They haven’t stopped hacking since that success, and this talk is all about 20+ devices that they’ve recently pwned and are making the info public (that link still had oath when I checked but should soon be public).

The attacks they presented come in three flavors: UART, eMMC, and command injection bugs. I’m going to add the break now, but I’ll give a rundown of most of the device exploits they showed off. I found all amusing, and often comical.
