4. NAND (Raw) Flash vs eMMC (Managed Flash)
to Host Processor
• In order to maximize the value of Flash Memory, FTL (Flash Translation Layer) is
used to achieve bad block management, rubbing, Write balance, ECC, garbage
collection and other functions.
• Also RAW Flash has to communicate with the Host through a dedicated NFI
(NAND Flash Interface).
• eMMC in its internal integration Flash Controller, used to FTL and other functions.
• Compared to direct access to the NAND Flash to the Host side, eMMC shielded
the physical characteristics of NAND Flash, you can reduce the complexity of the
Host side software, so that the Host side focused on the upper business,
eliminating the need for NAND Flash special treatment.
• At the same time, eMMC through the use of Cache, Memory Array and other
technologies, read and write performance is much better than the NAND Flash.
• eMMC, SD Card, UFS, U disk and other products are part of Managed Flash.
6. SLC vs MLC vs TLC
• NAND Flash According to the number of bits stored in each storage unit, it
can be divided into three categories: SLC (Single-Level Cell), MLC (Multi-
Level Cell) and TLC (Triple-Level Cell). Among them, in a storage unit, the
SLC can store 1 bit, the MLC can store 2 bits, and the TLC can store 3 bits.
• NAND Flash Within a storage unit, is through a different voltage level, to
represent the information it stores.
• In the SLC, the voltage of the memory cell is divided into two levels,
representing 0 and 1, respectively, 1 bit.
• In the MLC, the memory cell voltage is divided into four levels, respectively,
said 00, 01, 10, 11 four states, that is, two bits.
• Similarly, in the TLC, the voltage of the memory cell is divided into 000,
001, 010, 011, 100, 101, 110, 111 eight levels, and 3 bits of information are
stored.
9. eMMC Bus protocol
• CLK - Signal is used to output the clock signal from the Host, the data transmission
synchronization and equipment operation of the drive.
• In one clock cycle, CMD and DAT0-7 signals can support the transmission of a bit, that is, SDR (Single Data
Rate) mode. In addition, the DAT0-7 signal also supports configuration for DDR (Double Data Rate) mode, in a
clock cycle, you can transmit 2 bits.
• Host The frequency of the clock signal can be dynamically adjusted during communication (note that the
frequency range needs to meet the definition of Spec). By adjusting the clock frequency, you can achieve
power saving or data flow control (to avoid Over-run or Under-run) function. In some scenarios, the host can
also turn off the clock, such as eMMC in Busy state, or receive data, into the Programming State.
• CMD - The signal is mainly used by Host to send command and eMMC to eMMC to the Host for
the Response.
• DAT0-7 - The signal is mainly used for data transfer between Host and eMMC. After the eMMC is
powered on or soft reset, only DAT0 can transmit data. After initialization, DAT0-3 or DAT0-7 can
be configured for data transmission. That is, the data bus can be configured as 4 bits or 8 bits.
• Data Strobe - The clock signal is sent by the eMMC to the Host, the frequency is the same as the
CLK signal, and is used for the synchronization of the data reception. Data Strobe signal can only
be configured in HS400 mode enabled, enabled after the data transmission can improve the
stability, eliminating the bus tuning process.
13. CID Register
• The Card Identification (CID) register is 128 bits wide.
• It contains the device identification information used during the card
identification phase as required by eMMC protocol.
• Each device is created with a unique identification number.
15. Operations Conditions Register (OCR)
• The 32-bit Operations Conditions Register (OCR) stores the VDD
voltage profile of the device and the access mode indication.
• In addition, this register includes a status information bit. This status
bit is set if the device power up procedure has been finished.
17. Card-Specific Data (CSD) register
• The card-specific data (CSD) register provides information about
accessing the device contents.
• The CSD register defines the data format, error correction type,
maximum data access time, and data transfer speed, as well as
whether the DS register can be used.
• The programmable part of the register (entries marked with W or E in
the following table) can be changed by the PROGRAM_CSD (CMD27)
command.
20. Extended Card-Specific Data (Ext_CSD)
register
• The 512-byte extended card-specific data (ECSD) register defines
device properties and selected modes.
• The most significant 320 bytes are the properties segment.
• This segment defines device capabilities and cannot be modified by
the host.
• The lower 192 bytes are the modes segment.
• The modes segment defines the configuration in which the device is
working.
• The host can change the properties of modes segments using the
SWITCH command.
28. Utilities for eMMC configuration
• mmc-utils- Configure MMC storage devices from userspace and does the
following.
• Print and parse extcsd data. - Determine the eMMC writeprotect status. - Set the eMMC
writeprotect status. - Set the eMMC data sector size to 4KB by disabling emulation.
• Create general purpose partition. - Enable the enhanced user area. - Enable write reliability per
partition. - Print the response to STATUS_SEND (CMD13).
• Enable the boot partition. - Set Boot Bus Conditions. - Enable the eMMC BKOPS feature. -
Permanently enable the eMMC H/W Reset feature.
• Permanently disable the eMMC H/W Reset feature. - Send Sanitize command. - Program
authentication key for the device.
• Counter value for the rpmb device will be read to stdout. - Read from rpmb device to output.
• Write to rpmb device from data file. - Enable the eMMC cache feature. - Disable the eMMC cache
feature.
• Print and parse CID data. - Print and parse CSD data. - Print and parse SCR data.
• http://manpages.ubuntu.com/manpages/zesty/man1/mmc.1.html
• https://github.com/haoxingz/emmc5_register_reader
29. Decode CID & CSD Register
• To decode CID & CSD follow the links
• http://goughlui.com/2014/01/02/project-read-collect-decode-sd-
card-cid-register-data/
• http://goughlui.com/static/multicid.htm
• http://goughlui.com/2014/01/03/project-read-collect-decode-sd-
card-csd-register-data/
• CSD Version 1.0 (SDSC) Decoder
http://goughlui.com/static/csdecode.htm
• CSD Version 2.0 (SDHC) Decoder
http://goughlui.com/static/csdecode2.htm
32. eMMC Host Interfaces
• The CLK, CMD, and DAT[7:0] pins are used for all MMC bus communication.
• The CLK signal synchronizes data between the MMC device and the host (system processor) on the MMC
bus. With each CLK LOW-to-HIGH cycle, a bit transfer occurs on the CMD and DAT lines.
• The CLK frequency can vary from 0 to 200 MHz depending on the current state of the MMC device.
• The bidirectional CMD channel transfers commands from the host to the MMC device and transfers
responses from the device back to the host.
• The CMD channel operates in 400 kHz open-drain mode during initialization of the MMC device.
• The CMD channel switches to a higher-frequency push-pull mode for fast READ, WRITE, and ERASE
command transfers.
• Push-pull mode supports frequencies of up to 200 MHz
• The host uses the ROD pull-up resistor on the CMD line to control transitions between open-drain and push-
pull mode.
• The DAT channels support only push-pull mode and are bidirectional. Most data is read from or written to
the MMC device via the DAT channels.
• DAT channels also indicate the device status (ready or busy) during some MMC commands.
35. eMMC Partitions
• Standard, the internal Flash memory is divided into four areas, up to 8 hardware partitions can be
supported, as shown on the previous slide.
• Boot Area Partitions,
• RPMB (Replay Protected Memory Block) Partition,
• User Data Area (UDA) Partition,
• General Purpose Partitions (GPP).
• In general, Boot Area Partitions and RPMB Partition capacity is usually 4MB, some chip
manufacturers will also provide configuration opportunities.
• General Purpose Partitions (GPP) are not supported by default at the factory, that is, they do not
exist, require the user to actively enable and configure the capacity of the GPP to be used.
• The number of GPPs can be 1 to 4, each GPPs size of the capacity can be different.
• The capacity size of the User Data Area (UDA) is the total capacity minus the capacity occupied by
the other partitions. More details of each partition will be described in subsequent sections.
36. Partition addressing
• Each hardware partition of the storage space are independently
addressed, that access address is 0 - partition size.
• The specific data read and write operation to access which hardware
partition is determined by the eMMC Extended CSD register
PARTITION_CONFIG Field Bit [2: 0]: PARTITION_ACCESS decision, the
user can configure PARTITION_ACCESS to switch the hardware
partition access. That is, the user needs to send the command,
configure PARTITION_ACCESS, and then send the relevant data access
request before accessing the specific partition.
37. Boot Area Partitions
• Boot Area Contains two Boot Area Partitions, mainly used to store
Bootloader, support SOC from eMMC boot system.
• Capacity
• The size of the two Boot Area Partitions is exactly the same, by the
Extended CSD register BOOT_SIZE_MULT Field decision, the size of the
formula is as follows: Size = 128Kbytes x BOOT_SIZE_MULT
• In general, the Size of the Boot Area Partition is 4 MB, that is,
BOOT_SIZE_MULT is 32, and some chip manufacturers will provide the
function of rewriting BOOT_SIZE_MULT to change the capacity of the Boot
Area Partition. BOOT_SIZE_MULT can be a maximum of 255, that is, the
maximum capacity of the Boot Area Partition can be 255 x 128 KB = 32640
KB = 31.875 MB.
38. Boot Area Partitions (Boot from Boot Area)
• eMMC In the Boot State, in the Power-up, HW reset or SW reset, if
meet certain conditions, eMMC will enter the State. The conditions
for entering Boot State are as follows:
• (Original Boot Operation) CMD The signal remains low for at least 74
clock cycles, triggering Original Boot Operation, enter Boot State.
• (Alternative Boot Operation) After 74 clock cycles, when the CMD
signal is pulled down for the first time or the host sends CMD1, the
Host sends the Alternative Boot Operation to the Boot State when
sending the CMD0 with the parameter 0xFFFFFFFA.
41. Boot Area Partitions
• In Boot State, if the configuration BOOT_ACK, eMMC will first send "010"
ACK packet, then eMMC will be up to 128Kbytes x BOOT_SIZE_MULT Boot
Data sent to the Host. During the transmission, the Host can interrupt the
eMMC data by pulling the CMD signal (Original Boot) or sending the Reset
command (Alternative Boot) to complete the Boot Data transmission.
• Boot Data Bit [5: 3]: BOOT_PARTITION_ENABLE of PARTITION_CONFIG Field
of Extended CSD register can be read from Boot Area Partition 1, Boot Area
Partition 2 or User Data Area.
• Boot Data Stored in the Boot Area than in the User Data Area to be more
secure, you can reduce the unexpected changes caused the system can not
start, and can not update the system situation.
42. Boot Area Partitions (Write protection)
• By setting the BOOT_WP Field of the Extended CSD register, write
protection can be configured independently for both Boot Area
Partitions to prevent data from being accidentally rewritten or erased.
• eMMC In the definition of the two Boot Area write protection mode:
• Power-on write protection, After enabling, if the eMMC is powered down, the
write-protect function is disabled and needs to be configured after each
Power on.
• Permanent write protection, Enable, even if the power failure will not fail,
take the initiative to shut down will be invalid.
43. RPMB (Replay Protected Memory Block)
Partition
• RPMB (Replay Protected Memory Block) Partition is a partition with
security features in eMMC.
• eMMC will write data to the RPMB, will check the legitimacy of the data,
only the specified Host can write, while reading data, also provides a
signature mechanism to ensure that the Host read the data is RPMB
internal data, and Not an attacker forged data.
• RPMB in practice, usually used to store some data to prevent illegal
tampering, such as fingerprints on the phone to pay the relevant public key,
serial number and so on. RPMB can authenticate the write operation, but
the read does not require authentication, anyone can read the operation,
so the data stored in the RPMB is usually encrypted and then stored.
44. RPMB (Replay Protected Memory Block)
Partition --- Capacity size
• The size of the two RPMB Partition is determined by the
BOOT_SIZE_MULT Field of the Extended CSD register. The size is
calculated as follows: Size = 128Kbytes x BOOT_SIZE_MULT
• In general, the size of the Boot Area Partition is 4 MB, that is,
RPMB_SIZE_MULT is 32, and some chip manufacturers will provide
the function of rewriting RPMB_SIZE_MULT to change the capacity of
the RPMB Partition. RPMB_SIZE_MULT can be up to 128, or the
maximum capacity of the Boot Area Partition can be 128 x 128 KB =
16384 KB = 16 MB.
45. RPMB (Replay Protected Memory Block)
Partition
• It uses HMAC SHA-256 and Write Counter to ensure that the data
stored in the RPMB is not illegally tampered.
• In the production line, for each product will produce a unique 256
bits of Secure Key, programmed to the eMMC OTP area (only
programming once the region), while Host in the security zone will
also retain the Secure Key.
• Inside the eMMC, there is also an RPMB Write Counter. Each time a
regular write operation is made by the RPMB, the Write Counter is
automatically incremented.
• With Secure Key and Write Counter, RPMB enables data read and
write of Replay Protect.
47. RPMB Read
• The process of RPMB data reading is as follows
• The host initiates a request to read the RPMB to the eMMC and generates a random
number of 16 bytes and sends it to the eMMC.
• The eMMC reads the requested data from the RPMB and uses the Secure Key to
calculate the signatures of the read data and the received random numbers by the HMAC
SHA-256 algorithm. Then, eMMC will read the data, receive the random number, the
calculated signature sent to the Host.
• Host received the RPMB data, random number and signature, the first comparison of
random number is consistent with their own sent, if consistent, and then use the same
Secure Key HMAC SHA-256 algorithm on the data and random numbers together to sign,
If the signature is consistent with the signature sent by eMMC, it is possible to determine
that the data is the correct data read from the RPMB, not the attacker's forged data.
• Through the above read process, you can ensure that the Host correctly read the RPMB
data.
49. RPMB Write
• The process of writing RPMB data is as follows:
• The Host reads the Write Counter of the RPMB according to the read data
flow above.
• Host will need to write the data and Write Counter together and calculate
the signature, and then the data, Write Counter and signature together to
eMMC.
• After receiving the data, the eMMC compares the Write Counter with the
current value, and if it is the same, then the combination of the data and
the Write Counter is signed and then compared with the signature sent by
the Host. If the signature is the same, Data is written to RPMB.
• Through the above writing process, you can ensure that RPMB will not be
illegally tampered.
51. General Purpose Partitions
• eMMC provides General Purpose Partitions (GPP), primarily for storage systems and application
data. In many products that use eMMC, GPP is not enabled, because it is functionally similar to
UDA, the product can be used directly to meet the needs of UDA
• Capacity size
• eMMC can support up to four GPPs, the size of each GPP can be configured separately. The user can set the
capacity of GPPx (x = 1 ~ 4) by setting the following three fields of the Extended CSD register:
• GP_SIZE_MULT_x_2
• GP_SIZE_MULT_x_1
• GP_SIZE_MULT_x_0
• The capacity of GPPx is calculated as follows:
• Size = (GP_SIZE_MULT_x_2 * 2^16 + GP_SIZE_MULT_x_1 * 2^8 + GP_SIZE_MULT_x_0 * 2^0) * (Write protect
group size)
• Write protect group size = 512KB * HC_ERASE_GRP_SIZE * HC_WP_GRP_SIZE
• (In eMMC, erase and write protection are performed in blocks. HC_WP_GRP_SIZE is the write-protected
operation block size in the above expression. HC_ERASE_GRP_SIZE is the fast size of the erase operation.)
• (The configuration of the GPP of the eMMC chip is usually only one (OTP), which is typically done in the
production phase of the product.)
52. General Purpose Partitions
• Partition attribute
• In the eMMC standard, two types of attributes, Enhanced attribute, and Extended attribute are defined for GPP. Each GPP
can set one of the two attributes, and can not set multiple attributes at the same time.
• Enhanced attribute
• Default, Enhanced attribute is not set.
• Enhanced storage media, Set GPP to Enhanced storage media.
• In the eMMC standard, the effect of setting the enhanced attribute on eMMC is not actually defined. The specific role of the
Enhanced attribute is defined by the chip manufacturer. In the actual product, set the Enhanced storage media, the general
is the partition of the storage medium from the MLC to SLC, to improve the partition read and write performance, life and
stability. Since the capacity of the MLC is twice that of the SLC, the capacity of the original MLC is changed to SLC, and the
capacity of the eMMC is reduced, that is, when the total number of the storage units is constant The actual total capacity of
the eMMC is smaller than the nominal total capacity.
• Extended attribute
• Default, Extended attribute not set.
• System code, Set GPP to System code attribute, which is mainly used in storage operating system class, rarely rewrites the
updated partition.
• Non-Persistent, Set GPP to Non-Persistent attribute, which is mainly used to store temporary data partition, such as tmp
directory where the partition, swap partition, etc.
• In the eMMC standard, there is no definition of Extended attribute after the impact of eMMC. The specific
role of the Extended attribute is defined by the chip manufacturer. Extended attribute is mainly related to
the application of the partition scene, manufacturers can not apply the scene of the partition to do different
optimization.
54. User Data Partitions
• User Data Area (UDA) Usually the largest eMMC a partition, is the actual product,
the most important storage area.
• Capacity size
• UDA The size of the capacity does not need to set, after the allocation of other partition size,
and then subtract the capacity to set the Enhanced attribute loss, the remaining capacity is
UDA capacity.
• Software partition
• In order to more rational management of data to meet the needs of different applications,
UDA in the actual product, the software will be re-zoning. At present the mainstream
software partition technology MBR (Master Boot Record) and GPT (GUID Partition Table) two.
The basic principles of these two partition technologies are similar, as shown in the figure 1:
• Software partitioning technology is generally divided into multiple areas of storage media,
both SW Partitions, and then through a Partition Table to maintain these SW Partitions. In the
Partition Table, each entry holds a SW Partition starting address, size and other attribute
information. After the software system starts, the Partition Table will be scanned to obtain
the information of each SW Partitions on the storage medium. Then, according to the
information, the Partitions will be loaded into the system for data access.
55. User Data Partitions
• Area attribute
• eMMC Standard, support for the UDA in a specific size of the region set Enhanced
attribute. As with the Enhanced attribute in GPP, the eMMC standard does not
define the effect of the region's enhanced attribute on eMMC. The specific role of
the Enhanced attribute is defined by the chip manufacturer.
• Enhanced attribute
• Default, Enhanced attribute not set.
• Enhanced storage media, Set the zone to Enhanced storage media.
• In the actual product, UDA area is set to Enhanced storage media, the
general is the region of the storage medium from MLC to SLC. Typically, the
product can be a SW Partition set to Enhanced storage media, in order to
obtain better performance and robustness.
58. eMMC operation modes
• Five operation modes are defined for the eMMC system (hosts and devices):
• Boot mode
• The device will be in boot mode after power cycle, reception of CMD0 with argument of
0xF0F0F0F0 or the assertion of hardware reset signal.
• Device identification mode
• The device will be in device identification mode after boot operation mode is finished or if host
and/or device does not support boot operation mode. The device will be in this mode, until the
SET_RCA command (CMD3) is received.
• Interrupt mode
• Host and device enter and exit interrupt mode simultaneously. In interrupt mode there is no data
transfer. The only message allowed is an interrupt service request from the device or the host.
• Data transfer mode
• The device will enter data transfer mode once an RCA is assigned to it. The host will enter data
transfer mode after identifying the device on the bus.
• Inactive mode
• The device will enter inactive mode if either the device operating voltage range or access mode is
not valid. The device can also enter inactive mode with GO_INACTIVE_STATE command (CMD15).
The device will reset to Pre-idle state with power cycle.
60. Booting from e-MMC Embedded Memory
• e-MMC embedded memory does not inherently support execute in
place (XIP).
• Operating system (OS) code and boot code can be stored in the
e-MMC device, but the code must be copied (or shadowed) to RAM
before it can be executed.
64. eMMC 5.1 SELECTED FEATURES OVERVIEW
• HS400 Interface
• Support HS400 signaling to achieve a bus speed of 400 MB/s via a
200MHz dual data rate clock frequency. HS400 mode supports 4 or 8
bit bus width and the 1.7 – 1.95 VCCQ option. Due to the speed, the
host may need to have an adjustable sampling point to reliably
receive the incoming data. For additional information please refer to
JESD84-B51 standard.
65. eMMC 5.1 SELECTED FEATURES OVERVIEW
• Field Firmware Upgrade (FFU)
• Field Firmware Upgrades (FFU) enables features enhancement in the
field. Using this mechanism, the host downloads a new version of the
firmware to the eMMC device and instructs the eMMC device to
install the new downloaded firmware into the device. The entire FFU
process occurs in the background without affecting the user / OS
data. During the FFU process, the host can replace firmware files or
single / all file systems.
66. eMMC 5.1 SELECTED FEATURES OVERVIEW
• Command-Queue
• eMMC Command Queue enables device visibility of next commands
and allows performance improvement. The protocol allows the host
to queue up to 32 data-transfer commands in the device by
implementing 5 new commands.