iMX8M mini eMMC write protect


7,497 Views
stanAn
Contributor I

Hi, I have been trying to locate source code and documents on write protection for eMMC on the Yocto project but no luck. Could anyone kindly advise where to locate these documents and source code? Thx.

0 Kudos
Reply
20 Replies

7,496 Views
stanAn
Contributor I

I mean permanently write protect the U-Boot area of the eMMC device using Yocto. Any suggestions on source code and documents are welcome.

0 Kudos
Reply

7,450 Views
jackie2
Contributor III

Under Linux, the boot partition is read-only by default.

Because the script writes the bootloader in U-Boot, it comments out the way to write the bootloader under Linux.

 

example_kernel_emmc.uuu

 

FB: ucmd setenv fastboot_dev mmc
FB: ucmd setenv mmcdev ${emmc_dev}
FB: flash bootloader _flash.bin

FBK: ucmd sync
# You can enable the commands below to write the boot partition, but the offset differs between platforms
#FBK: ucmd mmc=`cat /tmp/mmcdev`; echo 0 > /sys/block/mmcblk${mmc}boot0/force_ro
#FBK: ucp _flash.bin t:/tmp
#FBK: ucmd mmc=`cat /tmp/mmcdev`; dd if=/tmp/_flash.bin of=/dev/mmc${mmc}boot0 bs=1K seek=32
#FBK: ucmd mmc=`cat /tmp/mmcdev`; echo 1 > /sys/block/mmcblk${mmc}boot0/force_ro
FBK: ucmd mmc=`cat /tmp/mmcdev`; while [ ! -e /dev/mmcblk${mmc}p1 ]; do sleep 1; done

0 Kudos
Reply

7,433 Views
Sanket_Parekh
NXP TechSupport

Hello @jackie2 ,

I hope you are doing well.

->Please make sure to download the required scripts I have shared.

->Decompress these scripts and copy them to your module, with a USB stick, or SD Card, or using the network with the SCP command.

->Execute ./a-macronix-prep.sh script and, when it finishes, reboot your module.

->Execute ./b-macronix-read.sh script. This step can take almost 30 minutes to complete, please, be patient. It will execute several read operations until it finishes. Do not reboot your module after this script finishes.

->Execute ./c-macronix-write.sh script. After it finishes, the module should be in permanent write-protection mode.

->Execute ./d-macronix-read-csd.sh to validate the write-protect bit in the CSD register.

->Now you can execute the ./run_check.sh script to verify the permanent write-protection mode, as described in the Instructions to Check section.

I hope this information helps!

Thanks & Regards,

Sanket Parekh

0 Kudos
Reply

7,358 Views
jackie2
Contributor III

I could not see any mmc/emmc command in emmc-scripts.zip.

I do not know how emmc-scripts.zip can set the protection.

The a to c script, just dd command, if dd command to create files, I believe we can not use the emmc. 

Because those dd commands are very "normal" ones.

The only possibility is that it is a Macronix special way.

The protection could be set by mmc utils:

https://git.kernel.org/pub/scm/utils/mmc/mmc-utils.git/tree/mmc.c

},
{ do_writeprotect_user_set, -4,
"writeprotect user set", "<type>" "<start block>" "<blocks>" "<device>\n"
#ifdef DANGEROUS_COMMANDS_ENABLED
"Set the write protect configuration for the specified region\nof the user area for <device>.\n<type> must be \"none|temp|pwron|perm\".\n \"none\" - Clear temporary write protection.\n \"temp\" - Set temporary write protection.\n \"pwron\" - Set write protection until the next poweron.\n \"perm\" - Set permanent write protection.\n<start block> specifies the first block of the protected area.\n<blocks> specifies the size of the protected area in blocks.\nNOTE! The area must start and end on Write Protect Group\nboundries, Use the \"writeprotect user get\" command to get the\nWrite Protect Group size.\nNOTE! \"perm\" is a one-time programmable (unreversible) change.",
#else
"Set the write protect configuration for the specified region\nof the user area for <device>.\n<type> must be \"none|temp|pwron\".\n \"none\" - Clear temporary write protection.\n \"temp\" - Set temporary write protection.\n \"pwron\" - Set write protection until the next poweron.\n<start block> specifies the first block of the protected area.\n<blocks> specifies the size of the protected area in blocks.\nNOTE! The area must start and end on Write Protect Group\nboundries, Use the \"writeprotect user get\" command to get the\nWrite Protect Group size.",
#endif /* DANGEROUS_COMMANDS_ENABLED */
NULL
},

a-macronix-prep.sh

# create 8 MByte file on the eMMC
dd if=/dev/zero of=readfile.bin bs=8M count=1
echo "Please reboot, then continue with step b."

b-macronix-read.sh

# read 20k times 4 kByte from eMMC
echo "Make sure you have an USB drive connected which is mounted at /media/sda1"
echo -e "\n\n\n\n\n"
for i in `seq 1 20000`
do
echo -e "\e[4A$i"
dd if=readfile.bin of=/media/sda1/readfile.bin bs=4k count=1 >/dev/null
sh -c 'echo 1 > /proc/sys/vm/drop_caches'
sleep 0.05s
done

echo "Please continue with step c."

c-macronix-write.sh

# write > 4 GByte to eMMC
echo "write 2x 800MB - be patient, feedback is shown only after about 1 minute"
dd if=/dev/zero of=mty1.bin bs=1M count=800
dd if=/dev/zero of=mty2.bin bs=1M count=800

echo "delete 2x 800MB"
rm mty1.bin
rm mty2.bin

echo "write 6x 800MB (expect 'error: no space left' at one point)"
dd if=/dev/zero of=mty3.bin bs=1M count=800
dd if=/dev/zero of=mty4.bin bs=1M count=800
dd if=/dev/zero of=mty5.bin bs=1M count=800
dd if=/dev/zero of=mty6.bin bs=1M count=800
dd if=/dev/zero of=mty7.bin bs=1M count=800
dd if=/dev/zero of=mty8.bin bs=1M count=800

echo "Done. We expect that the device is now write-protected."
echo "Validate by running step d."

d-macronix-read-csd.sh

echo "--------- CSD ---------------------------"
CSD_STRING=`find /sys/devices -name 'csd'| grep mmc| xargs cat| sed 's/.\{2\}/& /g'`
echo "CSD Binary: $CSD_STRING"

echo "CSD Register bit13 is PERM_WRITE_PROTECT ('..... 20 00' = issue happened)"

 

0 Kudos
Reply

7,330 Views
jackie2
Contributor III

I really don't believe the scripts in emmc-scripts.zip can do user partition protection.

The scripts just dd files to the eMMC.

If so, how can we write (dd) exactly the same files into the eMMC?

The mmc util can do temporary user partition protection, as the boot partition does.

root@imx8mmevk:~# mmc
Usage:
mmc extcsd read <device>
Print extcsd data from <device>.
mmc writeprotect boot get <device>
Print the boot partitions write protect status for <device>.
mmc writeprotect boot set <device>
Set the boot partitions write protect status for <device>.
This sets the eMMC boot partitions to be write-protected until
the next boot.
mmc writeprotect user set <type><start block><blocks><device>
Set the write protect configuration for the specified region
of the user area for <device>.
<type> must be "none|temp|pwron".
"none" - Clear temporary write protection.
"temp" - Set temporary write protection.
"pwron" - Set write protection until the next poweron.
<start block> specifies the first block of the protected area.
<blocks> specifies the size of the protected area in blocks.
NOTE! The area must start and end on Write Protect Group
boundries, Use the "writeprotect user get" command to get the
Write Protect Group size.
mmc writeprotect user get <device>
Print the user areas write protect configuration for <device>.
mmc disable 512B emulation <device>

0 Kudos
Reply

7,320 Views
jackie2
Contributor III

Here is the test for user partition protection.

The FAT size is 170391 (186775 - 16384); the protection needs to be a multiple of 16384.

So it is 180224.

root@imx8mmevk:~# fdisk -l /dev/mmcblk2
Disk /dev/mmcblk2: 14.68 GiB, 15758000128 bytes, 30777344 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x49023ba9

Device Boot Start End Sectors Size Id Type
/dev/mmcblk2p1 * 16384 186775 170392 83.2M c W95 FAT32 (LBA)
/dev/mmcblk2p2 196608 9645155 9448548 4.5G 83 Linux

tmpfs on /var/volatile type tmpfs (rw,relatime)
/dev/mmcblk2p1 on /run/media/boot-mmcblk2p1 type vfat (rw,relatime,gid=6,fmask=0007,dmask=0007,allow_utime=0020,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro)


dd if=/dev/zero of=/run/media/boot-mmcblk2p1/test1.bin bs=1M count=1 conv=fsync

mmc writeprotect user set temp 16384 180224 /dev/mmcblk2

root@imx8mmevk:~# mmc writeprotect user get /dev/mmcblk2
Write Protect Group size in blocks/bytes: 16384/8388608
Write Protect Groups 0-0 (Blocks 0-16383), No Write Protection
Write Protect Groups 1-11 (Blocks 16384-196607), Temporary Write Protection
Write Protect Groups 12-1877 (Blocks 196608-30769151), No Write Protection

rm -f /run/media/boot-mmcblk2p1/test1.bin

root@imx8mmevk:~# rm -f /run/media/boot-mmcblk2p1/test1.bin
root@imx8mmevk:~# sync
[ 139.770494] blk_update_request: I/O error, dev mmcblk2, sector 16451 op 0x1:(WRITE) flags 0x0 phys_seg 3 prio class 0
[ 139.781142] Buffer I/O error on dev mmcblk2p1, logical block 67, lost async page write
[ 139.789095] Buffer I/O error on dev mmcblk2p1, logical block 68, lost async page write
[ 139.797041] Buffer I/O error on dev mmcblk2p1, logical block 69, lost async page write
[ 139.805103] blk_update_request: I/O error, dev mmcblk2, sector 16619 op 0x1:(WRITE) flags 0x0 phys_seg 3 prio class 0
[ 139.815747] Buffer I/O error on dev mmcblk2p1, logical block 235, lost async page write
[ 139.823773] Buffer I/O error on dev mmcblk2p1, logical block 236, lost async page write
[ 139.831798] Buffer I/O error on dev mmcblk2p1, logical block 237, lost async page write
[ 139.839923] blk_update_request: I/O error, dev mmcblk2, sector 16733 op 0x1:(WRITE) flags 0x0 phys_seg 1 prio class 0
[ 139.850560] Buffer I/O error on dev mmcblk2p1, logical block 349, lost async page write

root@imx8mmevk:~# dd if=/dev/zero of=/run/media/boot-mmcblk2p1/test2.bin bs=1M count=1 conv=fsync
[ 171.588983] blk_update_request: I/O error, dev mmcblk2, sector 84200 op 0x1:(WRITE) flags 0x4800 phys_seg 120 prio class 0
[ 171.594582] blk_update_request: I/O error, dev mmcblk2, sector 85224 op 0x1:(WRITE) flags 0x800 phys_seg 105 prio class 0
dd: fsync failed for '/run/media/boot-mmcblk2p1/test2.bin': Input/output error
1+0 records in
1+0 records out
1048576 bytes (1.0 MB, 1.0 MiB) copied, 0.134416 s, 7.8 MB/s

 


mmc writeprotect user set none 16384 180224 /dev/mmcblk2

root@imx8mmevk:~# rm -f /run/media/boot-mmcblk2p1/test1.bin
root@imx8mmevk:~# rm -f /run/media/boot-mmcblk2p1/test1.bin
root@imx8mmevk:~# sync

root@imx8mmevk:~# dd if=/dev/zero of=/run/media/boot-mmcblk2p1/test2.bin bs=1M count=1 conv=fsync
1+0 records in
1+0 records out
1048576 bytes (1.0 MB, 1.0 MiB) copied, 0.0305469 s, 34.3 MB/s

0 Kudos
Reply
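
Added example (not part of the post above and not from mmc-utils): the post rounds the FAT partition up to a whole number of Write Protect Groups by hand, and this sketch does the same arithmetic from the fdisk start/end blocks and checks that the aligned region does not reach into the next partition. The function names `wp_region` and `wp_overlaps` are hypothetical; the numbers are the ones in the fdisk and `mmc writeprotect user get` output above.

```shell
#!/bin/sh
# Added example, not from the thread. All sizes are 512-byte blocks, the unit
# used by fdisk and by "mmc writeprotect user get/set".

# wp_region FIRST LAST GROUP
#   FIRST, LAST  first and last block of the partition (fdisk "Start" / "End")
#   GROUP        Write Protect Group size in blocks
# Prints "<start block> <blocks>": the smallest group-aligned region that
# contains the whole partition. Rounding can pull in blocks outside it.
wp_region() {
    first=$1; last=$2; group=$3
    [ "$group" -gt 0 ] && [ "$last" -ge "$first" ] || return 1
    start=$(( first / group * group ))        # round start down to a group
    end=$(( (last / group + 1) * group ))     # exclusive end, rounded up
    echo "$start $(( end - start ))"
}

# wp_overlaps START BLOCKS FIRST LAST
# Succeeds if the protected region [START, START+BLOCKS) contains any block of
# another partition FIRST..LAST, i.e. protecting it would also freeze that one.
wp_overlaps() {
    [ "$3" -lt $(( $1 + $2 )) ] && [ "$4" -ge "$1" ]
}

# Values taken from the fdisk listing in the post (adjust for your own disk).
P1_FIRST=16384;  P1_LAST=186775
P2_FIRST=196608; P2_LAST=9645155
GROUP=16384

region=$(wp_region "$P1_FIRST" "$P1_LAST" "$GROUP")
set -- $region
if wp_overlaps "$1" "$2" "$P2_FIRST" "$P2_LAST"; then
    echo "region $region would also cover part of partition 2" >&2
else
    # Only print the command; running it is left to the operator.
    echo "mmc writeprotect user set temp $region /dev/mmcblk2"
fi
```

With the values from the post this prints the same `16384 180224` region that was used there, ending exactly where partition 2 begins.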

7,304 Views
Sanket_Parekh
NXP TechSupport

Hello @stanAn ,

I hope you are doing well.

If the dd command is used in a script to copy files to an eMMC (embedded Multimedia Card), one can still use the dd command to achieve the same file write operation.

To write the same file into the eMMC using dd, you would need to specify the input file and the output file, as well as any other necessary options. Here's an example command:
dd if=/path/to/source/file of=/dev/emmc_device

I hope this helps!

If the issue is solved then can I close this thread?

Thanks & Regards,

Sanket Parekh

0 Kudos
Reply

7,298 Views
jackie2
Contributor III

Sanket Parekh,

 

No, you could not close this thread.

1. If your dd way can make the partition read-only, what is your way to turn it back to writable?

2. If we have the same files, the same size, the same file name, everything is exactly the same.

    It will trigger a risk: the eMMC cannot be written any more, and in your script there is no way to turn it writable.

   I don't believe Macronix will do this. And it is NXP that gets the scripts from Macronix and says it could.

   I am considering checking with Macronix, who gives NXP those scripts.

3. I tried the scripts; they don't work. You show me the test log on your board.

0 Kudos
Reply

7,256 Views
Sanket_Parekh
NXP TechSupport

Hello @stanAn 

I hope you are doing well.
Please accept my apology for the delayed response.

->There are two approaches: use the MMC-utils software to put the eMMC into the write-protected mode or use a script to write and read from memory.
If one wants to test how the software behaves, the MMC-utils approach is recommended, since the read-only mode lasts only until the next reboot.
->So the scripts I have provided are used to put your module into an unrecoverable state.
->If one wants to turn off the write protection mode, please use the first method.
->I have shared the first method for reference, please take a look at it.

Set up everything needed for Yocto, as described in the Build a Reference Image with Yocto Project/OpenEmbedded article.
Go to your oe-core/build/ folder and edit the file conf/local.conf.
Select the right MACHINE variable. Close and save the file.
Inside the oe-core/build/, run the command below.
$ bitbake mmc-utils

Wait for the process to finish.
The compiled ipk package will be inside oe-core/build/deploy/ipk/armv7at2hf-neon/ folder.
Copy the package mmc-utils_0.1+git0+73d6c59af8-r0_armv7at2hf-neon.ipk. Note that the hash in the name of the package can be different depending on which commit it is based on. In general, the mmc-utils_0.1* file should be copied, either by SCP or using a USB stick.
Inside the module, install the package by running
# opkg install mmc-utils_0.1+git0+d7b343fd26-r0_armv7at2hf-neon.ipk

To put the boot partition in write-protected mode until the next reboot, run
# mmc writeprotect boot set /dev/emmc

Next, to put the rest of the eMMC storage in write-protected mode, first run
# mmc writeprotect user get /dev/emmc

The output should be as follows (depending on the size of the eMMC)
Write Protect Group size in blocks/bytes: 8192/4194304
Write Protect Groups 0-931 (Blocks 0-7634943), No Write Protection

In the example above, the blocks go from 0 to 7634943. To set all blocks in write-protected mode, run the command below with the max numbers of block plus 1 (for example, 7634943 + 1).
# mmc writeprotect user set pwron 0 7634944 /dev/emmc

Now the eMMC will be in write-protected mode until the next reboot and all the tests can be executed.

I hope this information helps!

Thanks & Regards,

Sanket Parekh

0 Kudos
Reply

7,246 Views
jackie2
Contributor III

I don't need "I hope you are doing well." and I don't need any "apology for the delayed response".

I already showed how to use mmc utils and you don't need to repeat that.

And I should correct use the if use temp not perm, which needs DANGEROUS_COMMANDS_ENABLED turned on to have perm; you don't have to have any power cycle for temp, as I presented before.

In your reply, 

To put the boot partition in write-protected mode until the next reboot, run
# mmc writeprotect boot set /dev/emmc

It is equal to "echo 0 > /sys/block/mmcblk${mmc}boot0/force_ro"

Next, to put the rest of the eMMC storage in write-protected mode, first run
# mmc writeprotect user get /dev/emmc

The previous one is the boot partition; now it is the user partition.

You don't know how to use the mmc utils, and you have not even shown a log here of when you use this tool.

But I have a full and complete log to show how to use mmc utils.

 

Questions still remain:

1. If your dd way can make the partition read-only, what is your way to turn it back to writable?

2. If we have the same files, the same size, the same file name, everything is exactly the same.

    It will trigger a risk: the eMMC cannot be written any more, and in your script there is no way to turn it writable.

   I don't believe Macronix will do this. And it is NXP that gets the scripts from Macronix and says it could.

   I am considering checking with Macronix, who gives NXP those scripts.

3. I tried the scripts; they don't work. You show me the test log on your board.

 

Show me the test log of emmc-scripts.zip on your board. 

 

 

 

0 Kudos
Reply

7,234 Views
jackie2
Contributor III

I take your solution seriously and I have tried it. 

I know mmc util very well. 

The scripts obviously are from Macronix.

You are an NXP employee.

You provided a set of scripts from Macronix.

You cannot explain the scripts.

You have not shown the full/complete log of the scripts on your board, this solution does really work.

 

0 Kudos
Reply

7,225 Views
Sanket_Parekh
NXP TechSupport

Hello @jackie2 

As the script process is irreversible, I can't perform the test locally.
But it is tested and proven right.
Please accept my apology for the inconvenience.

I'm glad the solution works!
Hence closing this thread now!

Thanks & Regards,

Sanket Parekh

0 Kudos
Reply

7,203 Views
jackie2
Contributor III

No, you could not close this thread. Lots of things have to get answers.

You have no knowledge of eMMC and NXP sent you here as NXP TechSupport to handle this eMMC question. Is it a problem of you or a problem of NXP?

The scripts are not irreversible. I tried those scripts; they do not work.

Before I tried those scripts, I was very sure those scripts do not work.

It is proven, not right.

And also, monitoring the eMMC session, no cmds were issued from host to device for PERM_WRITE_PROTECT.

That is why I asked you to try and show me the log.

You don't need the emmc knowledge. 

You just think about this logical fact, which I asked you to answer. Till now, you still haven't answered.

Again, You don't need the emmc knowledge. You just think about this logical fact.

If the scripts work, and are irreversible.

If we have the same files, the same size, the same file name, everything is exactly the same.
It will trigger a risk: the eMMC cannot be written any more, and in your script there is no way to turn it writable.

That is the logical reason why I am very sure those scripts do not work after I read them. And to be careful, I tried them.

Again,

If the scripts work, and are irreversible.

If we have the same files, the same size, the same file name, everything is exactly the same.
It will trigger a risk: the eMMC cannot be written any more, and in your script there is no way to turn it writable.

How to resolve this problem? I do not believe Macronix, as an eMMC vendor, uses such a tricky, I should say stupid, way, which contains a very very big risk.

How do you think Macronix using this stupid way can work? We need to like files in the emmc file system. The scripts dd files.

If this solution works, it is a stupid way and a joke.

Let's "assume" the scripts work. How to protect a FAT partition, as I have shown you using mmc, in your scripts' way? How to modify those dd scripts?

I could not imagine the vendor Macronix does not know the eMMC spec.

Do not try to take us for fools. I know the eMMC spec very well, which makes me also know mmc very well.

And you don't need to copy/repeat my mmc method as your answer, which is new for you and learnt from me. Actually, your copy of my answer lets me find that you don't understand the mmc utils and eMMC spec.

And you do not understand my answer using mmc.

You have no knowledge of eMMC and NXP sent you here as NXP TechSupport to handle this eMMC question.

无标题.png

 

 

0 Kudos
Reply

7,109 Views
Sanket_Parekh
NXP TechSupport

Hello @stanAn ,

I sincerely apologize for the inconvenience; please accept my apology.

->Please make sure that PERM_WRITE_PROTECT is a bit, and can be used to permanently write and protect the card. When this bit is set, the card can no longer be written to. This can be useful for protecting sensitive data

Thanks for the clarification.
Yes, CSD registers (card-specific data) provide more information regarding access to the card contents.

One can set field 13 for permanent write protection and 12 for temporary write protection.
PERM_WRITE_PROTECT(CSD[13]) & TMP_WRITE_PROTECT(CSD[12])

->Please make sure that these registers allow the host to apply write protection to the whole device including Boot Partition, RPMB Partition, and User Area.

->Further, the USER_WP (EXT_CSD[171]) register allows the host to apply write protection to all the partitions in the user area. The host has the ability to check the write protection status of segments by using the SEND_WRITE_PROT_TYPE command (CMD31). When full card protection is enabled, all the segments will be shown as having permanent protection.

->Please make sure to do boot partition write protection, BOOT_WP (EXT_CSD [173]) register allows the host to apply write protection to Boot Area Partitions.

->An attempt to set both the disable and enable bit for a given protection mode (permanent or power-on) in a single switch command will have no impact and a switch error occurs.
->Setting both B_PERM_WP_EN and B_PWR_WP_EN will result in the boot area being permanently protected.

To see more about the CSD register settings, kindly refer to the links given below.
https://community.nxp.com/pwmxy87654/attachments/pwmxy87654/imx-processors/113200/2/08EMCP08-NL3DT22...
https://community.nxp.com/pwmxy87654/attachments/pwmxy87654/imx-processors/173296/2/E-00784%20FORESE...
https://community.nxp.com/pwmxy87654/attachments/pwmxy87654/imx-processors/41600/1/KMKUS000VM-B410_1...

I hope this information also helps you!

Thanks & Regards,

Sanket Parekh

0 Kudos
Reply
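
Added example (not part of any post in this thread and not from emmc-scripts.zip): d-macronix-read-csd.sh above prints the raw CSD and leaves the reader to spot the `20 00` pattern, while the reply above names PERM_WRITE_PROTECT (CSD[13]) and TMP_WRITE_PROTECT (CSD[12]); this sketch decodes those two bits. It assumes the sysfs `csd` attribute is the 128-bit register as 32 hex digits, most significant first, which is what the script's `'..... 20 00'` hint implies; `csd_wp_bits` and `csd_scan` are hypothetical names and the sample values are constructed.

```shell
#!/bin/sh
# Added example. Assumption: the sysfs "csd" string holds CSD bits 127..0 as
# 32 hex digits, so its last 4 digits are CSD bits 15..0.

# csd_wp_bits CSD_HEX
# Prints "perm=<0|1> tmp=<0|1>" for PERM_WRITE_PROTECT (bit 13) and
# TMP_WRITE_PROTECT (bit 12); fails on anything that is not 32 hex digits.
csd_wp_bits() {
    csd=$1
    [ "${#csd}" -eq 32 ] || return 1
    case $csd in *[!0-9a-fA-F]*) return 1 ;; esac
    low=$(printf '%s' "$csd" | cut -c29-32)   # CSD bits 15..0
    val=$(( 0x$low ))
    echo "perm=$(( (val >> 13) & 1 )) tmp=$(( (val >> 12) & 1 ))"
}

# csd_scan: decode every mmc "csd" attribute found under /sys/devices,
# using the same lookup as d-macronix-read-csd.sh.
csd_scan() {
    find /sys/devices -name csd 2>/dev/null | grep mmc | while read -r f; do
        echo "$f: $(csd_wp_bits "$(cat "$f")" || echo 'unreadable CSD')"
    done
}

# Constructed sample values, not read from a real device: a filler for the
# upper 112 bits followed by the low 16 bits under test.
PREFIX=0123456789abcdef0123456789ab
for low16 in 0000 1000 2000 3000; do
    echo "csd ...$low16 -> $(csd_wp_bits "${PREFIX}${low16}")"
done

# On the target, run the script with the argument "scan" to read real devices.
if [ "${1:-}" = scan ]; then
    csd_scan
fi
```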

7,091 Views
jackie2
Contributor III

You don't need to tell me the JEDEC eMMC spec and eMMC knowledge.

I know that better than you know.

You know nothing about eMMC or about protection of eMMC partitions, including the user partition, before I showed it here with mmc util.

You know nothing about eMMC, and then NXP sent you here to support eMMC questions.

And NXP uses scripts from Macronix, another chip vendor, to do support. And could not even prove the scripts are right, and refuses to try them.

It is simple logic, Macronix uses those stupid scripts to do eMMC partition protection. Could Macronix be that stupid?

I read the scripts and I am very sure they are wrong, and till now you still insist they are right and proven working, even though I have tried them on my board.

The scripts are not irreversible; you said they are irreversible.

I tried; again, they are not irreversible.

 

Questions still remain:

1. If your dd way can make the partition read-only, what is your way to turn it back to writable?

2. If we have the same files, the same size, the same file name, everything is exactly the same.

    It will trigger a risk: the eMMC cannot be written any more, and in your script there is no way to turn it writable.

   I don't believe Macronix will do this. And it is NXP that gets the scripts from Macronix and says it could.

   I am considering checking with Macronix, who gives NXP those scripts.

3. I tried the scripts; they don't work. You show me the test log on your board.

 

Show me the test log of emmc-scripts.zip on your board. 

 

0 Kudos
Reply

7,422 Views
jackie2
Contributor III

Sanket Parekh,

Under Linux, the boot partition is read-only by default.

You need to issue the following command to make the boot partition writable.

echo 0 > /sys/block/mmcblk${mmc}boot0/force_ro

After writing the bootloader flash.bin to the boot partition,

dd if=/tmp/_flash.bin of=/dev/mmc${mmc}boot0 bs=1K seek=32

turn on read-only again.

echo 1 > /sys/block/mmcblk${mmc}boot0/force_ro

 

The question from stanAn is that stanAn wants to do write protection on eMMC.

It already has it under Linux.

You can try without “echo 0 > /sys/block/mmcblk${mmc}boot0/force_ro”

You will see the boot partition cannot be written.

 

 

0 Kudos
Reply

7,384 Views
jackie2
Contributor III

Untitled.png

0 Kudos
Reply

7,468 Views
Sanket_Parekh
NXP TechSupport

Hello @stanAn ,

I hope you are doing well.

->One can do the same by using OTP mem, which means one can use one-time programmable memory which will let the user write one time and then one can only boot it, which means one can only read it not write it.
->Please follow the below docs for the same.
https://www.nxp.com/webapp/Download?colCode=IMX8MMRM

->Please follow the section 6.3 On-Chip OTP Controller for efuse settings.

Thanks & Regards,

Sanket Parekh

0 Kudos
Reply

7,377 Views
stanAn
Contributor I

Thx for the reply. I'm looking to write protect 1.2GB of memory space, partition 1, from 0x00000 to 0x04CCC CCCC; not sure if OTP is viable.

0 Kudos
Reply

7,366 Views
Sanket_Parekh
NXP TechSupport

Hello @stanAn ,

I hope you are doing well.

->Yes, one can protect write mode from 0x00000 to 0x04CCC CCCC as described in the script that is shared in the previous thread, please refer to that.
->Please make sure to select the range as one wants to protect from writing.

It will help you!

Thanks & Regards,

Sanket Parekh

0 Kudos
Reply