====== Android Partitions on MTK Devices ======
The following notes were checked against a smartphone **ZTE Blade A610**, running **Android 6.0**.
===== NAND Flash vs eMMC Flash =====
**NAND flash** can only be read in pages, some bits in a page may be wrong and need to be corrected by an error correction mechanism.
With NAND flash the OS and device drivers are responsible to handle these issues.
**eMMC Flash** combines NAND memory with a built-in controller, that handles most of the things you have to take care of when dealing with NAND flash.
===== The Scatter File =====
A Scatter File is a .txt file which is used to describe **parts of flash memory** in an Android device which is running on a MediaTek’s MTK chipeset. Usually, such files are needed at the time of flashing firmware using tools like the **[[sp_flash_tool|SP Flash Tool]]**.
Here it is an **excerpt** of a scatter file, showing **where** to **flash** or **readback** the **recovery partition**:
- partition_index: SYS9
partition_name: recovery
file_name: recovery.img
is_download: true
type: NORMAL_ROM
linear_start_addr: 0x2D80000
physical_start_addr: 0x2D80000
partition_size: 0x1000000
region: EMMC_USER
storage: HW_STORAGE_EMMC
boundary_check: true
is_reserved: false
operation_type: UPDATE
reserve: 0x00
The most important data is **linear_start_addr** and **physical_start_addr** (which are always the same, or not?) that states the starting point of that partition into the flash memory, and **partition_size** which is obviously its lenght.
The **SP Flash Tool** program - when performing a //download// (it means a //flashing//) operation - will write the file into the phone starting at the specified address, checking that the file does not exceed the partition size. During a //readback// operation it will read the entire size specified in the scatter file.
===== EMMC Regions =====
**Embedded Multi-Media Controller** (eMMC) refers to a package consisting of both flash memory and a flash memory controller integrated into a single on-board chip. Device supports several hardware partitions, it is on-board and thus non removable.
* **BOOT** - one or more small partitions intended for boot firmware; eMMC 4.3 spec requires 2 boot partitions.
* **RPMB** - Replay Protected Memory Block - intended to store secure data (ie DRM content protection keys); eMMC 4.4 spec adds the requirement of an RPMB partition.
* **USER** - a large partition intended for general storage; eMMC 4.3 spec requires 1 user partition.
Into a **scatter file** you can see references to **region** labeled **EMMC_BOOT_1** and **EMMC_USER**, because partition images can live in that different //partitions// or //regions//. NOTICE: the USER partition or region is normally partitioned in turn into other partitions, so - when referring to eMMC partition - it is advisable to use the //region// term, to avoid confusion.
===== Inspecting partitions on the command line =====
The following commands were executed on a **ZTE Blade A610**, running **Android 6.0**, via the **adb shell** command line. The phone was rooted so that the **su** command was available.
==== cat /proc/partitions ====
cat /proc/partitions
major minor #blocks name
7 0 12910 loop0
254 0 986264 zram0
179 0 15388672 mmcblk0
179 1 3072 mmcblk0p1
179 2 5120 mmcblk0p2
179 3 10240 mmcblk0p3
179 4 10240 mmcblk0p4
179 5 512 mmcblk0p5
179 6 512 mmcblk0p6
179 7 16384 mmcblk0p7
179 8 16384 mmcblk0p8
179 9 8192 mmcblk0p9
179 10 10240 mmcblk0p10
179 11 512 mmcblk0p11
179 12 2048 mmcblk0p12
179 13 6144 mmcblk0p13
179 14 8192 mmcblk0p14
179 15 5120 mmcblk0p15
179 16 5120 mmcblk0p16
179 17 1024 mmcblk0p17
179 18 32768 mmcblk0p18
179 19 37888 mmcblk0p19
179 20 3022848 mmcblk0p20
179 21 409600 mmcblk0p21
179 22 11759104 mmcblk0p22
179 23 16384 mmcblk0p23
179 96 4096 mmcblk0rpmb
179 64 4096 mmcblk0boot1
179 32 4096 mmcblk0boot0
253 0 11759104 dm-0
The **mmcblk0** partition is actually the eMMC **USER** region, sized 15388672 blocks (15028 Mb). It is in turn partitioned in 23 partitions. The **boot0**, **boot1** and **rpmb** partitions have a size of 4096 blocks each, i.e. **4194304 (0x400000) bytes**.
==== sgdisk ====
The **/system/bin/sgdisk** command is accessible only with root privileges.
sgdisk --print /dev/block/mmcblk0
Disk /dev/block/mmcblk0: 30777344 sectors, 14.7 GiB
Logical sector size: 512 bytes
Disk identifier (GUID): 00000000-0000-0000-0000-000000000000
Partition table holds up to 23 entries
First usable sector is 1024, last usable sector is 30776319
Partitions will be aligned on 1024-sector boundaries
Total free space is 0 sectors (0 bytes)
Number Start (sector) End (sector) Size Code Name
1 1024 7167 3.0 MiB 0700 proinfo
2 7168 17407 5.0 MiB 0700 nvram
3 17408 37887 10.0 MiB 0700 protect1
4 37888 58367 10.0 MiB 0700 protect2
5 58368 59391 512.0 KiB 0700 lk
6 59392 60415 512.0 KiB 0700 para
7 60416 93183 16.0 MiB 0700 boot
8 93184 125951 16.0 MiB 0700 recovery
9 125952 142335 8.0 MiB 0700 logo
10 142336 162815 10.0 MiB 0700 expdb
11 162816 163839 512.0 KiB 0700 seccfg
12 163840 167935 2.0 MiB 0700 oemkeystore
13 167936 180223 6.0 MiB 0700 secro
14 180224 196607 8.0 MiB 0700 keystore
15 196608 206847 5.0 MiB 0700 tee1
16 206848 217087 5.0 MiB 0700 tee2
17 217088 219135 1024.0 KiB 0700 frp
18 219136 284671 32.0 MiB 0700 nvdata
19 284672 360447 37.0 MiB 0700 metadata
20 360448 6406143 2.9 GiB 0700 system
21 6406144 7225343 400.0 MiB 0700 cache
22 7225344 30743551 11.2 GiB 0700 userdata
23 30743552 30776319 16.0 MiB 0700 flashinfo
Doing the math, you can see that the 23 partitions existing in **mmcblk0** leave some space: One is at the begin, sized 1024 sectors or **524288 (0x80000) bytes**. The other unpartitioned space is at the end, the size can be calculated by the difference of size shown by ''cat /proc/partitions'', it is again **524288 (0x80000) bytes**. Theese two spaces are referred into the scatter file as **pgpt** and **sgpt** respectively (primary and secondary GPT parition tables?).
==== /dev/block/mmcblk0boot0 ====
The partition **/dev/block/mmcblk0boot0** is the one referred as region **EMMC_BOOT_1** in the scatter file, and it is dedicated to the **preloader**.
The actual Linux device content starts with the characters **EMMC_BOOT**. It seems that it is an header of **2048 (0x800) bytes** and the actual preloader follows that header. FIXME Some stock ROMs include the preloader image, without that header. But if you readback the preloader partition using **SP Flash Tool**, you get an image with that heder included.
===== Web References =====
* **[[http://www.lieberbiber.de/2015/07/02/mediatek-details-soc-startup/|MediaTek details: SoC startup]]**
* **[[http://www.lieberbiber.de/2015/07/04/mediatek-details-partitions-and-preloader/|MediaTek details: Partitions and Preloader]]**
* **[[http://trac.gateworks.com/wiki/MMC|MultiMediaCard (MMC)]]**
* **[[https://www.getdroidtips.com/scatter-file-txt-android-mediatek-device/|What is Scatter File txt? How to Create Scatter File for Any Android MediaTek device?]]**.
* **[[https://forum.hovatek.com/thread-468.html|How to use MTK Droid tools to backup Mediatek firmware]]**
* **[[https://forum.hovatek.com/thread-7655.html|List of MTK Droid Tools errors and how to fix them]]**
* **[[https://forum.hovatek.com/thread-455.html|How to use MTK Droid tools to create Clockworkmod recovery]]**