Android Partitions on MTK Devices

The following notes were checked against a ZTE Blade A610 smartphone running Android 6.0.

NAND Flash vs eMMC Flash

NAND flash can only be read in pages; some bits in a page may be wrong and need to be corrected by an error correction mechanism. With NAND flash, the OS and device drivers are responsible for handling these issues.

eMMC flash combines NAND memory with a built-in controller that handles most of the things you have to take care of when dealing with NAND flash.

The Scatter File

A scatter file is a .txt file that describes the layout of flash memory in an Android device built on a MediaTek (MTK) chipset. Such files are usually needed when flashing firmware with tools like the SP Flash Tool.

Here is an excerpt of a scatter file, showing where to flash or read back the recovery partition:

- partition_index: SYS9
  partition_name: recovery
  file_name: recovery.img
  is_download: true
  type: NORMAL_ROM
  linear_start_addr: 0x2D80000
  physical_start_addr: 0x2D80000
  partition_size: 0x1000000
  region: EMMC_USER
  storage: HW_STORAGE_EMMC
  boundary_check: true
  is_reserved: false
  operation_type: UPDATE
  reserve: 0x00

The most important fields are linear_start_addr and physical_start_addr (which are always the same, or not?), which give the starting point of the partition in flash memory, and partition_size, which is its length.

When performing a download (that is, a flashing) operation, the SP Flash Tool writes the file to the phone starting at the specified address, checking that the file does not exceed the partition size. During a readback operation it reads the entire size specified in the scatter file.

EMMC Regions

Embedded Multi-Media Controller (eMMC) refers to a package consisting of both flash memory and a flash memory controller integrated into a single on-board chip. The device supports several hardware partitions; it is on-board and thus non-removable.

In a scatter file you can see references to regions labeled EMMC_BOOT_1 and EMMC_USER, because partition images can live in these different hardware partitions, or regions. NOTICE: the USER region is normally itself divided into further partitions, so when referring to an eMMC hardware partition it is advisable to use the term region, to avoid confusion.

Inspecting partitions on the command line

The following commands were executed on a ZTE Blade A610, running Android 6.0, via the adb shell command line. The phone was rooted so that the su command was available.

cat /proc/partitions

cat /proc/partitions
major minor  #blocks  name

   7        0      12910 loop0
 254        0     986264 zram0
 179        0   15388672 mmcblk0
 179        1       3072 mmcblk0p1
 179        2       5120 mmcblk0p2
 179        3      10240 mmcblk0p3
 179        4      10240 mmcblk0p4
 179        5        512 mmcblk0p5
 179        6        512 mmcblk0p6
 179        7      16384 mmcblk0p7
 179        8      16384 mmcblk0p8
 179        9       8192 mmcblk0p9
 179       10      10240 mmcblk0p10
 179       11        512 mmcblk0p11
 179       12       2048 mmcblk0p12
 179       13       6144 mmcblk0p13
 179       14       8192 mmcblk0p14
 179       15       5120 mmcblk0p15
 179       16       5120 mmcblk0p16
 179       17       1024 mmcblk0p17
 179       18      32768 mmcblk0p18
 179       19      37888 mmcblk0p19
 179       20    3022848 mmcblk0p20
 179       21     409600 mmcblk0p21
 179       22   11759104 mmcblk0p22
 179       23      16384 mmcblk0p23
 179       96       4096 mmcblk0rpmb
 179       64       4096 mmcblk0boot1
 179       32       4096 mmcblk0boot0
 253        0   11759104 dm-0

The mmcblk0 partition is actually the eMMC USER region, sized 15388672 blocks (15028 Mb). It is in turn divided into 23 partitions. The boot0, boot1 and rpmb partitions have a size of 4096 blocks each, i.e. 4194304 (0x400000) bytes.

sgdisk

The /system/bin/sgdisk command is accessible only with root privileges.

sgdisk --print /dev/block/mmcblk0
Disk /dev/block/mmcblk0: 30777344 sectors, 14.7 GiB
Logical sector size: 512 bytes
Disk identifier (GUID): 00000000-0000-0000-0000-000000000000
Partition table holds up to 23 entries
First usable sector is 1024, last usable sector is 30776319
Partitions will be aligned on 1024-sector boundaries
Total free space is 0 sectors (0 bytes)

Number  Start (sector)    End (sector)  Size       Code  Name
   1            1024            7167   3.0 MiB     0700  proinfo
   2            7168           17407   5.0 MiB     0700  nvram
   3           17408           37887   10.0 MiB    0700  protect1
   4           37888           58367   10.0 MiB    0700  protect2
   5           58368           59391   512.0 KiB   0700  lk
   6           59392           60415   512.0 KiB   0700  para
   7           60416           93183   16.0 MiB    0700  boot
   8           93184          125951   16.0 MiB    0700  recovery
   9          125952          142335   8.0 MiB     0700  logo
  10          142336          162815   10.0 MiB    0700  expdb
  11          162816          163839   512.0 KiB   0700  seccfg
  12          163840          167935   2.0 MiB     0700  oemkeystore
  13          167936          180223   6.0 MiB     0700  secro
  14          180224          196607   8.0 MiB     0700  keystore
  15          196608          206847   5.0 MiB     0700  tee1
  16          206848          217087   5.0 MiB     0700  tee2
  17          217088          219135   1024.0 KiB  0700  frp
  18          219136          284671   32.0 MiB    0700  nvdata
  19          284672          360447   37.0 MiB    0700  metadata
  20          360448         6406143   2.9 GiB     0700  system
  21         6406144         7225343   400.0 MiB   0700  cache
  22         7225344        30743551   11.2 GiB    0700  userdata
  23        30743552        30776319   16.0 MiB    0700  flashinfo

Doing the math, you can see that the 23 partitions in mmcblk0 leave some space unallocated. One gap is at the beginning, sized 1024 sectors or 524288 (0x80000) bytes. The other is at the end; its size can be calculated from the difference with the size shown by cat /proc/partitions, and it is again 524288 (0x80000) bytes. These two spaces are referred to in the scatter file as pgpt and sgpt respectively (primary and secondary GPT partition tables?).
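Before a download or readback it is worth checking that the scatter file's addresses agree with the GPT actually present on the device, since SP Flash Tool writes at whatever address the scatter file states. The following is an added example, not part of the original notes: it cross-checks the recovery entry against the sgdisk listing and recomputes the two unallocated gaps. The function names are assumptions of this example.

```python
import re

# Constructed inputs: recovery entry fields and three sgdisk rows from this page.
SCATTER = """\
- partition_index: SYS9
  partition_name: recovery
  linear_start_addr: 0x2D80000
  partition_size: 0x1000000
  region: EMMC_USER
"""
SGDISK = """\
   1            1024            7167   3.0 MiB     0700  proinfo
   8           93184          125951   16.0 MiB    0700  recovery
  23        30743552        30776319   16.0 MiB    0700  flashinfo
"""
SECTOR = 512              # sgdisk: "Logical sector size: 512 bytes"
DISK_SECTORS = 30777344   # sgdisk: total sectors of /dev/block/mmcblk0

def parse_scatter(text):
    """Return {partition_name: {field: value}}, hex fields as ints."""
    parts, cur = {}, {}
    for key, val in re.findall(r"^\s*(?:- )?(\w+):\s*(\S+)", text, re.M):
        if key == "partition_index":      # each entry starts with this key
            cur = {}
        cur[key] = int(val, 16) if val.startswith("0x") else val
        if key == "partition_name":
            parts[val] = cur
    return parts

def parse_sgdisk(text):
    """Return {name: (start_byte, size_bytes)} from sgdisk table rows."""
    table = {}
    for f in map(str.split, text.splitlines()):
        if len(f) >= 7 and f[0].isdigit():
            start, end = int(f[1]), int(f[2])
            table[f[-1]] = (start * SECTOR, (end - start + 1) * SECTOR)
    return table

def mismatches(scatter, gpt):
    """Names whose scatter address or size disagrees with the device GPT."""
    return [name for name, e in scatter.items()
            if e.get("region") == "EMMC_USER" and name in gpt
            and gpt[name] != (e["linear_start_addr"], e["partition_size"])]

def gaps(gpt):
    """Bytes before the first and after the last partition (pgpt, sgpt)."""
    first = min(start for start, _ in gpt.values())
    last_end = max(start + size for start, size in gpt.values())
    return first, DISK_SECTORS * SECTOR - last_end
```

With the values on this page, sector 93184 times 512 gives 0x2D80000, so the recovery entry matches the GPT and both gaps come out as 0x80000 bytes.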

/dev/block/mmcblk0boot0

The partition /dev/block/mmcblk0boot0 is the one referred to as region EMMC_BOOT_1 in the scatter file, and it is dedicated to the preloader.

The actual Linux device content starts with the characters EMMC_BOOT. It seems that this is a header of 2048 (0x800) bytes and that the actual preloader follows it. FIXME Some stock ROMs include the preloader image without that header. But if you read back the preloader partition using SP Flash Tool, you get an image with that header included.
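Because a readback carries the header and a stock image may not, comparing the two files directly will always report a difference. The following added example (not part of the original notes) normalizes both sides before hashing; the 0x800 header length is the page's observation, and the sample bytes and function names are constructed for illustration.

```python
import hashlib

MAGIC = b"EMMC_BOOT"   # first bytes of mmcblk0boot0, as observed on this page
HEADER_LEN = 0x800     # header length reported on this page (2048 bytes)

def strip_boot_header(image: bytes) -> bytes:
    """Return the preloader body, dropping the EMMC_BOOT header if present."""
    if not image.startswith(MAGIC):
        return image
    if len(image) <= HEADER_LEN:
        raise ValueError("image ends inside the EMMC_BOOT header")
    return image[HEADER_LEN:]

def same_preloader(readback: bytes, stock: bytes) -> bool:
    """Compare a readback with a stock image, ignoring header and padding."""
    body = strip_boot_header(readback)
    stock = strip_boot_header(stock)
    # A readback covers the whole region size from the scatter file, so it is
    # longer than the stock file; only the leading len(stock) bytes count.
    got = hashlib.sha256(body[:len(stock)]).hexdigest()
    return got == hashlib.sha256(stock).hexdigest()

# Constructed sample: a fake 32-byte body, not a real preloader.
STOCK = b"constructed-preloader-body".ljust(32, b"\x00")
READBACK = MAGIC.ljust(HEADER_LEN, b"\x00") + STOCK + b"\xff" * 64
```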

Web References