Dumping Mediatek EMMC

The following steps were performed on a Windows (7) computer, SP Flash Tool does exist for Linux, but I was unable (aka, didn’t try hard enough) to get it working correctly. For some unknown reason between most steps I had to restart SP Flash Tool, otherwise the Mediatek device wasn’t detected, don’t ask me why.

When Mediatek devices boot, shortly after power on, any computer connected via USB will detect an “MT65xx preloader” device, this should last for about 2 seconds and then disappear. This preloader allows user’s to flash the device, and also recover data.

Open SP Flash Tool, go to the “Download” tab and provide any Mediatek device scatter file:

Open the “Memory Test” tab:

Hit “Start” and power on the Mediatek device, plugged in to the computer via USB:

The following error message should appear:

The bad news is that you’re using the wrong scatter file (but we knew that anyway), the good news is that we now have a chip type, and we can find a more appropriate scatter file ! You can power off the Mediatek device (for now).

Load the “correct” scatter file (found somewhere on the web) into SP Flash tool, and open the “Readback” tab:

Click on “Add”, then hit “Read Back”, and turn on the Mediatek device:

The result should come back pretty quick, and in the bottom left hand corner there’s a handy little box full of info about the Mediatek device. Unfold the “EMMC Flash” panel:

Scroll down to the bottom, what’s important here is “UA Size”, the actual size of the entire EMMC_USER partition. Copy that value to your clipboard, because you’ll be needing it in the next step:

For this part, stay on the “Readback” tab and double click the only line in the table. Choose where you want to store the EMMC image, then the following window should pop up, all you need to do is paste the “UA Size” from the previous step in the “Length” field. Make sure that “Region” is “EMMC_USER” and “Start address” is just “0x00000” (the number of zeroes doesn’t matter, 0x0 = 0x00 = 0x00000000 )

Click “OK”, hit “Read Back” and power up the Mediatek device: the download will start and all you have to do is wait !

You can (should) also backup the BOOT1 and BOOT2 partitions, the required information is also provided in the “EMMC Flash” bottom-left panel.

Now that you have the image, you can move back to a reliable operating system (Linux) and see what’s inside:

$ fdisk -l emmc.img  
Disk emmc.img: 14,56 GiB, 15634268160 bytes, 30535680 sectors  
Units: sectors of 1 * 512 = 512 bytes  
Sector size (logical/physical): 512 bytes / 512 bytes  
I/O size (minimum/optimal): 512 bytes / 512 bytes  
Disklabel type: gpt  
Disk identifier: 00000000-0000-0000-0000-000000000000  
​  
Device        Start      End  Sectors  Size Type  
emmc.img1      1024     7167     6144    3M Microsoft basic data  
emmc.img2      7168    17407    10240    5M Microsoft basic data  
emmc.img3     17408    37887    20480   10M Microsoft basic data  
emmc.img4     37888    58367    20480   10M Microsoft basic data  
emmc.img5     58368    58879      512  256K Microsoft basic data  
emmc.img6     58880    59647      768  384K Microsoft basic data  
emmc.img7     59648    60415      768  384K Microsoft basic data  
emmc.img8     60416    93183    32768   16M Microsoft basic data  
emmc.img9     93184   125951    32768   16M Microsoft basic data  
emmc.img10   125952   126975     1024  512K Microsoft basic data  
emmc.img11   126976   143359    16384    8M Microsoft basic data  
emmc.img12   143360   176127    32768   16M Microsoft basic data  
emmc.img13   176128   995327   819200  400M Microsoft basic data  
emmc.img14   995328  1015807    20480   10M Microsoft basic data  
emmc.img15  1015808  1017855     2048    1M Microsoft basic data  
emmc.img16  1017856  1028095    10240    5M Microsoft basic data  
emmc.img17  1028096  1038335    10240    5M Microsoft basic data  
emmc.img18  1038336  1042431     4096    2M Microsoft basic data  
emmc.img19  1042432  1046527     4096    2M Microsoft basic data  
emmc.img20  1046528  1114111    67584   33M Microsoft basic data  
emmc.img21  1114112  5308415  4194304    2G Microsoft basic data  
emmc.img22  5308416  5922815   614400  300M Microsoft basic data  
emmc.img23  5922816 22708223 16785408    8G Microsoft basic data  
emmc.img24 22708224 30501887  7793664  3,7G Microsoft basic data  
emmc.img25 30501888 30534655    32768   16M Microsoft basic data

You can try mounting partitions, a bit of math is required, let’s say we want to mount the emmc.img23 partition:

Device        Start      End  Sectors  Size Type  
emmc.img23  5922816 22708223 16785408    8G Microsoft basic data

You need to take the “Start” offset (5922816 in this case) and multiply this by the sector size (512), which gives us: 3032481792. Now we can mount:

$ mount -o loop,offset=3032481792 emmc.img /mnt/tmp