Hello,
I am working on embedded automotive systems repair and investigating
behavior of Samsung eMMC (KLMBG4GEUF) in systems that appear to use OP-TEE
for secure storage.
Real scenario:
- Two identical devices (same hardware)
- One working, one not booting
- Full eMMC dump taken from working device:
- USER
- BOOT1 / BOOT2
- EXT_CSD
- RPMB (reported readable, but content appears empty or not usable)
Tests:
- Writing full dump to another device → no boot
- Swapping eMMC between boards → both fail
- Writing only USER → no change
From observations:
- RPMB appears non-clonable
- Secure storage likely bound to hardware
- Boot seems dependent on this binding
Questions:
1. In OP-TEE, is RPMB always tied to a hardware unique key (HUK)?
2. Is it expected that RPMB content cannot be reused across identical
devices?
3. Does OP-TEE enforce secure storage binding in a way that prevents
cloning?
4. In case of damaged eMMC, is there any supported way to reinitialize
or recover secure storage?
I am not trying to bypass security, but to understand the architectural
limitation in real repair scenarios.
Any clarification would be highly appreciated.
Best regards,
