SATA adapters
USB-to-SATA bridges (from small dongles up to small desktop boxes) can generally be expected to have upgradable firmware. By specification they are required to have one control endpoint and two bulk endpoints.
Controllers
Notes legend:
- img: firmware image available
- viaUSB: firmware update via USB bus (according to advertisement)
Company | Models | Notes |
---|---|---|
JMicron | JMS539,JSM559,JMS567,JMS551,... | img 8051 viaUSB |
ASMedia | 1153 | img 8051 viaUSB |
TI | TUSB9260 | cortexM3 viaUSB |
Fujitsu | MB86C30A | img ARM7TDMI-S viaUSB |
Prolific | PL2571,PL2771,PL2773,PL2775 | img 8051 viaUSB |
VIA | VL700,VL701 | img 8051 viaUSB |
Genesys | GL3310,GL3321G | ? |
Norelsys | NS1066 | img 8051 viaUSB |
LucidPort | USB300,USB302 | ? |
Disassembled devices
LogiLink AU0028A
- ASMedia 1051e
- Windows firmware updater .exe available
- Extracting the .exe file with binwalk yields the firmware binary
- The binary contains valid 8051 code with an interrupt table and USB descriptors
- => Most likely vulnerable
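
The check described for the AU0028A image (8051 interrupt table plus USB descriptors), as an added example that is not part of the original page: a heuristic triage of an extracted blob. It assumes the image starts at code address 0 with no vendor header; the sample image, its VID/PID and all function names are constructed for illustration.

```python
import struct

# Standard 8051 vector addresses: reset, INT0, Timer0, INT1, Timer1, serial.
VECTORS = (0x0000, 0x0003, 0x000B, 0x0013, 0x001B, 0x0023)
LJMP, RETI = 0x02, 0x32
BCD_USB = {0x0110, 0x0200, 0x0210, 0x0300, 0x0310}
MAX_PKT0 = {8, 16, 32, 64, 9}  # 9 means 2**9 bytes, the USB 3.x encoding


def vector_table_score(blob, base=0):
    """Count vector slots that hold RETI or an LJMP to an in-image address."""
    hits = 0
    for addr in VECTORS:
        off = base + addr
        if off + 3 > len(blob):
            break
        op, target = blob[off], struct.unpack_from(">H", blob, off + 1)[0]
        if op == RETI or (op == LJMP and target < len(blob) - base):
            hits += 1
    return hits


def find_device_descriptors(blob):
    """Return (offset, idVendor, idProduct) for plausible device descriptors."""
    found, pos = [], blob.find(b"\x12\x01")  # bLength=18, bDescriptorType=DEVICE
    while pos != -1 and pos + 18 <= len(blob):
        f = struct.unpack_from("<BBHBBBBHHHBBBB", blob, pos)
        if f[2] in BCD_USB and f[6] in MAX_PKT0 and 1 <= f[13] <= 8:
            found.append((pos, f[7], f[8]))
        pos = blob.find(b"\x12\x01", pos + 1)
    return found


def build_sample():
    """Constructed 8051-style image: vectors at 0, device descriptor at 0x100."""
    img = bytearray(b"\xff" * 0x200)
    for addr in VECTORS:
        img[addr:addr + 3] = bytes([LJMP, 0x00, 0x40 + addr])
    img[0x100:0x112] = struct.pack("<BBHBBBBHHHBBBB", 18, 1, 0x0210, 0, 0, 0,
                                   64, 0x1234, 0xABCD, 0x0100, 1, 2, 3, 1)
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample()
    print("vector slots matched:", vector_table_score(sample), "of", len(VECTORS))
    print("device descriptors:", find_device_descriptors(sample))
```

A high vector score together with at least one plausible descriptor is a hint, not proof: images wrapped in a vendor header need a non-zero `base`, and two-byte matches on random data still have to pass the field checks.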
Buffalo HD-HXU3
- Fujitsu MB86C30A USB 3.0 to SATA Storage Controller
- Google Images shows an SPI flash on the PCB
- No leaked tools available, but a user manual on Baidu mentions that the chip has a maintenance mode, which can probably be used for upgrading the firmware
- => Most likely vulnerable
Unitek Y-3322
- JMicron JMS551 SuperSpeed USB to 2 ports SATA II 3.0G Bridge
- Leaked tools for JMS551 chip are available
- No PCB photo found; it is unclear whether the device has an SPI flash or not
- => Probably vulnerable
Unknown USB 2.0 to SATA Adapter [from lab, case already missing]
- JMicron JM20329 chip with ATML H820 / 46d
- Supports external NVRAM for vendor-specific VID/PID of the USB device controller
- => Most likely not vulnerable
LogiLink AU0006D USB IDE & SATA Adapter with OTB function
- JM20337, no external flash/EEPROM
- Chip supports external EEPROM for configuration only
- => Most likely not vulnerable
External 2.5" case USB + eSATA:
- Sunplus SPIF225A-HL239, second chip is just a voltage regulator for SATA 3.3V
- 8051 controller with 32K ROM and 768B RAM
- => Most likely not vulnerable
ORICO 3 SATA HDD USB2.0 Adapter
- APM4435 (MOSFET)
- AX3121 (step-down converter)
- Pm25LD512 (64 KiB SPI flash)
- JMB352U (USB SATA bridge)
- 60MIPS 8051 with 64k-byte mask ROM
- Official datasheet says that external storage is used for configuration data
- But: http://www.jmicron.com/solution06.html
  "The first application of the JMB352U: a 1:1 HDD duplicator. The USB 2.0 port is utilized to update the JMB352U firmware only, while the eSATA port can be used to access the data in the two SATA devices"
- => Firmware is upgradeable via USB
- => Could not find any leaked firmware files/tools, but it is not too difficult to unsolder and read out the SPI flash
- => Most likely vulnerable