BadUSB Exposure

h1. SATA adapters

USB sata bridges (small dongles up to small desktop boxes) can be expected to have upgradable firmware in general. By specification they are required to have 1 ctrl + 2 bulk endpoints.

h2. Controllers

*Notes Legend*

img: firmware image available

viaUSB: firmware update via usb bus (according to advertisement)

|_.Company  |_.Models                         |_.Notes          |

|JMicron    |JMS539,JSM559,JMS567,JMS551,...  |img 8051 viaUSB  |

|ASMedia    |1153                             |img 8051 viaUSB  |

|TI         |TUSB9 260                        |cortexM3 viaUSB  |

|Fujitsu    |MB86C30A                         |img ARM7 TDMI-S viaUSB|

|Prolific   |PL2571,PL2771,PL2773,PL2775      |img 8051 viaUSB  |

|VIA        |VL700,VL701                      |img 8051 viaUSB  |

|Genesys    |GL3310,GL3321G                   |?                |

|Norelsys   |NS1066                           |img 8051 viaUSB  |

|LucidPort  |USB300,USB302                    |?                |

h2. Disassembled devices

h3. LogiLink AU0028A

* ASMedia 1051e

* Windows firmware updater .exe available

* Extracting exe file with binwalk results in firmware binary

* Contains valid 8051 code with interrupt table and USB Descriptors

* => %{color:red}Most likely vulnerable%

h3. Buffalo HD-HXU3 

* Fujitsu MB86C30A USB 3.0 to SATA Storage Controller

* Google images shows SPI flash on PCB

* No leaked tools available but a user manual on Baidu mentions that the chip has a maintenance mode, which can probably be used for upgrading the firmware

* => %{color:red}Most likely vulnerable%

h3. Unitek Y-3322 

* JMicron JMS551 SuperSpeed USB to 2 ports SATA II 3.0G Bridge

* Leaked tools for JMS551 chip are available

* No PCB Photo found, it is unclear whether the device has an SPI Flash or not

* * => %{color:orange}Probably vulnerable%

h3. Unknown USB 2.0 to SATA Adapter [from lab, case already missing]

* JMicron JM20329 chip with ATML H820\n46d

* Support external NVRAM for vendor specific VID/PID of USB Device Controller

=> %{color:green}Most likely not vulnerable%

h3. LogiLink AU0006D USB IDE & SATA Adapter wit OTB function

* JM20337, no external flash/eeprom

* Chip supports external EEPROM for configuration only

=> %{color:green}Most likely not vulnerable%

h3. External 2.5 case USB + ESATA:

* Sunplus SPIF225A-HL239, second chip is just a voltage regulator for SATA 3.3V

* 8051 Controller with 32K ROM and 768B RAM

=> %{color:green}Most likely not vulnerable%

h3. ORICO 3 SATA HDD USB2.0 Adapter

* APM4435 (MOSFET)

* AX3121 (Step-Down Convertor)

* Pm25LD512 (64 KiB SPI Flash)

* JMB352U (USB Sata Bridge)

* 60MIPS 8051 with 64k-byte mask ROM

* Official datasheet says that external storage is used for configuration data

* But: http://www.jmicron.com/solution06.html

The first application of the JMB352U: a 1:1 HDD duplicator. The USB 2.0 port is utilized to update the JMB352U firmware only, while the eSATA port can be used to access the data in the two SATA devices

=> Firmware is upgradeable via USB

=> Could not find any leaked firmware files/tools but it is not too difficult to unsolder and read out the SPI flash

=> %{color:red}Most likely vulnerable%