SD card adapters¶

Disassembled devices¶

Cheap noname USB2.0 SD card reader¶

• AU6331 no flash chip, only voltage regulator, ROM only
• => Most likely not vulnerable

HAMA USB3 Cardreader all in one¶

• Genesys Logic GL3220 with pm25lv512 SPI Flash (512 Kbit / 64 KiB)
• SPI Flash is probably used for firmware
• 8051 Core with ROM (probably bootloader and/or default firmware) and RAM
• It supports ISP (In System Programming) for firmware upgrade from the external SPI Flash via USB port => Most likely vulnerable
• We could unsolder and read out the flash chip to dump the firmware
  Firmware upgrades (including Windows tools) available, two different firmware images: Version TS22 and Version 551
  http://www.necacom.net/index.php/genesys/8243-genesys-logic-gl3220-usb-3-0-card-reader-firmware-551
  http://www.station-drivers.com/index.php/downloads/Drivers/Genesys-Logic/USB-3.0/
  => Contains binary firmware file 0551.bin with 64 KiB size => Heuristics indicate that the file is raw 8051 code mapped directly into the code address space of the 8051.
  => Most likely vulnerable, practical reversing and firmware patching could start very quickly

Unknown multi-card reader [from lab, case already missing]¶

• AU6477CL, no additional chips
• 30MHz 8051 CPU, ROM only
• Chip doesn't even support external SPI Flash
  => Most likely not vulnerable

Noname (yellow) USB 2.0 SD Card reader from lab¶

• AU6331
• Processor (unknown architecture) with ROM
  => Most likely not vulnerable

Hama USB3.0 SD/MicroSD Reader (Mediamarkt 20141106)¶

• RTS5306 with Pm25LD010 (128 KiB SPI Flash)
• Datasheet found on obscure Chinese site
  With the external Serial flash interface, the control firmware could be easily re-configured through
  USB link.
• External SPI Flash is optional according to datasheet, but the particular Hama card reader does contain a flash chip
  => Most likely vulnerable

RTS5111 (No physical device available)¶

• http://www.realtek.com.tw/products/productsView.aspx?Langid=1&PFid=25&Level=4&Conn=3&ProdID=48
• The RTS5111 has an internal ROM for MCU programs, and provides an external program flash memory interface for firmware update purposes. Firmware code can be downloaded through the USB interface to the RTS5111, and then be written into external flash memory automatically.
  => Most likely vulnerable

ISY USB 2.0 Universal card reader ICR 2100 (Mediamarkt 20141106)¶

• GL834, no external flash/eeprom
• 8051 Controller with integrated ROM
• http://www.usbdev.ru/cics/icgenesyslogic/
• Chip would support firmware upgrades with an external SPI flash, but this device doesn't have one
  => Most likely not vulnerable

CSL USB3.0 Card reader, All-in-One, CSL-Nr 25048¶

• GL3233 with PM25LD010 (128 KiB SPI Flash)
• Contains 8051 core
• Supports ISP (In System Programming) for firmware upgrade into external SPI Flash via USB port.
• Leaked firmware upgrades are available
  => Most likely vulnerable