Project

General

Profile

SD card adapters » History » Version 1

Version 1/2 - Next » - Current version
Karsten, 11/11/2014 03:27 PM


SD card adapters

Disassembled devices

Cheap noname USB2.0 SD card reader

  • AU6331 no flash chip, only voltage regulator, ROM only
  • => Most likely not vulnerable

HAMA USB3 Cardreader all in one

  • Genesys Logic GL3220 with pm25lv512 SPI Flash (512 Kbit / 64 KiB)
  • SPI Flash is probably used for firmware
  • 8051 Core with ROM (probably bootloader and/or default firmware) and RAM
  • It supports ISP (In System Programming) for firmware upgrade from the external SPI Flash via USB port => Most likely vulnerable
  • We could unsolder and read out the flash chip to dump the firmware
    Firmware upgrades (including Windows tools) available, two different firmware images: Version TS22 and Version 551
    http://www.necacom.net/index.php/genesys/8243-genesys-logic-gl3220-usb-3-0-card-reader-firmware-551
    http://www.station-drivers.com/index.php/downloads/Drivers/Genesys-Logic/USB-3.0/
    => Contains binary firmware file 0551.bin with 64 KiB size => Heuristics indicate that the file is raw 8051 code mapped directly into the code address space of the 8051.
    => Most likely vulnerable, practical reversing and firmware patching could start very quickly

Unknown multi-card reader [from lab, case already missing]

  • AU6477CL, no additional chips
  • 30MHz 8051 CPU, ROM only
  • Chip doesn't even support external SPI Flash
    => Most likely not vulnerable

Noname (yellow) USB 2.0 SD Card reader from lab

  • AU6331
  • Processor (unknown architecture) with ROM
    => Most likely not vulnerable

Hama USB3.0 SD/MicroSD Reader (Mediamarkt 20141106)

  • RTS5306 with Pm25LD010 (128 KiB SPI Flash)
  • Datasheet found on obscure Chinese site
    With the external Serial flash interface, the control firmware could be easily re-configured through
    USB link.
  • External SPI Flash is optional according to datasheet, but the particular Hama card reader does contain a flash chip
    => Most likely vulnerable

RTS5111 (No physical device available)

ISY USB 2.0 Universal card reader ICR 2100 (Mediamarkt 20141106)

  • GL834, no external flash/eeprom
  • 8051 Controller with integrated ROM
  • http://www.usbdev.ru/cics/icgenesyslogic/
  • Chip would support firmware upgrades with an external SPI flash, but this device doesn't have one
    => Most likely not vulnerable

CSL USB3.0 Cardreader, All-in-One, CSL-Nr 25048

  • GL3233 with PM25LD010 (128 KiB SPI Flash)
  • Contains 8051 core
  • Supports ISP (In System Programming) for firmware upgrade into external SPI Flash via USB port.
  • Leaked firmware upgrades are available
    => Most likely vulnerable