Project

General

Profile

SD card adapters » History » Version 2

Ben, 11/11/2014 05:22 PM

1 1 Karsten
h1. SD card adapters
2 1 Karsten
3 1 Karsten
h2. Disassembled devices
4 1 Karsten
5 1 Karsten
h3. Cheap noname USB2.0 SD card reader
6 1 Karsten
7 1 Karsten
* AU6331 no flash chip, only voltage regulator, ROM only
8 1 Karsten
* => %{color:green}Most likely not vulnerable%
9 1 Karsten
10 1 Karsten
h3. HAMA USB3 Cardreader all in one
11 1 Karsten
12 1 Karsten
* Genesys Logic GL3220 with pm25lv512 SPI Flash (512 Kbit / 64 KiB)
13 1 Karsten
* SPI Flash is probably used for firmware
14 1 Karsten
* 8051 Core with ROM (probably bootloader and/or default firmware) and RAM
15 1 Karsten
* It supports ISP (In System Programming) for firmware upgrade from the external SPI Flash via USB port => Most likely vulnerable
16 1 Karsten
* We could unsolder and read out the flash chip to dump the firmware
17 1 Karsten
Firmware upgrades (including Windows tools) available, two different firmware images: Version TS22 and Version 551
18 1 Karsten
  http://www.necacom.net/index.php/genesys/8243-genesys-logic-gl3220-usb-3-0-card-reader-firmware-551
19 1 Karsten
  http://www.station-drivers.com/index.php/downloads/Drivers/Genesys-Logic/USB-3.0/
20 1 Karsten
=> Contains binary firmware file 0551.bin with 64 KiB size => Heuristics indicate that the file is raw 8051 code mapped directly into the code address space of the 8051.
21 1 Karsten
=> %{color:red}Most likely vulnerable%, practical reversing and firmware patching could start very quickly
22 1 Karsten
23 1 Karsten
h3. Unknown multi-card reader [from lab, case already missing]
24 1 Karsten
25 1 Karsten
* AU6477CL, no additional chips
26 1 Karsten
* 30MHz 8051 CPU, ROM only
27 1 Karsten
* Chip doesn't even support external SPI Flash
28 1 Karsten
=> %{color:green}Most likely not vulnerable%
29 1 Karsten
30 1 Karsten
h3. Noname (yellow) USB 2.0 SD Card reader from lab
31 1 Karsten
32 1 Karsten
* AU6331
33 1 Karsten
* Processor (unknown architecture) with ROM
34 1 Karsten
=> %{color:green}Most likely not vulnerable%
35 1 Karsten
36 1 Karsten
h3. Hama USB3.0 SD/MicroSD Reader (Mediamarkt 20141106)
37 1 Karsten
38 1 Karsten
* RTS5306 with Pm25LD010 (128 KiB SPI Flash)
39 1 Karsten
* Datasheet found on obscure Chinese site
40 1 Karsten
With the external Serial flash interface, the control firmware could be easily re-configured through
41 1 Karsten
USB link.
42 1 Karsten
* External SPI Flash is optional according to datasheet, but the particular Hama card reader does contain a flash chip
43 1 Karsten
=> %{color:red}Most likely vulnerable%
44 1 Karsten
45 1 Karsten
h3. RTS5111 (No physical device available)
46 1 Karsten
47 1 Karsten
* http://www.realtek.com.tw/products/productsView.aspx?Langid=1&PFid=25&Level=4&Conn=3&ProdID=48
48 1 Karsten
* The RTS5111 has an internal ROM for MCU programs, and provides an external program flash memory interface for firmware update purposes. Firmware code can be downloaded through the USB interface to the RTS5111, and then be written into external flash memory automatically.
49 1 Karsten
=> %{color:red}Most likely vulnerable%
50 1 Karsten
51 1 Karsten
h3. ISY USB 2.0 Universal card reader ICR 2100 (Mediamarkt 20141106)
52 1 Karsten
53 1 Karsten
* GL834, no external flash/eeprom
54 1 Karsten
* 8051 Controller with integrated ROM
55 1 Karsten
* http://www.usbdev.ru/cics/icgenesyslogic/
56 1 Karsten
* Chip would support firmware upgrades with an external SPI flash, but this device doesn't have one
57 1 Karsten
=> %{color:green}Most likely not vulnerable%
58 1 Karsten
59 2 Ben
h3. CSL USB3.0 Card reader, All-in-One, CSL-Nr 25048
60 1 Karsten
61 1 Karsten
* GL3233 with PM25LD010 (128 KiB SPI Flash)
62 1 Karsten
* Contains 8051 core
63 1 Karsten
* Supports ISP (In System Programming) for firmware upgrade into external SPI Flash via USB port.
64 1 Karsten
* Leaked firmware upgrades are available
65 1 Karsten
=> %{color:red}Most likely vulnerable%