USB storage: wiki history, version 1
Karsten, 11/11/2014 03:31 PM
h1. USB Storage

h2. Overview

There are a few reasons why many USB sticks have upgradeable firmware:
* There is no additional cost for rewritable storage for the firmware: it can be placed on the large NAND flash chip, with only a small bootloader in ROM.
* The flash chip market evolves quickly and not all chips are fully compatible; many compatibility issues can be fixed in firmware.
* Some vendors want to implement special features such as CD emulation or a write-protect switch.
* There are many leaked tools.

The Russian sites below are best viewed with Chrome because of its built-in translation feature.

Overview of USB sticks with information about the contained chip and the matching tool:
http://flashboot.ru/iflash/

Overview of available leaked tools:
http://flashboot.ru/files/

Unfortunately the existence of a leaked tool for a given chip does not necessarily mean that the firmware can be upgraded. Some tools only provide other features, such as the following:
* Change configuration data (product name, VID, PID) so that it matches the OEM vendor
* Enable CD emulation
* Change the capacity of the stick (sticks are typically sold with 4/8/16/32/64 GB capacity, and a stick with enough good blocks for 25 GB is often software-limited to 16 GB)
* Do a low-level format

Some leaked firmware images appear to be partial: they contain neither USB descriptors nor an 8051 interrupt table.
Partial firmware images are probably nothing more than a fancy way to abstract differences in flash geometry, where a simple static table would not be expressive enough.
It is conceivable that they also implement block management functions, as this is an area where new features might be developed to improve the product, while access to a given hardware can be expected to be reasonably efficient and generic enough so as to not require a firmware update. High-level features such as volume management and USB vendor/product/serial IDs should be found in the updated part too.
With a little bit of dedication one can probably figure out how to get information in and out and thus dump the whole of the firmware (for example 4 bytes of firmware per USB descriptor read in the VID/PID

h2. Popular chips

h3. Phison USB2 / USB3 controllers

All vulnerable -- see "BlackHat talk":https://www.youtube.com/watch?v=nuruzFqMgIw and "Psychson":https://github.com/adamcaudill/Psychson/

h3. ALCOR AU698X

* Leaked tool: ALCOR MP_v14.01.24.00.zip
Contains many .bin files, which actually contain hex data
* Unpacking the hex data results in raw 8051 code with an interrupt table, code mapped at 0xC000
* No USB descriptors found; it is possible that the upgradeable code is only used for interfacing the NAND flash
* => %{color:orange}Probably vulnerable%

h3. SMI SM325X/SM326X

* Many variants of the recovery tool are available; download RecoverTool_V2.00.33_L1224.exe from
http://www.usbdev.ru/files/smi/
* The exe file contains a rar archive with 500 .BIN files
* Examined two example files; found 8051 code starting at 0x800 in the file, mapped at 0x8000 in the address space
* USB descriptors found
* => %{color:red}Most likely vulnerable%
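The triage applied in the ALCOR and SMI notes above (unpack the hex data, check for an 8051 interrupt table at the mapped base, scan for USB descriptors), as an added Python example that is not code from the original page or from any of the leaked tools. The sample image, its 0xC000 base and the VID/PID 0x1234/0x5678 are constructed values, and both the vector-table and descriptor checks are heuristics rather than a vendor format.

```python
import struct

VECTORS = (0x0000, 0x0003, 0x000B, 0x0013, 0x001B, 0x0023)   # 8051 reset + interrupt vector slots
LJMP = 0x02                                                   # 8051 "LJMP addr16" opcode

def parse_ihex(text):
    """Flatten minimal Intel HEX (type 00 data records, no extended addressing) into (base, bytes)."""
    chunks = {}
    for line in (s for s in map(str.strip, text.splitlines()) if s.startswith(":")):
        raw = bytes.fromhex(line[1:])
        if sum(raw) & 0xFF:                       # record bytes plus checksum must sum to 0 mod 256
            raise ValueError("bad checksum: " + line)
        count, addr, rtype = raw[0], struct.unpack(">H", raw[1:3])[0], raw[3]
        if rtype == 0x00:                         # data record; type 01 (EOF) carries nothing
            chunks[addr] = raw[4:4 + count]
    base, end = min(chunks), max(a + len(d) for a, d in chunks.items())
    image = bytearray(b"\xff" * (end - base))     # unwritten gaps read as erased flash
    for a, d in chunks.items():
        image[a - base:a - base + len(d)] = d
    return base, bytes(image)

def has_8051_vector_table(image, base):
    """Heuristic: every vector slot holds an LJMP whose big-endian target lies inside the mapped image."""
    return len(image) >= VECTORS[-1] + 3 and all(
        image[v] == LJMP and base <= struct.unpack(">H", image[v + 1:v + 3])[0] < base + len(image)
        for v in VECTORS)

def find_usb_device_descriptors(image):
    """(offset, VID, PID) per 18-byte run shaped like a device descriptor (0x12, 0x01, bcdUSB, bMaxPacketSize0)."""
    hits = []
    for off in range(len(image) - 17):
        d = image[off:off + 18]
        if d[0] == 0x12 and d[1] == 0x01 and d[2:4] in (b"\x10\x01", b"\x00\x02") and d[7] in (8, 16, 32, 64):
            hits.append((off,) + struct.unpack("<HH", d[8:12]))
    return hits

def to_ihex(base, image, reclen=16):
    """Encode an image as Intel HEX (used only to build the constructed sample input below)."""
    recs = [bytes([len(image[o:o + reclen])]) + struct.pack(">H", base + o) + b"\x00" + image[o:o + reclen]
            for o in range(0, len(image), reclen)]
    return "\n".join(":" + (r + bytes([(-sum(r)) & 0xFF])).hex().upper() for r in recs) + "\n:00000001FF"

def build_sample_image():
    """Constructed stand-in for a leaked image (not real firmware): vectors for base 0xC000, one descriptor."""
    img = bytearray(0x72)
    for v in VECTORS:                             # reset -> 0xC040 (SJMP $ loop), interrupts -> 0xC050 (RETI)
        img[v:v + 3] = bytes([LJMP, 0xC0, 0x40 if v == 0 else 0x50])
    img[0x40:0x42], img[0x50] = b"\x80\xFE", 0x32
    img[0x60:0x72] = bytes.fromhex("1201000200000040") + struct.pack("<HH", 0x1234, 0x5678) + bytes.fromhex("000101020301")
    return bytes(img)
```

For a raw .BIN such as the SMI files, skip `parse_ihex` and pass the slice starting at the code offset (0x800 in the file) together with its mapped base (0x8000) straight to the two checks.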

h3. Skymedi SK62XX SK66XX

* Available tool: http://flashboot.ru/files/file/4/
SK6211_PDT_20090828.rar
* Contains ihex files with valid 8051 code, but no USB descriptors found
* => %{color:orange}Probably vulnerable%

h3. Solid State System SSS6677, SSS6690 and SSS6691

* Tool available:
http://flashboot.ru/files/file/270/
SSS_MP_Utility_v2162.rar
* Contains valid 8051 code, but no USB descriptors found
* => %{color:orange}Probably vulnerable%

h3. Innostor IS903-A2, IS903-A3

* Tool available:
http://flashboot.ru/files/file/379/
Innostor_IS903_MP_Package_V105_04_1303281.7z
* Found valid 8051 code, but no USB descriptors
* => %{color:orange}Probably vulnerable%