ShmooCon2014-Controlling USB Flash Drive Controllers

My transcription of https://archive.org/details/ShmooCon2014_Controlling_USB_Flash_Drive_Controllers, and some notes copied from https://gist.github.com/warewolf/e19d6817f1d59939a32fbd9e1a30b9d2. The lecturer is Richard Harman. The text is in Markdown format.

Uploaded by yaohao0814. Copyright: © Public Domain.

# Phison PS2251-xx USB flash drive controller mode configuration

### Overview

Phison based flash drives have various modes that dictate how they operate:

1. as a regular flash drive (mode 3)

2. as a dual-volume flash drive (mode 7)

3. as a single volume flash drive + cdrom (mode 21)

For more details, please look at the [video](https://archive.org/details/ShmooCon2014_Controlling_USB_Flash_Drive_Controllers) or the [slides](https://www.slideshare.net/xabean/controlling-usb-flash-drive-controllers-expose-of-hidden-features) from my shmoocon presentation.

### Preparing for dumping the drive's current configuration info

Assuming you're doing this under Linux, insert your flash drive and look at your
kernel messages. You're looking for the 'scsi generic' device:

```
Jun 07 21:48:32 darkstar kernel: usb 2-1.4: new high-speed USB device number 28 using ehci-pci
Jun 07 21:48:32 darkstar kernel: usb 2-1.4: New USB device found, idVendor=13fe, idProduct=5500
Jun 07 21:48:32 darkstar kernel: usb 2-1.4: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Jun 07 21:48:32 darkstar kernel: usb 2-1.4: Product:
Jun 07 21:48:32 darkstar kernel: usb 2-1.4: Manufacturer:
Jun 07 21:48:32 darkstar kernel: usb 2-1.4: SerialNumber: 070A8433D0485364
Jun 07 21:48:32 darkstar kernel: usb-storage 2-1.4:1.0: USB Mass Storage device detected
Jun 07 21:48:32 darkstar kernel: scsi host8: usb-storage 2-1.4:1.0
Jun 07 21:48:33 darkstar kernel: scsi 8:0:0:0: Direct-Access PMAP PQ: 0 ANSI: 6
Jun 07 21:48:33 darkstar kernel: sd 8:0:0:0: Attached scsi generic sg5 type 0
Jun 07 21:48:33 darkstar kernel: sd 8:0:0:0: [sdd] 15482880 512-byte logical blocks: (7.93 GB/7.38 GiB)
Jun 07 21:48:33 darkstar kernel: sd 8:0:0:0: [sdd] Write Protect is off
Jun 07 21:48:33 darkstar kernel: sd 8:0:0:0: [sdd] Mode Sense: 23 00 00 00
Jun 07 21:48:33 darkstar kernel: sd 8:0:0:0: [sdd] No Caching mode page found
Jun 07 21:48:33 darkstar kernel: sd 8:0:0:0: [sdd] Assuming drive cache: write through
Jun 07 21:48:33 darkstar kernel: sdd: sdd1
Jun 07 21:48:33 darkstar kernel: sd 8:0:0:0: [sdd] Attached SCSI removable disk
```

In this case, our scsi generic device is `/dev/sg5`.

### Dumping the drive's current configuration info

Run `sg_raw` from sg3_utils to dump the configuration. You're going to need to be
root to do this.

`sg_raw -r 1k -v /dev/sg5 06 05 00 00 00 00 00 00 80 00 00 00`

You should get something back similar to this:


```
[root@darksatr 8g]# sg_raw -r 1k -v /dev/sg5 06 05 00 00 00 00 00 00 80 00 00 00
cdb to send: 06 05 00 00 00 00 00 00 80 00 00 00
SCSI Status: Good

Received 528 bytes of data:


00 12 01 00 02 00 00 00 40 fe 13 00 55 00 01 01 02 .......@...U....
10 03 01 04 03 09 04 00 00 00 00 00 00 00 00 00 00 ................
20 00 00 00 00 00 00 00 00 00 00 00 00 12 03 20 20 ..............
30 20 20 20 20 20 20 00 00 00 00 00 00 00 00 00 00 ..........
40 00 00 00 00 00 00 22 03 20 20 20 20 20 20 20 20 ......".
50 20 20 20 20 20 20 20 20 00 00 00 00 00 00 00 00 ........
60 22 03 30 35 37 33 30 36 41 34 38 30 34 30 33 30 ".057306A4804030
70 33 30 44 30 30 30 34 30 38 30 30 30 30 30 30 30 30D0004080000000
80 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
90 30 30 30 30 05 06 10 11 0c 1d ff 01 20 20 20 20 0000........
a0 20 20 20 20 20 20 20 20 20 20 20 20 de 01 00 00 ....
b0 20 20 20 20 20 20 20 20 50 4d 41 50 31 00 00 00 PMAP1...
c0 0c ff ff ff 50 68 49 73 4f 6e 00 ff 01 06 07 ff ....PhIsOn......
d0 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 ................
e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
f0 00 00 00 00 00 22 ff ff ff ff ff ff ff ff ff ff ....."..........
100 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
110 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
120 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
130 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
140 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
150 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
160 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
170 01 00 00 00 ff ff ff ff ff ff 56 52 93 10 23 07 ..........VR..#.
180 00 00 ff 20 07 69 03 ff ff 49 53 50 96 2b ff ff ... .i...ISP.+..
190 ff ff ff ff ff ff ff ff ff ff ff ff 00 ff ff ff ................
1a0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
1b0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
1c0 ff ff ca fe 01 22 67 01 00 00 ff ff ff ff ff ff ....."g.........
1d0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
1e0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
1f0 ff ff ff ff 54 ff ff ff ff ff ff ff 00 00 00 00 ....T...........
200 49 46 00 00 00 00 00 00 00 00 00 00 00 00 00 00 IF..............
No errors
[root@darksatr 8g]#
```

If you don't see something on the screen like the above, either you picked the
wrong scsi generic device, or your flash drive isn't based on a Phison USB flash
drive controller.

By the way: bytes 0x17E-0x17F (here 0x2307) are the Phison chip ID (this drive is a PS2307, aka
PS2251-07).

You may want to save this off to a file in case you need to restore it later (not
certain on how to do that just yet):

`sg_raw -r 1k -v -o info.bin /dev/sg5 06 05 00 00 00 00 00 00 80 00 00 00`

### Dumping the drive's current configuration page

If you *do* see the above, we can proceed! Look at offset 0x200: you see 0x4946 (the "IF" in
the ASCII column). I don't really know what this configuration page is for (aside from what
appears to be the serial number and some other settings), but the 0x49 and 0x46 are necessary
for dumping the actual configuration of how the drive is configured. I mention 0x49 and 0x46
because those bytes are used to select the correct "page"(?) of the flash drive's
configuration, but when I fuzzed 0x00-0xFF for the positions where 0x49 and 0x46 go in the
following command, only a few values (fewer than 5) returned different data.

`sg_raw -r 1k -v -o configuration.bin /dev/sg5 06 05 49 4e 46 4f 00 00 80 00 00 00`

This should create `configuration.bin`, which contains the raw configuration page (an `xxd`
dump of one is shown below). To make it easy to modify and send back to the drive, I like to
use `xxd` and `xxd -r`.

`xxd configuration.bin > configuration.txt`

Your configuration may be something similar to this:

```
00000000: 1201 0002 0000 0040 fe13 0055 0001 0102 .......@...U....
00000010: 0301 0403 0904 0000 0000 0000 0000 0000 ................
00000020: 0000 0000 0000 0000 0000 0000 1203 2020 ..............
00000030: 2020 2020 2020 0000 0000 0000 0000 0000 ..........
00000040: 0000 0000 0000 2203 2020 2020 2020 2020 ......".
00000050: 2020 2020 2020 2020 0000 0000 0000 0000 ........
00000060: 2203 3035 3733 3036 4134 3830 3430 3330 ".057306A4804030
00000070: 3330 4430 3030 3430 3830 3030 3030 3030 30D0004080000000
00000080: 3030 3030 3030 3030 3030 3030 3030 3030 0000000000000000
00000090: 3030 3030 0000 0000 0000 0000 2020 2020 0000........
000000a0: 2020 2020 2020 2020 2020 2020 0300 000a ....
000000b0: 2020 2020 2020 2020 504d 4150 3100 0000 PMAP1...
000000c0: 0cff ffff 5068 4973 4f6e 0007 0000 0000 ....PhIsOn......
000000d0: 0000 0000 0000 0000 0000 000d 0b11 0503 ................
000000e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000f0: 0000 0000 0000 0000 0000 0000 003f 964b .............?.K
00000100: 6432 0fd0 0000 0000 0000 0002 a0a0 0000 d2..............
00000110: 0000 0000 0000 0000 00d3 ee64 00a5 0000 ...........d....
00000120: ec00 0000 0000 0000 0000 0000 0000 00ff ................
00000130: a0a0 0000 0000 0000 0000 0000 0000 0000 ................
00000140: 0000 0000 0000 0000 0000 c000 0005 110b ................
00000150: 0104 2300 0000 0000 aa00 0000 0000 0000 ..#.............
00000160: 0000 0000 1124 906d 0000 0000 0000 0000 .....$.m........
00000170: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000180: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000190: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000001a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000001b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000001c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000001d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000001e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000001f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000200: 4946 0000 0000 0000 0000 0000 0000 0000 IF..............
```

### Modifying the drive's current configuration page

1. Edit `configuration.txt` in your favorite text editor.

2. Go to offset 0x0AC and change the 0x03 seen above to 0x07 (or vice versa) to flip
between modes on the drive.

3. Remove the line for offset 0x200 entirely, if it exists. We're only going to
send 512 bytes to the drive.

4. Modify offsets 0x1FC through 0x1FF. This value (in modes other than mode 3) is
the size of one of the volumes, in 512-byte sectors.

5. Write the configuration back to the drive with the following command:

`xxd -r configuration.txt | sg_raw -v -s 512 /dev/sg5 06 06 01 00 00 00 00 00 00 00 00 00`

6. Remove the drive.

7. Re-insert the drive.

# Your drive should now be operating with a new configuration! Happy hacking!
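The following script is an added example, not code from warewolf's gist or from the talk. It does the bookkeeping of the dump-and-modify steps above offline: it reverses an `xxd` dump into bytes the way `xxd -r` does (honouring the offset column, zero-filling gaps), reads the fields the notes identify (the mode byte at 0xAC, the volume split at 0x1FC-0x1FF, the chip ID at 0x17E-0x17F of the first dump, the `IF` trailer at 0x200), and builds the 512-byte block for the write-back command, refusing to produce one unless the `IF` trailer is present. It also decodes idVendor/idProduct from offset 0, which I read as a standard USB device descriptor (my identification; the page does not name it, but the decoded values match the kernel log's idVendor=13fe, idProduct=5500), so you can confirm you are about to write to the drive you think you are. The embedded dumps are sparse excerpts of the page's own hex dumps; the byte order of the 0x1FC split value is not stated on the page, so it is returned raw.

```python
import re

# Offsets named in the notes above, plus the USB device-descriptor layout at offset 0,
# which is a standard USB structure (my identification, not the page's).
CONFIG_SIZE    = 512    # only this many bytes are written back (sg_raw -s 512)
MODE_OFFSET    = 0xAC   # 0x03 = regular drive, 0x07 = dual volume, 0x15 = volume + cdrom
SPLIT_OFFSET   = 0x1FC  # 4 bytes: size of one volume in 512-byte sectors (modes other than 3)
CHIP_ID_OFFSET = 0x17E  # 2 bytes in the first (all-zero CDB) dump, e.g. 23 07 -> PS2307
TRAILER_OFFSET = 0x200  # "IF" (0x49 0x46) follows the 512 config bytes in a good dump

MODE_NAMES = {
    0x03: "regular flash drive (mode 3)",
    0x07: "dual-volume flash drive (mode 7)",
    0x15: "single volume + cdrom (mode 21)",
    0x1E: "mode 30 (seen in the comments below; not described on the page)",
}

_HEX4 = re.compile(r"^[0-9a-fA-F]{4}$")


def parse_xxd(text):
    """Turn an `xxd` dump back into bytes, honouring the offset column the way
    `xxd -r` does (gaps between lines are zero-filled). At most 8 two-byte groups
    are read per line and reading stops at the first token that is not exactly
    4 hex digits, so the trailing ASCII column is ignored."""
    out = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not tokens[0].endswith(":"):
            continue
        offset = int(tokens[0][:-1], 16)
        groups = []
        for tok in tokens[1:9]:
            if not _HEX4.match(tok):
                break
            groups.append(tok)
        data = bytes.fromhex("".join(groups))
        if len(out) < offset:
            out.extend(bytes(offset - len(out)))
        out[offset:offset + len(data)] = data
    return bytes(out)


def usb_ids(page):
    """idVendor/idProduct from the USB device descriptor at offset 0 (little-endian).
    Cross-check against the kernel's 'New USB device found, idVendor=..., idProduct=...'
    line before writing anything to the drive."""
    if page[0] != 0x12 or page[1] != 0x01:
        raise ValueError("offset 0 does not look like a USB device descriptor")
    return int.from_bytes(page[8:10], "little"), int.from_bytes(page[10:12], "little")


def chip_id(info_page):
    """Phison chip ID from the first dump, e.g. bytes 23 07 -> 'PS2307'."""
    return "PS%02X%02X" % (info_page[CHIP_ID_OFFSET], info_page[CHIP_ID_OFFSET + 1])


def describe_config(page):
    """Fields of the 'INFO' configuration page that the notes identify."""
    mode = page[MODE_OFFSET]
    return {
        "mode": mode,
        "mode_name": MODE_NAMES.get(mode, "unknown"),
        "split_raw": page[SPLIT_OFFSET:SPLIT_OFFSET + 4].hex(),  # byte order not stated on the page
        "trailer_ok": page[TRAILER_OFFSET:TRAILER_OFFSET + 2] == b"IF",
    }


def set_mode(page, new_mode, split_raw=None):
    """Build the 512-byte block piped into `sg_raw -v -s 512 ... 06 06 01 ...`.
    Refuses a dump without the 'IF' trailer (wrong sg device or not a Phison
    controller, per the notes) or an unknown mode; the 0x200 trailer is dropped.
    split_raw, if given, is the 4 raw bytes for 0x1FC-0x1FF (order left to the caller)."""
    if page[TRAILER_OFFSET:TRAILER_OFFSET + 2] != b"IF":
        raise ValueError("no 'IF' trailer at 0x200: not a Phison configuration dump?")
    if new_mode not in MODE_NAMES:
        raise ValueError("unknown mode 0x%02x" % new_mode)
    block = bytearray(page[:CONFIG_SIZE])
    block[MODE_OFFSET] = new_mode
    if split_raw is not None:
        if len(split_raw) != 4:
            raise ValueError("split value must be exactly 4 bytes")
        block[SPLIT_OFFSET:SPLIT_OFFSET + 4] = split_raw
    return bytes(block)


# Constructed sample: a sparse excerpt of the configuration.txt dump shown above
# (only the lines the functions need; parse_xxd zero-fills the rest).
SAMPLE_CONFIG_XXD = """\
00000000: 1201 0002 0000 0040 fe13 0055 0001 0102  .......@...U....
000000a0: 2020 2020 2020 2020 2020 2020 0300 000a  ....
000001f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000200: 4946 0000 0000 0000 0000 0000 0000 0000  IF..............
"""

# Constructed sample: the 0x170 line of the first (info) dump above, rewritten in xxd form.
SAMPLE_INFO_XXD = "00000170: 0100 0000 ffff ffff ffff 5652 9310 2307  ..........VR..#.\n"

if __name__ == "__main__":
    cfg = parse_xxd(SAMPLE_CONFIG_XXD)
    print("USB ids: %04x:%04x" % usb_ids(cfg))
    print("chip:", chip_id(parse_xxd(SAMPLE_INFO_XXD)))
    print(describe_config(cfg))
    print("bytes to send for mode 7:", len(set_mode(cfg, 0x07)))
```

To use it on a real dump, pass the contents of `configuration.txt` to `parse_xxd`, write the bytes returned by `set_mode` to a file, and pipe that file into the `sg_raw ... 06 06 01 ...` command instead of `xxd -r configuration.txt`; keep the untouched `info.bin` and `configuration.bin` around, as the notes suggest.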

### warewolf commented on 8 Jan 2019

Mode 21 (0x15) stuff:

Set your drive into mode 0x07, set your split based on your ISO9660 image size, and
set the configuration (above xxd -r | sg_raw command). Unplug and reconnect your
flash drive. dd over your ISO9660 image to the second LUN. Now that your ISO image
has been dumped to the flash drive, reconfigure it to mode 21 (0x15). Unplug and
reconnect your drive. You should now see two devices, an emulated cdrom, and a
flash drive.

### sunbqto commented on 23 Dec 2019

@warewolf

Is it possible to change "[5511.755408] sd 4:0:0:0: [sdc] Write Protect is on" to "Write
Protect is off" with this hack, or must I download the Phison driver (on Windows)?
Sorry for my English.

### warewolf commented on 23 Dec 2019

@sunbqto

I don't know what turns on and off read-only mode on a Phison based USB flash
drive, sorry. You should try Phison utilities under Windows from sites like
usbdev.ru, flashboot.ru, and upan.cc.

### sunbqto commented on 24 Dec 2019

@warewolf

Thanks a lot (I'll try on windows).

### foobar commented on 13 Aug 2020

Mode 30 (0x1E) stuff:

1. Dumping the drive's current configuration info

```
knoppix@Microknoppix:~$ sg_raw -r 1k -v /dev/sg3 06 05 00 00 00 00 00 00 80 00 00 00
cdb to send: 06 05 00 00 00 00 00 00 80 00 00 00
SCSI Status: Good

Received 528 bytes of data:


00 12 01 00 02 00 00 00 40 67 15 02 89 00 01 01 02 .......@g.......
10 03 01 04 03 09 04 00 00 00 00 00 00 00 00 00 00 ................
20 00 00 00 00 00 00 00 00 00 00 00 00 12 03 4b 69 ..............Ki
30 6e 67 73 74 6f 6e 00 00 00 00 00 00 00 00 00 00 ngston..........
40 00 00 00 00 00 00 14 03 44 54 20 31 30 31 20 47 ........DT 101 G
50 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2...............
60 32 03 41 30 42 30 43 30 44 30 45 30 46 30 30 30 2.A0B0C0D0E0F000
70 30 30 30 31 30 45 30 33 30 32 00 00 00 00 00 00 00010E0302......
80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
90 00 00 39 00 01 04 30 0f 01 08 ff 01 44 54 20 31 ..9...0.....DT 1
a0 30 31 20 47 32 20 20 20 20 20 20 20 3a 01 00 01 01 G2 :...
b0 4b 69 6e 67 73 74 6f 6e 50 4d 41 50 00 00 00 00 KingstonPMAP....
c0 0c ff ff ff 50 68 49 73 4f 6e 00 ff 01 0a 06 ff ....PhIsOn......
d0 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 ................
e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
f0 00 00 00 00 00 20 ff ff ff ff ff ff ff ff ff ff ..... ..........
100 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
110 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
120 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
130 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
140 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
150 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
160 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
170 ff ff ff ff ff ff ff ff ff ff 56 52 93 10 22 68 ..........VR.."h
180 00 00 ff 20 0b b0 15 ff ff 49 53 50 90 0a ff ff ... .....ISP....
190 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
1a0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
1b0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
1c0 ff ff ca fe 01 22 1e 01 00 00 ff ff ff ff ff ff ....."..........
1d0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
1e0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
1f0 ff ff ff ff 54 ff ff ff ff ff ff ff 01 74 a0 00 ....T........t..
200 49 46 00 00 00 00 00 00 00 00 00 00 00 00 00 00 IF..............
No errors
```

2. Dumping the drive's current configuration page

```
knoppix@Microknoppix:~$ sg_raw -r 1k -v /dev/sg3 06 05 49 4e 46 4f 00 00 80 00 00 00
cdb to send: 06 05 49 4e 46 4f 00 00 80 00 00 00
SCSI Status: Good

Received 528 bytes of data:


00 12 01 00 02 00 00 00 40 67 15 02 89 00 01 01 02 .......@g.......
10 03 01 04 03 09 04 00 00 00 00 00 00 00 00 00 00 ................
20 00 00 00 00 00 00 00 00 00 00 00 00 12 03 4b 69 ..............Ki
30 6e 67 73 74 6f 6e 00 00 00 00 00 00 00 00 00 00 ngston..........
40 00 00 00 00 00 00 14 03 44 54 20 31 30 31 20 47 ........DT 101 G
50 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2...............
60 32 03 41 30 42 30 43 30 44 30 45 30 46 30 30 30 2.A0B0C0D0E0F000
70 30 30 30 31 30 45 30 33 30 32 00 00 00 00 00 00 00010E0302......
80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
90 00 00 39 00 00 00 00 00 00 00 00 00 44 54 20 31 ..9.........DT 1
a0 30 31 20 47 32 20 20 20 20 20 20 20 1e 00 00 00 01 G2 ....
b0 4b 69 6e 67 73 74 6f 6e 50 4d 41 50 00 00 00 00 KingstonPMAP....
c0 0c ff ff ff 50 68 49 73 4f 6e 00 07 00 00 00 00 ....PhIsOn......
d0 00 00 00 00 00 00 00 00 00 00 00 0f 10 00 01 01 ................
e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
f0 18 00 00 00 00 00 00 00 00 00 00 00 00 00 32 32 ..............22
100 32 32 0f d0 00 01 02 00 00 91 81 11 a1 a2 cd 00 22..............
110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ................
130 a0 a0 00 00 00 00 bd bc 00 b8 d4 01 00 00 00 00 ................
140 00 00 00 00 00 c1 00 00 00 00 c0 00 50 10 14 ff ............P...
150 01 01 30 00 00 00 00 00 00 00 00 00 00 00 00 00 ..0.............
160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
190 41 00 7f 07 55 50 54 6f 6f 6c 20 32 30 39 33 5f A...UPTool 2093_
1a0 32 30 31 35 31 32 31 34 2d 30 38 32 35 35 36 00 20151214-082556.
1b0 49 53 50 36 31 2e 62 69 6e 00 00 2c 53 44 54 4e ISP61.bin..,SDTN
1c0 42 4e 36 31 56 31 31 34 75 2d 39 2e 62 69 6e 00 BN61V114u-9.bin.
1d0 32 32 36 58 2d 44 32 46 57 2d 31 35 30 31 30 38 226X-D2FW-150108
1e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
1f0 00 00 00 00 00 00 00 00 00 00 00 00 01 74 a0 00 .............t..
200 49 46 00 00 00 00 00 00 00 00 00 00 00 00 00 00 IF..............
No errors
```

3. Modifying the drive's current configuration page (to mode 3)

```
00000000: 1201 0002 0000 0040 6715 0289 0001 0102 .......@g.......
00000010: 0301 0403 0904 0000 0000 0000 0000 0000 ................
00000020: 0000 0000 0000 0000 0000 0000 1203 4b69 ..............Ki
00000030: 6e67 7374 6f6e 0000 0000 0000 0000 0000 ngston..........
00000040: 0000 0000 0000 1403 4454 2031 3031 2047 ........DT 101 G
00000050: 3200 0000 0000 0000 0000 0000 0000 0000 2...............
00000060: 3203 4130 4230 4330 4430 4530 4630 3030 2.A0B0C0D0E0F000
00000070: 3030 3031 3045 3033 3032 0000 0000 0000 00010E0302......
00000080: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000090: 0000 3900 0000 0000 0000 0000 4454 2031 ..9.........DT 1
000000a0: 3031 2047 3220 2020 2020 2020 0300 0000 01 G2 ....
000000b0: 4b69 6e67 7374 6f6e 504d 4150 0000 0000 KingstonPMAP....
000000c0: 0cff ffff 5068 4973 4f6e 0007 0000 0000 ....PhIsOn......
000000d0: 0000 0000 0000 0000 0000 000f 1000 0101 ................
000000e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000f0: 1800 0000 0000 0000 0000 0000 0000 3232 ..............22
00000100: 3232 0fd0 0001 0200 0091 8111 a1a2 cd00 22..............
00000110: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000120: 0000 0000 0000 0000 0000 0000 0000 00ff ................
00000130: a0a0 0000 0000 bdbc 00b8 d401 0000 0000 ................
00000140: 0000 0000 00c1 0000 0000 c000 5010 14ff ............P...
00000150: 0101 3000 0000 0000 0000 0000 0000 0000 ..0.............
00000160: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000170: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000180: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000190: 4100 7f07 5550 546f 6f6c 2032 3039 335f A...UPTool 2093_
000001a0: 3230 3135 3132 3134 2d30 3832 3535 3600 20151214-082556.
000001b0: 4953 5036 312e 6269 6e00 002c 5344 544e ISP61.bin..,SDTN
000001c0: 424e 3631 5631 3134 752d 392e 6269 6e00 BN61V114u-9.bin.
000001d0: 3232 3658 2d44 3246 572d 3135 3031 3038 226X-D2FW-150108
000001e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000001f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
```

# Transcript of shmoocon presentation

### Page 001: Shmoocon 2014

I mean, okay. Good, excellent. Okay.

### Page 002: Richard Harman

So who am I? I am Richard Harman.

I've been doing infoSec about 10 years.

Currently, I'm one of the intrusion analysts at SRA national sensitive response center.
I've been doing it for about 10 years.
I primarily do malware analysis, Perl scripting, and just all around SysAdmin-fu.

And if you want to get in touch with me, here's my Twitter, my email address, and
my GitHub account where I've got all kinds of crazy code.

### Page 003: (pic)

But overall, generally, I'm a hacker. This is me working on an Arduino like insect,
a programmer that I got from China. It was like 4 bucks.

### Page 004: Nova Hackers/Labs

And I wouldn't be quite such an awesome hacker if it weren't for these two organizations,
Nova Hackers and Nova Labs. I'm actually on the board of both these organizations.
Now, if there's anybody from either of these organizations in the audience, please
stand up.

All right, thank you. So these organizations are awesome because they promote you
to be better at speaking, doing more awesome hacks and stuff. So most people then
ask them, how do I join? And they'll hope you join.

I don't want those organizations.

There's also a women focused group starting up at a Nova Labs and Nova Hackers. Led
by Stacey and Sarah.

Somewhere in there, ok, maybe not.

But so if you're trying to get into it, or hacking your stuff in your kind of like,
free to, like go see them, and I hope you up.

### Page 005: Hacking USB thumb drives

So why are we here? We're here for hacking on USB thumb drives.

### Page 006: (pic)

So to give you a point of reference in why I started, it's because I heard about
this virus going around on twitter and on, like, Google Plus. You know, something,
it was kind of crazy.

### Page 007: (pic)

You could do amazing things, like some pretty wild things.

### Page 008: (pic)

I mean, it's just impressive to stop this. I was supposed to do.

### Page 009: (pic)

I mean, it was like this 7 headed hydra virus that was being written by some dude
in his basement.

### Page 010: (pic)

Or like these crazy computers. All right, so this is the audience participation
point.

### Page 011: BadBIOS

So this was the really scary part. All right, so say it with me. You probably know
what I'm talking about now. On the count of 3. 1, 2, 3, BadBIOS. All right. Thank
you. Yes.

### Page 012: BadBIOS features

So what were the features of BadBIOS? Okay.

1. So we have heard it gets spread via USB flash drives.

2. We heard it could infect the flash drives, somehow.

3. We heard it could infect the host firmware, you know, like the BIOS, the
keyboard controller, et cetera.

4. We heard it was cross platform between different motherboards, different USB
controllers, et cetera. And then it was somehow like cross platform to different
BIOSes, like efi BIOS, uefi BIOS, the regular legacy BIOS.

5. And it was cross operating system: BSD, Mac, Windows, et cetera.

6. And it also somehow had IPv6 networking, like you would do that for a command
and control.

7. And then the coup de grace of all of this was it would do audio based
networking. Sure, like your laptops, microphone, speaker to bridge air gaps, you
know, in case you unplug everything.

### Page 013: What

And to all of that, I say, wait, what.

Ok, maybe you could do it once, unlike one particular system that you're targeting.
And you would know the hardware in and out, more than the original developers did.
But I mean, to do that, where you can go between a whole bunch of different systems
that someone owns, time and time again, and keep your infection present -- I think
it's kind of difficult. So just forget all that. I don't care about BadBIOS, but I
also don't want to hear anything about it. I don't want to hear anything about
leaks that have come out recently. I hadn't read any of them.

### Page 014: Overview

* So I'm here to talk about USB flash drives and USB mass storage.

* So I'm going to go over parts of the hardware. I'm going to show you some nice
hardware part photos. I love taking hardware apart.

* I'm going to identify the block level components.

* And show you how to identify the flash controllers and what their features are.

* And then ultimately, how you can reprogram them to do cool things for yourself.

### Page 015: USB Mass Storage

So mass storage.

### Page 016: (pic)

So I've got a family of hard drives here, a mummy, a daddy, and a little baby: two
3.5 inch hard drives, one 2.5 inch hard drive. And those are pretty standard. You've
seen those all over.

### Page 017: (pic)

And we've also got these regular thumb drives that are about the size of your
thumb.

### Page 018: (pic)

And then we've got these things that are absolutely fricking tiny.

Okay. So the point I'm trying to make here is, USB mass storage has gone from being
absolutely massive to absolutely tiny, but conversely, the capacity of these
devices has gotten larger and larger and larger.

### Page 019: Data, Power, controller board, IDE HDD

So here, for some nice photos. So this is a really old USB hard drive where you got
your IDE hard drive, you got your data ribbon, your power cable. When tucked down
either, all of that is your control board that does the USB protocol, or IDE
protocol.

### Page 020: 2.5 inch, SATA, controller board

It's the same basic idea for your SATA hard drive where you got your plastic
clamshell case, your hard drive, and then your control board that does your data
and power.

### Page 021: USB3 flash drive

And then flash drives, I mean, they've got basically their memory chips for storing
the actual data, and then got the controller. This drive actually happens to be
USB3. You can kind of tell by there's extra pins on the USB connector instead of
just four.

### Page 022: USB HDD basic components

But, so on the USB hard drive components here.

### Page 023: USB SATA HDD Controller/Power board

* So here is your host interface, where your USB cable comes in.

### Page 024: USB SATA HDD Controller/Power board

* You've got your power for making the power nice to the hard drive, and the rest
of it.

### Page 025: USB SATA HDD Controller/Power board

* Then you've got your USB data pins. Now, USB pins use differential
signaling, so that's why there's two separate wires, so you can have better signal
fidelity.

### Page 026: USB SATA HDD Controller/Power board

* Those go to the bridge or controller chip. In this case, it's a bridge.

### Page 027: USB SATA HDD Controller/Power board

* And then coming out of the bridge chip, you've got your SATA pins. Now, these are
also differential signaling. It's 2 pair of them.

### Page 028: USB SATA HDD Controller/Power board

* And then, ultimately, down to your host device, your hard drive, CD-ROM,
whatever.

### Page 029: Controller/Bridge HDD v.s. Flash

Now, I said, bridging controllers here. The reason why is because there's a
difference between a hard drive USB enclosure controller, versus a flash drive
controller. Under the hood, they're actually kind of similar, but it's the firmware
that's running on them.

* On a USB hard drive controller, which got spinning media or a CD-ROM, it's
intentionally generic firmware. You're only going to see the hard drive or CD-ROM
drive that's actually physically connected to it.

* On a flash controller, all it's doing is logically mapping the sector that the
computer asked for to a region in the flash memory on the chip. The flash, oh, the
controller can be reprogrammed, and the host ultimately sees what the controller
wants (itself) to (be).

Now, some of you have probably taken a hard drive out of an enclosure because it
wasn't working, and troubleshot it by plugging it into your computer
directly. And if you've ever done that, it works on a computer.

### Page 030: (pic)

It's because your controller lost its freaking mind. All right, so.

### Page 031: USB Flash Drive PCB

All right, so. Onto flash heart, USB flash controller parts.

### Page 032: Basic Components of Flash drives

So here's a basic USB thumb drive. And just for size reference, here is actually
this drive I took a picture of.

* So the chip I have circled here is the flash controller. It's an ASIC. ASIC, in
case you're not familiar, stands for Application Specific, Integrated Circuit. It
does one thing very special and that one thing very well. It's not generic. It
can't do a whole bunch of things.

### Page 033: Basic Components of Flash drives

* And if we flip this guy around, we've got the actual flash memory.

### Page 034: USB Mass Storage

And so USB mass storage.

* Like I mentioned before, it's differential voltage signalling, which basically means
the voltage just goes up and down on the different pins.

* The speed on them is between 6 megahertz and 2.5 gigahertz. 2.5 gigahertz is the
USB3 SuperSpeed end of the line.

* And all the bridge or controller chip does. It translates the USB protocol, to
what your hard drive or CD-ROM or whatever happens you plugged in, speaks.

* And the reason why, is because there's no direct translation from the USB mass
storage protocol to what the hard drive talks. You have to have that guy in the
middle doing the translation for you.

### Page 035: USB Mass Storage == SCSI

* Now what you probably weren't aware of is USB mass storage is actually SCSI. You
know those, those old old old loud ten thousand rpm drives that you have on this
chain of drives.

* And it's not a full SCSI command set. It's a subset based on whatever you have: a
hard drive, CD-ROM drive, tape drive, et cetera plugged in.

* And these SCSI commands actually ride on top of the USB protocol. It's
encapsulated. And that can sometimes cause trouble. So if you ever used the smart
control, or smartmon, a hard drive monitoring software, through USB like THAT,
sometimes it doesn't work right.

* And with this, it's still SCSI, still one SCSI target. That means you've got one
device. But you can have more than one logical unit, and that's what's called a
logical unit number.

### Page 036: USB signaling

So I keep going into the specifics of the USB protocol, and here's actually what it
looks like with the two data lines. Where you've got 1 it's a high voltage. 0 is a
low voltage.

### Page 037: Differential Signaling

And the reason why, is because when you have those two voltages separate from each
other like that, the device on the other end can say, oh, that was a 1, or that was
a 0.

Meanwhile, if you get some interference like EMI interference or RFI interference,
whatever that affects both of the lines (the same on the other line) you see
nothing. Because it has subtracted that noise out.

### Page 038: Phison Security Tool

So why am I going on all this detail for all this USB level protocol stuff? It's
because I found this utility that lets me mess with flash drives. This one
actually lets you hide parts of your flash drive with a password, so that your
operating system can't see it. And it worked. It was awesome, but I had no idea how
it worked. So I said, I had to figure this out.

### Page 039: Low-Level Sniffing USB

So I decided I was going to do some sniffing of USB.

So I, I had to figure out what my options were. I could use a logic analyzer, I
could use a hardware MITM device, and there are some pros and cons of both.

* The logic analyzer generally has too much detail. I mean, it's got exactly what's
on the wire, errors included, and there's no protocol-in-protocol decoding. All
that extra effort -- that the USB mass storage protocol, and the SCSI commands, and
stuff have on top of USB -- is just bits and bytes to these logic analyzers.

* If you want to use a hardware man-in-the-middle device, go see Dominic's talk
tomorrow. He's got a BeagleBone Black board that he's converted into being a USB
MITM device.

### Page 040: Saleae Logic8

But. Here's what I used. I've got a Saleae Logic.

* It's a USB2 based logic analyzer.

* And the latest beta software actually supports decoding USB.

* And so I'm sniffing a USB thumb drive that's USB2 as well. And if you're trying
to do something at 60 miles an hour, and then record exactly everything that's
going on at 60 miles an hour, or USB2 speeds, you're going to drop some data.

* So I actually had to slow down my USB flash drive by plugging it into a USB1
hub. That way I had faster recording capabilities than my actual device was
producing data.

* So I ended up vampire tapping lines.

### Page 041: Sniffing rig (USB extension cable)

I got a USB extension cable.

### Page 042: Sniffing rig

And then stripped off the shielding and put in my test taps.

### Page 043: Results! no context though

And here's what I got. So this is me punching in the password 'password' to that
application while a hard drive was locked. And there it is in plain text, I see my
password going across the wire in USB. Hallelujah, I've got, I know how this kind
of works. But I don't have any context: I don't know what comes before, what comes
after, et cetera. I can't replicate this yet.

### Page 044: High-Level Sniffing USB

So I had to switch to high-level sniffing USB. And there's pros and cons of this as
well.

* So you can install a driver in Windows called USBPcap. It basically ties into
Wireshark, and can make a network interface that, you say, does this USB interface.
And because it's so high-level, it's basically tracing the execution of the
commands, in Windows, against that USB device. And in Windows, you just send your
commands, and at some point down the line it actually gets sent on the USB
connector. And it can be in the same order you executed the commands, or it can be
a different order. There's kind of scheduling that goes on, so they can or will
miss data.

* Another option is you can use your virtualization environment: VMware, QEMU,
VirtualBox or whatever. Almost all of them support: in the hypervisor, dumping out
the virtual USB stack.

* In Linux, under qemu-kvm, there's a kernel module called usbmon, and that does
the same thing as USBPcap. But it's lower level, so it actually will get all of the
data from the OS.

So there's lots of tools to look at. The USBPcaps, the usbmon variants, most
importantly, Wireshark. Wireshark has the USB protocol decoding, USB mass storage
decoding.

### Page 045: Sniffing USB

And that's what it looks like. So at the bottom, in the bytes display, now we see
the word 'password' that I had from the logic analyzer. And up above, I have the
SCSI command, where its SCSI command is '0e', logical unit number '1'. So now I have
a much better understanding of exactly what the command and the payload in that
command were, to describe the unlock.

### Page 046: Re-implementing USB Flash Drive Security Features Under Linux

So I was able to successfully re-implement the USB flash drive security software
under Linux.

* So I've got these random bytes here -- '0E 00 01 55 AA', that will turn off the
protection.

* And then I got one for temporarily unlocking.

### Page 047: Re-implementing USB Flash Drive Security Features Under Linux

And, here's actually how to change or set the password under Linux. So, this is
using a command called sg_raw. It just fires SCSI commands at a device. And this is
actually basically a 64-byte packet that gets sent: the first 16 bytes are the old
password, in case you're changing the password; the next 16 are the new password;
and the last 32 are a password hint.

So you basically do the same thing I did for any other implementation of this --
you sniff the traffic, figure out how it's working, and then re-implement it with
sg_raw or another application.
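As an added example (not from the talk, and not part of any Phison or Wireshark tool), here is a small Python parser for the USB Mass Storage Bulk-Only Transport wrappers that Wireshark decodes on page 045: it pulls the SCSI CDB and LUN out of the Command Block Wrapper, pairs it with the data phase and the Command Status Wrapper, and flags opcodes outside the set a flash drive normally receives, which is how the '0e' command and the 'password' payload stand out in a capture. It handles the general CBW/CSW format, not just this one command; the sample wrapper bytes are constructed here, and the only Phison-specific bytes are the '0E 00 01 55 AA' quoted above.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

CBW_SIGNATURE = b"USBC"   # dCBWSignature as seen on the wire (0x43425355 LE)
CSW_SIGNATURE = b"USBS"   # dCSWSignature
CBW_LEN, CSW_LEN = 31, 13

# Opcodes a flash drive is expected to receive during normal use. Anything
# else (including the 0x0E the talk saw) is worth a closer look in a capture.
KNOWN_OPCODES = {
    0x00: "TEST UNIT READY", 0x03: "REQUEST SENSE", 0x12: "INQUIRY",
    0x1A: "MODE SENSE(6)", 0x1E: "PREVENT ALLOW MEDIUM REMOVAL",
    0x23: "READ FORMAT CAPACITIES", 0x25: "READ CAPACITY(10)",
    0x28: "READ(10)", 0x2A: "WRITE(10)", 0x35: "SYNCHRONIZE CACHE(10)",
    0x5A: "MODE SENSE(10)",
}
CSW_STATUS = {0: "Passed", 1: "Failed", 2: "Phase Error"}


@dataclass
class CBW:
    tag: int
    data_len: int
    direction_in: bool
    lun: int
    cdb: bytes


def build_cbw(tag: int, data_len: int, direction_in: bool, lun: int, cdb: bytes) -> bytes:
    """Serialize a 31-byte CBW (used here only to construct sample traffic)."""
    if not 1 <= len(cdb) <= 16:
        raise ValueError("CDB must be 1..16 bytes")
    flags = 0x80 if direction_in else 0x00          # bit 7 of bmCBWFlags = data-in
    header = struct.pack("<IIBBB", tag, data_len, flags, lun & 0x0F, len(cdb))
    return CBW_SIGNATURE + header + cdb.ljust(16, b"\x00")


def parse_cbw(raw: bytes) -> CBW:
    """Decode dCBWTag, dCBWDataTransferLength, bmCBWFlags, bCBWLUN, bCBWCBLength, CBWCB."""
    if len(raw) != CBW_LEN or raw[:4] != CBW_SIGNATURE:
        raise ValueError("not a Command Block Wrapper")
    tag, data_len, flags, lun, cb_len = struct.unpack_from("<IIBBB", raw, 4)
    cb_len &= 0x1F                                   # bits 4:0 carry the CDB length
    if not 1 <= cb_len <= 16:
        raise ValueError("invalid bCBWCBLength")
    return CBW(tag, data_len, bool(flags & 0x80), lun & 0x0F, raw[15:15 + cb_len])


def parse_csw(raw: bytes) -> Tuple[int, int, str]:
    """Decode dCSWTag, dCSWDataResidue and bCSWStatus."""
    if len(raw) != CSW_LEN or raw[:4] != CSW_SIGNATURE:
        raise ValueError("not a Command Status Wrapper")
    tag, residue, status = struct.unpack_from("<IIB", raw, 4)
    return tag, residue, CSW_STATUS.get(status, f"Unknown({status})")


def printable_runs(data: bytes, min_len: int = 4) -> List[str]:
    """Return runs of printable ASCII, the way Wireshark's bytes pane shows them."""
    runs, cur = [], bytearray()
    for b in data + b"\x00":                         # trailing NUL flushes the last run
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    return runs


def describe(cbw_raw: bytes, data: bytes, csw_raw: bytes) -> Dict[str, object]:
    """Summarize one CBW / data-phase / CSW exchange and flag non-standard opcodes."""
    cbw = parse_cbw(cbw_raw)
    tag, residue, status = parse_csw(csw_raw)
    opcode = cbw.cdb[0]
    return {
        "opcode": opcode,
        "name": KNOWN_OPCODES.get(opcode, "VENDOR/UNKNOWN"),
        "lun": cbw.lun,
        "direction": "IN" if cbw.direction_in else "OUT",
        "cdb": cbw.cdb.hex(" ").upper(),
        "data_len": cbw.data_len,
        "tag_match": tag == cbw.tag,                 # CSW must echo the CBW tag
        "residue": residue,
        "status": status,
        "printable": printable_runs(data),
        "suspicious": opcode not in KNOWN_OPCODES,
    }


# Constructed sample: the 0E 00 01 55 AA command from the talk sent to LUN 1,
# followed by an 8-byte data-out phase carrying the literal string 'password'.
SAMPLE_CBW = build_cbw(tag=1, data_len=8, direction_in=False, lun=1,
                       cdb=bytes.fromhex("0E000155AA"))
SAMPLE_DATA = b"password"
SAMPLE_CSW = CSW_SIGNATURE + struct.pack("<IIB", 1, 0, 0)

if __name__ == "__main__":
    for key, value in describe(SAMPLE_CBW, SAMPLE_DATA, SAMPLE_CSW).items():
        print(f"{key:>11}: {value}")
```

Feeding it the raw bulk transfers from a usbmon or USBPcap capture gives you the same command, LUN and payload view the slide shows, with the vendor-specific commands called out.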

### Page 048: UP21 Flash Controller

So that was a little bit of a teaser of the cool things that you can do, when you
get this sort of sniffing stuff set up. But how do you get there? How do you get
that up to that point?

Well, you rip apart the hardware, and you look at the flash controller. So, this is
the flash controller on this drive here. I actually darkened the photo a little
bit, so it makes it easier to read. That chip says UP21. So I went to Google and I
punched in 'UP21 flash'.

### Page 049: UP21 Flash Controller

And suddenly, bang, all these websites pop up with information about this chip. A
lot of them in Chinese or Russian (or there was a couple of veteran English
language) but a lot of them go through Google translate very well. And it got to
the point -- in some of these Chinese websites where I was downloading stuff, I
actually knew what the 'download' characters looked like: oh, it's that one, not
this one, this actually says, 'download.com toolbar' thing.

### Page 050: Consumer Flash ***Drive*** Vendors

So. So when you're researching these flash drives, you've probably heard of all of
these consumer vendors: SanDisk, Kingston Digital, et cetera. These are all the
brands that you've seen in your stores.

### Page 051: OEM Flash ***Controller*** Vendors

And what you've probably not seen is the chips that are on the inside of these. So
this is where you get all the OEM flash controller manufacturers that produce chips
that are on the inside of those drives. You're not supposed to know nor care about
what these chips are. It's supposed to be insignificant to you. The drive is
supposed to operate as a flash drive, and you're dumb with it.

### Page 052: Who uses what?

But. Going on. So the question is: what manufacturer of the consumer drives uses
what chip?

### Page 053: Consumer Vendor

So I went through a completely unscientific process, of looking at a website that
had a database, of what chip was inside of what thumb drive. And I found the most
common ones, along with the drives that I happen to have on hand.

So I've got the chip flash controller vendors on the outside, I've got the consumer
vendor on the inside, and little arrows that point to each one, and then a running
tally of how many times I've seen that flash controller vendor was used. So let's
get started.

### Page 054: Verbatim

* So Verbatim uses Phison.

### Page 055: Intel

* Intel uses Phison as well.

### Page 056: TDK

* TDK uses Phison.

### Page 057: Lenovo

* Lenovo Alcor.

### Page 058: Sony

* Sony uses Silicon Motion.

### Page 059: Corsair

* Corsair uses Silicon Motion.

### Page 060: Toshiba

* Toshiba uses a Solid State System.

### Page 061: Trend Micro

* Hold on. Trend Micro uses three different chips.

So before that, we had a kind of consistent idea: if I go by this brand of
controller, I can now do this brand of flash drive. I can do with these
controllers? And it just gets worse.

### Page 062: ADATA

* So ADATA uses two.

### Page 063: Silicon Power

* Silicon Power uses four.

### Page 064: Kingston

* And, Kingston uses like 6.

So Kingston is a name that I associate with quality, but apparently they don't
care, they don't care what flash drive controller they're going to use.

### Page 065: Flash drive lineup

So. So I went out to the store, and I bought a whole bunch of thumb drives with the
intention of tearing these bad boys apart and see what was on the inside. I tried
to get as many different ones as possible: different shapes, sizes, features, et
cetera.

### Page 066: Which controller

And the question again, is: what's on the inside?

### Page 067: Which controller brand?

So this is what they look like when they have their casing removed.
Now there's one in the middle. It's kind of hard to see in the screen, but it looks
like a little black stick that we kind of knew what it would look like, like that
from the previous pic. So because it's an absolutely tiny thing.

But the other ones are also black sticks you couldn't tell. So, I mean, it was
plastic housing around this tiny, little black stick. And I had no idea those other
two would look that way.

### Page 068: Which controller brand?

But one and one of them, these are the different vendors that are the flash
controllers on these drives. So we've got Innostor, SMI, Phison, Phison, Phison,
USBest, SMI, Phison and Phison. So I'm seeing a running pattern here.

### Page 069: Flash Lineup: Controller Chips

Phison is apparently really popular. At these drives, at least the drives that I
got from Micro Center, there were four different kinds of drives from Phison.

And these all pretty much had the same feature set between the Phison chips and
then across different manufacturers, like in a store in Silicon Motion.

### Page 070: Micro Center

* So just to give you an idea of what these capabilities are, here's this 4 gig
thumb drive that I got at Micro Center for five bucks.

* So this is a Phison controller. It's the PS2251-61. This supports multiple LUNs
(the multiple virtual drives), hidden LUNs (so now you can hide data). And then it
also supports password protecting them.

Again, for five bucks. This is not something you're supposed to be aware of.

### Page 071: Centeon Jezebel Licorice

* This is a Centeon drive. This one happens to be about a dollar a gig again.

* This one uses a different chip. This one uses the SMI SM3257ENLT, and supports
the same features of the chip I saw before.

### Page 072: Centeon Secure

* And this is one of the drives that I intentionally found, something that was
supposed to be awesome. So this is the Centeon secure chip. So this is about 2
dollars a gig.

* But wait, this one uses the same controller as the 5 dollar flash drive I had
before.

* So this drive doesn't support crypto.

* And what it does have is it actually has a logical unit -- another virtual hard
drive on there that's got crypto software for Mac. And I'm a PC guy. So this drive
was twice as expensive and useless to me.

### Page 073: Which would you buy?

So which would you buy?

* Would you buy the 8 dollar drive that is cheap and has all the free software that
you need -- your Truecrypt or PGP to encrypt data?

* Or would you spend twice as much money on a drive that has no hardware crypto
support -- that just has software on it?

Me, I would buy the cheaper one. But the problem is you don't know what you're
getting, until you take it apart, or until you look at it.

### Page 074: Monolithic USB Close-Ups

So, just to give you guys a better idea, what those tiny little black sticks were,
those are called monolithic USB drives.

### Page 075: (pic)

So here's what they look like with part of their epoxy removed, and these photos
came from RecoverMyFlashDrive.com. But this is all in one -- one package, the
controller and the memory at the same time.

### Page 076: (pic)

And this is what they look like when they're being fabricated. These photos came
from Bunnie. If you saw Bunnie & xobs talk @ 30C3, go watch it, it's awesome. So
this is actually the bottom of these being fabricated.

### Page 077: (pic)

And this is the top. So it's 8 chips. You can barely see it on this slide, but the
flash controller and the flash memory all right next to each other.

### Page 078: Monolithic vs. PCB

And just to point out which is which. So here is the flash drive I had (up earlier)
pointing out the flash controller, and then here's the monolithic chip together. So
that's the flash controller.

### Page 079: Monolithic vs. PCB

And that's the flash memory.

### Page 080: Monolithic vs. PCB (to scale)

Now, just to give you guys a better sense of scale, here's what the monolithic
drive looks like in comparison to a regular USB drive. So you guys know how big a
USB connector is. And that entire chassis is about the width of a USB connector.
It's tiny, and it seems they can get even skinnier, to be absolutely like the size
of a dime.

### Page 081: Visual Flash Controller ASIC Identification

But anyways, so visual identification of these flash controllers.

* If you're going to tear apart the housing, it destroys the device.

* The consumer packaging never mentions what controller's on the inside, so it's
just a game of guesswork.

* The OEMs like Kingston can use anything that they want.

* And the monolithic drives.

* I don't have nitric acid and a fume hood to remove the epoxy from the drives.

So we can't do visual inspection for all these drives.

### Page 082: Software Flash Controller ASIC Identification

So what can we do, software wise?

* Well, the operating system sees what the flash controller wants it(self) to be: a
hard drive, CD-ROM, whatever.

* The USB product ID and vendor ID are supposed to be useful.

* But they're not. I've seen an entire line of different sizes of thumb drives that
had the same product ID and vendor ID. And, a company doesn't have to use a
different vendor ID or product ID for a different product, if it's the same basic
functionality they can bring in a new controller chip, whatever.

* So we need to talk to the controller directly.

* And there aren't any built in OS tools to do this.

* So what software is out there to mess with these drives?

### Page 083: ChipEasy

Well, I happen to find one written by some folks in China. It's an application
called ChipEasy, and this really is easy to identify your drives.

### Page 084: ChipEasy

And because I know this is kind of hard to see, I'll give you a zoom in on it. So
it's got all the details you could ever need: it's got the drive letter, the
capacity, the product ID, vendor ID, serial number, et cetera. And the nice thing
about it is it shows you who the controller manufacturer is, what the controller
type is. And then the coup de grace on this is it tells you where to download
software to mess with these drives. Thank you. Thank you.

### Page 085: Picking on Phison

All right, so. I had a whole bunch of Phison drives, so I decided to pick on them.

* So they are a Taiwan based flash controller manufacturer.

* They make controllers for USB 1 through 3, SATA, IDE, eMMC, SD cards, et cetera.

* Basically they have one common core that they can just bootstrap another
interface on. All of these chips seem to be based on the Intel 8051. That is what's
called an 'IP' core. Or it's such an old microcontroller that you can basically
license the software schematic of this chip and then integrate it into a chip that
you're designing.

* Some of Phison's controllers support crypto, most of them support AES, I've seen
some that support RSA.

* And all these drives support different modes. Modes are how the drive actually
interacts with the operating system as being a hard drive, a hidden drive, CD-ROM,
etc.

### Page 086: Flash ASIC-based Crypto

So. A note on the crypto that's built into these drives.

1. So flash controllers do wear-leveling because your flash memory can't stand
being written and rewritten at the same place over and over and over again, so they
kind of scatter your data around.

2. The encryption key ***may*** be held within the ASIC, not on your flash memory.
And this is probably done during the initial configuration of your thumb drive.

3. And then you've got logical numbers -- logical unit numbers. Those are logical
drives that can be hidden or locked with a password and optionally encrypted.

4. So. Another thing that's crazy is these flash drives have more space than you
know. If you listen to Bunnie's talk, every flash chip as manufactured ultimately
ends up in some consumer device, everything is used. You fabricate an 8 gig chip
and only 7 gig of it is used well. Ok, now that's a fogging chip. So they actually
clip down. The reasons of that: the flash memory that's actually still usable, just
to make it something that you're used to on the shelf of the store. You see quarter
gig, half gig, 1 gig, 2 gig, 4 gig, etc. Even units of powers of two of your hard
drives.

So with all these things together, it's a forensics ***NIGHTMARE*** if you're
trying to recover data from these things. You might have a 4 gig chip, sorry, a 4
gig drive that's actually an 8 gig, 16 gig, 32 gig chip that has more capacity that
is just under what the next size up is. And the question is, how do you know it's
there? How do you know it's password protected? How do you know it's not password
protected? Et cetera. You don't, unless you use some of these vendors' proprietary
tools. And I'm actually still working on re-implementing, like how to ask the
controller, what is your configuration?

### Page 087: PS2251 Series Flash Modes (Logical Units)

So these are the modes that set up the way the flash drive works. The ones which
are probably used are: mode 3, that's your flash drive; mode 21 is basically where
the USB drive emulates a CD-ROM drive and a hard drive; and modes 7 and 8 are the
cool ones where you've got hidden drives.

### Page 088: No more U3 drives!

* So, mode 21 is U3 equivalent. So there aren't really U3 drives out on the market
anymore, but you probably have a drive that supports this. You just need to find
the software that does it.

* The U3 drives are basically dead thanks to Microsoft and SanDisk, because they
superseded it with an application called 'StartKey', which appears to be related to
the 'Windows To Go' software. So you can take your Windows installed on a thumb
drive and go anywhere and boot up your office's PC, doesn't matter what hardware
you're being plugged into.

### Page 089: PS2251 Block Diagram

So here is the PS2251 block diagram: you've got the USB connection coming in from
the computer to your USB PHY; you've got the USB controller; your flash data
module; some ROMs and RAM; and then the little orange block in the center, that's
the microcontroller.

### Page 090: Hello, Intel 8051

That's this guy, the Intel 8051. This chip came out when I was born in 1980. Like
pretty much every software out there that does reverse engineering of binary object
code supports this chip. All right.

### Page 091: Bunnie & xobs @ 30C3 'SD Card Hacking'

So. Bunnie and xobs at 30C3.

* They basically found out that SD cards have this MCU inside of it.

* And they completely got executable code running on that microcontroller. That
controller that actually operates and manages the flash memory and talks to the
computer.

* So most of their work will probably actually port over to USB drives. Fairly
standardly, all they have to do is just figure out what pins go where, and they
can use the same thing.

* They actually wrote a debugger so they could figure out like what all the
different registers were in these microcontrollers.

* And the reason why is because this is an 'IP' core. You've got this schematic for
it, so you can, you can change it, you can make it from being a 8 bit controller to
a sort of 8 bit plus a couple of 32 bit operation chips.

So, once you've figured all this stuff out, and you can mess with flash drives,
what can you do with them?

### Page 092: MOOSEDRIVES

Well, I decided to come up with some hypothetical drives, repurposing the Micro
Center 5 dollar, 4 gig drive that I found. It'll soon make the moosedrives, and
these aren't for sale. Sorry, I don't have enough to give around.

### Page 093: SECRETMOOSE

But so you can make a secretmoose drive.

* So the features are, I've got a USB product ID and vendor ID of leet:leet.

* I've got a 4 gig public partition.

* That has the windows app to unlock the drive.

* And then somewhere between 1 and 3 gigs of space that has been recovered from
this chip.

* Because it has additional space that is hidden and locked with a password.

* The windows software says that you can try 6 guesses and on the 6th failed
attempt it will erase the drive.

* But I found out, through reversing the actual protocol that goes across
USB, that, no, it doesn't wipe the drive. Why implement something in silicon when
you can implement it in software? So I was actually like doing hundreds of
thousands of password attempts against these drives on Linux, and it still managed
just fine. So, be careful, don't trust what all the software says, because in some
cases it might actually work that way.

### Page 094: PORTABLEMOOSE

You could also have an entire portable operating system. So you guys have heard of
the USB drives or the U3 drives that have portable apps. Well, this is an entire
portable operating system.

* So I put Fedora LiveCD image on there. And it's got another 3 gigs of space based
on it.

* So now I've got a persistent overlay of changes that I've made at this drive.

* And if push comes to shove, I can erase that overlay and get back to a bare metal
scratch image.

### Page 095: REDMOOSE

And if you're a pen tester like some people in the audience, you can have a drive
that has your Kali Linux or BackTrack or whatever your favorite image on there, and
then additional one and a half gigs of storage.

* Now, because these are emulated CD-ROM drives on these drives, you can't write to
these CD-ROMs. It's read only.

* But the remaining flash memory on it, you can wipe. So for example, if you had a
customer that said that I don't want you bringing in your own hardware, but they'll
let you bring in flash drives, now you can bring in your entire toolkit. And if
they're really paranoid about you exfilling data, which was kind of what they're
paying you to do, you can say, ok, format this drive and then I've got no data,
done.

### Page 096: Which is for you?

So. Which is for you?

* You can, you can buy an ISOSTICK, which is a 100 dollar project that someone made.
It's based on an Atmel processor, which is sort of the same thing that Arduinos are
made with. And they wrote a custom program for it, and they wrote a bootloader
called 'isosel'. So that'll let you bring up a menu and select what ISO you want to
boot on a computer when you plug it in. Rob says sometimes he's had problems with
it.

* There's another project out there that's not quite finished yet, called CDEMU.
This one actually has a four line LCD that gives you a menu of what ISO you want to
boot. This one is basically in beta production status. They haven't actually
produced hardware that you can assemble yet.

* Or you can use a regular thumb drive that you happen to have laying around. Out
of pocket costs could be, could be between 0 dollars or like going to the store and
buying a couple, and the only real cost is a little bit of your time, plus varying
levels of fun as you accidentally break thumb drives.

### Page 097: (Re)programming Phison Controllers

So. Here's how you reprogram drives. So with Phison, they've got a couple of
different ways.

* There's an easy, foolproof way called **Mode Converter**.

* This is literally point, click, done. There's no, like firmware that's being
rewritten, no executable code that's being re-downloaded to the drive. You're just
reconfiguring its layout.

* The more advanced way is to use their **MPAll** app. MP stands for Mass Produce,
so this lets you mass produce pretty much all of their flash controllers and
reconfigure them.

* That one comes with the app called GetInfo. This will tell you all the details
about how the drive is set up, what the block size is on the flash memory, what
mode the drive is in (you know, that mode 3 for regular drives, mode 21 for U3 like
drives).

* And this is the application that lets you reconfigure everything on the drive:
put on new firmware; reconfigure the partitioning, the way it's laid out; change
the USB product ID, vendor ID strings; et cetera. And if the chip supports that,
you can turn on crypto -- hardware crypto in the flash controller that will encrypt
the flash memory.

### Page 098: Phison ModeConverter

So here's Mode Converter. It's a really simple app. Like I said, it's literally
point, click, done. You give it the number of partitions you want, and whether you
want them to be hidden or not.

### Page 099: Phison MPAll

And here's the more complex MPAll app. So this lets you mass produce 16 drives at
once.

### Page 100: MPAll Partitioning (LUNs)

And I know this is kind of hard to read, but these are all the different options
you have. So this is actually the page where it sets up the partitioning of the
drive, or whether you're going to have a virtual CD-ROM, a hidden hard drive, a
removable hard drive. You can actually make these drives look like they're not
removable media, make them look more like they're actual hard drives.

### Page 101: (pic)

And here is GetInfo that shows you all the details of how it's set up, and here's
the leet:leet product ID and vendor ID.

### Page 102: Configurable Settings

So here are all the settings that can be set with that MPAll app. You can change
the size of the drive, change the way that the LED is blinking. You can make the
logical unit numbers read only or not. And you can recover data from the region of
the chip that has been clipped in software because it was just below the next size
up chip. All that stuff.

### Page 103: Phison MPAll Troubleshooting

So ultimately, when you're using MPAll, you're going to run into problems, because
it's not something that you're supposed to be using. It's not documented. You don't
get like training on it.

* But, so, use ChipEasy and I'll have a link for that later in the slide deck. Use
that to identify what chip and what controller are in the flash drive.

* Try the latest version of MPAll.

* And be prepared to brick drives. I've probably bricked about 7 of the 20 or 30 of
that already. It's just going to happen.

* And a lot of times these flash drives, the controllers have firmware updates. And
the reason they have firmware updates because new memory comes out that these chips
don't quite support.

* And you might have more updates to the software, like this IDBlock_Timing thing,
which associates the chip identification bytes to what the timing of the flash
memory actually is. You know, when you're tuning the memory on a gaming PC and it
has 11, 10 or whatever, same sort of thing, but for flash memory.

* And double and triple check that you've got all the flash ID and timing settings
correct.

### Page 104: GOOD IDEA BAD IDEA

So. Now it's time for a good idea, bad idea.

### Page 105: UnRAID, by Lime Technology

So I want to introduce you to a piece of software by Lime Technology called UnRAID.

* So this is a Slackware based commercial Network Attached Storage solution.

* And they've got different tiers of software that's based on how many hard drives
you want to plug in into your box -- it's between 3 and 24 drives.

* Free is on the 3 drives and below line, and the pro version where you have 24
drives is like 120 bucks.

* And they have a very interesting licensing method. They say, go find a flash
drive, plug it in and read off what this GUID is.

### Page 106: Not so globally unique

Well, the problem is this GUID, which is supposed to be globally unique, is not
so globally unique here.

Here is an example GUID which they have on their website. And I can tell you that
that GUID was from an Alcor flash drive. Because their GUID is literally just the
USB vendor ID, product ID, and the serial number.

### Page 107: Cloning an UnRAID Registration Key

So, here's how to clone a USB license for UnRAID: download the USB software for
maintaining the thumb drives, set the USB vendor ID and product ID to match, set
the serial number to match and win. You now have cloned your license for UnRAID.

So, developers, please use a real hardware security token like an Aladdin HASP, not
some random thumb drive laying around.

### Page 108: Looking for a HW USB Sniffer?

* All right, so if you're looking for a hardware USB sniffer, please see Dominic's
talk tomorrow.

* The reason why I need something like this is because there's no documentation on
how to talk to these controllers.

* And like I've mentioned before, USBPcap under Windows can kind of miss data.

* And under Linux, there's no software that supports any of this stuff. Like the
usb_modeswitch that you may have seen before when you're using your, like 3G USB
modems or a thing officially show up as a CD-ROM drive, yet that doesn't work on
these drives at all.

### Page 109: Similar Work / Research

So similar work and research.

* Bunnie and xobs' talk at 30C3, where they went over getting that direct code
execution on the controller in the SD card.

* And a lot of the photos I had of the monolithic drives. That was also done by
Bunnie -- he went to an actual fab plant and saw where they were born.

* Wesley McGrew. He actually took some U3 drives and turned them into an incident
response -- oh no, sorry, that's next. He had a project on actually reconfiguring
them, to make them not have to use the software that came with it. But for some
reason it phoned home to their websites to download an ISO image that had the U3
Launch app.

### Page 110: Similar Work / Research

Anyways, so. Some additional things, that's cool.

* The password protection on some of these drives. You would expect it to actually
pass the password, or some encrypted version of that password down the wire to the
drive to authenticate it. Well, there were some researchers that found out that,
no, the software just sends an unlock command, regardless of the password. And all
they had to do was just repeat, sending the unlock command, and suddenly there's
all your data. Oops.

* And Russel Butturini also created an incident response U3 switchblade.

### Page 111: Links & Contact

So this is the slide you want to take pictures of if you're interested in messing
with these drives. This is all the links to all the software you want.

* If you want to download ChipEasy, that is the app that will tell you what the
chip is for the controller and what flash memory is on your drive, and that will
link you to upan.cc, which is unfortunately in Chinese. You'll have to run that
through Google translate.

* Or you've got other websites like flashboot.ru or usbdev.ru, or an English
language site is usb-fix.blogspot.com.

* So and again, my contact info: I'm xabean on Twitter, warewolf on GitHub and
there's my email address.

### Q&A

And now I have time for questions.

Got it. Okay, so the question was, have I seen anybody doing any research on adding
new modes for these drives? So, like there is mode 3 for the regular flash drive,
have I seen different modes for replicating what's going on there?

I haven't. I just found this software out there to reconfigure it, and I've re-
implemented some of the features under Linux.

But that's an excellent idea, I mean for people doing forensics, you're probably
going to have to figure out what mode this drive is in. So you can get a general
idea of what this drive is. Does it have hidden partitions or not? And then you can
go from there on other things.

But yeah, I don't have, like access an Intel 8051, like assembly language done.

# Transcript ends here