Controlling USB Flash Drive Controllers: Expose of Hidden Features
- 1. Controlling USB Flash Drive Controllers: Exposé of hidden features Richard Harman Shmoocon 2014
- 2. Richard Harman ● InfoSec Analyst for ~10 years ● Lead Intrusion Analyst at SRA SOC – Malware analysis – Perl scripting – Incident Response & all around SysAdmin-fu @xabean warewolf Richard@RichardHarman.com
- 5. Hacking USB thumb drives
- 11. #B ad BI OS
- 12. #BadBIOS ... features ? 1) Spread via USB flash drives 2) Infect USB flash drive firmware 3) Infect host firmware 4) Cross-platform 5) Cross-operating system 6) IPv6 networking 7) Audio-based communication for bridging air-gaps
- 13. What?
- 14. Overview ● USB mass storage hardware ● Hardware Disassembly ● Block-level Components ● ● Flash Controller Identification & Their Features Reprogramming Flash Controllers
- 15. USB Mass Storage
- 19. Data, Power, controller board, IDE HDD
- 20. 2.5”, SATA, controller board
- 21. USB3 flash drive
- 23. USB SATA HDD Controller/Power board ● Host Interface ● Power
- 24. USB SATA HDD Controller/Power board ● Host Interface ● Power
- 25. USB SATA HDD Controller/Power board ● USB differential signaling pins
- 26. USB SATA HDD Controller/Power board ● Device Interface ● Bridge/Controller
- 27. USB SATA HDD Controller/Power board ● SATA differential signaling pins (2 pair)
- 28. USB SATA HDD Controller/Power board ● Device Interface ● Bridge/Controller
- 29. Controller/Bridge HDD v.s. Flash ● HDD (Bridge) – – ● USB → HDD protocol translation Generic firmware - host sees what is connected Flash (Controller) – Logical mapping LBAs to Flash Memory – Controller can be reprogrammed! – Host sees what the controller wants!!
- 32. Basic Components of Flash drives ● Controller ASIC ● Flash Memory
- 33. Basic Components of Flash drives ● Controller ASIC ● Flash Memory
- 34. USB Mass Storage ● Signaling: Differential Voltage ● Speed: 6MHz, 12MHz, 24MHz, 2.5GHz (SS) ● ● Bridge/Controller chip translates USB to storage device No direct translation from USB-MS protocol to SATA/IDE protocol or Flash Chips
- 35. USB Mass Storage == SCSI ● ● ● ● USB-MS is encapsulated SCSI Subset of SCSI commands, based on peripheral type Encapsulation can cause trouble (smartmon, smartctl, etc) Generally one SCSI target, one or more Logical Units (LUNs)
- 36. USB signaling
- 39. Low-Level Sniffing USB ● Logic Analyzer – – Too much detail – ● Low level No protocol-in-protocol decoding Hardware MITM device – Low level – See Dominic's talk tomorrow
- 40. Saleae Logic8 ● USB2 based logic analyzer ● v1.1.18 beta software supports USB ● USB2 sniffing a USB2 device? Inconceivable! – Use a USB1 hub to slow down target. – Vampire tap lines
- 41. Sniffing rig (USB extension cable)
- 42. Sniffing rig
- 43. Results! … no context though
- 44. High-Level Sniffing USB ● USBPcap (self-snoop) + Wireshark – ● Virtualization dumping USB – ● Windows, High level, can/will miss data Full & complete dump Linux usbmon → tcpdump -i usbmon2 – Lots of tools to inspect – Wireshark! ● USB decoding, USB-MS decoding
- 45. Sniffing USB Virtualization + usbmon dumping USB
- 46. Re-implementing USB Flash Drive Security Features Under Linux ● Disable LUN Protection: # echo -n password | sg_raw -s 8 /dev/sg3 0E 00 01 55 AA 00 ● Unlock LUN: # echo -n password | sg_raw -s 8 /dev/sg3 0E 00 00 00 00 00
- 47. Re-implementing USB Flash Drive Security Features Under Linux ● Change Password / Lock LUN: # perl -e 'print pack("a16 a16 a32", "old pass", "new pass", "pw hint")' | sg_raw -v -s 64 /dev/sg3 0E 06 01 00 00 00
- 50. Consumer Flash Drive Vendors ● SanDisk ● Patriot ● Kingston Digital ● ADATA ● Lexar ● Silicon Power ● PNY ● Transcend ● HP ● Verbatim ● Sony ● Toshiba ● TDK ● Lenovo
- 51. OEM Flash Controller Vendors ● Phison ● Ameco ● ALCOR ● ChipsBank ● Innostor ● Efortune ● Skymedi ● Icreate ● Silicon Micro ● Netac ● Solid State System ● OTI ● USBest ● Prolific
- 52. Who uses what? ?
- 53. Silicon Motion (SMI) x1 Alcor Phison x1 x1 Consumer Vendor Innostor x1 Skymedi x1 x1 Solid State System (SSS)
- 54. Silicon Motion (SMI) Alcor Phison x1 Verbatim Skymedi Innostor Solid State System (SSS)
- 55. Silicon Motion (SMI) Alcor Phison x2 Intel Skymedi Innostor Solid State System (SSS)
- 56. Silicon Motion (SMI) Alcor Phison x3 TDK Skymedi Innostor Solid State System (SSS)
- 57. Silicon Motion (SMI) Alcor Phison x1 x3 Lenovo Skymedi Innostor Solid State System (SSS)
- 58. Silicon Motion (SMI) x1 Alcor Phison x1 x3 Sony Skymedi Innostor Solid State System (SSS)
- 59. Silicon Motion (SMI) x2 Alcor Phison x1 x3 Corsair Skymedi Innostor Solid State System (SSS)
- 60. Silicon Motion (SMI) x2 Alcor Phison x1 x3 Toshiba Skymedi Innostor x1 Solid State System (SSS)
- 61. Silicon Motion (SMI) x3 Alcor Phison x2 x3 Trend Micro Skymedi Innostor x1 x1 Solid State System (SSS)
- 62. Silicon Motion (SMI) x4 Phison Alcor x2 x3 ADATA Skymedi Innostor x2 x1 Solid State System (SSS)
- 63. Silicon Motion (SMI) Phison x5 Alcor x3 x4 Silicon Power Skymedi Innostor x3 x1 Solid State System (SSS)
- 64. Silicon Motion (SMI) Phison x6 Alcor x4 x5 Kingston Skymedi Innostor x4 x1 x2 Solid State System (SSS)
- 65. Flash drive lineup ● All purchased at Micro Center ● Tried to get as different as possible ........
- 69. Flash Lineup: Controller Chips Count Brand Chip 1 Innostor IS916E 2 Phison PS2251-61 1 Phison PS2261-68 1 Phison PS2251-03 1 Phison PS2251-67 2 Silicon Motion SM3257ENLT
- 70. Microcenter 4G USB2 ● 4G @ $5 ● Phison PS2251-61 – Supports multiple LUNs – Supports hidden LUNs – Supports PW protected LUNs
- 71. Centeon Jezebel Licorice ● 8GB @ $8 ● SMI SM3257ENLT – Supports multiple LUNs – Supports hidden LUNs – Supports PW protected LUNs
- 72. Centeon Secure ● 8GB @ $17 ● Phison 2251-61 – Supports multiple LUNs – Supports hidden LUNs – Supports PW protected LUNs ● No HW Crypto support ● Contains LUN w/ crypto SW
- 73. Which would you buy? ● 8GB @ $8 Centeon Jezebel Licorice – All the Flash controller features – Use FREE PGP or Truecrypt OR ● 8GB @ $17 Centeon Secure – 2x as expensive – No additional benefits
- 80. Monolithic v.s. PCB (to scale)
- 81. Visual Flash Controller ASIC Identification ● ● Destroys/mangles device housing Consumer packaging never mentions controllers ● OEMS use anything (Kingston) ● Monolithic drives are epoxied ● I don't have nitric acid + fume hood.
- 82. Software Flash Controller ASIC Identification ● OS sees what the ASIC wants it to ● USB PID:VID is supposed to be useful ● lsusb & friends are useless ● Need to talk to the ASIC directly ● No OS tools to talk to ASIC ● What software?
- 83. ChipEasy
- 84. ChipEasy
- 85. Picking on Phison ● ● Taiwan based Flash controller ASIC manufacturer Controller interfaces: USB 1/2/3, SATA, IDE, eMMC, SD & more ● Core CPU: Intel 8051 (on-die) ● Hardware AES-256 (in some controllers) ● Multiple device “modes”
- 86. Flash ASIC-based Crypto... 1) Flash controllers do wear-leveling 2) Encryption key may be held in the ASIC, initially set during ASIC programming 3) LUNs (drives) can be hidden, locked w/ password AND encrypted 4) Flash drives have more space than you know This is a forensics NIGHTMARE
- 87. PS2251 Series Flash Modes (Logical Units) Mode # LUN0 (common) 3 HDD 7 HDD HDD* 8 HDD*‡ HDD‡ HDD HDD (common) 21 CD HDD 30 CD 31 CD HDD* 32 CD CD 14 LUN1 * LUN invisible until unlocked w/ app ‡ Only one LUN visible at a time LUN2 CDROM HDD
- 88. No more U3 drives! ● ● Mode 21 is “U3” like U3 drives are dead as of 2009 thanks to Microsoft & SanDisk – – ● Superseded by “StartKey” Appears to be related to “Windows 2 Go” Flash drives you already have most likely support mode 21.
- 91. Bunnie & xobs @ 30C3 “SD Card Hacking” ● ● ● Re-purposing 8051 MCU inside SD cards Arbitrary code execution on controller in SD Cards Most likely will work with these flash drives too, similar controllers ● RE'd a controller, wrote a debugger! ● 8051 is an “IP” core – it's EVERYWHERE
- 92. MOOSEDRIVES (NOT FOR SALE, SORRY) 4GB Flash $5 Microcenter Brand Phison 2251-61
- 93. SECRETMOOSE Features: ● USB PID:VID 1337:1337 ● 4GB Public partition – ● Containing windows unlock app 1-3G Secure (hidden) partition (recovered space) – Password protected, unlock w/ Windows app – 5 guesses, 6th failed attempt erases device .. or not. ● Windows app appears to do wiping
- 94. PORTABLEMOOSE Features: ● Fedora 19 LiveCD image – – Reset Persistent storage – ● Bootloader Modified for persistent overlay Non-persistent boot 3G overlay storage Not just portable apps, an entire portable OS.
- 95. REDMOOSE Features: ● 32bit Kali Linux CDROM image ● 1.5G storage
- 96. Which is for you? ● ISOSTICK – ● CDEMU – ● $99, uSD (up to 64g), “isosel” boot loader Open source project, still in development Regular thumb drives – $0 - $?? – A little of your time + varying levels of “fun”
- 97. (Re)programming Phison Controllers ● Foolproof/Easy Mode: – – ● Mode Converter Switch between different modes easy Dangerous/Advanced: – MPAll – GetInfo utility bundled (more info than ChipEasy) – Change firmware, partitioning, USB identification, password lock, enable crypto (if supported)
- 99. Phison MPAll
- 102. Configurable Settings ● Drive Size ● Set LUNs R/O ● Multi-LUN ● LUN PW Protect ● Device IDs & Strings ● Turn LED on/off ● Emulate CDROMs ● Memory voltages ● Serial Number ● Reformat (recover) ● # of ECC bits ● Memory Timing
- 103. Phison MPAll Troubleshooting ● Use ChipEasy Flash ID to help ● Try the latest version of MPAll ● Be prepared to brick drives! (until you learn) ● Find Controller Firmware updates ● ● IDBLK_TIMING.dll updates – Updated Flash ID & Timing params Tripple check Flash ID & Timings are correct
- 105. UnRAID, by Lime Technology ● Slackware based commercial NAS solution ● Different Tiers for supported # of HDD: – ● Cost per Server: – ● Free: <= 3, Plus: <= 7, Pro: <= 24 Free: $0, Plus: $69, Pro: $119 Licensing Method: – 27 character USB Flash drive GUID
- 106. Not so globally unique lime-technology.com/registration-keys/ ● Example GUID: – – ● 058F-6387-0000-0000B65F1E82 This was an Alcor Flash Drive s/n: B65F1E82 www.linux-usb.org/usb.ids – VID 058F: Alcor Micro Corp – PID 6387: Flash Drive
- 107. Cloning an unRAID Registration Key 1) Set USB VID and PID to match 2) Set Serial number to match 3) Win! Please use a real hardware security token like the Aladdin HASP.
- 108. Looking for a HW USB Sniffer? ● See Dominic's Talk tomorrow: – ● An Open and Affordable USB Man in the Middle device No public documentation on programming flash controllers ● Windows + USBpcap + Wireshark insufficient :( ● No Linux support – usb_modeswitch has no idea about these controllers
- 109. Similar Work / Research ● 2013: Bunnie & xobs – 30C3 – SD Card Hacking http://www.bunniestudios.com/blog/?p=3554 ● 2013: Bunnie – Where USB memory sticks are born http://www.bunniestudios.com/blog/?p=2946 ● 2011: Wesley McGrew @McGRewSecurity – Hacking U3 drives http://mcgrewsecurity.com/pub/hackingu3
- 110. Similar Work / Research ● 2010: Digital Forensics Research Center – Korea – ● Secure USB Bypassing Tool http://www.dfrws.org/2010/proceedings/bang.pdf 2010: SySS – – ● PW protected flash drives unlocked w/ single command http://www.darkreading.com/security/news/222200174 2008: Russel Butturini / TCSTool – Incident Response U3 Switchblade
- 111. Links & Contact ChipEasy: Google “Chipeasy English” flashboot.ru usbdev.ru usb-fix.blogspot.com upan.cc xabean warewolf richard@richardharman.com