Restore factory firmware

[yoyebie]

Hi, I got a problem. I have Patriot 8GB Supersonic Xpress and I modified it with your script. I used RubberDucky Hello World payload and it work perfectly, but unfortunately, when I connect my USB drive, the payload executes but the drive won't show up in the Windows Explorer. So I'm trying to restore factory firmware in the drive, but it won't work. SetBootMode works (I use command DriveCom.exe /drive=D /action=SetBootMode. The drive letter is the one I used when I flashed the firmware for the first time, since now the drive won't show up), the LED on the drive stays on but I still can't flash the factory firmware. When I try to execute command DriveCom.exe /drive=D /action=SendFirmware /burner=BN03V104M.BIN /firmware=fw.bin (where the burner image is the image downloaded from USBDEV.ru and which I used to flash my drive for the first time, and the firmware file is the file I dumped before I flashed my drive) I get the error: Action specified: SendFirmware Gathering information... FATAL: System.InvalidOperationException: DeviceIoControl failed: 048F w DriveCom.PhisonDevice._SendCommand(SafeFileHandle handle, Byte[] cmd, Byte[] data, Int32 bytesExpected) w DriveCom.PhisonDevice.SendCommand(Byte[] cmd, Int32 bytesExpected) w DriveCom.PhisonDevice.RequestVendorInfo() w DriveCom.PhisonDevice.GetChipType() w DriveCom.Startup._GetInfo() w DriveCom.Startup._SendFirmware() w DriveCom.Startup.Main(String[] args)

The same error I get when I try to execute commad GetInfo.

Did I do something wrong? The payload works, so I suppose that flashing process went well but I'm concerned about the fact that the drive won't show up in Windows Explorer.

In addition, I tried to flash the custom firmware but I get the same result.

What can I do to get my USB drive work again?

Thanks in advance for your help.

Kind regards from Poland, yoyebie

[brandonlw]

Windows has a setting that hides drive letters for empty or ejected drives, which is what the drive will be when custom firmware is flashed to it. You might try changing that setting in Folder Options in Control Panel to see if you can get the drive letter to appear.

I suspect that once you do that, the tools will work.

[yoyebie]

Ok, now the drive shows up in Windows Explorer when I connect it, but the tools still don't work, returning the same error.

[groverito]

I have the same error 048F can not restore or return to another cfw o ofw

my pen toshiba transmemory 16gb

[ghost]

Got the Toshiba TransMemory-MX as well and after dumping original fw and flashing custom fw I can't use tools. I receive the following:

FATAL: System.InvalidOperationException: DeviceIoControl failed: 0079 bei DriveCom.PhisonDevice._SendCommand(SafeFileHandle handle, Byte[] cmd, Byt e[] data, Int32 bytesExpected) in ...\DriveCom\DriveCom\PhisonDevice.cs:Zeile 365. bei DriveCom.PhisonDevice.SendCommand(Byte[] cmd, Int32 bytesExpected) in...\DriveCom ßDriveCom\PhisonDevice.cs:Zeile 295. bei DriveCom.PhisonDevice.RequestVendorInfo() in...\DriveCom\DriveCom\PhisonDevice.cs:Zeile 140. bei DriveCom.PhisonDevice.GetChipType() in...\DriveCom\DriveCom\PhisonDevice.cs:Zeile 170. bei DriveCom.Startup._GetInfo() in ...\DriveCom\DriveCom\Startup.cs:Zeile 384. bei DriveCom.Startup._SendFirmware() in ...\DriveCom\DriveCom\Startup.cs:Zeile 365. bei DriveCom.Startup.Main(String[] args) in...\DriveCom\DriveCom\Startup.cs:Zeile 114.

Any suggestions what to do?

edit: At least I can use DriveCom.exe /drive=E /action=GetNumLBAs without getting errors. edit2: After setting to BootMode I can't even use DriveCom.exe /drive=E /action=GetNumLBAs any longer: FATAL: System.InvalidOperationException: DeviceIoControl failed: 0006

[groverito]

i have repair my toshiba ,0006 is error no comonicacion .

DriveCom.exe /drive=E /action=SetBootMode ,or manual boot mode is Recommended safer

DriveCom.exe /drive=E /action=SendExecutable /burner=BN03V104M.bin

DriveCom.exe /drive=e /action=SendFirmware /burner=BN03V104M.bin /firmware=cfw.bin

[ghost]

Thanks for reply, but still not working for me. When I want to sSendExecutable I get error again:

FATAL: System.InvalidOperationException: DeviceIoControl failed: 0079

[groverito]

https://github.com/adamcaudill/Psychson/tree/master/docs docs/PinsToShortUponPlugInForBootMode.jpg Fixed Manual boot mode and then led

DriveCom.exe / drive = E / action = SendExecutable /burner=BN03V104M.bin

[air101]

Hello,

does anyone have a low level format tool for Toshiba TransMemory-MX USB 3.0 16GB ? Or working stock firmware? I can write images and send "SendExecutable /burner=BN03V104M.bin" but cant get it to work as "normal" usb stick again ;)

Thanks

[phaq01]

@air101 Did you get a rubber duck sample working with that stick?

[aminazek]

Hi,

I've managed to inject Rubber Ducky's "Hello World" into my Toshiba TransMemory-MX USB 3.0 16GB. Based on my testing, so far it works on Win7 (32 bit) but NOT on Win7 (64 bit).

Right now, I'm facing the same problem by not able to "SendFirmware" to my Toshiba's thumdrive. I can see the drive label and I can do "SetBootMode" . But "SendFirmware" and "GetInfo" failed.

Thanks.

[air101]

@phaq01 Yes, the rubber duck sample works with that stick. I've tested it on Win 8.1 64Bit, Win7 64Bit and Windows XP. @aminazek SendFirmware works when you do the Hardware Boot Mode (Short Pin2+3) but cant get it to work as "normal" USB Stick again. Apparently my DumpFirmware is corrupted. Do you have the Backup of your Firmware?

[aminazek]

@air101 Please try this firmware (see attachment).

[air101]

@aminazek I dont see an Attachment?

[ghost]

Here is my dump of original FW from Toshiba TransMemory-MX USB 3.0 16GB black. Just rename to .bin

[ghost]

Ok, after I manually set the device to bootmode at least "something" happened:

...DriveCom.exe /drive=E /action=SendFirmware /burner=BN03V104M.BIN /firmware=orig_fw.bin Action specified: SendFirmware Gathering information... Reported chip type: 2303 Reported chip ID: 98-3A-A8-92-76-57 Reported firmware version: 1.01.10 Mode: BootMode Rebooting... Sending firmware... Executing... FATAL: System.InvalidOperationException: DeviceIoControl failed: 0079 bei DriveCom.PhisonDevice._SendCommand(SafeFileHandle handle, Byte[] cmd, Byt e[] data, Int32 bytesExpected) in ...\DriveCom\DriveCom\PhisonDevice.cs:Zeile 365. bei DriveCom.PhisonDevice.SendCommand(Byte[] cmd, Byte[] data) in ...\DriveCom\DriveCom\PhisonDevice.cs:Zeile 314. bei DriveCom.PhisonDevice.SendCommand(Byte[] cmd) in ...\DriveCom\DriveCom\PhisonDevice.cs:Zeile 304. bei DriveCom.PhisonDevice.JumpToPRAM() in ...\DriveCom\DriveCom\PhisonDevice.cs:Zeile 228. bei DriveCom.Startup._RunFirmware(String fileName) in ...\DriveCom\DriveCom\Startup.cs:Zeile 439. bei DriveCom.Startup._SendFirmware() in ...\DriveCom\DriveCom\Startup.cs:Zeile 378. bei DriveCom.Startup.Main(String[] args) in ...\DriveCom\DriveCom\Startup.cs:Zeile 114.

Without (manually) setting to bootmoode anything before "FATAL" does not appear. The problem is there is still the problem. ;)

While opening the device's case, I realised that there is no Phison-Chip inside (see picture). May this be the problem? It is the Toshiba TransMemory-MX 16GB black, which ist listed in the supported devices... maybe a mistake?

I hope anyone could help with this.

[ghost]

Ok, last update: after manual bootmode I installed a custom fw without problems. The Hello World Payload is working. I can't restore original fw but I can use custom fw now. Problem solved.

[phaq01]

Maybe this link is helpfull: http://www.flashdrive-repair.com/2014/01/how-to-format-Phison-ps2251-03-ps2303-up303-Toshiba-TC58NC2303G5T-chip-controller.html

[Gaara4]

@CitNils and all other

I habe the same problem after flashing the Hello Wold Demo. Could anyone make a picture with the pin with this stick need to use for the Bootmode? Its the same like CitNils´s

[cubic3d]

@Gaara4 look in the docs/ directory of the source.

[Gaara4]

This stick doesn´t looks like my stick. https://cloud.githubusercontent.com/assets/9080593/4591190/2a5e93da-5069-11e4-9daa-9e22539ec801.JPG

[cubic3d]

Must be same pin layout, I think they just rebranded the Physon chip.

[Gaara4]

This ? http://www.directupload.net/file/d/3771/ebzmc8gx_jpg.htm

I trys often with a pocket knife. I hold the pocket knife to pin 2 or 3. If the LED flashes i remove the knife, but the Bootmod not start.

[air101]

@Gaara4 I have the same Toshiba Stick. Its just a rebranded Phison. @CitNils and @aminazek Thank you for the firmware. I can test it out on Monday.

[sbatman]

Hi guys, I've been fighting the same set of issues too, the software boot mode doesnt work and hardware boot mode is a little tricky but seem to have it nailed.

Might be wrong but is working for me with this drive :

These are the pins i've been using and are working reliably now http://imgur.com/yf85fIR Contact the pins before and whilst plugging the drive in and the light should remain lit, if it goes off or flashes before you've sent the first command that means its not in boot mode and try again.

send the executable : DriveCom.exe / drive = E / action = SendExecutable /burner=BN03V104M.bin (i've been using 114m instead)

then send your custom firmware as normal

Hope this info is of use to you guys :)

[cubic3d]

@Gaara4 Wrong pins. Look again at the image, there's a red dot marker. Hint: pins are on the left side.

[Gaara4]

Everything works know thanks all. It is normal then you can´t use the stick normaly after the patching fw?

[pascalschmiederer]

Don't use a USB Hub for flashing. It will not work. After I connected the Stick (DataTraveler 111 32GB) directly to the USB Port and set the Boot Mode via the two Pins, I was able to flash the original Firmware again. :)

And yes it is normaly that you cant use it. While somebody writes a custom Firmware for your stick, that is able to talk to the flash of the stick. :(

[Gaara4]

@pascalschmiederer thank you for your answer, i actually knows it but thanks ^^

[linuxFR]

@CitNils Could you explain how you boot in manual mode ? thanks

[ghost]

@linuxFR Take a look at this picture: https://cloud.githubusercontent.com/assets/9080593/4591190/2a5e93da-5069-11e4-9daa-9e22539ec801.JPG

You can boot manually, if you unplug the device, put a needle (or some other very small/fine metalthing) between pin 2 and 3 at the side above the TOSHIBA label. According to the picture it would be left side of the chip and the second and third pin counting upside down. With the needle at the pins you have to replug the device and wait for ~1 second, remove the needle and the stick is in boot mode (lamp keeps glowing). Now you can flash, but to me it only worked for custom firmware and I couldn't get back to original firmware.

Hope I could help.

[ka1ias]

The first thing I made I dumped the original firmware, then dumped it again and again, making a total of 5 copies - and each and every copy is different. Very much different. And when I compare them to "stock fw" I don't think any of those dumps is valid.

[linuxFR]

@CitNils Thanks I will try this.

And I don't know if it helps but I have a Toshiba TransMemory-MX 8GB and my original firmware is very different than yours.

[ghost]

@linuxFR Hm, maybe the 8GB version is not supported: https://github.com/adamcaudill/Psychson/issues/4

But good luck!

[linuxFR]

@CitNils I can confirm that I inject Rubber Ducky's "Hello World" without any problem.

[phaq01]

@linuxFR Have a look at sbatman's pic http://imgur.com/yf85fIR - these pins worked for me to get the toshiba stick into boot mode.

[Foppel81]

Can somebody test this firmware: FW03FF01V10053M.BIN with burner Image: BN03V101.BIN from Phison_MPALL_v3.63.0D_for_Netac.rar Source: http://flashboot.ru/flash_recovery/2014/02/03/snyatie-zaschity-ot-zapisi-toshiba-16g.html

[linuxFR]

@phaq01 CitNils's explanation works for me.

If you see the docs it's :

• pin 46 (VCC3IO -> 3.3V IO power)
• pin 47 (PO_FLH_CEB -> Flash chip enable)

[kamilsss655]

Where do i find stock firmware for PATRIOT Supersonic Xpress 8GB (2251-07) ? I bricked it ..

[ghost]

I was able to restore a Toshiba USB stick using this: http://flashboot.ru/forum/index.php?topic=24989.0

[scomans]

Flashing FW03FF01V10353M.BIN restored the USB stick for me.

Edit: Model: Toshiba TransMemory-MX™ Black 16 GB

[Foppel81]

To restore your Toshiba USB Stick to a flash disk you can do the following steps:

1. Bring it Into Boot Mode
2. Download and extract: MPALL_v3.63_0D
3. Create QC.ini with following content: [PenDriveMP] IC Type=PS2251-03 [Parameter Mark] Parameter Type=F1_MP_21 [Customize Info] USB VID=0x13FE USB PID=0x5200 String Product Name=USB DISK 3.0 String Manufacturer Name=Toshiba Inquiry Version=PMAP [Configuration] Reset Serial Number=0 Partition Boundary MB=999999999 [TestItemOption] Do Preformat Test=1 [Extra] Mode=3 [Misc] Privacy Volume Label=USB DISK Wafer Erase All=1 set1667=0x00 [Advance] FC1=0xFF FC2=0x01 CheckUSBConnectorType=0x22 [Firmware] ISP=1 Burner File=BN03V101.BIN Firmware Name=FW03FF01V10053M.BIN
4. Start: MPALL_F2_v363_0D.exe -> Click on Start
5. Unplug the stick after finishing
6. Mode 3 will use the complete storage (Windows will see only a few MB Storage on the first partition of the stick. I used cfdisk from ubuntu to erase the first partition and create one big partition. You can also use the Windows Tool: Restore-v3.13.0.0.rar to restore the storage. After that you can format it with windows.)
7. Now you have a brand new Flash Stick with 14,44 GB Memory free :)

[ludovic-decampy]

@Foppel81

What do you mean about the download mode? Is it about jumping the pins on the chip? or is it something else?

Thanks

[Foppel81]

@ludovic-decampy Yes that's right. Sorry in this case they call it BootMode. Keep in mind. If you flash the firmware file for the first time the DriveCom Program will reboot the flash disk with the Command: 0x06, 0xBF into BootMode. But this software Command will only work with Toshibas stock firmware. So if you try to get into the BootMode with the Command:

DriveCom.exe /drive=E /action=SetBootMode

it will not work anymore. At this point you have to connect this two pins to geht into Bootmode. I hope this picture is good enough:

http://s14.directupload.net/images/141016/rdp6bktt.jpg

If you get write errors, try the following:

• disconnect the stick and start it again into BootMode
• dont use long USB cables
• dont use USB Hubs for flashing

[mkleiber]

@Foppel81 Great! That worked for my TOSHIBA TransMemory-MX 16GB. If you set "Mode=3" instead of "Mode=7" in QC.ini then all space will be in one partition and you don't need to re-partition it. Mode 7 splits the space into two partitions, usually a public and a hidden one (look for "Production Tool - ParamEdt User Manual v1.1.pdf" in the web).

[mkleiber]

@Foppel81 In addition I successfully tried the following combinations of burner and firmware files: BN03V101.BIN + FW03FF01V10053M.BIN BN03V104.BIN + FW03FF01V10053M.BIN BN03V104.BIN + FW03FF01V10353M.BIN

And by replacing "IDBLK_TIMING.dll" in "Phison MPALL v3.63.0D for Netac" with the one in "idblk_timing_v12590.rar" (see at http://www.usbdev.ru/files/phison/) even this combination worked: BN03V104M.BIN + FW03FF01V10353M.BIN

But I had NO luck with some other combinations (e.g. BN03V101.BIN + FW03FF01V10353M.BIN) and the custom firmware (BN03V104.BIN + CFW.BIN, BN03V104M.BIN + CFW.BIN). Always got the error "Read OnlyPage 0x6018".

[ludovic-decampy]

@Foppel81 Thanks, I'll try this week-end, I'll give a feedback on it

[mkleiber]

@ka1ias I can confirm what you said. All my firmware dumps are different and I'm quite sure they are corrupted. If you look inside the dumps there is only few data and a lot of zeros. The firmware files from http://www.usbdev.ru/files/phison/ look completely different.

[gfleck]

@yoyebie Hello.

Did you succeed recover the Patriot 8GB Supersonic Xpress? I already try recover with Phison MPALL tools but didn't work.

The device letter appear on my system, but when I try GetInfo the error "Device not found" shown.

Thanks.

[wiederma]

Hello everyone,

I would like to share my experience here. I am working with a SanDisk Ultra 16GB USB3.0 flash drive.

In the very beginning I did a GetInfo with DriveCom, here is what I got:

DriveCom.exe /drive=E /action=GetInfo Action specified: GetInfo Gathering information... Reported chip type: 2303 Reported chip ID: 45-DE-94-93-76-D7 Reported firmware version: 1.09.10 Mode: Firmware

In order to retrieve the original firmware on the chip of the flash drive, I dumped the firmware following the explanations in the wiki:

First setting the device in BootMode, using a burner and then dumping the firmware: DriveCom.exe /drive=E /action=SetBootMode DriveCom.exe /drive=E /action=SendExecutable /burner=BN03V104M.BIN DriveCom.exe /drive=E /action=DumpFirmware /firmware=dump.bin

After that, the device replied to GetInfo like this:

DriveCom.exe /drive=E /action=GetInfo Action specified: GetInfo Gathering information... Reported chip type: 2302 Reported chip ID: 45-DE-94-93-76-D7 Reported firmware version: 1.01.10 Mode: Burner

I was able to create an inject.bin with the DuckEncoder and embed it into the new compiled firmware from the github trunk tree like this: EmbedPayload.exe inject.bin fw.bin

Flashing the modified firmware to the chip worked like a charm DriveCom.exe /drive=E /action=SendFirmware /burner=BN03V104M.BIN /firmware=fw.bin

And the flash drive behaves like expected: Plug it in, wait 3 seconds and then notepad is opened and "Hello World" is written.

Ok, now the problems: I am not any long able to reflash the firmware on the chip. /action=GetNumLBAs replies with something that makes sense, but /action=GetInfo or /action=SendExecutable gives me a "DeviceIoControl failed: 0079" error /action=SetBootMode seems to be performed but the error still keeps the same.

Any further ideas except for taking the stick apart and shorting the pins?

[mertsarica]

Hey @wiederma I have the same stick. You injected it without downgrading it from v1.09.10 to v1.03.53 ? Mine is v1.08.53 btw.