brandonlw / Psychson

Phison 2251-03 (2303) Custom Firmware & Existing Firmware Patches (BadUSB)
MIT License

2251-67 #3

Closed aspcartman closed 10 years ago

aspcartman commented 10 years ago

Docs are missing clarity. I built everything and am almost ready to flash my payload, but I don't get one thing: what is the "custom firmware" the wiki talks about?

I have an original FW (downloaded elsewhere, same version, as my drive has now) and a burner for my 2251-67 (2267). I've generated a hello world payload. Next step? ...

I guess I need to rename my FW file, put it somewhere and run build.bat - it seems it compiles stuff, checks my FW, patches it, and then I can inject my payload?

aspcartman commented 10 years ago

Obviously not that simple. It doesn't find the 1234567 signature. So my fw has to be patched? But the patcher can't get the 'scsi_tag' variable from my fw (I guess it should generate it in the .h file?)... So... how do I make a rubber ducky of my drive? =)

ghost commented 10 years ago

Hi @aspcartman, the firmware for the 2251-67 is quite different from the 2251-03, the model we built this against. It's possible that in the future, support could be added for that model, but it's not supported today.

If you want to take advantage of this, I suggest getting the Patriot 8GB Supersonic Xpress, as it's known to work.

aspcartman commented 10 years ago

So fast to close the issue...

I would like to contribute. If I get my hands on 2251-67 and 2251-03 datasheets I could make appropriate changes and commit. Just tell me what steps are needed to generate a ducky fw for 2251-03? The current readme.md is misleading: what is patching for, do I need it, what are template fw...

aspcartman commented 10 years ago

Also, even if I get my hands on 2251-03 flash drive tomorrow, do I understand it right, that I need to:

  1. Build custom fw by running build.bat in \firmware
  2. Generate a payload with duckencoder
  3. Embed it into the just-built fw.bin using EmbedPayload
  4. Flash my drive using DriveCom

Is that correct? Just killed 2 pendrives already =(

GulfBull commented 10 years ago

I tried running the process as well as I could without injecting anything into the dumped firmware. This is the output I got running it on two 2251-67 chipsets from different device manufacturers running two different firmware versions. On the first device I tried both the dumped firmware and the compiled firmware - without any luck.

I'll dump the output here, in case anyone can use it for anything. The 67 seems to be very popular. (Btw. I had trouble flashing the firmware I got from the MPALL tool: http://flashboot.ru/files/file/398/ - I'll give it another shot after some sleep).

  /////////////////////////////////////////////////////// FIRST DEVICE  \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
  C:\Users\Bull\Desktop\Firmware\tools>DriveCom.exe /drive=G /action=SetBootMode
  Action specified: SetBootMode

  C:\Users\Bull\Desktop\Firmware\tools>DriveCom.exe /drive=G /action=SendExecutabl
  e /burner=BN67V101M.BIN
  Action specified: SendExecutable

  C:\Users\Bull\Desktop\Firmware\tools>DriveCom.exe /drive=G /action=DumpFirmware
  /firmware=fw.BIN
  Action specified: DumpFirmware

  /////////////////////////////////// DUMPED FIRMWARE \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
  C:\Users\Bull\Desktop\Firmware\tools>DriveCom.exe /drive=G /action=SendFirmware
  /burner=BN67V101M.BIN /firmware=fw.BIN
  Action specified: SendFirmware
  Gathering information...
  Reported chip type: 2261
  Reported chip ID: 98-DE-94-82-76-56
  Reported firmware version: 1.01.10
  Mode: Burner
  Rebooting...
  Sending firmware...
  FATAL: System.InvalidOperationException: Header not accepted
     at DriveCom.PhisonDevice.TransferFile(Byte[] data, Byte header, Byte body) in
   c:\Users\Bull\Desktop\Firmware\DriveCom\DriveCom\PhisonDevice.cs:line 256
     at DriveCom.Startup._RunFirmware(String fileName) in c:\Users\Bull\Desktop\Fi
  rmware\DriveCom\DriveCom\Startup.cs:line 427
     at DriveCom.Startup._SendFirmware() in c:\Users\Bull\Desktop\Firmware\DriveCo
  m\DriveCom\Startup.cs:line 378
     at DriveCom.Startup.Main(String[] args) in c:\Users\Bull\Desktop\Firmware\Dri
  veCom\DriveCom\Startup.cs:line 114

  /////////////////////////////////// FIRMWARE CREATED USING THE BUILD.BAT \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
  C:\Users\Bull\Desktop\Firmware\tools>DriveCom.exe /drive=G /action=SendFirmware
  /burner=BN67V101M.BIN /firmware=fw2.bin
  Action specified: SendFirmware
  Gathering information...
  Reported chip type: 2267
  Reported chip ID: 98-DE-94-82-76-56
  Reported firmware version: 6.04.30
  Mode: Firmware
  Switching to boot mode...
  FATAL: System.InvalidOperationException: DeviceIoControl failed: 0002
     at DriveCom.PhisonDevice._SendCommand(SafeFileHandle handle, Byte[] cmd, Byt
  e[] data, Int32 bytesExpected) in c:\Users\Bull\Desktop\Firmware\DriveCom\DriveCo
  m\PhisonDevice.cs:line 365
     at DriveCom.PhisonDevice.SendCommand(Byte[] cmd, Byte[] data) in c:\Users\Bullt\Desktop\Firmware\DriveCom\DriveCom\PhisonDevice.cs:line 314
     at DriveCom.PhisonDevice.TransferFile(Byte[] data, Byte header, Byte body) in
   c:\Users\Bull\Desktop\Firmware\DriveCom\DriveCom\PhisonDevice.cs:line 246
     at DriveCom.PhisonDevice.TransferFile(Byte[] data) in c:\Users\Bull\Desktop\F
  irmware\DriveCom\DriveCom\PhisonDevice.cs:line 238
     at DriveCom.Startup._ExecuteImage(String fileName) in c:\Users\Bull\Desktop\F
  irmware\DriveCom\DriveCom\Startup.cs:line 403
     at DriveCom.Startup._SendFirmware() in c:\Users\Bull\Desktop\Firmware\DriveCo
  m\DriveCom\Startup.cs:line 375
     at DriveCom.Startup.Main(String[] args) in c:\Users\Bull\Desktop\Firmware\Dri
  veCom\DriveCom\Startup.cs:line 114

  //////////////////////////////////////////// SECOND DEVICE \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
  C:\Users\Bull\Desktop\Firmware\tools>DriveCom.exe /drive=G /action=SetBootMode
  Action specified: SetBootMode

  C:\Users\Bull\Desktop\Firmware\tools>DriveCom.exe /drive=G /action=SendExecutabl
  e /burner=BN67V101M.BIN
  Action specified: SendExecutable

  C:\Users\Bull\Desktop\Firmware\tools>DriveCom.exe /drive=G /action=DumpFirmware
  /firmware=ny.bin
  Action specified: DumpFirmware

  C:\Users\Bull\Desktop\Firmware\tools>DriveCom.exe /drive=G /action=SendFirmware
  /burner=BN67V101M.BIN /firmware=ny.bin
  Action specified: SendFirmware
  Gathering information...
  Reported chip type: 2261
  Reported chip ID: 98-DE-DE-DE-DE-DE
  Reported firmware version: 1.01.10
  Mode: Burner
  Rebooting...
  Sending firmware...
  FATAL: System.InvalidOperationException: Header not accepted
     at DriveCom.PhisonDevice.TransferFile(Byte[] data, Byte header, Byte body) in
   c:\Users\Bull\Desktop\Firmware\DriveCom\DriveCom\PhisonDevice.cs:line 256
     at DriveCom.Startup._RunFirmware(String fileName) in c:\Users\Bull\Desktop\Fi
  rmware\DriveCom\DriveCom\Startup.cs:line 427
     at DriveCom.Startup._SendFirmware() in c:\Users\Bull\Desktop\Firmware\DriveCo
  m\DriveCom\Startup.cs:line 378
     at DriveCom.Startup.Main(String[] args) in c:\Users\Bull\Desktop\Firmware\Dri
  veCom\DriveCom\Startup.cs:line 114

aspcartman commented 10 years ago

I guess this work was done for USB3.0 controllers and it won't work with 2067...

ghost commented 10 years ago

@aspcartman

If I get my hands on 2251-67 and 2251-03 datasheets I could make appropriate changes and commit.

This is one of the issues with this project - we don't have solid documentation for any of the controllers. So it's all reverse engineering. So figuring out what to change takes quite a bit of effort. The -67 and other USB 2.0 drives use a significantly different firmware than the USB 3.0 devices (such as the -03).

It would be nice to get this working with the -67 and other common Phison USB 2.0 controllers, but it won't be simple.

I guess this work was done for USB3.0 controllers and it won't work with 2067...

Based on the Phison web site, they are only marketing the USB 3.0 based controllers now, as such, it made sense for us to focus on those. I'm hoping that we can support older controllers in the future, but the code we have today doesn't.

aspcartman commented 10 years ago

I bought 6 drives today. Googled them to be 2303, but I guess Fortuna was drunk after all:

Silicon Power M01 8GB X
Gathering information...
Reported chip type: 2307
Reported chip ID: 98-DE-98-92-72-D7
Reported firmware version: 1.00.53
Mode: Firmware

Silicon Power M01 8GB Y
Gathering information...
Reported chip type: 2307
Reported chip ID: 45-DE-94-93-76-57
Reported firmware version: 1.01.10
Mode: Firmware

Silicon Power M01 32GB
Gathering information...
Reported chip type: 2306
Reported chip ID: 2C-84-78-63-A9-00
Reported firmware version: 1.02.10
Mode: Firmware

Kingstone DataTraveler 100 G3 8GB
Gathering information...
Reported chip type: 2307
Reported chip ID: 98-DE-98-92-72-50
Reported firmware version: 1.02.53
Mode: Firmware

Kingstone DataTraveler 100 G3 16GB
Gathering information...
Reported chip type: 2307
Reported chip ID: 98-3A-A8-92-76-50
Reported firmware version: 2.02.53
Mode: Firmware

Kingstone DataTraveler DTM30 16GB
Gathering information...
Reported chip type: 2307
Reported chip ID: 98-3A-A8-92-76-D7
Reported firmware version: 1.01.53
Mode: Firmware

I'm actually having progress with 2307. But I don't get the patch stage: I don't need password nor drive patches, I want only an ability to quack.

I tried to patch my fw and, at least, the correct .h file was generated, but the process crashed.

C:\Users\aspcartman\Desktop\Psychson-master\patch>build.bat
*** Generating C .h file...
Action: GenerateHFile
Firmware image: fw.bin
WARNING! This firmware version has not been verified to work with these patches.

Output file: equates.h
Generating .h file...
Done.
*** Building base.c...
*** Retrieving free space in image...
Action: FindFreeBlock
Firmware image: fw.bin
WARNING! This firmware version has not been verified to work with these patches.

Section: Base
Output file: bin\free.txt
Retriving free space...
Done.
*** Linking...
hex2bin v1.0.1, Copyright (C) 1999 Jacques Pelletier
Lowest address = 00005FFF
Highest address = 0000619B
*** Injecting...
Action: ApplyPatches
Firmware image: fw.bin
WARNING! This firmware version has not been verified to work with these patches.

code Base file: bin\output.bin
rst Base file: bin\base.rst
Output file: bin\fw.bin
Applying patches...
Injector v1.0.0
Actions:
        GenerateHFile   Generates C .h file of common XRAM & function equates.
        FindFreeBlock   Writes amount of free space for a section to file.
        ApplyPatches    Applies available patches from code into firmware image.

FATAL: System.ArgumentException: Destination array was not long enough. Check de
stIndex and length, and the array's lower bounds.
   at System.Array.Copy(Array sourceArray, Int32 sourceIndex, Array destinationA
rray, Int32 destinationIndex, Int32 length, Boolean reliable)
   at System.Array.Copy(Array sourceArray, Int32 sourceIndex, Array destinationA
rray, Int32 destinationIndex, Int32 length)
   at Injector.Startup._ApplyPatches() in c:\Users\ASPCartman\Desktop\Psychson-m
aster\Injector\Injector\Startup.cs:line 334
   at Injector.Startup.Main(String[] args) in c:\Users\ASPCartman\Desktop\Psychs
on-master\Injector\Injector\Startup.cs:line 127
*** There were errors! ***
*** Done.

I guess I have to investigate the sources and make changes.

aspcartman commented 10 years ago

@adamcaudill could you please point me towards my goal?

1. Even if I had 2303, what stages should I do to get a rubber ducky, for starters? My guess is:

  1. Apply a patch to my current fw (downloaded or dumped) with both defines commented.
  2. Embed a payload.
  3. Flash. Is that correct?

2. Could you please point me to where to look for 2303 and 2307 differences?

ghost commented 10 years ago

@aspcartman The 'Rubber Ducky' setup doesn't actually patch the existing firmware - it's a complete replacement. It's handled in a very different way than the others.

You build an inject.bin as you would for the rubber ducky, then make a copy of the CFW.bin file that's in the release - it's the compiled custom firmware. Use tools\EmbedPayload.exe to embed the inject.bin file in the copy of CFW.bin, then use tools\DriveCom.exe to send the firmware to the device.

The inject.bin file can only be at a maximum of around 16KB right now, as it's actually embedded in the firmware - the custom firmware doesn't access the NAND at all.

As to the 2251-07 (2307), it seems to be a simplified version of the -03, we have at least one, but haven't had time to study its firmware at all. Hopefully it's similar enough that it'll require minimal changes, but we aren't sure yet.

aspcartman commented 10 years ago

Hm. If I understand it correctly, the RubberDucky can't be embedded into a vanilla firmware or a patched (\patch) vanilla firmware? So to make RubberDucky work I need to somehow modify \firmware to support 2307?

What is the FindFreeBlock action in the patch for? Tomorrow I'll check all the code, but any explanation could make a difference =).

You tell me, that

This is one of the issues with this project - we don't have solid documentation for any of the controllers. So it's all reverse engineering.

Ok, having no datasheets, where do I start then?

brandonlw commented 10 years ago

To understand how other controllers work, you're going to have to disassemble the 8051 firmware and study how it interacts with its hardware.

raif7 commented 10 years ago

So, what tools do I use to disassemble the 8051 firmware?

lkos commented 10 years ago

I don't feel very competent, but I would say there are at least two options:

I would prefer the second option :).

brandonlw commented 10 years ago

Seeing as how it's very unlikely this will ever support the USB 2.0 PS2251-67 controller, I'm closing this issue.

B00sterman commented 9 years ago

Hopefully there will be support for 2207 in the future :/ I can't for the love of god work out how I'd need to change the firmware...

DataDrug commented 8 years ago

I've been scavenging all the web and local stores for 2251-03 and nothing found so far.

Is there any other compatible IC?