Project

General

Profile

Actions

SATA adapters

USB sata bridges (small dongles up to small desktop boxes) can be expected to have upgradable firmware in general. By specification they are required to have 1 ctrl + 2 bulk endpoints.

Controllers

Notes Legend
img: firmware image available
viaUSB: firmware update via usb bus (according to advertisement)

Company Models Notes
JMicron JMS539,JSM559,JMS567,JMS551,... img 8051 viaUSB
ASMedia 1153 img 8051 viaUSB
TI TUSB9 260 cortexM3 viaUSB
Fujitsu MB86C30A img ARM7 TDMI-S viaUSB
Prolific PL2571,PL2771,PL2773,PL2775 img 8051 viaUSB
VIA VL700,VL701 img 8051 viaUSB
Genesys GL3310,GL3321G ?
Norelsys NS1066 img 8051 viaUSB
LucidPort USB300,USB302 ?

Disassembled devices

LogiLink AU0028A

  • ASMedia 1051e
  • Windows firmware updater .exe available
  • Extracting exe file with binwalk results in firmware binary
  • Contains valid 8051 code with interrupt table and USB Descriptors
  • => Most likely vulnerable

Buffalo HD-HXU3

  • Fujitsu MB86C30A USB 3.0 to SATA Storage Controller
  • Google images shows SPI flash on PCB
  • No leaked tools available but a user manual on Baidu mentions that the chip has a maintenance mode, which can probably be used for upgrading the firmware
  • => Most likely vulnerable

Unitek Y-3322

  • JMicron JMS551 SuperSpeed USB to 2 ports SATA II 3.0G Bridge
  • Leaked tools for JMS551 chip are available
  • No PCB Photo found, it is unclear whether the device has an SPI Flash or not
  • * => Probably vulnerable

Unknown USB 2.0 to SATA Adapter [from lab, case already missing]

  • JMicron JM20329 chip with ATML H820\n46d
  • Support external NVRAM for vendor specific VID/PID of USB Device Controller
    => Most likely not vulnerable

LogiLink AU0006D USB IDE & SATA Adapter wit OTB function

  • JM20337, no external flash/eeprom
  • Chip supports external EEPROM for configuration only
    => Most likely not vulnerable

External 2.5 case USB + ESATA:

  • Sunplus SPIF225A-HL239, second chip is just a voltage regulator for SATA 3.3V
  • 8051 Controller with 32K ROM and 768B RAM
    => Most likely not vulnerable

ORICO 3 SATA HDD USB2.0 Adapter

  • APM4435 (MOSFET)
  • AX3121 (Step-Down Convertor)
  • Pm25LD512 (64 KiB SPI Flash)
  • JMB352U (USB Sata Bridge)
  • 60MIPS 8051 with 64k-byte mask ROM
  • Official datasheet says that external storage is used for configuration data
  • But: http://www.jmicron.com/solution06.html
    The first application of the JMB352U: a 1:1 HDD duplicator. The USB 2.0 port is utilized to update the JMB352U firmware only, while the eSATA port can be used to access the data in the two SATA devices
    => Firmware is upgradeable via USB
    => Could not find any leaked firmware files/tools but it is not too difficult to unsolder and read out the SPI flash
    => Most likely vulnerable

Updated by Karsten about 10 years ago · 1 revisions