Project

General

Profile

SATA adapters » History » Version 1

Karsten, 11/11/2014 03:27 PM

1 1 Karsten
h1. SATA adapters
2
3
USB sata bridges (small dongles up to small desktop boxes) can be expected to have upgradable firmware in general. By specification they are required to have 1 ctrl + 2 bulk endpoints.
4
5
h2. Controllers
6
7
*Notes Legend*
8
img: firmware image available
9
viaUSB: firmware update via usb bus (according to advertisement)
10
11
|_.Company  |_.Models                         |_.Notes          |
12
|JMicron    |JMS539,JSM559,JMS567,JMS551,...  |img 8051 viaUSB  |
13
|ASMedia    |1153                             |img 8051 viaUSB  |
14
|TI         |TUSB9 260                        |cortexM3 viaUSB  |
15
|Fujitsu    |MB86C30A                         |img ARM7 TDMI-S viaUSB|
16
|Prolific   |PL2571,PL2771,PL2773,PL2775      |img 8051 viaUSB  |
17
|VIA        |VL700,VL701                      |img 8051 viaUSB  |
18
|Genesys    |GL3310,GL3321G                   |?                |
19
|Norelsys   |NS1066                           |img 8051 viaUSB  |
20
|LucidPort  |USB300,USB302                    |?                |
21
22
h2. Disassembled devices
23
24
h3. LogiLink AU0028A
25
26
* ASMedia 1051e
27
* Windows firmware updater .exe available
28
* Extracting exe file with binwalk results in firmware binary
29
* Contains valid 8051 code with interrupt table and USB Descriptors
30
* => %{color:red}Most likely vulnerable%
31
32
h3. Buffalo HD-HXU3 
33
34
* Fujitsu MB86C30A USB 3.0 to SATA Storage Controller
35
* Google images shows SPI flash on PCB
36
* No leaked tools available but a user manual on Baidu mentions that the chip has a maintenance mode, which can probably be used for upgrading the firmware
37
* => %{color:red}Most likely vulnerable%
38
39
h3. Unitek Y-3322 
40
41
* JMicron JMS551 SuperSpeed USB to 2 ports SATA II 3.0G Bridge
42
* Leaked tools for JMS551 chip are available
43
* No PCB Photo found, it is unclear whether the device has an SPI Flash or not
44
* * => %{color:orange}Probably vulnerable%
45
46
h3. Unknown USB 2.0 to SATA Adapter [from lab, case already missing]
47
48
* JMicron JM20329 chip with ATML H820\n46d
49
* Support external NVRAM for vendor specific VID/PID of USB Device Controller
50
=> %{color:green}Most likely not vulnerable%
51
52
h3. LogiLink AU0006D USB IDE & SATA Adapter wit OTB function
53
54
* JM20337, no external flash/eeprom
55
* Chip supports external EEPROM for configuration only
56
=> %{color:green}Most likely not vulnerable%
57
58
h3. External 2.5 case USB + ESATA:
59
60
* Sunplus SPIF225A-HL239, second chip is just a voltage regulator for SATA 3.3V
61
* 8051 Controller with 32K ROM and 768B RAM
62
=> %{color:green}Most likely not vulnerable%
63
64
h3. ORICO 3 SATA HDD USB2.0 Adapter
65
66
* APM4435 (MOSFET)
67
* AX3121 (Step-Down Convertor)
68
* Pm25LD512 (64 KiB SPI Flash)
69
* JMB352U (USB Sata Bridge)
70
* 60MIPS 8051 with 64k-byte mask ROM
71
* Official datasheet says that external storage is used for configuration data
72
* But: http://www.jmicron.com/solution06.html
73
The first application of the JMB352U: a 1:1 HDD duplicator. The USB 2.0 port is utilized to update the JMB352U firmware only, while the eSATA port can be used to access the data in the two SATA devices
74
=> Firmware is upgradeable via USB
75
=> Could not find any leaked firmware files/tools but it is not too difficult to unsolder and read out the SPI flash
76
=> %{color:red}Most likely vulnerable%