SATA adapters » History » Version 1
Karsten, 11/11/2014 03:27 PM
| 1 | 1 | Karsten | h1. SATA adapters |
|---|---|---|---|
| 2 | |||
| 3 | USB sata bridges (small dongles up to small desktop boxes) can be expected to have upgradable firmware in general. By specification they are required to have 1 ctrl + 2 bulk endpoints. |
||
| 4 | |||
| 5 | h2. Controllers |
||
| 6 | |||
| 7 | *Notes Legend* |
||
| 8 | img: firmware image available |
||
| 9 | viaUSB: firmware update via usb bus (according to advertisement) |
||
| 10 | |||
| 11 | |_.Company |_.Models |_.Notes | |
||
| 12 | |JMicron |JMS539,JSM559,JMS567,JMS551,... |img 8051 viaUSB | |
||
| 13 | |ASMedia |1153 |img 8051 viaUSB | |
||
| 14 | |TI |TUSB9 260 |cortexM3 viaUSB | |
||
| 15 | |Fujitsu |MB86C30A |img ARM7 TDMI-S viaUSB| |
||
| 16 | |Prolific |PL2571,PL2771,PL2773,PL2775 |img 8051 viaUSB | |
||
| 17 | |VIA |VL700,VL701 |img 8051 viaUSB | |
||
| 18 | |Genesys |GL3310,GL3321G |? | |
||
| 19 | |Norelsys |NS1066 |img 8051 viaUSB | |
||
| 20 | |LucidPort |USB300,USB302 |? | |
||
| 21 | |||
| 22 | h2. Disassembled devices |
||
| 23 | |||
| 24 | h3. LogiLink AU0028A |
||
| 25 | |||
| 26 | * ASMedia 1051e |
||
| 27 | * Windows firmware updater .exe available |
||
| 28 | * Extracting exe file with binwalk results in firmware binary |
||
| 29 | * Contains valid 8051 code with interrupt table and USB Descriptors |
||
| 30 | * => %{color:red}Most likely vulnerable% |
||
| 31 | |||
| 32 | h3. Buffalo HD-HXU3 |
||
| 33 | |||
| 34 | * Fujitsu MB86C30A USB 3.0 to SATA Storage Controller |
||
| 35 | * Google images shows SPI flash on PCB |
||
| 36 | * No leaked tools available but a user manual on Baidu mentions that the chip has a maintenance mode, which can probably be used for upgrading the firmware |
||
| 37 | * => %{color:red}Most likely vulnerable% |
||
| 38 | |||
| 39 | h3. Unitek Y-3322 |
||
| 40 | |||
| 41 | * JMicron JMS551 SuperSpeed USB to 2 ports SATA II 3.0G Bridge |
||
| 42 | * Leaked tools for JMS551 chip are available |
||
| 43 | * No PCB Photo found, it is unclear whether the device has an SPI Flash or not |
||
| 44 | * * => %{color:orange}Probably vulnerable% |
||
| 45 | |||
| 46 | h3. Unknown USB 2.0 to SATA Adapter [from lab, case already missing] |
||
| 47 | |||
| 48 | * JMicron JM20329 chip with ATML H820\n46d |
||
| 49 | * Support external NVRAM for vendor specific VID/PID of USB Device Controller |
||
| 50 | => %{color:green}Most likely not vulnerable% |
||
| 51 | |||
| 52 | h3. LogiLink AU0006D USB IDE & SATA Adapter wit OTB function |
||
| 53 | |||
| 54 | * JM20337, no external flash/eeprom |
||
| 55 | * Chip supports external EEPROM for configuration only |
||
| 56 | => %{color:green}Most likely not vulnerable% |
||
| 57 | |||
| 58 | h3. External 2.5 case USB + ESATA: |
||
| 59 | |||
| 60 | * Sunplus SPIF225A-HL239, second chip is just a voltage regulator for SATA 3.3V |
||
| 61 | * 8051 Controller with 32K ROM and 768B RAM |
||
| 62 | => %{color:green}Most likely not vulnerable% |
||
| 63 | |||
| 64 | h3. ORICO 3 SATA HDD USB2.0 Adapter |
||
| 65 | |||
| 66 | * APM4435 (MOSFET) |
||
| 67 | * AX3121 (Step-Down Convertor) |
||
| 68 | * Pm25LD512 (64 KiB SPI Flash) |
||
| 69 | * JMB352U (USB Sata Bridge) |
||
| 70 | * 60MIPS 8051 with 64k-byte mask ROM |
||
| 71 | * Official datasheet says that external storage is used for configuration data |
||
| 72 | * But: http://www.jmicron.com/solution06.html |
||
| 73 | The first application of the JMB352U: a 1:1 HDD duplicator. The USB 2.0 port is utilized to update the JMB352U firmware only, while the eSATA port can be used to access the data in the two SATA devices |
||
| 74 | => Firmware is upgradeable via USB |
||
| 75 | => Could not find any leaked firmware files/tools but it is not too difficult to unsolder and read out the SPI flash |
||
| 76 | => %{color:red}Most likely vulnerable% |