Project

General

Profile

SD card adapters » History » Version 1

Karsten, 11/11/2014 03:27 PM

1 1 Karsten
h1. SD card adapters
2
3
h2. Disassembled devices
4
5
h3. Cheap noname USB2.0 SD card reader
6
7
* AU6331 no flash chip, only voltage regulator, ROM only
8
* => %{color:green}Most likely not vulnerable%
9
10
h3. HAMA USB3 Cardreader all in one
11
12
* Genesys Logic GL3220 with pm25lv512 SPI Flash (512 Kbit / 64 KiB)
13
* SPI Flash is probably used for firmware
14
* 8051 Core with ROM (probably bootloader and/or default firmware) and RAM
15
* It supports ISP (In System Programming) for firmware upgrade from the external SPI Flash via USB port => Most likely vulnerable
16
* We could unsolder and read out the flash chip to dump the firmware
17
Firmware upgrades (including Windows tools) available, two different firmware images: Version TS22 and Version 551
18
  http://www.necacom.net/index.php/genesys/8243-genesys-logic-gl3220-usb-3-0-card-reader-firmware-551
19
  http://www.station-drivers.com/index.php/downloads/Drivers/Genesys-Logic/USB-3.0/
20
=> Contains binary firmware file 0551.bin with 64 KiB size => Heuristics indicate that the file is raw 8051 code mapped directly into the code address space of the 8051.
21
=> %{color:red}Most likely vulnerable%, practical reversing and firmware patching could start very quickly
22
23
h3. Unknown multi-card reader [from lab, case already missing]
24
25
* AU6477CL, no additional chips
26
* 30MHz 8051 CPU, ROM only
27
* Chip doesn't even support external SPI Flash
28
=> %{color:green}Most likely not vulnerable%
29
30
h3. Noname (yellow) USB 2.0 SD Card reader from lab
31
32
* AU6331
33
* Processor (unknown architecture) with ROM
34
=> %{color:green}Most likely not vulnerable%
35
36
h3. Hama USB3.0 SD/MicroSD Reader (Mediamarkt 20141106)
37
38
* RTS5306 with Pm25LD010 (128 KiB SPI Flash)
39
* Datasheet found on obscure Chinese site
40
With the external Serial flash interface, the control firmware could be easily re-configured through
41
USB link.
42
* External SPI Flash is optional according to datasheet, but the particular Hama card reader does contain a flash chip
43
=> %{color:red}Most likely vulnerable%
44
45
h3. RTS5111 (No physical device available)
46
47
* http://www.realtek.com.tw/products/productsView.aspx?Langid=1&PFid=25&Level=4&Conn=3&ProdID=48
48
* The RTS5111 has an internal ROM for MCU programs, and provides an external program flash memory interface for firmware update purposes. Firmware code can be downloaded through the USB interface to the RTS5111, and then be written into external flash memory automatically.
49
=> %{color:red}Most likely vulnerable%
50
51
h3. ISY USB 2.0 Universal card reader ICR 2100 (Mediamarkt 20141106)
52
53
* GL834, no external flash/eeprom
54
* 8051 Controller with integrated ROM
55
* http://www.usbdev.ru/cics/icgenesyslogic/
56
* Chip would support firmware upgrades with an external SPI flash, but this device doesn't have one
57
=> %{color:green}Most likely not vulnerable%
58
59
h3. CSL USB3.0 Cardreader, All-in-One, CSL-Nr 25048
60
61
* GL3233 with PM25LD010 (128 KiB SPI Flash)
62
* Contains 8051 core
63
* Supports ISP (In System Programming) for firmware upgrade into external SPI Flash via USB port.
64
* Leaked firmware upgrades are available
65
=> %{color:red}Most likely vulnerable%