Slide 1

Slide 1 text

BadUSB 2014/10/23 [email protected]

Slide 2

Slide 2 text

Sources: Gigazine article, 2014/10/6 (URL); Karsten Nohl and Jakob Lell (SRLabs); Adam Caudill and Brandon Wilson.

Slide 3

Slide 3 text

BadUSB — On accessories that turn evil. Karsten Nohl, Sascha Krißler, Jakob Lell (SRLabs). Slides by Karsten Nohl and Jakob Lell, reference #4, URL

Slide 4

Slide 4 text

Agenda
- USB background (this section)
- Reprogramming peripherals
- USB attack scenarios
- Defenses and next steps

Slide 5

Slide 5 text

USB devices include a micro-controller, hidden from the user
[Diagram] USB controller: 8051 CPU, bootloader, controller firmware. Mass storage flash: the only part visible to the user.

Slide 6

Slide 6 text

USB devices are identified
[Diagram] Host with root hub, connectors + hubs, USB devices.
Examples:
- USB thumb drive: interface class 8 – Mass Storage; serial number AA627090820000000702; endpoints 0 – Control, 1 – Data transfers
- Webcam: interface classes 1 – Audio and 14 – Video; serial number 0258A350; endpoints 0 – Control, 1 – Video transfers, 6 – Audio transfers, 7 – Video interrupts

Slide 7

Slide 7 text

USB devices are initialized in several steps
Devices can have several identities:
- A device indicates its capabilities through a descriptor
- A device can have several descriptors if it supports multiple device classes, like webcam + microphone
- A device can deregister and register again as a different device
[Diagram] USB device: power-on + firmware init → register (set address, send descriptor, set configuration) → normal operation → optional: deregister → register again … USB plug-and-play on the host side: load driver → load another driver

Slide 8

Slide 8 text

Agenda
- USB background
- Reprogramming peripherals (this section)
- USB attack scenarios
- Defenses and next steps

Slide 9

Slide 9 text

Reversing and patching USB firmware took less than 2 months
A. Document firmware update process
  1. Find leaked firmware and flash tool on the net
  2. Sniff update communication using Wireshark
  3. Replay custom SCSI commands used for updates
  4. (Reset bricked devices through short-circuiting Flash pins)
B. Reverse-engineer firmware
  1. Load into disassembler (complication: MMU-like memory banking)
  2. Apply heuristics
     – Count matches between function start and call instructions for different memory locations
     – Find known USB bit fields such as descriptors
  3. Apply standard software reversing to find hooking points
C. Patch firmware
  1. Add hooks to firmware to add/change functionality
  2. Custom linker script compiles C and assembly code and injects it into unused areas of original firmware
Other possible targets: we focused on USB sticks, but the same approach should work for external HDDs; webcams, keyboards; probably many more …
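The "count matches between function starts and call instructions" heuristic in step B.2 can be made concrete. The following is an added example (not SRLabs' tooling) of the idea for a banked 8051 image whose load address is unknown: for each candidate base address, count the LCALL instructions whose absolute target falls inside the image and lands right after a RET, RETI, LJMP or SJMP, i.e. on a byte that control cannot simply fall into. The base with the most such hits is the most plausible mapping. The 64-byte image is constructed for the example and assumes a link address of 0x4000; it is not Phison firmware, and the function-start rule is this example's own reading of the slide's heuristic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 8051 opcodes the heuristic keys on */
#define OP_LJMP  0x02   /* LJMP  addr16 (3 bytes) */
#define OP_LCALL 0x12   /* LCALL addr16 (3 bytes) */
#define OP_RET   0x22
#define OP_RETI  0x32
#define OP_SJMP  0x80   /* SJMP  rel (2 bytes)    */

/* Does image offset `off` look like the first byte of a function?
   Rule used here: the instruction just before it is a return or an
   unconditional jump, so control cannot fall through into `off`. */
static int looks_like_function_start(const uint8_t *img, size_t len, size_t off)
{
    if (off >= len) return 0;
    if (off == 0) return 1;                                   /* reset vector */
    uint8_t prev = img[off - 1];
    if (prev == OP_RET || prev == OP_RETI) return 1;
    if (off >= 2 && img[off - 2] == OP_SJMP) return 1;
    if (off >= 3 && img[off - 3] == OP_LJMP) return 1;
    return 0;
}

/* Score one candidate base address: every LCALL whose absolute target maps
   inside the image *and* lands on a plausible function start counts once. */
size_t score_base(const uint8_t *img, size_t len, uint16_t base)
{
    size_t hits = 0;
    for (size_t i = 0; i + 2 < len; i++) {
        if (img[i] != OP_LCALL) continue;
        uint16_t target = (uint16_t)((img[i + 1] << 8) | img[i + 2]);   /* big-endian addr16 */
        if (target < base || (size_t)(target - base) >= len) continue;
        if (looks_like_function_start(img, len, target - base)) hits++;
    }
    return hits;
}

/* Try every 256-byte-aligned base in the 64 KiB code space; the winner is
   the most likely place this (bank of the) image is mapped. */
uint16_t guess_base(const uint8_t *img, size_t len, size_t *best_score)
{
    uint16_t best = 0;
    size_t best_hits = 0;
    for (uint32_t base = 0; base + len <= 0x10000; base += 0x100) {
        size_t s = score_base(img, len, (uint16_t)base);
        if (s > best_hits) { best_hits = s; best = (uint16_t)base; }
    }
    if (best_score) *best_score = best_hits;
    return best;
}

/* Constructed 64-byte image (not real firmware), assembled for a link
   address of 0x4000: three tiny functions ending in RET and a main loop
   that LCALLs two of them. Unlisted bytes are zero (NOP). */
const uint8_t demo_image[0x40] = {
    0x02, 0x40, 0x19,                       /* 0x00: LJMP 0x4019 (main)  */
    0,0,0,0,0,0,0,0,0,0,0,0,0,              /* 0x03: padding             */
    0x74, 0x01, 0x22,                       /* 0x10: MOV A,#1 ; RET      */
    0x74, 0x02, 0x22,                       /* 0x13: MOV A,#2 ; RET      */
    0x74, 0x03, 0x22,                       /* 0x16: MOV A,#3 ; RET      */
    0x12, 0x40, 0x13,                       /* 0x19: LCALL 0x4013        */
    0x12, 0x40, 0x16,                       /* 0x1C: LCALL 0x4016        */
    0x12, 0x40, 0x13,                       /* 0x1F: LCALL 0x4013        */
    0x80, 0xFE,                             /* 0x22: SJMP $              */
};

int main(void)
{
    size_t score;
    uint16_t base = guess_base(demo_image, sizeof demo_image, &score);
    printf("best base 0x%04X with %zu matching LCALL targets\n", base, score);
    return 0;
}
```

On real banked firmware the scan is run once per bank with the bank's size, and the bit-field search for descriptors (step B.2) gives an independent cross-check of the winning base.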

Slide 10

Slide 10 text

Bad USB - current threat - (summary)
- What has actually been hacked so far is only the Phison controller chip (the USB 3.0 version).
  → How widespread that chip is in practice: covered later.
- Calling this a vulnerability in the USB design itself is an overstatement (Gigazine).
- Countermeasures are hard, or the impact is large.
Possibilities going forward:
- As long as the firmware can be updated after the fact, there is a risk of it being rewritten.
- This is not limited to USB memory sticks.

Slide 11

Slide 11 text

Agenda
- USB background
- Reprogramming peripherals
- USB attack scenarios (this section)
- Defenses and next steps

Slide 12

Slide 12 text

Keyboard emulation is enough for infection and privilege escalation (w/o need for software vulnerability)
Challenge – Linux malware runs with limited user privileges, but needs root privileges to infect further sticks
Approach – Steal sudo password in screensaver: restart screensaver (or policykit) with password stealer added via an LD_PRELOAD library
- User enters password to unlock screen
- Malware intercepts password and gains root privileges using sudo
Privilege escalation module will be submitted to Metasploit

Slide 13

Slide 13 text

Network traffic can be diverted by “DHCP on USB”
Attack steps:
1. USB stick spoofs Ethernet adapter
2. Replies to DHCP query with DNS server on the Internet, but without default gateway
Result:
3. Internet traffic is still routed through the normal Wi-Fi connection
4. However, DNS queries are sent to the USB-supplied server, enabling redirection attacks
[Diagram] DNS assignment in DHCP over spoofed USB-Ethernet adapter → all DNS queries go to attacker’s DNS server

Slide 14

Slide 14 text

“Can I charge my phone on your laptop?” – Android phones are the simplest USB attack platform
Preparation – Android comes with an Ethernet-over-USB emulation needing little configuration
Attack – Phone supplies default route over USB, effectively intercepting all Internet traffic
[Diagram] DHCP overrides default gateway over USB-Ethernet → computer sends all Internet traffic through phone
Hacked by the second factor? Using keyboard emulation, a virus-infected smartphone could hack into the USB-connected computer. This compromises the “second factor” security model of online banking.
Proof-of-concept released at: srlabs.de/badusb
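The two DHCP variants on the previous slide and this one differ only in which options the rogue server puts in its OFFER: option 6 (DNS) without option 3 (router) for the stick, option 3 plus option 6 for the phone. The following added example (not from the slides or SRLabs) parses the option area of a DHCP message and classifies an OFFER that arrives on a freshly enumerated USB Ethernet adapter accordingly. Only the option area after the magic cookie is modelled, not the fixed BOOTP header, and the two option blobs are constructed for the example, not captured. Whether the OS really prefers a DNS server learned from a link that offers no route is OS-dependent; the slides' point is that in practice it did.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DHCP_OPT_PAD       0
#define DHCP_OPT_ROUTER    3   /* default gateway(s) */
#define DHCP_OPT_DNS       6   /* DNS server(s)      */
#define DHCP_OPT_MSGTYPE  53
#define DHCP_OPT_END     255
#define DHCP_OFFER         2

struct dhcp_offer_view {
    int msg_type;        /* option 53 value, -1 if absent          */
    int has_router;      /* option 3 carried at least one address  */
    int has_dns;         /* option 6 carried at least one address  */
    uint8_t router[4];   /* first router address, if any           */
    uint8_t dns[4];      /* first DNS address, if any              */
    int malformed;
};

static const uint8_t dhcp_magic_cookie[4] = {99, 130, 83, 99};

/* Parse the option area that follows the fixed 236-byte BOOTP header:
   magic cookie, then code/len/value triples; 0 is a pad byte, 255 ends. */
struct dhcp_offer_view parse_dhcp_options(const uint8_t *opt, size_t len)
{
    struct dhcp_offer_view v;
    memset(&v, 0, sizeof v);
    v.msg_type = -1;
    if (len < 4 || memcmp(opt, dhcp_magic_cookie, 4) != 0) { v.malformed = 1; return v; }
    size_t i = 4;
    while (i < len) {
        uint8_t code = opt[i++];
        if (code == DHCP_OPT_PAD) continue;
        if (code == DHCP_OPT_END) return v;
        if (i >= len) break;
        uint8_t olen = opt[i++];
        if (i + olen > len) break;                 /* length runs past the buffer */
        const uint8_t *val = opt + i;
        if (code == DHCP_OPT_MSGTYPE && olen == 1) v.msg_type = val[0];
        if (code == DHCP_OPT_ROUTER && olen >= 4) { v.has_router = 1; memcpy(v.router, val, 4); }
        if (code == DHCP_OPT_DNS && olen >= 4)    { v.has_dns = 1;    memcpy(v.dns, val, 4); }
        i += olen;
    }
    v.malformed = 1;                               /* truncated, or no END option */
    return v;
}

enum offer_verdict {
    OFFER_IGNORE = 0,               /* not an OFFER, or malformed                        */
    OFFER_ADDRESS_ONLY = 1,         /* neither router nor DNS: link-local address only   */
    OFFER_DNS_ONLY = 2,             /* "DHCP on USB": DNS hijack, old default route kept  */
    OFFER_TAKES_DEFAULT_ROUTE = 3   /* Android variant: the new link becomes the gateway */
};

/* Classify an OFFER received on a link the host did not have a moment ago. */
enum offer_verdict classify_offer(const struct dhcp_offer_view *v)
{
    if (v->malformed || v->msg_type != DHCP_OFFER) return OFFER_IGNORE;
    if (v->has_router) return OFFER_TAKES_DEFAULT_ROUTE;
    if (v->has_dns)    return OFFER_DNS_ONLY;
    return OFFER_ADDRESS_ONLY;
}

/* Constructed option blobs: what the two rogue servers would send. */
const uint8_t offer_dns_only[] = {
    99, 130, 83, 99,
    53, 1, DHCP_OFFER,              /* DHCPOFFER                          */
    54, 4, 10, 0, 0, 1,             /* server identifier 10.0.0.1         */
    6, 4, 10, 0, 0, 53,             /* DNS 10.0.0.53; no option 3 at all  */
    255
};
const uint8_t offer_with_route[] = {
    99, 130, 83, 99,
    53, 1, DHCP_OFFER,
    3, 4, 10, 0, 0, 1,              /* router 10.0.0.1: the phone itself  */
    6, 4, 10, 0, 0, 1,
    255
};

int main(void)
{
    struct dhcp_offer_view a = parse_dhcp_options(offer_dns_only, sizeof offer_dns_only);
    struct dhcp_offer_view b = parse_dhcp_options(offer_with_route, sizeof offer_with_route);
    printf("stick: verdict %d, dns %u.%u.%u.%u\n", classify_offer(&a), a.dns[0], a.dns[1], a.dns[2], a.dns[3]);
    printf("phone: verdict %d, router %u.%u.%u.%u\n", classify_offer(&b), b.router[0], b.router[1], b.router[2], b.router[3]);
    return 0;
}
```

A host-side guard built on this would refuse to install DNS or default-route settings from an interface that appeared without the user asking for it, which is the defence the last section says did not exist in 2014.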

Slide 15

Slide 15 text

Boot-sector virus, USB style
- Fingerprint OS/BIOS: patched USB stick firmware can distinguish Win, Mac, Linux, and the BIOS based on their USB behavior
- Hide rootkit from OS/AV: when an OS accesses the stick, only the USB content is shown
- Infect machine when booting: when the BIOS accesses the stick, a secret Linux is shown, booting a rootkit, infecting the machine, and then booting from the USB content
[Diagram] USB content, for example a Linux install image; secret Linux image

Slide 16

Slide 16 text

Family of possible USB attacks is large
Attacks shown: emulate keyboard; spoof network card; “USB boot-sector” virus
More attack ideas and their effect:
- Hide data on stick or HDD: external storage can choose to hide files instead of deleting them
- Rewrite data in-flight: viruses can be added to files added to storage; first access by virus scanner sees original file, later access sees virus
- Update PC BIOS: emulate a keyboard during boot and install a new BIOS from a file in a secret storage area on a USB stick
- Spoof display: emulate a USB display to access security information such as Captchas and randomly arranged PIN pads

Slide 17

Slide 17 text

Agenda
- USB background
- Reprogramming peripherals
- USB attack scenarios
- Defenses and next steps (this section)

Slide 18

Slide 18 text

No effective defenses from USB attacks exist
Protection idea → limitation
- Block critical device classes, block USB completely → obvious usability impact; very basic device classes can be used for abuse, and not much is left of USB when these are blocked
- Whitelist USB devices → USB devices do not always have a unique serial number; OSs don’t (yet) have whitelist mechanisms
- Scan peripheral firmware for malware → the firmware of a USB device can typically only be read back with the help of that firmware (if at all): a malicious firmware can spoof a legitimate one
- Use code signing for firmware updates → implementation errors may still allow installing unauthorized firmware upgrades; secure cryptography is hard to implement on small microcontrollers; billions of existing devices stay vulnerable
- Disable firmware updates in hardware → simple and effective

Slide 19

Slide 19 text

Controlling USB Flash Drive Controllers: Exposé of hidden features. Richard Harman, Shmoocon 2014. URL

Slide 20

Slide 20 text

Consumer Flash Drive Vendors: SanDisk, Kingston Digital, Lexar, PNY, HP, Sony, TDK, Patriot, ADATA, Silicon Power, Transcend, Verbatim, Toshiba, Lenovo

Slide 21

Slide 21 text

OEM Flash Controller Vendors: Phison, ALCOR, Innostor, Skymedi, Silicon Micro, Solid State System, USBest, Ameco, ChipsBank, Efortune, Icreate, Netac, OTI, Prolific

Slide 22

Slide 22 text

Who uses what?

Slide 23

Slide 23 text

Chart: which controller each consumer vendor ships. Columns: Phison, Innostor, Alcor, Skymedi, Solid State System (SSS), Silicon Motion (SMI). Rows: consumer vendor, with the number of drives found per controller (x1 …). The following slides add one vendor row at a time.

Slide 24

Slide 24 text

Verbatim: x1. URL

Slide 25

Slide 25 text

Intel: x2

Slide 26

Slide 26 text

TDK: x3

Slide 27

Slide 27 text

Lenovo: x1, x3

Slide 28

Slide 28 text

Sony: x1, x3, x1

Slide 29

Slide 29 text

Corsair: x2, x1, x3

Slide 30

Slide 30 text

Toshiba: x1, x1 (other counts on the slide: x2 Phison, x3 Innostor)

Slide 31

Slide 31 text

Trend Micro: x2, x1, x1 (other counts on the slide: x3 Phison, x3 Innostor)

Slide 32

Slide 32 text

ADATA: x2, x1, x2 (other counts on the slide: x4 Phison, x3 Innostor)

Slide 33

Slide 33 text

Silicon Power: x5, x3, x1, x3 (other count on the slide: x4 between the Phison and Innostor headers)

Slide 34

Slide 34 text

Kingston: x6, x4, x2, x4, x1 (other count on the slide: x5 between the Phison and Innostor headers)

Slide 35

Slide 35 text

ChipEasy (a Windows utility that reads a drive’s controller and NAND part numbers out over USB; screenshot)

Slide 36

Slide 36 text

ChipEasy (screenshot)

Slide 37

Slide 37 text

Bad USB - sample code - Adam Caudill, Brandon Wilson. URL

Slide 38

Slide 38 text

Bad USB - sample code - URL

Slide 39

Slide 39 text

Bad USB device. URL

Slide 40

Slide 40 text

Bad USB device: parts and model numbers
Controller: TOSHIBA TC58NC2303G5T
FLASH: TC58TEG7T2JTA00

Slide 41

Slide 41 text

Bad USB device: switching the boot mode in hardware instead of with SCSI commands (short pins 2-3)

Slide 42

Slide 42 text

Demo

Slide 43

Slide 43 text

Bad USB - sample code - folder structure
folder        language  purpose
DriveCom      C#        FW dump, mode change, FW rewrite etc. via SCSI commands
EmbedPayload  C#        Injects a USB Rubber Ducky script into the FW
Injector      C#        Binary patch tool
firmware      C         FW for the Phison 2251-03 (HID + partial MSC)
patch         C         Additional code for the binary patch
template      bin       Dummy FW for checking the binary patch
tool          bin       Development tools (hex2bin, sfk)
URL

Slide 44

Slide 44 text

Bad USB - sample code (HID Payload) - overview
- It is a composite MSC + HID device.
- The MSC does nothing (mostly unimplemented): it reports the state of a card reader with no media inserted.
- The HID sends a predetermined sequence of keycodes on its own (USB Rubber Ducky scripts are used so that this part is easy to customise).
- Depending on the OS, the MSC or the HID works as a device but is not visible. Whether this was configured that way on purpose is unclear (the MSC and HID use overlapping endpoint numbers).
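Both the descriptor discussion in the SRLabs slides (a device declares its identities through interface descriptors and can carry several classes) and the observation above (storage plus keyboard, with endpoint numbers shared between the two interfaces) come down to reading one configuration descriptor. The following is an added example, not code from the slides or from the Psychson tools: a walker over the bytes a host gets back from GET_DESCRIPTOR(CONFIGURATION) that notes the interface classes present and flags an endpoint address claimed by two different interfaces. The two descriptor blobs are constructed for the example; the "BadUSB" one has the shape described on this slide, the other is a plain mass-storage stick.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DT_CONFIG     0x02
#define DT_INTERFACE  0x04
#define DT_ENDPOINT   0x05
#define CLASS_HID     0x03
#define CLASS_MSC     0x08

struct usb_summary {
    int n_interfaces;          /* interface descriptors seen (alternate settings included) */
    int has_hid;
    int has_msc;
    int duplicate_endpoints;   /* same bEndpointAddress claimed by two different interfaces */
    int malformed;
};

/* Walk one configuration descriptor and everything returned with it: interface,
   endpoint and class-specific descriptors all live in the same wTotalLength. */
struct usb_summary walk_config_descriptor(const uint8_t *buf, size_t len)
{
    struct usb_summary s;
    uint8_t ep_owner[32];      /* index: direction bit << 4 | endpoint number; value: interface + 1 */
    int cur_iface = -1;
    size_t off = 0;
    memset(&s, 0, sizeof s);
    memset(ep_owner, 0, sizeof ep_owner);

    if (len < 9 || buf[1] != DT_CONFIG) { s.malformed = 1; return s; }
    size_t total = (size_t)buf[2] | ((size_t)buf[3] << 8);          /* wTotalLength */
    if (total > len) { s.malformed = 1; return s; }                  /* truncated reply */

    while (off + 2 <= total) {
        uint8_t blen = buf[off], btype = buf[off + 1];
        if (blen < 2 || off + blen > total) { s.malformed = 1; return s; }
        if (btype == DT_INTERFACE) {
            if (blen < 9) { s.malformed = 1; return s; }
            cur_iface = buf[off + 2];                                /* bInterfaceNumber */
            s.n_interfaces++;
            if (buf[off + 5] == CLASS_HID) s.has_hid = 1;            /* bInterfaceClass  */
            if (buf[off + 5] == CLASS_MSC) s.has_msc = 1;
        } else if (btype == DT_ENDPOINT) {
            if (blen < 7 || cur_iface < 0) { s.malformed = 1; return s; }
            uint8_t addr = buf[off + 2];                             /* bEndpointAddress */
            unsigned idx = ((addr >> 7) << 4) | (addr & 0x0F);
            if (ep_owner[idx] && ep_owner[idx] != (uint8_t)(cur_iface + 1)) s.duplicate_endpoints++;
            ep_owner[idx] = (uint8_t)(cur_iface + 1);
        }
        off += blen;           /* HID and other class-specific descriptors are skipped */
    }
    return s;
}

/* The shape this slide describes: storage plus a keyboard-class interface,
   or endpoints shared between interfaces. A truncated descriptor is also refused. */
int is_suspicious_composite(const struct usb_summary *s)
{
    return s->malformed || (s->has_hid && s->has_msc) || s->duplicate_endpoints > 0;
}

/* Constructed descriptors (not dumped from a device). */
const uint8_t badusb_desc[] = {
    0x09,0x02,0x39,0x00,0x02,0x01,0x00,0x80,0x32,   /* CONFIG: 57 bytes, 2 interfaces      */
    0x09,0x04,0x00,0x00,0x02,0x08,0x06,0x50,0x00,   /* IF0: Mass Storage, SCSI, bulk-only  */
    0x07,0x05,0x81,0x02,0x40,0x00,0x00,             /* EP 0x81 bulk IN, 64 bytes           */
    0x07,0x05,0x02,0x02,0x40,0x00,0x00,             /* EP 0x02 bulk OUT                    */
    0x09,0x04,0x01,0x00,0x01,0x03,0x01,0x01,0x00,   /* IF1: HID, boot subclass, keyboard   */
    0x09,0x21,0x11,0x01,0x00,0x01,0x22,0x3F,0x00,   /* HID class descriptor                */
    0x07,0x05,0x81,0x03,0x08,0x00,0x0A,             /* EP 0x81 interrupt IN: reuses 0x81   */
};
const uint8_t plain_stick_desc[] = {
    0x09,0x02,0x20,0x00,0x01,0x01,0x00,0x80,0x32,   /* CONFIG: 32 bytes, 1 interface       */
    0x09,0x04,0x00,0x00,0x02,0x08,0x06,0x50,0x00,
    0x07,0x05,0x81,0x02,0x40,0x00,0x00,
    0x07,0x05,0x02,0x02,0x40,0x00,0x00,
};

int main(void)
{
    struct usb_summary s = walk_config_descriptor(badusb_desc, sizeof badusb_desc);
    printf("interfaces=%d hid=%d msc=%d duplicate endpoints=%d suspicious=%d\n",
           s.n_interfaces, s.has_hid, s.has_msc, s.duplicate_endpoints, is_suspicious_composite(&s));
    return 0;
}
```

The same walk is what a host-side allow-list would have to do before binding drivers; it only sees what the device chooses to declare, which is exactly the limitation the defenses section points out.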

Slide 45

Slide 45 text

Bad USB - sample code (HID Payload) - procedure
#  step                                  tool
1  Build the replacement FW              SDCC
2  Partial copy into the template FW     sfk partcopy
3  Write the injection script            any text editor
4  Encode the script                     duckencode.jar
5  Inject the script into the FW         embedPayload inject.bin fw.bin
6  Rewrite the FW                        DriveCom /action=SendFirmware

Slide 46

Slide 46 text

#1 Build the replacement FW. URL firmware/build.bat. URL SDCC - Small Device C Compiler. Bad USB - sample code (HID Payload) -

Slide 47

Slide 47 text

#2 Partial copy into the template FW. URL sfk (Swiss File Knife), a busybox-like multi-tool. URL firmware/build.bat. Bad USB - sample code (HID Payload) -

Slide 48

Slide 48 text

#3 Write the injection script / #4 Encode the script: using USB Rubber Ducky. Bad USB - sample code (HID Payload) -

Slide 49

Slide 49 text

USB Rubber Ducky. URL

Slide 50

Slide 50 text

USB Rubber Ducky. URL

Slide 51

Slide 51 text

USB Rubber Ducky script example. URL

Slide 52

Slide 52 text

USB Rubber Ducky encode: java -jar duckencode.jar -i inject.txt -o inject.bin (input = script, output = keycode binary). URL
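What the encoder produces is a flat sequence of two-byte records that the firmware replays as keystrokes. The following is an added example, not the Hak5 encoder and not part of the Psychson repository: a small C encoder for the DuckyScript subset used in typical payloads (REM, DELAY, STRING, ENTER, and a modifier plus one key) that emits the same kind of inject.bin bytes. Assumptions, stated here and in the code: US keyboard layout, one record per keystroke laid out as HID usage id followed by modifier byte, and delays encoded as a zero usage id followed by the wait amount in chunks of at most 255; if a firmware expects a different record layout, only emit() changes. The script at the bottom is constructed for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MOD_CTRL  0x01
#define MOD_SHIFT 0x02
#define MOD_ALT   0x04
#define MOD_GUI   0x08
#define KEY_ENTER 0x28

/* Map one printable ASCII character to a HID usage id + modifier (US layout; assumption). */
static int ascii_to_hid(char c, uint8_t *code, uint8_t *mod)
{
    static const char    plain[]         = " -=[]\\;'`,./";
    static const uint8_t plain_codes[]   = {0x2C,0x2D,0x2E,0x2F,0x30,0x31,0x33,0x34,0x35,0x36,0x37,0x38};
    static const char    shifted[]       = "!@#$%^&*()_+{}|:\"~<>?";
    static const uint8_t shifted_codes[] = {0x1E,0x1F,0x20,0x21,0x22,0x23,0x24,0x25,0x26,0x27,
                                            0x2D,0x2E,0x2F,0x30,0x31,0x33,0x34,0x35,0x36,0x37,0x38};
    const char *p;
    *mod = 0;
    if (c >= 'a' && c <= 'z') { *code = (uint8_t)(0x04 + (c - 'a')); return 1; }
    if (c >= 'A' && c <= 'Z') { *code = (uint8_t)(0x04 + (c - 'A')); *mod = MOD_SHIFT; return 1; }
    if (c >= '1' && c <= '9') { *code = (uint8_t)(0x1E + (c - '1')); return 1; }
    if (c == '0')             { *code = 0x27; return 1; }
    if (c && (p = strchr(plain, c)))   { *code = plain_codes[p - plain]; return 1; }
    if (c && (p = strchr(shifted, c))) { *code = shifted_codes[p - shifted]; *mod = MOD_SHIFT; return 1; }
    return 0;                                   /* non-ASCII or unmapped: refuse, do not guess */
}

struct duck_out { uint8_t buf[1024]; size_t len; int error; };

/* One record: [usage id][modifier]; usage id 0 marks a delay whose second
   byte is the wait amount (record layout is an assumption, see lead-in). */
static void emit(struct duck_out *o, uint8_t code, uint8_t mod)
{
    if (o->len + 2 > sizeof o->buf) { o->error = 1; return; }
    o->buf[o->len++] = code;
    o->buf[o->len++] = mod;
}

static int is_cmd(const char *line, size_t n, const char *name)
{
    return strlen(name) == n && memcmp(line, name, n) == 0;
}

/* Supported subset: REM, DELAY n, STRING text, ENTER, GUI/WINDOWS/CTRL/ALT/SHIFT + one key. */
int duck_encode_line(struct duck_out *o, const char *line)
{
    const char *arg = strchr(line, ' ');
    size_t cmdlen = arg ? (size_t)(arg - line) : strlen(line);
    uint8_t mod = 0, code, m;
    if (arg) arg++;
    if (cmdlen == 0 || is_cmd(line, cmdlen, "REM")) return 0;
    if (is_cmd(line, cmdlen, "DELAY")) {
        long ms = arg ? strtol(arg, NULL, 10) : 0;
        if (ms <= 0) return -1;
        while (ms > 0) { uint8_t chunk = ms > 255 ? 255 : (uint8_t)ms; emit(o, 0x00, chunk); ms -= chunk; }
        return 0;
    }
    if (is_cmd(line, cmdlen, "STRING")) {
        if (!arg) return -1;
        for (; *arg; arg++) { if (!ascii_to_hid(*arg, &code, &m)) return -1; emit(o, code, m); }
        return 0;
    }
    if (is_cmd(line, cmdlen, "ENTER")) { emit(o, KEY_ENTER, 0); return 0; }
    if (is_cmd(line, cmdlen, "GUI") || is_cmd(line, cmdlen, "WINDOWS")) mod = MOD_GUI;
    else if (is_cmd(line, cmdlen, "CTRL") || is_cmd(line, cmdlen, "CONTROL")) mod = MOD_CTRL;
    else if (is_cmd(line, cmdlen, "ALT")) mod = MOD_ALT;
    else if (is_cmd(line, cmdlen, "SHIFT")) mod = MOD_SHIFT;
    if (mod && arg && arg[0] && !arg[1]) {     /* modifier + single key, e.g. "GUI r" */
        if (!ascii_to_hid((char)tolower((unsigned char)arg[0]), &code, &m)) return -1;
        emit(o, code, mod);
        return 0;
    }
    return -1;                                 /* anything else is unsupported here */
}

/* Encode a whole script (LF or CRLF line endings). Returns 0 on success, -1 on error. */
int duck_encode(struct duck_out *o, const char *script)
{
    char line[256];
    memset(o, 0, sizeof *o);
    while (*script) {
        size_t n = strcspn(script, "\n");
        if (n >= sizeof line) return -1;
        memcpy(line, script, n);
        line[n] = '\0';
        if (n && line[n - 1] == '\r') line[n - 1] = '\0';
        if (duck_encode_line(o, line) < 0 || o->error) return -1;
        script += n;
        if (*script == '\n') script++;
    }
    return 0;
}

/* Constructed script: the classic "open the Run box and start a program". */
const char demo_script[] = "REM open the Run dialog\nGUI r\nDELAY 500\nSTRING notepad\nENTER\n";

int main(void)
{
    struct duck_out o;
    if (duck_encode(&o, demo_script) != 0) { fprintf(stderr, "encode failed\n"); return 1; }
    for (size_t i = 0; i < o.len; i += 2) printf("%02X %02X\n", o.buf[i], o.buf[i + 1]);
    return 0;
}
```

Running it prints the 11 records for the demo script; redirecting raw bytes to a file instead of the hex dump gives the inject.bin that step #5 embeds into the firmware image.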

Slide 53

Slide 53 text

USB Rubber Ducky Encoder.java (duckencode.jar). URL

Slide 54

Slide 54 text

USB Rubber Ducky online encoder. URL

Slide 55

Slide 55 text

USB Rubber Ducky payload wiki (GitHub), URL. Payload names listed: Hello World; Windows Screen rotation hack; Deny Net Access; EICAR AV test; Hide CMD Window; Powershell Wget + Execute; RunEXE from SD; Download mimikatz, grab passwords and; Netcat-FTP-download-and-mimikatz payload; Run Java from SD; Wallpaper Prank; MobileTabs; OSX Root Backdoor; YOU GOT QUACKED!; Create Wireless Network Association; OSX User Backdoor; Reverse Shell; Retrieve SAM and SYSTEM from a live; OSX Local DNS Poisoning; Fork Bomb; Ugly Rolled Prank; OSX Youtube Blaster; Utilman Exploit; XMAS; OSX Ascii Prank; WiFi Backdoor; Pineapple Assocation (VERY FAST); OSX Grab Minecraft Account Password and; Non-Malicious Auto Defacer; WiFun v1.1; OS X Wget and Execute; Lock Your Computer Message; MissDirection; OSX Passwordless SSH access (ssh keys); Ducky Downloader; Remotely Possible; MrGray's Rubber Hacks; Ducky Phisher; Batch Wiper/Drive Eraser; Copy File to Desktop; FTP Download / Upload; Generic Batch Youtube Roll; Restart Prank; Paint Hack; Disable AVG 2012; Silly Mouse, Windows is for Kids; Local DNS Poisoning; Disable AVG 2013

Slide 56

Slide 56 text

#5 Inject the script into the FW. URL EmbedPayload/EmbedPayload/Startup.cs (the magic code the embedder searches for). Bad USB - sample code (HID Payload) -

Slide 57

Slide 57 text

#5 Inject the script into the FW. URL firmware/main.c. Bad USB - sample code (HID Payload) -

Slide 58

Slide 58 text

#6 Rewrite the FW. URL DriveCom/DriveCom/Startup.cs. Bad USB - sample code (HID Payload) -

Slide 59

Slide 59 text

#6 Rewrite the FW. URL DriveCom/DriveCom/PhisonDevice.cs. Bad USB - sample code (HID Payload) -

Slide 60

Slide 60 text

#6 Rewrite the FW. URL DriveCom/DriveCom/PhisonDevice.cs. Bad USB - sample code (HID Payload) -

Slide 61

Slide 61 text

#6 Rewrite the FW. URL DriveCom/DriveCom/Startup.cs. Bad USB - sample code (HID Payload) -

Slide 62

Slide 62 text

#6 Rewrite the FW. URL DriveCom/DriveCom/PhisonDevice.cs. Bad USB - sample code (HID Payload) -

Slide 63

Slide 63 text

#6 Rewrite the FW. URL DriveCom/DriveCom/PhisonDevice.cs. What are 0x06, 0xBF / 0x06, 0xB3 / 0x06, 0xB1 / 0x06, 0xB0? → Phison’s vendor-specific (extended) SCSI commands. URL Phison : Vendor-specific SCSI commands. Bad USB - sample code (HID Payload) -

Slide 64

Slide 64 text

Procedure recap. Bad USB - sample code (HID Payload) -
#  step                                  tool
1  Build the replacement FW              SDCC
2  Partial copy into the template FW     sfk partcopy
3  Write the injection script            any text editor
4  Encode the script                     duckencode.jar
5  Inject the script into the FW         embedPayload inject.bin fw.bin
6  Rewrite the FW                        DriveCom /action=SendFirmware

Slide 65

Slide 65 text

Bad USB - sample code (Hidden Partition Patch) - overview
- The original FW is modified so that the disk reports half its capacity; the other half is used as a hidden area.
- The original FW is dumped, binary-patched, and written back.

Slide 66

Slide 66 text

Bad USB - sample code (Hidden Partition Patch) - procedure
#  step                                       tool
1  Dump the FW                                DriveCom /action=DumpFirmware
2  Get the number of LBAs from the device     DriveCom /action=GetNumLBAs
3  Generate a .h from the dumped FW           injector /action=GenerateHFile
4  Build the additional code                  SDCC
5  Find free space in the dumped FW           injector /action=FindFreeBlock
6  Inject the additional code                 injector /action=ApplyPatches
7  Rewrite the FW                             DriveCom /action=SendFirmware

Slide 67

Slide 67 text

#1 Dump the FW. URL DriveCom/DriveCom/Startup.cs. Bad USB - sample code (Hidden Partition Patch) -

Slide 68

Slide 68 text

#2 Get the number of LBAs from the device. URL DriveCom/DriveCom/PhisonDevice.cs. 0x25 == SCSI READ CAPACITY(10). URL SCSI command (Wikipedia). Bad USB - sample code (Hidden Partition Patch) -

Slide 69

Slide 69 text

#2 Get the number of LBAs from the device. URL patch/base.c. Rewrite NUM_LBAS in base.c with the value obtained. Bad USB - sample code (Hidden Partition Patch) -

Slide 70

Slide 70 text

#3 Generate a .h from the dumped FW. URL Injector/Injector/Startup.cs. Bad USB - sample code (Hidden Partition Patch) -

Slide 71

Slide 71 text

Intel 8051 (MCS51) opcode map, from the Keil A51 / A251 Assembler user’s guide, appendix A “8051 Microcontroller Instructions” (p. 195; in MCS 251 source mode the opcodes in columns x6-xF are written with an A5 prefix, A5x6-A5xF). URL A51 Assembler
    | x0            | x1          | x2          | x3             | x4             | x5             | x6-x7            | x8-xF
0x  | NOP           | AJMP adr11  | LJMP adr16  | RR A           | INC A          | INC dir        | INC @Ri          | INC Rn
1x  | JBC bit,rel   | ACALL adr11 | LCALL adr16 | RRC A          | DEC A          | DEC dir        | DEC @Ri          | DEC Rn
2x  | JB bit,rel    | AJMP adr11  | RET         | RL A           | ADD A,#data    | ADD A,dir      | ADD A,@Ri        | ADD A,Rn
3x  | JNB bit,rel   | ACALL adr11 | RETI        | RLC A          | ADDC A,#data   | ADDC A,dir     | ADDC A,@Ri       | ADDC A,Rn
4x  | JC rel        | AJMP adr11  | ORL dir,A   | ORL dir,#data  | ORL A,#data    | ORL A,dir      | ORL A,@Ri        | ORL A,Rn
5x  | JNC rel       | ACALL adr11 | ANL dir,A   | ANL dir,#data  | ANL A,#data    | ANL A,dir      | ANL A,@Ri        | ANL A,Rn
6x  | JZ rel        | AJMP adr11  | XRL dir,A   | XRL dir,#data  | XRL A,#data    | XRL A,dir      | XRL A,@Ri        | XRL A,Rn
7x  | JNZ rel       | ACALL adr11 | ORL C,bit   | JMP @A+DPTR    | MOV A,#data    | MOV dir,#data  | MOV @Ri,#data    | MOV Rn,#data
8x  | SJMP rel      | AJMP adr11  | ANL C,bit   | MOVC A,@A+PC   | DIV AB         | MOV dir,dir    | MOV dir,@Ri      | MOV dir,Rn
9x  | MOV DPTR,#d16 | ACALL adr11 | MOV bit,C   | MOVC A,@A+DPTR | SUBB A,#data   | SUBB A,dir     | SUBB A,@Ri       | SUBB A,Rn
Ax  | ORL C,/bit    | AJMP adr11  | MOV C,bit   | INC DPTR       | MUL AB         | ESC (A5)       | MOV @Ri,dir      | MOV Rn,dir
Bx  | ANL C,/bit    | ACALL adr11 | CPL bit     | CPL C          | CJNE A,#d8,rel | CJNE A,dir,rel | CJNE @Ri,#d8,rel | CJNE Rn,#d8,rel
Cx  | PUSH dir      | AJMP adr11  | CLR bit     | CLR C          | SWAP A         | XCH A,dir      | XCH A,@Ri        | XCH A,Rn
Dx  | POP dir       | ACALL adr11 | SETB bit    | SETB C         | DA A           | DJNZ dir,rel   | XCHD A,@Ri       | DJNZ Rn,rel
Ex  | MOVX A,@DPTR  | AJMP adr11  | MOVX A,@R0  | MOVX A,@R1     | CLR A          | MOV A,dir      | MOV A,@Ri        | MOV A,Rn
Fx  | MOVX @DPTR,A  | ACALL adr11 | MOVX @R0,A  | MOVX @R1,A     | CPL A          | MOV dir,A      | MOV @Ri,A        | MOV Rn,A

Slide 72

Slide 72 text

Phison PS2303 (PS2251-03) register map (flowswitch / PS2303USB wiki, URL)
OFFSET    NAME       DESCRIPTION
080-087              Some USB bus IRQ status bits
0B8-0BF   SETUPDAT   EP0 SETUP data buffer
1C0-1FF   EP0        Endpoint 0 register block
200-23F   EP1        Endpoint 1 register block
240-27F   EP2        Endpoint 2 register block
280-2BF   EP3        Endpoint 3 register block
2C0-2FF   EP4        Endpoint 4 register block

Slide 73

Slide 73 text

#3 Generate a .h from the dumped FW. URL Phison PS2303 (PS2251-03), flowswitch / PS2303USB: offset 200-23F is the EP1 endpoint register block, and +1C within it is the FIFO port. USB capture data: 0x55, 0x53, 0x42, 0x53 = “USBS”, the 4-byte signature that starts every Bulk-Only Transport Command Status Wrapper (the matching Command Block Wrapper from the host starts with “USBC”), so finding where the firmware writes these bytes locates its bulk-only transport code. Bad USB - sample code (Hidden Partition Patch) -

Slide 74

Slide 74 text

#3 Generate a .h from the dumped FW. equates.h as extracted from the original FW of the TOSHIBA USB stick. Bad USB - sample code (Hidden Partition Patch) -

Slide 75

Slide 75 text

#4 Build the additional code. URL patch/base.c. Bad USB - sample code (Hidden Partition Patch) -

Slide 76

Slide 76 text

#4 Build the additional code. URL patch/base.c (continued). Bad USB - sample code (Hidden Partition Patch) -

Slide 77

Slide 77 text

#4 Build the additional code. URL patch/base.c (continued). Bad USB - sample code (Hidden Partition Patch) -

Slide 78

Slide 78 text

#5 Find free space in the dumped FW. URL Injector/Injector/FirmwareImage.cs. Bad USB - sample code (Hidden Partition Patch) -

Slide 79

Slide 79 text

#5 Find free space in the dumped FW. URL patch/build.bat. Bad USB - sample code (Hidden Partition Patch) -

Slide 80

Slide 80 text

#6 Inject the additional code. URL patch/build.bat. Bad USB - sample code (Hidden Partition Patch) -

Slide 81

Slide 81 text

#6 Inject the additional code. URL Injector/Injector/Startup.cs. 0x02 == LJMP adr16 (the hook written into the original handler is a long jump into the injected code). 0x28 == READ(10), the SCSI command whose handler is hooked. Bad USB - sample code (Hidden Partition Patch) -

Slide 82

Slide 82 text

#7 Rewrite the FW: same as sample 1. Bad USB - sample code (Hidden Partition Patch) -

Slide 83

Slide 83 text

Procedure recap. Bad USB - sample code (Hidden Partition Patch) -
#  step                                       tool
1  Dump the FW                                DriveCom /action=DumpFirmware
2  Get the number of LBAs from the device     DriveCom /action=GetNumLBAs
3  Generate a .h from the dumped FW           injector /action=GenerateHFile
4  Build the additional code                  SDCC
5  Find free space in the dumped FW           injector /action=FindFreeBlock
6  Inject the additional code                 injector /action=ApplyPatches
7  Rewrite the FW                             DriveCom /action=SendFirmware
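Step #2 on the host and the hook on READ(10) in step #6 are the two ends of the same arithmetic: the host reads the real LBA count with READ CAPACITY(10), bakes it into base.c as NUM_LBAS, and the patched firmware then reports half of it and decides per READ(10) whether a request may reach the other half. The following added example (not base.c, DriveCom or any other part of the Psychson tools) shows both ends in plain C: building and parsing the READ CAPACITY(10) exchange, parsing a READ(10) CDB, and the capacity and LBA translation a hidden-partition firmware would apply. The 8-byte reply and the CDB are constructed for the example; the `unlocked` flag stands in for whatever trigger the real patch uses to switch to the hidden half, which this example does not model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCSI_READ_CAPACITY10 0x25
#define SCSI_READ10          0x28
#define BLOCK_SIZE           512u

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Host side, step #2: the 10-byte READ CAPACITY(10) CDB and its 8-byte reply
   (last LBA, then block length, both big-endian). */
void build_read_capacity10_cdb(uint8_t cdb[10])
{
    memset(cdb, 0, 10);
    cdb[0] = SCSI_READ_CAPACITY10;
}

int parse_read_capacity10(const uint8_t resp[8], uint32_t *num_lbas, uint32_t *block_len)
{
    uint32_t last = be32(resp);
    *block_len = be32(resp + 4);
    if (last == 0xFFFFFFFFu) return -1;      /* device wants READ CAPACITY(16) */
    *num_lbas = last + 1;
    return 0;
}

/* READ(10) CDB: opcode, flags, LBA[4], group, transfer length[2], control. */
int parse_read10_cdb(const uint8_t cdb[10], uint32_t *lba, uint16_t *blocks)
{
    if (cdb[0] != SCSI_READ10) return -1;
    *lba = be32(cdb + 2);
    *blocks = (uint16_t)((cdb[7] << 8) | cdb[8]);
    return 0;
}

/* Device side: what the patched firmware does with the numbers above. */
struct hidden_cfg {
    uint32_t num_lbas;   /* NUM_LBAS baked into the patch from step #2       */
    int unlocked;        /* stands in for the real switch-over trigger (assumption) */
};

uint32_t visible_lbas(const struct hidden_cfg *c) { return c->num_lbas / 2; }

/* Reply the patched firmware gives to READ CAPACITY(10): only the visible half. */
void fake_read_capacity10(const struct hidden_cfg *c, uint8_t resp[8])
{
    put_be32(resp, visible_lbas(c) - 1);
    put_be32(resp + 4, BLOCK_SIZE);
}

/* Map a host LBA to a physical LBA. Normal mode: reject anything past the
   visible half so the hidden area can never be read through the front door;
   unlocked: the same host range is shifted into the hidden half. */
int translate_read(const struct hidden_cfg *c, uint32_t lba, uint16_t blocks, uint32_t *phys)
{
    uint32_t vis = visible_lbas(c);
    if ((uint64_t)lba + blocks > vis) return -1;
    *phys = c->unlocked ? lba + vis : lba;
    return 0;
}

int main(void)
{
    /* constructed reply: last LBA 0x00EFFFFF, 512-byte blocks (about 7.5 GiB) */
    const uint8_t resp[8] = {0x00, 0xEF, 0xFF, 0xFF, 0x00, 0x00, 0x02, 0x00};
    uint32_t n, bl, phys;
    if (parse_read_capacity10(resp, &n, &bl) != 0) return 1;
    struct hidden_cfg cfg = { n, 0 };
    printf("NUM_LBAS=0x%08X visible=0x%08X\n", n, visible_lbas(&cfg));
    printf("read at 0x10 -> %s\n", translate_read(&cfg, 0x10, 8, &phys) == 0 ? "allowed" : "rejected");
    printf("read at visible end -> %s\n", translate_read(&cfg, visible_lbas(&cfg), 8, &phys) == 0 ? "allowed" : "rejected");
    return 0;
}
```

The check in translate_read is the part worth copying into any real patch: without the bound on `lba + blocks`, a READ(10) that starts inside the visible half but runs past its end would leak the first sectors of the hidden area.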

Slide 84

Slide 84 text

Bad USB - extending the sample code -
For example:
- A USB stick that, from time to time, also shows up as a composite device including HID.
- The HID opens a command prompt, writes a self-propagation script into a hidden folder, and registers it in Startup or in the registry.
- The self-propagation script:
  - monitors drive connections;
  - when a drive is connected, checks whether it is a device that can be infected, reads its FW, applies the patch and writes it back.
- Behaviour of the patched FW:
  - normally looks like an ordinary mass storage device;
  - watches the data being written and saves it to the hidden area as needed.
- The USB sticks are collected, or the HID script sends the data somewhere over the network.
And so on. Quite dangerous.

Slide 85

Slide 85 text

Q & A