PhisonTool - reverse engineering a toolkit
Phison is a Taiwanese manufacturer of USB flash drive controllers - they are extremely simple for manufacturers to use: just wire up a NAND chip, flash the firmware, and off you go! This means you'll find this controller in most USB flash drives, cheap or not.
The controllers are capable of lots of things - most notably, emulating a CD reader. Sadly, using that functionality isn't that easy. Changing most of the properties with the official tools requires a full reflash, and finding firmware (which is unique to the NAND model used!) isn't easy. You can kinda use another tool called ModeConverter to change it, but it changes a lot of other stuff in the process.
Note: This post is kinda rough. I blame the fact that my apartment has been 30 degrees Celsius over the last two days.
So, where to start? Well, we should start by looking for information others have already gathered! Searching for a bit will reveal a couple key things:
- A gist accompanying a talk at Shmoocon 2014, with links to slides that dive a bit into the internals.
- usbdev.ru - Russian site containing a lot of guides, and, importantly, leaked versions of MPALL, which is the official vendor flashing software.
- brandonlw/Psychson on Github - Repo with tools related to running custom firmware on a Phison controller to enable BadUSB attacks.
Skimming through these, you'll find out that the controller uses vendor-specific SCSI commands, and using them I was able to start by implementing a command to dump:
- An "unknown page" with 06 05 'R' 'D' 00 00 ...
- "Vendor Info" with 06 05 00 00 ...
- "Vendor Info 2" with 06 05 'I' 'N' 'F' 'O' 00 00 ...
- "Flash Identification Block" with 06 56 00 00 ...
Additionally, I implemented a command to restore (or flash) "Vendor Info 2" with 06 06 01 00 00 ...
I also added in Read/Write XData, although I haven't looked into it much.
Once I had my "virgin" dump safely copied away, I could fire up Wireshark with USBpcap and start running tools while looking at the commands. Using ImHex, I could diff dumps of "Vendor Info 2", where most things seemed to happen, and document fields in the pattern editor as I discovered them. To my surprise, several tools just trampled existing fields, but the firmware seemed to cope fine. Hence I restored that "Vendor Info 2" a lot.
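Here's an added example (my own illustration, not the PhisonTool code on Github) of the Linux side of that workflow: sending the read-only vendor CDBs listed above through the SG_IO ioctl to dump a page, and a byte-level diff of two "Vendor Info 2" dumps to see what a tool trampled, like the ImHex diff. It assumes the CDBs are zero-padded to 16 bytes (the post elides their tail), that a 512-byte data phase is enough, and that the drive shows up as /dev/sgN; the 06 06 restore command is a write and is deliberately left out.

```python
import fcntl
import os
from ctypes import (Structure, addressof, c_int, c_ubyte, c_uint, c_ushort, c_void_p,
                    create_string_buffer)

SG_IO, SG_DXFER_FROM_DEV = 0x2285, -3  # ioctl number and direction from <scsi/sg.h>
# CDB prefixes as listed in the post; zero-padding them to 16 bytes is this example's assumption.
PAGES = {"unknown": b"\x06\x05RD\x00\x00", "vendor_info": b"\x06\x05\x00\x00",
         "vendor_info2": b"\x06\x05INFO\x00\x00", "flash_id": b"\x06\x56\x00\x00"}

class SgIoHdr(Structure):  # mirrors struct sg_io_hdr from <scsi/sg.h> (64-bit Linux layout)
    _fields_ = [("interface_id", c_int), ("dxfer_direction", c_int), ("cmd_len", c_ubyte),
                ("mx_sb_len", c_ubyte), ("iovec_count", c_ushort), ("dxfer_len", c_uint),
                ("dxferp", c_void_p), ("cmdp", c_void_p), ("sbp", c_void_p), ("timeout", c_uint),
                ("flags", c_uint), ("pack_id", c_int), ("usr_ptr", c_void_p), ("status", c_ubyte),
                ("masked_status", c_ubyte), ("msg_status", c_ubyte), ("sb_len_wr", c_ubyte),
                ("host_status", c_ushort), ("driver_status", c_ushort), ("resid", c_int),
                ("duration", c_uint), ("info", c_uint)]

def build_cdb(prefix: bytes, length: int = 16) -> bytes:
    """Zero-pad a vendor CDB prefix to the (assumed) full 16-byte CDB."""
    if len(prefix) > length:
        raise ValueError("CDB prefix longer than the CDB itself")
    return prefix.ljust(length, b"\x00")

def dump_page(dev: str, cdb: bytes, size: int = 512) -> bytes:
    """Send one read-only vendor CDB to /dev/sgN and return the data phase the drive sent."""
    buf = create_string_buffer(size)          # data-in buffer
    sense = create_string_buffer(32)          # sense data if the drive rejects the command
    cmd = create_string_buffer(cdb, len(cdb))
    hdr = SgIoHdr(interface_id=ord("S"), dxfer_direction=SG_DXFER_FROM_DEV,
                  cmd_len=len(cdb), mx_sb_len=32, dxfer_len=size, timeout=5000,
                  dxferp=addressof(buf), cmdp=addressof(cmd), sbp=addressof(sense))
    fd = os.open(dev, os.O_RDWR)
    try:
        fcntl.ioctl(fd, SG_IO, hdr)  # blocks until the drive answers or the timeout hits
    finally:
        os.close(fd)
    if hdr.status or hdr.host_status or hdr.driver_status:
        raise OSError(f"SG_IO failed: status={hdr.status:#x} host={hdr.host_status:#x} "
                      f"driver={hdr.driver_status:#x} sense={sense.raw[:hdr.sb_len_wr].hex()}")
    return buf.raw[:size - hdr.resid]  # drop whatever the drive did not actually fill

def diff_dumps(before: bytes, after: bytes) -> list:
    """(offset, old, new) for every byte a tool changed between two dumps of the same page."""
    if len(before) != len(after):
        raise ValueError("dumps differ in length")
    return [(i, a, b) for i, (a, b) in enumerate(zip(before, after)) if a != b]
```

Typical use is `diff_dumps(virgin, dump_page("/dev/sg2", build_cdb(PAGES["vendor_info2"])))` after running one vendor tool, so each changed offset can be named in the pattern editor.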
Repeated restores, captures, and tool wrangling culminated in me successfully being able to manually write an ISO image, and then hex edit "Vendor Info 2" to flip it over to CD emulation mode.
What now?
The code is on Github, and I'll implement "Vendor Info 2" editing later. The biggest limit is a lack of dumps, so please, submit them - just get in touch.