All times are UTC - 5 hours [ DST ]
 Post subject: SSD firmware hacking.
PostPosted: May 6th, 2015, 1:47 
Joined: December 4th, 2012, 1:35
Posts: 2768
Location: Adelaide, Australia
I've been looking into some SSD firmware as this seems to be a good place to start research. Samsung firmware is encoded by a rather silly method. I really wonder why they bothered. I have coded up a small Python script to decode Samsung firmware and the associated file that accompanies a firmware update. I am using Python 3.4.3.
Code:
# Python script to decode Samsung SSD firmware .enc files
# by HaQue 06-May-2015

# NO ERROR CHECKING IS DONE!
# Input file should be an encoded .enc file.
# Output file will be input filename appended with ".decoded".

# USAGE: python dsssd.py xxxxx.enc
# Example: python samsung_ssd_decode.py test.enc
import sys

# Substitution table for the high nibble of each byte; the low nibble is kept as-is.
lookup = [0x0f,0x00,0x0e,0x01,0x0d,0x02,0x0c,0x03,0x0b,0x04,0x0a,0x05,0x09,0x06,0x08,0x07]

# Read the whole encoded file into memory.
with open(sys.argv[1], 'rb') as encFile:
    b = bytearray(encFile.read())
for i in range(len(b)):
    b[i] = (lookup[(b[i] >> 0x04) & 0x0F] << 0x04) | (b[i] & 0x0F)
# Write the decoded bytes next to the input file.
with open(sys.argv[1] + '.decoded', 'wb') as decFile:
    decFile.write(b)

This script supports current firmware:

840 EVO EXT0DB6Q
840 PRO DXM06B0Q
840 DXT09B0Q
830 Series CXM03B1Q
470 Series AXM09B1Q

http://www.samsung.com/global/business/semiconductor/minisite/SSD/global/html/support/downloads.html

For firmware update ISOs, you can strip out the relevant DSRD.enc update info file and, for example, "DXM06B0Q.enc" firmware files in a number of ways.
Here are a few steps that work:

1. Right-click and choose extract using 7-zip.

2. Open the extracted folder, then navigate to the appropriate disk image that holds the firmware. It will be called something like "Bootable_2.88M.img". Depending on the ISO, if it is a DOS or Linux based boot, the files will be in various places, not hard to find. Interestingly there are also Mac trash files and deleted firmware, looks rather sloppy TBH.

3. Extract the files from this image. You can use WinHex to parse the image, probably even R-Studio or GetDataBack... or whatever. Many ways to do this.

4. Find the firmware files. DSRD.enc and DXM06B0Q.enc are examples.

5. Copy "samsung_ssd_decode.py" to the same folder and run it.
Attachment:
dos.jpg


Here is a before and after screenshot, but the actual firmware file is probably WAY more interesting ;)
Attachment:
dec.jpg


I have some other stuff I am working on, hopefully I can get something interesting to share out of it.


Attachments:
samsung_ssd_decode.zip [565 Bytes]
 Post subject: Re: SSD firmware hacking.
PostPosted: May 6th, 2015, 3:55 
Joined: September 8th, 2009, 18:21
Posts: 9155
Location: Australia
Thanks very much for that. I don't know any Python, but your code is easily understandable.

_________________
A backup a day keeps DR away.


 Post subject: Re: SSD firmware hacking.
PostPosted: May 6th, 2015, 5:08 
Joined: December 19th, 2006, 8:49
Posts: 7539
Location: Portugal
Thanks for sharing!
Nice!

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.


 Post subject: Re: SSD firmware hacking.
PostPosted: May 12th, 2015, 9:44 
Joined: May 12th, 2015, 5:37
Posts: 5
Location: Rostov-on-Don, Russia
Very interesting solution!
I chose another way. I used a 256-byte array of XOR values.
Using your notation, my solution written in pseudo-Pascal looks like this:
Code:
lookup: array[0..15] of array[0..15] of BYTE =
   [0xF0, ..., 0xF0]
   [0x10, ..., 0x10]
   [0xC0, ..., 0xC0]
   [0x20, ..., 0x20]
   [0x90, ..., 0x90]
   [0x70, ..., 0x70]
   [0xA0, ..., 0xA0]
   [0x40, ..., 0x40]      
   [0x30, ..., 0x30]
   [0xD0, ..., 0xD0]
   [0x00, ..., 0x00]
   [0xE0, ..., 0xE0]
   [0x50, ..., 0x50]
   [0xB0, ..., 0xB0]
   [0x60, ..., 0x60]
   [0x80, ..., 0x80];
b: array of BYTE;
i: Integer;

for i := 0 to Length(b)-1 do
   b[i] := b[i] xor lookup[b[i]];   

I think your solution is more elegant, but my solution is more general,
since it allows the use of any array of XOR values and abandons the nibble division.

What about unpacking firmware from previous drives like the MLC SSDs (VBM18C1Q, VBM19C1Q, VBM1AD1Q,...)?

By the way, the question of the dumb procedure recedes given the firmware protection.
Have you started researching the check sums of the microcode? You can see anything ranging from CRC16 to Elliptic Curve DSA (ECDSA).
And the firmware is protected by several control sums concurrently.
Seems like Samsung developers don't like it if somebody modifies the firmware of their SSDs.
There is an idea that if they read this topic they will change the encryption algorithm.


 Post subject: Re: SSD firmware hacking.
PostPosted: May 12th, 2015, 16:25 
Joined: December 4th, 2012, 1:35
Posts: 2768
Location: Adelaide, Australia
Nice to see another way of doing it, thanks.
I don't have any other firmware currently so I am not sure how they are obfuscated.

Actually I haven't really started looking at the firmware itself in great detail.

I was starting to look at the update mechanism itself and was attempting to reverse the flasher utility.

I never really got into reversing DOS 16-bit programs and certainly haven't much experience in DOS extenders. The usual tools puke at this and to make it worse the stubbed exe is also packed... As far as I know there never has been any interest in anyone unpacking it.
The firmware itself should be just a mixture of ARM and Thumb code and may or may not be worth looking at.
Thanks for the checksum info!


 Post subject: Re: SSD firmware hacking.
PostPosted: May 14th, 2015, 11:23 
Joined: May 12th, 2015, 5:37
Posts: 5
Location: Rostov-on-Don, Russia
Can you explain how you knew about this algorithm of microprogram unpacking? I have spent a lot of time on analysis of packed firmwares for XOR detection...
I have seen the flasher, there is nothing interesting in it. It doesn't contain a tech key - only the 92h command and a few simple tests inside it.
The firmware has a special block structure and consists of ARM and Thumb code. That's why, before you load it into a disassembler, try to find which blocks are loaded into SSD RAM and at which addresses. Also, please don't forget that the controller has three CPU cores.

Also, here are a couple of pieces of advice:
1. You chose the Samsung 840 series SSD - it's very complicated for research work. Better to use the 830 series.
2. All Samsung SSD drives have a COM port, but it is turned off in the main firmware.
3. Drives have a special mode for working under MASK ROM control.
4. Drives have a small number of technological commands.
5. On many drives you can disable senior memory banks for the purpose of repair. Actually, these SSDs are quite repairable. A much more complicated task is data recovery...

If you have some interesting information about the Samsung SSD, please write me a private message. In exchange I can tell you what I know about these drives or offer something more interesting for you ;)


 Post subject: Re: SSD firmware hacking.
PostPosted: August 4th, 2015, 12:09 
Joined: August 4th, 2015, 11:11
Posts: 2
Location: Here or there
I will preface this by saying I have mostly VBA coding experience and am just learning Python.

That said, I have a need to encode the *.enc file. I have been using the samsung_ssd_decode.py with great success. Now, I would like to make a change and encode to test a firmware package. While the code is straightforward, I'm having difficulty with the same process in reverse. Any help is appreciated.

Since I'm a new member, I tried to PM but the system said I needed more activity. So, I'm now being active. :)


 Post subject: Re: SSD firmware hacking.
PostPosted: August 4th, 2015, 14:17 
Joined: September 8th, 2009, 18:21
Posts: 9155
Location: Australia
albanytech wrote:
Now, I would like to make a change and encode to test a firmware package. While the code is straightforward, I'm having difficulty with the same process in reverse.

I haven't tested it, but I think this should work:
Code:
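import sys

# Inverse of the decoder's table: maps each decoded high nibble back to its encoded value.
lookup = [0x01,0x03,0x05,0x07,0x09,0x0B,0x0D,0x0F,0x0E,0x0C,0x0A,0x08,0x06,0x04,0x02,0x00]

# Read the whole decoded file into memory.
with open(sys.argv[1], 'rb') as decFile:
    b = bytearray(decFile.read())
for i in range(len(b)):
    b[i] = (lookup[(b[i] >> 0x04) & 0x0F] << 0x04) | (b[i] & 0x0F)
# Write the re-encoded bytes next to the input file.
with open(sys.argv[1] + '.encoded', 'wb') as encFile:
    encFile.write(b)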

I would test it by encoding and then decoding a test file. The result should be identical to the original file.

_________________
A backup a day keeps DR away.
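
The decode table from the first post, the XOR rows from the pseudo-Pascal post and the encode table in the reply above can be checked against each other. This is an added example, not code from any poster: it shows that the scheme is a fixed, keyless substitution on the high nibble only, so the encode table is simply the inverse permutation and the low nibble of every byte passes through unchanged. The function names and the sample bytes are assumptions made for the example.

```python
# Added example (not from the thread): cross-checks the three posted tables.
# DECODE is from the first post, ENCODE_POSTED from the reply above,
# XOR_ROWS_POSTED is the per-row value of the pseudo-Pascal XOR array.
DECODE = [0x0F, 0x00, 0x0E, 0x01, 0x0D, 0x02, 0x0C, 0x03,
          0x0B, 0x04, 0x0A, 0x05, 0x09, 0x06, 0x08, 0x07]
ENCODE_POSTED = [0x01, 0x03, 0x05, 0x07, 0x09, 0x0B, 0x0D, 0x0F,
                 0x0E, 0x0C, 0x0A, 0x08, 0x06, 0x04, 0x02, 0x00]
XOR_ROWS_POSTED = [0xF0, 0x10, 0xC0, 0x20, 0x90, 0x70, 0xA0, 0x40,
                   0x30, 0xD0, 0x00, 0xE0, 0x50, 0xB0, 0x60, 0x80]

def invert(nibble_table):
    """Invert a 16-entry nibble substitution; reject tables that are not bijective."""
    if sorted(nibble_table) != list(range(16)):
        raise ValueError("table is not a permutation of 0..15, so it has no inverse")
    inverse = [0] * 16
    for index, value in enumerate(nibble_table):
        inverse[value] = index
    return inverse

def byte_table(nibble_table):
    """Expand to 256 entries: substitute the high nibble, keep the low nibble."""
    return bytes((nibble_table[x >> 4] << 4) | (x & 0x0F) for x in range(256))

def xor_table(nibble_table):
    """The same transform written as a 256-entry XOR mask: out = x ^ mask[x]."""
    table = byte_table(nibble_table)
    return [x ^ table[x] for x in range(256)]

def decode(data):
    return bytes(data).translate(byte_table(DECODE))

def encode(data):
    return bytes(data).translate(byte_table(invert(DECODE)))

def check_tables():
    """Return the consistency results for the posted tables as a dict of booleans."""
    mask = xor_table(DECODE)
    sample = bytes(range(256)) + b"constructed sample, not firmware"
    return {
        "encode_table_is_inverse": invert(DECODE) == ENCODE_POSTED,
        "xor_rows_match": all(mask[x] == XOR_ROWS_POSTED[x >> 4] for x in range(256)),
        "round_trip": encode(decode(sample)) == sample == decode(encode(sample)),
        "low_nibble_untouched": all(d & 0x0F == s & 0x0F for d, s in zip(decode(sample), sample)),
    }

if __name__ == "__main__":
    print(check_tables())
```
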


 Post subject: Re: SSD firmware hacking.
PostPosted: August 4th, 2015, 15:03 
Joined: August 4th, 2015, 11:11
Posts: 2
Location: Here or there
That worked perfectly, fzabkar, thanks!


 Post subject: Re: SSD firmware hacking.
PostPosted: August 17th, 2015, 22:04 
Joined: August 17th, 2015, 21:40
Posts: 3
Location: Adelaide, South Australia
I think you will find the Zheino CHN-25PATA01 range of drives likely to be the most hackable, as they are specifically designed to be utilized in a wide range of industrial machinery. They respond to email and I think you would be able to communicate directly with the engineering group.

Available on Amazon or from Ali Express here: http://goo.gl/VYdv5a

Cheers


 Post subject: Re: SSD firmware hacking.
PostPosted: August 17th, 2015, 22:29 
Joined: December 4th, 2012, 1:35
Posts: 2768
Location: Adelaide, Australia
Thanks a lot, will have a look at those for sure. Nice to see someone else in SA even knows what an SSD is, let alone hacking one! ;-)

Edit:
Looking them up, I got a chuckle at the Lost in Translation... couldn't resist, hope no-one is easily offended:

Attachment:
giggitty.jpg
 Post subject: Re: SSD firmware hacking.
PostPosted: August 17th, 2015, 22:46 
Joined: December 4th, 2012, 1:35
Posts: 2768
Location: Adelaide, Australia
Why is their whole support page just an image and link to http://www.baidu.com/? Same with the News Page...
Forum looks dodgy:
Code:
Forum Threads Posts Last Post
AAAAAAAA
aaaaaaaaaaaaa
Moderators:xiong,Raziel 8 11 vcxcvcx
12 months ago | By Raziel

BBBBBBBBB
bbbbbbbbb
Moderators:Myles 5 4 d
383 years ago | By xiong
Servicing, repair, faults and reliability
Ask question about servicing, repairs, faults and reliability.
Moderators:Donavan 0 0 

CCCCCCCCCCCC
ccccccccc
Moderators:xiong 1 0 enter topicfdsfsdfs
12 months ago | By Raziel


I wouldn't be sending a cent over paypal to these guys ;)


 Post subject: Re: SSD firmware hacking.
PostPosted: August 17th, 2015, 22:51 
Joined: August 17th, 2015, 21:40
Posts: 3
Location: Adelaide, South Australia
If you go through a checkout process and pay via Paypal, as a buyer you cannot lose. I know from the perspective of an eBay seller for 14 years, the buyer always wins and in some cases keeps the goods as well :(

Edit: I just bought one off eBay Australia (Australian stock) @ $82 and I have no fear of losing money ;)

http://www.ebay.com.au/itm/171110782702


 Post subject: Re: SSD firmware hacking.
PostPosted: August 26th, 2015, 7:21 
Joined: August 26th, 2015, 7:14
Posts: 3
Location: mircwood
Sorry for my stupid question, but I can't find any .enc files. There are only four files in the ISO image: btdsk.img, isolinux.bin, isolinux.cfg, memdisc.


 Post subject: Re: SSD firmware hacking.
PostPosted: August 26th, 2015, 8:40 
Joined: December 4th, 2012, 1:35
Posts: 2768
Location: Adelaide, Australia
Serdyuk wrote:
Sorry for my stupid question, but I can't find any .enc files. There are only four files in the ISO image: btdsk.img, isolinux.bin, isolinux.cfg, memdisc.

Not stupid at all. This stuff gets easier the more you play around with it.

After you extract files from the ISO, you will be left with a few files... You then have to further extract from one of these files.

You will notice btdsk.img is about 2,880kb, and being the largest file you can be certain this one contains the firmware. So extract this file... with 7-zip, "extract here", then look in folder "btdsk\Samsung\DSRD\FW\DXT09B0Q" for example.

If you read numbers 2. and 3. where I explained it above, it should make sense.


 Post subject: Re: SSD firmware hacking.
PostPosted: October 2nd, 2015, 11:37 
Joined: August 26th, 2015, 7:14
Posts: 3
Location: mircwood
HaQue, thanks.

I disassembled this firmware and now I'm trying to understand this code.
How can I find port addresses?


 Post subject: Re: SSD firmware hacking.
PostPosted: August 4th, 2016, 11:50 
Joined: August 4th, 2016, 10:41
Posts: 1
Location: China
@HaQue
I want to edit "dsrd.enc", so I use "samsung_ssd_decode.py" to change it, but how do I change "dsrd.enc.decoded" to "dsrd.enc"? And I can't use "samsung_ssd_decode.py" to change "CXM03B1Q.enc".


Attachments:
1.png