All times are UTC - 5 hours [ DST ]

Post new topic Reply to topic  [ 1 post ] 
Author Message
 Post subject: Samsung SSD EVO830, Persistent Rootkit and JTAGGING...
PostPosted: November 27th, 2018, 17:11 
User avatar

Joined: November 27th, 2018, 16:42
Posts: 5
Location: Greece, Amaliada
I have some really strange issues: A completely remote-controlled System even after re-partitioning and complete re-install of latest Windows. And yes, I installed without any internet connected, blocked all Ports in Windows firewall, connected Network and the system got high-jacked again. Never seen something like this before.
It is not a random virus from the internet but a targeted attack! So maybe someone spend lot of money to do it like this. They are very good in hiding and even deleting footsteps. For example when saving logfiles to an USB flashdrive and connect the USBSTICK again (WHEN OFFLINE) I was able to see how the the logfiles on the usbstick were deleted by "system".

I even re-flashed my BIOS (using external hardware-programmer). This happened several times and brought me near a heart-attack.
So one Idea is, someone messed with the firmware of my SSDs. There are not a lot other options left....

It looks like they are able to move my complete system in a virtual machine without any known virus-scanners finding anything. They are also able to change the setup because sometimes "GMER" finds hooks (and crashes immediately to BSOD) - but sometimes it does not find anything!
Those guys are REALLY GOOD! They even broke my Mikrotik firewall as well as the router. But I guess they did by hidden terminal when already logged on to my system (there should be no access through WAN to the mikrotik)

I would really love to reverse-engineer this stuff.

Having tow harddrive affected: One Samsung 830 with S4LJ204X01 3-Core ARM9 based MCX Controller
and one Kingston 512 GB with Sandforce Controller (which I do not know anything about). There is an official Firmware-Upgrade for the Kingston but the tool refuses to write at the 0x92-ATA Command (upload microcode). This really indicates there must be something damn wrong with it....

I guess it is more simple to dump the Samsung Controller.
I found a JTAG-Port with unfortunately 4 PINS only (TCK, TMS, TDI, TDO but no sRst) but having trouble to connect it to OpenOCD (using Raspberry Bitbanging as the Interface).

IDCODE says 0x025966f0f (unknown) which is pretty stable but two more devices in chain which are unstable. I am not able yet to "HALT" the Controller (maybe this needs an sRST?).

so well - I am stuck here.... I found a lot stuff in the internet about the Samsung 850 which is a cortext_m4 based controller. This does not really help.
Im stuck, here.....
Any ideas?

Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 1 post ] 

All times are UTC - 5 hours [ DST ]

Who is online

Users browsing this forum: No registered users and 0 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group