Read NAND flash serial number

[TakeTwo]

Is it possible to read the serial numbers of the individual NAND chips attached to flash storage (like USB, SSD, NVME) from the operating system or do you need access on the firmware level? Can any of the commercial tools do that?
Or is this not possible in general without poking the individual chips directly?

[Arch Stanton]

ChipGenius can get flash ID for UFD's

[TakeTwo]

Yeah, I used ChipGenius quite a while ago and iirc I saw something related.
So I guess this is possible in general? Or is there any reason why it should not be possible on an NVME or SSD disk?
Is it possible to write the NAND serial?

[Arch Stanton]

No idea, probably the UFD controller/firmware allows for getting NAND ID. If firmware prevents it you can not get to it. Why on earth you want to change the NAND ID?

[sourcerer]

ChipGenius does the NAND identification through Vendor-Specific-Commands on the USB bus, most pendrives offer commands that let it retrieve the NAND IDs. But each pendrive vendor has different commands, so ChipGenius has to try a lot of commands to see which one works. Usually each vendor has one method in it's firmware and keeps it that way for all it's chips. ChipGenius seems to be the only tool on the market that can identify about 99% of the NANDs. But I also had a few ones it could not identify.

[TakeTwo]

Any reason why this should not work in principle for NVME/SSD devices?
Is it possible to change the serial number of NAND flash through software or is it really OTP?

[sourcerer]

I would say the serial number is changeable in theory, but you need good software with firmware level access.

[Arthur]

ChipGenius does the NAND identification through...

Do you know where I can get a virus free version of ChipGenius?

[Arch Stanton]

SoftPedia.

[Arthur]

SoftPedia.

Thanks!

[fzabkar]

SoftPedia.

How do people decide whether an antivirus scan is producing false positives?

"14 security vendors and no sandboxes flagged this file as malicious" (ChipGenius_v4_19_0319_softpedia.zip from SoftPedia)

https://www.virustotal.com/gui/file/ac0a542f0998dd9906c0f8e3fd3d874833dbbe69a0b012b120fe270f56efe5bf

If I unpack FlashMaster.exe with UPX, the resultant file generates 28 AV hits:

https://www.virustotal.com/gui/file/db750ec3fcc075805939a0c1d14cc2e55bf1884519ec8a503ed65ae85cbb5661

[Arch Stanton]

SoftPedia.

How do people decide whether an antivirus scan is producing false positives?

"14 security vendors and no sandboxes flagged this file as malicious" (ChipGenius_v4_19_0319_softpedia.zip from SoftPedia)

https://www.virustotal.com/gui/file/ac0a542f0998dd9906c0f8e3fd3d874833dbbe69a0b012b120fe270f56efe5bf

If I unpack FlashMaster.exe with UPX, the resultant file generates 28 AV hits:

https://www.virustotal.com/gui/file/db750ec3fcc075805939a0c1d14cc2e55bf1884519ec8a503ed65ae85cbb5661

They're all results from heuristic engines, some AV vendors even make A.I. claims. For a file that has been around for a while, and ALL detections being 'heuristic' there's a good chance it is false positive. These heuristics scans are dead stupid and annoying.

[fzabkar]

They're all results from heuristic engines, some AV vendors even make A.I. claims. For a file that has been around for a while, and ALL detections being 'heuristic' there's a good chance it is false positive. These heuristics scans are dead stupid and annoying.

I guess "heuristics" is really the only way you can anticipate new viruses, so AV vendors will continue to make use of these engines.

One potentially disturbing implication of my scan results is that real malware can be hidden in an EXE file simply by packing it with UPX. This means that a sandbox would be the only way to expose it.

BTW, there is a second EXE in the same package. It has PK0 and PK1 components, and these also appear to be packed, but not with UPX.

[Arch Stanton]

Anyways, to avoid the often sketchy ChipGenius downloads you can also use https://www.antspec.com/usbflashinfo/.

[Arch Stanton]

One potentially disturbing implication of my scan results is that real malware can be hidden in an EXE file simply by packing it with UPX.

Which is why UPX packed executable or DLL is a heuristic 'trigger' putting in enough weight by itself to cause an alert.

[fzabkar]

I uploaded several Windows 10 EXEs, and they all fell foul of one or more AV scanners. Even my FreeBASIC source code files are flagged.

[Arch Stanton]

I uploaded several Windows 10 EXEs, and they all fell foul of one or more AV scanners. Even my FreeBASIC source code files are flagged.

Yup, I have seen experiments before from people creating totally harmless exe's getting detected by multiple of the heuristic and 'crowd wisdom' driven scans. I have same problem that each time I release an update there's always at least one that 'detects' it as potentially harmful. I got a list of emails which you can use to report false positives and before I release I always spam them, all of them. Unfortunately there's those (Chinese ones often) that don't even offer the option for reporting false positives.

IMO virustotal should ban half of those they're listing due to demonstrable crapiness.