SSD firmware hacking.

[sourcerer]

You have to either sign the firmware correctly and then send it into the SSD with hdparm or Samsung Magician. Or you can upload it with JTAG.

[omeric4c]

here I have a samsung firmware update software , the modle almost same,but it for a fixed DELL model number(s) MZ7LM120HCFD00D3, who can modifiy it for all MZ7LM120HCFD00XX SSD?
software Download link is https://downloads.dell.com/FOLDER037232 ... 38_A00.EXE

[fzabkar]

ISTM that the firmware payload file is "RI_PM863_GA38.fwh". This file appears to be a 1MiB firmware image preceded by an 0x200 byte header. I would guess that you could strip the header and then download the 1MiB image with hdparm. The results may be catastrophic, though. Your choice ...

[omeric4c]

yes ,the file has a header, maybe not 0x200 byte ,only 0x1B0 byte for header

[sourcerer]

The whole 1MiB file has to be decrypted and sent to the SSD (the Samsung tools are doing both decryption and sending). If you only send the rest, not the first 200 bytes, the signature check on the firmware inside the SSD will prevent loading broken firmware.
The Samsung tools also check whether the firmware actually fits the SSD. If you use hdparm instead of the Samsung tools, this check is circumvented and you have to make sure that it is compatible yourself.

[fzabkar]

The whole 1MiB file has to be decrypted and sent to the SSD (the Samsung tools are doing both decryption and sending). If you only send the rest, not the first 200 bytes, the signature check on the firmware inside the SSD will prevent loading broken firmware.

The file does not appear to be encrypted, nor are they Samsung's tools, AFAICT.

[gautam.dotcom]

Thanks for sharing !
Nice !

I am created a account in hdd oracle with the name gautam.dotcom. But it not accepting password. Please help.

[Spildit]

Thanks for sharing !
Nice !

I am created a account in hdd oracle with the name gautam.dotcom. But it not accepting password. Please help.

Off topic. This thread is about SSD firmware hacking ....

At any rate i can't see any user on my forum with the mentioned name. Please do register again.

[Corsari]

Hi

and what about the SandForce nightmare?

[ultimateu]

I've a question:

I have a device that reads a cfast2.0 since those are more expensive, I used a adapter with an SSD.
Once the adapter is plugged in, the device reads the SSD ID and since it does not match gives me an error that the "media is not certified"

Basically I want to fool the device changing the name ID of the SSD to avoid this message.

How can I customize the name ID of my Samsung SSD?

I would love your help with this.

[fzabkar]

This free tool decrypts some later Samsung SSD firmware, eg 850 Pro, version EXM04B6Q:

https://github.com/chrivers/samsung-firmware-magic (decryption tool)

https://semiconductor.samsung.com/consumer-storage/support/tools/ (Samsung firmware)

The 860 Evo (ver RVT04B6Q) is an even newer format which isn't supported by the tool.

[fzabkar]

The decoded payload has a 0x200-byte header which incorporates a table of modules at offset 0x100. The table consists of several sections. The first dword is the number of modules in that section. Each module is then described by 4 dwords which include its offset relative to the end of the 0x200-byte header, and its size. All parameter values are little-endian.

Code:

Offset(h) 00       04       08       0C

00000000  53414D53 554E475F 5353445F 42494E00  SAMSUNG_SSD_BIN.
00000010  302E3031 53544830 30303031 4F454D5F  0.01STH00001OEM_
00000020  47454E00 00000000 00000000 32303135  GEN.........2015
00000030  30333237 31383A33 35000000 00020000  032718:35.......
00000040  00001000 00001000 00000000 04000000
00000050  00000000 00270315 06000000 01010042
00000060  00000000 00000000 00000000 00000000
00000070  00000000 00000000 00000000 00000000
00000080  00000000 00000000 00000000 00000000
00000090  00000000 00000000 00000000 00000000
000000A0  00000000 00000000 00000000 00000000
000000B0  00000000 00000000 00000000 00000000
000000C0  00000000 00000000 00000000 00000000
000000D0  00000000 00000000 00000000 00000000
000000E0  00000000 00000000 00000000 00000000
000000F0  00000000 00000000 00000000 00000000
00000100  01000000 00000000 00000000 003E0100  <-- start of table of modules
          ^^^^^^^^ -------- -------- --------
          1 module 1st mod  start    size

00000110  00608100 03000000 01000000 003E0100
          -------- ^^^^^^^^ -------- --------
          ???      3 mods   1st mod  start

00000120  00000200 00000040 01000000 003E0300
          -------- -------- ======== ========
          size     ???      2nd mod  start

00000130  00800000 00808040 01000000 00BE0300
          ======== ======== ++++++++ ++++++++
          size     ???      3rd mod  start

00000140  00000300 00020080 03000000 02000000
          ++++++++ ++++++++
          size     ???

00000150  00BE0600 00000200 00000041 02000000
00000160  00BE0800 00400000 00108041 02000000
00000170  00FE0800 00400200 00000480 03000000
00000180  03000000 003E0B00 00000200 00000042
00000190  03000000 003E0D00 00400000 00108042
000001A0  03000000 007E0D00 00400200 00000880
000001B0  00000000 00000000 00000000 00000000
000001C0  00000000 00000000 00000000 00000000
000001D0  00000000 00000000 00000000 00000000
000001E0  00000000 00000000 00000000 00000000
000001F0  00000000 00000000 00000000 92BEC20D
                                     ^^^^^^^^  checksum / CRC

Structure of one section in the table

Code:

03000000   number of modules to follow

section# start    size     ???
-------- -------- -------- --------
02000000 00BE0600 00000200 00000041  1st module
02000000 00BE0800 00400000 00108041  2nd module
02000000 00FE0800 00400200 00000480  3rd module

Attachments

EXT0DB6Q.enc.decoded.7z

(306.01 KiB) Downloaded 262 times

[fzabkar]

The 32-bit CRC is calculated over the preceding 0x1FC bytes.

In HxD (freeware hex editor) one would select Analysis -> Checksums -> CRC-32.