
View topic - SSD firmware hacking. https://forum.hddguru.com/viewtopic.php?f=13&t=31127

All times are UTC - 5 hours [ DST ]

SSD firmware hacking.

Page 1 of 2 [ 33 posts ]

HaQue Post subject: SSD firmware hacking. Posted: May 6th, 2015, 1:47

I've been looking into some SSD firmware as this seems to be a good place to start research. Samsung firmware is encoded by a rather silly method. I really wonder why they bothered. I have coded up a small Python script to decode Samsung firmware and the associated file that accompanies a firmware update. I am using Python 3.4.3.

Code:

# Python script to decode Samsung SSD firmware .enc files
# by HaQue 06-May-2015
# NO ERROR CHECKING IS DONE!
# Input file should be an encoded .enc file.
# Output file will be input filename appended with ".decoded".
# USAGE: python dsssd.py xxxxx.enc
# Example: python samsung_ssd_decode.py test.enc
import sys

# Substitution table for the high nibble of each byte; the low nibble is left unchanged.
lookup = [0x0f,0x00,0x0e,0x01,0x0d,0x02,0x0c,0x03,0x0b,0x04,0x0a,0x05,0x09,0x06,0x08,0x07]

# Read the whole encoded file into memory.
with open(sys.argv[1], 'rb') as f:
    b = bytearray(f.read())
for i in range(len(b)):
    b[i] = (lookup[b[i] >> 0x04 & 0x0F] << 0x04) | (b[i] & 0x0F)
# Write the decoded bytes next to the input file.
with open(sys.argv[1] + '.decoded', 'wb') as f:
    f.write(b)

This script supports current firmware:

840 EVO EXT0DB6Q


840 PRO DXM06B0Q
840 DXT09B0Q
830 Series CXM03B1Q
470 Series AXM09B1Q

http://www.samsung.com/global/business/semiconductor/minisite/SSD/global/html/support/downloads.html

For firmware update ISOs, you can strip out the relevant DSRD.enc update info file and, for example, "DXM06B0Q.enc" firmware files in a number of ways.
Here are a few steps that work:

1. Right-click and choose extract using 7-zip.

2. Open the extracted folder, then navigate to the appropriate disk image that holds the firmware. It will be called something like "Bootable_2.88M.img". Depending on the ISO, if it is a DOS or Linux based boot, the files will be in various places, not hard to find. Interestingly there are also Mac trash files and deleted firmware, looks rather sloppy TBH.

3. Extract the files from this image. You can use WinHex to parse the image, probably even R-Studio or GetDataBack.. or whatever. Many ways to do this.

4. Find the firmware files. DSRD.enc and DXM06B0Q.enc are examples.

5. Copy "samsung_ssd_decode.py" to the same folder and run it.

Attachment: dos.jpg

Here is a before and after screenshot, but the actual firmware file is probably WAY more interesting.

Attachment: dec.jpg

I have some other stuff I am working on, hopefully I can get something interesting to share out of it.

Attachments: samsung_ssd_decode.zip [565 Bytes]

fzabkar Post subject: Re: SSD firmware hacking. Posted: May 6th, 2015, 3:55

Thanks very much for that. I don't know any Python, but your code is easily understandable.

_________________
A backup a day keeps DR away.


Spildit Post subject: Re: SSD firmware hacking. Posted: May 6th, 2015, 5:08

Thanks for sharing !


Nice !

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.


Agrail Post subject: Re: SSD firmware hacking. Posted: May 12th, 2015, 9:44

Very interesting solution!


I selected another way. I have used a 256-byte array of XOR values.
If I use your notation, then my solution written in pseudo-Pascal looks like this:

Code:

lookup: array[0..15] of array[0..15] of BYTE =
  [0xF0, ..., 0xF0]
  [0x10, ..., 0x10]
  [0xC0, ..., 0xC0]
  [0x20, ..., 0x20]
  [0x90, ..., 0x90]
  [0x70, ..., 0x70]
  [0xA0, ..., 0xA0]
  [0x40, ..., 0x40]
  [0x30, ..., 0x30]
  [0xD0, ..., 0xD0]
  [0x00, ..., 0x00]
  [0xE0, ..., 0xE0]
  [0x50, ..., 0x50]
  [0xB0, ..., 0xB0]
  [0x60, ..., 0x60]
  [0x80, ..., 0x80];
b: array of BYTE;
i: Integer;

for i := 0 to Length(b)-1 do
  b[i] := b[i] xor lookup[b[i]];

I think your solution is more elegant, but my solution is more general, since it allows the use of any array of XOR values and abandons the nibble division.

What deals with unpacking of firmware from previous drives like MLC SSD (VBM18C1Q, VBM19C1Q, VBM1AD1Q,...)?

By the way question of dumb procedure recedes given firmware protection.

Did you start research of the checksums of the microcode? You can see anything ranging from CRC16 to Elliptic Curve DSA (ECDSA).
And the firmware is protected by several control sums concurrently.
It seems like Samsung developers don't like it if somebody modifies the firmware of their SSD.
There is an idea that if they read this topic then they will change the encryption algorithm.

HaQue Post subject: Re: SSD firmware hacking. Posted: May 12th, 2015, 16:25

Nice to see another way of doing it, thanks.

I don't have any other firmware currently, so I am not sure how they are obfuscated.

Actually I haven't really started looking at the firmware itself in great detail.

I was starting to look at the update mechanism itself and was attempting to reverse the flasher utility.

I never really got into reversing DOS 16-bit programs and certainly haven't much experience in DOS extenders. The usual tools puke at this and to make it worse the stubbed exe is also packed... As far as I know there never has been any interest in anyone unpacking it.

The firmware itself should be just a mixture of ARM and Thumb code and may or may not be worth looking at.

Thanks for the checksum info!

Agrail Post subject: Re: SSD firmware hacking. Posted: May 14th, 2015, 11:23

Can you explain how you knew about this algorithm of microprogram unpacking? I have spent a lot of time on analysis of packed firmwares for XOR detection...
I have seen the flasher; there is nothing interesting in it. It doesn't contain a tech key - only the 92h command and a few simple tests inside it.

The firmware has a special block structure and consists of ARM and Thumb code. That's why, before you load it into a disassembler, try to find which blocks are uploaded to SSD RAM and at which addresses. Also, please don't forget that the controller has three CPU cores.

Also, here are a couple of pieces of advice:

1. You have chosen the Samsung 840 series SSD - it's very complicated for research work. Better to use the 830 series.
2. All Samsung SSD drives have a COM port, but it is turned off in the main firmware.
3. Drives have a special mode for working under MASK ROM control.
4. Drives have a small number of technological commands.
5. On many drives you can disable senior memory banks for the purpose of repair. Actually, these SSDs are quite repairable. A much more complicated task is data recovery...

If you have some interesting information about the Samsung SSD, please write me a private message. In exchange I can tell you what I know about these drives or offer something more interesting for you.

albanytech Post subject: Re: SSD firmware hacking. Posted: August 4th, 2015, 12:09

I will preface this by saying I have mostly VBA coding experience and am just learning Python.

That said, I have a need to encode the *.enc file. I have been using the samsung_ssd_decode.py with great success. Now, I would like to make a change and encode to test a firmware package. While the code is straightforward, I'm having difficulty with the same process in reverse. Any help is appreciated.

Since I'm a new member, I tried to PM but the system said I needed more activity. So, I'm now being active.

fzabkar Post subject: Re: SSD firmware hacking. Posted: August 4th, 2015, 14:17

albanytech wrote:

Now, I would like to make a change and encode to test a firmware package. While the code is straight forward, I'm having difficulty with the same process in reverse.

I haven't tested it, but I think this should work:

Code:

import sys

# Inverse of the decode table: maps each decoded high nibble back to its encoded value.
lookup = [0x01,0x03,0x05,0x07,0x09,0x0B,0x0D,0x0F,0x0E,0x0C,0x0A,0x08,0x06,0x04,0x02,0x00]

# Read the whole decoded file into memory.
with open(sys.argv[1], 'rb') as f:
    b = bytearray(f.read())
for i in range(len(b)):
    b[i] = (lookup[b[i] >> 0x04 & 0x0F] << 0x04) | (b[i] & 0x0F)
# Write the re-encoded bytes next to the input file.
with open(sys.argv[1] + '.encoded', 'wb') as f:
    f.write(b)

I would test it by encoding and then decoding a test file. The result should be identical to the original file.

_________________
A backup a day keeps DR away.
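
An added example (not code from any poster in this thread) that ties the three posted tables together: it derives the encode table and the 256-entry XOR table from HaQue's decode table and checks them against the values fzabkar and Agrail posted. Function names are hypothetical and the sample input is constructed.

```python
# Added example: relate the three tables posted in this thread.
# Table values are copied from the posts; function names are hypothetical.

DECODE = [0x0f, 0x00, 0x0e, 0x01, 0x0d, 0x02, 0x0c, 0x03,
          0x0b, 0x04, 0x0a, 0x05, 0x09, 0x06, 0x08, 0x07]      # HaQue's decode table
POSTED_ENCODE = [0x01, 0x03, 0x05, 0x07, 0x09, 0x0B, 0x0D, 0x0F,
                 0x0E, 0x0C, 0x0A, 0x08, 0x06, 0x04, 0x02, 0x00]  # fzabkar's encode table
POSTED_XOR_ROWS = [0xF0, 0x10, 0xC0, 0x20, 0x90, 0x70, 0xA0, 0x40,
                   0x30, 0xD0, 0x00, 0xE0, 0x50, 0xB0, 0x60, 0x80]  # Agrail's row values


def invert(table):
    """Invert a 16-entry nibble permutation; reject tables that are not bijective."""
    if sorted(table) != list(range(16)):
        raise ValueError("table is not a permutation of 0..15")
    inverse = [0] * 16
    for src, dst in enumerate(table):
        inverse[dst] = src
    return inverse


def substitute(data, table):
    """Replace the high nibble of every byte via `table`; keep the low nibble."""
    return bytes((table[b >> 4] << 4) | (b & 0x0F) for b in data)


def xor_table(table):
    """Build the 256-entry mask form, where byte ^ mask[byte] equals the substituted byte."""
    return [((table[b >> 4] << 4) | (b & 0x0F)) ^ b for b in range(256)]


def xor_decode(data, mask):
    """Decode the way the pseudo-Pascal post does: XOR each byte with mask[byte]."""
    return bytes(b ^ mask[b] for b in data)


if __name__ == "__main__":
    sample = bytes(range(256))   # constructed input covering every byte value
    encode = invert(DECODE)
    mask = xor_table(DECODE)
    print("derived encode table matches post:", encode == POSTED_ENCODE)
    print("XOR rows match post:", [mask[h << 4] for h in range(16)] == POSTED_XOR_ROWS)
    print("round trip ok:", substitute(substitute(sample, encode), DECODE) == sample)
    print("both decoders agree:", xor_decode(sample, mask) == substitute(sample, DECODE))
```

The transform is a fixed, keyless permutation of the high nibble, so it is obfuscation rather than encryption; any integrity protection comes from the checksums and signatures mentioned earlier in the thread.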


albanytech Post subject: Re: SSD firmware hacking. Posted: August 4th, 2015, 15:03

That worked perfectly, fzabkar, thanks!


chrisfoster Post subject: Re: SSD firmware hacking. Posted: August 17th, 2015, 22:04

I think you will find the Zheino CHN-25PATA01 range of drives likely to be the most hack-able, as they are specifically designed to be utilized in a wide range of industrial machinery. They respond to email and I think you would be able to communicate directly with the engineering group.

Available on Amazon or from Ali Express here: http://goo.gl/VYdv5a

Cheers

HaQue Post subject: Re: SSD firmware hacking. Posted: August 17th, 2015, 22:29

Thanks a lot, will have a look at those for sure. Nice to see someone else in SA even knows what an SSD is, let alone hacking one!

edit:
looking them up, I got a chuckle at the Lost in Translation.. couldn't resist, hope no-one is easily offended:

Attachment: giggitty.jpg

HaQue Post subject: Re: SSD firmware hacking. Posted: August 17th, 2015, 22:46

Why is their whole support page just an image and link to http://www.baidu.com/ ? same with the News Page..
forum looks dodgy:

Code:

Forum Threads Posts Last Post

AAAAAAAA
aaaaaaaaaaaaa
Moderators:xiong,Raziel 8 11 vcxcvcx
12 months ago | By Raziel

BBBBBBBBB
bbbbbbbbb
Moderators:Myles 5 4 d
383 years ago | By xiong

Servicing, repair, faults and reliability
Ask question about servicing, repairs, faults and reliability.
Moderators:Donavan 0 0

CCCCCCCCCCCC
ccccccccc
Moderators:xiong 1 0 enter topicfdsfsdfs
12 months ago | By Raziel

I wouldn't be sending a cent over paypal to these guys

chrisfoster Post subject: Re: SSD firmware hacking. Posted: August 17th, 2015, 22:51

If you go through a checkout process and pay via Paypal, as a buyer you cannot lose. I know from the perspective of an eBay seller for 14 years, the buyer always wins and in some cases keeps the goods as well.

Edit: I just bought one off eBay Australia (Australian stock) @ $82 and I have no fear of losing money.

http://www.ebay.com.au/itm/171110782702

Serdyuk Post subject: Re: SSD firmware hacking. Posted: August 26th, 2015, 7:21

Sorry for my stupid question, but I can't find any .enc files. There are only four files in iso image: btdsk.img, isolinux.bin, isolinux.cfg, memdisc.

HaQue Post subject: Re: SSD firmware hacking. Posted: August 26th, 2015, 8:40

Serdyuk wrote:

Sorry for my stupid question, but i can't find any .enc files. There are only four files in iso image: btdsk.img, isolinux.bin, isolinux.cfg, memdisc.

Not stupid at all. This stuff gets easier the more you play around with it.

After you extract files from the ISO, you will be left with a few files... You then have to further extract from one of these files.

You will notice btdsk.img is about 2,880kb, and being the largest file you can be certain this one contains the firmware. So extract this file... with 7-zip, "extract here", then look in folder "btdsk\Samsung\DSRD\FW\DXT09B0Q" for example.

If you read number 2. and 3. where I explained it above, it should make sense.

Serdyuk Post subject: Re: SSD firmware hacking. Posted: October 2nd, 2015, 11:37

HaQue, thnx

I disassembled this firmware and now I'm trying to understand this code.

How can I find port addresses?

naonao5321 Post subject: Re: SSD firmware hacking. Posted: August 4th, 2016, 11:50

@HaQue
I want to edit "dsrd.enc", so I use "samsung_ssd_decode.py" to change it, but how to change "dsrd.enc.decoded" to "dsrd.enc"? And can't use "samsung_ssd_decode.py" to change "CXM03B1Q.enc".

Attachments: 1.png

fzabkar Post subject: Re: SSD firmware hacking. Posted: December 25th, 2017, 17:15

Some alternative code/projects ...

Samsung SSD firmware encoder/decoder (Zibri's Blog):
http://www.zibri.org/2015/05/samsung-ssd-firmware-encoderdecoder.html

Samsung SSD Firmware Deobfuscation Utility:
https://github.com/ddcc/drive_firmware
https://github.com/ddcc/drive_firmware/blob/master/samsung/samsung.c
https://www.reddit.com/r/ReverseEngineering/comments/2uwhls/samsung_ssd_firmware_deobfuscation_utility/

_________________
A backup a day keeps DR away.

Agrail Post subject: Re: SSD firmware hacking. Posted: January 9th, 2018, 5:28

New firmware is packed using another algorithm.
As an example, you can consider firmware EXM04B6Q.
http://downloadcenter.samsung.com/conte ... 6Q_Win.iso

So the above methods are already outdated.

omeric4c Post subject: Re: SSD firmware hacking. Posted: February 27th, 2018, 7:00

A question: when I got the firmware files DSRD.enc and DXM06B0Q.enc and decoded them, how to write back to the SSD?
