Micro SD Card Analysing

GaryLittlemore
(@garylittlemore)
New Member

Hi all,

I'm looking for a little guidance please.

I've just been handed a 128gb Micro SD (Unbranded). A consumer bought the card believing it to be a 128gb, but it isn't.

What/where should I be looking for signs of the card being hacked/altered in any way?

Any help would be greatly appreciated

Gary

Topic starter Posted : 30/06/2015 6:18 pm
jaclaz
(@jaclaz)
Community Legend

Can you better describe the issue?

Your consumer most probably got a "fake" large capacity Micro SD (possibly buying it as an extremely convenient deal on e-bay or similar).

Typically a 4 or 8 or maybe 16 Gb SD card is formatted in such a way that it *seems* like a 128 Gb volume, and as soon as you hit the real capacity of the flash, the thingy starts to not work anymore/give errors.

What exactly are you wanting or expecting to find?
Here is a good, detailed experience
http://www.bunniestudios.com/blog/?page_id=1022

Or are you suspecting something more complex and serious *like* code execution from the firmware?
http://www.bunniestudios.com/blog/?p=3554

jaclaz

Posted : 30/06/2015 7:24 pm
mscotgrove
(@mscotgrove)
Senior Member

Unfortunately fake cards are rather common. It is always hard telling a customer that the 128GB - 8GB of data never actually existed, and so cannot be recovered. Because the directory is normally still intact, the user is not aware until too late.

Posted : 30/06/2015 8:32 pm
GaryLittlemore
(@garylittlemore)
New Member

Thanks all for your replies.

This is where I'm at at the moment.

The consumer bought the Micro SD believing it to be 128 GB from a trader on eBay in my area,

It displays in Windows as 128 GB. As it happens the consumer is tech savvy and has used a program called H2testw (http://translate.google.co.uk/translate?hl=en&sl=de&u=http://www.heise.de/download/h2testw.html). H2testw can be used to test if a memory card is fake, tests sizes etc. H2testw appears to write files to the card with a .h2w extension. I've acquired the card with Encase 7.10.5. Encase is returning the following:

262144000 sectors, 512 bytes per sector = 134217728000 bytes

The consumer had run H2testw prior to handing the SD card over to myself. On acquiring the card I can see 125 .h2w files: 1.h2w to 124.h2w have a logical size of 1073741824 bytes and the last, 125.h2w, has a logical size of 1067450368. On inspecting the .h2w files, numbers 1.h2w to 8.h2w all have random hex values, then from 9.h2w to 125.h2w all the files have 00 hex (the files are empty) but have a logical value.

After watching the video on http://www.bunniestudios.com/blog/?p=3554 it appears that the trader is buying cards where the firmware chip has been flashed so an OS sees the larger size.

At the moment I’ve formatted the card with exFAT as that is the FS Encase is showing the card had when I acquired it and I’m running H2testw to see for myself what the end result displays.

Anyone have any other input on what else I can try / test?

Gary

Topic starter Posted : 01/07/2015 9:15 pm
mscotgrove
(@mscotgrove)
Senior Member

As I mentioned earlier, the directory part of the chip is normally intact, so everything looks OK.

If you do a DD dump of the chip, I think you will see the same data appearing for the final 120G of the chip. Search for a 'unique' pattern and you see it keeps occurring. The size of the block, maybe a few MBs, or 100s of MB depending on how the chip has been faked.

Another test, if you want to write to the chip, is write a single sector near the end of the chip with a 'unique' string. You will probably find this sector being viewed many times on the chip.

Posted : 01/07/2015 10:06 pm
jaclaz
(@jaclaz)
Community Legend

This is where I'm at at the moment.

Good. :)

Anyone have any other input on what else I can try / test?

I am still missing the scope of the tries/tests.
Identifying HOW the thingy has been made into a "fake"?

As said, normally what is used on these "fake" devices is simply a modified filesystem that appears to the OS as having a "full" capacity and not any particular firmware modification; if you prefer, if you actually wipe it and reformat it, the "real" size is shown.

A slightly more complex "hack" is made by additionally faking the total number of sectors the device exposes (but still it is not really a firmware hack, only a small change to some data).

If you are on Windows use a dd-like tool, I suggest the dsfo from the DSFOK package
http://members.ozemail.com.au/~nulifetv/freezip/freeware/
and simply dd the whole physical device to NUL, with dsfo that would be
dsfo \\.\Physicaldriven 0 0 NUL

The bytes that the tool will show as transferred upon completion are the actual bytes present on the device (in the absence of a firmware modification).

On the other hand if the firmware has been modified, there are two ways it is usually done, one is to circularly loop over the same physical memory, i.e. say that the SD card is actually 8 Gb, if you dd-write to it the contents of a set of 1 Gb (1073741824 bytes) files, the first one filled with 1's, the second with 2's, etc. when you write the ninth 1 Gb file (filled with 9's) it will overwrite the first one, that would be
dsfi \\.\Physicaldriven 0 0 mynice1s.bin
dsfi \\.\Physicaldriven 1073741824 0 mynice2s.bin
….
dsfi \\.\Physicaldriven 8589934592 0 mynice9s.bin

the other one is to map non-existing memory, if this is the case the ninth 1 Gb file will be written to "NUL", i.e. you won't be able to retrieve it, seemingly this latter is what you have, judging from the description of the H2testw files you found.

And of course there is the (remote, since the thingy actually comes from an e-bay deal) possibility that the SD is actually a 128 Gb but that it is actually malfunctioning, i.e. that somehow it did pass controls in manufacturing but that for *whatever reasons* part of the memory is not connected properly or is downright defective.

jaclaz

Posted : 01/07/2015 10:12 pm
Dmitri
(@dmitri)
New Member

I've just been handed a 128gb Micro SD (Unbranded). A consumer bought the card believing it to be a 128gb, but it isn't.

I must say I do not completely understand what exactly you're looking to achieve.

If you need to recover the data, then not much extra can be squeezed out, unfortunately, as writing process on such cards is usually looped.

If you're looking to re-use the card, some of them can be turned into a real capacity ones (I mean 4, 8 GB and so on), but the process will require additional research, so could be rather pointless, as reliability of such card can be low.

If you're looking to prosecute the seller, I think most likely he has no idea how these cards are made, he just sells them and makes his profit.

Posted : 06/08/2015 10:40 pm
PaulSanderson
(@paulsanderson)
Senior Member

Write an incrementing number to every sector on the disk in turn - then examine each sector to see where the number wraps.

Posted : 06/08/2015 10:55 pm
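
The looping and non-existent-memory behaviours described earlier in the thread, run through the incrementing-stamp test suggested just above, as an added example that is not part of any poster's message. `SimCard` is a constructed in-memory model (8 real sectors advertised as 32) and `survey` is a hypothetical name; on a real card the same stamping overwrites every sector, so it belongs after acquisition.

```python
import struct

SECTOR = 512

class SimCard:
    """Constructed model of a card that advertises more sectors than it holds."""
    def __init__(self, real, advertised, mode):
        self.real, self.advertised, self.mode = real, advertised, mode
        self.flash = bytearray(real * SECTOR)

    def _phys(self, lba):
        if lba < self.real:
            return lba
        # "loop" wraps onto existing flash; "null" has no memory behind the LBA
        return lba % self.real if self.mode == "loop" else None

    def write(self, lba, data):
        p = self._phys(lba)
        if p is not None:                      # "null" mode silently drops the write
            self.flash[p * SECTOR:(p + 1) * SECTOR] = data

    def read(self, lba):
        p = self._phys(lba)
        if p is None:
            return bytes(SECTOR)               # unmapped sectors read back as 00
        return bytes(self.flash[p * SECTOR:(p + 1) * SECTOR])

def survey(card):
    """Stamp each advertised sector with LBA+1, read back, return (verdict, real_sectors)."""
    for lba in range(card.advertised):
        # +1 so that a sector reading back as all zeros can never be a valid stamp
        card.write(lba, struct.pack("<Q", lba + 1) * (SECTOR // 8))
    seen = [struct.unpack_from("<Q", card.read(lba))[0] for lba in range(card.advertised)]
    bad = [lba for lba, v in enumerate(seen) if v != lba + 1]
    if not bad:
        return ("genuine", card.advertised)
    if all(seen[lba] == 0 for lba in bad):
        return ("unmapped", bad[0])            # first LBA with nothing behind it
    # Looped: later writes clobbered earlier ones, so sector 0's stamp recurs
    # one real-capacity further on. That distance is the true size.
    period = next((lba for lba in range(1, card.advertised) if seen[lba] == seen[0]), None)
    return ("looped", period) if period else ("unknown", None)

if __name__ == "__main__":
    for mode in ("loop", "null"):
        print(mode, survey(SimCard(real=8, advertised=32, mode=mode)))
```

In the looped case the mismatches start at sector 0, because the last pass of writes lands on top of the first; in the unmapped case the early sectors are intact and everything past the real capacity reads as zeros, which matches the 9.h2w to 125.h2w observation in the thread.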
jhup
(@jhup)
Community Legend

This is not new as mentioned earlier.

There are even websites that deal with nothing but fake micro- & SD cards, flash drives and such.

As asked before, what are you trying to achieve? What is your end goal?

Posted : 07/08/2015 6:30 pm