Addendum, April 1, 2017
Please refer to the following article.
【Complete version】How to apply PS2251-07(2307) patch for Psychson(BadUSB)
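I previously reported that I had succeeded in running the Psychson firmware on the Phison 2251-07 (2307), but in fact, at that point I was not yet fully able to write firmware to the newer version of the 2307 chip. (Details below.)
Addendum, July 8, 2016
In Japan, the "Toshiba TransMemory-MX USB 3.0 8GB/16GB" is a cheaply available USB flash drive with a Phison chip, but this Toshiba drive is sold as two products: a domestic version and an overseas version (parallel import). The domestic version costs 200 to 300 yen more, and the chip ID and firmware version of the installed chip also differ.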
[code title="Domestic version"]
Action specified: GetInfo
Gathering information…
Reported chip type: 2307
Reported chip ID: 98-DE-98-92-72-50
Reported firmware version: 2.03.53
Mode: Firmware
[/code]
[code title="Overseas version (parallel import)"]
Action specified: GetInfo
Gathering information…
Reported chip type: 2307
Reported chip ID: 98-3A-98-A3-76-51
Reported firmware version: 2.15.55
Mode: Firmware
[/code]
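To write firmware to a 2307 USB drive, you first run a burner image published at http://www.usbdev.ru/files/phison/ps2307fw/ and then write the firmware itself. However, the latest burner published as of January (BN07V106M.BIN) worked on the domestic version (98-DE-98-92-72-50) but did not work correctly on the overseas version (98-3A-98-A3-76-51).
First, I ran BN07V502TAW.BIN on the domestic chip and dumped the firmware that had been written with BN07V106M.BIN. The data it returned had conspicuously high entropy.
(A) Work out the exact encryption procedure, then write custom firmware that I have encrypted myself using BN07V502TAW.BIN
(B) Modify BN07V502TAW.BIN to bypass the encryption so that firmware can be dumped and written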
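The high-entropy observation above is the usual first sign that a dump is scrambled or encrypted rather than plain firmware. As an added example (not code from the original article or from Psychson), the following profiles a dump block by block; the block size, the 7.5 bits/byte threshold and both sample buffers are assumptions constructed here, and the keystream is a generic stand-in, not Phison's scrambler.

```python
import math
import random
from collections import Counter

BLOCK = 4096       # bytes per window (assumed value)
THRESHOLD = 7.5    # bits/byte; assumed cut-off for "looks scrambled"

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, from 0.0 to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def entropy_profile(dump: bytes, block: int = BLOCK):
    """Return [(offset, entropy)] for every full block.

    A short trailing block is skipped: with few samples its entropy
    estimate is capped well below 8 and would skew the verdict.
    """
    return [(off, shannon_entropy(dump[off:off + block]))
            for off in range(0, len(dump) - block + 1, block)]

def looks_scrambled(dump: bytes, threshold: float = THRESHOLD) -> bool:
    """True when every full block sits near the 8 bits/byte ceiling."""
    profile = entropy_profile(dump)
    return bool(profile) and all(h >= threshold for _, h in profile)

def make_samples(size: int = 4 * BLOCK):
    """Constructed sample data, not a real firmware dump."""
    # Low-entropy stand-in for plain firmware: only 16 distinct byte values.
    plain = bytes((i * 7) % 16 for i in range(size))
    # Generic seeded keystream XORed over it (NOT the Phison scrambler).
    rng = random.Random(2307)
    keystream = bytes(rng.randrange(256) for _ in range(size))
    scrambled = bytes(p ^ k for p, k in zip(plain, keystream))
    return plain, scrambled

if __name__ == "__main__":
    plain, scrambled = make_samples()
    for name, dump in (("plain", plain), ("scrambled", scrambled)):
        for off, h in entropy_profile(dump):
            print(f"{name:9s} 0x{off:05x} {h:.2f} bits/byte")
        print(name, "looks scrambled:", looks_scrambled(dump))
```

On a real dump, padding regions and embedded tables lower the per-block figure, so read the profile as a whole rather than relying on the single yes/no result.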
When you have some questions and want to get a reply from us, you have to notify us of the version of the chip and other important information.
Can someone translate this to English? Even with Google Translate I can't make it through the first few steps. For example, which files are we meant to patch in the first part?
Don’t multi-post.
So how did you resolve the problem? Do we have to use the BN07V502TAW.BIN as a source for asm code implantation into firmware source? Which steps to take?
Check this article: https://vivibit.net/psychson2307/
> Do we have to use the BN07V502TAW.BIN as a source for asm code implantation into firmware source?
I add this information to the article: https://vivibit.net/psychson2307/
I have two questions: where did you get the action SendFirmware07, did you write it? And why are you executing the action without a burner parameter?
I can't get this working even with the BN07V502TAW.BIN; maybe I am missing something.
> I have two questions: where did you get the action SendFirmware07, did you write it? And why are you executing the action without a burner parameter?
“SendFirmware07” is equivalent to “SendFirmware” that patched https://vivibit.net/psychson2307/.
> I can't get this working even with the BN07V502TAW.BIN; maybe I am missing something.
The BN07V502TAW.BIN returns data encrypted by the “Pseudo Random XOR scrambler” of the Phison controller.
It is necessary to rewrite a few bytes of BN07V502TAW.BIN if you want to bypass the encryption.
Please see the following for more information about the “Pseudo Random XOR scrambler”.
I have read the “Random XOR Scrambler Pseudo” page, but I am still unsure of how I need to rewrite BN07V502TAW.BIN.
The page says
-Scrambler mode. Clear bit 7 and set bits 3, 4 to bypass scrambler.
In BN07V502TAW.BIN, there is no value on 0038. Is this what I should edit? Or do I edit NANDCSOUT registers?
I am working with a Kingston DataTraveler 100 G3 8GB (2251-07) PS2307 Controller.
Drivecom has given me this so far:
C:\Psychson-master\tools>DriveCom /Drive=F /action=GetInfo
Action specified: GetInfo
Gathering information…
Reported chip type: 2307
Reported chip ID: 98-DE-88-A3-72-51
Reported firmware version: 1.02.55
Mode: Firmware
C:\Psychson-master>tools\drivecom /drive=F /action=GetInfo
Action specified: GetInfo
Gathering information…
Reported chip type: 2307
Reported chip ID: 98-DE-88-A3-72-51
Reported firmware version: 1.06.10
Mode: Burner
Notice how the reported firmware has been changed in the second GetInfo after I tried to sendfirmware. It is also in Burner mode. Not sure if this means anything.
Anyway, I just need help figuring out how to rewrite the BN07V502TAW.BIN. Anything is appreciated, thank you for your time.
Wasn’t it successful with the BN07V106M.BIN? (BN07V106M.BIN does not encrypt(decrypt) the firmware)
Using Drivecom to send firmware BN07V106M.BIN gave me this:
Psychson-master>tools\drivecom /drive=f /action=SendFirmware /burner=Burner\BN07V106M.BIN /firmware=firmware\bin\fw.bin
Action specified: SendFirmware
Gathering information…
Reported chip type: 2307
Reported chip ID: 98-DE-88-A3-72-51
Reported firmware version: 1.06.10
Mode: Burner
Sending firmware…
FATAL: System.InvalidOperationException: Header not accepted
at DriveCom.PhisonDevice.TransferFile(Byte[] data, Byte header, Byte body) in c:\Users\User\Desktop\New folder\Psychson-master\DriveCom\DriveCom\PhisonDevice.cs:line 256
at DriveCom.Startup._RunFirmware(String fileName) in c:\Users\User\Desktop\New folder\Psychson-master\DriveCom\DriveCom\Startup.cs:line 427
at DriveCom.Startup._SendFirmware() in c:\Users\User\Desktop\New folder\Psychson-master\DriveCom\DriveCom\Startup.cs:line 378
at DriveCom.Startup.Main(String[] args) in c:\Users\User\Desktop\New folder\Psychson-master\DriveCom\DriveCom\Startup.cs:line 114
> In BN07V502TAW.BIN, there is no value on 0038. Is this what I should edit? Or do I edit NANDCSOUT registers?
It is “F638”, not “0038”.
See this comment: https://vivibit.net/psychson2307/#comment-5958.