An IT/Web information blog written by a group of contributors, covering the web, servers, software, bugs and vulnerabilities

【Complete version】How to apply PS2251-07(2307) patch for Psychson(BadUSB)

Posted:   Last updated: 2017/04/03  Posted by: xx2zz

I previously released a patch to run Psychson on the PS2251-07 (2307), but the procedure was complicated and incomplete.
Because I received too many questions about it, this post presents a simplified patch file and procedure.


Difference file

This file contains the following changes.

Note: This file is research material for experimenting with running Psychson’s custom firmware on the PS2251-07 (2307). Operation is not guaranteed. Please use it at your own risk.

Download “Psychson2307_diff_en”

Psychson2307_diff_20170401_en.zip – downloaded 10219 times – 4.53 KB

Devices confirmed to work

I confirmed operation with the following USB flash drives.

  • TOSHIBA TransMemory-MX TNU-B008GK
  • TOSHIBA TransMemory-MX V3SZK-016G

Other necessary items

Building CFW for 2307

  1. Download source code from brandonlw/Psychson and extract it
  2. Overwrite/Add the contents of “Psychson2307_diff_20170401.zip” to the Psychson folder expanded with step 1
  3. Apply differences with patch command (Movie)

    patch -p0 < firmware-firmware2307.diff
    patch -p0 < DriveCom-DriveCom2307.diff

  4. Extract “FW07FF01V10153M_20140116.bin” and “BN07V106M.BIN” from “firmware_ps225107.rar” and place it in “firmware” folder
  5. Execute “fire2db.pl” placed in “firmware” folder (Perl 5 required)
  6. Run build.bat

Embedding the payload

Embed the payload file as necessary in the firmware file (bin/fw.bin) created above.

Flashing CFW for 2307

  1. Build DriveCom after applying the patch with VS2012
  2. Extract “BN07V502TAW.BIN” from “firmware_ps225107.rar”
  3. Open “BN07V502TAW.BIN” with hex editor and change the values of offset 0x4D85, 0x4D86 to 00
  4. Flashing firmware with DriveCom.exe

    DriveCom.exe /drive=E /action=SendFirmware /burner=BN07V502TAW.BIN /firmware=fw.bin
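
A check for step 3 of the flashing procedure, as an added example that is not part of the original post or the Psychson project: it compares the original and edited burner image and confirms that the hex edit changed only offsets 0x4D85 and 0x4D86 to 00 and left the file size unchanged. The sample images are constructed stand-ins, and all function names are hypothetical.

```python
import hashlib

# Offsets and value are taken from step 3 of the flashing procedure above.
EXPECTED_OFFSETS = (0x4D85, 0x4D86)
EXPECTED_VALUE = 0x00

def md5_hex(data: bytes) -> str:
    """MD5 is used only because the comment thread compares MD5 values."""
    return hashlib.md5(data).hexdigest()

def changed_offsets(original: bytes, modified: bytes) -> list:
    """Return every offset at which the two images differ."""
    if len(original) != len(modified):
        # A hex editor left in insert mode shifts every later byte.
        raise ValueError(f"size changed: {len(original)} -> {len(modified)} bytes")
    return [i for i, (a, b) in enumerate(zip(original, modified)) if a != b]

def verify_burner_patch(original: bytes, modified: bytes) -> list:
    """Return a list of problems; an empty list means the edit is as described."""
    try:
        diffs = changed_offsets(original, modified)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    for off in EXPECTED_OFFSETS:
        if off >= len(modified):
            problems.append(f"image too short for offset {off:#06x}")
        elif modified[off] != EXPECTED_VALUE:
            problems.append(f"offset {off:#06x} is {modified[off]:#04x}, expected 0x00")
    for off in diffs:
        if off not in EXPECTED_OFFSETS:
            problems.append(f"unexpected change at offset {off:#06x}")
    return problems

def make_sample() -> tuple:
    """Constructed stand-in images (not real burner contents)."""
    original = bytes((i * 7 + 1) % 251 + 1 for i in range(0x5000))  # no zero bytes
    good = bytearray(original)
    good[0x4D85] = good[0x4D86] = 0x00          # overwrite, as step 3 describes
    inserted = original[:0x4D85] + b"\x00\x00" + original[0x4D85:]  # insert-mode mistake
    return original, bytes(good), inserted

if __name__ == "__main__":
    orig, good, inserted = make_sample()
    print(md5_hex(orig), md5_hex(good))
    print(verify_burner_patch(orig, good), verify_burner_patch(orig, inserted))
```

For real files, read both images with `open(path, "rb").read()` and pass them to `verify_burner_patch`.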
    


Comment

  1. xcmx says:

    Does your BN07V502TAW.BIN patch turn on scrambler only for write?
    How to patch this loader to enable scrambler for reading (to get clean firmware dump)?
    Thx!

  2. kawa says:

    By any chance do you know how to fix this?

    Reported chip type: 2307
    Reported chip ID: 98-DE-88-A3-72-51
    Reported firmware version: 1.06.10
    Mode: Burner
    Rebooting…
    Sending firmware…
    FATAL: System.InvalidOperationException: Header not accepted
    en DriveCom.PhisonDevice.TransferFile(Byte[] data, Byte header, Byte body)
    en DriveCom.Startup._RunFirmware(String fileName)
    en DriveCom.Startup._SendFirmware()
    en DriveCom.Startup.Main(String[] args)

    • xx2zz says:

      Please tell me MD5 of BN07V502TAW.BIN and DriveCom.exe.

      • kawa says:

        Drivecom is : 20a9a597675825b0da6bdb8c499e9392

        Modified BN07V502TAW: 2cd5c54ef224ae1008dce63bcfbb504b

        no mod on BN07V502TAW: 98e58660ef305d2a7a5ad2c482a73722

        I was using a DataTraveler 100 G3 8GB, USB 3; now it is dead.

        Thanks

        • xx2zz says:

          Thanks for your reply.
          The modified BN07V502TAW seems to have no problem.
          It may not work with DataTraveler 100 G3.
          I’ll check it out if I get that device.

  3. sergey says:

    Hi! I have successfully reflashed a Verbatim Store N Go with a PS2251-07 controller. I used a pin short to enter boot mode. The Hello World payload is working, but I have an issue reflashing to a new payload. I’ve injected a new payload into the initially built fw.bin, burning is OK, but I still have the old payload. Is there any non-trivial procedure to write a new fw.bin after the initial reflashing procedure?

  4. topflstrike says:

    I got this error, please tell me what is the reason, thank you.

    C:\WINDOWS\system32>c:\fw\Psychson-master\tools\DriveCom.exe /drive=I /action=SendFirmware /burner=c:\fw\fw_bn\BN07V502TAW.BIN /firmware=c:\fw\Psychson-master\firmware\bin\fw.bin
    Action specified: SendFirmware
    Gathering information…
    Reported chip type: 2307
    Reported chip ID: 98-3A-A8-92-76-50
    Reported firmware version: 2.03.53
    Mode: Firmware
    Switching to boot mode…
    FATAL: System.InvalidOperationException: DeviceIoControl failed: 048F
    at DriveCom.PhisonDevice._SendCommand(SafeFileHandle handle, Byte[] cmd, Byte[] data, Int32 bytesExpected) in C:\fw\Psychson-master\DriveCom\DriveCom\PhisonDevice.cs:line 365
    at DriveCom.PhisonDevice.SendCommand(Byte[] cmd, Byte[] data) in C:\fw\Psychson-master\DriveCom\DriveCom\PhisonDevice.cs:line 314
    at DriveCom.PhisonDevice.TransferFile(Byte[] data, Byte header, Byte body) in C:\fw\Psychson-master\DriveCom\DriveCom\PhisonDevice.cs:line 246
    at DriveCom.PhisonDevice.TransferFile(Byte[] data) in C:\fw\Psychson-master\DriveCom\DriveCom\PhisonDevice.cs:line 238
    at DriveCom.Startup._ExecuteImage(String fileName) in C:\fw\Psychson-master\DriveCom\DriveCom\Startup.cs:line 403
    at DriveCom.Startup._SendFirmware() in C:\fw\Psychson-master\DriveCom\DriveCom\Startup.cs:line 375
    at DriveCom.Startup.Main(String[] args) in C:\fw\Psychson-master\DriveCom\DriveCom\Startup.cs:line 114

  5. BRAINIFII says:

    Everything went successfully, but when I plug in my USB nothing happens…

  6. Luis Torres says:

    D:\downloads\2307-badusb-master>DriveCom.exe /drive=F /action=SendFirmware /burner=DBN07V502TAW.BIN /firmware=fw.bin
    Action specified: SendFirmware
    Gathering information…
    Reported chip type: 2307
    Reported chip ID: AD-3A-18-03-00-50
    Reported firmware version: 5.02.41
    Mode: Burner
    Rebooting…
    Sending firmware…
    FATAL: System.InvalidOperationException: Header not accepted
    em DriveCom.PhisonDevice.TransferFile(Byte[] data, Byte header, Byte body)
    em DriveCom.Startup._RunFirmware(String fileName)
    em DriveCom.Startup._SendFirmware()
    em DriveCom.Startup.Main(String[] args)

  7. Luis Torres says:

    Volume: F:
    Controller: Phison PS2307
    Possible Memory Chip(s): Not available
    Flash ID: AD3A1803 0050
    Chip F/W: 08.03.50
    Firmware Date: 2018-05-11
    ID_BLK Ver.: 1.4.39.0
    MP Ver.: MPALL v5.35.39
    VID: 0951
    PID: 1666
    Manufacturer: Kingston
    Product: DataTraveler 3.0
    Query Vendor ID: Kingston
    Query Product ID: DataTraveler 3.0
    Query Product Revision: PMAP
    Physical Disk Capacity: 15502147584 Bytes
    Windows Disk Capacity: 15489662976 Bytes
    Internal Tags: 2Q6P-8X74
    File System: FAT32
    Relative Offset: 4032 KB
    USB Version: 3.00 in 2.00 port
    Declared Power: 300 mA
    ContMeas ID: 5862-15-00
    Microsoft Windows 10 x64 Build 18362
    ————————————

  8. Hi, patching BN07V502TAW.BIN (changing the values of offset 4D1B, 4D1C to 00)
    doesn't fully disable encoding.
    At offset 0x600, 8168 bytes are encoded, then 1024 bytes encoded, and again
