Web、サーバ、ソフトウェア、バグ・脆弱性 などの情報を何人かで集まって書いていく IT/Web情報系ブログ

【Complete version】How to apply PS2251-07(2307) patch for Psychson(BadUSB)

投稿日:   最終更新日:2017/04/03  投稿者:xx2zz

I released a patch to run Psychson on PS2251-07(2307), but since the procedure was complicated and incomplete.
Because there are too many questions, I will revisit a simplified patch file and procedure again.

スポンサーリンク

Difference file

This file contains the following changes.

Note: This file is research material for the purpose of experiment to work Psychson’s custom firmware in PS2251-07(2307). It does not guarantee the operate. Please use it at your own risk.

“Psychson2307_diff_en” をダウンロード Psychson2307_diff_20170401_en.zip – 72 回のダウンロード – 5 KB

Operation confirmation device

I confirmed the operation with the following USB memory.

  • TOSHIBA TransMemory-MX TNU-B008GK
  • TOSHIBA TransMemory-MX V3SZK-016G

Other necessary items

Building CFW for 2307

  1. Download source code from brandonlw/Psychson and extract it
  2. Overwrite/Add the contents of “Psychson2307_diff_20170401.zip” to the Psychson folder expanded with step 1
  3. Apply differences with patch command (Movie)
  4. patch -p0 < firmware-firmware2307.diff
    patch -p0 < DriveCom-DriveCom2307.diff
    
  5. Extract “FW07FF01V10153M_20140116.bin” and “BN07V106M.BIN” from “firmware_ps225107.rar” and place it in “firmware” folder
  6. Execute “fire2db.pl” placed in “firmware” folder (Perl 5 required)
  7. Run build.bat

Embedding the payload

Embed the payload file as necessary in the firmware file (bin/fw.bin) created above.

Flashing CFW for 2307

  1. Build DriveCom after applying the patch with VS2012
  2. Extract “BN07V502TAW.BIN” from “firmware_ps225107.rar”
  3. Open “BN07V502TAW.BIN” with hex editor and change the values of offset 0x4D85, 0x4D86 to 00
  4. Flashing firmware with DriveCom.exe
  5. DriveCom.exe /drive=E /action=SendFirmware /burner=BN07V502TAW.BIN /firmware=fw.bin
    

- BadUSB , , ,

Comment

  1. xcmx より:

    Does your BN07V502TAW.BIN patch turn on scrambler only for write?
    How to patch this loader to enable scrambler for reading (to get clean firmware dump)?
    Thx!

  2. kawa より:

    By any chance do you know to fix this?

    Reported chip type: 2307
    Reported chip ID: 98-DE-88-A3-72-51
    Reported firmware version: 1.06.10
    Mode: Burner
    Rebooting…
    Sending firmware…
    FATAL: System.InvalidOperationException: Header not accepted
    en DriveCom.PhisonDevice.TransferFile(Byte[] data, Byte header, Byte body)
    en DriveCom.Startup._RunFirmware(String fileName)
    en DriveCom.Startup._SendFirmware()
    en DriveCom.Startup.Main(String[] args)

    • xx2zz より:

      Please tell me MD5 of BN07V502TAW.BIN and DriveCom.exe.

      • kawa より:

        Drivecom is : 20a9a597675825b0da6bdb8c499e9392

        Modified BN07V502TAW: 2cd5c54ef224ae1008dce63bcfbb504b

        no mod on BN07V502TAW: 98e58660ef305d2a7a5ad2c482a73722

        I was using a datatraveleres 100 g3 8gb , usb 3 , now is dead.

        Thanks

        • xx2zz より:

          Thanks for your reply.
          The modified BN07V502TAW seems to have no problem.
          It may not work with DataTraveler 100 G3.
          I’ll check it out if I get that device.

Message

メールアドレスが公開されることはありません。 * が付いている欄は必須項目です

関連記事