Hacking memory sticks

Published On April 19, 2012
Into the unknown...


About a year ago, Humberside police were handing out free memory sticks, at our uni's fresher's fare. Great! I thought i'll have one of them. 1GB stick for nothing, can't go wrong...


So, I got it home, plugged it in, boom, fullscreen power point slideshow on how to protect your property...... borderline adaware! Into the draw the usb went and lived. Another fresher fare came and went and I got another 2 of these usbs, 3gb total, which I couldn't use without being shafted a load of adverts every time I plugged them in.

These 'promo' sticks worked by having 2 partitions, a CDFS partition (for the adverts) and a normal FAT32 partition (for files). As the name suggests the CDFS partition is derived from cds, with cds being read only, windows will not allow you to modify the partition; to the extent you cannot format the partition to kill it off. Another ghastly feature of CDFS is the autorun ability, which it's only use is to spread malware, in the form of Sony's spyware that appeared on a number legitimate cd's in 2005, to more recent appearing of household virus' spread via usb's.


For the purpose of promotion, this ugly feature was used to autorun the power point presentation.



Opening up...

So I sought to look onto how to remove the partition once and for all, grabbing a screwdriver I pried open the usb to get a look at the manufacture of this nobranded usb.



Captured using a life cam HD


We can see the manufacture is 'chipsbank' with a model code of 'CBM2091' digging around Google, I came across many forum posts asking how to get rid of the promo. 


I eventually stumbled across the manufacture tool that's given to companies to flash their promo material onto the sticks.


Fixing the unfixable...


This is called UMP Tool, not sure of the acronym, but never-the-less, I managed to obtain a copy for my chip (2091), simply by googling UMP tool 2091, which lead me to to a Russian site and finally the program itself (UMP TOOL V1.9.5). The current version of UMP tool goes to 4.1, however each version is specific to the version of the flash chip (so you'll need to open each usb, to get the chip version, to get the correct flasher).


Started the baby up, and being unflattered by the initial layout of the program, I went into the settings, and was quite blown away with the diversity of options:

 



As you can see, you can do quite allot, from making a password protected usb (which normally adds £5/£10 to the price of a retail stick) right up to tinkering the flash rate of the usb when its being read.


Excitedly, I flashed my first 'home brand' usb, which destroyed the evil promotional partition and gave me full access to the disk. Success! It worked. I could format it again burning an ISO as a CDFS partition, quite exciting stuff. 


But. not as exciting as when I got to my 2nd and 3rd usb....


Hidden Secret...


During formatting, I noticed it had 2048 blocks, and it would show the number of blocks as being corrupt/unusable.
Fine I thought, flash memory is prone to having a certain %age of corrupt/bad blocks.
 The manufacture had to compensate for this, had installed 2048 blocks (2GB). This allowed for a 50% corruption rate and still maintain the advertised 1GB to the consumer.

Now, here comes the fun part, by flashing using the UMP tool, It gave me access every single block that wasn't corrupt! Making my 1GB stick's grow to 1.46GB and 1.86GB!
(having about 25% and 8% bad blocks)


Quite a daunting realization occurred; people pay for the 2GB chip, but are only allowed 1GB of it, making a theoretical loss of 50% on their purchase.

 A consumer con? 


Well... due to the high volatility of flash memory, I can see why manufactures would rather guarantee 1GB than give consumers room to complain about their random amount of memory between 1GB and 2GB, after all it is at the customers expense. 


But I'm left with a thought, how much unused & hidden memory is in your shiny stick?
At this ratio, could a 8gb stick secretly contain a 16gb chip?



If you find out let me know!


 



Don't trust what's on the tin, after all you paid for what's on the inside.


Stick on the left now is enjoying life as a music usb for my car stereo, with it formatting to the largest size.


Sources:


UMPTOOL 1.95 For chip Version 2091:


http://flashboot.ru/old/index.php?name=Files&op=view_file&lid=81


UMPTOOL 4.02 (Not sure if backwards compatable with 2091)



http://www.filecrop.com/v4.02.rar-umptool.html

I also got a 2093 version for the v2.0 stick on the left from rapidshare.
I'm unsure on the legality of these tools, so I'm unable to host them myself, but a quick google for "UMPTool" and your CB number should point you where you need. 


You can also check out the flashboot.ru directory for a flasher if you have another other brand of USB:


http://flashboot.ru/iflash/
Tutorials
Back