
Cypress EZ-USB FX2 firmware downloading

Started by galapogos September 19, 2008
Hi,

I have a Cypress EZ-USB FX2 USB mass storage device. AFAIK firmware is
only allowed to be downloaded to either the external EEPROM or
internal RAM when the device either
1) Does not have an EEPROM, or
2) Has an empty EEPROM without any existing firmware

When this happens, the host PC will load the Cypress generic
driver (Cypress FX2 - No EEPROM (0x8613)) rather than the default USB
Mass Storage driver.

However, I have heard a claim that it is possible to load firmware
into the RAM using some Cypress SDK, overwriting the existing
firmware, while the device is running in USB MSC mode. This is
obviously a security risk since it allows hackers to overwrite the
firmware and do possibly malicious things with the device. Is this
possible?
> However, I have heard a claim that it is possible to load firmware
> into the RAM using some Cypress SDK, overwriting the existing
> firmware, while the device is running in USB MSC mode. This is
> obviously a security risk since it allows hackers to overwrite the
> firmware and do possibly malicious things with the device. Is this
> possible?

I think so, IMHO. But I have never tried it and never seen the mass storage firmware.

According to the technical reference manual ("EZ-USB® Technical Reference Manual", Document # 001-13670), page 61, paragraph "3.8 EZ-USB Vendor Request for Firmware Load", you can read:

"Note These upload and download requests are always handled by the EZ-USB, regardless of the state of the RENUM bit. The upload start address must be word-aligned (i.e. the start address must be evenly divisible by two)".

So, I suppose that even if your firmware sets the RENUM bit to 1, meaning that it wants to handle vendor commands by itself, you can still replace your running firmware with something else at your pleasure. I think this was to avoid the "brick" effect when you download a non-functioning firmware... but I agree this could be a problem from a "security" point of view.

Surely, talking about security when your code resides on an external serial EEPROM that you can read and change with a $10 gizmo is nonsense in any case.
On Sep 18, 11:30 pm, galapogos <gois...@gmail.com> wrote:
> This is obviously a security risk since it allows hackers to overwrite the
> firmware and do possibly malicious things with the device. Is this
> possible?
Not only is it possible, it is unpreventable, and there are several web sites dedicated to the fun things one can do re-loading EZ-USB based devices.
On Sep 20, 3:16 am, LittleAlex <alex.lo...@email.com> wrote:
> Not only is it possible, it is unpreventable, and there are several
> web sites dedicated to the fun things one can do re-loading EZ-USB
> based devices.
Thanks. Can you provide some links to some of these web sites?
On Sep 21, 7:27 pm, galapogos <gois...@gmail.com> wrote:
> Thanks. Can you provide some links to some of these web sites?
<http://www.google.com/search?q=ez-usb+hacking>
On Sep 22, 11:19 am, LittleAlex <alex.lo...@email.com> wrote:
> <http://www.google.com/search?q=ez-usb+hacking>

Thanks. I tried modifying the Cypress driver and was able to successfully re-flash the device by updating the USB MSC driver with the modified Cypress driver, hence making it visible to the Cypress control panel software. It works. I've also tried fxload on Linux and it seems to work too (VID/PID/manufacturer string changed when I used lsusb to view). So it does seem like it's possible.

Now onto the "unpreventable" part. Is there really no way at all to stop this from happening?
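The 0xA0 "Firmware Load" request that the earlier reply quotes from TRM section 3.8, and that fxload exercises in the post above, as an added example (not code from the thread, from Cypress, or from fxload): it parses a small constructed Intel HEX image, emits the control transfers a host would issue to drop it into FX2 internal RAM around a CPUCS reset hold/release, enforces the word-aligned rule the TRM states for uploads, and replays everything against a fake device so it runs offline. Beyond what the page states, it assumes the request code 0xA0 with bmRequestType 0x40 for writes and 0xC0 for reads, the FX2 CPUCS register at 0xE600, and a 64-byte chunk size picked for illustration; the sample image and the fake device are constructed here, not taken from any real product.

```python
"""EZ-USB FX2 'Firmware Load' (vendor request 0xA0) as a host tool issues it.
Added example, not code from the thread, Cypress or fxload.  Assumed, not on the
page: bRequest 0xA0, bmRequestType 0x40 write / 0xC0 read, CPUCS at 0xE600."""
from typing import Dict, List, Tuple

VENDOR_OUT, VENDOR_IN = 0x40, 0xC0   # bmRequestType: vendor request to the device
FIRMWARE_LOAD = 0xA0                  # handled by the EZ-USB core, RENUM or not
CPUCS = 0xE600                        # FX2 CPU control register, bit 0 = 8051 reset
CHUNK = 64                            # payload per control transfer (example choice)
Transfer = Tuple[int, int, int, int, object]  # (bmRequestType, bRequest, wValue=addr, wIndex, data|wLength)

# Constructed Intel HEX image, not real mass-storage firmware:
#   0x0000: 02 00 80  LJMP 0x0080     0x0080: 80 FE  SJMP $ (spin)
#   0x0100: 16 data bytes, so a small chunk size forces a split
SAMPLE_HEX = """\
:030000000200807B
:0200800080FE00
:10010000000102030405060708090A0B0C0D0E0F77
:00000001FF
"""

def parse_ihex(text: str) -> Dict[int, int]:
    """Return {address: byte} from the data records, checking every checksum."""
    image: Dict[int, int] = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if not line.startswith(":"):
            raise ValueError(f"line {n}: record must start with ':'")
        raw = bytes.fromhex(line[1:])
        # length byte must match, and all bytes incl. checksum sum to 0 mod 256
        if len(raw) != 5 + raw[0] or sum(raw) & 0xFF:
            raise ValueError(f"line {n}: bad length field or checksum")
        addr, rtype, data = int.from_bytes(raw[1:3], "big"), raw[3], raw[4:-1]
        if rtype == 0x01:                         # end-of-file record
            break
        if rtype != 0x00:                         # only plain data fits internal RAM
            raise ValueError(f"line {n}: unsupported record type {rtype:#04x}")
        for i, b in enumerate(data):
            image[addr + i] = b
    return image

def contiguous_runs(image: Dict[int, int]) -> List[Tuple[int, bytes]]:
    """Group the image into (start, bytes) runs of adjacent addresses."""
    runs: List[Tuple[int, bytes]] = []
    for a in sorted(image):
        if runs and a == runs[-1][0] + len(runs[-1][1]):
            runs[-1] = (runs[-1][0], runs[-1][1] + bytes([image[a]]))
        else:
            runs.append((a, bytes([image[a]])))
    return runs

def download_transfers(image: Dict[int, int], chunk: int = CHUNK) -> List[Transfer]:
    """Hold the 8051 in reset, write each run in <= chunk pieces, release reset."""
    out: List[Transfer] = [(VENDOR_OUT, FIRMWARE_LOAD, CPUCS, 0, bytes([0x01]))]
    for start, run in contiguous_runs(image):
        for off in range(0, len(run), chunk):
            out.append((VENDOR_OUT, FIRMWARE_LOAD, start + off, 0, run[off:off + chunk]))
    out.append((VENDOR_OUT, FIRMWARE_LOAD, CPUCS, 0, bytes([0x00])))
    return out

def upload_transfer(addr: int, length: int) -> Transfer:
    """Read-back request; the TRM requires a word-aligned start address."""
    if addr & 1:
        raise ValueError(f"upload start {addr:#06x} must be even")
    return (VENDOR_IN, FIRMWARE_LOAD, addr, 0, length)

class FakeFx2:
    """Stand-in for the EZ-USB core: answers 0xA0 no matter what firmware 'runs'."""
    def __init__(self) -> None:
        self.ram = bytearray(0x4000)  # 16 KB internal code/data RAM
        self.cpucs = 0
        self.log: List[str] = []

    def ctrl_transfer(self, bm: int, breq: int, wvalue: int, windex: int, payload):
        if breq != FIRMWARE_LOAD:
            raise NotImplementedError("other vendor requests reach the firmware, not the core")
        if bm == VENDOR_OUT:
            if wvalue == CPUCS:
                self.cpucs = payload[0] & 1
                self.log.append("reset" if self.cpucs else "run")
            else:  # memoryview slice assignment raises if the write leaves RAM
                memoryview(self.ram)[wvalue:wvalue + len(payload)] = payload
            return len(payload)
        if bm == VENDOR_IN:
            return bytes(self.ram[wvalue:wvalue + payload])
        raise ValueError(f"unexpected bmRequestType {bm:#04x}")

def load_and_verify(hex_text: str, dev: FakeFx2, chunk: int = CHUNK) -> bool:
    """Download, read every run back while still in reset, then release the CPU."""
    image = parse_ihex(hex_text)
    transfers = download_transfers(image, chunk)
    for t in transfers[:-1]:  # everything except the final reset release
        dev.ctrl_transfer(*t)
    ok = all(dev.ctrl_transfer(*upload_transfer(s, len(r))) == r for s, r in contiguous_runs(image))
    if ok:
        dev.ctrl_transfer(*transfers[-1])
    return ok
```

Against real hardware the same tuples go straight to pyusb's `dev.ctrl_transfer(bmRequestType, bRequest, wValue, wIndex, data_or_wLength)`. The security-relevant detail sits in `FakeFx2.ctrl_transfer`: request 0xA0 is answered by the core before any firmware sees it, so a mass-storage firmware has no hook at which to refuse the download, which is what "unpreventable" means in this thread. Reading the runs back before releasing reset is the one check a loader can add, and it protects against a corrupted image, not against a hostile host.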
On Sep 22, 1:11 am, galapogos <gois...@gmail.com> wrote:

> Now onto the "unpreventable" part. Is there really no way at all to
> stop this from happening?

Get a part with mask-programmed ROM instead of one that depends on external or even internal flash. That still might be exploitable, but only during a single power-on session. To do anything lasting to something like that would seem to require ion-beam surgery or comparable.