Down The Road of Fake Flash Drives

This is great. I needed to transfer some files from my brother’s computer to mine. He runs Windows XP, I have a dual boot (XP and Ubuntu) but I booted with Ubuntu, and there’s no way I’m going to use Samba right now to allow file sharing between the two machines (Ubuntu & XP). Plus the files are too large to transfer over the network had I booted with XP.

I don’t want to upload them so I picked a flash drive (flash disk, thumb drive, pendrive, you name it) .. I plugged it and … nothing.

I picked another flash drive, plugged it and … Nothing. I know for a fact that the USB port works fine (because I plugged another thing that works).

So the problem must lie in those flash drives… Which is probably the reason why they were sitting there…

So, knowing that some stuff just doesn’t work properly on Windows and does work fine on stuff with an X at the end of their name.. I plug the flash drive in my machine (running Ubuntu) .. Nothing.. I plug the other one, and then … Nothing.

Something is shady.

Now here’s the interesting stuff…

One of the flash drives is an ADATA C906, black color, 4GB. The other is a Kingston DataTraveler 1GB.

The Kingston picture is almost identical to the flash drive I have in hand, except that the one I’m holding has the Kingston logo on it..

So … In order to explain this, one must know what VID/PID is. Well, before you hit Ctrl+K and search for it in your Google bar .. VID stands for Vendor ID, and PID stands for Product ID.

Say I’m a manufacturer. The USB organization (the USB Implementers Forum, USB-IF) issues me a unique number, the VID. When I build a new USB device, this device has its own drivers. I issue a PID for this new model, so it’s fully identified by the pair VID:PID. When someone plugs it into a computer, the computer reads that pair and “knows” which driver to load, a driver that is unique to that Model from that Manufacturer…

So each USB device has a pair VID:PID.

I have another flash drive, which is an ADATA C802.

Why am I telling you this?

Okay, let’s open the Terminal. (Ctrl+Alt+T)

The following command:

lsusb

gives this:

jugurtha@Jugurtha-Box:~$ lsusb
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 001 Device 018: ID 125f:c82a A-DATA Technology Co., Ltd.

Here’s a screenshot if you prefer:

Notice the last line:

Bus 001 Device 018: ID 125f:c82a A-DATA Technology Co., Ltd.

The VID:PID is 125f:c82a. You can clearly see A-DATA Technology Co., Ltd.

Chances are, this thing is genuine. I said “chances are”.

Let’s plug in the Kingston DataTraveler which doesn’t work.. And unplug mine, the one which works.

jugurtha@Jugurtha-Box:~$ lsusb
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 001 Device 026: ID 2000:2008

Hmmm ? Interesting.

Let’s unplug that, and plug the other A-DATA..

jugurtha@Jugurtha-Box:~$ lsusb
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 001 Device 019: ID 048d:1167 Integrated Technology Express, Inc.

This doesn’t make sense. It ‘should’ talk about A-DATA. But it doesn’t. Plus it doesn’t work.

A quick search on Google on 048d:1167 and 2000:2008 brings a great deal of awesomeness: Fake Flash Drives. These things are known and documented.
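The comparison made by eye above (does the vendor reported by lsusb fit the brand printed on the case?) can be scripted. This is an added example, not code from the original post; the function name `classify_usb` and the verdict names are made up for illustration, and the Kingston VID 0951 is an assumption taken from the public usb.ids list.

```shell
#!/bin/sh
# Added example (not from the original post): flag USB devices whose reported
# VID does not fit the brand printed on the case.

# classify_usb EXPECTED_VID  -- reads lsusb-format lines on stdin and prints
# "<vid:pid> <verdict>" for every device that is not a Linux root hub:
#   MATCH      reported VID equals the VID expected for the label
#   NO_VENDOR  lsusb printed no vendor name (VID absent from its ID database)
#   MISMATCH   VID belongs to some other named vendor
classify_usb() {
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    awk -v want="$want" '
        $5 == "ID" {
            id = tolower($6)
            split(id, part, ":")
            if (part[1] == "1d6b") next        # 1d6b = Linux Foundation root hubs
            name = ""
            for (i = 7; i <= NF; i++) name = name (i > 7 ? " " : "") $i
            if (part[1] == want)  verdict = "MATCH"
            else if (name == "")  verdict = "NO_VENDOR"
            else                  verdict = "MISMATCH"
            print id, verdict
        }'
}

# Device lines copied from the three lsusb runs in the post.
WORKING_ADATA='Bus 001 Device 018: ID 125f:c82a A-DATA Technology Co., Ltd.'
KINGSTON_LABELLED='Bus 001 Device 026: ID 2000:2008'
ADATA_LABELLED='Bus 001 Device 019: ID 048d:1167 Integrated Technology Express, Inc.'

# 125f is the A-DATA VID shown in the post. 0951 for Kingston is an assumption
# taken from the public usb.ids list; it does not appear in the post.
printf '%s\n' "$WORKING_ADATA"     | classify_usb 125f
printf '%s\n' "$KINGSTON_LABELLED" | classify_usb 0951
printf '%s\n' "$ADATA_LABELLED"    | classify_usb 125f
```

On a live system the input would be `lsusb | classify_usb 125f`. A MATCH is only a hint, since the VID:PID is whatever the controller firmware was programmed to report, and a genuine drive can legitimately report its controller maker's VID.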

I opened the Kingston (because it does open without breaking, unlike the A-DATA which is “welded”)

It contains a 12MHz quartz (oscillator). The memory reference has been erased, but it’s just one block.

The controller is an MXT6208A (Google returns lots of results about it. It seems known in those circles) .. The whole reference is, for memo:

MXT6208A 428021 09HT0901

Now .. The interesting stuff..

Apparently, there are a bunch of guys who repair this kind of device..

One website is often referred to : http://flashboot.ru/

It’s in Russian, so Google Translate will come in handy.

Another good one is http://fixfakeflash.wordpress.com/

There is this one too: http://www.myblog.bloggybloggy.com/category/fake-usb-key/

So, key stuff: VID:PID 2000:2008, Controller Reference MXT6208A and the other 428021 09HT0901 to know exactly what to use.

Here’s someone detailing the operation:

I’ll try to do this on my brother’s computer and will report back…

Unfortunately, I spent some hours with that. I think these devices are beyond repair, as even the proper tools failed. There were many errors. The devices were detected.

With the A-DATA drive, I had an error of “Too many bad blocks” and a size of 0.

With the other one, I had a “Make flash” and then an error 337,68 or something.

Anyway, maybe I’ll try some other time .. I must mention that I’m also interested in sniffing packets from USB ports .. That’s how I learned about the VID:PID thing in the first place.

Any comment, suggestion, advice .. Feel free.