Phison Ps2251 03 V Datasheet Ic

在IC_FW栏,选择主控型号为PS2251-50,FC1-FC2 0XFF:01 在Flash Setting栏,勾选 自动侦测,可选低级格式化。 如果想量产U启动盘,需要在Partition Setting栏,将分区数量设置为2,并勾选分区1中的CD-ROM,在CD镜像处选择你的光盘ISO镜像文件。. PS2251-03: Introduction Phison PS2251-03, an ultra-high-speed USB 3.0-to-Flash micro-controller chip, supports 3X2X1X nm flash memory. The PHISONs PS2251-33 micro-controller supports USB 2.0 1.1 and interface to NAND Flash Memory. This chip is specially designed for portable storage device.

  1. Phison Ps2251 03 V Datasheet Icons
  2. Ps2251 07

This repository contains the following items:

  • DriveCom -- PC C# application to communicate with Phison drives.
  • EmbedPayload -- PC C# application to embed Rubber Ducky inject.bin key scripts into custom firmware for execution on the drive.
  • Injector -- PC C# application to extract addresses/equates from firmware as well as embed patching code into the firmware.
  • firmware -- this is 8051 custom firmware written in C.
  • patch -- this is a collection of 8051 patch code written in C.

Releases have the following items:

  • patch -- this is a collection of 8051 patch code written in C.
  • tools -- these are the compiled binaries of all the tools.
  • CFW.bin -- this is custom firmware set up to send an embedded HID payload.

Take note that the firmware patches have only been tested against PS2251-03 firmware version 1.03.53 (which is for an 8K eD3 NAND flash chip). They may work for others, but be careful.

As long as you are using the correct firmware image for your controller version and NAND chip, there is no harm in downgrading to an earlier version (such as from 1.10.53).

WARNING: This is experimental software. Use on unsupported devices, or even on supported devices, may cause loss of data, or even permananent damage to devices. Use at your own risk.

Getting Started

See Known Supported Devices for information on supported devices; use on an unsupported device may cause permanent damage to the device.

To get started, you'll need to obtain a burner image, which is the 8051 executable responsible for flashing firmware to the drive.

See Obtaining a Burner Image on the wiki for more information.

Build Environment

To patch or modify existing firmware, you must first set up a build environment. See Setting Up the Environment on the wiki for more information.

At a minimum, SDCC needs to be installed to C:Program FilesSDCC.

Dumping Firmware

Run DriveCom, passing in the drive letter representing the drive you want to flash, the path of the burner image you obtained, and the destination path for the firmware image:

where E is the drive letter, BN03V104M.BIN is the path to the burner image, and fw.bin is the resulting firmware dump.

Currently, only 200KB firmware images can be dumped (which is what the Patriot 8GB Supersonic Xpress drive uses).

Flashing Custom Firmware

Run DriveCom, passing in the drive letter representing the drive you want to flash, the path of the burner image you obtained, and the path of the firmware image you want to flash:

where E is the drive letter, BN03V104M.BIN is the path to the burner image, and fw.bin is the path to the firmware image.

Running Demo 1 (HID Payload)

Phison Ps2251 03 V Datasheet Icons

Create a key script in Rubber Ducky format, then use Duckencoder to create an inject.bin version of it:

where keys.txt is the path to your key script.

You may notice the delays are not quite the same between the Rubber Ducky and the drive -- you may need to adjust your scripts to compensate.

(These tools are available from https://code.google.com/p/ducky-decode/.)

Once you have an inject.bin file, embed it into the custom firmware with:

where inject.bin is the path to your inject.bin file, and hid.bin is the path to the HID payload custom firmware.

(Notice that the firmware image is copied, and the payload is embedded into the copy -- this is because the payload can only be embedded once, so the original CFW.bin must remain intact.)

You can now flash the firmware to your drive with:

where E is the drive letter representing your drive, BN03V104M.BIN is the path to your burner image, and hid.bin is the path to the HID payload custom firmware.

Huge thanks to the Hak5 team for their work on the excellent USB Rubber Ducky!

Running Demo 2 (Hidden Partition Patch)

First, determine the number of logical blocks (sectors) your drive has with the following command:

Go into the patch directory and modify base.c to disable all other patches, and enable the hidden partition patch:

Phison Ps2251 03 V Datasheet Ic

Then modify the NUM_LBAS define to the number of logical blocks on your drive:

Make sure you round down to an even number, and it couldn't hurt to subtract a few first, in case a few blocks go bad over time. (For example, if the number of LBAs was 0xE6C981, you might reduce it to 0xE6C940.)

Place the firmware image you want to patch into the patch directory and name it fw.bin.

Go to the patch directory and run build.bat. It will produce a file at patchbinfw.bin -- this is the modified firmware image.

Ps2251 07

You can now flash this file to your drive.

After flashing, Windows may be confused, as it now only sees half of the partition it once did -- it may ask you to format the first time you view either the public or hidden halves of the drive. This is normal.

Running Demo 3 (Password Patch)

Go into the patch directory and modify base.c to disable all other patches, and enable the password patch:

Place the firmware image you want to patch into the patch directory and name it fw.bin.

Go to the patch directory and run build.bat. It will produce a file at patchbinfw.bin -- this is the modified firmware image.

You can now flash this file to your drive.

Running No Boot Mode Patch

Go into the patch directory and modify base.c to disable all other patches, and enable the no boot patch:

Place the firmware image you want to patch into the patch directory and name it fw.bin.

Go to the patch directory and run build.bat. It will produce a file at patchbinfw.bin -- this is the modified firmware image.

You can now flash this file to your drive. Once flashed to your device, it will no longer act on the command to jump to boot mode. To update the firmware again will require shorting pins on the controller. To make it impossible* to update, after flashing this patch coat the device with epoxy.

  • Within reason; it may be possible to get to boot mode via an exploit or other non-standard method.

Converting to Mode 7

You can run the ModeConverterFF01.exe application (see Useful Links) to split the drive into public and secure partitions, or restore the original (mode 3) functionality.

After converting to mode 7, you should be able to set, change, or disable the secure partition password with the USB DISK Pro LOCK utility.

Building From Source

Modify the C files in the firmware directory for custom firmware, or the patch directory for the firmware patches, then run the build.bat file in the appropriate directory.

Once it has built successfully, use DriveCom to flash the resulting file (binfw.bin) to your drive:

...or...

Questions? Comments? Complaints?

Unfortunately this isn't the most straightforward process at the moment, so if you have questions, open an issue and we'll do our best to help (and update the readme/wiki).