Are modern USB flash drives vulnerable to reflashing to create Bad USB devices?
I’m looking for specific modern flash drive models or controllers (Phison, Alcor, Silicon Motion) that can be reflashed to emulate a keyboard (Bad USB). All the guides I’ve found refer to outdated models that are no longer available on the market.
Requirements:
- A flash drive that supports long payloads
- Ability to automate processes
- Disk functionality for storing necessary programs
- Modern models available for purchase
The Digispark I purchased doesn’t work due to the limited payload size and lack of disk functionality. I’m wondering if it’s possible to implement this concept with modern flash drives without deep reverse engineering.
Modern USB flash drives are indeed vulnerable to reprogramming to create Bad USB devices, especially those that use controllers with open or poorly protected firmware. Many flash drive manufacturers save on firmware security, which opens up opportunities for their modification.
Contents
- Basic vulnerabilities of modern flash drives
- Modern controllers and their vulnerabilities
- Reprogramming methods
- Requirements for modern flash drives for Bad USB
- Practical implementation
- Security and ethical aspects
- Alternative solutions
Basic vulnerabilities of modern flash drives
Modern USB flash drives contain microcontrollers that control all device operations. These controllers often have the following vulnerabilities:
- Weak firmware protection: Many manufacturers do not encrypt or weakly encrypt controller firmware
- Lack of signature verification: Controllers may accept firmware without verifying its authenticity
- Special firmware modes: Manufacturers leave service modes for firmware updates
- Open protocols: Some controllers use publicly available protocols for interaction
The main risk is that when connecting the device to a computer, the operating system may automatically run a special program on the flash drive that reprograms the controller, turning it into a Bad USB device.
Modern controllers and their vulnerabilities
Phison controllers
Phison is one of the largest manufacturers of controllers for USB flash drives. Modern series such as PS2251-09, PS2251-13, PS2251-27 often have the following features:
- Support for USB 3.0/3.1
- Relatively weak firmware protection
- Presence of service mode via USB commands
- Compatibility with various memory types
The vulnerability of these controllers is that they can accept reprogramming commands through standard USB interfaces without additional authentication.
Alcor Micro controllers
Alcor Micro (series AU6983, AU6989, AU9280) is also widely used in modern flash drives:
- Support for high-speed USB 2.0 and USB 3.0
- Weak cryptographic firmware protection
- Ability to flash via HID interface
- Presence of standard commands for updating
These controllers are particularly interesting for creating Bad USB as they can emulate various USB devices, including keyboards, after reprogramming.
Silicon Motion controllers
Silicon Motion (SM328, SM3281B, SM3282B) is used in high-speed flash drives:
- High performance
- Weak protection against reprogramming
- Support for various operating modes
- Ability to customize firmware
Although these controllers may have more advanced protection, many of their versions are still vulnerable to reprogramming through special utilities.
Reprogramming methods
Using manufacturer utilities
Many manufacturers provide utilities for updating controller firmware. These utilities can be used to install custom firmware:
- Phison Tool: A special utility for flashing Phison controllers
- Alcor MP Tool: Utility for working with Alcor controllers
- SMI Tool: Utility for Silicon Motion controllers
These utilities allow installing firmware that supports Bad USB functionality.
Direct update via USB
Some controllers allow updating firmware directly through the USB interface:
- Sending special commands via HID interface
- Using DFU (Device Firmware Update) modes
- Writing firmware through virtual COM port
Automation methods
To automate reprogramming processes, you can use:
- Python scripts: To automate connection and reprogramming
- Batch files: For Windows environment
- Shell scripts: For Linux/macOS
Requirements for modern flash drives for Bad USB
Support for long payload
Modern Bad USB devices require support for long command sequences:
- Minimum payload size: 1024+ bytes
- Support for multi-line commands
- Ability to execute complex scenarios
Modern controllers can process payloads up to 8-16 KB depending on the model.
Disk functionality
Ability to save auxiliary programs on the flash drive is necessary:
- Memory partitioning between firmware and data
- Support for file systems (FAT32, exFAT)
- Ability to hide partitions with firmware
Modern models for purchase
Recommended models for creating Bad USB devices:
Based on Phison:
- Transcend JetFlash 700 (PS2251-13)
- Kingston DataTraveler 100 G3 (PS2251-09)
- ADATA UV150 (PS2251-27)
Based on Alcor:
- Silicon Power P31 (AU6983)
- KingSpec KSD-IP6 (AU6989)
- Netac N560 (AU9280)
Based on Silicon Motion:
- Corsair Flash Voyager GTX (SM3281B)
- Samsung BAR Plus (SM3282B)
- SanDisk Extreme Go (SM328)
Practical implementation
Choosing a suitable flash drive
- Determine the controller model using ChipGenius or USBDeview utilities
- Check for firmware information for your model
- Ensure the controller supports HID mode
Reprogramming process
- Prepare a custom firmware with Bad USB support
- Use the appropriate utility for flashing
- Configure keyboard emulation parameters
- Test functionality
Example custom firmware
For Alcor controllers, you can use the following firmware structure:
// Example code for Bad USB on Alcor controller
#include <usbhid.h>
#include <keymaps.h>
void setup() {
// Initialize HID device
Keyboard.begin();
delay(1000);
}
void loop() {
// Sample payload
Keyboard.press(KEY_LEFT_GUI);
Keyboard.press('r');
Keyboard.releaseAll();
delay(500);
Keyboard.print("cmd");
Keyboard.press(KEY_RETURN);
Keyboard.releaseAll();
// Additional commands...
}
Security and ethical aspects
Risks of reprogramming
- Loss of device warranty
- Controller damage during incorrect flashing
- Possibility of device blocking
Ethical considerations
- Use only for your own devices
- Compliance with cybersecurity laws
- Informed consent when testing
Alternative solutions
Raspberry Pi Pico
If reprogramming a flash drive seems too complicated, you can use:
- Raspberry Pi Pico with MicroPython support
- Direct Bad USB support through built-in controller
- Support for long payloads and file system
Teensy 4.0
Another alternative option:
- High-performance microcontroller
- USB HID support
- Large memory capacity for payload
Conclusion
Modern USB flash drives based on Phison, Alcor, and Silicon Motion controllers are indeed vulnerable to reprogramming to create Bad USB devices. For project implementation, it is recommended to:
- Choose a flash drive with an Alcor AU6989 or Phison PS2251-13 controller
- Use specialized utilities for flashing
- Create custom firmware with a long payload
- Implement process automation through scripts
With the right approach, you can create a full-fledged Bad USB device based on a modern flash drive with support for long payloads and disk functionality for storing necessary programs.