92

I was reading about magical Chinese drives. How would this be done? The post talks about a 'looped mode' and comments suggest having a different controller to lie to the OS.

I went and bought one of these devices, tried it and it worked as advertised (overwriting data when it was full), although when I formatted it, it started showing its 'true' capacity.

How is this achieved?

wonea
  • 1,877

7 Answers

59

FAT32 has a master table with free space. You can hexedit that master table to show any amount of free space. I've had a floppy disc sized 3.7 GB for ages now.

19

The hardware is not modified - the file table is simply modified to fool the OS. During a format the file table gets wiped and thus the genuine capacity reading is restored.

You can get caught by these types of cheap fake flash drives, or even hard drives, in China all the time if you go to a non-reputable seller.

Gareth
  • 19,080
KoKo
  • 1,714
7

Until I saw your message I was sure it was a different controller - using a modified controller, you can tell anything you like to the OS. But given that the format modifies this behaviour, it means that some kind of trickery took place in the file system level as well. This raises two options:

  • This is a modification of the controller that simply doesn't work after formatting because it depends on a file system modification (which still seems more likely to me).

  • There is another way to do this without a hardware modification, e.g. by modifying a free blocks linked list to be circular (I am not familiar enough with the specifics of FAT32 to decide if this is possible - might check in a few days if no one else does first...).

EDIT: It is naive to assume FAT32 is being used, a much more likely scenario is that a different file system that inadvertently allows such circular free space management trickery is used (as long as that file system is also supported by the OS - it would be virtually invisible to the user). This makes looking at such a device much more interesting...

Ofir
  • 1,504
7

Here is how you create a 1,000,000,000,000-byte (1 TB) disk on key (using Linux):

  1. Create a fake formatted 1 TB disk:

    mkdosfs -C temp_file 1000000000

  2. Check that it really happened:

    ls -lh temp_file

  3. Connect your DoK and check how it was mounted:

    mount

  4. Find the device name, something like /dev/sdb1 (if you make a mistake here, you might ruin some other disk connected to the system, so be careful!)

  5. Unmount it:

    sudo umount /dev/sdb1

  6. Find out the size of our FAT table:

    ls -s temp_file

(The first number is the size in kilobytes.)

  7. Copy over to DoK:

    echo "head -c [size_from_above]K temp_file > /dev/sdb1" | sudo sh

  8. Freak out your friend! You can mount it locally for playing around like this:

    mkdir test
    sudo mount temp_file test -o loop

Giacomo1968
  • 58,727
Boris
  • 179
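The file-table trick described in the answers above (hex-editing the FAT master table, or copying a FAT made for a 1 TB image onto a small stick) works because the FAT boot sector carries its own total-sector count, which the OS trusts. The following is an added example, not code from any answer in this thread: it builds a minimal FAT32 boot sector inline with `struct` (a constructed fixture, not a real `mkdosfs` image), parses the BPB fields that state the capacity, and compares the claimed byte count against the size of the device or image the volume sits on. The helper names (`build_fat32_boot_sector`, `parse_fat_boot_sector`, `capacity_mismatch`, `check_device`) are this example's own.

```python
"""Check whether a FAT volume's boot sector claims more sectors than the
device behind it actually has.

Added example, not code from the Super User thread. The boot sector it
inspects is constructed inline (a minimal FAT32 BPB), so nothing here
touches a real drive unless you call check_device() on a device path yourself.
"""
import struct

SECTOR = 512


def build_fat32_boot_sector(total_sectors, bytes_per_sector=512,
                            sectors_per_cluster=8, reserved=32, num_fats=2,
                            fat_size_sectors=1024):
    """Construct a minimal FAT32 boot sector that advertises `total_sectors`.

    Only the BPB fields a capacity check needs are filled in; this is a
    constructed test fixture, not a full mkdosfs-compatible image.
    """
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x58\x90"           # jump instruction
    bs[3:11] = b"MSWIN4.1"               # OEM name
    # Common BPB (offset 11): BytsPerSec, SecPerClus, RsvdSecCnt, NumFATs,
    # RootEntCnt, TotSec16, Media, FATSz16, SecPerTrk, NumHeads, HiddSec, TotSec32
    struct.pack_into("<HBHBHHBHHHII", bs, 11,
                     bytes_per_sector, sectors_per_cluster, reserved, num_fats,
                     0, 0, 0xF8, 0, 63, 255, 0, total_sectors)
    # FAT32 extension (offset 36): FATSz32, ExtFlags, FSVer, RootClus, FSInfo, BkBootSec
    struct.pack_into("<IHHIHH", bs, 36, fat_size_sectors, 0, 0, 2, 1, 6)
    bs[510:512] = b"\x55\xAA"            # boot sector signature
    return bytes(bs)


def parse_fat_boot_sector(bs):
    """Return the BPB fields relevant to capacity from a 512-byte boot sector."""
    if len(bs) < SECTOR or bs[510:512] != b"\x55\xAA":
        raise ValueError("not a FAT boot sector (bad signature)")
    (bytes_per_sector, sectors_per_cluster, reserved, num_fats, _root_ents,
     tot_sec16, _media, fat_sz16, _spt, _heads, _hidden,
     tot_sec32) = struct.unpack_from("<HBHBHHBHHHII", bs, 11)
    fat_sz32 = struct.unpack_from("<I", bs, 36)[0]
    total_sectors = tot_sec16 or tot_sec32   # TotSec16 is 0 on FAT32 volumes
    fat_size = fat_sz16 or fat_sz32
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "total_sectors": total_sectors,
        # Reserved area plus every FAT copy: the metadata region that the
        # 'head -c ... > /dev/sdb1' step in the answer above copies over.
        "metadata_sectors": reserved + num_fats * fat_size,
    }


def capacity_mismatch(bs, device_size_bytes):
    """Compare what the file system claims with what the device can hold.

    Returns (claimed_bytes, device_size_bytes, suspicious); suspicious is
    True when the BPB advertises more bytes than the device provides.
    """
    info = parse_fat_boot_sector(bs)
    claimed = info["total_sectors"] * info["bytes_per_sector"]
    return claimed, device_size_bytes, claimed > device_size_bytes


def check_device(path):
    """Run the same comparison on a real partition device or image file.

    Reads only the first sector and assumes the volume starts at offset 0 of
    `path` (a partition such as /dev/sdb1, or a loop image).
    """
    with open(path, "rb") as f:
        bs = f.read(SECTOR)
        f.seek(0, 2)
        size = f.tell()
    return capacity_mismatch(bs, size)


if __name__ == "__main__":
    # Constructed scenario: a BPB claiming the 1,000,000,000,000 bytes from
    # the answer above, sitting on a 16 GB device.
    fake = build_fat32_boot_sector(1_000_000_000_000 // SECTOR)
    print(capacity_mismatch(fake, 16_000_000_000))  # (1000000000000, 16000000000, True)
```

The check catches exactly the case this answer produces: the BPB on the stick was written for a 1 TB image, so `total_sectors * bytes_per_sector` exceeds the partition size. It says nothing about the firmware-level fakes discussed in later answers, where the device itself reports the inflated size, so a clean BPB result alone does not prove a drive is genuine.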
5

Quite simple.

The flash chip controller contains some settings: Product ID, Vendor ID, and number & size of flash chips.

By taking an older device with a small chip and overwriting the firmware with a wrong number of flash chips, the total drive capacity will be larger than the amount of installed flash.

Because the number of address lines has not changed, the chip will always be written to. For example, the first 128 MB will be written, then the next chip is selected, then another 128 MB will be written.

Because there is only one chip, the select line is not connected and the second flash chip's data overwrites the first chip's data.

Because the controller reports the size of all the chips, including the unconnected ones, to the OS, the OS will happily format it at the wrong size.

Progger
  • 51
2

Two methods exist to do this:

  1. Partition: several tools exist to modify and create a partition manually. For example, it is possible to select more cylinders than are really available. It is trivial to do that, e.g. Partition Magic, and I think even fdisk can do that.

  2. Device firmware: the other method is to modify the firmware of the device. Most devices (but not all) have their information (Plug & Play and other information) contained in the firmware.

For example, a usual trick is to use the firmware of a hard disk of greater capacity in a device of smaller capacity and to "increase" the space.

studiohack
  • 13,477
1

The most common method is firmware 'hacking'. I deal with these cards and flash drives all the time and I have never seen this simplistic file-system-level hack. There are two things the 'hacker' needs to accomplish:

  1. Device has to report a fake capacity.
  2. Device has to suppress errors when data is written to non existing NAND.

Hardware does not have to be changed. The reason we can do this is that all LBA addresses are 'virtual' anyway; we can map any LBA address to any physical address (PBA) we want at the firmware level. And probably all the 'hacker' would need is a piece of software the manufacturer himself uses to configure the firmware.

The most common M.O. for a fake flash drive is to simply drop writes after the actual capacity. So let's assume a 256 GB fake drive with only 8 GB of NAND installed; then up to 8 GB all's well, and it is in this area that the file system stores most of its metadata. Assuming some variant of FAT:

    Boot sector | File Allocation Table(s) | Root | DATA

The ROOT and subfolders created at this time can be created without issues.

    ROOT
          - SOME FOLDER
          - SOME FOLDER
                        - FILE1
                        - FILE2
                        - FILE3
                        - FILE4

    DATA

    02 8A 00 28 A0 02 8A 00 28 A0 02 (FILE1)
    8A 00 28 A0 02 8A 00 28 A0 02 8A 00 28 A0 02 8A 00 28 A0 02 8A 00 (FILE2)
    28 A0 02 8A 00 28 A0 02 8A 00 28 A0 02 8A 00 28 A0 02 8A 00 28 A0 (FILE3)
    02 8A 00 28 A0 02 8A 00 28 A0 02
    -------------------------------- end real NAND
    00 00 00 00 00 00 00 00 00 00 00 (FILE4) 00 00 00 00 00 00 00 00 00 00 00

As we save data 'real' NAND will gradually fill until we start writing to LBA sectors the firmware can not map to existing NAND. Usually this would get you an error but this is where the modified firmware starts fooling us.

Not only will it allow us to write to non-existing NAND, it even allows us to read. And it's often at this point that the user discovers something is wrong, as he'll find such files to be corrupt.

While all meta data for FILE4 can be created as the directory structure and FAT are in real NAND memory, the file data will never actually be written anywhere.

We now immediately see why sometimes people catch the issue early when, for example, using a full NTFS format on their USB flash drive, as this will try writing and verifying a backup boot sector towards the end and thus in non-existing NAND.

Since the 'hack' is at the firmware level, we can often undo it using so called mass-production tools (MPTools) that are normally used by the manufacturer to configure the firmware.

ChipGenius (the tool on the right) is used to determine the controller. With that we can find an MPTool to modify our firmware and restore the drive to its real capacity:

[image: screenshot of ChipGenius and the MPTool, not reproduced]

BTW, one should wonder if it's wise to restore any such device to its real capacity; IMO it's wiser to dispose of it.
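The two firmware behaviours described in this thread, writes silently dropped past the real NAND (this answer) and later data wrapping around onto earlier data (the 'looped mode' in the question and the unconnected chip-select line in Progger's answer), are both caught by the same write/verify test that tools like h2testw and f3 perform. The following is an added example, not code from any answer here and not any vendor's firmware: `FakeFlash` is a toy model of the LBA-to-PBA mapping such firmware implements, and `probe_capacity` writes a salted, LBA-keyed pattern to every advertised block, reads it all back, and reports how many blocks really kept their data and which failure mode was seen. All names in it are this example's own.

```python
"""Model of a fake-capacity flash drive and a write/verify capacity probe.

Added example, not code from the Super User thread. FakeFlash stands in for
the controller firmware the answers describe; probe_capacity is the same
idea as h2testw / f3: write a unique, unguessable pattern to every LBA,
read everything back, and count the blocks that actually kept their data.
"""
import hashlib
import os

BLOCK = 512  # bytes per LBA sector


class FakeFlash:
    """Drive that advertises `advertised_blocks` LBAs over `real_blocks` of NAND.

    mode="drop": writes past the real NAND are silently discarded and reads
                 of those LBAs return zeros (this answer's description).
    mode="wrap": LBAs past the real NAND alias onto LBA mod real_blocks, so
                 later writes overwrite earlier data (the 'looped' behaviour
                 from the question and the unconnected chip-select answer).
    """

    def __init__(self, real_blocks, advertised_blocks, mode="drop"):
        if mode not in ("drop", "wrap"):
            raise ValueError("mode must be 'drop' or 'wrap'")
        self.real = real_blocks
        self.advertised = advertised_blocks
        self.mode = mode
        self.nand = bytearray(real_blocks * BLOCK)

    def _pba(self, lba):
        """Firmware LBA -> physical block mapping; None means 'no NAND here'."""
        if not 0 <= lba < self.advertised:
            raise IOError("LBA outside advertised capacity")
        if lba < self.real:
            return lba
        return lba % self.real if self.mode == "wrap" else None

    def write(self, lba, data):
        assert len(data) == BLOCK
        pba = self._pba(lba)
        if pba is None:
            return                       # dropped, yet reported as success
        self.nand[pba * BLOCK:(pba + 1) * BLOCK] = data

    def read(self, lba):
        pba = self._pba(lba)
        if pba is None:
            return bytes(BLOCK)          # nothing was ever stored
        return bytes(self.nand[pba * BLOCK:(pba + 1) * BLOCK])


def pattern(lba, salt):
    """Block content keyed by LBA and a per-run salt, so firmware cannot
    satisfy the read-back with a fixed or predictable value."""
    digest = hashlib.sha256(salt + lba.to_bytes(8, "little")).digest()
    return (digest * (BLOCK // len(digest)))[:BLOCK]


def probe_capacity(dev, advertised_blocks, salt=None):
    """Destructive write/verify test over the whole advertised range.

    Returns (surviving_blocks, verdict): surviving_blocks is the number of
    LBAs that still hold their own pattern (the real capacity in blocks);
    verdict is "ok", "drop", "wrap" or "mixed".
    """
    salt = salt or os.urandom(16)
    # Index every pattern by its first 32 bytes so an aliased block can be
    # recognised as 'some other LBA's data' without inverting the hash.
    by_digest = {pattern(l, salt)[:32]: l for l in range(advertised_blocks)}
    for lba in range(advertised_blocks):
        dev.write(lba, pattern(lba, salt))
    surviving = zeroed = aliased = 0
    for lba in range(advertised_blocks):
        got = dev.read(lba)
        if got == pattern(lba, salt):
            surviving += 1
        elif got == bytes(BLOCK):
            zeroed += 1                  # write was dropped, read returns zeros
        elif got[:32] in by_digest:
            aliased += 1                 # holds a higher LBA's data: wrap-around
    if surviving == advertised_blocks:
        verdict = "ok"
    elif zeroed and not aliased:
        verdict = "drop"
    elif aliased and not zeroed:
        verdict = "wrap"
    else:
        verdict = "mixed"
    return surviving, verdict


if __name__ == "__main__":
    # Constructed scenario: 8 real blocks advertised as 20.
    for mode in ("drop", "wrap"):
        print(mode, probe_capacity(FakeFlash(8, 20, mode), 20))
```

On a real stick the same probe works by replacing `FakeFlash` with an object whose `read`/`write` use `os.pread`/`os.pwrite` on the whole-device node; `surviving * BLOCK` is then the usable capacity, which matches what the FAT diagram above shows (metadata in real NAND survives, FILE4's data does not). The test writes every advertised block, so it destroys whatever is on the drive and, on a fake, takes as long as the advertised capacity implies, which is why these tools are run on a new drive before trusting it with data.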