The piece of hardware being reverse engineered is the Sony Memory Stick. A few of its use cases include Aibo robot dogs, MagicGate DRM and GPS devices. The whole purpose of this project was simply to preserve and understand history. For reverse engineering, there are 10 pins on the stick, with pinouts available at pinouts.ru.
To start the reverse engineering, the author analyzed an old Sony CLIE PDA. From looking at the wiring, he knew this was the simple 1-bit transfer mode. To make his life easier, PalmOS 4 binaries were built with almost all function names still intact, and 68k is an easy architecture to reverse engineer. The author also examined the interface with a logic analyzer to arrive at the results below.
To signal readiness, a 0xAA or 0x55 pattern is sent on the line. When a given phase is over, the last bit of the phase is toggled to indicate that it is done. The 1-bit mode has three wires: BS for the bus state, CLK for the host to send the card a clock signal, and SDIO for bidirectional data. In 4-bit mode, the single data line becomes four: SDI0, SDI1, SDI2 and SDI3. Data lines are pulled down, the clock idles low, and data is set on the rising clock edge.
When sending a transaction (TPC), the TPC is made up of 8 bits: the last 4 bits are the inverse of the first 4, which lets the receiver detect errors. The top-most bit holds the operation: read or write. The data is always followed by a 16-bit CRC with an initial value of 0 and a polynomial of 0x8005. The flow of information is as follows and is similar between host to card and card to host:
- BS line goes high.
- A bit with no meaning is sent to wait for everything to sync up properly.
- 4 bits of a TPC are sent, followed by the same 4 bits inverted. The final bit is inverted as the BS line goes low, indicating a phase change into the data phase.
- Receive the data. The length is pre-configured.
- The CRC is sent. The least significant bit of the CRC is flipped and the BS line goes high in order to indicate a phase change.
- Send the data over the SDIO line and a clock over the CLK line.
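As an added example (not code from the original article or any Sony material), here is a byte-level model of the transaction framing described above: the TPC byte with its inverted check nibble, the CRC-16 with polynomial 0x8005 and initial value 0, and the card-side checks that reject a corrupted frame. The MSB-first bit ordering of the CRC, the TPC code values used in the demo and the placement of the read/write flag in the 4-bit code are assumptions; the bus-level signalling on the BS line is not modelled.

```python
# Added example, not the article's code. Models one Memory Stick transaction
# at the byte level: [TPC byte][payload of pre-configured length][CRC-16].
# Assumptions: CRC is MSB-first with no final XOR; TPC codes are hypothetical.

CRC_POLY = 0x8005   # polynomial stated in the text
CRC_INIT = 0x0000   # initial value stated in the text
TPC_WRITE_FLAG = 0x8  # top bit of the 4-bit code marks a write (assumed encoding)


def crc16(data: bytes, crc: int = CRC_INIT) -> int:
    """Bitwise CRC-16, MSB-first (bit order is an assumption), poly 0x8005."""
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ CRC_POLY) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def encode_tpc(code: int) -> int:
    """4-bit code in the high nibble, its bitwise inverse in the low nibble."""
    if not 0 <= code <= 0xF:
        raise ValueError("TPC code must fit in 4 bits")
    return (code << 4) | ((~code) & 0xF)


def decode_tpc(byte: int) -> int:
    """Recover the 4-bit code; reject a byte whose nibbles are not inverses."""
    hi, lo = byte >> 4, byte & 0xF
    if lo != (~hi) & 0xF:
        raise ValueError(f"TPC nibble check failed: 0x{byte:02x}")
    return hi


def is_write(code: int) -> bool:
    return bool(code & TPC_WRITE_FLAG)


def build_transaction(code: int, payload: bytes) -> bytes:
    """Host side: TPC byte, then the data, then the CRC over the data."""
    return bytes([encode_tpc(code)]) + payload + crc16(payload).to_bytes(2, "big")


def parse_transaction(frame: bytes, payload_len: int):
    """Card side: the payload length is pre-configured, so the frame length,
    the TPC nibbles and the trailing CRC are all checked before accepting it."""
    if len(frame) != 1 + payload_len + 2:
        raise ValueError("frame length does not match configured payload length")
    code = decode_tpc(frame[0])
    payload = frame[1:1 + payload_len]
    sent_crc = int.from_bytes(frame[1 + payload_len:], "big")
    if crc16(payload) != sent_crc:
        raise ValueError("CRC mismatch")
    return code, payload


def check_frame(frame: bytes, payload_len: int) -> str:
    """Classify a received frame: 'ok', 'bad tpc', 'bad crc' or 'bad length'."""
    try:
        parse_transaction(frame, payload_len)
        return "ok"
    except ValueError as exc:
        msg = str(exc)
        if "TPC" in msg:
            return "bad tpc"
        if "CRC" in msg:
            return "bad crc"
        return "bad length"


if __name__ == "__main__":
    # Constructed sample: hypothetical write code 0x9 carrying three bytes.
    frame = build_transaction(0x9, b"\x00\x01\x02")
    print(frame.hex(), check_frame(frame, 3))
    damaged = bytearray(frame)
    damaged[2] ^= 0x01            # flip one payload bit
    print(check_frame(bytes(damaged), 3))
```

The two nibble check catches corruption of the command byte before any data phase starts, while the CRC covers the data itself; a single flipped bit anywhere in the payload is always caught by a 16-bit CRC.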
There are several registers for configuring modes, accessible memory and other things. From reverse engineering the binaries, the author figured out what all of these registers mean, including the type of stick being accessed and the INT register that reports errors. The commands and registers are completely different between the PRO and the original version.
The commands for the memory stick are raw NAND flash commands with a few extra steps. The NAND must handle flipped bits using error correcting codes (ECC) and handle blocks that are no longer good with wear leveling. To allow blocks to go bad, 3.125% of the device's raw capacity is hidden for remapping worn blocks.
When a Memory Stick is inserted, it must be mounted. The per-device management data is stored in the Boot Block and the Backup Boot Block, which are written at the factory. Both are marked as special in the out-of-band (OOB) area and in the block itself. The information in these structures covers memory mapping, sizes and many other things. To mount (after verifying everything), a physical-to-logical mapping is built so that the OOB can be read properly, along with the block faults and everything else.
To read from a logical sector, divide the sector number by the number of pages per block: the quotient is the logical block number and the remainder is the page within that block. Using the table that converts logical blocks to physical blocks, we find the physical block number, and then read that page of the physical block. The write is fairly similar; neither path relocates blocks when an error occurs.
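As an added example (not the article's or Sony's code), the following toy model walks through the mount and lookup just described: it scans a constructed OOB marker on each physical block to build the logical-to-physical table, skips a block marked bad, and then services logical sector reads and writes through the divide-and-lookup rule. The geometry, the OOB layout and the bad-block marker are constructed for illustration and do not reproduce the real on-card format.

```python
# Added example, not code from the article or from Sony: a toy model of
# mounting a Memory Stick and servicing logical sector reads/writes through
# the logical-to-physical block table. Geometry, the OOB layout and the
# bad-block marker (None) are constructed, not the real format.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PAGES_PER_BLOCK = 4   # constructed geometry
PAGE_SIZE = 8         # constructed page size in bytes


@dataclass
class PhysBlock:
    # OOB content: which logical block this physical block currently holds,
    # or None when the block has been marked bad (worn out).
    logical: Optional[int]
    pages: List[bytes] = field(
        default_factory=lambda: [bytes(PAGE_SIZE)] * PAGES_PER_BLOCK)


@dataclass
class MountedStick:
    blocks: List[PhysBlock]
    l2p: Dict[int, int]   # logical block number -> physical block index


def mount(blocks: List[PhysBlock]) -> MountedStick:
    """Scan every physical block's OOB and build the logical->physical table.
    Bad blocks are skipped; a logical number claimed twice is a corrupt map."""
    l2p: Dict[int, int] = {}
    for phys, blk in enumerate(blocks):
        if blk.logical is None:
            continue
        if blk.logical in l2p:
            raise ValueError(f"logical block {blk.logical} mapped twice")
        l2p[blk.logical] = phys
    return MountedStick(blocks, l2p)


def translate(stick: MountedStick, sector: int):
    """Logical sector -> (physical block, page): divide by pages per block;
    the quotient is the logical block, the remainder the page inside it."""
    lblock, page = divmod(sector, PAGES_PER_BLOCK)
    if lblock not in stick.l2p:
        raise ValueError(f"logical block {lblock} has no physical block")
    return stick.l2p[lblock], page


def read_sector(stick: MountedStick, sector: int) -> bytes:
    phys, page = translate(stick, sector)
    return stick.blocks[phys].pages[page]


def write_sector(stick: MountedStick, sector: int, data: bytes) -> None:
    # Mirrors the text: the write lands on the same physical page and no
    # block relocation is attempted.
    if len(data) != PAGE_SIZE:
        raise ValueError("sector data must be exactly one page")
    phys, page = translate(stick, sector)
    stick.blocks[phys].pages[page] = data


def demo_stick() -> MountedStick:
    """Constructed sample: physical block 1 is bad, so logical blocks 0..2
    live in physical blocks 0, 2 and 3."""
    blocks = [
        PhysBlock(logical=0),
        PhysBlock(logical=None),   # marked bad in OOB
        PhysBlock(logical=1),
        PhysBlock(logical=2),
    ]
    blocks[2].pages[1] = b"LBLK1PG1"   # 8 bytes, reachable as logical sector 5
    return mount(blocks)


if __name__ == "__main__":
    stick = demo_stick()
    print(stick.l2p)                 # {0: 0, 1: 2, 2: 3}
    print(translate(stick, 5), read_sector(stick, 5))
```

Logical sector 5 divides into logical block 1, page 1; the table built at mount time sends that to physical block 2, so the bad physical block 1 is never touched by a logical address.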
The author also wanted to look at the MSIO (misc I/O) on the memory sticks. To find the functions associated with this, he wrote a value to each register category; if the data could be read back, it is a valid handler. A neat trick to figure out how things work! Every device that used this interface did it in a completely different way, making the reverse engineering even more fun to deal with.
The PRO had an entirely different set of commands and registers. The author claims it is easier to deal with, since saner choices were made for it. An interesting article (as always from this guy) on reverse engineering complicated things!