How is the capacity of a harddisk faked?

90

15

I was reading about magical Chinese drives. How would this be done? The post talks about a 'looped mode' and comments suggest having a different controller to lie to the OS.

I went and bought one of these devices, tried it and it worked as advertised (overwriting data when it was full), although when I formatted it, it started showing its 'true' capacity.

How is this achieved?

Rohan Monga

Posted 2011-04-13T05:23:52.680

Reputation: 913

6

Interesting discussion about this on Hacker News – Ivo Flipse – 2011-04-13T12:01:40.647

14

I think the question would be better titled "How is the capacity of flash memory faked" since it is actually about faking the amount of storage on a flash drive, not a magnetic hard disk. – Joseph Earl – 2011-04-13T12:12:24.630

I want one of those Chinese magic drives, but I am not flying to China to get one! Would make a great geek gag gift. – Moab – 2011-04-13T15:23:57.443

+1. I had never heard of this before seeing this question "rocket to the top of the charts" in the Hot Questions view. – jprete – 2011-04-13T23:05:37.410

heh.. thanks :) I wasn't expecting this kind of a response when I got curious about a 'harddisk' with 2 giant nut-bolts in the case – Rohan Monga – 2011-04-14T05:46:50.690

Answers

59

FAT32 has a master table with free space. You can hexedit that master table to show any amount of free space. I've had a floppy disc sized 3.7 GB for ages now.

Barfieldmv

Posted 2011-04-13T05:23:52.680

Reputation: 660

4

Yes, you can tamper with the FAT, but there are also ways to tinker with the micro-controller to lie to the OS. Windows will indeed repeatedly format the disk incorrectly identifying it as much larger than it actually is. Usually they have some sort of built-in algorithm to loop the flash chip in such a way that the OS actually is able to create a valid (looking) master-table. – TheCompWiz – 2011-04-13T17:53:08.850

As I start to poke around and mess with the master table and the controller, I expect more questions to follow this :) – Rohan Monga – 2011-04-14T06:05:00.603

2

Care to elaborate on where to find the master table or how to edit it? – Ivo Flipse – 2011-04-19T19:02:09.547

2

I'd love to see some documentation on this. I've tried replicating this with programming and have been unable to fool the OS into seeing the size. See this thread here to see what I tried: http://stackoverflow.com/questions/7482920/modifying-usb-drives-information

– cromestant – 2011-09-22T08:13:26.130

I've had a magazine using Norton Commander and hexedit to change the reported partition size. Too bad I've lost the magazine. – Barfieldmv – 2011-09-22T13:24:23.357

19

The hardware is not modified - the file table is simply modified to fool the OS. During a format the file table gets wiped and thus the genuine capacity reading is restored.

You can get caught by these types of cheap fake flash drives or even hard drives in China all the time if you go to a non-reputable seller.

KoKo

Posted 2011-04-13T05:23:52.680

Reputation: 1 498

11

Last year I bought a supposedly 64Gb memory stick from China on Ebay for £15. I should have known that capacity wouldn't be available for the price. In fact it was 4Gb with a fake leading "6" etched on the label. The way the file system was scrambled meant you wouldn't notice a problem until more than 4Gb was copied onto the device, at which point new files just started overwriting portions of existing ones. I was never able to reformat the thing so I could at least use it as a 4Gb stick. – FumbleFingers – 2011-04-13T13:33:19.707

7

@FumbleFingers, Yes, it is common for the sellers to screw up the chip info, so you can not format directly, but you have to do this: 1. use ChipGenius software+mass production tool to fix the chip info. 2. use a low level formatting tool to perform the actual format. Here's a guide: http://agnipulse.com/2010/04/how-i-fixed-a-fake-64gb-usb-drive/

– KoKo – 2011-04-13T13:43:21.677

Thanks! Maybe I can get a bit of value out of it after all (if I haven't already chucked it in the bin in frustration). – FumbleFingers – 2011-04-13T13:57:15.733

6

Until I saw your message I was sure it was a different controller - using a modified controller, you can tell anything you like to the OS. But given that the format modifies this behaviour, it means that some kind of trickery took place at the file system level as well. This raises two options:

  • This is a modification of the controller that simply doesn't work after formatting because it depends on a file system modification (which still seems to me as more likely).

  • There is another way to do this without a hardware modification, e.g. by modifying a free blocks linked list to be circular (I am not familiar enough with the specifics of FAT32 to decide if this is possible - might check in a few days if no one else does first...).

EDIT: It is naive to assume FAT32 is being used, a much more likely scenario is that a different file system that inadvertently allows such circular free space management trickery is used (as long as that file system is also supported by the OS - it would be virtually invisible to the user). This makes looking at such a device much more interesting...

Ofir

Posted 2011-04-13T05:23:52.680

Reputation: 1 434

2

It's a file system thing, I'm sure of it. These drives aren't modified physically. – crasic – 2011-04-13T05:44:44.090

4

I would however buy such a smaller thing... for testing purposes :) – Greenleader – 2011-04-13T05:49:15.390

1

If you're going to the effort of using a custom or modified controller then you lose the price savings of bulk buying cheap controllers. Thus it seems far more likely to me that it is purely done at the file system level - a raw write with dd is quick, cheap and easy compared to replacing/modifying hardware. – WheresAlice – 2011-04-19T13:02:39.200

6

Here is how you create a 1,000,000,000,000 bytes (1 TB) disk on key (using Linux):

  1. Create fake formatted 1 TB disk:

    mkdosfs -C  temp_file 1000000000
    
  2. Check that it really happened

    ls -lh temp_file
    
  3. Connect your DoK and check how it was mounted:

    mount
    
  4. Find the device name, something like /dev/sdb1 (If you make a mistake here, you might ruin some other disk connected to the system, so be careful !)

  5. Unmount it:

    sudo umount /dev/sdb1
    
  6. Find out the size of our FAT table:

    ls -s temp_file
    

(The first number is the size in kilobytes)

  7. Copy over to DoK:

    echo "head -c [size_from_above]K temp_file > /dev/sdb1" | sudo sh
    
  8. Freak out your friend!

You can mount it locally for playing around like this:

    mkdir test
    sudo mount temp_file test -o loop
    

Boris

Posted 2011-04-13T05:23:52.680

Reputation: 161
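A defender's check for the filesystem-level trick in this answer, added here and not part of the original post: read the size fields from the FAT boot sector and compare them with the real size of the device. The helper names and the sample boot sector are constructed for illustration.

```python
import struct

SECTOR = 512

def parse_fat_bpb(boot):
    """Read the size fields from a FAT boot sector (BIOS Parameter Block)."""
    if len(boot) < SECTOR or boot[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature")
    bytes_per_sector, = struct.unpack_from("<H", boot, 11)
    total16, = struct.unpack_from("<H", boot, 19)
    total32, = struct.unpack_from("<I", boot, 32)
    if bytes_per_sector not in (512, 1024, 2048, 4096):
        raise ValueError("implausible bytes-per-sector field")
    # The 16-bit count is zero on volumes too large for it; then the 32-bit one applies.
    return bytes_per_sector, (total16 or total32)

def claimed_bytes(boot):
    bytes_per_sector, total_sectors = parse_fat_bpb(boot)
    return bytes_per_sector * total_sectors

def overclaim(boot, device_bytes):
    """Bytes the filesystem claims past the end of the device (0 if it fits)."""
    return max(0, claimed_bytes(boot) - device_bytes)

def device_size(path):
    """Real size of a block device or image file: seek to the end."""
    with open(path, "rb") as f:
        return f.seek(0, 2)

def make_boot_sector(bytes_per_sector, total_sectors):
    """Constructed sample sector; only the fields read above are filled in."""
    boot = bytearray(SECTOR)
    struct.pack_into("<H", boot, 11, bytes_per_sector)
    if total_sectors < 0x10000:
        struct.pack_into("<H", boot, 19, total_sectors)
    else:
        struct.pack_into("<I", boot, 32, total_sectors)
    boot[510:512] = b"\x55\xaa"
    return bytes(boot)

if __name__ == "__main__":
    # Constructed case: a 1000000000 KiB filesystem header on a 4 GB stick.
    boot = make_boot_sector(512, 2_000_000_000)
    stick = 4_000_000_000
    print("filesystem claims", claimed_bytes(boot), "bytes")
    print("device holds     ", stick, "bytes")
    print("overclaim        ", overclaim(boot, stick), "bytes")
```

On a real system the boot sector would be the first 512 bytes of the partition and the device size would come from `device_size` on the same path. The comparison only helps when the device itself reports its true size.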

5

Quite simple,

The flash chip controller contains some settings. Product ID, Vendor ID, and number & size of flashchips.

By taking an older device with a small chip, overwriting the firmware with a wrong number of flash chips, the total drive capacity will be larger than the number of installed flash.

Because the amount of address lines has not changed, the chip will always be written to. For example, first 128 MB will be written, then the next chip is selected, then another 128 will be written.

Because there is only one chip, the select line is not connected and the second flashchip data overwrites the first chip's data.

Because the controller reports the size of all the chips, including the not connected ones to the OS, the OS will happily format it the wrong size.

Progger

Posted 2011-04-13T05:23:52.680

Reputation: 51

3

The problem here is that if it is done this way in hardware newer data would also overwrite the FAT32 file allocation table and root directory near the beginning of the drive, thus making the drive unusable until it is reformatted. The fact that this doesn't happen suggests that it is a filesystem hack that makes it work. – Mokubai – 2011-04-14T07:44:50.957

yup, ingenious as it is, this would get caught very quickly. – Rohan Monga – 2011-04-14T07:46:06.080
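The address wrap-around described in this answer can be detected by writing a block pattern that encodes its own address and reading everything back. The following is an added example, not part of the original posts; `LoopedDevice` is a constructed in-memory model of such a drive, and all names and sizes are assumptions.

```python
BLOCK = 512

class LoopedDevice:
    """Constructed model: the controller reports claimed_blocks, but every
    address wraps onto real_blocks of actual flash."""
    def __init__(self, real_blocks, claimed_blocks):
        self.claimed_blocks = claimed_blocks
        self._real = real_blocks
        self._flash = [bytes(BLOCK)] * real_blocks

    def write_block(self, lba, data):
        self._flash[lba % self._real] = data

    def read_block(self, lba):
        return self._flash[lba % self._real]

def pattern(lba):
    """Block content that carries its own address, so aliasing is visible."""
    tag = lba.to_bytes(8, "little")
    return tag * (BLOCK // len(tag))

def verify_capacity(dev):
    """Fill every claimed block, then read all of them back.
    Returns (good_blocks, aliases); aliases maps each bad address to the
    address whose data came back instead."""
    for lba in range(dev.claimed_blocks):
        dev.write_block(lba, pattern(lba))
    good, aliases = 0, {}
    for lba in range(dev.claimed_blocks):
        data = dev.read_block(lba)
        if data == pattern(lba):
            good += 1
        else:
            aliases[lba] = int.from_bytes(data[:8], "little")
    return good, aliases

if __name__ == "__main__":
    # Constructed sizes: 8 real blocks behind a controller claiming 32.
    good, aliases = verify_capacity(LoopedDevice(real_blocks=8, claimed_blocks=32))
    print("blocks that read back correctly:", good)
    print("block 0 now returns the data written to block", aliases[0])
```

Only the most recently written blocks survive, so the count of good blocks equals the real capacity. Run against real media, a test of this kind destroys everything on the drive; f3 and H2testw apply the same write-then-verify idea.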

1

Two methods exist to do this:

  1. Partition: Several tools exist to modify and create a partition manually. For example, it is possible to select more cylinders than are really available. It is trivial to do that. E.g. Partition Magic, and I think even fdisk can do that.

  2. Device firmware: The other method is to modify the firmware of the device. Most devices (but not all) have their information (Plug&Play and other information) contained in the firmware.

For example, a usual trick is to use the firmware of a hard disk of more capacity in a device of less capacity to "increase" the space.

magallanes

Posted 2011-04-13T05:23:52.680

Reputation: 461