Cypress EZ-USB FX2 firmware downloading

Hi,

I have a Cypress EZ-USB FX2 USB mass storage device. AFAIK firmware is only allowed to be downloaded to either the external EEPROM or internal RAM when the device either

1) Does not have an EEPROM, or 2) Has an empty EEPROM without any existing firmware

When this happens, the host PC will load the Cypress generic driver (Cypress FX2 - No EEPROM (0x8613)) rather than the default USB Mass Storage driver.

However, I have heard a claim that it is possible to load firmware into the RAM using some Cypress SDK, overwriting the existing firmware, while the device is running in USB MSC mode. This is obviously a security risk since it allows hackers to overwrite the firmware and do possibly malicious things with the device. Is this possible?

Reply to
galapogos

I think so, IMHO. But never tried and never seen the mass storage firmware.

But, according to the Technical reference manual "EZ-USB® Technical Reference Manual, Document # 001-13670", at page 61, you can read, at the paragraph "3.8 EZ-USB Vendor Request for Firmware Load":

"Note These upload and download requests are always handled by the EZ-USB, regardless of the state of the RENUM bit. The upload start address must be word-aligned (i.e. the start address must be evenly divisible by two)".

So, I suppose that even if your firmware sets the RENUM bit to 1, meaning that it wants to handle vendor commands by itself, you can still replace your running firmware with something else at your pleasure.

I think this was to avoid the "brick" effect when you download a non-functioning firmware... but I agree this could be a problem, from a "security" point of view.

Surely, talking about security when your code resides on an external serial EEPROM that you can read and change with a $10 gizmo is nonsense in any case.

Reply to
Antonio Pasini

Not only is it possible, it is unpreventable, and there are several web sites dedicated to the fun things one can do re-loading EZ-USB based devices.

Reply to
LittleAlex

Thanks. Can you provide some links to some of these web sites?

Reply to
galapogos

Reply to
LittleAlex

Thanks. I tried modifying the Cypress driver and was able to successfully re-flash the device by updating the USB MSC driver with the modified Cypress driver, hence making it visible to the Cypress control panel software. It works. I've also tried fxload on Linux and it seems to work too (VID/PID/manufacturer string changed when I used lsusb to view). So it does seem like it's possible.

Now onto the "unpreventable" part. Is there really no way at all to stop this from happening?

Reply to
galapogos
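Since the posts above establish that a re-loaded FX2 shows up in lsusb with a different VID/PID (the blank-EEPROM identity 0x8613 being the tell-tale one), a host-side check can at least detect it. The following is an added example, not code from this thread or from Cypress: it diffs two lsusb snapshots and flags devices that vanished, devices that appeared, and any device enumerating as an unprogrammed FX2. The 0x04B4 vendor ID is Cypress's; the 1234:5678 mass-storage device in the sample is a constructed placeholder.

```python
import re
from collections import Counter
from typing import List, Tuple

# Identity an EZ-USB FX2 presents with no (or a blank) EEPROM: 0x8613 is the
# product ID named in the thread; 0x04B4 is Cypress's USB vendor ID.
UNPROGRAMMED_FX2 = ("04b4", "8613")

LSUSB_RE = re.compile(
    r"^Bus \d{3} Device \d{3}: ID (?P<vid>[0-9a-f]{4}):(?P<pid>[0-9a-f]{4})\s*(?P<desc>.*)$"
)

def parse_lsusb(text: str) -> Counter:
    """Count (vid, pid, description) triples in `lsusb` output; bus/device
    numbers are ignored because they change on every re-enumeration."""
    seen: Counter = Counter()
    for line in text.splitlines():
        m = LSUSB_RE.match(line.strip())
        if m:
            seen[(m["vid"], m["pid"], m["desc"].strip())] += 1
    return seen

def find_anomalies(baseline: str, current: str) -> List[str]:
    """Report devices that vanished, appeared, or enumerate as a blank FX2."""
    before, after = parse_lsusb(baseline), parse_lsusb(current)
    findings: List[str] = []
    for vid, pid, desc in sorted(before - after):   # present before, gone now
        findings.append(f"missing: {vid}:{pid} {desc}")
    for vid, pid, desc in sorted(after - before):   # new since the baseline
        findings.append(f"new: {vid}:{pid} {desc}")
    for vid, pid, desc in sorted(after):            # blank-EEPROM FX2 identity
        if (vid, pid) == UNPROGRAMMED_FX2:
            findings.append(f"unprogrammed FX2 present: {vid}:{pid} {desc}")
    return findings

# Constructed sample snapshots (1234:5678 is a placeholder, not a real product).
BASELINE = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 003: ID 1234:5678 Example Corp Mass Storage
"""
CURRENT = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID 04b4:8613 Cypress Semiconductor Corp. CY7C68013 EZ-USB FX2
"""

if __name__ == "__main__":
    for finding in find_anomalies(BASELINE, CURRENT):
        print(finding)
```

In practice the baseline would be captured once from a known-good machine and the comparison run on each hotplug event or at boot.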

Get a part with mask-programmed ROM instead of one that depends on external or even internal flash.

That still might be exploitable, but only during a single power-on session.

To do anything lasting to something like that would seem to require ion-beam surgery or comparable.

Reply to
cs_posting
