1

I have read the source code of phison (about BadUSB, a Python file), but I cannot understand what commands the program sends to the SCSI device. After reading about SCSI commands, I still cannot find an opcode beginning with "06h" (there exists a similar opcode, which is SET DEVICE ID): https://www.seagate.com/staticfiles/support/disc/manuals/scsi/100293068a.pdf The above is the list of SCSI commands I found. Below are the read and write commands:

```
def get_info(self):
        '''
        Performs a SCSI call to read version info from the device.
        Returns bool.

        The object's following attributes are set:
            data, version, run_mode, chip_type, date, f1f2
        '''
        self.data = self.SCSI_device.read('\x06\x05\x00\x00\x00\x00\x00\x00\x01',528)

        if not self.data or self.data[0x17A:0x17C]!='VR':
            return False

        self.version = struct.unpack('BBB', self.data[0x94:0x97])
        self.f1f2 = struct.unpack('BB', self.data[0x9A:0x9C])
        self.date = struct.unpack('BBB', self.data[0x97:0x9A])

        if self.data[0xA0:0xA8]==' PRAM   ':
            self.run_mode = 'BROM'  # BootROM
        elif self.data[0xA0:0xA8]==' FW BURN':
            self.run_mode = 'BN'        # firmware burner
        elif self.data[0xA0:0xA8]==' HV TEST':
            self.run_mode = 'HV'        # hardware verify
        else:
            self.run_mode = 'FW'        # firmware

        self.chip_type = struct.unpack('>H', self.data[0x17E:0x180])[0]

        data = self.SCSI_device.read('\x06\x56\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00',512)[0:6].encode('hex').upper()
        self.chip_id = '-'.join(data[i:i+2] for i in range(len(data))[::2])

        return True

def run_firmware(self, firmware):
        '''
        Loads firmware onto device.  Returns bool.
        '''
        # rebooting
        self.brom()
        sleep(2)

        # sending firmware
        self.load_file(firmware,'\x01','\x00')
        ret = self.SCSI_device.read('\x06\xEE\x01\x00\x00\x00\x00\x00\x00', 72)
        sleep(2)
        self.load_file(firmware,'\x03','\x02')
        self.SCSI_device.read('\x06\xEE\x01\x01\x00\x00\x00\x00\x00', 72)
        self.SCSI_device.read('\x06\xEE\x00\x00\x00\x00\x00\x00\x00', 72)
        self.SCSI_device.read('\x06\xEE\x00\x01\x00\x00\x00\x00\x00', 72)

        # executing
        self.brom()
        sleep(2)
        return True

def pram(self):
        '''
        Called to run a burner or firmware.  Returns int result.
        '''
        return self.SCSI_device.write('\x06\xB3\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00', '')

def brom(self):
        '''
        Sets device into boot mode from firmware mode.   Returns int result.
        '''
        return self.SCSI_device.write('\x06\xBF\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00', '')
```
sfjac
Schweik7
  • 1
    I don't know anything about SCSI, but, from looking at the code [here](https://github.com/brandonlw/Psychson/blob/4522989aac27aada5f522675b33a2bde63a13b30/DriveCom/DriveCom/PhisonDevice.cs), most of the `SendCommand` usages have the first value set to `0x06`. Seems like it's probably a preamble of some form. – John Jones Nov 03 '17 at 00:20
  • 1
    Also, it seems like these are commands for the Phison chip that are being written with SCSI commands. – John Jones Nov 03 '17 at 00:25

2 Answers

1

According to this it is vendor-specific.

Paul Cornelius
0

As Paul points out, it's a vendor-specific opcode. That means that it's not part of any SCSI standard. Vendors can do whatever they want with 0x06.

This page details how those SCSI CDBs work for BootROM:

https://bitbucket.org/flowswitch/phison/wiki/ScsiCommands

Mike Andrews
  • Who is the author of that code and how can I contact him? I'm curious where he got all that information from and whether he has a datasheet for the PS2251-03-Q controller, because I can't find any on the Web. – SasQ Dec 03 '19 at 08:29
  • OK, never mind, found the dude on [EEVblog forums](https://www.eevblog.com/forum/microcontrollers/bunnie-studio-on-hacking-microsd-cards/msg359094/#msg359094) ;) – SasQ Dec 03 '19 at 08:48
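
Added example, not part of the original posts or of the phison project: because the 0x06 commands are vendor-specific and travel inside ordinary USB mass-storage Command Block Wrappers (CBWs), captured host-to-device traffic can be checked for them. The sketch below parses 31-byte CBWs and labels 0x06 CDBs by the second-byte values visible in the question's code; the function names and sample packets are constructed for illustration, and the labels assume a Phison controller.

```python
import struct

VENDOR_OPCODE = 0x06  # vendor-specific opcode used by the CDBs in the question

# Second CDB byte -> role, taken from the methods quoted in the question.
PHISON_SUBCOMMANDS = {
    0x05: "get_info: read version info",
    0x56: "get_info: read chip id",
    0xEE: "run_firmware: read issued after load_file",
    0xB3: "pram: run a burner or firmware",
    0xBF: "brom: switch to boot mode",
}

def parse_cbw(raw):
    """Return (tag, transfer_len, data_in, cdb), or None if raw is not a CBW."""
    if len(raw) != 31 or raw[:4] != b"USBC":  # fixed size and signature
        return None
    tag, xfer_len, flags, _lun, cdb_len = struct.unpack_from("<IIBBB", raw, 4)
    if not 1 <= cdb_len <= 16:
        return None
    return tag, xfer_len, bool(flags & 0x80), raw[15:15 + cdb_len]

def classify(raw):
    """Describe one CBW; flags CDBs whose first byte is the vendor opcode."""
    parsed = parse_cbw(raw)
    if parsed is None:
        return None
    tag, xfer_len, data_in, cdb = parsed
    vendor = cdb[0] == VENDOR_OPCODE
    label = None
    if vendor and len(cdb) > 1:
        label = PHISON_SUBCOMMANDS.get(cdb[1], "unknown vendor sub-command")
    return {"tag": tag, "length": xfer_len, "data_in": data_in,
            "vendor_specific": vendor, "label": label, "cdb": cdb.hex()}

def build_cbw(tag, xfer_len, data_in, cdb):
    """Build a sample CBW for the demo below (constructed, not captured)."""
    head = struct.pack("<IIBBB", tag, xfer_len, 0x80 if data_in else 0, 0, len(cdb))
    return b"USBC" + head + cdb.ljust(16, b"\x00")

# Constructed samples: a standard READ(10), then two CDBs from the question.
SAMPLES = [
    build_cbw(1, 512, True, bytes.fromhex("28000000000000000100")),
    build_cbw(2, 528, True, b"\x06\x05\x00\x00\x00\x00\x00\x00\x01"),
    build_cbw(3, 0, False, b"\x06\xBF" + b"\x00" * 14),
]

if __name__ == "__main__":
    print(*map(classify, SAMPLES), sep="\n")
```

On a workstation that should only ever see standard block reads and writes, any CBW reported with `vendor_specific` set is worth a closer look, whatever its label.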