Phison drive mode configuration

Phison PS2251-xx USB flash drive controller mode configuration

Overview

Phison-based flash drives have various modes that dictate how they operate:

  1. as a regular flash drive (mode 3)
  2. as a dual-volume flash drive (mode 7)
  3. as a single volume flash drive + cdrom (mode 21)

For more details, please look at the ( video | slides ) from my ShmooCon presentation.

Preparing for dumping the drive's current configuration

Assuming you're doing this under Linux, insert your flash drive and look at your kernel messages. You're looking for the 'scsi generic' device:

Jun 07 21:48:32 darkstar kernel: usb 2-1.4: new high-speed USB device number 28 using ehci-pci
Jun 07 21:48:32 darkstar kernel: usb 2-1.4: New USB device found, idVendor=13fe, idProduct=5500
Jun 07 21:48:32 darkstar kernel: usb 2-1.4: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Jun 07 21:48:32 darkstar kernel: usb 2-1.4: Product:                 
Jun 07 21:48:32 darkstar kernel: usb 2-1.4: Manufacturer:         
Jun 07 21:48:32 darkstar kernel: usb 2-1.4: SerialNumber: 070A8433D0485364
Jun 07 21:48:32 darkstar kernel: usb-storage 2-1.4:1.0: USB Mass Storage device detected
Jun 07 21:48:32 darkstar kernel: scsi host8: usb-storage 2-1.4:1.0
Jun 07 21:48:33 darkstar kernel: scsi 8:0:0:0: Direct-Access   PMAP PQ: 0 ANSI: 6
Jun 07 21:48:33 darkstar kernel: sd 8:0:0:0: Attached scsi generic sg5 type 0
Jun 07 21:48:33 darkstar kernel: sd 8:0:0:0: [sdd] 15482880 512-byte logical blocks: (7.93 GB/7.38 GiB)
Jun 07 21:48:33 darkstar kernel: sd 8:0:0:0: [sdd] Write Protect is off
Jun 07 21:48:33 darkstar kernel: sd 8:0:0:0: [sdd] Mode Sense: 23 00 00 00
Jun 07 21:48:33 darkstar kernel: sd 8:0:0:0: [sdd] No Caching mode page found
Jun 07 21:48:33 darkstar kernel: sd 8:0:0:0: [sdd] Assuming drive cache: write through
Jun 07 21:48:33 darkstar kernel:  sdd: sdd1
Jun 07 21:48:33 darkstar kernel: sd 8:0:0:0: [sdd] Attached SCSI removable disk

In this case, our scsi generic device is /dev/sg5.

Run sg_raw from sg3_utils to dump the configuration. You're going to need to be root to do this.

sg_raw -r 1k -v /dev/sg5 06 05 00 00 00 00 00 00 80 00 00 00

You should get something back similar to this:

[root@darksatr 8g]# sg_raw -r 1k -v /dev/sg5 06 05 00 00 00 00 00 00 80 00 00 00
    cdb to send: 06 05 00 00 00 00 00 00 80 00 00 00 
SCSI Status: Good 

Received 528 bytes of data:
 00     12 01 00 02 00 00 00 40  fe 13 00 55 00 01 01 02    .......@...U....
 10     03 01 04 03 09 04 00 00  00 00 00 00 00 00 00 00    ................
 20     00 00 00 00 00 00 00 00  00 00 00 00 12 03 20 20    ..............  
 30     20 20 20 20 20 20 00 00  00 00 00 00 00 00 00 00          ..........
 40     00 00 00 00 00 00 22 03  20 20 20 20 20 20 20 20    ......".        
 50     20 20 20 20 20 20 20 20  00 00 00 00 00 00 00 00            ........
 60     22 03 30 35 37 33 30 36  41 34 38 30 34 30 33 30    ".057306A4804030
 70     33 30 44 30 30 30 34 30  38 30 30 30 30 30 30 30    30D0004080000000
 80     30 30 30 30 30 30 30 30  30 30 30 30 30 30 30 30    0000000000000000
 90     30 30 30 30 05 06 10 11  0c 1d ff 01 20 20 20 20    0000........    
 a0     20 20 20 20 20 20 20 20  20 20 20 20 de 01 00 00                ....
 b0     20 20 20 20 20 20 20 20  50 4d 41 50 31 00 00 00            PMAP1...
 c0     0c ff ff ff 50 68 49 73  4f 6e 00 ff 01 06 07 ff    ....PhIsOn......
 d0     ff ff ff ff 00 00 00 00  00 00 00 00 00 00 00 00    ................
 e0     00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00    ................
 f0     00 00 00 00 00 22 ff ff  ff ff ff ff ff ff ff ff    ....."..........
 100    ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff    ................
 110    ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff    ................
 120    ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff    ................
 130    ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff    ................
 140    ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff    ................
 150    ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff    ................
 160    ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff    ................
 170    01 00 00 00 ff ff ff ff  ff ff 56 52 93 10 23 07    ..........VR..#.
 180    00 00 ff 20 07 69 03 ff  ff 49 53 50 96 2b ff ff    ... .i...ISP.+..
 190    ff ff ff ff ff ff ff ff  ff ff ff ff 00 ff ff ff    ................
 1a0    ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff    ................
 1b0    ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff    ................
 1c0    ff ff ca fe 01 22 67 01  00 00 ff ff ff ff ff ff    ....."g.........
 1d0    ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff    ................
 1e0    ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff    ................
 1f0    ff ff ff ff 54 ff ff ff  ff ff ff ff 00 00 00 00    ....T...........
 200    49 46 00 00 00 00 00 00  00 00 00 00 00 00 00 00    IF..............
No errors
[root@darksatr 8g]# 

If you don't see something on the screen like the above, either you picked the wrong scsi generic device, or your flash drive isn't based on a Phison USB flash drive controller.

BTW: 0x17E-0x17F (0x2307) is the Phison chip ID (this drive is a PS2307, aka PS2251-07).

You may want to save this off to a file in case you need to restore it later (not certain on how to do that just yet):

sg_raw -r 1k -v -o info.bin /dev/sg5 06 05 00 00 00 00 00 00 80 00 00 00
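A saved info.bin can be checked mechanically before going any further. The parser below is an added example, not part of the original gist: it reads the fields visible in the dump above (the USB device descriptor at offset 0, "PhIsOn" at 0x0C4, the chip ID at 0x17E-0x17F, "IF" at 0x200). Treating those three markers as the test for a Phison controller, and the "PS%04X" naming for other chip IDs, are assumptions drawn from this one dump; sample_info_page() builds a constructed input.

```python
import struct

# Offsets taken from the info-page dump shown above.
PHISON_SIG_OFFSET = 0x0C4    # ASCII "PhIsOn" in the dump
CHIP_ID_OFFSET = 0x17E       # 23 07 in the dump -> PS2307
TRAILER_OFFSET = 0x200       # ASCII "IF" (0x49 0x46)
INFO_PAGE_LEN = 528          # "Received 528 bytes of data"


def parse_info_page(data):
    """Extract the identifying fields from a saved info page (info.bin)."""
    if len(data) < INFO_PAGE_LEN:
        raise ValueError("expected %d bytes, got %d" % (INFO_PAGE_LEN, len(data)))
    # The page opens with a standard 18-byte USB device descriptor:
    # bLength=0x12, bDescriptorType=0x01, idVendor/idProduct little-endian at 8.
    has_descriptor = data[0] == 0x12 and data[1] == 0x01
    vid, pid = struct.unpack_from("<HH", data, 8)
    (chip_id,) = struct.unpack_from(">H", data, CHIP_ID_OFFSET)
    has_sig = data[PHISON_SIG_OFFSET:PHISON_SIG_OFFSET + 6] == b"PhIsOn"
    has_trailer = data[TRAILER_OFFSET:TRAILER_OFFSET + 2] == b"IF"
    return {
        "vid": vid,
        "pid": pid,
        "chip_id": chip_id,
        "controller": "PS%04X" % chip_id,   # assumed naming, from PS2307
        "looks_like_phison": has_descriptor and has_sig and has_trailer,
    }


def sample_info_page():
    """Constructed 528-byte page carrying only the bytes this parser reads."""
    page = bytearray(b"\xff" * INFO_PAGE_LEN)
    page[0:12] = bytes.fromhex("1201000200000040fe130055")
    page[PHISON_SIG_OFFSET:PHISON_SIG_OFFSET + 6] = b"PhIsOn"
    page[CHIP_ID_OFFSET:CHIP_ID_OFFSET + 2] = bytes.fromhex("2307")
    page[TRAILER_OFFSET:TRAILER_OFFSET + 2] = b"IF"
    return bytes(page)


if __name__ == "__main__":
    info = parse_info_page(sample_info_page())
    print("VID:PID %04x:%04x controller %s phison=%s" % (
        info["vid"], info["pid"], info["controller"], info["looks_like_phison"]))
```

The VID:PID it reports should match the idVendor and idProduct lines in the kernel log for the same device.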

If you do see the above, we can proceed! Look at offset 0x200 -- you see 0x4946. I don't really know what this configuration page is for (aside from what appears to be the serial number and some other settings), but the 0x49 and 0x46 are necessary for dumping the actual configuration of how the drive is configured. I mention 0x49 and 0x46 because those bytes are used in dumping the correct "page"(?) of the flash drive's configuration, but .. when I fuzzed 0x00-0xFF for the places 0x49 and 0x46 go in the following command, I only had a few (less than 5) that returned different data.

sg_raw -r 1k -v -o configuration.bin /dev/sg5 06 05 49 4e 46 4f 00 00 80 00 00 00

This should create configuration.bin, which will contain the binary seen in the hex dump above. To make it easy to modify and be sent back to the drive, I like to use xxd and xxd -r.

xxd configuration.bin > configuration.txt

Your configuration may be something similar to this:

00000000: 1201 0002 0000 0040 fe13 0055 0001 0102  .......@...U....
00000010: 0301 0403 0904 0000 0000 0000 0000 0000  ................
00000020: 0000 0000 0000 0000 0000 0000 1203 2020  ..............
00000030: 2020 2020 2020 0000 0000 0000 0000 0000        ..........
00000040: 0000 0000 0000 2203 2020 2020 2020 2020  ......".
00000050: 2020 2020 2020 2020 0000 0000 0000 0000          ........
00000060: 2203 3035 3733 3036 4134 3830 3430 3330  ".057306A4804030
00000070: 3330 4430 3030 3430 3830 3030 3030 3030  30D0004080000000
00000080: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000090: 3030 3030 0000 0000 0000 0000 2020 2020  0000........
000000a0: 2020 2020 2020 2020 2020 2020 0300 000a              ....
000000b0: 2020 2020 2020 2020 504d 4150 3100 0000          PMAP1...
000000c0: 0cff ffff 5068 4973 4f6e 0007 0000 0000  ....PhIsOn......
000000d0: 0000 0000 0000 0000 0000 000d 0b11 0503  ................
000000e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000f0: 0000 0000 0000 0000 0000 0000 003f 964b  .............?.K
00000100: 6432 0fd0 0000 0000 0000 0002 a0a0 0000  d2..............
00000110: 0000 0000 0000 0000 00d3 ee64 00a5 0000  ...........d....
00000120: ec00 0000 0000 0000 0000 0000 0000 00ff  ................
00000130: a0a0 0000 0000 0000 0000 0000 0000 0000  ................
00000140: 0000 0000 0000 0000 0000 c000 0005 110b  ................
00000150: 0104 2300 0000 0000 aa00 0000 0000 0000  ..#.............
00000160: 0000 0000 1124 906d 0000 0000 0000 0000  .....$.m........
00000170: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000180: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000190: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000200: 4946 0000 0000 0000 0000 0000 0000 0000  IF..............

  1. Go edit configuration.txt in your favorite text editor.
  2. Go to offset 0x0AC, and change 0x03 above to 0x07 (or vice versa) to flip between modes on the drive.
  3. Remove the line for offset 0x200 entirely, if it exists. We're only going to send 512 bytes to the drive.
  4. Modify offset 0x1FC through 0x1FF. This value (in modes other than mode 3) is the size of one of the volumes, in 512 byte sectors.
  5. Write the configuration back to the drive with the following command: xxd -r configuration.txt | sg_raw -v -s 512 /dev/sg5 06 06 01 00 00 00 00 00 00 00 00 00
  6. Remove the drive
  7. Re-insert the drive

Your drive should now be operating with a new configuration! Happy hacking!
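Steps 2 through 4 can also be applied to configuration.bin directly, with checks that catch a wrong file before anything is written to the drive. This is an added example, not code from the original gist. It assumes the split value is stored big-endian, as in the author's 0x1000000 example in the comments below, and it only accepts the three modes listed in the overview; sample_config() is a constructed dump.

```python
import struct

MODE_OFFSET = 0x0AC        # mode byte (step 2)
SPLIT_OFFSET = 0x1FC       # 4-byte volume size, 0x1FC through 0x1FF (step 4)
CONFIG_LEN = 512           # only 512 bytes go back to the drive (step 3)
KNOWN_MODES = (3, 7, 21)   # the modes listed in the overview


def split_sectors(volume_bytes, sector_size=512):
    """Volume size in bytes -> sector count for the split field."""
    if sector_size not in (512, 4096):
        raise ValueError("sector size must be 512 or 4096")
    if volume_bytes <= 0 or volume_bytes % sector_size:
        raise ValueError("volume size must be a positive multiple of the sector size")
    sectors = volume_bytes // sector_size
    if sectors > 0xFFFFFFFF:
        raise ValueError("sector count does not fit in four bytes")
    return sectors


def patch_config(dump, mode, volume_bytes=None, sector_size=512):
    """Return the 512-byte block to write back with mode and split point set."""
    if len(dump) < CONFIG_LEN:
        raise ValueError("dump is shorter than 512 bytes")
    if mode not in KNOWN_MODES:
        raise ValueError("mode must be 3, 7 or 21")
    if dump[MODE_OFFSET] not in KNOWN_MODES:
        # Catches feeding in the wrong page or a file from another device.
        raise ValueError("byte at 0x0AC is not a known mode")
    cfg = bytearray(dump[:CONFIG_LEN])   # drops the trailing 0x200 "IF" bytes
    cfg[MODE_OFFSET] = mode
    if mode != 3:
        if volume_bytes is None:
            raise ValueError("modes 7 and 21 need a volume size")
        # Big-endian: 0x1000000 sectors is stored as 01 00 00 00.
        struct.pack_into(">I", cfg, SPLIT_OFFSET,
                         split_sectors(volume_bytes, sector_size))
    return bytes(cfg)


def sample_config():
    """Constructed 528-byte dump: zeros, mode 3 at 0x0AC, "IF" at 0x200."""
    dump = bytearray(528)
    dump[MODE_OFFSET] = 3
    dump[0x200:0x202] = b"IF"
    return bytes(dump)
```

The bytes returned by patch_config() take the place of the output of xxd -r in step 5.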

@warewolf
Author

warewolf commented Jan 8, 2019

Mode 21 (0x15) stuffs:

Set your drive into mode 0x07, set your split based on your ISO9660 image size, and set the configuration (above xxd -r | sg_raw command). Unplug and reconnect your flash drive. dd over your ISO9660 image to the second LUN. Now that your ISO image has been dumped to the flash drive, reconfigure it to mode 21 (0x15). Unplug and reconnect your drive. You should now see two devices, an emulated cdrom, and a flash drive.

@sunbqto

sunbqto commented Dec 23, 2019

Is it possible to change "5511.755408] sd 4:0:0:0: [sdc] Write Protect is on" to "Write Protect is off" by this hacking, or must I download Phison drive (on Windows)? Sorry for my English.

@warewolf
Author

@sunbqto I don't know what turns on and off read-only mode on a Phison based USB flash drive, sorry. You should try Phison utilities under Windows from sites like usbdev.ru, flashboot.ru, and upan.cc

@Pippadi

Pippadi commented Nov 13, 2021

Thanks for this! I got some fantastic USB 3 drives that were configured to be read-only to be (mostly) writable.

@canstb

canstb commented Sep 19, 2022

Thanks a lot!
I was almost giving up on the SanDisk Ultra 3.0 64GB after fiddling with MPALL tools from Phison, trying many versions and firmwares. I needed two partitions on my USB flash drive: a first bootable FAT32 partition for Hiren, and a second NTFS partition for Ghost image storage. Then I found your quite straightforward instructions and finally got the two partitions I needed.
But one question:
"Modify offset 0x1FC through 0x1FF. This value (in modes other than mode 3) is the size of one of the volumes, in 512 byte sectors."
Can you make it a bit clearer how to calculate this volume size? I used the trial and error way and left the first partition at 8GB, but I would like to know exactly how to set these offsets.

@warewolf
Author

@canstb 8GB in bytes is 8589934592 (8*1024*1024*1024). So to turn that into a number of 512 byte sectors, divide 8589934592 by 512. That's 16777216. 16777216 in hex is 0x1000000.

So in the above example

000001f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................

becomes

000001f0: 0000 0000 0000 0000 0000 0000 0100 0000  ................

It's been years since I played with these drives, all I remember is this value is the split point, where the entire flash is divided into two regions. I don't remember if the split point is from the low or high side of the entire flash, so your 64G flash drive might have an 8g, or 56g first logical volume.

Also! Some flash drives use 4K sectors, so you might need to use 0x200000 rather than 0x1000000 for an 8g split point.
