Tiptoi pen as mass storage NAND flash drive

I plugged the Tiptoi pen into a free USB slot of my computer. It can then be used as a USB flash drive and you can put new game files and firmware update files on it.

The pen is used as mass storage device just as any other hard drive, CD, DVD or flash drive.

The pen under investigation is a Feature/Revision A4 (Date: 2010.3.26; PCB Revision: 1391A4). My version of the pen includes a Hynix HY27UF084G2B NAND Flash with a capacity of 512 MiB (512Mbit x 8). The package of the flash IC is a TSOP-48 with a pitch of 0.5 mm.

Listing my USB devices using lsbusb outputs:

Bus 002 Device 017: ID 2546:e301  
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass         0 
  bDeviceProtocol         6 
  bMaxPacketSize0        64
  idVendor           0x2546 
  idProduct          0xe301 
  bcdDevice            1.00
  iManufacturer           1 tiptoi
  iProduct                2 tiptoi
  iSerial                 3 USB 2.0
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           32
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0 
    bmAttributes         0xc0
      Self Powered
    MaxPower              400mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass         8 Mass Storage
      bInterfaceSubClass      6 SCSI
      bInterfaceProtocol     80 Bulk-Only
      iInterface              1 tiptoi
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x01  EP 1 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
Device Qualifier (for other device speed):
  bLength                10
  bDescriptorType         6
  bcdUSB               2.00
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass         0 
  bDeviceProtocol         6 
  bMaxPacketSize0        64
  bNumConfigurations      1
Device Status:     0x0006
  (Bus Powered)
  Remote Wakeup Enabled
  Test Mode

The USB Interface Class is defined as 8 (“Mass Storage”), the interface’s sub class is defined as 6 (“SCSI”), and the interface protocol is 80d = 0x50 (“Bulk-Only Transport”).

Running the dmesg command on my Linux machine outputs:

usb 2-1.2: new high-speed USB device number 12 using ehci-pci
usb 2-1.2: new high-speed USB device number 12 using ehci-pci
usb 2-1.2: new high-speed USB device number 13 using ehci-pci
usb 2-1.2: New USB device found, idVendor=2546, idProduct=e301
usb 2-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 2-1.2: Product: tiptoi
usb 2-1.2: Manufacturer: tiptoi
usb 2-1.2: SerialNumber: USB 2.0
usb-storage 2-1.2:1.0: USB Mass Storage device detected
scsi9 : usb-storage 2-1.2:1.0
scsi 9:0:0:0: Direct-Access     Tiptoi   ZC3201                PQ: 0 ANSI: 2
sd 9:0:0:0: Attached scsi generic sg2 type 0
sd 9:0:0:0: [sdb] 955904 512-byte logical blocks: (489 MB/466 MiB)
sd 9:0:0:0: [sdb] Write Protect is off
sd 9:0:0:0: [sdb] Mode Sense: 0b 00 00 08
sd 9:0:0:0: [sdb] No Caching mode page found
sd 9:0:0:0: [sdb] Assuming drive cache: write through
 sdb:
sd 9:0:0:0: [sdb] Attached SCSI removable disk
FAT-fs (sdb): Volume was not properly unmounted. Some data may be corrupt. Please run fsck.

As 466 MiB out of 512 MiB are used for the mass storage (from a logical block addressing point of view), there is some space left for the actual firmware of the pen.

The output of /proc/scsi is:

Attached devices:
[...]
Host: scsi9 Channel: 00 Id: 00 Lun: 00
  Vendor: Tiptoi   Model: ZC3201           Rev:     
  Type:   Direct-Access                    ANSI  SCSI revision: 02

Using sg_inq an SCSI INQUIRY command is issued and the response is output and decoded:

$ sudo sg_inq /dev/sdb 
standard INQUIRY:
  PQual=0  Device_type=0  RMB=1  version=0x02  [SCSI-2]
  [AERC=0]  [TrmTsk=0]  NormACA=0  HiSUP=0  Resp_data_format=2
  SCCS=0  ACC=0  TPGS=0  3PC=0  Protect=0  [BQue=0]
  EncServ=0  MultiP=0  [MChngr=0]  [ACKREQQ=0]  Addr16=0
  [RelAdr=0]  WBus16=0  Sync=0  Linked=0  [TranDis=0]  CmdQue=0
    length=36 (0x24)   Peripheral device type: disk
 Vendor identification: Tiptoi
 Product identification: ZC3201
 Product revision level:

And the output of /proc/scsi/usb-storage/9 is:

   Host scsi9: usb-storage
       Vendor: tiptoi
      Product: tiptoi
Serial Number: USB 2.0
     Protocol: Transparent SCSI
    Transport: Bulk
       Quirks:

The following command can be used to extract the first 512 Byte of memory, known as the Master Boot Record (MBR). The data is stored in a binary file.

sudo dd if=/dev/sdb of=mbr.bin bs=512 count=1

The binary data in file can then be analyzed without affecting the real memory. This can be accomplished using hexdump or any other hex editor:

hexdump -C mbr.bin
 00000000 eb 58 90 4d 53 57 49 4e 34 2e 31 00 02 04 20 00 |.X.MSWIN4.1... .|
 00000010 02 00 00 00 00 f8 00 00 3f 00 ff 00 2b 2d e2 04 |........?...+-..|
 00000020 f0 95 0e 00 44 07 00 00 00 00 00 00 02 00 00 00 |....D...........|
 00000030 01 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
 00000040 80 01 29 78 56 34 12 4e 4f 20 4e 41 4d 45 20 20 |..)xV4.NO NAME |
 00000050 20 20 46 41 54 33 32 20 20 20 33 c9 8e d1 bc f4 | FAT32 3.....|
 [...]
 00000170 4e 54 4c 44 52 20 20 20 20 20 20 00 00 00 00 00 |NTLDR .....|
 00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
 *
 000001a0 00 00 00 00 00 00 00 00 00 00 00 00 0d 0a 52 65 |..............Re|
 000001b0 6d 6f 76 65 20 64 69 73 6b 73 20 6f 72 20 6f 74 |move disks or ot|
 000001c0 68 65 72 20 6d 65 00 00 00 00 ff 0d 0a 44 69 73 |her me.......Dis|
 000001d0 6b 20 65 72 72 6f 72 ff 0d 0a 50 72 65 73 73 20 |k error...Press |
 000001e0 61 6e 79 20 6b 65 79 20 74 6f 20 72 65 73 74 61 |any key to resta|
 000001f0 72 74 0d 0a 00 00 00 00 00 ac cb d8 00 00 55 aa |rt............U.|
 00000200

Furthermore the file command can be used as a help to determine the file type and additional info. Unfortunately it is not of too much help here:

$ file mbr.bin
mbr.bin: x86 boot sector

The MBR does not contain a valid partition table (starts at 0x1BE and can be up to 64 Bytes). At least the end matches the magic number 0x55 0xAA. How is the file system found?

The Gnome partition editor gparted seems to get it right:

gparted
/dev/sdb shown as fat32 filesystem in gparted

The output can also be seen without the use of a graphical UI, simply using the partition manipulation program parted:

$ sudo parted /dev/sdb print
Model: Tiptoi ZC3201 (scsi)
Disk /dev/sdb: 489MB
Sector size (logical/physical): 512B/512B
Partition Table: loop

Number  Start  End    Size   File system  Flags
 1      0.00B  489MB  489MB  fat32

The file system is automatically mounted on my system, check the mount command:

$ mount
 [...]
 /dev/sdb on /media/maehw/tiptoi type vfat (rw,nosuid,nodev,uid=1000,gid=1000,shortname=mixed,dmask=0077,utf8=1,showexec,flush,uhelper=udisks2)

As a consequence of the details listed above the tiptoi pen’s firmware must include:

  • code to interface between the controller and the NAND flash device (low-level media controller)
  • code to support access to the VFAT filesystem (e.g. the game files)
  • code to interface between the controller and a computer via USB to allow access to the NAND flash in a standard way (USB mass storage protocol, logical block addressing, SCSI command interface)
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s