90

I was reading about magical Chinese drives. How would this be done? The post talks about a 'looped mode' and comments suggest having a different controller to lie to the OS.

I went and bought one of these devices, tried it and it worked as advertized (overwriting data when it was full), although when I formatted it, it started showing its 'true' capacity.

How is this achieved?

wonea
  • 1,817
  • 1
  • 23
  • 42
Rohan Monga
  • 913
  • 1
  • 6
  • 13
  • 6
    [Interesting discussion about this on Hacker News](http://news.ycombinator.com/item?id=2418837) – Ivo Flipse Apr 13 '11 at 12:01
  • 14
    I think the question would be better titled "How is the capacity of flash memory faked" since it is actually about faking the amount of storage on a flash drive, not a magnetic hard disk. – Joseph Earl Apr 13 '11 at 12:12
  • I want one of those Chinese magic drives, but I am not flying to China to get one!, would make a great geek gag gift. – Moab Apr 13 '11 at 15:23
  • +1. I had never heard of this before seeing this question "rocket to the top of the charts" in the Hot Questions view. – jprete Apr 13 '11 at 23:05
  • heh.. thanks :) I wasn't expecting this kind of a response when i got curious about a 'harddisk' with 2 giant nut-bolts in the case – Rohan Monga Apr 14 '11 at 05:46

6 Answers6

58

FAT32 has a master table with free space. You can hexedit that master table to show any amount of free space. I've had a floppy disc sized 3.7 GB for ages now.

Peter Mortensen
  • 12,090
  • 23
  • 70
  • 90
Barfieldmv
  • 650
  • 5
  • 8
  • 4
    Yes, you can tamper with the FAT, but there are also ways to tinker with the micro-controller to lie to the OS. Windows will indeed repeatedly format the disk incorrectly identifying it as much larger than it actually is. Usually they have some sort of built-in algorithm to loop the flash chip in such a way that the OS actually is able to create a valid (looking) master-table. – TheCompWiz Apr 13 '11 at 17:53
  • as i start to poke around and mess with the master table and the controller, I expect more questions to follow this :) – Rohan Monga Apr 14 '11 at 06:05
  • 2
    Care to elaborate on where to find the master table or how to edit it? – Ivo Flipse Apr 19 '11 at 19:02
  • 2
    I'd love to see some documentation on this, I've tried replicating this with programming and have been unable to fool the OS into seing the size. see this thread here to see what I tried http://stackoverflow.com/questions/7482920/modifying-usb-drives-information – cromestant Sep 22 '11 at 08:13
  • I've had a magazine using Norton Commander and hexedit to change the reported partition size. Too bad I've lost the magazine. – Barfieldmv Sep 22 '11 at 13:24
19

The hardware is not modified - the file table is simply modified to fool the OS. During a format the file table gets wiped and thus the genuine capacity reading is restored.

You can get caught by these type of cheap fake flashdrive or even hard drives in China all the time if you go to a non-reputable seller.

Gaff
  • 18,569
  • 15
  • 57
  • 68
KoKo
  • 1,646
  • 2
  • 14
  • 24
  • 11
    Last year I bought a supposedly 64Gb memory stick from China on Ebay for £15. I should have known that capacity wouldn't be available for the price. In fact it was 4Gb with a fake leading "6" etched on the label. The way the file system was scrambled meant you wouldn't notice a problem until *more than* 4Gb was copied onto the device, at which point new files just started overwriting portions of existing ones. I was never able to reformat the thing so I could at least use it as a 4Gb stick. – FumbleFingers Apr 13 '11 at 13:33
  • 7
    @FumbleFingers, Yes, it is common for the sellers to screw up the chip info, so you can not format directly, but you have to do this: 1. use ChipGenius software+mass production tool to fix the chip info. 2. use a low level formatting tool to perform the actual format. Here's a guide: http://agnipulse.com/2010/04/how-i-fixed-a-fake-64gb-usb-drive/ – KoKo Apr 13 '11 at 13:43
  • Thanks! Maybe I can get a bit of value out of it after all (if I haven't already chucked it in the bin in frustration). – FumbleFingers Apr 13 '11 at 13:57
  • `The hardware is not modified` - sometimes the firmware is modified to lie, so even a reformat/partition table wipe won't reveal the truth. for example [This fake-capacity drive](https://www.aliexpress.com/item/1005004071924874.html?spm=a2g0o.order_list.0.0.21ef1802RbQFI8) comes with a lying firmware (where, after writing roughly 46GB, the data is written to GB #2 + , corrupting whatever was using GB #2 previously) – hanshenrik Jun 24 '22 at 11:47
6

Until I saw your message I was sure it was a different controller - using a modified controller, you can tell anything you like to the OS. But given that the format modifies this behaviour, it means that some kind of trickery took place in the file system level as well. This raises two options:

  • This is a modification of the controller that simply doesn't work after formatting because it depends on a file system modification (which still seems to me as more likely).

  • There is another way to do this without a hardware modification, e.g. by modifying a free blocks linked list to be circular (I am not familiar enough with the specifics of FAT32 to decide if this is possible - might check in a few days if no one else does first...).

EDIT: It is naive to assume FAT32 is being used, a much more likely scenario is that a different file system that inadvertently allows such circular free space management trickery is used (as long as that file system is also supported by the OS - it would be virtually invisible to the user). This makes looking at such a device much more interesting...

Ofir
  • 1,474
  • 1
  • 9
  • 15
  • 2
    It's a file system thing, I'm sure of it. These drives aren't modified physically. – crasic Apr 13 '11 at 05:44
  • 4
    i would however buy such smaller thing.. for testing purpose :) – Greenleader Apr 13 '11 at 05:49
  • 1
    If you're going to the effort of using a custom or modified controller then you lose the price savings of bulk buying cheap controllers. Thus it seems far more likely to me that it is purely done at the file system level - a raw write with dd is quick, cheap and easy compared to replacing/modifying hardware. – WheresAlice Apr 19 '11 at 13:02
6

Here is how you create a 1,000,000,000,000 bytes (1 TB) disk on key (using Linux):

  1. Create fake formatted 1 TB disk:

    mkdosfs -C  temp_file 1000000000

  2. Check that it really happened

    ls -lh temp_file

  3. Connect your DoK and check how it was mounted:

    mount

  4. Find the device name, something like /dev/sdb1 (If you make a mistake here, you might ruin some other disk connected to the system, so be careful !)

  5. Unmount it:

    sudo umount /dev/sdb1

  6. Find out the size of our FAT table:

    ls -s temp_file

(The first number is the size in kilobytes)

  1. Copy over to DoK

    echo "head -c [size_from_above]K temp_file > /dev/sdb1" | sudo sh

  2. Freak out your friend!You can mount it locally for playing around like this:

    mkdir test
sudo mount temp_file test -o loop
Giacomo1968
  • 53,069
  • 19
  • 162
  • 212
Boris
  • 161
  • 3
5

Quite simple,

The flash chip controller contains some settings. Product ID, Vendor ID, and number & size of flashchips.

By taking an older device with a small chip, overwriting the firmware with an wrong number of flash chips, the total drive capacity will be larger than de number of installed flash.

Because the amount of adress lines has not changed, the chip will always be written to. For example, first 128 MB will be written, then the next chip is selected, then another 128 will be written.

Because there is only one chip, the select line is not connected and the second flashchip data overwrites the first chips data.

Because the controller reports the size of all the chips, including the not connected ones to the OS, the OS will happily format it the wrong size.

Peter Mortensen
  • 12,090
  • 23
  • 70
  • 90
Progger
  • 51
  • 1
  • 3
    The problem here is that if it is done this way in hardware newer data would also overwrite the FAT32 file allocation table and root directory near the beginning of the drive, thus making the drive unusable until it is reformatted. The fact that this doesn't happen suggests that it is a filesystem hack that makes it work. – Mokubai Apr 14 '11 at 07:44
  • yup, ingenious as it is, this would get caught very quickly. – Rohan Monga Apr 14 '11 at 07:46
2

Two methods exist to do this:

  1. Partition :exist several tools for modify and create a partition manually. For example, it is possible to select more cylinders that the real available. Is trivial to do that. Ex. partition magic and i think even fdisk can do that

  2. Device Firmware :The other method is to modify the firmware of the device. Most devices (but not all), have their information (Plug&Play and other information) contained in the firmware.

For example, an usual trick is to use a firmware of a hard disk of more capacity in a device of less capacity and to "increase" the space.

studiohack
  • 13,468
  • 19
  • 88
  • 118
magallanes
  • 551
  • 5
  • 6