Original URL: http://www.bunniestudios.com/blog/?p=3554
On the dark side, code execution on the memory card enables a class of MITM (man-in-the-middle) attacks, where the card seems to be behaving one way, but in fact it does something else.
On the light side, it also enables the possibility for hardware enthusiasts to gain access to a very cheap and ubiquitous source of microcontrollers.
In order to explain the hack, itâ€™s necessary to understand the structure of an SD card. The information here applies to the whole family of â€œmanaged flashâ€ devices, including microSD, SD, MMC as well as the eMMC and iNAND devices typically soldered onto the mainboards of smartphones and used to store the OS and other private user data. We also note that similar classes of vulnerabilities exist in related devices, such as USB flash drives and SSDs.
In our talk at 30C3, we report our findings exploring a particular microcontroller brand, namely, Appotech and its AX211 and AX215 offerings. We discover a simple â€œknockâ€ sequence transmitted over manufacturer-reserved commands (namely, CMD63 followed by â€˜Aâ€™,'Pâ€™,'Pâ€™,'Oâ€™) that drop the controller into a firmware loading mode. At this point, the card will accept the next 512 bytes and run it as code.
From the DIY and hacker perspective, our findings indicate a potentially interesting source of cheap and powerful microcontrollers for use in simple projects. An Arduino, with its 8-bit 16 MHz microcontroller, will set you back around $20. A microSD card with several gigabytes of memory and a microcontroller with several times the performance could be purchased for a fraction of the price. While SD cards are admittedly I/O-limited, some clever hacking of the microcontroller in an SD card could make for a very economical and compact data logging solution for I2C or SPI-based sensors.
I'm not sure this is actually cool or a real problem.