Some success with writeCID

legno75:
Can you explain how to? Please?

As I mentioned in my post, I did a lot of experiments and reverse engineering on manufacturers' firmware.
It's not just sending CMD26 in SPI mode. You need to knock the SD or MicroSD card into firmware mode. Once done, they do accept CMD26 and permanently accept new CID values.

Hi DavidLE,
glad to read that you succeeded!
Please, could you tell exactly with which cards you were able to do that successfully?
You wrote 2 major manufacturers out of 4, but what exactly?
Were they MMC or SD? (I guess SD and uSD)
What model exactly?
An interesting thing would be if you could provide original CID and CSD of the cards that you have been able to change, is it possible?
Knowing it would be possible to understand their manufacturer date and other useful parameters.
I know I asked for a lot of information and I hope you will answer.
(Even if I'm pretty sure that your statements are based on something like this old document here

http://tinyurl.com/lncst9c

so actually your answer has to be interpreted academically rather than as a possible solution to the problem, since in real life things are far from being as you have described them.
Hence there will be no reply.)
Anyway, you wrote that each controller needs different methods, I guess you mean working on different cards produced by different manufacturer's brands.
Once you can reach the target with a certain type of card produced by a specific manufacturer, then surely you can repeat the job on other cards of the same model, brand and manufacturer.
You wrote that it is possible but very time consuming to do the job, since you will need to come up with different ways for different controllers, and also that creating something (Universal) that will work with every controller is almost impossible.
I partially agree.
I don't know what you mean by the different ways for different controllers you wrote about, but in my opinion, with the right cards it isn't too hard to achieve the goal.
I'm pretty sure I'd be able to do the job but unluckily I can't find the right SD/MMC.
So please, explain exactly with what kind of cards you were able to do the job possibly specifying their manufacturer, brand, type CSD and original CID (in order to know their manufacturer date).
Thanks in advance.

You also wrote that it's not just sending CMD26 in SPI mode and that it's necessary to knock the SD or MicroSD card into firmware mode, then once done, they do accept CMD26 and permanently accept new CID values.
That would not be a problem always working on the same type of cards.
Anyway I think it isn't so complex, the real trick is to have the right cards, IMHO

AR

Somebody has news about change of CID?
I found that CMD60 on SiliconMotion controllers transfers SD to the mode when the card doesn't respond to CMD26 to Error.

Hi Alexel,
sadly no new news for now.
Anyway, what do you mean by writing that you have found that CMD60 on SiliconMotion controllers transfers SD to the mode when the card doesn't respond to CMD26 to Error?
Thanks.

AR

Seems like you guys are on right path :slight_smile:
I can share limited info thru PM

Thanks

Hi DavidLE,
thank you for your kind support.
Honestly though, I can't see why for you it's not possible to provide information here while instead it is possible through PM.
Anyway meanwhile, if you want, you could start by answering the questions that I have asked about the manufacturer, model, original CID and CSD of the cards you've modified successfully, or at least confirm or deny that your statements are based on something like this old document here:

http://tinyurl.com/lncst9c

Thanks in advance!

AR

Hi guys, just wondering if any progress has been made on this... It looks like we have a lot of information to work with, but unfortunately, don't know which cards to target :frowning:

Alexel:
Somebody has news about change of CID?
I found that CMD60 on SiliconMotion controllers transfers SD to the mode when the card doesn't respond to CMD26 to Error.

Can you please elaborate on what argument did you use for the first command? Also, what brand of SDHC cards use this controller?

Thanks.

Hi yyzyyz,

yyzyyz:
Hi guys, just wondering if any progress has been made on this... It looks like we have a lot of information to work with, but unfortunately, don't know which cards to target :frowning:

That would be telling.
It's a secret!
Ok, I'm just kidding, I apologize.
I agree, you are right.
Actually nothing else is needed than to know which are the right cards, because only those make the difference in doing the trick.
Meanwhile I have purchased some cards from China, we'll see if those are the right ones or not.

yyzyyz:
Can you please elaborate on what argument did you use for the first command? Also, what brand of SDHC cards use this controller?

Not just talking about SiliconMotion controllers: not only CMD60 has that behaviour, others have it too.
Some cards have it, some don't.
In my opinion it isn't much a matter of controller type but rather of the kind of card.
Alexel didn't respond to my request for clarification, though.
So honestly I don't know exactly what he meant, sorry.

However for any doubt you can try with a PM, maybe you'll get the solution.

AR

I think it totally depends on the controller and the firmware running on it and as DavidLE has also mentioned, it's unique to each controller type. So what works on an SMI controller might not work on a Micron controller, for example. Although Alexel provided a good lead on the Silicon Motion controllers, he did not care to mention which card he was testing with. Similarly, DavidLE hasn't mentioned which brand of cards and specific controllers did he succeed with. I've sent them both a PM for more details but they haven't responded yet. Unfortunately, there's no easy way (that I know of) to determine which cards employ which controller by just interacting with the card firmware. I hope you have better luck with the Chinese cards; please do let us know how it goes.

Hi yyzyyz,

yyzyyz:
I think it totally depends on the controller and the firmware running on it and as DavidLE has also mentioned, it's unique to each controller type. So what works on an SMI controller might not work on a Micron controller, for example.

I don't think so.
Surely the controller does its part, but it acts based on what it is programmed for.
OK, the firmware is unique among the controllers so it isn't simple to put it on different ones, but even talking about a single type of card it's possible to find some able to do things that others with the same controller are programmed differently for, so they don't work the same way.
In my experience I handled some cards which had the same controller for sure, having ripped them open to look inside, but they didn't behave in the same manner at all.
You need to keep in mind that cards, even with the same controller, can be purposely programmed differently for specific purposes.
The controller may be unique, the firmware inside it not.
There are too many different types and kind of cards.

yyzyyz:
Although Alexel provided a good lead on the Silicon Motion controllers, he did not care to mention which card he was testing with. Similarly, DavidLE hasn't mentioned which brand of cards and specific controllers did he succeed with. I've sent them both a PM for more details but they haven't responded yet.

For me, based on what I just wrote above, the content of CID and CSD and possibly a few other registers, is sufficient to identify the right cards.
I saw many cards, even industrial versions, which were the same type and model with the same brand and from the same manufacturer, but the parts inside were different although the cards were fully interchangeable.
Anyone can easily verify this themselves simply by buying a small number of cards and querying or even ripping them.
This is why I don't trust only the controller.
DavidLE's and Alexel's approach is good, exactly like that in the document I provided.
Anyway my purposes may be different from those of others and this could influence the kind of approach.
For instance, I don't need to find a way to be in a position to change the CID in all cards over the whole world.
For my purpose it's enough to find even one single piece where I can do the job.
No matter even the type of card, whether MMC or SD or fake or counterfeit or unreliable at keeping data, or so, it isn't important for me.
That is.
However I hope that David and Alexel sooner or later reply to you.

yyzyyz:
Unfortunately, there's no easy way (that I know of) to determine which cards employ which controller by just interacting with the card firmware. I hope you have better luck with the Chinese cards; please do let us know how it goes.

In the past I've contacted some manufacturers asking for that kind of card and they answered that they can provide them for sure.
The fact is that they always ask for a bunch of cards to be purchased, and they never provide exact specifications or the content of CID and CSD, nor the opportunity to evaluate their products simply by purchasing a few pieces.
I'm talking about Chinese manufacturers/dealers/retailers.
Please note that I am not blaming or accusing anyone; simply, that is their way of running the business and customers must accept it.
I think that people who live in Asia have an advantage in this type of search.

AR

Alexel:
I found that CMD60 on SiliconMotion controllers transfers SD to the mode when the card doesn't respond to CMD26 to Error.

Hi Alexel,
ok, that's valid for Siliconmotion but exactly what type?
As I have already written, there are a bunch of Siliconmotion controllers.
For instance, here is the SM261A's behavior.

Siliconmotion SM261A (card=MMC, MDT=July 2004 / MultiMediaCard Protocol Version=6.00):

CMD60 = card is locked [R2]
CMD61 = illegal command [R1]
CMD62 = illegal command [R1]
CMD63 = illegal command [R1]

So it isn't only a matter of the brand of the controller.
Here follows the behavior of two other types of controllers.

ITE IT-1232A-53E (card=SD, MDT=April 2015 / Physical Layer Specification Version Number=2.00):

CMD60 = illegal command [R1]
CMD61 = illegal command [R1]
CMD62 = illegal command [R1]
CMD63 = illegal command [R1]

Unknown controller (card=SD, MDT=September 2013 / Physical Layer Specification Version Number=3.0X):

CMD60 = accepted [R2]
CMD61 = accepted [R1]
CMD62 = illegal command [R1]
CMD63 = illegal command [R1]

AR

I am going to be honest.

I broke my leg badly in a motorbike accident back in August 2015 and I am still recovering from the fracture.

There is a device called Exogen Bone Healing System, made by Bioventis.

This device is an ultrasound device that emits ultrasound waves into the bones, making the recovery considerably faster.

One problem, though: this thing costs 5 thousand US Dollars. It's beyond my financial possibilities. And it's getting even more distant as I haven't worked since August 2015 and I have literally no income at the moment.

This Exogen system has a mainboard with a Microchip PIC16C926. There's also a 32kx8 EEPROM and a diagnostic jack socket. According to my reading out there, the micro doesn't have non-volatile storage.

This device works 150 times, then it stops working. I have purchased a second hand device on eBay, which was a rip off as the seller sent it without an SD card, which apparently holds some information that allows the device to work. I have managed to get a second device for free with Bioventis, which came with the SD card and is working but I still have the second hand one, which doesn't work. The story with Bioventis was a nightmare and I had to threaten them a lot (legally speaking) in order to get a replacement. They said they were going to send me just the SD card but they ended up sending the whole thing.

Unsoldering the battery and soldering it back on makes the device reset and work again, but as I have two devices and one SD card (and I have two fractures) I can't get it to work. I tried many cloning tools, even Linux's dd command, HDD raw copy and a million other programs without luck.

So I was hoping someone could help. It is already known that the device can be reset by simply removing the battery and soldering it back on and I really, really need this to work. I can't afford 5K being out of work without any income.

Would anyone be interested in helping? I plan to reset this machine and donate it to someone else who needs it when I'm back to normal... This Pharmaceutical industry really makes me sick. How can they charge so much for something that would get people to walk again?

If anyone is interested, this is a guy who posted a little "overview" of the Exogen:

http://jschneider.net/Exogen4000.html

Someone managed to change the CID ?

I successfully did. Took me a few months of hard work.

legno75:
Someone managed to change the CID ?

Please people, don't buy it!
Despite the claims of some here in the forum, an Arduino can't do the thing, otherwise those same users would have already explained how.
Until now they haven't, which pushes me to guess that people who claim to be able to do it, having taken a few months of hard work or things like that, are hiding business intentions.
No way.
People who know wouldn't stay silent, as with all other matters discussed here in the forum or elsewhere.
All of them only claim to have succeeded, but they never provide a single clue that they are really in a position to do the thing.
Now I too claim I can do it; anyone can, and I'll prove it.
Simply, all over the world there are sellers who provide personalized cards; you need neither to do it yourself nor to rely on someone in the forum who runs his own business, just buy cards from them.
Easy!
Why do you need to do the thing by yourself with an Arduino, or let someone else do it when you don't even know who he is and whether he can really succeed?
Why do you need to send your cards to strangers, and maybe even your money, so that the same unknown person can carry out the thing with who knows what results?
Those who claim to have succeeded wrote, in their own words, that they couldn't do the thing on all cards on the market, so be careful!
Special kind of cards or not, don't waste your time and money, simply contact any seller you want and buy the cards you need from them, who can for sure provide what you are looking for.
They can really do the thing; they don't use an Arduino to try it but more sophisticated devices. It's their business, and at least you know in advance who they are, where they live and how much it costs.
Some of them even provide samples if needed, so you can verify whether they can or can't do the thing.
Please trust me, this is the better way.
Maybe even those who claim to be able to do the thing actually have the job done by the sellers I mentioned, adding some additional expenses as their own personal profit.
Educational purposes, Arduino and all you want are important and good, so no problem if someone wants to reach the thing by himself, but please don't waste your time and money.
If even a single person who can really do the thing existed, be sure that he would have already explained how to do it or at least clarified the issue, not staying silent or, even worse, going around the thing in order to create more doubts!

I changed the CID from a PC (not Arduino). I found source code at https://github.com/raburton/evoplus_cid and compiled it on Linux Ubuntu. This code is only for sd Samsung evolve plus 32Gb.
My PC has an SD reader, not USB.
In this video you can see how to do it.
Come modificare CID scheda SD Samsung evo plus - Change CID's SD - clonare scheda SD - YouTube

With some modifications maybe you can adapt it to Arduino.

After many hours of reading and testing I managed to wire an SD reader to a Nano and was able to read CID information from SD cards using the default Arduino SD lib. Calling the "readCID()" sub of the lib did the trick. The struct given as a parameter is filled with all the necessary information. Iterating through the struct with a byte-cast pointer gives me the raw data of the CID. I've crawled through the lib sources and found that CMD10 is issued for this, which seems correct.

Now, at this point I'd like to write the CID to another SD. How is it done in general? As mentioned here, the SD must be put into firmware mode, which means that the manufacturer is able to first program and later update the firmware of the card's microcontroller.

I'm pretty sure that this task is different for every manufacturer. Somebody has managed to get this information for Samsung Evo cards (I looked through the sources, this is heavy stuff, not something to guess or brute-force), so this seems the only chance for now?

But if I had this type of card, what should I do to program it? Could I simply send CMD26 with the struct data read from the other card? So maybe through a second SD slot with a different CS?
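
Added example, not part of any post in this thread and not code from the Arduino SD library or evoplus_cid: a decoder for the 16 raw CID bytes read back via CMD10, following the SD Physical Layer field layout (MID, OID, PNM, PRV, PSN, MDT, CRC7), which answers the earlier request to recover the manufacturing date and other parameters from a CID. The function names are this example's own, the sample CID is constructed, and it assumes raw[0] is the most significant byte.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {  /* decoded SD CID; MMC CIDs use a different layout */
    uint8_t  mid, prv_major, prv_minor, month; /* MID, revision n.m, MDT month */
    char     oid[3], pnm[6];  /* OEM ID (2 chars), product name (5 chars) */
    uint32_t psn;             /* product serial number */
    uint16_t year;            /* MDT year */
    int      crc_ok;          /* byte 15 == CRC7 of bytes 0..14, then end bit 1 */
} sd_cid_t;

/* CRC7 used by SD/MMC: polynomial x^7 + x^3 + 1, initial value 0, MSB first. */
uint8_t sd_crc7(const uint8_t *data, size_t len) {
    uint8_t crc = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t d = data[i];
        for (int bit = 0; bit < 8; bit++, d <<= 1) {
            crc <<= 1;
            if ((d ^ crc) & 0x80) crc ^= 0x09;
        }
    }
    return crc & 0x7F;
}

/* raw[0] holds CID bits 127..120, the first byte read back after CMD10. */
sd_cid_t sd_cid_parse(const uint8_t raw[16]) {
    sd_cid_t c = {0};
    c.mid = raw[0];
    memcpy(c.oid, &raw[1], 2);   /* c is zeroed, so both strings stay terminated */
    memcpy(c.pnm, &raw[3], 5);
    c.prv_major = raw[8] >> 4;
    c.prv_minor = raw[8] & 0x0F;
    for (int i = 9; i <= 12; i++) c.psn = (c.psn << 8) | raw[i];
    c.year  = (uint16_t)(2000 + (((raw[13] & 0x0F) << 4) | (raw[14] >> 4)));
    c.month = raw[14] & 0x0F;
    c.crc_ok = raw[15] == (uint8_t)((sd_crc7(raw, 15) << 1) | 1);
    return c;
}

/* Constructed sample (not from a real card); byte 15 is computed, not captured. */
void sd_cid_sample(uint8_t out[16]) {
    static const uint8_t body[15] = { 0x7E, 'X', 'Y', 'D', 'E', 'M', 'O', '1',
                                      0x10, 0x12, 0x34, 0x56, 0x78, 0x00, 0xF4 };
    memcpy(out, body, 15);
    out[15] = (uint8_t)((sd_crc7(body, 15) << 1) | 1);
}

int main(void) {
    uint8_t raw[16];
    sd_cid_sample(raw);
    sd_cid_t c = sd_cid_parse(raw);
    printf("MID=0x%02X OID=%s PNM=%s PSN=0x%08lX MDT=%u-%02u crc_ok=%d\n", c.mid,
           c.oid, c.pnm, (unsigned long)c.psn, c.year, c.month, c.crc_ok);
}
```

A matching CRC7 only shows the register was transferred intact; a rewritten or spoofed CID carries a valid CRC too, so the CID alone is not proof of a card's origin.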

Since recently there is a method of spoofing CID on the fly. There is this uSD to SD adapter that replaces the CID on the fly. It is available at spoofcid.co

I have a Chinese card that allows me to send cmd26. I send it, then get a response, then send the 16-byte CID through the data pin; the card answers success, but the CID didn't change. I'm doing it in CD MODE. So I think I'm missing some commands. According to the guys who changed the CID in SAMSUNG EVO cards, they do:
cmd62 0xEFAC62EC (enter vendor mode)
cmd62 0xEF50 (unlock the backdoor)
cmd17 0x00 (confirm Smart Report after reading Sector 1 at Address 0)
cmd26 0x00 0xFE [16bytes NEW CID] (WRITE_CID+single block write start TOKEN+16byte NEW CID)
cmd62 0x00DECCEE (exit vendor mode)

But I don't know, my card doesn't answer cmd62; also the message seems strange: all cmds in SD cards should be 6 bytes, and here 5 or 2 bytes are sent.

JeezyWonder:
I have a Chinese card that allows me to send cmd26. I send it, then get a response, then send the 16-byte CID through the data pin; the card answers success, but the CID didn't change. I'm doing it in CD MODE. So I think I'm missing some commands. According to the guys who changed the CID in SAMSUNG EVO cards, they do:
cmd62 0xEFAC62EC (enter vendor mode)
cmd62 0xEF50 (unlock the backdoor)
cmd17 0x00 (confirm Smart Report after reading Sector 1 at Address 0)
cmd26 0x00 0xFE [16bytes NEW CID] (WRITE_CID+single block write start TOKEN+16byte NEW CID)
cmd62 0x00DECCEE (exit vendor mode)

But I don't know, my card doesn't answer cmd62; also the message seems strange: all cmds in SD cards should be 6 bytes, and here 5 or 2 bytes are sent.

Hi,

Can you tell me what type of Chinese card you are using?
Where did you buy them?
I would like to buy some cards to test them too....