Some success with writeCID

Seems like you guys are on right path :) I can share limited info thru PM

Thanks

Hi DavidLE, thank you for your kind support. Honestly though, I can't see why for you it's not possible to provide informations here while instead it is possible thrugh PM. Anyway meanwhile, if you want, you could start by answering the questions that I have made about the manufacturer, model, original CID and CSD of the cards you've modified successfully or at least confirm or deny that your statements are based on something like this old document here:

http://tinyurl.com/lncst9c

Thanks in advance!

AR

Hi guys, just wondering if any progress has been made on this... It looks like we have a lot of information to work with, but unfortunately, don't know which cards to target :(

Alexel: Somebody has news about change of CID? I found that CMD60 on SiliconMotion controlers transfers SD to the mode when the card doesn't respond to CMD26 to Error.

Can you please elaborate on what argument did you use for the first command? Also, what brand of SDHC cards use this controller?

Thanks.

Hi yyzyyz,

yyzyyz:
Hi guys, just wondering if any progress has been made on this… It looks like we have a lot of information to work with, but unfortunately, don’t know which cards to target :frowning:

That would be telling.
It’s a secret!
Ok, I’m just kidding, apologize me.
I agree, you are right.
Actually it doesn’t need anything else than to know what are the right cards because only those make the difference doing the trick.
Meanwhile I have purchased some cards from China, we’ll see if those are the right ones or no.

yyzyyz:
Can you please elaborate on what argument did you use for the first command? Also, what brand of SDHC cards use this controller?

Not just talking about SiliconMotion controllers, not only CMD60 has that behaviour, even other have it.
Some cards have it, some don’t.
In my opinion it isn’t much a matter of controller type but rather of the kind of card.
Alexel didn’t respond to my request for clarification, though.
So honestly I don’t know exactly what he meant, sorry.

However for any doubt you can try with a PM, maybe you’ll get the solution.

AR

I think it totally depends on the controller and the firmware running on it and as DavidLE has also mentioned, it's unique to each controller type. So what works on an SMI controller might not work on a Micron controller, for example. Although Alexel provided a good lead on the Silicon Motion controllers, he did not care to mention which card he was testing with. Similarly, DavidLE hasn't mentioned which brand of cards and specific controllers did he succeed with. I've sent them both a PM for more details but they haven't responded yet. Unfortunately, there's no easy way (that I know of) to determine which cards employ which controller by just interacting with the card firmware. I hope you have better luck with the Chinese cards; please do let us know how it goes.

Hi yyzyyz,

yyzyyz: I think it totally depends on the controller and the firmware running on it and as DavidLE has also mentioned, it's unique to each controller type. So what works on an SMI controller might not work on a Micron controller, for example.

I don't think so. Surely controller do its part but it acts based on what it is programmed for. OK, the firmware is unique among the controllers so it isn't simple to put it on different ones, but even talking about a single type of cards it's possible find them able to do things that on other with the same controller are programmed different so them don't work the same way. In my experience I handled some card which had the same controller for sure having I ripped them for looking inside, but totally them didn't behave in the same manner. You need to keep in mind that cards, even with the same controller, can be purposely programmed different for specific purposes. The controller may be unique, the firmware inside it no. There are too many different types and kind of cards.

yyzyyz: Although Alexel provided a good lead on the Silicon Motion controllers, he did not care to mention which card he was testing with. Similarly, DavidLE hasn't mentioned which brand of cards and specific controllers did he succeed with. I've sent them both a PM for more details but they haven't responded yet.

For me, based on what I just wrote above, the content of CID and CSD and possibly a few other registers, is sufficient to identify the right cards. I saw many cards, even industrial version, which were the same type and model with the same brand and from the same manufacturer but parts inside were different although the cards were fully interchangeable among them. Anyone can easily verify by self simply buying a little amount of cards and quering or even ripping them. This is why I don't trust only on the controller. DavidLE and Alexel approach is good, exactly like that in the document I provided. Anyway my purposes may be different from those of others and this could influence the kind of the approach. For instance I don't need to find a way so that I'm in the position to change the CID in all card over the whole world. For my purpose it's enough find even one single piece where I can do the job. No matter even the type of card, if MMC or SD or fake or counterfeit or unreliable to keep data, or so, it doesn't important for me. That is. However I hope that David and Alexiel sooner or later reply at you.

yyzyyz: Unfortunately, there's no easy way (that I know of) to determine which cards employ which controller by just interacting with the card firmware. I hope you have better luck with the Chinese cards; please do let us know how it goes.

In the past I've contacted some manufacturer by asking for that kind of cards and they answered at me that they can provide them for sure. The fact is that they always ask for a bunch of cards to be purchased and never they provide exactly specifications or the content of CID and CSD neither the opportunity to evaluate their products simply by purchasing few piece. I'm talking of Chinese manufacturer/dealer/retailers. Please pay attention that I am not blaming or accusing anyone, simply that is their way to run the business and customers must to accept it. I think that people who live in Asia have an advantage in this type of search.

AR

Alexel: I found that CMD60 on SiliconMotion controlers transfers SD to the mode when the card doesn't respond to CMD26 to Error.

Hi Alexel, ok that's valid for Siliconmotion but exacly what type? As I have already written there are a bunch of Siliconmotion's controllers. For instance here you go the SM261A's behavior.

Siliconmotion SM261A (card=MMC, MDT=July 2004 / MultiMediaCard Protocol Version=6.00):

CMD60 = card is locked [R2] CMD61 = illegal command [R1] CMD62 = illegal command [R1] CMD63 = illegal command [R1]

Then that it isn't only a matter of brand of the controller. Here it follows the behavior of two other types of controllers.

ITE IT-1232A-53E (card=SD, MDT=April 2015 / Physical Layer Specification Version Number=2.00):

CMD60 = illegal command [R1] CMD61 = illegal command [R1] CMD62 = illegal command [R1] CMD63 = illegal command [R1]

Unknow controller (card=SD, MDT=September 2013 / Physical Layer Specification Version Number=3.0X):

CMD60 = accepted [R2] CMD61 = accepted [R1] CMD62 = illegal command [R1] CMD63 = illegal command [R1]

AR

I am going to be honest.

I broke my leg badly on a motorbike accident back in August 2015 and I am still recovering from the fracture.

There is a device called Exogen Bone Healing System, made by Bioventis.

This device is a ultrasound device that emmits ultrasound waves into the bones, making the recovery consideraly faster.

One problem, though: this thing costs 5 thousand US Dollars. It's beyound my financial possibilities. And it's getting even more distant as I haven't worked since August 2015 and I have literally no income at the moment.

This Exogen system has a mainboard with a Microchip PIC16C926. There's also a 32kx8 EEPROM and a diagnostic jack socket. According to my reading out there, the micro doesn't have non-volatile storage.

This device works 150 times, then it stops working. I have purchased a second hand device on eBay, which was a rip off as the seller sent it without an SD card, which apparently holds some information that allows the device to work. I have managed to get a second device for free with Bioventis, which came with the SD card and is working but I still have the second hand one, which doesn't work. The story with Bioventis was a nightmare and I had to threaten them a lot (legally speaking) in order to get a replacement. They said they were going to send me just the SD card but they ended up sending the whole thing.

Unsoldering the battery and soldering it back on makes the device reset and work again but as I have two devices and one SD card (and I have two fractures) I can't get it to work. I tried many cloning tools, even Linux's dd comand, HDD raw copy and a million other softwares without luck.

So I was hoping someone could help. It is already known that the device can be reset by simply removing the battery and soldering it back on and I really, really need this to work. I can't afford 5K being out of work without any income.

Would anyone be interested in helping? I plan to reset this machine and donate it to someone else who needs it when I'm back to normal... This Pharmaceutical industry really makes me sick. How can they charge so much for something that would get people to walk again?

If anyone is interested, this is a guy who posted a little "overview" of the Exogen:

http://jschneider.net/Exogen4000.html

Someone managed to change the CID ?

I Successfully did. Took me few months of hard work.

legno75: Someone managed to change the CID ?

Please people, don't buy it! Despite claims of someone here in the forum, arduino can't do the thing otherwise those same users would have already explained how. Until now they didn't that push me to guess that people who claim to be able to do it having taken few months of hard work or things like that, they are hiding business intentions. No way. People who know wouldn't stay silent as for all other matters discussed here in the forum or elsewhere. All them only claim to have succeeded but never they provide a single clue they are in the position to do the thing really. Now me too I claim I can do it, anyone can and I'll prove it. Simply over all the world are sellers who provide personalized cards, you don't need neither to do it yourself or rely on someone in the forum who runs his own business, just buy cards there from them. Easy! Why are you in the need to do the thing by yourself with an arduino or let do it someone else that you don't even know who he is and if he can really succeed? Why are you in the need to send your cards at strangers and maybe even your money so that the same unknown can carry out the thing with don't know what results? Those who claim to have succeeded on their own words they wrote that they couldn't do the thing on all cards on the market, so be careful! Special kind of cards or not, don't waste your time and money, simply contact any seller you want and buy the cards you need from them who can for sure provide what you are looking for. They can do the thing really, they don't use arduino in order to try it but more sofisticated devices, it's their business and at least you know in advance who they are, where they live and how much it is as cost. Someone of them even provide samples in the need, so you can verify if they can or can't do the thing. Please trust me, this is the better way. Maybe even who claim to be able to do the thing actually let do the job at the sellers that I wrote putting as gain some additional expenses as for his own personal profit. Educational purpose, arduino and all you want are important and good so no problem if someone want to reach the thing by himself, but please don't waste your time and money. If even a single person who can do the thing really exist, be sure that he would have already explained how to do or at least clarified the issue, doesn't staying silent or even worse going turn around the thing in order to provide more doubts!

I changed the cid by PC (not arduino). I found source code from https://github.com/raburton/evoplus_cid and I compiled on Linux Ubuntu. This code is only for sd Samsung evolve plus 32Gb. My pc have a sd-reader not usb. On this video you can see how to do. https://youtu.be/mRSprQBsQ6w

With some modifications maybe you can modify to Arduino.

After many hours of reading and testing i managed to wire an SD-Reader with an Nano and was able to read CID information from SD-Cards using default Arduino SD lib. Calling the "readCID()" sub of the lib did the trick. The struct given as paramter is filled with all necessary information. Iterating through the struct with a byte-casted pointer will give me raw data of CID. I've crawled through the lib sources and found that CMD10 is issued therefore, which seems correct.

Now, at this point i'd like to write CID to an other SD. How is it done in general? As menetioned here, the SD must be put into firmware-mode, which means that the manufacturer is able to firstly program and to lately update the firmware of the containing microcontroller of the card.

I'm pretty shure that this task is different for every manufacturer. Somebody had managed to get this information for Samsung Evo cards (looked through the sources, this is heavy stuff, no something to guess or bruteforce), so this seems the only chance for now?

But when i had this type of card, what should i do to programm it? Could i simply send CMD26 with the structdata read from the other card? So maybe through a second SD-Slot with different CS?

Since recently there is a method of spoofing CID on the fly. There is this uSD to SD adapter that replaces the CID on the fly. It is available at spoofcid.co

I have a chinease cards that allows me to send cmd26, i send it , then get respond then send 16 byte cid thourgh data pin, card answers success, but cid didnt change. I doing it by CD MODE. So i think im missing some commands. According to the guys who changed cid in SAMSUNG EVOS cards, they do: cmd62 0xEFAC62EC (enter vendor mode) cmd62 0xEF50 (unlock the backdoor) cmd17 0x00 (confirm Smart Report after reading Sector 1 at Address 0) cmd26 0x00 0xFE 16bytes NEW CID cmd62 0x00DECCEE (exit vendor mode)

But i dont know, my card doesnt answer on cmd62 also the message seems strange, all cmds in SD card should be 6 bytes, and here its 5 or 2 bytes send.

JeezyWonder: I have a chinease cards that allows me to send cmd26, i send it , then get respond then send 16 byte cid thourgh data pin, card answers success, but cid didnt change. I doing it by CD MODE. So i think im missing some commands. According to the guys who changed cid in SAMSUNG EVOS cards, they do: cmd62 0xEFAC62EC (enter vendor mode) cmd62 0xEF50 (unlock the backdoor) cmd17 0x00 (confirm Smart Report after reading Sector 1 at Address 0) cmd26 0x00 0xFE 16bytes NEW CID cmd62 0x00DECCEE (exit vendor mode)

But i dont know, my card doesnt answer on cmd62 also the message seems strange, all cmds in SD card should be 6 bytes, and here its 5 or 2 bytes send.

Hi,

Can you tell me what type of chinese card are you using? Where did you bought them? I would like to buy some card to test them too....

FInally guys after few month, i found a company that selling writeble cid sd cards, but their are sellling them only with the device which can write cid. , if you wants some contact me on pm here or mail me - jeezywoods@gmail.com

Hello folks, I'm working hard to make this work:

cmd62 0xEFAC62EC (enter vendor mode) cmd62 0xEF50 (unlock the backdoor) cmd17 0x00 (confirm Smart Report after reading Sector 1 at Address 0) cmd26 0x00 0xFE 16bytes NEW CID cmd62 0x00DECCEE (exit vendor mode)

but no joy, it doesn't work for me. :( I have the right cards, I'm sure because with this https://github.com/raburton/evoplus_cid I'm able to change the cid on them all, where am I wrong? Maybe there is a some sort of typo somewhere in the commands' sequence written by JeezyWonder. Is there anyone who tried those commands with Arduino, mine is a MEGA 2560, and can confirm that it works? Cards I own allows answer on cmd62 but then the thing abort with error 04hex (illegal command) while performing cmd26. >:(

J_3: Hello folks, I'm working hard to make this work:

cmd62 0xEFAC62EC (enter vendor mode) cmd62 0xEF50 (unlock the backdoor) cmd17 0x00 (confirm Smart Report after reading Sector 1 at Address 0) cmd26 0x00 0xFE 16bytes NEW CID cmd62 0x00DECCEE (exit vendor mode)

but no joy, it doesn't work for me. :( I have the right cards, I'm sure because with this https://github.com/raburton/evoplus_cid I'm able to change the cid on them all, where am I wrong? Maybe there is a some sort of typo somewhere in the commands' sequence written by JeezyWonder. Is there anyone who tried those commands with Arduino, mine is a MEGA 2560, and can confirm that it works? Cards I own allows answer on cmd62 but then the thing abort with error 04hex (illegal command) while performing cmd26. >:(

Contact me through PM, bro

I doubt that arduino can do the job, but this would seem to partially succeed on it: https://www.youtube.com/watch?v=ZAe61GZ-52Y If it's not a joke and it really works, the whole thing can check if the card under test allows the back door or not. This is interesting because it means that with small changes it would be possible to automate the modification of the cid. I don't want to be a devil's advocate, but I think it's actually a hoax and it will not work. Ok this is an arm cortex m3 @72MHz, not a uno or mega, but in my opinion the back door is only usable via sd mode, not spi, and the sd mode protocol in addition to not being documented requires the payment of royalties for its use, it isn't free and documented as the well-known protocol spi. It's not just a matter of hardware capability, if it supports the sd mode protocol or not, it's that even if the target could be reached then the code couldn't be freely distributed. For this reason I believe that in reality the thing will not work as shown in the video, but even if it weren't so, the code could not be easily distributed due to the issue of royalties. I repeat, educational purpose, arduino and all you want are important and good so no problem if someone want to reach the thing by himself, but please don't waste your time and money. If even a single person who can do the thing really exist, be sure that he would have already explained how to do or at least clarified the issue, doesn't staying silent or even worse going turn around the thing in order to provide more doubts!