Unmasking Fake Flash Memory

Any customer in a bar who ordered a pint of beer would definitely complain to the barkeeper if their glass was only a quarter full. This kind of attempted fraud always fails in the real world because of the obvious lack of fluid in the glass, along with the high level of motivation of the consumer and the physical presence of the perpetrator.

Unfortunately, online buyers of flash storage media cannot hope for comparably favorable conditions, although their judgment is unlikely to be impaired by the effects of alcohol. Time and time again, you hear of buyers of USB flash drives and flash cards being duped by shady dealers on the Internet. It is not difficult to find media at surprisingly low prices where the storage capacity is wrongly stated, for example, on eBay [1, 2]. To protect themselves, sellers often make statements such as "the stick will store about 4GB of data."

In this article, I attempt to reveal these counterfeits by running the right tests. As test specimens, I use two Samsung Pro 128GB MicroSDXC memory cards (model MB-MG128) purchased in 2016 from two vendors on eBay.de. If you believe the label, they both should achieve up to 90MB/s read and 80MB/s write performance.

Look Closely

Starting with the original packaging shown in Figure 1, a visual inspection reveals interesting differences in the detail. In the case of the first card (shown on the right in Figure 1), the barcode sticker has a spelling mistake: The "o" in "Model" is missing (Figure 2). Also the (possibly fake) CE marking on the back of the first card – the second (shown on the left in Figure 1) does not have this marking – has for a long time been indicative of a fake [3].

Figure 1: Pictures of the two packaged memory cards I purchased: on the left what looks like the original product, on the right the potential forgery.

Figure 2: The barcode on the packaging contains a spelling error.

According to the manufacturer, the two cards must achieve speed class 3 (U3), but the label on the first card shows that it is two classes below this. For the second card, a search with the exact model designation, model MB-MG128EU/EU, returned almost 6,000 matches, including the Samsung page with extensive technical information and the EAN 8806088133560. The first card, model MB-MG128D/EU, returned only one match on the website of a Polish vendor.

Reading the Registers

The memory card's metadata provides additional hints, for example, the model, manufacturer, version (revision), and serial number. Linux users can access these data using hwinfo disc, unless you are using a USB card reader – in this case, you will only see the reader's metadata.

This unfortunately also applies to the card register, in particular the card-specific data (CSD) register and card identification data (CID) register of SD cards. You can only read these with a direct SD interface.

Peripheral Component Interconnect Express (PCIe) connected card readers in laptops have this (e.g., the Realtek RTS5229 card reader). Or you can retrofit one as a PCIe card (DeLOCK 91485 or mini-PCIe cards from various Chinese eBay sellers).

If you have such a device, the contents of the register are found below /sys/block/mmcblk0/device/cid and .../csd. In the case of the suspected fake card, the content is:

00048d55534220441100001603010301
400e00327b590003e7ff7f800a404001

The other card returned different values:

1b534d303030303010a3385d7e010901
400e00325b590003b9df7f800a404001

If you are investigating a suspicious SSD card, you can also run hdparm and smartctl to reveal the manufacturer, product, serial number, hours of operation, and interface speed.

Forgers whose engineering expertise is just as great as their criminal energy, reproduce all the values stored in the registers of the original products in a deceptively genuine-looking way. For honest consumers, the task is therefore to look for a reliable strategy to detect tampering. You will find this in a sequential write and read of the whole data storage device without a filesystem using virtually incompressible test data.

To conceal the fake size, flash counterfeiters often manipulate the addressing mechanism of their goods. This gives users the impression that they can address the promised number of blocks and actually own a regular disk. In reality, however, the accessible data blocks are just repeated multiple times. That's why a test with a single test pattern, such as 0xaa, may not work; instead you will want to test with large and random patterns.

This kind of testing tool is also useful for detecting incipient defects, because even authentic disks can develop faults: The isolation layer of a flash memory cell degenerates on each delete action. In the case of multilevel cell (MLC) NANDs, the original shelf life of about 10 years decreases to about a year after 3,000 erase/write cycles.

Bad Blocks vs. Bad People

The following call implements the outlined procedures and tests for faults and bandwidth at the same time:

device=mmcblk0
time badblocks -wsv -c 65536 -t random -o log_$device_`date +%F_%T`.txt /dev/$device 2>&1 | tee logg_$device_`date +%F_%T`.txt

The time command measures the duration of the test (see Figure 3). The test candidate was a microSD card in the laptop's internal reader (mmcblk0). The badblocks test tool, included in the e2fsprogs package, performs the write/read test (-w) with a logfile for the numbers of faulty blocks (-o <file name>).

Figure 3: A badblocks run looking for media defects or manipulation. The time command measures the time.

It works with a random data pattern (-t **random) the size of 65536x1024 bytes (-c 65536), with a progress indicator (-s) and verbose messaging (-v). tee sends the screen output to a second logfile. To help organize the logfiles, the file names contain both the device name ($device) and the date and time (date +%F_%T).

If you want to run this test on a data carrier that is already in use, you can use dd (or ddrescue or dd_rescue) to save the contents to a safe place first and write them back after the test. The disk should not be mounted during copying. Because such a test reliably overwrites all previously stored data, it is also useful as a deletion mechanism for old data. (USB sticks are often manufactured with used flash ICs and contain old data, which could include such undesirable information as child porn, top-secret files, and terrorism plans. The write-read test overwrites all old data so that undelete programs cannot recover them, keeping you out of trouble with the authorities.)

To make testing for bad blocks fun, it is important to choose the right target device. Otherwise, the test could overwrite the data on a different disk. I wrote a script that avoids such mistakes: disktest1.sh [4]. The only parameter it expects is the name of the data carrier to be tested; in the example above, that's mmcblk0, but it's sde in the example in Listing 1. The script also works in a Cygwin environment, thus opening up a test option for Windows users. Linux users should run it as root; on Windows, you need to run Cygwin with administrator rights.