When it comes to information security headlines, the rule of thumb is that reports of large-scale supply chain sabotage are usually false. That’s not to say this kind of attack can’t happen; rather, such attacks are complex, time-consuming, and risky to carry out, so they are used only when you run out of other options. In most cases, it’s much easier to steal credentials or get someone to download a malicious file.
Earlier this week, a young entrepreneur suggested that an Ethernet-to-USB adapter he purchased from China came preloaded with malware that “evades virtual machines,” “captures keystrokes,” and “uses Russian language elements.” The claim caused a stir on social media.
Yes, I didn’t say that.
The reveal racked up millions of views, but the details were pretty vague. The poster shared an ambiguous antivirus scan report from CrowdStrike Falcon, which appears to be a red herring. The binaries were self-extracting EXEs created with 7-Zip, a well-known open source archiver written by Igor Pavlov; the author’s nationality accounts for the eerie “Russian element.” Most of the rest is explained by the nature of a self-extracting archive that installs a driver. Finally, the contents of the archive appeared to match a signed, publicly available 2.0.7.0 driver for an RJ45-to-USB chip made by CoreChips Shenzhen (a company also referred to as Corechip Semiconductor in the included .inf file).
Yeah, it’s pretty much supposed to do something like that.
This driver referenced a chip named SR9900. There’s little publicly available information about this chip or its manufacturer, but after some research, it appears to be a direct clone of the Realtek RTL8152B. The English product overview suggests that “SR” stands for “Supereal”. This brand name came up in the context of the counterfeit FTDI FT232RL chip that plagued the industry a while back.
IP shenanigans aside, the pedigree of the chip matters because the original Realtek design is quite old. This datasheet was released in 2013. The device supports 100BASE-TX and USB 2.0 and dates back to the days of Windows 7. This was an awkward time when CD-ROM drives were becoming obsolete, but not all computers were yet expected to be permanently online. It made sense for some gadgets to present themselves as mass storage devices carrying their own drivers. From a security perspective, this was no better or worse than other ad hoc methods of delivering files.
In other words, there was nothing particularly strange about the driver given the historical context.
That being said, the poster hinted that there was more to the story. They shared a teardown photo and pointed out a sparsely populated PCB with a 25×40-type serial flash IC installed next to the aforementioned SR9900.
One of the original disassembly photos. From social media.
Why did the device need 512 KB of flash memory? Was it for firmware, or was it where the stolen packets were stored? That’s the right question to ask. Malicious hardware has precedent; it has been used by intelligence agencies and private penetration testers alike. A little over 10 years ago, I built an evil plasma globe for work. Still, we’re not here to discuss whether a malicious RJ45-to-USB adapter can be made. The key question is whether, in this particular case, “the Chinese were at it again,” as the poster put it.
Unfortunately, the SR9900 and RTL8152B datasheets are similarly vague about the purpose of the companion flash IC. I looked at the following architecture overview but didn’t gain any particular insight.
CoreChips SR9900 architecture, from product overview.
Image searches for schematics also proved to be a dead end. I found some designs that used the original Realtek chips, but they had nothing connected to the serial pins.
I was ready to go to the dark web (amazon.com) and buy one of the dongles just to dump the contents of the memory chip. Operating a Serial Peripheral Interface (SPI) bus is easy. Essentially, you just provide a clock signal at any speed; toggling it by hand with a button would do. On the rising edge of each clock cycle, the peripheral reads one bit on the “serial in” line and the host reads one bit on the “serial out” line. There are no handshakes, headers, parity bits, or flow control.
The flash chip’s “application” protocol is similarly simple and common to nearly all serial memory ICs. To start a read, the host sends a one-byte READ instruction (0x03) followed by three address bytes. The chip begins transmitting data immediately after receiving the entire 4-byte sequence and continues to stream bits for as long as the host keeps supplying the clock.
Serial memory read protocol. From Microchip 25×40 specifications.
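To make the exchange concrete, here is an added example (not code from the post) that bit-bangs the READ command against a simulated 25-series flash, with both the host and the peripheral side modelled. It assumes SPI mode 0, MSB-first bit order, a 24-bit address and READ (0x03) only; the 512-byte flash contents are constructed.

```python
# Added example, not from the original post: a bit-banged SPI READ against a
# simulated 25-series flash (assumed: mode 0, MSB first, 24-bit address, 0x03 only).
READ = 0x03

class SerialFlash:
    """Peripheral: samples MOSI on the rising clock edge, presents the next
    MISO bit on the falling edge, and streams data for as long as clocked."""
    def __init__(self, contents: bytes):
        self.mem = bytes(contents)
        self.deselect()

    def deselect(self):  # raising chip-select aborts any command in progress
        self.shift_in, self.n_in, self.addr, self.bit, self.miso = 0, 0, None, 7, 0

    def rising(self, mosi: int) -> int:
        """Clock in one MOSI bit; return the MISO level the host samples now."""
        if self.addr is None:
            self.shift_in = (self.shift_in << 1) | (mosi & 1)
            self.n_in += 1
            if self.n_in == 32:  # opcode byte + three address bytes received
                opcode, self.addr = self.shift_in >> 24, self.shift_in & 0xFFFFFF
                if opcode != READ:
                    raise ValueError(f"unsupported opcode 0x{opcode:02x}")
        return self.miso

    def falling(self):
        """After the header, shift out mem[addr] MSB first; wrap at the end."""
        if self.addr is None:
            return
        self.miso = (self.mem[self.addr % len(self.mem)] >> self.bit) & 1
        self.bit -= 1
        if self.bit < 0:  # byte finished: move on to the next address
            self.bit, self.addr = 7, self.addr + 1

def spi_read(flash: SerialFlash, addr: int, length: int) -> bytes:
    """Host: clock out READ + 24-bit address, then keep clocking to read."""
    header = bytes([READ, (addr >> 16) & 0xFF, (addr >> 8) & 0xFF, addr & 0xFF])
    out = bytearray()
    for byte in header:  # MISO is ignored while the 4-byte header goes out
        for i in range(7, -1, -1):
            flash.rising((byte >> i) & 1)
            flash.falling()
    for _ in range(length):  # MOSI is don't-care now; the chip streams bits
        value = 0
        for _ in range(8):
            value = (value << 1) | flash.rising(0)
            flash.falling()
        out.append(value)
    flash.deselect()  # raise CS so the next command starts with a fresh header
    return bytes(out)
```

Reading past the last byte wraps to address 0, which is what real 25-series parts do when the clock keeps running.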
However, with the items in my cart, I had an epiphany. I visited the CoreChips website and used Google Translate to identify the original Chinese text for “SR9900 Series Chip Windows System Production Tools.” I searched for matching strings and found some old Chinese forum threads. One of them pointed me to a password-protected, paywalled download called “SR9900(A)设计资charge1018.rar.” After paying about $2.99, I became the happy owner of an archive containing a very retro SR9900 production tool.
SR9900Efuse Tools.
It came with a 168 kB ISO 9660 (!) filesystem image containing self-extracting Windows drivers. The programming tool writes the .iso file as-is into the SPI flash. That’s right: the chip simply functions as a “software-defined” CD-ROM, a drop-in replacement for the physical media you’d traditionally get with such devices. You can download the disk image from here. The password is “rj45”.
As a side note, the CD-ROM image was created with “ULTRAISO V9.3 CD & DVD CREATOR, (C) EZB SYSTEMS”. This is also a decidedly retro piece from the days of Windows XP.
UltraISO action shot.
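If you do end up dumping such a flash chip, the first check is whether the blob is just a CD image. As an added example (not the post’s or the vendor’s tooling), the code below parses the ISO 9660 primary volume descriptor at sector 16 of a raw dump; the sample image, its volume id and 84-sector size are constructed here, while the UltraISO application identifier is the string quoted above.

```python
# Added example, not the post's own tooling: decide whether a raw SPI flash
# dump is simply an ISO 9660 disc image by parsing the primary volume
# descriptor (PVD) at sector 16. The sample image below is constructed here.
import struct

SECTOR = 2048
PVD_OFFSET = 16 * SECTOR  # sectors 0-15 are the ISO 9660 "system area"

def _both_endian(n: int, fmt: str) -> bytes:
    """ISO 9660 stores most integers twice: little-endian, then big-endian."""
    return struct.pack("<" + fmt, n) + struct.pack(">" + fmt, n)

def build_sample_iso(volume_id: str, app_id: str, sectors: int = 84) -> bytes:
    """Constructed stand-in for the dongle's ~168 kB image (not the real dump)."""
    img = bytearray(sectors * SECTOR)
    pvd = bytearray(SECTOR)
    pvd[0:7] = b"\x01CD001\x01"                      # type 1 = PVD, magic, version
    pvd[40:72] = volume_id.ljust(32)[:32].encode()   # volume identifier
    pvd[80:88] = _both_endian(sectors, "I")          # volume space size, in blocks
    pvd[128:132] = _both_endian(SECTOR, "H")         # logical block size
    pvd[574:702] = app_id.ljust(128)[:128].encode()  # application identifier
    img[PVD_OFFSET:PVD_OFFSET + SECTOR] = pvd
    img[PVD_OFFSET + SECTOR:PVD_OFFSET + SECTOR + 7] = b"\xffCD001\x01"  # terminator
    return bytes(img)

def find_iso9660(dump: bytes) -> "dict | None":
    """Return the PVD's key fields if the dump carries a CD image, else None."""
    pvd = dump[PVD_OFFSET:PVD_OFFSET + SECTOR]
    if len(pvd) < SECTOR or pvd[0] != 1 or pvd[1:6] != b"CD001":
        return None
    blocks = struct.unpack_from("<I", pvd, 80)[0]
    if struct.unpack_from(">I", pvd, 84)[0] != blocks:  # both copies must agree
        return None
    block_size = struct.unpack_from("<H", pvd, 128)[0]
    size = blocks * block_size
    return {
        "volume_id": pvd[40:72].decode("ascii", "replace").rstrip(),
        "application_id": pvd[574:702].decode("ascii", "replace").rstrip(),
        "size_bytes": size,
        "fits_in_dump": size <= len(dump),  # e.g. a 168 kB image in 512 KB of flash
    }
```

A blank (all 0xFF) or firmware-filled chip fails the magic check and returns None, which is the point where a closer look would be warranted.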
If you want to try it out, note that you will need an Intel Pentium 166 MHz or better.
In support of these findings, the main archive also contained a document titled “SR9900(A)设计前 Must View.docx”. The document contains the following (machine-translated) passage:
“If the SR9900 is used as a USB network card (consumer computer peripherals market), the SPI can be used as a virtual optical drive during Windows system driver installation (SPI flash pre-writes the SR9900 driver on the Windows system).”
The document also emphasized that the use of the flash chip is optional.
That’s it! The predictable, anti-climactic conclusion is that weird isn’t necessarily bad. We didn’t need a hardware lab to get to that point. All it took was a little patience and Google-fu.
To be fair, the SR9900 IC itself contains two small microcontroller cores (USB and Ethernet), each running some internal code. It would be possible to look inside if one suspected that the chipmaker was complicit in some way: Realtek provides an open source Linux driver for the RTL8152 that performs in-memory firmware patching, and to my eye, there doesn’t appear to be any encryption or signing going on.
Should you be concerned about the possibility of an evil USB dongle being shipped to you from a faraway country? If you’re a scientist working on Iran’s nuclear program, you probably should be. If you are the CISO of a strategically important private company, you should also take some precautions; you might have an intelligence analyst keep a spreadsheet of all your vendors, just in case.
But when it comes to home networking, it looks like we live to see another day.
If you liked this article, please subscribe! Unlike most other social media, Substack is not a walled garden or an addictive doomscrolling experience. It’s just a way to stay in touch with your favorite authors.