Investigating an "evil" RJ45 dongle
Reverse-engineering hardware can be difficult -- but sometimes, all you need is a comfy armchair and some Google Translate.
When it comes to information security headlines, a good rule of thumb is that claims about widespread supply-chain sabotage are usually false. It’s not that attacks of this sort can’t happen; it’s that they’re complicated, time-consuming, and risky to pull off. It’s what you use when you’re out of options. Most of the time, it’s much simpler to steal credentials or get someone to download a malicious file.
Earlier this week, a young entrepreneur caused a stir on social media by suggesting that an Ethernet-to-USB adapter they purchased from China was preloaded with malware that “evaded virtual machines”, “captured keystrokes”, and “used Russian-language elements”.
The revelations have gotten millions of views, but details were quite hazy. The poster shared an ambiguous antivirus scan report from Crowdstrike Falcon, but that seemed to be a red herring: the binary was a self-extracting EXE created using 7-Zip, a well-known open-source archiver authored by Ivan Pavlov. The author’s nationality accounted for the ominous “Russian-language elements”; the nature of self-extracting archives that install drivers explained most of the rest. Finally, the contents of the archive seemed to match a signed, publicly-available 2.0.7.0 driver for an RJ45-to-USB chip made by CoreChips Shenzhen — a company that also calls itself Corechip Semiconductor in the accompanying .inf file.
The driver referenced a chip named SR9900; virtually no publicly-available info is available about the chip or its maker, but after some sleuthing, I believe it’s a direct clone of Realtek RTL8152B. The English-language product brief implies that “SR” stands for “Supereal”; that brand name comes up in the context of counterfeit FTDI FT232RL chips that plagued the industry some time ago.
Other than the potential for IP tomfoolery, the lineage of the chip is important because the original Realtek design is pretty old; the datasheet was released in 2013. The devices support 100BASE-TX and USB 2.0, and hearken back to the era of Windows 7. This was an awkward period when CD-ROM drives were going out of fashion, but not every computer could be assumed to be permanently online. It made sense for some gadgets to present themselves as mass storage devices containing their own drivers — and from the security standpoint, it wasn’t better or worse than any other ad-hoc way to deliver the file.
In other words, given the historical context, nothing about the driver seemed particularly odd.
That said, the poster implied there’s more to the story: they shared teardown photos and pointed to a sparsely-populated PCB with a 25x40-type serial flash IC mounted next to the aforementioned SR9900:
Why did the device need 512 kB of flash memory? Was this for firmware, or was it where they kept our stolen packets?… It’s not wrong to ask! Malicious hardware has precedent: it’s been used by intelligence agencies and private pentesters alike. Heck, a bit over a decade ago, I built an evil plasma globe for work. Still, we weren’t here to debate whether a malicious RJ45-to-USB adapter could be made. The important question was whether in this particular instance — as the poster put it — “the Chinese were at it again”.
Unfortunately, the specs for SR9900 and RTL8152B are equally vague about the purpose of the companion flash IC. I dug up the following architectural outline, but it didn’t offer any special insights:
Image search for schematics proved to be another dead end; I found several designs featuring the original Realtek chip, but there was nothing hooked up to the serial pins:
I was ready to head over to the Dark Web (amazon.com) and purchase one of the dongles just to dump the contents of the memory chip. The Serial Peripheral Interface (SPI) bus is trivial to work with: in essence, you supply a clock signal at any speed you like; pressing a button by hand would do. At the rising edge of every clock cycle, the peripheral reads one bit on the “serial in” line, while the host reads one “serial out” bit back. There are no handshakes, headers, parity bits, or control flow.
The “application” protocol of the flash chip is equally simple and is common to almost all serial memory ICs. To get things going, the host sends a 1-byte READ instruction (0x03), followed by three address bytes. The chip starts sending data immediately after receiving the entire four-byte sequence, and keeps streaming bits for as long as the host clock signal is supplied:
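To make the two preceding paragraphs concrete, here is an added example (my own code, not anything from the post or from CoreChips/Realtek) that models the exchange bit by bit: a behavioural stand-in for a 25x40-style flash that only understands the 0x03 READ opcode, and a host routine that bit-bangs the opcode plus 24-bit address and then keeps clocking to stream bytes out. The 512 kB image it reads from is constructed inline; the ISO 9660 marker placed at 0x8000 is just there to give the read something recognisable to find.

```python
"""Bit-level model of the SPI flash READ exchange: one clock, one bit each way."""

READ_CMD = 0x03  # JEDEC "Read Data" opcode, shared by almost all 25xx-series NOR flash


class SpiFlashModel:
    """Behavioural model of a 25x40-style SPI flash, driven one clock edge at a time.

    SPI mode 0: on each rising clock edge the chip latches one MOSI bit and the
    host samples one MISO bit. There is no framing, parity or flow control; the
    chip only knows what to do once the 8-bit opcode and 24-bit address are in.
    """

    def __init__(self, contents: bytes):
        self.mem = bytes(contents)
        self.select(False)

    def select(self, asserted: bool):
        """Drive chip-select. Deasserting CS aborts any partially received command."""
        self.selected = asserted
        self.in_bits = []      # opcode + address bits received so far
        self.read_ptr = None   # byte address being streamed, once READ is decoded
        self.ignore = False    # set when an opcode this model does not implement arrives
        self.shift = 0         # output byte currently being shifted out
        self.shift_left = 0    # bits of `shift` not yet presented on MISO

    def clock(self, mosi: int) -> int:
        """One rising clock edge: return the MISO bit, then latch the MOSI bit."""
        if not self.selected:
            return 0
        miso = 0
        if self.read_ptr is not None:
            if self.shift_left == 0:
                # Fetch the next byte; a real chip wraps at the end of the array.
                self.shift = self.mem[self.read_ptr % len(self.mem)]
                self.shift_left = 8
                self.read_ptr += 1
            self.shift_left -= 1
            miso = (self.shift >> self.shift_left) & 1   # MSB first
        elif not self.ignore:
            self.in_bits.append(mosi & 1)
            if len(self.in_bits) == 32:
                opcode = int("".join(map(str, self.in_bits[:8])), 2)
                address = int("".join(map(str, self.in_bits[8:])), 2)
                if opcode == READ_CMD:
                    self.read_ptr = address   # data starts on the very next clock
                else:
                    self.ignore = True        # unknown opcode: stay silent until CS rises
        return miso


def spi_transaction(flash: SpiFlashModel, header: bytes, length: int) -> bytes:
    """Host side, bit-banged: CS low, shift `header` out MSB first, clock `length` bytes back."""
    flash.select(True)
    for byte in header:
        for bit in range(7, -1, -1):
            flash.clock((byte >> bit) & 1)   # MISO is meaningless during this phase
    out = bytearray()
    for _ in range(length):
        value = 0
        for _ in range(8):
            value = (value << 1) | flash.clock(0)   # MOSI idle; data keeps streaming
        out.append(value)
    flash.select(False)
    return bytes(out)


def spi_read(flash: SpiFlashModel, address: int, length: int) -> bytes:
    """The four-byte READ sequence from the text: 0x03 followed by a 24-bit address."""
    header = bytes([READ_CMD, (address >> 16) & 0xFF, (address >> 8) & 0xFF, address & 0xFF])
    return spi_transaction(flash, header, length)


def build_sample_flash() -> SpiFlashModel:
    """Constructed 512 kB image: erased (0xFF) except an ISO 9660 descriptor marker at 0x8000."""
    mem = bytearray(b"\xFF" * (512 * 1024))
    mem[0x8000:0x8006] = b"\x01CD001"
    return SpiFlashModel(mem)


if __name__ == "__main__":
    flash = build_sample_flash()
    print(spi_read(flash, 0x8000, 6))   # b'\x01CD001'
```

Dumping a whole chip is just `spi_read(flash, 0, 512 * 1024)`; the same host loop, pointed at real GPIO pins or an FTDI-style adapter, is what a flash dumper does. Note what happens with an opcode the model does not implement (0x0B FAST READ, for instance, expects an extra dummy byte): the chip simply never starts streaming, which is the usual symptom when a dump comes back as all zeros.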
But then, with the item in my cart, I had an epiphany: I went to the website of CoreChips and used Google Translate to pinpoint the original Chinese text for the “SR9900 series chip Windows system mass production tool”. I searched for the matching string and found a couple of old Chinese-language forum threads; one of them led me to a password-protected and paywalled download named “SR9900(A)设计资料1018.rar”. Some $2.99 later, I was the happy owner of an archive containing a very retro-looking SR9900 production tool:
With it came a 168 kB ISO 9660 (!) filesystem image containing a self-extracting Windows driver; the programming tool puts the .iso file verbatim onto the SPI flash. Yep: the chip just acts as a “software-defined” CD-ROM, a drop-in replacement for the physical media you’d have gotten with such gear before. You can download the disk image here; the password is “rj45”.
As an aside, the CD-ROM image was created with “ULTRAISO V9.3 CD & DVD CREATOR, (C) EZB SYSTEMS” — another decidedly retro piece straight from the days of Windows XP:
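If you have a raw dump of such a flash chip, the two facts above (the .iso is written verbatim from offset 0, and the authoring tool leaves its name in the volume descriptor) give you a quick sanity check without mounting anything. The added example below is my own code, not the post’s or the vendor’s: it looks for the ISO 9660 Primary Volume Descriptor at sector 16, pulls out the identifier fields, and then compares the volume’s self-reported size against the dump, counting any unerased bytes past the end of the filesystem. The sample image is constructed inline; the UltraISO string is placed in the application identifier field, which is where authoring tools usually record themselves, though where the author’s real image keeps it is an assumption on my part.

```python
"""Inspect a raw SPI flash dump for an ISO 9660 image and report what sits beyond it."""
import struct
from typing import Optional

SECTOR = 2048
PVD_OFFSET = 16 * SECTOR   # ISO 9660 places the Primary Volume Descriptor at logical sector 16
ISO_MAGIC = b"CD001"


def parse_iso9660_pvd(image: bytes) -> Optional[dict]:
    """Return the key PVD fields, or None if no ISO 9660 descriptor is present."""
    if len(image) < PVD_OFFSET + SECTOR:
        return None
    pvd = image[PVD_OFFSET:PVD_OFFSET + SECTOR]
    if pvd[0] != 1 or pvd[1:6] != ISO_MAGIC:   # type 1 == primary descriptor
        return None

    def text(off: int, n: int) -> str:
        # Identifier fields are fixed-width, space-padded ASCII.
        return pvd[off:off + n].decode("ascii", "replace").rstrip(" \0")

    # Numeric fields are stored both-endian; the little-endian half comes first.
    volume_blocks = struct.unpack_from("<I", pvd, 80)[0]
    block_size = struct.unpack_from("<H", pvd, 128)[0]
    return {
        "system_id": text(8, 32),
        "volume_id": text(40, 32),
        "volume_bytes": volume_blocks * block_size,
        "publisher_id": text(318, 128),
        "preparer_id": text(446, 128),
        "application_id": text(574, 128),
    }


def describe_flash_dump(dump: bytes) -> Optional[dict]:
    """PVD fields plus how much of the chip lies outside the filesystem and is not erased."""
    info = parse_iso9660_pvd(dump)
    if info is None:
        return None
    tail = dump[info["volume_bytes"]:]
    info["dump_bytes"] = len(dump)
    # Erased NOR flash reads back as 0xFF; anything else past the volume end deserves a look.
    info["trailing_unerased"] = sum(1 for b in tail if b != 0xFF)
    return info


def build_sample_image(app_id: str = "ULTRAISO V9.3 CD & DVD CREATOR, (C) EZB SYSTEMS") -> bytes:
    """Constructed stand-in for the 168 kB driver image: 84 sectors with a PVD and a terminator."""
    sectors = 84   # 84 * 2048 = 172032 bytes
    img = bytearray(sectors * SECTOR)
    base = PVD_OFFSET

    def put(off: int, n: int, value: str):
        img[base + off:base + off + n] = value.encode("ascii").ljust(n)

    img[base] = 1
    img[base + 1:base + 6] = ISO_MAGIC
    img[base + 6] = 1   # descriptor version
    put(8, 32, "Win32")
    put(40, 32, "SR9900_DRIVER")
    struct.pack_into("<I", img, base + 80, sectors)
    struct.pack_into(">I", img, base + 84, sectors)
    struct.pack_into("<H", img, base + 128, SECTOR)
    struct.pack_into(">H", img, base + 130, SECTOR)
    put(574, 128, app_id)
    # Volume Descriptor Set Terminator in the next sector (type 255).
    img[base + SECTOR] = 255
    img[base + SECTOR + 1:base + SECTOR + 6] = ISO_MAGIC
    return bytes(img)


def build_sample_dump() -> bytes:
    """The image as the production tool would leave it: at offset 0, rest of the 512 kB erased."""
    image = build_sample_image()
    return image + b"\xFF" * (512 * 1024 - len(image))


if __name__ == "__main__":
    for key, value in describe_flash_dump(build_sample_dump()).items():
        print(f"{key:>18}: {value}")
```

On a real dump, a non-zero `trailing_unerased` count is not by itself a sign of anything sinister (some programmers pad, and a previously programmed chip may not have been erased), but it tells you exactly which region to carve out and look at next, which is the question the original teardown photos raised.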
If you want to try it, be aware that it requires Intel Pentium 166MHz or above.
Corroborating the findings, the main archive also included a document titled “SR9900(A)设计前必看.docx”. The doc contained the following (auto-translated) passage:
“When SR9900 is used as a USB network card (consumer computer peripheral market), the SPI can be used as a virtual optical drive when installing the windows system driver (SPI-flash will pre-burn the SR9900 driver under the windows system)”
It also underscored that the use of the flash chip was optional.
So there you have it; the predictable, anticlimactic conclusion is that weird is not always bad. To get to that point, we didn’t need a hardware lab; a bit of patience and Google-fu was enough.
To be fair, we’re leaving one stone unturned: the SR9900 IC itself contains two small microcontroller cores — USB and Ethernet — each running some internal code. If we felt the chip maker was somehow complicit, I think it would be possible to peek inside. Realtek provides an open-source Linux driver for RTL8152 that does some in-memory patching of the firmware; to my eye, there doesn’t appear to be any encryption or signing going on.
Should you be worried about the possibility of being sent an evil USB dongle from faraway lands? If you’re a scientist working on the Iranian nuclear program, probably! If you’re a CISO of a strategically important civilian business, some caution would be advised too: there might be an intelligence analyst with a spreadsheet of all your vendors, just in case.
But for home networking, it seems that we get to live another day.
If you liked this article, please subscribe! Unlike most other social media, Substack is not a walled garden and not an addictive doomscrolling experience. It’s just a way to stay in touch with the writers you like.