CID change on SD card update (evoplus_cid)

My recent post on how to change the CID on a Samsung Evo Plus SD card has generated some interest, but also a number of people who are having problems with it. I thought it was worth posting an update with some extra information. First off, I suspect some people who are struggling have fake cards – there are a lot out there and some of them look pretty convincing. Others have suggested different hardware / firmware revisions might be an issue – quite possible but I have no way of knowing (all my Evo Plus cards work, so I can’t compare against ones that don’t). I can see no reason why different phones etc. would give different results – as long as it’s a proper SD controller (not a USB mass storage adapter) then sending the command should work just fine.

Fake cards
These are very common and if you google for fake Samsung cards you’ll find lots of info on how to spot them. A few tips I’ve picked up along the way:

  • Packaging quality – the image should be well printed, in high resolution and good bit depth on the colours (some fakes look like they’ve been converted down to 256 colours). The gloss overlay over the printed areas should align with the printing below them, if it’s offset that’s a bad sign.
  • Packaging info – the product information should be correct and match the card. I had one fake that incorrectly stated a 32gb card was SDXC on the pack instead of SDHC, the card itself had SDHC printed on it. The correct size should also be printed on the packet. Look up the UPC from the barcode on the back and make sure that matches the product and size of your card.
  • Hologram, with scratch-to-reveal verification code. The real ones have them (recent ones at least), fakes might but probably don’t. All of mine have, but oddly enough when I tried to check one on the Samsung China website I didn’t get anywhere with the verification code, the site was in Chinese though so I might have been doing something wrong.
  • The card – lots of subtle details to check. Smooth back, not lumpy showing circuit parts beneath the surface. Black on the back, white on the edges. Slight bevel on the contact side, to help insertion. Correct info printed on the card. Correct font, especially for the capacity digits, some fakes don’t use the correct slim font. Text on the back is printed so it is read with the card contacts end pointing upward. Mine are made in the Philippines but this is probably not the only place so don’t get hung up on this.
  • Card CID – check it and compare to working ones. See below…

Card CID
An example of the CID on one of my cards: 1b 534d 3030303030 10 98625deb 0102 a1. Your card CID should be very similar. The manufacturer ID should be 1b, followed by an application/OEM ID of 534d. The product name is 3030303030 (5 x ASCII ‘0’). The product revision is 10 (1.0). The next 8 hex characters (98625deb) are the SD card serial number, yours will be different! The manufacturing date is next (0102, or 0 10 2), where the first digit is ignored, the next pair is the year in hex since 2000 and the last digit is the month in hex. So this is February (2) 2016 (2000 + 0x10). I also have March 2016 (0103) cards that work fine. Last is the checksum (a1) which will be different on your card. I doubt many of the fakes have properly set Samsung CIDs so hopefully this is an easy way to tell.
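The field layout above can be checked mechanically. The following C sketch is an added example, not part of evoplus_cid: it decodes a 32-digit CID into the fields described and recomputes the checksum, assuming the standard SD CRC7 (polynomial x^7 + x^3 + 1, stored shifted left one bit with the low bit set). The struct and function names are made up for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct sd_cid {                 /* fields in the order the post lists them */
    uint8_t mid; char oid[3]; char pnm[6]; uint8_t prv;
    uint32_t psn; int year, month; uint8_t crc;
};

static int hexval(int ch) {
    if (ch >= '0' && ch <= '9') return ch - '0';
    ch |= 0x20;                 /* fold A-F to a-f */
    return (ch >= 'a' && ch <= 'f') ? ch - 'a' + 10 : -1;
}

/* CRC7 (x^7 + x^3 + 1) of bytes 0..14, returned in CID form: (crc7 << 1) | 1.
   The register is kept left-aligned in 8 bits, so the polynomial is 0x09 << 1. */
static uint8_t cid_crc_byte(const uint8_t *b) {
    uint8_t crc = 0;
    for (int i = 0; i < 15; i++) {
        crc ^= b[i];
        for (int k = 0; k < 8; k++)
            crc = (uint8_t)((crc & 0x80) ? (crc << 1) ^ 0x12 : crc << 1);
    }
    return crc | 1;
}

/* Returns 1 if the checksum matches, 0 if it does not, -1 if not 32 hex digits. */
static int cid_parse(const char *hex, struct sd_cid *c) {
    uint8_t b[16];
    if (strlen(hex) != 32) return -1;
    for (int i = 0; i < 16; i++) {
        int hi = hexval(hex[2 * i]), lo = hexval(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;
        b[i] = (uint8_t)(hi << 4 | lo);
    }
    c->mid = b[0];
    memcpy(c->oid, b + 1, 2); c->oid[2] = '\0';
    memcpy(c->pnm, b + 3, 5); c->pnm[5] = '\0';
    c->prv = b[8];
    c->psn = (uint32_t)b[9] << 24 | (uint32_t)b[10] << 16 | (uint32_t)b[11] << 8 | b[12];
    c->year = 2000 + (((b[13] & 0x0f) << 4) | (b[14] >> 4)); /* top nibble ignored */
    c->month = b[14] & 0x0f;
    c->crc = b[15];
    return cid_crc_byte(b) == b[15];
}

int main(void) {
    struct sd_cid c;            /* the CID below is the example quoted in the post */
    int ok = cid_parse("1b534d30303030301098625deb0102a1", &c);
    if (ok < 0) return 1;
    printf("mid=%02x oid=%s pnm=%s prv=%d.%d psn=%08x date=%d-%02d crc=%s\n", c.mid, c.oid,
           c.pnm, c.prv >> 4, c.prv & 15, (unsigned)c.psn, c.year, c.month, ok ? "ok" : "BAD");
    return 0;
}
```

A reader that reports the last byte as 00, like the laptop mentioned under evoplus_cid below, will show up here as a checksum mismatch even on a genuine card.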

My cards / System
Samsung Evo Plus 32gb. UPC: 8806086928410. Model: MB-MC32D. Model code: MB-MC32D/CN. Purchased from this listing on AliExpress. I am not affiliated with the seller and get no referral commission from this link. I also cannot guarantee that you’ll get working or even genuine cards, but I have purchased on two occasions from this seller and the cards have been genuine and worked with evoplus_cid.

I have used evoplus_cid on a Samsung Galaxy Tab 2 (10 inch, wifi model, p5110). The tablet is running CyanogenMod 13 unofficial from here.

evoplus_cid
I’ve made a couple of updates to evoplus_cid. If you supply a full 32 digit CID (and don’t apply a serial number modifier) it will be written as is without recalculation of the checksum. This was requested by a user for cards that apparently always had a checksum of 00. Although, I’ve got a laptop that always displays 00 for the checksum when showing the CID, so I wonder now if his cards really did need that! I’ve fixed a bug when compiling on 64bit Linux that could prevent the CID being written. I’ve also fixed a bug causing the displayed CID to include some extra ‘FF’s.

Changing the CID on an SD card – Working!

(tl;dr – skip to bottom for instructions, see also update post) The CID register on SD cards is supposed to be read-only, which means it can be used to lock devices to specific SD cards, preventing the user swapping them out, which is very annoying. This can result in you being stuck with a smaller card than you’d like in a device or not being able to use a backup in case of damage.

I’ve spent a while trying to work out how to change the ID on some cards. There is surprisingly little info out there about this, when it’s easy for other devices. For example, if you want to change the supposedly read-only ID on various kinds of RFID tag you can simply buy a special version from China that allows it (often referred to as gold or magic cards). There are rumours of cheap Chinese SD cards that don’t follow the official spec and allow you to change them – I now have a large pile of cheap Chinese SD cards on my desk, but unfortunately none of them did allow it. The spec includes a command (CMD26) for writing the CID, but it’s only supposed to work once in the factory when the card is first assigned an ID. All the cards I got seemed to honour that restriction. However, there is probably some way to unlock them…

If you’ve found this page by looking for help on this topic you’ve probably already seen Bunnie Huang’s SD card hacking presentation, unfortunately I wasn’t able to track down any APPO AX211 based cards, which I thought would be my best bet.

In that presentation was mention of vendor commands for a Samsung eMMC used as the built-in storage on an Android phone. I’m not well enough versed on the technology to know quite what the difference between eMMC and SD cards is, aside from the way SD cards are packaged of course – although that might be all there is to it. Reading around they seem to work in the same way and appear the same within Linux. Then I stumbled upon SamDunk, where Sean Beaupre had managed to unlock a Samsung phone (to developer mode) by reverse engineering some of the eMMC firmware on his device and finding commands that allowed the CID to be unlocked and rewritten.

So I started buying Samsung SD cards, hoping for one with the same moviNAND core as the eMMC in their phones. I now also have a stack of Samsung SD cards on my desk, but with the last different one I found I struck gold! (Collecting Samsung cards is more expensive than cheap Chinese ones and it takes some effort to avoid getting fakes.) The Samsung EVO Plus 32GB MicroSDHC card took the commands from SamDunk and let me change the CID.

I have taken the SamDunk code and reworked it a little to make it easier to use for SD cards, but all the credit really needs to go to the original author. To use you simply need a rooted Android device with an SD card slot. Copy the evoplus_cid binary to the device and put it somewhere with a proper Linux file system (not FAT), then apply execute permission to it. Run the tool and point it to the SD card device e.g. /dev/block/mmcblk1 (you almost certainly do not want to use mmcblk0, that is likely to be the built-in storage on your device). List the /dev/block folder and make sure the device you are going to use appears and disappears as you insert and remove the SD card to be sure. Supply the new CID you want to set on the command line. If you only need to change the card serial number (part of the CID) you can supply the old CID and the new serial number and the new CID will be calculated for you. I suggest you make a note of the old CID first, in case you want to set it back later. This can be found in a file like /sys/class/mmc_host/mmc1/mmc1:0001/cid, but the path may vary, and again make sure you are looking at the right card by checking it disappears when you remove the card.

You can find the code here: https://github.com/raburton/evoplus_cid (compiled binary is in the lib folder). Use entirely at your own risk. Use only against genuine Samsung Evo Plus cards, anything else is unlikely to work and could be damaged. Even the right card could potentially be damaged!

To set a completely new CID:

# Usage: ./evoplus_cid <device> <new cid>
./evoplus_cid /dev/block/mmcblk1 744a454e2f412020106c6d77470104c3

Or to just change the serial number part of the current CID:

# Usage: ./evoplus_cid <device> <currentcid> <new serial>
./evoplus_cid /dev/block/mmcblk1 1b534d30303030301098625deb0102a1 12345678