How is the capacity of a harddisk faked?

FAT32 has a master table with free space. You can hexedit that master table to show any amount of free space. I've had a floppy disc sized 3.7 GB for ages now.


The hardware is not modified - the file table is simply modified to fool the OS. During a format the file table gets wiped and thus the genuine capacity reading is restored.

You can get caught by this type of cheap fake flash drive, or even hard drive, in China all the time if you go to a non-reputable seller.


Until I saw your message I was sure it was a different controller - using a modified controller, you can tell anything you like to the OS. But given that the format modifies this behaviour, it means that some kind of trickery took place in the file system level as well. This raises two options:

  • This is a modification of the controller that simply doesn't work after formatting because it depends on a file system modification (which still seems more likely to me).

  • There is another way to do this without a hardware modification, e.g. by modifying a free blocks linked list to be circular (I am not familiar enough with the specifics of FAT32 to decide if this is possible - might check in a few days if no one else does first...).

EDIT: It is naive to assume FAT32 is being used, a much more likely scenario is that a different file system that inadvertently allows such circular free space management trickery is used (as long as that file system is also supported by the OS - it would be virtually invisible to the user). This makes looking at such a device much more interesting...


Here is how you create a 1,000,000,000,000 bytes (1 TB) disk on key (using Linux):

  1. Create fake formatted 1 TB disk:

    mkdosfs -C temp_file 1000000000
    
  2. Check that it really happened:

    ls -lh temp_file
    
  3. Connect your DoK and check how it was mounted:

    mount
    
  4. Find the device name, something like /dev/sdb1 (If you make a mistake here, you might ruin some other disk connected to the system, so be careful!)

  5. Unmount it:

    sudo umount /dev/sdb1
    
  6. Find out the size of our FAT table:

    ls -s temp_file
    

(The first number is the size in kilobytes)

  7. Copy over to DoK:

    echo "head -c [size_from_above]K temp_file > /dev/sdb1" | sudo sh
    
  8. Freak out your friend! You can mount it locally for playing around like this:

    mkdir test
    sudo mount temp_file test -o loop
    

Quite simple,

The flash chip controller contains some settings: Product ID, Vendor ID, and the number & size of flash chips.

By taking an older device with a small chip and overwriting the firmware with a wrong number of flash chips, the total drive capacity will be larger than the number of installed flash chips.

Because the number of address lines has not changed, the chip will always be written to. For example, the first 128 MB will be written, then the next chip is selected, then another 128 MB will be written.

Because there is only one chip, the select line is not connected and the second flash chip's data overwrites the first chip's data.

Because the controller reports the size of all the chips, including the ones that are not connected, to the OS, the OS will happily format it at the wrong size.
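A capacity check a buyer can run to catch the aliasing this answer describes (writes past the real flash landing on earlier data), as an added example that is not from any answer on this page: the drive is simulated by a constructed `AliasingFlash` class whose addresses wrap around at the real capacity, and `tag`, `find_real_capacity`, `BLOCK` and the sizes are all assumptions made for the demo.

```python
import hashlib
import os
from typing import Optional

BLOCK = 4096  # probe granularity: one 4 KiB block per sampled offset

class AliasingFlash:
    """Constructed stand-in for a drive whose controller advertises `reported`
    bytes while only `real` bytes of flash exist: addresses past the end of
    the real chip wrap around, so later writes land on earlier data."""

    def __init__(self, real: int, reported: int):
        self.real, self.reported = real, reported
        self._mem = bytearray(real)

    def write(self, offset: int, data: bytes) -> None:
        if offset + len(data) > self.reported:
            raise OSError("write beyond advertised capacity")
        o = offset % self.real  # assumed wrap-around (plain address aliasing)
        self._mem[o:o + len(data)] = data

    def read(self, offset: int, n: int) -> bytes:
        o = offset % self.real
        return bytes(self._mem[o:o + n])

def tag(offset: int, seed: bytes) -> bytes:
    """Block content unique per offset (and per run, via `seed`), so a
    read-back reveals whose data is really stored at a location."""
    h = hashlib.sha256(seed + offset.to_bytes(8, "big")).digest()
    return (h * (BLOCK // len(h) + 1))[:BLOCK]

def find_real_capacity(dev, samples: int = 64) -> Optional[int]:
    """Write a tagged block at evenly spaced offsets across the advertised
    size; after each write, re-read every block written so far. The first
    write that destroys an earlier block marks where the physical flash ran
    out. Returns that offset, or None if every sampled write survived."""
    seed = os.urandom(16)
    step = max(BLOCK, (dev.reported // samples) // BLOCK * BLOCK)
    written = []
    for off in range(0, dev.reported - BLOCK + 1, step):
        dev.write(off, tag(off, seed))
        if any(dev.read(o, BLOCK) != tag(o, seed) for o in written):
            return off
        written.append(off)
    return None

if __name__ == "__main__":  # demo sizes are constructed, not a real device
    fake = AliasingFlash(real=16 * 2**20, reported=128 * 2**20)
    print("physical flash appears to end at byte", find_real_capacity(fake))
```

Against a real drive the same loop would run over the raw block device with os.pread/os.pwrite and a larger step, which destroys whatever is stored on it, so it is a test for a freshly bought drive, not a mounted one. The file-table trick earlier on the page is caught differently: compare the free space the file system reports with the size of the block device itself.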