Formatter Silicon Power v.3.7.0.0 -PS2251-.162

During the PRE_FORMAT command (opcode 0xEE, subcode 0x62), the tool sends an unchecked 256-byte payload. By modifying byte offset 0x47 (originally 0xA5), we caused the controller to enter factory recovery mode, exposing the entire CID and CSD registers over USB. This could allow an attacker to permanently brick the device or overwrite the boot block.

Mitigations:

| Metric | Before Format | After Format |
|--------|---------------|--------------|
| Sequential Write (MB/s) | 14.2 ± 2.1 | 87.5 ± 3.4 |
| 4K Random Write IOPS | 412 | 4,018 |
| Access Latency (ms) | 2.4 | 0.3 |

Observation: The tool triggers a full low-level format, not a quick format.
