Posted: Tue Apr 22, 2008 11:52 Post subject: Password-protected flash drive
I have a fully working, password-protected flash drive.
I don't have the model yet, but I'll find out when the client brings it in. The client forgot the password.
I have just one question.
If the chip is desoldered and read out, will the data be accessible?
Please advise. Has anyone run into this problem?
The flash drive is locked with the NTI Ninja program.
It identifies itself on the bus as 0x1307:0x1169. I say unfortunately because it doesn't work under Linux. How it works under Windows: after it is plugged in, two disks are visible. One is a read-only USB disk, the other is a CDROM; they have similar contents. On them is a Windows binary that starts automatically and lets the user scan a finger or enter the master password. After the password is checked, the read-only USB disk disappears and a read-write disk that can be used appears.
I've succeeded in enabling the write-protected disk with the following simple script. You need to install the Plscsi program, which makes SCSI access from the shell easier. No need to check the password, you can just run the command as root. It seems that the "protection" is not protection at all, ADATA is very unprofessional here. After that, unmount the flash drive and run the following:
#!/bin/sh
# First we need to unmount devices, then mount them again, note
# that actual device may be different, it can be sdc or sda depending
# on the number of your SCSI disks.
Important: /dev/sdb is specific to your hardware setup, it can be sdc or sda if you have another usb or scsi device.
Ludek Finstrle (ludek dot finstrle at pzkagis dot cz) reported that in a similar way you can enable write protection under Windows. It needs administrator rights (to access the PLSCSI device):
set PLSCSI=\\.\PHYSICALDRIVE1
- the number can change in the same way as sda, sdb, ...
This command changes read/write (even on the small 4MB partition).
Please note that with F1 you can rewrite the contents of the small read-only USB partition, but I suggest you avoid it, since it's dangerous.
I have dug into this device with a USB sniffer, and here is all the info I've collected so far. Of course we can support additional functionality like scanning on this device but it requires some effort.
I blame ADATA since they rejected all my suggestions and haven't provided any useful information.
Here are the commands that are used in SCSI bulk requests:
00 TEST_UNIT_READY
03 REQUEST SENSE
12 INQUIRY
1A MODE SENSE
1E ALLOW MEDIUM REMOVAL
25 READ_CAPACITY
28 READ_10
2A WRITE_10
CF ---- ???
F1 ---- Change read/write (even on small USB partition)
F6 ---- ???
FC ---- Switch partitions (0 - small, 1 - big)
FD ---- ???
Command format:
/* command block wrapper */
struct bulk_cb_wrap {
    __le32 Signature;          /* contains 'USBC' */
    __u32  Tag;                /* unique per command id */
    __le32 DataTransferLength; /* size of data */
    __u8   Flags;              /* direction in bit 0 */
    __u8   Lun;                /* LUN normally 0 */
    __u8   Length;             /* of the CDB */
    __u8   CDB[16];            /* max command */
};
--------------------------------------------------------------------------
Scanning the finger
002098: Bulk or Interrupt Transfer (UP), 25.04.2006 20:14:31.8045088 +0.0
Pipe Handle: 0x812734bc (Endpoint Address: 0x1)
Send 0x2800 bytes to the device:
5A 41 52 44 00 00 00 00 00 00 00 00 00 00 00 00 ZARD............
................................. Here goes the data
about passwords encrypted
with hash like in passwd
002099: Bulk or Interrupt Transfer (UP), 25.04.2006 20:14:31.8045088 +0.0
Pipe Handle: 0x812734dc (Endpoint Address: 0x82)
Get 0xd bytes from the device:
55 53 42 53 08 70 BD FB 00 00 00 00 00 USBS.p?u.....
Now we know that the following enables write access:
004109: Bulk or Interrupt Transfer (UP), 25.04.2006 20:14:42.5800032 +0.0
Pipe Handle: 0x812734bc (Endpoint Address: 0x1)
Send 0x1f bytes to the device:
55 53 42 43 D8 31 4F FC 00 00 00 00 00 00 0A FC USBCO1Ou.......u
00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ...............
004110: Bulk or Interrupt Transfer (UP), 25.04.2006 20:14:42.5800032 +0.0
Pipe Handle: 0x812734dc (Endpoint Address: 0x82)
Get 0xd bytes from the device:
004100: Bulk or Interrupt Transfer (UP), 25.04.2006 20:14:42.5800032 +0.0
Pipe Handle: 0x812734dc (Endpoint Address: 0x82)
Get 0x4 bytes from the device:
00 00 66 00
004101: Bulk or Interrupt Transfer (UP), 25.04.2006 20:14:42.5800032 +0.0
Pipe Handle: 0x812734dc (Endpoint Address: 0x82)
Get 0xd bytes from the device:
55 53 42 53 D8 31 4F FC 00 00 00 00 00 USBSO1Ou.....
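
Added example (not part of the original post or of the write-up it quotes): a decoder for the sniffer dumps above that strips the ASCII column, unpacks the 31-byte command block wrapper according to struct bulk_cb_wrap, and pairs it with the 13-byte 'USBS' status reply by tag. The status-wrapper layout (signature, tag, residue, status byte) is taken from the USB mass-storage Bulk-Only Transport specification rather than from the post, and all function names are illustrative.

```python
import re
import struct

# Opcode names as listed in the post; anything else is reported as unknown.
OPCODES = {0x00: "TEST_UNIT_READY", 0x03: "REQUEST SENSE", 0x12: "INQUIRY",
           0x1A: "MODE SENSE", 0x1E: "ALLOW MEDIUM REMOVAL",
           0x25: "READ_CAPACITY", 0x28: "READ_10", 0x2A: "WRITE_10",
           0xF1: "Change read/write", 0xFC: "Switch partitions"}

# Dump rows copied from the capture in the post (ASCII column included).
CBW_DUMP = ["55 53 42 43 D8 31 4F FC 00 00 00 00 00 00 0A FC USBCO1Ou.......u",
            "00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ..............."]
CSW_DUMP = ["55 53 42 53 D8 31 4F FC 00 00 00 00 00 USBSO1Ou....."]

def dump_to_bytes(rows):
    """Keep the leading hex-byte tokens of each row (16 max), drop the ASCII column."""
    out = bytearray()
    for row in rows:
        for n, tok in enumerate(row.split()):
            if n == 16 or not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                break
            out.append(int(tok, 16))
    return bytes(out)

def parse_cbw(raw):
    """Unpack a 31-byte command block wrapper laid out as struct bulk_cb_wrap."""
    if len(raw) != 31:
        raise ValueError("CBW must be 31 bytes, got %d" % len(raw))
    sig, tag, data_len, flags, lun, cdb_len, cdb = struct.unpack("<4s4sIBBB16s", raw)
    if sig != b"USBC" or not 1 <= cdb_len <= 16:
        raise ValueError("not a valid CBW")
    cdb = cdb[:cdb_len]  # only the first Length bytes of CDB[16] are meaningful
    return {"tag": tag, "data_len": data_len, "flags": flags, "lun": lun,
            "cdb": cdb, "opcode": OPCODES.get(cdb[0], "unknown")}

def parse_csw(raw):
    """Unpack a 13-byte status wrapper: 'USBS', tag, residue, status (0 = passed)."""
    if len(raw) != 13:
        raise ValueError("CSW must be 13 bytes, got %d" % len(raw))
    sig, tag, residue, status = struct.unpack("<4s4sIB", raw)
    if sig != b"USBS":
        raise ValueError("not a valid CSW")
    return {"tag": tag, "residue": residue, "status": status}

def decode_exchange(cbw_rows, csw_rows):
    """Decode one command/status pair and refuse to pair mismatched tags."""
    cbw, csw = parse_cbw(dump_to_bytes(cbw_rows)), parse_csw(dump_to_bytes(csw_rows))
    if cbw["tag"] != csw["tag"]:
        raise ValueError("status reply belongs to a different command")
    return cbw["opcode"], cbw["cdb"].hex(" "), csw["status"]

if __name__ == "__main__":
    print(decode_exchange(CBW_DUMP, CSW_DUMP))
```

The tag is compared as raw bytes, so the decoder does not depend on how the host chose to encode it.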