git Service des IN-Ulm e.V. Erkunden Hilfe
Anmelden
cbiedl
/
u3-tool
1
0
Fork 0
Dateien
Struktur: 957bed6bdd
Branches Tags
u3-tool
/
doc
/
commands.txt

commands.txt 14 KB
Verlauf Originalformat

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579 
  1. 

  2. ---
    3. 

  3. 

  4. >> 0x00
    5. 

  5. description:
    6. 

  6.  Read a page with some sort of device info
    7. 

  7. 

  8. type: request
    9. 

  9. 

  10. command:
    11. 

  11. 

  12.  CBWCB = 0xFF 0x00 0x00 0x03 0x00 0x27 0x00 0x00 0x00 0x00 0x00 0x00
    13. 

  13. 

  14.  byte	data		description
    15. 

  15.  ------------------------------------------------------------------------------
    16. 

  16.  0	0xFF		SCSI opcode
    17. 

  17.  1-2	0x0000		command
    18. 

  18.  3-4	0x0003		Page number
    19. 

  19.  5-6	0x27		Request data length
    20. 

  20.  9	0x0		??? sofware update tool also uses 0x01 here
    21. 

  21. 

  22.  valid page numbers according to bCSWStatus:
    23. 

  23.   verbatime: 0x3, 0x4, 0x6, 0x8, 0xa, 0xc, 0xe, 0x13, 0x14
    24. 

  24. 

  25. data:
    26. 

  26.  6+ bytes
    27. 

  27. 

  28.  0000  03 00 01 00 27 00                                 |....'.          |
    29. 

  29. 

  30.  byte	data		description
    31. 

  31.  ------------------------------------------------------------------------------
    32. 

  32.  0-1	0x0003		page number
    33. 

  33.  2-3	0x0001		??? mostly 0x01, once 0x03
    34. 

  34.  4-5	0x0027		total usefull data length (including 6 byte header)
    35. 

  35. 

  36. 

  37. page 0x03:
    38. 

  38. 

  39.  0000  03 00 01 00 27 00 77 00  00 00 03 81 07 06 54 30  |....'.w.......T0|
    40. 

  40.  0016  30 30 30 31 31 41 31 41  41 31 31 41 41 41 31 81  |00011A1AA11AAA1.|
    41. 

  41.  0032  07 06 54 91 4e 0f 00                              |..T.N..|
    42. 

  42. 

  43.  byte	data		description
    44. 

  44.  ------------------------------------------------------------------------------
    45. 

  45.  0-5			header(see above)
    46. 

  46.  6			Real size of full record...????
    47. 

  47.  7-11			??? same for both verbatime and sandisk
    48. 

  48.  11-14	0x54060781	??? same as @ byte 31 (actual value different on verbatim)
    49. 

  49.  15-30	"000011A1AA11AAA1"	Serial number
    50. 

  50.  31-34	0x54060781	??? same as @ byte 11
    51. 

  51.  35-38	0x000f4e91	Device size in 512-byte blocks
    52. 

  52. 

  53. page 0x0c:
    54. 

  54. 

  55.  0000  0c 00 01 00 0a 00 10 27  00 00                    |.......'..      |
    56. 

  56. 

  57.  byte	data		description
    58. 

  58.  ------------------------------------------------------------------------------
    59. 

  59.  0-5			header(see above)
    60. 

  60.  6-9	0x00002710	Maximum wrong password try for secure zone.
    61. 

  61. 

  62. ---
    63. 

  63. 

  64. >> 0x20
    65. 

  65. description:
    66. 

  66.  Round CD size to a value the device likes
    67. 

  67. 

  68. type: action
    69. 

  69. 

  70. command:
    71. 

  71.  CBWCB = 0xFF 0x20 0x00 0x02 0xFF 0x03 0x00 0x00 0x00 0x00 0x00 0x00
    72. 

  72. 

  73.  byte	data		description
    74. 

  74.  ------------------------------------------------------------------------------
    75. 

  75.  0	0xFF		scsi opcode
    76. 

  76.  1-2	0x0020		command
    77. 

  77.  3	0x02		??? can atleast be 0x02 and 0x03 but not 0, 1, 4, is
    78. 

  78. 			this some sort of domain id to select the partition,
    79. 

  79. 			like in 0x21, byte 3??? the verbatim is less picky and
    80. 

  80. 			accepts all values...
    81. 

  81.  4-7	0x3FF		Value to round (in 512-byte sectors)
    82. 

  82.  8	0x0		Direction to round(0x00 = down, 0x01 = up)
    83. 

  83. 

  84. data:
    85. 

  85.  4 bytes
    86. 

  86. 

  87.  0000  00 02 00 00                                      |....|
    88. 

  88. 

  89.  byte	data		description
    90. 

  90.  ------------------------------------------------------------------------------
    91. 

  91.  0-3	0x200		Rounded value
    92. 

  92. 

  93. ---
    94. 

  94. 

  95. >> 0x21
    96. 

  96. description:
    97. 

  97.  get information about the partition configuration
    98. 

  98. 

  99. type: request
    100. 

  100. 

  101. command:
    102. 

  102.  CBWCB = 0xFF 0x21 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
    103. 

  103. 

  104.  byte	data		description
    105. 

  105.  ------------------------------------------------------------------------------
    106. 

  106. 

  107. data:
    108. 

  108. 

  109.  0000  02 02 00 00 00 91 1e 0f  00 03 01 00 00 00 30 00  |..............0.|
    110. 

  110.  can be read in any multiple of 8 all dat beyond the above data is zero(0)
    111. 

  111. 

  112.  u3-remover uses the following data(IIRC), (0x0f4e91 == full drive size):
    113. 

  113.  0000  01 02 00 00 00 91 4e 0f  00                       |.........       |
    114. 

  114. 

  115. 

  116.  byte	data		description
    117. 

  117.  ------------------------------------------------------------------------------
    118. 

  118.  0	02		amount of available records, where 1 record = 8 byte???
    119. 

  119.  1	02		??? some sort of domain id???
    120. 

  120.  3-4	00 00 00	??
    121. 

  121.  5-8	0x000F1E91	size of data partition in 512-byte sectors
    122. 

  122.  9	0x03		?? some sort of domain id????
    123. 

  123.  10	0x01		?? WARNING: If set to 0 on Sandisk cruzer, cd drive
    124. 

  124. 			will show up as direct-access, but can't be used, also
    125. 

  125. 			drive doesn't react to command 0x00, page 3 and you
    126. 

  126. 			won't be able to re-partition device!!!!
    127. 

  127.  11-12	00 00		??
    128. 

  128.  13-15	0x003000	size of cdrom partitoin in 512-byte sectors
    129. 

  129. 

  130. ---
    131. 

  131. 

  132. >> 0x22
    133. 

  133. description:
    134. 

  134.  Repartition device
    135. 

  135. 

  136. type: action
    137. 

  137. 

  138. command:
    139. 

  139.  CBWCB = 0xFF 0x22 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
    140. 

  140. 

  141.  byte	data		description
    142. 

  142.  ------------------------------------------------------------------------------
    143. 

  143. 

  144. data:
    145. 

  145.  0000  02 02 00 00 00 91 1e 0f  00 03 01 00  00 00 30 00 |..............0.|
    146. 

  146.  0016  00                                                |.               |
    147. 

  147. 

  148. 

  149.  byte	data		description
    150. 

  150.  ------------------------------------------------------------------------------
    151. 

  151.  0	0x02		amount of dword of data(+1byte+1dword=packet_size)
    152. 

  152.  1-4	0x00000002	???
    153. 

  153.  5-8	0x000f1e91	Size of data partition in 512-byte sectors
    154. 

  154.  9-12	0x00000103	??? 0x0003 make's it a direct access partition.(but can't partition afterwards, and page 3 of command 0x0000 isn't accessible anymore...)
    155. 

  155.  13-16	0x00003000	Size of CD partition in 512-byte sectors
    156. 

  156. 

  157. ---
    158. 

  158. 

  159. >> 0x42
    160. 

  160. description:
    161. 

  161.  Write block of data to CD-rom partition
    162. 

  162. 

  163. type: action
    164. 

  164. 

  165. command:
    166. 

  166.  CBWCB = 0xFF 0x42 0x00 0x01 0x00 0x00 0x01 0x1D 0x00 0x00 0x00 0x01 
    167. 

  167. 

  168.  byte	data		description
    169. 

  169.  ------------------------------------------------------------------------------
    170. 

  170.  0	0xFF		scsi opcode
    171. 

  171.  1-2	0x42		command
    172. 

  172.  3	0x01		???
    173. 

  173.  4-7	0x0000011D	Block Address (Big Endian!!!!!!!)
    174. 

  174.  8-11	0x01		??? (Big Endian?)
    175. 

  175. 

  176. data:
    177. 

  177.  A 2048 byte block
    178. 

  178. 

  179. ---
    180. 

  180. 

  181. >> 0x61
    182. 

  182. description:
    183. 

  183.  read out hidden data/config storage. Looks the same as with mDrive.
    184. 

  184. 

  185. type: request
    186. 

  186. 

  187. command:
    188. 

  188.  CBWCB = 0xFF 0x61 0x00 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
    189. 

  189. 

  190.  byte	data		description
    191. 

  191.  ------------------------------------------------------------------------------
    192. 

  192. 

  193. data:
    194. 

  194. 

  195. 

  196.  byte	data		description
    197. 

  197.  ------------------------------------------------------------------------------
    198. 

  198. 

  199. ---
    200. 

  200. 

  201. >> 0x63
    202. 

  202. description:
    203. 

  203.  read out hidden data/config storage. Looks the similar as with mDrive.
    204. 

  204. 

  205. type: request
    206. 

  206. 

  207. command:
    208. 

  208.  CBWCB = 0xFF 0x63 0x00 0x00 0x00 0x55 0x33 0x49 0x4E 0x50 0x52 0x50
    209. 

  209. 

  210.  byte	data		description
    211. 

  211.  ------------------------------------------------------------------------------
    212. 

  212. 

  213. data:
    214. 

  214. 

  215. 

  216.  byte	data		description
    217. 

  217.  ------------------------------------------------------------------------------
    218. 

  218. 

  219. ---
    220. 

  220. 

  221. >> 0xA0
    222. 

  222. description:
    223. 

  223.  get some sort of data partition information
    224. 

  224. 

  225. type: request
    226. 

  226. 

  227. command:
    228. 

  228. 

  229.  CBWCB = 0xFF 0xA0 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
    230. 

  230. 

  231.  byte	data		description
    232. 

  232.  ------------------------------------------------------------------------------
    233. 

  233. 

  234. data:
    235. 

  235.  16 byte
    236. 

  236. 

  237.  0000  40 ab 1d 00 00 00 00 00  00 00 00 00 00 00 00 00  |@...............|
    238. 

  238. 

  239.  0000  40 ab 1d 00 40 ab 1d 00  01 00 00 00 00 00 00 00  |@...@...........| (secured)
    240. 

  240. 

  241. 

  242.  byte	data		description
    243. 

  243.  ------------------------------------------------------------------------------
    244. 

  244.  0-3	0x001dab40	Total data partition size
    245. 

  245.  4-7	0x001dab40	Amount of data partition encrypted????
    246. 

  246.  8-11	0x00000001	Lock(=0) or Unlocked(=1)
    247. 

  247.  12-15	0x00000000	Wrong password try counter
    248. 

  248. 

  249. ---
    250. 

  250. 

  251. >> 0xA1
    252. 

  252. description:
    253. 

  253.  FUZED
    254. 

  254. 

  255. type: Request?
    256. 

  256. 

  257. command:
    258. 

  258. 

  259.  CBWCB = 0xFF 0xA1 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
    260. 

  260. 

  261.  byte	data		description
    262. 

  262.  ------------------------------------------------------------------------------
    263. 

  263.  0			scsi opcode
    264. 

  264.  1-2			command
    265. 

  265.  3	0		Failes on Sandisk if != 0
    266. 

  266.  4-			changing these doesn't seem to have any effect
    267. 

  267. 

  268. data:
    269. 

  269. 

  270.  data is random, and changes due to executing commands
    271. 

  271. 

  272.  byte	data		description
    273. 

  273.  ------------------------------------------------------------------------------
    274. 

  274. 

  275. 

  276. ---
    277. 

  277. 

  278. >> 0xA2
    279. 

  279. description:
    280. 

  280.  Secure data partition
    281. 

  281. 

  282.  Password hash is a md5 sum of the unicode password including the terminating
    283. 

  283.  null. So for a password of 'a' the following byte stream is fead to the md5
    284. 

  284.  function: 0x61 0x00 0x00 0x00 == UNICODE "a\0"
    285. 

  285. 

  286.  It seems that if the whole of the data partition is made secure zone, then
    287. 

  287.  the data currently on the data partition is accessible in the secure zone.
    288. 

  288.  If only a part of the data partition is made secure zone than the first part
    289. 

  289.  of the data on the partition is retained and the rest isn't accessible. In
    290. 

  290.  this case the secure zone will contain garbage(the data on that was on that
    291. 

  291.  part of the data partition but decrypted with an other key).
    292. 

  292. 

  293.  If the device is already secured and this command is issued again, the current
    294. 

  294.  data on the device is lost(if secure zone == 100%).
    295. 

  295. 

  296. type: action
    297. 

  297. 

  298. command:
    299. 

  299. 

  300.  CBWCB = 0xFF 0xA2 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
    301. 

  301. 

  302.  byte	data		description
    303. 

  303.  ------------------------------------------------------------------------------
    304. 

  304. 

  305. data:
    306. 

  306.  20 byte
    307. 

  307. 

  308.  0000  40 ab 1d 00 33 2c e7 85  e9 73 57 4a 1c 5f da f3  |@...3,...sWJ._..|
    309. 

  309.  0016  ee e3 f0 83                                       |....|
    310. 

  310. 

  311. 

  312.  byte	data		description
    313. 

  313.  ------------------------------------------------------------------------------
    314. 

  314.  0-3	0x001dab40	Size of private zone????
    315. 

  315.  4-19	...		Password hash ( pass='a')
    316. 

  316. 

  317. 

  318. ---
    319. 

  319. 

  320. >> 0xA3
    321. 

  321. description:
    322. 

  322.  value rounding for data partition securing
    323. 

  323. 

  324. type: request
    325. 

  325. 

  326. command:
    327. 

  327.  CBWCB = 0xFF 0xA3 0x00 0x00 0x40 0xAB 0x1D 0x00 0x01 0x00 0x00 0x00
    328. 

  328. 

  329.  byte	data		description
    330. 

  330.  ------------------------------------------------------------------------------
    331. 

  331.  0	0xFF		scsi opcode
    332. 

  332.  1-2	0x00A3		Command
    333. 

  333.  3	0x00		???
    334. 

  334.  4-7	0x001DAB40	Value to round (in 512-byte sectors)
    335. 

  335.  8	0x01		Direction to round(0x00 = down, 0x01 = up)
    336. 

  336.  
    337. 

  337. 

  338. data:
    339. 

  339.  4 byte
    340. 

  340. 

  341.  0000  40 ab 1d 00                                      |@...|
    342. 

  342. 

  343.  byte	data		description
    344. 

  344.  ------------------------------------------------------------------------------
    345. 

  345.  0-3	0x001DAB40	Rounded value
    346. 

  346. 

  347. ---
    348. 

  348. 

  349. >> 0xA4
    350. 

  350. description:
    351. 

  351.  unlock device
    352. 

  352. 

  353.  Password hash is a md5 sum of the unicode password including the terminating
    354. 

  354.  null. So for a password of 'a' the following byte stream is fead to the md5
    355. 

  355.  function: 0x61 0x00 0x00 0x00 == UNICODE "a\0"
    356. 

  356. 

  357. type: action
    358. 

  358. 

  359. command:
    360. 

  360. 

  361.  CBWCB = 0xFF 0xA4 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
    362. 

  362. 

  363.  byte	data		description
    364. 

  364.  ------------------------------------------------------------------------------
    365. 

  365. 

  366. data:
    367. 

  367.  16 byte
    368. 

  368. 

  369.  0000  33 2c e7 85 e9 73 57 4a  1c 5f da f3 ee e3 f0 83  |3,...sWJ._......|
    370. 

  370. 

  371.  byte	data		description
    372. 

  372.  ------------------------------------------------------------------------------
    373. 

  373.  0-15	...		password hash (pass='a')
    374. 

  374. 

  375. ---
    376. 

  376. 

  377. >> 0xA6
    378. 

  378. description:
    379. 

  379.  change password
    380. 

  380. 

  381.  Password hash is a md5 sum of the unicode password including the terminating
    382. 

  382.  null. So for a password of 'a' the following byte stream is fead to the md5
    383. 

  383.  function: 0x61 0x00 0x00 0x00 == UNICODE "a\0"
    384. 

  384. 

  385. type: action
    386. 

  386. 

  387. command:
    388. 

  388. 

  389.  CBWCB = 0xFF 0xA6 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
    390. 

  390. 

  391.  byte	data		description
    392. 

  392.  ------------------------------------------------------------------------------
    393. 

  393. 

  394. data:
    395. 

  395. 

  396.  0000  33 2c e7 85 e9 73 57 4a  1c 5f da f3 ee e3 f0 83  |3,...sWJ._......|
    397. 

  397.  0016  c0 51 c1 bb 98 b7 1c cb  15 b0 cf 9c 67 d1 43 ee  |.Q..........g.C.|
    398. 

  398. 

  399.  byte	data		description
    400. 

  400.  ------------------------------------------------------------------------------
    401. 

  401.  0-15	...		Old password hash ( pass='a')
    402. 

  402.  16-31	...		New password hash ( pass='b')
    403. 

  403. 

  404. ---
    405. 

  405. 

  406. >> 0xA7
    407. 

  407. description:
    408. 

  408.  Remove security
    409. 

  409. 

  410.  Password hash is a md5 sum of the unicode password including the terminating
    411. 

  411.  null. So for a password of 'a' the following byte stream is fead to the md5
    412. 

  412.  function: 0x61 0x00 0x00 0x00 == UNICODE "a\0"
    413. 

  413. 

  414.  hmm... if security zone size != size of data partition, then this fails!!!
    415. 

  415.  it returns a failed status but doesn't increase the password try counter,
    416. 

  416.  even if password was incorrect.... to remove the secure zone if it doesn't
    417. 

  417.  fully occupy the data partition, recreate the secure zone with maximum size.
    418. 

  418.  > Possible cause: If this command is issued the secure zone becomes the public
    419. 

  419.  zone, and thus all data on the disk will be retained. It is suspected that all
    420. 

  420.  partitions/zones are stored encrypted on the flash device(Yes, even the public
    421. 

  421.  zone). So, if this command is issued the secure zone key is decrypted(if
    422. 

  422.  encrypted at all) and the zone is marked as public. Logically this would not
    423. 

  423.  work if there is a public and secure zone. Then you would end up with two
    424. 

  424.  public zone's with different encryptions keys.
    425. 

  425. 

  426.  Byte 3 of command does something... but still doesn't allow for removing half
    427. 

  427.  secure zones.
    428. 

  428. 

  429. type: action
    430. 

  430. 

  431. command:
    432. 

  432. 

  433.  CBWCB = 0xFF 0xA7 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
    434. 

  434. 

  435.  byte	data		description
    436. 

  436.  ------------------------------------------------------------------------------
    437. 

  437. 

  438. data:
    439. 

  439. 

  440.  0000  c0 51 c1 bb 98 b7 1c cb  15 b0 cf 9c 67 d1 43 ee  |.Q..........g.C.|
    441. 

  441. 

  442.  byte	data		description
    443. 

  443.  ------------------------------------------------------------------------------
    444. 

  444.  0-15	...		Password hash (in this case 'b')
    445. 

  445. 

  446. ---
    447. 

  447. 

  448. >> 0x100
    449. 

  449. description:
    450. 

  450.  seen used after a 0xA4(with some normal scsi stuff in between...).
    451. 

  451.  generate reset some sort of reset or insert condition on data disk. Linux old 2.4
    452. 

  452.  usb-storage sees it as a disconnect of the drive.
    453. 

  453. 

  454. type: 
    455. 

  455. 

  456. command:
    457. 

  457. 

  458.  CBWCB = 0xFF 0x00 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
    459. 

  459. 

  460.  byte	data		description
    461. 

  461.  ------------------------------------------------------------------------------
    462. 

  462. 

  463. data:
    464. 

  464.  No data....
    465. 

  465. 

  466. 

  467. ---
    468. 

  468. 

  469. >> 0x101
    470. 

  470. description:
    471. 

  471.  disconnect's and possibly reconnects device
    472. 

  472. 

  473. type: action
    474. 

  474. 

  475. command:
    476. 

  476. 

  477.  CBWCB = 0xFF 0x01 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 
    478. 

  478. 

  479.  byte	data		description
    480. 

  480.  ------------------------------------------------------------------------------
    481. 

  481. 

  482. data:
    483. 

  483.   12 bytes
    484. 

  484. 

  485.   0000  50 00 00 00 40 9c 00 00  01 00 00 00              |P...@.......|
    486. 

  486. 

  487.  byte	data		description
    488. 

  488.  ------------------------------------------------------------------------------
    489. 

  489.  8	0x01		If 1 reconnect after disconnect, else not
    490. 

  490.  all other byte's dont seem to have any effect...
    491. 

  491. 

  492. ---
    493. 

  493. 

  494. >> 0x103
    495. 

  495. description:
    496. 

  496. Get chip maker and version
    497. 

  497. 

  498. type: request
    499. 

  499. 

  500. command:
    501. 

  501. 

  502.  CBWCB = 0xFF 0x03 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
    503. 

  503. 

  504.  byte	data		description
    505. 

  505.  ------------------------------------------------------------------------------
    506. 

  506. 

  507. data:
    508. 

  508.  24 bytes
    509. 

  509. 

  510.  0000  33 2e 32 31 00 00 00 00  53 61 6e 44 69 73 6b 20  |3.21....SanDisk |
    511. 

  511.  0016  00 00 00 00 00 00 00 00                           |........|
    512. 

  512. 

  513.  byte	data		description
    514. 

  514.  ------------------------------------------------------------------------------
    515. 

  515.  0-7	"3.21"		Chip version
    516. 

  516.  8-23	"SanDisk"	Chip maker
    517. 

  517. 

  518. 

  519. 

  520. 

  521. 

  522. 

  523. 

  524. possible read commands:
    525. 

  525. 0x20
    526. 

  526. 0x21
    527. 

  527. 0x61
    528. 

  528. 0x63
    529. 

  529. 0x68
    530. 

  530. 0x6b 512?
    531. 

  531. 0x81 128-byte
    532. 

  532. 0x84 64-byte
    533. 

  533. 0x85 64-byte
    534. 

  534. 0x88 64-byte
    535. 

  535. 0xa1 4-byte
    536. 

  536. 0xc1
    537. 

  537. 0xe2 = read random?, 64-byte
    538. 

  538. 

  539. 0x102 512-byte
    540. 

  540. 

  541. Write:
    542. 

  542. 0x01 -> 0x1f
    543. 

  543. 0x22 -> 0x40
    544. 

  544. 0x42
    545. 

  545. 0x60
    546. 

  546. 0x62
    547. 

  547. 0x6a
    548. 

  548. 0x6c
    549. 

  549. 0x6d
    550. 

  550. 0x6e
    551. 

  551. 0x82 128 byte
    552. 

  552. 0x83 64 byte?
    553. 

  553. 0x86
    554. 

  554. 0x87
    555. 

  555. 0xc0
    556. 

  556. 0xc2
    557. 

  557. 

  558. 

  559. 

  560. 

  561. ---
    562. 

  562. 

  563. >>
    564. 

  564. description:
    565. 

  565. 

  566. type: 
    567. 

  567. 

  568. command:
    569. 

  569. 

  570.  byte	data		description
    571. 

  571.  ------------------------------------------------------------------------------
    572. 

  572. 

  573. data:
    574. 

  574. 

  575. 

  576.  byte	data		description
    577. 

  577.  ------------------------------------------------------------------------------
    578. 

  578. 

  579.