- ---
- >> 0x00
- description:
- Read a page with some sort of device info
- type: request
- command:
- CBWCB = 0xFF 0x00 0x00 0x03 0x00 0x27 0x00 0x00 0x00 0x00 0x00 0x00
- byte data description
- ------------------------------------------------------------------------------
- 0 0xFF SCSI opcode
- 1-2 0x0000 command
- 3-4 0x0003 Page number
- 5-6 0x27 Request data length
- 9 0x0 ??? software update tool also uses 0x01 here
- valid page numbers according to bCSWStatus:
- Verbatim: 0x3, 0x4, 0x6, 0x8, 0xa, 0xc, 0xe, 0x13, 0x14
- data:
- 6+ bytes
- 0000 03 00 01 00 27 00 |....'. |
- byte data description
- ------------------------------------------------------------------------------
- 0-1 0x0003 page number
- 2-3 0x0001 ??? mostly 0x01, once 0x03
- 4-5 0x0027 total useful data length (including 6 byte header)
- page 0x03:
- 0000 03 00 01 00 27 00 77 00 00 00 03 81 07 06 54 30 |....'.w.......T0|
- 0016 30 30 30 31 31 41 31 41 41 31 31 41 41 41 31 81 |00011A1AA11AAA1.|
- 0032 07 06 54 91 4e 0f 00 |..T.N..|
- byte data description
- ------------------------------------------------------------------------------
- 0-5 header(see above)
- 6 Real size of full record...????
- 7-11 ??? same for both Verbatim and SanDisk
- 11-14 0x54060781 ??? same as @ byte 31 (actual value different on verbatim)
- 15-30 "000011A1AA11AAA1" Serial number
- 31-34 0x54060781 ??? same as @ byte 11
- 35-38 0x000f4e91 Device size in 512-byte blocks
- page 0x0c:
- 0000 0c 00 01 00 0a 00 10 27 00 00 |.......'.. |
- byte data description
- ------------------------------------------------------------------------------
- 0-5 header(see above)
- 6-9 0x00002710 Maximum wrong password try for secure zone.
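A parser for the command 0x00 responses documented above, as an added example that is not part of the original notes. The function names are hypothetical; the sample bytes are constructed from the page 0x03 and page 0x0c dumps, and all multi-byte fields are read little-endian as those dumps show.

```python
import struct

# Constructed from the hex dumps above (page 0x03 and page 0x0c).
PAGE_03 = bytes.fromhex(
    "03 00 01 00 27 00 77 00 00 00 03 81 07 06 54 30 "
    "30 30 30 31 31 41 31 41 41 31 31 41 41 41 31 81 "
    "07 06 54 91 4e 0f 00")
PAGE_0C = bytes.fromhex("0c 00 01 00 0a 00 10 27 00 00")

HEADER_LEN = 6  # page number, unknown word, total useful length


def parse_page(buf, expected_page):
    """Validate the 6-byte header and return exactly the useful bytes."""
    if len(buf) < HEADER_LEN:
        raise ValueError("short read: header is 6 bytes")
    page, _unknown, total_len = struct.unpack_from("<HHH", buf, 0)
    if page != expected_page:
        raise ValueError("asked for page 0x%x, got 0x%x" % (expected_page, page))
    if total_len < HEADER_LEN:
        raise ValueError("total length smaller than the header itself")
    # A header-only read (as in the 6-byte sample) reports the full length;
    # the caller has to re-issue the request with that length.
    if total_len > len(buf):
        raise ValueError("truncated: device reports %d bytes" % total_len)
    return buf[:total_len]


def parse_page_03(buf):
    """Serial number (bytes 15-30) and device size (bytes 35-38)."""
    body = parse_page(buf, 0x03)
    if len(body) < 39:
        raise ValueError("page 0x03 needs 39 bytes")
    serial = body[15:31].decode("ascii")
    (blocks,) = struct.unpack_from("<I", body, 35)
    return {"serial": serial, "blocks": blocks, "bytes": blocks * 512}


def parse_page_0c(buf):
    """Maximum wrong password tries for the secure zone (bytes 6-9)."""
    body = parse_page(buf, 0x0C)
    if len(body) < 10:
        raise ValueError("page 0x0c needs 10 bytes")
    (max_tries,) = struct.unpack_from("<I", body, 6)
    return max_tries
```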
- ---
- >> 0x20
- description:
- Round CD size to a value the device likes
- type: action
- command:
- CBWCB = 0xFF 0x20 0x00 0x02 0xFF 0x03 0x00 0x00 0x00 0x00 0x00 0x00
- byte data description
- ------------------------------------------------------------------------------
- 0 0xFF scsi opcode
- 1-2 0x0020 command
- 3 0x02 ??? can at least be 0x02 and 0x03 but not 0, 1, 4, is
- this some sort of domain id to select the partition,
- like in 0x21, byte 3??? the Verbatim is less picky and
- accepts all values...
- 4-7 0x3FF Value to round (in 512-byte sectors)
- 8 0x0 Direction to round(0x00 = down, 0x01 = up)
- data:
- 4 bytes
- 0000 00 02 00 00 |....|
- byte data description
- ------------------------------------------------------------------------------
- 0-3 0x200 Rounded value
- ---
- >> 0x21
- description:
- get information about the partition configuration
- type: request
- command:
- CBWCB = 0xFF 0x21 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
- byte data description
- ------------------------------------------------------------------------------
- data:
- 0000 02 02 00 00 00 91 1e 0f 00 03 01 00 00 00 30 00 |..............0.|
- can be read in any multiple of 8; all data beyond the above data is zero (0)
- u3-remover uses the following data(IIRC), (0x0f4e91 == full drive size):
- 0000 01 02 00 00 00 91 4e 0f 00 |......... |
- byte data description
- ------------------------------------------------------------------------------
- 0 02 amount of available records, where 1 record = 8 byte???
- 1 02 ??? some sort of domain id???
- 3-4 00 00 00 ??
- 5-8 0x000F1E91 size of data partition in 512-byte sectors
- 9 0x03 ?? some sort of domain id????
- 10 0x01 ?? WARNING: If set to 0 on SanDisk Cruzer, CD drive
- will show up as direct-access, but can't be used, also
- drive doesn't react to command 0x00, page 3 and you
- won't be able to re-partition device!!!!
- 11-12 00 00 ??
- 13-15 0x003000 size of cdrom partition in 512-byte sectors
- ---
- >> 0x22
- description:
- Repartition device
- type: action
- command:
- CBWCB = 0xFF 0x22 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
- byte data description
- ------------------------------------------------------------------------------
- data:
- 0000 02 02 00 00 00 91 1e 0f 00 03 01 00 00 00 30 00 |..............0.|
- 0016 00 |. |
- byte data description
- ------------------------------------------------------------------------------
- 0 0x02 amount of dword of data(+1byte+1dword=packet_size)
- 1-4 0x00000002 ???
- 5-8 0x000f1e91 Size of data partition in 512-byte sectors
- 9-12 0x00000103 ??? 0x0003 makes it a direct access partition (but can't partition afterwards, and page 3 of command 0x0000 isn't accessible anymore...)
- 13-16 0x00003000 Size of CD partition in 512-byte sectors
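A sanity check to run over a 0x22 data payload before it is sent, as an added example that is not part of the original notes. It follows the 17-byte field layout above and the byte 10 warning from the 0x21 entry; the function name is hypothetical, and the rule that both partitions must fit inside the device size from page 0x03 is an assumption drawn from the sample values (0x0f1e91 + 0x3000 = 0x0f4e91).

```python
import struct

# Constructed from the 17-byte 0x22 data dump shown above.
SAMPLE_0X22 = bytes.fromhex(
    "02 02 00 00 00 91 1e 0f 00 03 01 00 00 00 30 00 00")
DEVICE_BLOCKS = 0x000F4E91  # device size reported by command 0x00, page 0x03


def check_repartition(payload, device_blocks):
    """Return a list of problems in a 0x22 data payload (empty list = none)."""
    if len(payload) != 17:
        return ["payload must be 17 bytes, got %d" % len(payload)]
    # byte 0, then four little-endian dwords at offsets 1, 5, 9 and 13
    _count, _unk, data_blocks, kind, cd_blocks = struct.unpack("<BIIII", payload)
    problems = []
    # Byte 10 is the second byte of the dword at 9-12 (0x0103 in the sample).
    # The notes warn that a zero here leaves a SanDisk Cruzer unable to be
    # re-partitioned and makes page 3 of command 0x00 unreadable.
    if (kind >> 8) & 0xFF == 0:
        problems.append("byte 10 is 0: device cannot be re-partitioned afterwards")
    # Assumption (not stated in the notes): data + CD must fit in the device.
    if data_blocks + cd_blocks > device_blocks:
        problems.append("partitions need %d sectors, device has %d"
                        % (data_blocks + cd_blocks, device_blocks))
    return problems
```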
- ---
- >> 0x42
- description:
- Write block of data to CD-rom partition
- type: action
- command:
- CBWCB = 0xFF 0x42 0x00 0x01 0x00 0x00 0x01 0x1D 0x00 0x00 0x00 0x01
- byte data description
- ------------------------------------------------------------------------------
- 0 0xFF scsi opcode
- 1-2 0x42 command
- 3 0x01 ???
- 4-7 0x0000011D Block Address (Big Endian!!!!!!!)
- 8-11 0x01 ??? (Big Endian?)
- data:
- A 2048 byte block
- ---
- >> 0x61
- description:
- read out hidden data/config storage. Looks the same as with mDrive.
- type: request
- command:
- CBWCB = 0xFF 0x61 0x00 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
- byte data description
- ------------------------------------------------------------------------------
- data:
- byte data description
- ------------------------------------------------------------------------------
- ---
- >> 0x63
- description:
- read out hidden data/config storage. Looks similar to mDrive.
- type: request
- command:
- CBWCB = 0xFF 0x63 0x00 0x00 0x00 0x55 0x33 0x49 0x4E 0x50 0x52 0x50
- byte data description
- ------------------------------------------------------------------------------
- data:
- byte data description
- ------------------------------------------------------------------------------
- ---
- >> 0xA0
- description:
- get some sort of data partition information
- type: request
- command:
- CBWCB = 0xFF 0xA0 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
- byte data description
- ------------------------------------------------------------------------------
- data:
- 16 byte
- 0000 40 ab 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 |@...............|
- 0000 40 ab 1d 00 40 ab 1d 00 01 00 00 00 00 00 00 00 |@...@...........| (secured)
- byte data description
- ------------------------------------------------------------------------------
- 0-3 0x001dab40 Total data partition size
- 4-7 0x001dab40 Amount of data partition encrypted????
- 8-11 0x00000001 Lock(=0) or Unlocked(=1)
- 12-15 0x00000000 Wrong password try counter
- ---
- >> 0xA1
- description:
- FUZED
- type: Request?
- command:
- CBWCB = 0xFF 0xA1 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
- byte data description
- ------------------------------------------------------------------------------
- 0 scsi opcode
- 1-2 command
- 3 0 Fails on SanDisk if != 0
- 4- changing these doesn't seem to have any effect
- data:
- data is random, and changes due to executing commands
- byte data description
- ------------------------------------------------------------------------------
- ---
- >> 0xA2
- description:
- Secure data partition
- Password hash is an MD5 sum of the unicode password including the terminating
- null. So for a password of 'a' the following byte stream is fed to the md5
- function: 0x61 0x00 0x00 0x00 == UNICODE "a\0"
- It seems that if the whole of the data partition is made secure zone, then
- the data currently on the data partition is accessible in the secure zone.
- If only a part of the data partition is made secure zone then the first part
- of the data on the partition is retained and the rest isn't accessible. In
- this case the secure zone will contain garbage (the data that was on that
- part of the data partition, but decrypted with another key).
- If the device is already secured and this command is issued again, the current
- data on the device is lost (if secure zone == 100%).
- type: action
- command:
- CBWCB = 0xFF 0xA2 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
- byte data description
- ------------------------------------------------------------------------------
- data:
- 20 byte
- 0000 40 ab 1d 00 33 2c e7 85 e9 73 57 4a 1c 5f da f3 |@...3,...sWJ._..|
- 0016 ee e3 f0 83 |....|
- byte data description
- ------------------------------------------------------------------------------
- 0-3 0x001dab40 Size of private zone????
- 4-19 ... Password hash ( pass='a')
- ---
- >> 0xA3
- description:
- value rounding for data partition securing
- type: request
- command:
- CBWCB = 0xFF 0xA3 0x00 0x00 0x40 0xAB 0x1D 0x00 0x01 0x00 0x00 0x00
- byte data description
- ------------------------------------------------------------------------------
- 0 0xFF scsi opcode
- 1-2 0x00A3 Command
- 3 0x00 ???
- 4-7 0x001DAB40 Value to round (in 512-byte sectors)
- 8 0x01 Direction to round(0x00 = down, 0x01 = up)
-
- data:
- 4 byte
- 0000 40 ab 1d 00 |@...|
- byte data description
- ------------------------------------------------------------------------------
- 0-3 0x001DAB40 Rounded value
- ---
- >> 0xA4
- description:
- unlock device
- Password hash is an MD5 sum of the unicode password including the terminating
- null. So for a password of 'a' the following byte stream is fed to the md5
- function: 0x61 0x00 0x00 0x00 == UNICODE "a\0"
- type: action
- command:
- CBWCB = 0xFF 0xA4 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
- byte data description
- ------------------------------------------------------------------------------
- data:
- 16 byte
- 0000 33 2c e7 85 e9 73 57 4a 1c 5f da f3 ee e3 f0 83 |3,...sWJ._......|
- byte data description
- ------------------------------------------------------------------------------
- 0-15 ... password hash (pass='a')
- ---
- >> 0xA6
- description:
- change password
- Password hash is an MD5 sum of the unicode password including the terminating
- null. So for a password of 'a' the following byte stream is fed to the md5
- function: 0x61 0x00 0x00 0x00 == UNICODE "a\0"
- type: action
- command:
- CBWCB = 0xFF 0xA6 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
- byte data description
- ------------------------------------------------------------------------------
- data:
- 0000 33 2c e7 85 e9 73 57 4a 1c 5f da f3 ee e3 f0 83 |3,...sWJ._......|
- 0016 c0 51 c1 bb 98 b7 1c cb 15 b0 cf 9c 67 d1 43 ee |.Q..........g.C.|
- byte data description
- ------------------------------------------------------------------------------
- 0-15 ... Old password hash ( pass='a')
- 16-31 ... New password hash ( pass='b')
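The password encoding and the data layouts of commands 0xA2, 0xA4 and 0xA6 as described above, as an added example that is not part of the original notes. Function names are hypothetical; "UNICODE" is taken to mean 16-bit little-endian code units with a 2-byte terminator, which is what the 0x61 0x00 0x00 0x00 stream for 'a' shows, and the handling of characters outside the basic plane is an assumption.

```python
import hashlib
import struct


def password_preimage(password):
    """Bytes fed to MD5: the password plus terminating NUL, 2 bytes per unit."""
    return (password + "\0").encode("utf-16-le")


def password_hash(password):
    """16-byte MD5 digest as it appears in the data phase of 0xA2/0xA4/0xA6."""
    # The device is sent this digest itself, not the password.
    return hashlib.md5(password_preimage(password)).digest()


def secure_payload(zone_sectors, password):
    """0xA2 data: 4-byte little-endian zone size, then the hash (20 bytes)."""
    return struct.pack("<I", zone_sectors) + password_hash(password)


def unlock_payload(password):
    """0xA4 data: the hash alone (16 bytes)."""
    return password_hash(password)


def change_payload(old_password, new_password):
    """0xA6 data: old hash followed by new hash (32 bytes)."""
    return password_hash(old_password) + password_hash(new_password)


def split_change_payload(payload):
    """Split a captured 0xA6 data block back into (old_hash, new_hash)."""
    if len(payload) != 32:
        raise ValueError("0xA6 data is 32 bytes, got %d" % len(payload))
    return payload[:16], payload[16:]
```

Hashing the plain ASCII or UTF-8 bytes of the password gives a different digest, so a tool that skips the 16-bit encoding or the terminator will be rejected by the device.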
- ---
- >> 0xA7
- description:
- Remove security
- Password hash is an MD5 sum of the unicode password including the terminating
- null. So for a password of 'a' the following byte stream is fed to the md5
- function: 0x61 0x00 0x00 0x00 == UNICODE "a\0"
- hmm... if security zone size != size of data partition, then this fails!!!
- it returns a failed status but doesn't increase the password try counter,
- even if password was incorrect.... to remove the secure zone if it doesn't
- fully occupy the data partition, recreate the secure zone with maximum size.
- > Possible cause: If this command is issued the secure zone becomes the public
- zone, and thus all data on the disk will be retained. It is suspected that all
- partitions/zones are stored encrypted on the flash device(Yes, even the public
- zone). So, if this command is issued the secure zone key is decrypted(if
- encrypted at all) and the zone is marked as public. Logically this would not
- work if there is a public and secure zone. Then you would end up with two
- public zones with different encryption keys.
- Byte 3 of command does something... but still doesn't allow for removing half
- secure zones.
- type: action
- command:
- CBWCB = 0xFF 0xA7 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
- byte data description
- ------------------------------------------------------------------------------
- data:
- 0000 c0 51 c1 bb 98 b7 1c cb 15 b0 cf 9c 67 d1 43 ee |.Q..........g.C.|
- byte data description
- ------------------------------------------------------------------------------
- 0-15 ... Password hash (in this case 'b')
- ---
- >> 0x100
- description:
- seen used after a 0xA4(with some normal scsi stuff in between...).
- Generates some sort of reset or insert condition on the data disk. The old Linux 2.4
- usb-storage sees it as a disconnect of the drive.
- type:
- command:
- CBWCB = 0xFF 0x00 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
- byte data description
- ------------------------------------------------------------------------------
- data:
- No data....
- ---
- >> 0x101
- description:
- disconnects and possibly reconnects device
- type: action
- command:
- CBWCB = 0xFF 0x01 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
- byte data description
- ------------------------------------------------------------------------------
- data:
- 12 bytes
- 0000 50 00 00 00 40 9c 00 00 01 00 00 00 |P...@.......|
- byte data description
- ------------------------------------------------------------------------------
- 8 0x01 If 1 reconnect after disconnect, else not
- all other bytes don't seem to have any effect...
- ---
- >> 0x103
- description:
- Get chip maker and version
- type: request
- command:
- CBWCB = 0xFF 0x03 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
- byte data description
- ------------------------------------------------------------------------------
- data:
- 24 bytes
- 0000 33 2e 32 31 00 00 00 00 53 61 6e 44 69 73 6b 20 |3.21....SanDisk |
- 0016 00 00 00 00 00 00 00 00 |........|
- byte data description
- ------------------------------------------------------------------------------
- 0-7 "3.21" Chip version
- 8-23 "SanDisk" Chip maker
- possible read commands:
- 0x20
- 0x21
- 0x61
- 0x63
- 0x68
- 0x6b 512?
- 0x81 128-byte
- 0x84 64-byte
- 0x85 64-byte
- 0x88 64-byte
- 0xa1 4-byte
- 0xc1
- 0xe2 = read random?, 64-byte
- 0x102 512-byte
- Write:
- 0x01 -> 0x1f
- 0x22 -> 0x40
- 0x42
- 0x60
- 0x62
- 0x6a
- 0x6c
- 0x6d
- 0x6e
- 0x82 128 byte
- 0x83 64 byte?
- 0x86
- 0x87
- 0xc0
- 0xc2
- ---
- >>
- description:
- type:
- command:
- byte data description
- ------------------------------------------------------------------------------
- data:
- byte data description
- ------------------------------------------------------------------------------