On Mon, Dec 29, 2008 at 10:11 AM, Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> wrote:
> On Mon, 29 Dec 2008, Andrew Hoog wrote:
>
>> Good morning,
>>
>> For some time, I've tried to figure out how to treat the virtual
>> CD-ROM on a U3 drive as a direct-access device (SCSI type 0) instead
>> of a read-only direct-access device (SCSI cd-rom, type 5)
>
> In theory this is possible. In practice, what makes you think the
> device will work when you send it disk-type commands instead of the
> CD-ROM-type commands it expects?

I wanted to experiment with the approach but you are correct, this was
a complete guess.

>
>> so that
>> users can overwrite the data in that area and use as they wish. There
>> is quite a bit of discussion on the web about this device however most
>> centers around removing the "partition" or hiding it in Linux (the
>> autorun and .exe on the CD-ROM are for Windows only).
>>
>> I've posted my analysis to date at
>> http://chicago-ediscovery.com/computer-forensic-howtos/forensic-acquisition-analysis-u3-usb-drive.html
>> which is focused on the forensics side. There is a U3 removal utility
>> as well as a program (Universal Customizer) that will overwrite the
>> iso9660 filesystem (in Windows) using a .dll supplied by the U3 group
>> (u3dapi10.dll). However, I would like to be able to accomplish this
>> in Linux using standard utilities.
>
> Your best bet is to reverse engineer the Universal Customizer program,
> say by using a program like SnoopyPro to see what commands it sends to
> the device. Then you can figure out how to send the equivalent data
> yourself in Linux.

Thanks, I took your advice and created a usbsnoop file (~50MB) when
using the official re-install program by SanDisk.

It will take me some time to understand and analyze, and in case anyone
else is interested, I have posted a .zip (~10MB) of the log at:

http://chicago-ediscovery.com/computer-forensic-howtos/forensic-acquisition-analysis-u3-usb-drive.html/attachment/usbsnoop-u3-reinstall

I will try to find the "write" commands in the log and figure out how
to send the equivalent using Linux. I also uploaded the .iso the
re-install program flashed the drive with in case that is helpful to:

http://chicago-ediscovery.com/computer-forensic-howtos/forensic-acquisition-analysis-u3-usb-drive.html/attachment/bestbuy-autorun/

>> I've looked into udev rules but I cannot find a way to change the
>> device driver. Also, I tried the sg3_utils but sg_dd on the generic
>> device fails (device not ready (w)) as it still just sees a read-only
>> CD-ROM. Does anyone have advice on how to change the device driver
>> for the endpoint from "sr" to "sd"?
>
> The only way is to fool the kernel into thinking the device is Type 0
> instead of Type 5. You would have to hack the kernel, which probably
> is not what you had in mind.
>
>> Is there a better work around?
>> Thank you.
>
> If you don't like the reverse-engineering approach, you can use
> programs like sg-utils to send your own WRITE commands to the device.
>
> Alan Stern

I'll look into the sg-utils closer, especially after reviewing and
understanding the usbsnoop log information. I will post any results I
achieve on this forum and my website. Thanks for the pointers.

Andrew Hoog
Chicago Electronic Discovery
http://chicago-ediscovery.com/
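For readers following the log-analysis step discussed in this thread, here is an added example (not code from either poster or from any U3 tool) that decodes USB Mass Storage Bulk-Only Transport command wrappers and picks out the commands that send data to the device. It assumes the bulk-OUT payloads have already been extracted from the capture as raw bytes; the function names and the sample payloads, including the vendor-range opcode, are constructed for illustration.

```python
import struct

# Bulk-Only Transport Command Block Wrapper: signature, tag, data length,
# flags, LUN, CDB length, 16-byte CDB field (31 bytes, little-endian).
CBW_FORMAT = "<4sIIBBB16s"
CBW_SIZE = struct.calcsize(CBW_FORMAT)
OPCODES = {0x00: "TEST UNIT READY", 0x12: "INQUIRY",
           0x28: "READ(10)", 0x2A: "WRITE(10)"}

def decode_cbw(payload):
    """Return a dict describing a CBW, or None if the payload is not one."""
    if len(payload) != CBW_SIZE:
        return None
    sig, tag, xfer_len, flags, lun, cb_len, cb = struct.unpack(CBW_FORMAT, payload)
    if sig != b"USBC" or not 1 <= cb_len <= 16:
        return None
    cdb = cb[:cb_len]
    op = cdb[0]
    # Opcodes C0h-FFh are reserved by the SCSI standards for vendor use.
    name = OPCODES.get(op, "vendor-specific" if op >= 0xC0 else "other")
    info = {"tag": tag, "lun": lun & 0x0F, "opcode": op, "name": name,
            "bytes": xfer_len, "direction": "in" if flags & 0x80 else "out"}
    if op in (0x28, 0x2A) and cb_len >= 10:
        # READ(10)/WRITE(10): big-endian LBA at bytes 2-5, block count at 7-8.
        info["lba"] = struct.unpack(">I", cdb[2:6])[0]
        info["blocks"] = struct.unpack(">H", cdb[7:9])[0]
    return info

def host_to_device_commands(payloads):
    """Commands whose data stage flows from host to device (write-like)."""
    decoded = (decode_cbw(p) for p in payloads)
    return [c for c in decoded
            if c and c["direction"] == "out" and c["bytes"] > 0]

def build_cbw(tag, xfer_len, flags, cdb):
    """Helper used only to construct the sample payloads below."""
    return struct.pack(CBW_FORMAT, b"USBC", tag, xfer_len, flags, 0,
                       len(cdb), cdb.ljust(16, b"\0"))

# Constructed samples, not taken from the posted usbsnoop log.
SAMPLES = [
    build_cbw(1, 36, 0x80, bytes([0x12, 0, 0, 0, 36, 0])),            # INQUIRY
    build_cbw(2, 2048, 0x80, bytes.fromhex("28000000001000000100")),  # READ(10)
    build_cbw(3, 4096, 0x00, bytes.fromhex("2a000000002000000200")),  # WRITE(10)
    build_cbw(4, 512, 0x00, bytes([0xC1]) + bytes(9)),                # vendor range
    b"\x00" * 512,                                                    # data stage
]

if __name__ == "__main__":
    for cmd in host_to_device_commands(SAMPLES):
        print(cmd)
```
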