June 19th, 2006, 05:12 PM
i'll continue trying to find out somehow.
almost wish i hadn't _removed_ the whole partition, just overwritten it with whatever i wanted.
July 5th, 2006, 04:02 PM
I am on the same quest as you. I also wiped the U3 crap and am working on putting a CDFS partition back on, but with an autorun that will run my little AutoIt routine. I'd like for this to happen on simple insertion of the USB drive without user interaction being required. Just stick it in, count to five, and yank it.
I also came across this page you saw:
There, I learned about the LPInstaller.exe and the cruzer-autorun.iso files, and how to spoof my local server to appear as the U3 website so it will load in my own version of the iso file, theoretically then, being set to run whatever files I want it to...
I am still playing with the mkisofs.exe program, and not quite understanding how to do what I want it to do... this is new stuff to me. I DO believe that the LPInstaller.exe file creates the CDFS partition on the USB drive- but if you know differently for certain, let me know.
Since it seems we're both on the same quest, I'm happy to share whatever I find with you, and I'd like to ask if you would be able to do the same? I have a boatload of files and info that I've collected in this quest, which I'm trimming down to useful stuff. Here's another tidbit that may be useful:
This is from Microsoft:
Q: What must I do to trigger Autorun on my USB storage device?
The Autorun capabilities are restricted to CD-ROM drives and fixed disk drives. If you need to make a USB storage device perform Autorun, the device must not be marked as a removable media device and the device must contain an Autorun.inf file and a startup application.
The removable media device setting is a flag contained within the SCSI Inquiry Data response to the SCSI Inquiry command. Bit 7 of byte 1 (indexed from 0) is the Removable Media Bit (RMB). A RMB set to zero indicates that the device is not a removable media device. A RMB of one indicates that the device is a removable media device. Drivers obtain this information by using the StorageDeviceProperty request.
Hmmm..... So the question is... How?
Anyway, hopefully between the two of us we can figure this out.
Also- if you have a good hex editor, you might find some interesting info in the .iso file as well as the LPInstaller.exe. I'm still poking around in there and see some potentials.
What can you tell me about mkisofs?
Thanks & good luck,
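
An added example, not part of any poster's message: a small audit helper that decodes the standard SCSI INQUIRY fields described in the Microsoft answer quoted above (RMB is bit 7 of byte 1) and flags a USB-attached device that reports itself as a CD-ROM drive or a fixed disk, the two classes the quote says Autorun is restricted to. The sample responses, the vendor and product strings and the helper names are constructed for illustration.

```python
from dataclasses import dataclass

TYPE_DISK, TYPE_CDROM = 0x00, 0x05  # SCSI peripheral device type codes

@dataclass
class Inquiry:
    device_type: int   # byte 0, bits 4-0
    removable: bool    # byte 1, bit 7 (RMB)
    vendor: str        # bytes 8-15
    product: str       # bytes 16-31

def parse_inquiry(data: bytes) -> Inquiry:
    """Decode the fields of a standard SCSI INQUIRY response used below."""
    if len(data) < 36:
        raise ValueError("standard INQUIRY data is at least 36 bytes")
    return Inquiry(
        device_type=data[0] & 0x1F,
        removable=bool(data[1] & 0x80),
        vendor=data[8:16].decode("ascii", "replace").strip(),
        product=data[16:32].decode("ascii", "replace").strip(),
    )

def autorun_findings(inq: Inquiry) -> list[str]:
    """Reasons a USB-attached device falls into the Autorun-eligible classes."""
    findings = []
    if inq.device_type == TYPE_CDROM:
        findings.append("presents as a CD-ROM drive")
    elif inq.device_type == TYPE_DISK and not inq.removable:
        findings.append("disk reports RMB=0 (fixed disk)")
    return findings

def make_inquiry(dev_type: int, rmb: bool, vendor: str, product: str) -> bytes:
    """Build a constructed 36-byte INQUIRY response for the samples."""
    header = bytes([dev_type & 0x1F, 0x80 if rmb else 0x00, 0x00, 0x02, 31, 0, 0, 0])
    return header + vendor.ljust(8).encode() + product.ljust(16).encode() + b"1.00"

# Constructed samples (not captured from real devices).
SAMPLES = {
    "plain stick": make_inquiry(TYPE_DISK, True, "ACME", "Flash Disk"),
    "stick with CD partition": make_inquiry(TYPE_CDROM, True, "ACME", "Virtual CD"),
    "stick reporting fixed": make_inquiry(TYPE_DISK, False, "ACME", "Flash Disk"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        inq = parse_inquiry(raw)
        print(f"{name}: {inq.vendor} {inq.product} -> {autorun_findings(inq) or 'no Autorun class'}")
```
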
July 5th, 2006, 05:09 PM
sorry i didn't reply to your email sooner.
only thing i disagree with is the LPInstaller.exe. that just downloads the iso file i believe, and then burns the ISO image to the already created cd-rom "drive" on the usb stick.
as far as i know they haven't released a tool to re-create the cd-rom "drive" on the stick.
what you could do with mkisofs is gather all the files and executables you want, and make an image of them (ISO) and then have a program like LPInstaller download it and "burn" it on the so called cdrom drive.
windows/usbdrive see that partition as a cd-rom drive so it's able to burn that image onto the partition, which you normally wouldn't be able to do.
so since your cdrom "drive" is still there i believe? you could use mkisofs to make an image of your choice or whatever you want to autorun, and put it on a webserver, then edit your hosts file to spoof the sandisk site so it downloads your image instead of the real one on sandisk's site.
it'd do what you want, autorun the file of your choice, just still we have no way of recreating the cd-drive.
only bad thing is you're limited to 6mb looks like, until someone or one of us finds out how to recreate that drive.
sorry if you already knew this or is no help, it's what i know of now.
you're in a better position than i am though, i already used U3's utility to remove the cd-drive from mine, and they say it's irreversible.
July 5th, 2006, 05:16 PM
Short of fire or running over by large vehicles, not too much is irreversible- at least with software changes!
I also had run the uninstaller, so we're both in the same boat. I'm going to try the installer on another thumb drive I have and see what happens. I'll let you know.
I KNOW this must be possible. I like that info about the Removable Media bit (0/1)... that may be a line to pursue. If I can get the USB to answer the query with just that one bit changed, all of our troubles will magically melt away!
July 5th, 2006, 05:33 PM
yes but changing that i believe would require editing the firmware.
someone else had the same idea, not much help though.
i'll keep looking on finding a way to edit that.
July 5th, 2006, 08:14 PM
Thanks for the link, interesting reading. I'll continue my investigations as well.
Besides creating a CDFS partition, or changing the RMB, can you think of any other way to create an autorun for our USB drives? Too bad there isn't something like "Hold the U key down when you insert the drive to autorun"!!!
I'll let you know if I find anything of value.
July 5th, 2006, 08:28 PM
there is one way that shows up a lot on google searches but it requires autorun software to be installed on the client machines you want it to autorun on, but having to install all that software on them kind of defeats the purpose.
after reading about the removable media device bit, that seems a little bit nicer than having to create a cd-rom partition, because you wouldn't be losing space on your usb drive (having 2 partitions).
i'll look into changing that bit or try to find a how-to.
July 6th, 2006, 12:02 AM
You're right about the "defeats the purpose" thought! Not so concerned about space savings... they make these things up to 4 or 6G now, so I can spare a few meg if I get the function... but that RM bit is really interesting. If it's not a hardcoded thing, it'd be really nice!
Still looking around, nothing useful yet.
July 6th, 2006, 12:39 AM
on MSDN's page, it says this:
The STORAGE_DEVICE_DESCRIPTOR structure is used in conjunction with the IOCTL_STORAGE_QUERY_PROPERTY request to retrieve the storage device descriptor data for a device.
so, the STORAGE_DEVICE_DESCRIPTOR structure where the removable device bit is stored should be on the usb drive, is there a way you could open the usb stick in a hex editor or look at its firmware and grep for 'RemovableMedia' and set it to false?
i have no experience in dealing with device firmware.
July 6th, 2006, 12:46 AM
That's an interesting idea... but I also am not too familiar with Firmware manipulation on USB devices.
In the interim... here's what I AM looking at that seems promising- at least for using on XP machines:
And I quote:
The researchers found fault with the way Windows XP drivers handle USB autorun and USB raw sockets.
The Windows autorun feature of Plug and Play is interesting. By default, the Windows autorun driver works only with nonremovable media. However, the researchers played around with the idea and wondered whether they could create a faux USB device that would appear to Microsoft Windows to be a nonremovable DVD drive. Sure enough, they were able to do so by taking advantage of a flaw in which USB drivers handle raw sockets. Specifically, the researchers were able to fool Windows into thinking their faux USB device was a nonremovable drive by identifying themselves with the vendor ID and product ID for a known DVD drive.
With their faux USB device in hand, the researchers demonstrated how they could attach it to a Windows XP machine and force a Kernel Heap buffer overflow, which would then allow the machine to run their malicious code