how to turn any USB drive into a switchblade

Guest MaxDamage


Go for it. It looks like using something akin to drivelock will stop this, so we have a counter to it (my only concern about the project personally). As long as it's known that it's stoppable, then I see no problems with your incredibly cool hack.


No, I actually haven't seen it yet. I'm trying to track down the link right now. I know that it was released within the last week at a demoparty, but I'm not sure which one it was because Tom Merritt mentioned it on Cnet BOL and it wasn't posted in the show notes. It was one of those things in passing but it's not really their thing so the other hosts didn't pick up on it. I assumed it was released at The Gathering but I'm not able to find it there.

Now the 7th bit on the first byte on the disk, how exactly are you supposed to find that in a hex editor? I haven't checked because I'm only familiar with hex editors that allow you to open files... not full volumes.

Does it have to do with changing the device class from 0x08, or the bInterfaceSubClass?


I don't remember which ones can do it but I have come across hex editors that can mess with the raw data on a volume... I'll have to do some digging later and see what I can find, this sounds like an interesting method.


The removable media device setting is a flag contained within the SCSI Inquiry Data response to the SCSI Inquiry command. Bit 7 of byte 1 (indexed from 0) is the Removable Media Bit (RMB). A RMB set to zero indicates that the device is not a removable media device. A RMB of one indicates that the device is a removable media device. Drivers obtain this information by using the StorageDeviceProperty request.

Unconfirmed but may be of use.

Edit: Thanks for linkage Darren :)
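As an added example (not part of the post above), here is a small parser for the fixed 36-byte standard SCSI INQUIRY response that the post refers to, so the "bit 7 of byte 1" location of the Removable Media Bit (RMB) and the peripheral device type in byte 0 can be checked against real or constructed inquiry data. The sample responses are constructed inline, and the function names (parse_inquiry, build_inquiry) are this example's own.

```python
# Decode the standard SCSI INQUIRY response (SPC layout): byte 0 carries the
# peripheral device type, byte 1 bit 7 is the Removable Media Bit (RMB).
# All sample data below is constructed for the example, not captured hardware.

PERIPHERAL_DEVICE_TYPES = {
    0x00: "direct-access block device (disk)",
    0x05: "CD/DVD device",
    0x07: "optical memory device",
    0x0E: "simplified direct-access device",
}

RMB_MASK = 0x80  # byte 1, bit 7 (bits indexed from 0)


def parse_inquiry(data: bytes) -> dict:
    """Decode the fixed part of a standard INQUIRY response (first 36 bytes)."""
    if len(data) < 36:
        raise ValueError("standard INQUIRY data is at least 36 bytes")
    device_type = data[0] & 0x1F           # byte 0, bits 4..0
    qualifier = (data[0] >> 5) & 0x07      # byte 0, bits 7..5
    removable = bool(data[1] & RMB_MASK)   # byte 1, bit 7: RMB
    return {
        "peripheral_qualifier": qualifier,
        "device_type": device_type,
        "device_type_name": PERIPHERAL_DEVICE_TYPES.get(device_type, "other/unknown"),
        "removable": removable,
        "version": data[2],
        "vendor": data[8:16].decode("ascii", "replace").strip(),
        "product": data[16:32].decode("ascii", "replace").strip(),
        "revision": data[32:36].decode("ascii", "replace").strip(),
    }


def build_inquiry(device_type: int, removable: bool, vendor: str,
                  product: str, revision: str = "1.00") -> bytes:
    """Construct a 36-byte INQUIRY response for testing (constructed data)."""
    buf = bytearray(36)
    buf[0] = device_type & 0x1F            # qualifier 0 (device connected)
    buf[1] = RMB_MASK if removable else 0x00
    buf[2] = 0x04                          # claims SPC-2 compliance
    buf[3] = 0x02                          # response data format 2
    buf[4] = 31                            # additional length after byte 4
    buf[8:16] = vendor.encode("ascii").ljust(8)[:8]
    buf[16:32] = product.encode("ascii").ljust(16)[:16]
    buf[32:36] = revision.encode("ascii").ljust(4)[:4]
    return bytes(buf)


def summarize(data: bytes) -> str:
    """One-line human-readable description of an INQUIRY response."""
    info = parse_inquiry(data)
    media = "removable" if info["removable"] else "fixed"
    return f'{info["vendor"]} {info["product"]}: {info["device_type_name"]}, {media} media'


if __name__ == "__main__":
    # Constructed samples: a flash drive, an emulated CD-ROM, and a fixed disk.
    for sample in (
        build_inquiry(0x00, True, "VENDOR", "FLASH DRIVE"),
        build_inquiry(0x05, True, "VENDOR", "AUTORUN CD"),
        build_inquiry(0x00, False, "VENDOR", "FIXED DISK"),
    ):
        print(summarize(sample))
```

On Linux the same bytes can be read from a device with `sg_inq --raw` (sg3_utils) and fed to parse_inquiry; Windows exposes the decoded form through the StorageDeviceProperty query mentioned above.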


Yes but the question then becomes, if we can tell windows that the device is not removable, and it thinks it's a cdrom, and it autoruns, are we then able to write to the device? Or does it not think the device is a cdrom? Does it consider the device a hard disk drive, and if so, does it then autorun?

I won't be able to test this until I get back to the studio in about 6 or 7 hours, at which point I need to devote all of my human resources into editing, so really I won't be able to get this hack going until after the episode is done, in which case there is no way of "slipstreaming" this new info. And no, we're not going to issue a patch (.5).

So, I guess this is exactly what Dev5 was created for. Can we do it? It would be so perfect for the current topic of this episode. If we wait another month to do it, it may be old news. Gah.

I need more time.


Well from what I've read so far, if it identifies as a CDROM device it's NOT writable, telling it that it's a HDD is hit and miss from my experience with fixed-disk autorun...

So how about partitioning it?

Partition however much we need for switchblade and define it as a CDROM device then have the remaining as a flash USB UMS device...

I don't know if this would screw with the device identification though, I'm not sure if it needs to be a physical device or if it can be a logical partition that you trick Windows in to thinking is a CDROM...


It's a good idea and sounds like the perfect start for my trials. I'll pick up a couple small cheap USB flash disks on my way home from work today and try it out. Essentially what you've described is exactly what U3 is. In fact, the 1GB U3 drive I have is actually 6MB shy of 1GB on the FAT partition. The 6MB has been reallocated to the CDFS partition, so we might need to not only repartition the drive and edit the 7th bit to make it a "cdrom", but we may need to format it for CDFS... or do we?

MaxDamage, can you maybe shed some light on this?


You may in fact be the first if I'm not able to find it. Thanks for the report from the road. I'll add those keywords to my search criteria and hopefully have confirmation on this. Either way I'll bet $20 that we'd be the first to use it in such a manner.

moonlit & vako, don't forget that your concerns have been heard and as such you should expect a whitehat segment or two on prevention, both for the user side and system side. I don't want you guys to think we've gone blackhat. It was supposed to be in this episode but the security companies that we've been talking to want, for some reason, to mail us their products rather than email it, so it's taking a bit longer to get them in the labs for testing (and setting the labs up as a proper testing environment, etc.)


I GOT IT TO WORK!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


Here's what I did (I'm using linux btw):

First off, I used my partition editor (gparted) to put an 8MB partition at the beginning of the drive. This was set to be unformatted, just empty space. The remaining space was formatted as FAT32.

Then I dl'd Max's Loader files (I used the cruzer, no reason, just did) I opened up the .iso file in ghex (hex editor) and changed the first byte to AB.

Then, (this is important) I made sure the disk was unmounted, and did

dd if=~/Desktop/cruzer-autorun.iso of=/dev/sdb1

Note that sdb was where my thumbdrive is. Unplug and replug the drive and it mounts the first part as a CDROM and the second part as a usbdrive! I looked in the CDROM, and there was the loader!


edit: note also that you don't have to edit the actual disk, you just edit the iso and then dd it over to the blank space, effectively making that partition CDFS.

EDIT PART 2: I'm having trouble on the windows side of it. The drive is recognised as a CD in linux, but not windows. I would RECOMMEND AGAINST doing what I just posted until I can figure out why. I don't want to be responsible for bricking anyone's drive! In other words, I'm working on it; if you try my method, and it doesn't work, don't kill me.


Windows won't see beyond the first partition on a USB stick. That's why the u3 disks have special firmware/electronics/magic smoke, otherwise everyone would have done it.

As for the whitehat/blackhat thing. I know the forums aren't representative of the show, but it seemed like all the work was being done to make the switchblade harder hitting. And no work was being done (in that thread) to make sure there was an effective counter to it, which with an exploit like this should be an aim. Glad to see there is work being done on it, and I have had my concerns put to rest. So it's all kosher matey.
