- Hacking U3 USB Drives

 

Updates! (latest ones first)

May 29, 2011:

While this was the first information available on the public Internet regarding the modification of U3 drives, 5 years later, it isn’t exactly the freshest information on it. I just got this comment in my mail:

Hi

Please take the Hacking U3 USB Drives section offline or edit it, it’s full of crap (you only need the u3-tool.exe) – it wastes people’s time, moreover, you’re pointing to a trojan-containing website (hxxp://www.GuidoZ.com/U3/), and down below (!!!) the post  there’s the warning…

Cheers,
Tomas

If you’re interested in modifying your U3 drive, Tomas is absolutely right, go with U3-tool. I don’t agree that this page is “crap” or “wastes people’s time”, though, and it will remain up, if for no other reason than to document how this was originally done.

As for the stuff in comments, I haven’t verified whether GuidoZ’s software contains trojans. Some say it does, and he claims that it doesn’t. To be on the safe side, I’ll remove the links, and folks can take a look at it if they want.

October 27th, 2006:

New for July 20th from an anonymous source:

U3 and the hardware sellers are trying to agree on how to keep the users’ data safe during manipulation, like perhaps enable locking of at least one partition from being messed with. Once agreed, they consider giving away a tool that will enable a limited set of smarter manipulations on the device.
The tools for full repartitioning are going to be kept in house for security reasons (so a plugged key cannot be scratched by malware on the host). Such tools are still only made available to vendors.
(My personal opinion as a computer guy has always been the same – security by obscurity never holds for too long…)

I have another report that after running U3-Uninstaller.exe,
the drive was no longer recognized by LPInstaller.exe. So please don’t
attempt this unless you’ve got a quick and easy way of getting a replacement,
or if you’re just experimenting before wiping out U3 anyway, or if you’re feeling
particularly adventurous. GrangerX verified that he was still able to install after
uninstalling and provided the following notes (also note the URL for the official U3
uninstaller, http://www.u3.com/uninstall):

The U3 Drive I'm using is:
SanDisk Cruzer(R) Micro USB Flash Drive
SDCZ6-512-A10
UPC: 6 19659 02536 6
(serial number censored)

My OS is WinXP SP2, with all but the latest Windows Updates.  The PC
is a Via Chipset Athlon (Sempron?) Socket462 freebie from the weekly
Fry's "buy a CPU, get a motherboard effectively free" deal.

The utilities I used had the following MD5s:

352bca7784d8dc68503379ff8cf46700 *u3_uninstall.exe #u3 branded, from http://www.u3.com/uninstall

3f8ea63524f0c8339c34c6851f6ae8a6 *U3_Uninstaller.exe #geeksquad-branded, from ... someplace on the internet

bc7c03b841864bb9ce30dd5429359cdd *cruzer-autorun.iso

36b872f94e88d9bbf266200c193e50f4 *LPInstaller.exe

After running the uninstaller (and removal, re-insertion of the drive),
the CD drive portion disappeared.  The RemovableDisk partition size
increased by the 6MB.
After running the installer, which didn't seem to require re-insertion
of the drive, the U3-CD-Partition reappeared, and the RemovableDisk
was the normal (-6MB) Size.

GrangerX, grangerx@gmail.com, wrote in with the following very
helpful information:

The utility “LPInstaller.exe” seems to be able to download two
different ISOs, one with autorun, one without (at least the URLs were
in the file, so I went ahead and grabbed both). Also, if you put the
ISOs in the same directory as the LPInstaller.exe, it seems to use
them from there instead of trying to download them, which is faster,
and doesn’t require apache usage.

There also exists a much harder to find executable, called
“U3-Uninstaller.exe”, that disables the CD “domain” (I think is U3’s internal
terminology for the different areas on the drive (I *wish* they’d
release the darn HDK)) by (apparently, at least) burning the
“dummy.iso” file into that domain, and then hiding/disabling the
domain entirely (free space before was: 506,683,392 ; free space after
was: 513,310,720 ). [Yes, several of their internal (debugging?)
messages in the EXE files and their SDK docs mention "Burning" the CD
ISO, so I guess it really *is* a burner, of sorts. :-p ]

My end goal is to be able to use a larger-than-6MB iso, which
currently, I haven’t been able to do. But, I have verified that the
two utilities (“LPInstaller.exe” and “U3-Uninstaller.exe”) are
repeatably usable to remove/re-add the U3 functionality, so it should
be safe for people to experiment with, if they have both utils (Note:
I’ve heard from others that this does not work, so be cautious). If
you try to trick it into using a larger ISO, both utilities fail, but
it doesn’t seem to cause trouble once you run the utility as they
intended. I can add or get rid of the U3 functionality as needed now,
at least.

My hope is that there’s an offset in the LPInstaller.exe that one
could patch and it would create a differently-sized ISO area, which
could allow more clever things to be done with the devices.

Anyway, thanks for getting things started. Hopefully they’ll release
at least the oft-referenced “U3 Tool” to allow users to modify their
drives, but until then, it’s fun to hack on.

So a lot of the steps I’ve outlined below are actually a bit more
complicated than you really need to do. The Sandisk installer looks in the
local directory for ISOs first, so you won’t have to spoof their website
anymore ;)

A spy came in from the cold to write this (completely unverified,
of course, but feels right):

:snip snip:…new controller at the hardware level, where it supports 24 more USB commands than the regular controllers, etc. apparently dividing it up to “memory domains” is dynamic and there are tools out there (windows only) for the manufacturers to resize the virtual CD and the main partition.:snip:

Introduction

U3 is a platform for developing applications that install to
and execute from USB flash drives. It provides these
applications a means to execute, read, write and clean up after
themselves once the drive is removed. I haven’t actually used
any U3 apps yet, but having bought a “U3 Smart” drive at
OfficeMax (the SanDisk Cruzer Micro 512M), I became interested
in the unique way these U3 drives present themselves as two
separate disks, so that the U3 software is write-protected and can
auto-run on Windows machines. This page documents my attempts
at changing the U3 drive to modify the write-protected partition
and control the autorun feature.

Disclaimer


This information is based on the U3 Smart SanDisk Cruzer Micro
512M, and while I’ve taken a lot of care in my procedures here
(I don’t want to buy another drive if I brick this one either!),
I can’t guarantee that it’ll work out so well for you. This
information is immediately applicable to the Cruzer Micro 512M,
and probably works for other Cruzer disks, but probably does not
work on other U3 Smart disks. It should get you looking in the
right direction though.

Two Drives in One!

The first thing you’ll notice when you plug in one of these
drives is that it shows up as two different disks: A USB CDROM
with the title “U3 System” that takes the first available drive
letter (E: in my case), and a USB Removable Disk that takes the
next drive letter (F:).

More detailed information can be found when you plug it in
under Linux and take a look at dmesg:


usb 1-1: new full speed USB device using uhci_hcd and address 6
usb 1-1: configuration #1 chosen from 1 choice
scsi7 : SCSI emulation for USB Mass Storage devices
usb-storage: device found at 6
usb-storage: waiting for device to settle before scanning
  Vendor: SanDisk   Model: U3 Cruzer Micro   Rev: 2.15
  Type:   Direct-Access                      ANSI SCSI revision: 02
SCSI device sdb: 990865 512-byte hdwr sectors (507 MB)
sdb: Write Protect is off
sdb: Mode Sense: 03 00 00 00
sdb: assuming drive cache: write through
SCSI device sdb: 990865 512-byte hdwr sectors (507 MB)
sdb: Write Protect is off
sdb: Mode Sense: 03 00 00 00
sdb: assuming drive cache: write through
 sdb: sdb1
sd 7:0:0:0: Attached scsi removable disk sdb
sd 7:0:0:0: Attached scsi generic sg1 type 0
  Vendor: SanDisk   Model: U3 Cruzer Micro   Rev: 2.15
  Type:   CD-ROM                             ANSI SCSI revision: 02
sr0: scsi3-mmc drive: 8x/40x writer xa/form2 cdda tray
sr 7:0:0:1: Attached scsi CD-ROM sr0
sr 7:0:0:1: Attached scsi generic sg2 type 5
usb-storage: device scan complete


Note that Linux seems to think the CD drive is a writer.
Working on the side of caution against hosing the drive, I have
not attempted to “burn” to this drive with cdrecord or k3b or
anything. This is doubly true now that I have found a safe way
of changing what’s on this part of the disk, but if you want to
give it a shot (and have a spare Cruzer to try it out on), email
me and let me know what happens ;) . There’s a pretty good
possibility that it’s not identifying the drive correctly.

The CDROM that isn’t

When you mount the CD drive, there are three files waiting for
you: LaunchPad.zip and LaunchU3.exe (containing the U3
software), and an autorun.inf that executes LaunchU3.exe
whenever you plug in the drive. Here are the contents of the
autorun.inf after running the latest updates from SanDisk (More
on this later):


[AutoRun]
open=LaunchU3.exe -a
icon=LaunchU3.exe,0

[Definitions]
Launchpad=LaunchPad.exe
Vtype=1

[CopyFiles]
FileNumber=1
File1=LaunchPad.zip

[Update]
URL=http://u3.sandisk.com/download/lp_installer.asp?custom=1.1.0.2&brand=cruzer

[Comment]
brand=cruzer


So, we see that it automatically runs LaunchU3.exe. There are
a few other bits of information in this file that are handy too,
especially the [Update] section, which wasn’t there before the
built-in updating feature of U3 was executed…
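
To audit a virtual CD like this one before Windows acts on it, the file above can be parsed to list what it would start on insertion and where it would fetch updates from. This is an added example, not code from the original page or from SanDisk/U3; the function name `audit_autorun`, the set of keys checked and the expected-host default are assumptions made for illustration, and the embedded sample is the autorun.inf shown above.

```python
import configparser
import re
from urllib.parse import urlsplit

# The autorun.inf shown above, embedded so the example runs offline.
SAMPLE_AUTORUN = """\
[AutoRun]
open=LaunchU3.exe -a
icon=LaunchU3.exe,0

[Definitions]
Launchpad=LaunchPad.exe
Vtype=1

[CopyFiles]
FileNumber=1
File1=LaunchPad.zip

[Update]
URL=http://u3.sandisk.com/download/lp_installer.asp?custom=1.1.0.2&brand=cruzer

[Comment]
brand=cruzer
"""

# [AutoRun] keys that make Windows start a program (assumed audit list).
EXEC_KEYS = {"open", "shellexecute"}
SHELL_VERB = re.compile(r"^shell\\[^\\]+\\command$")  # shell\<verb>\command


def audit_autorun(text, expected_update_host="u3.sandisk.com"):
    """Return what an autorun.inf launches and which host it updates from."""
    # RawConfigParser: no %-interpolation; only '=' separates key and value.
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True,
                                      delimiters=("=",))
    cp.read_string(text)

    executes, update_url = [], None
    for section in cp.sections():
        name = section.lower()  # Windows ignores case in section names
        if name == "autorun":
            for key, value in cp.items(section):  # keys arrive lower-cased
                if key in EXEC_KEYS or SHELL_VERB.match(key):
                    executes.append((key, (value or "").strip()))
        elif name == "update":
            update_url = cp.get(section, "url", fallback=update_url)

    host = urlsplit(update_url).hostname if update_url else None
    return {
        "executes": executes,
        "update_url": update_url,
        "update_host": host,
        # True when there is no update URL or it names the expected host.
        "update_host_expected": host is None
        or host == expected_update_host.lower(),
    }


if __name__ == "__main__":
    for field, value in audit_autorun(SAMPLE_AUTORUN).items():
        print(f"{field}: {value}")
```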

Updating means that something can write to it at least

Let’s visit the SanDisk updating URL in Firefox:

Whups, heh, let’s view the source…

There we go. A URL for a stand-alone installer. When you
download this installer, you’ll notice that it’s only a megabyte
or so, while the CDROM drive is between 5 and 6 megabytes. This
is because the LPInstaller.exe downloads the new ISO file for
the CDROM from the SanDisk website. Let’s fire up Ethereal,
start sniffing, and run the installer to figure out where it’s
getting the ISO from:

From here, you can download the ISO with wget or a web browser
or anything. Mount the ISO and you’ll see the same files (or
potentially newer versions) as you would on the drive’s CDROM.

The Sting

Make your own ISO, keeping within size limitations. Regarding
this, although the ISO I downloaded from the SanDisk site was
5,752,832 bytes, the size of the CDROM images I get when I use
dd straight from the block device is always 6,291,456 bytes.
It appears the ISO is written into this 6,291,456 byte chunk,
with the remainder padded out with zeros.

Double-plus-make-sure that the ISO you create
is a bit less than 6,291,456 bytes. I don’t know what
will happen if you go over that amount, but there’s a
very good chance that it isn’t pleasant.

Some good ideas for what you could do with the fake CDROM
drive:

  • Do away with the U3 software entirely
  • Auto-run your own programs/scripts
  • iPod sneakiness without an iPod
    (http://www.schneier.com/blog/archives/2006/06/hacking_compute.html)

  • Store files that you want relatively strongly
    write-protected

You can create ISO files using mkisofs from cdrtools, or any
burning software you would like to use.

Once you have an ISO created, you’ll need to set up a web server
to mimic the update site. Here, I’ve installed Apache onto the
windows machine running the installer, recreated the
directory structure leading up to the ISO, and placed the
custom ISO there with the correct name:

Next, change the c:\Windows\system32\drivers\etc\hosts file
to point u3.sandisk.com to the correct ip address, in this case,
the local host:


127.0.0.1       localhost  u3.sandisk.com


Now that everything’s set up, you can run the
LPInstaller.exe, and let it download and install the ISO you
want to the disk. If everything goes well, the next time you
mount the disk, it should be set up how you wanted it.
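
The size rule from “The Sting” and the result of the install step can both be checked from a dd image of the CD device: the image should be the intended ISO followed by zeros up to 6,291,456 bytes. This is an added example, not part of the original procedure or of any SanDisk tool; the function names and the in-memory sample data are constructed, and the area size is the one observed on the Cruzer Micro 512M described here.

```python
import io

# Size of the CD image read back with dd on the Cruzer Micro 512M (this page).
CD_DOMAIN_BYTES = 6_291_456


def padding_needed(iso_size, domain_size=CD_DOMAIN_BYTES):
    """Zero bytes that will follow an ISO of iso_size inside the CD area.

    Raises ValueError unless the ISO is strictly smaller than the area,
    matching the advice above to stay "a bit less" than the limit.
    """
    if iso_size <= 0:
        raise ValueError("empty ISO")
    if iso_size >= domain_size:
        raise ValueError(
            f"ISO is {iso_size} bytes; must be under {domain_size}")
    return domain_size - iso_size


def verify_readback(dump, iso, domain_size=CD_DOMAIN_BYTES, chunk=65536):
    """Compare a dd image of the CD device with the ISO meant to be on it.

    dump and iso are binary file objects. Returns (status, offset):
      ("match", iso_size)             dump == ISO + zero padding
      ("content_differs", offset)     first byte where dump departs from ISO
      ("nonzero_padding", offset)     first non-zero byte after the ISO
      ("unexpected_dump_size", size)  dump is not domain_size bytes long
    """
    offset = 0
    while True:
        want = iso.read(chunk)
        if not want:
            break
        got = dump.read(len(want))
        if got != want:
            same = next(
                (i for i, (a, b) in enumerate(zip(got, want)) if a != b),
                len(got))  # no differing byte found: the dump ended early
            return ("content_differs", offset + same)
        offset += len(want)
    iso_size = offset

    # Everything after the ISO should be zero fill.
    while True:
        got = dump.read(chunk)
        if not got:
            break
        tail = got.lstrip(b"\0")
        if tail:
            return ("nonzero_padding", offset + len(got) - len(tail))
        offset += len(got)

    if offset != domain_size:
        return ("unexpected_dump_size", offset)
    return ("match", iso_size)


def demo():
    """Constructed data: a 3000-byte stand-in 'ISO' and three device images."""
    iso = b"ISO" * 1000
    good = iso + bytes(padding_needed(len(iso)))
    changed = good[:10] + b"\xff" + good[11:]    # one byte altered in the ISO
    stray = good[:5000] + b"\x01" + good[5001:]  # data left in the padding
    return [verify_readback(io.BytesIO(d), io.BytesIO(iso))
            for d in (good, changed, stray)]


if __name__ == "__main__":
    print(padding_needed(5_752_832))  # the SanDisk ISO size quoted above
    print(demo())
```

With real files, open the ISO and the image taken with dd in binary mode and pass both file objects to `verify_readback`.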

Taking it further

The above works for SanDisk Cruzers, so if you’re feeling
adventurous, you may be able to develop a similar procedure for
other U3 Smart disks. It would also be nice to figure out how
the installer is talking to the disk, so that a program could be
created to let us more directly manipulate the disk, without
having to spoof a web server.

  44 Responses to “- Hacking U3 USB Drives”

  1. [...] are some good articles which describe how the U3 system works. It effectively emulates a cdrom drive being inserted into a [...]

  2. Interesting, thank you! But there is no need to use a local web server.

    - Download LPInstaller from http://www.sandisk.com/Retail/Default.aspx?CatID=1411
    - Extract all files from LPInstaller.exe in a folder (using e.g. 7-Zip)
    - Create a file named qa.ini within your new folder
    The file must have two lines:
    [QA]
    LocalISOPath=H:\iso_images\xp_pro_sp3.iso

    - Run extracted ‘LPInstaller.exe’ with parameter ‘local’
    -> Start a command prompt window or click on “start” – “Run” and type the full program path:
    H:\LPInstaller\LPInstaller.exe local

    It does work at least with LPInstaller version 1.0.2.36, on a Sandisk micro cruzer U3 16GB and similar, but this program won’t work for other brands!

    - And, of course, run launchpadremoval.exe to remove your .iso and start again…

    Note: The LPInstaller.exe program tells you ’1 second remaining’ after 1 minute or so, but you will have to wait a little bit more for big images. Obviously, it doesn’t count the bytes to transfer, but is just evaluating the time it takes for a Sandisk “standard” image!

  3. Thank you for the local usage, I have been running the host file fix and it is a pain. This worked 1st time

    Regards
    Richy

  4. LaunchU3.exe sucks balls, I always remove that bullshit, it’s annoying, and besides, having autorun enabled isn’t really smart to begin with.

  5. I think you’re missing the point, Teddy.

  6. I have a 7.12gb iso and i am trying Andre’s method from July 16th, but as soon as it starts the process, it seems like it ejects the virtual cd drive then remounts it and it causes the installation to fail. Any clues??

  7. There’s a “universal customizer” that can modify the CD portion of U3 drives, I think you can get a version of it here:

    http://gonzor228.com/download/

    See if that works for you.

  8. thanks for the info but when I try to install the U3 LPinstaller I got a CRC error. I have downloaded the software from the u3 website. and it’s not working. Anyone have a link to lp installer?

    Thank you! I use win 7

  9. That one didn’t work either- and just in case I wasn’t clear, modifying the CD portion of the U3 drive is exactly what I am trying to do. I have done it successfully before with this 7.12GB file. Like an idiot, I formatted the drive, now I can’t get it back to rights. Has something about U3 changed in the last year that I don’t know about?

  10. Not that I am aware of, but I have heard of people having a hard time putting the U3 CD portion back on the drive after removing it. Did you just format the writeable portion?

  11. I have formatted, reinstalled LP, removed, tried different versions of u3 customizer, used the LPInstaller methods, and I just cannot get this file back onto the drive- I CAN get other smaller files back on it. Obviously, it seems as simple as the file I am trying to load is too big, but like I’ve said, I have had this exact file loaded and operational before. I have a macbook- the optical drive fried and has been removed, so my only method of loading the installation disk is through U3 customization. But it’s just simply not working anymore.

  12. OK, I am really at a loss here. I have tried every suggestion on this site and every other site I can find. NOTHING WORKS!!!! I find it so incredible that I had it working at one point and cannot get it back to save my life. It’s like I got lucky once. Any other suggestions are very much appreciated!

  13. *bump*
    U3Customizer (all versions that I can find)- “Failed to access your U3 smart drive”
    GuidoZ- fails after about 7 seconds
    Lpinstaller local- also fails quickly
    Because I can load smaller files, around 700-800MB, I’m thinking possibly it’s because of the CDFS formatting of the U3 partition. Is there a way to force any of the above programs to format the U3 partition as UDF or is there something I am missing. Also, instead of being vague, the 7.12GB file I am trying to put onto the U3 partition is OS X 10.5. I successfully accomplished it about a year ago, so I know it WAS possible. Any help would be greatly appreciated.

  14. I followed the instructions on this site in order to automount a TrueCrypt travelers disk partition on the U3 partition and it worked like a charm for me.

    http://www.instructables.com/id/Using_U3_Technology_to_its_fullest_on_an_8G_Cruzer/

  15. I was wondering: Do you have a link to a guide on how to use Ethereal (or WireShark, Ethereal’s successor) like you used it in this post, to monitor the network activity of a program? I am trying to see where another program downloads something from, and I can’t work out how to use the software…

  16. Trying to bypass U3 security to see contents. How do I get past the door? Everyone says its secure, I don’t think anything is secure. I need to recover the password or bypass U3.

    Any ideas?

  17. Kingston, SanDisk and Verbatim USB Flash drives with AES 256-bit hardware encryption that supposedly meet the highest security standards FIPS 140-2 Level 2, have been hacked.

    Cracking the drives is therefore quite simple. The SySS experts wrote a small tool for the active password entry program’s RAM which always made sure that the appropriate string was sent to the drive, irrespective of the password entered and as a result gained immediate access to all the data on the drive. The vulnerable devices include the Kingston DataTraveler BlackBox, the SanDisk Cruzer Enterprise FIPS Edition and the Verbatim Corporate Secure FIPS Edition.

    http://www.h-online.com/security/news/item/NIST-certified-USB-Flash-drives-with-hardware-encryption-cracked-895308.html

  18. try Process hacker to view working dir. and such. greez ;) i hope 4 more posts

  19. Good analysis.
    Actually I have first heard of Universal Customizer for hacking u3 devices (thanks to hacking exposed 6).

    I was looking for a solution under Linux, BSD or any other unix OS. If someone has a clue on how to make it, please tell me !
    Davd, I don’t know if your solution works for a standard sandisk usb drive, but the idea must remain the same.
    I think there should be a sort of key used to tell the device to accept writing, something like that. I’ve tried to “dd” a crafted iso file on it, dd process was in state of “bioswait”, meaning the hardware didn’t accept _my_ input data. It may accept the key and then any other data until it is not power supplied anymore. What do you think ?

    There are tools on windows for monitoring input/outputs, maybe someone should try to experiment a bit with it, I don’t think anything will break up, if you screw up your partition, all you have to do is use the vendor software again.

    Another question : Cannot one fake a u3 USB key ? I mean just formatting a usb drive in 2 partition and create a cd9660 filesystem on one of these two partitions. There should be a way to fool windows, isn’t it ?

  20. [...] and in moments you will have a working USB Switchblade. This hack can be attributed to Andre. Share and [...]

  21. hi all, has anyone had any luck with the U3 customizer on win 7???
    I couldn’t get it to work, says only one sandisk at a time or something.

    in the meantime I have put together a little program that does that same sort of thing by copying the files you choose to a folder, creating an iso out of them and then using lpinstaller with the local switch to install it.

    I’m having a few problems like trying to get lpinstaller running silently but it works

    if anyone’s interested in it leave a msg here and I’ll email it

    thanks

  22. Hey GuidoZ, I have some Checkpoint Abra 4GB U3 disks that your app doesn’t appear to like.

    Exception processing message c0000013 parameters 75b6bf7c 75b6bf7c 75b6bf7c

    If I continue all the way through, it looks like it tries to do something then says hacking failed..

    any ideas?

    Glen.

  23. GuidoZ, your hacker thing put a Trojan on my pc

  24. [...] Back in October of 2006 McGrew Security posted this useful run down on replacing the ISO image that gets written to the U3 CD-ROM via Sandisk’s U3 activeX updater. I’m not sure if this method still works, but it’s worth noting. You can read up on it here: http://www.mcgrewsecurity.com/pub/hackingu3/ [...]

  25. @GuidoZ:
    I’ve visited your site and the .zip file was immediately picked up by my anti virus as malware.

    Care to comment?

  26. DO NOT USE LPINSTALLER TO WRITE A LOCAL ISO.

    I just seem to have toasted my u3 drive and now when trying to re-write an iso it fails and just restores the old one.

  27. I agree with previous posters:

    GuidoZ contains some strange virus stuff, Avast reacted badly and Comodo Firewall detected some weird behaviour where the SW wanted to install but thankfully I had Comodo set in paranoid mode so could stop every each process and it’s not the ordinary stuff installer SW use to do, folks stay away from GuidoZ or use a virtual machine and test first to see for yourself!!!

    —————————–

    Anyway,

    I found this page as I was browsing the net for how I can retrieve data on a locked U3 USB stick, I don’t need any special brute force hack, I just want to un-lock the password thing so I get 3 new attempts as I screwed it up when travelling but back home I have the correct password.

    So the data is encrypted with 128 bit AES I think if I remember it correct and normally filerecovery program that can handle raw data would be fine, but the U3 volume is loaded as a CDFS (not FAT neither NTFS) and filerecovery SW’s I have tested can’t reach such volumes as CDFS and do the scan.

    I was thinking if I could make an image and perhaps with some other SW decrypt the raw data with my password I have and should be able to retrieve the data.

    Does anybody have any thoughts or suggestions on this?

  28. ***WARNING*** It appears that some of the files on the http://www.guidoz.com site have been compromised with malware. DO NOT DOWNLOAD!

  29. Forget all that other crap, go to SOURCEFORGE and get the U3TOOL.
    It lets you remove the partition, resize it, and put whatever ISO you want!

    EASY.
    http://sourceforge.net/projects/u3-tool/files/

  30. Has anyone found out how to create a U3 partition on a regular drive?

    Thx!

  31. Thanks Wesley!

    Cheers

  32. Did anyone find an answer for UZB’s issue as I am in the same boat…stupid capslock was on and wasn’t paying attention as I was speaking to someone and its locked the stupid key. I have 12gb’s of data on this thing and know the password but it won’t even allow me to enter it, as my three failed attempts has in essence locked me out permanently.

  33. Anyone with clue on UZB & Navy? Me too have same problem. Got this stupid U3 drive locked without realizing Capslock was on. Now cant get password prompt to enter right password. Anyone help please!

  34. What I really want to know is how to change the damn RMB(Removable Media Bit) off of these damn things… I have 4-5 Sandisk Cruze and Micros. I want to use them as a “fixed” HDD (with multi partitions) I don’t want to boot from either.

    Some tell me how to get the RMB flipped!

  35. If you’re still interested in Hacking U3, check this out: http://bit.ly/oE82SN

    (only polish version)

  36. hello all. I think I have finally gathered enough tools so that anyone can create cdvfs on their flash drive… but I need help!
    -non-hackers and or people with generic iq need not attempt-
    a:: I need to bypass the “insert u3 drive” and “disk not detected”
    in programs
    LPInstaller
    memorybar_H0513
    the files mentioned in “GnU3zer”(torrent)::

    magnet:?xt=urn:btih:pce2z2mtrwz3aia6ct3qs2damvyit37j&dn=GnU3zer%2BU3%2BLaunchPad%2Breplacement&tr=udp%3A%2F%2Ftracker.openbittorrent.com%3A80

    here’s a minor directory path of my gathered works..

    ├───5221_files
    ├───applauncher
    ├───chip genius
    ├───ChipGenius – reboot.pro_files
    ├───gbu3hack instructs_files
    │   └───sb_records_data
    ├───search_files
    ├───SmithTechPortableMenu
    │   └───Data
    │       ├───Icons
    │       ├───Locale
    │       └───Theme
    │           ├───CherryWood
    │           │   ├───IconTheme
    │           │   └───Theme
    │           ├───Default
    │           │   ├───IconTheme
    │           │   └───Theme
    │           └───ZarthWork SmithTech Edition
    │               ├───IconTheme
    │               └───Theme
    ├───support_files
    ├───Universal_Customizer
    │   ├───BIN
    │   ├───EULA
    │   └───U3CUSTOM
    ├───USB Drive AutoRun.inf Tweaking_files
    │   └───diggthis_data
    └───Usbcd_files

    if u would like me to provide a link to these files, say something i will host it up on a file server. ill frequent here . and then post a link ( if asked)

  37. Is there a way to get U3 on a normal flash. I have been looking into it and the CDFS partition contains the U3 code which emulates the CD drive, or is it hardware as in another chip emulating the CD drive. I think it could be done from a normal flash chip it would just have to be reprogrammed. (would copying the drive by sector to another drive emulate the CD drive or would the flash chip have to be re-imaged to put in another sector with emulation code?)
    thanks any help would be greatly appreciated (need to recreate CD emulation on flash drives) if it is hardware is it possible to get a MSP430 to do it?

  38. usbsniff /that is all


© 2012 McGrew Security Suffusion theme by Sayontan Sinha