
The amazing Kingston DataTraveler DT6000 USB flash drive, and recovering the data lost when it failed

Greetings, dear Habr readers. I am Artem Makarov aka Robin, a leading engineer at Hardmaster, specializing for many years in data recovery from all kinds of media. Today I would like to share with you the story of recovering files from one very curious flash drive. I hope to get your feedback in the comments.

Despite the huge pile of devices that has passed through my hands, I had never run into a task like the one described below.

Preamble


So, the Kingston DT6000 USB flash drive, declared by the manufacturer to be reliable file storage that uses the strong AES-256 algorithm and carries FIPS 140-2 Level 3 certification.

Logically, the drive is laid out as follows: a 68-megabyte partition formatted as FAT16 acts as a sort of bootstrap. When the device is connected to a PC, autorun fires (or the user is prompted to start the executable):


After that, the following window comes to the fore:



Enter the password and, voilà, a hidden partition is mounted, with carefully hidden photos and videos of the usual content.

But one bad day the user ran into trouble: he inserted the flash drive, and the "bootloader" partition was empty. He had the password, but there was simply nowhere to enter it. The drive was brought to us for diagnosis.

First of all, after connecting the drive to a test PC and opening my favorite hex editor, WinHex, I went to the list of physical disks. There are two volumes. The first is empty and, most importantly, in read-only mode! The second is inaccessible. I took an image of the first partition and analyzed it. Both copies of the FAT table are missing from their normal place.



That is, you can say goodbye to getting the files off the "boot partition" with their names and directory structure. "Rough recovery", i.e. recovery by known file headers (also called raw recovery or carving), managed to pull out a certain zip archive and a PDF. From the content of the latter it became clear how everything was arranged and what was missing from the boot partition.
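The check I describe above, reading the BPB and looking at whether the FAT copies are where they should be, can be done programmatically on a partition image. The following Python is an added example of my own for this article, not code from Kingston or from the original tooling; it builds a small constructed FAT16 image (not the DT6000 dump), optionally wipes both FAT copies the way they were found on the drive, and reports a verdict:

```python
import struct
from typing import Dict, List

SECTOR = 512


def build_fat16_image(zero_fats: bool = False) -> bytearray:
    """Construct a minimal 16 MiB FAT16 volume (sample data, not the DT6000 dump):
    1 reserved sector, 2 FATs of 32 sectors each, 512 root entries, 4 sectors/cluster.
    With zero_fats=True both FAT copies are wiped, mimicking what was found on the drive."""
    total, spc, reserved, nfats, root_entries, spf = 32768, 4, 1, 2, 512, 32
    img = bytearray(total * SECTOR)
    img[0:3] = b"\xeb\x3c\x90"                 # jump instruction
    img[3:11] = b"MSDOS5.0"                    # OEM name
    struct.pack_into("<HBHBHHBH", img, 11, SECTOR, spc, reserved, nfats,
                     root_entries, total, 0xF8, spf)
    img[38] = 0x29                             # extended boot signature
    img[43:54] = b"NO NAME    "
    img[54:62] = b"FAT16   "
    img[510:512] = b"\x55\xaa"
    if not zero_fats:
        for i in range(nfats):
            off = (reserved + i * spf) * SECTOR
            img[off:off + 4] = b"\xf8\xff\xff\xff"   # FAT[0] = media byte | 0xFF00, FAT[1] = end-of-chain
    return img


def parse_bpb(img: bytes) -> Dict[str, object]:
    """Parse the BIOS Parameter Block of a FAT12/16 boot sector."""
    bs = bytes(img[:SECTOR])
    if len(bs) < SECTOR or bs[510:512] != b"\x55\xaa":
        raise ValueError("boot sector signature 0x55AA missing")
    bps, spc, reserved, nfats, root_entries, tot16, media, spf = struct.unpack_from("<HBHBHHBH", bs, 11)
    tot32 = struct.unpack_from("<I", bs, 32)[0]
    if bps not in (512, 1024, 2048, 4096) or nfats == 0 or spf == 0:
        raise ValueError("BPB fields out of range: the boot sector itself is probably damaged")
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc, "reserved": reserved,
            "num_fats": nfats, "root_entries": root_entries, "total_sectors": tot16 or tot32,
            "media": media, "sectors_per_fat": spf,
            "fs_type": bs[54:62].decode("ascii", "replace").strip()}


def check_fat_tables(img: bytes) -> Dict[str, object]:
    """Read every FAT copy named by the BPB and report whether it is present, zeroed or inconsistent."""
    p = parse_bpb(img)
    fat_len = p["sectors_per_fat"] * p["bytes_per_sector"]
    fats: List[bytes] = []
    for i in range(p["num_fats"]):
        off = (p["reserved"] + i * p["sectors_per_fat"]) * p["bytes_per_sector"]
        fats.append(bytes(img[off:off + fat_len]))
    # FAT[0] must hold the media byte padded with 0xFF; only the low byte of FAT[1] is checked,
    # because some drivers use the high bits of FAT[1] as dirty/error flags.
    head = bytes([p["media"], 0xFF, 0xFF])
    present = [f[:3] == head for f in fats]
    zeroed = [not any(f) for f in fats]
    identical = all(f == fats[0] for f in fats)
    if all(present) and identical:
        verdict = "intact"
    elif all(zeroed):
        verdict = "fats_missing"        # both copies gone: cluster chains are lost, carve by headers instead
    elif any(present):
        verdict = "one_copy_usable"     # rebuild from the surviving copy before touching anything else
    else:
        verdict = "fats_damaged"
    return {"fs_type": p["fs_type"], "fat_copies": len(fats), "present": present,
            "zeroed": zeroed, "copies_identical": identical, "verdict": verdict}


if __name__ == "__main__":
    print(check_fat_tables(build_fat16_image()))
    print(check_fat_tables(build_fat16_image(zero_fats=True)))
```

Run it on a real image with `check_fat_tables(open("partition.img", "rb").read())`; a "fats_missing" verdict is exactly the situation described above, where the only remaining route is carving by file headers.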

Considering that the manufacturer locks the partition against writes, accidental formatting by the user was out of the question; in this case the most likely reason for the partition being "zeroed" is a failure in the NAND controller's translation tables, as a result of which some of the correct blocks were replaced by "alternative" ones.

This effect is called a "pseudo-logical flash drive problem": it looks like a glitch at the file-system level while in fact being a hardware malfunction. So, most likely, the flash drive would have to be moved to the pathologist's table and subjected to an autopsy, in order to desolder the memory chip(s) and try to assemble something meaningful from the dumps read out of them.

At that point I did not rack my brains over the encryption, or over how to assemble dumps with encrypted content in general.

Problems are meant to be solved as they appear, so the first thing to do was to find DT6000_Launcher together with its whole environment. The corresponding download section on the manufacturer's website was empty. Logical enough: why offer files for download if you are not supposed to be able to write them (see the write lock above)? I put out a call to colleagues. The necessary files were sent over. The next problem was telling the launcher where our encrypted partition is.

Attempts to unlock the FAT16 partition on the flash drive itself with OS tools and write the launcher onto it were not successful. Attempts to run the launcher from another medium and point it at the flash drive under investigation were likewise unsuccessful. Further hardware intervention in the innards of the DataTraveler became inevitable.

“Well, today we will have several sensations ...” (c)


After removing the outer plastic case, the investigator’s inquiring gaze revealed this:



With the exception of the USB connector, everything is potted in plastic. It could be removed with the help of a hot-air soldering station, heating area after area to a temperature of about 150 °C, after which the plastic began to slowly soften and break off in small pieces. Wielding dental hooks and a scalpel, feeling like an archaeologist, I cleaned one side of the plastic. I saw the following:



An ARM controller LPC3131FET180, a 3S500E FPGA from Xilinx (an FPGA, i.e. a programmable logic device), a ROSETTA crypto module from Spyrus, and an Atmel 25DF081A serial flash (ROM). Time to take on the other side, because the NAND memory we are after has not been found yet.

I start cleaning the second side. Something shiny appears. A crystal? Does not look like it. A couple more sweeping blows of the hammer and chisel, a look under magnification: a card reader!



Looks like the crisis has hit Kingston too. In order not to bother with the hardware implementation of a full-fledged flash drive, the eagles at the Kingston corporation bought a batch of microSD cards from Uncle Liao at a reasonable price, bolted on a crypto board, and generously potted everything in fast-setting plastic. So that nobody would guess. Given the impressive prices at which this DT6000 is sold on that same Yandex.Market, the manufacturer's margin is obvious.

I dig out the microSD card; everything is potted in plastic and glued on all sides. I clean off the leftovers; apart from the surrounding circuitry there is nothing else to look at.



Finish line


I insert the microSD card recovered from the rubble into a card reader. The card is detected with all its 16 gigs. Starting from sector zero: white noise, characteristic of encryption.



From roughly the middle onwards: zeros. I scroll further down. Oops, here is our "boot" partition! I determined the start and end of the partition and compared it with the image taken earlier, back when the orphaned microSD was still a purebred Kingston DataTraveler: no differences found.



In view of the newly discovered circumstances, the initial hypothesis of block substitution in the NAND translation table is given the status "untenable", and its place is taken by the assumption of a failure in the crypto module, which is also what builds the logical layout of the microSD as presented over the DT6000's USB interface.

I take a working 32 GB USB flash drive. For the purity of the experiment, in that same WinHex I fill it with zeros from top to bottom. I write onto it the partition extracted earlier. Onto that I write the hard-won launcher, dt6000.zip and manifest.xml. I start it and enter the password: a message that the encrypted partition was not found or is damaged.

Starting at the sector that follows the last sector of the "boot" partition, I write the image of the entire encrypted microSD in full.
I launch the launcher, enter the password. Bingo! Encrypted partition found and mounted.



All the user's files are in place and can be copied.
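The last few steps, locating the regions on the card image (noise, zeros, the FAT16 "boot" partition) and then laying the donor drive out as boot partition at LBA 0 followed by the complete card image at the very next sector, are mechanical enough to script. The Python below is an added example written for this article, not Kingston's code or part of the launcher; it works on a small constructed card image rather than the real 16 GB dump, uses a 64 KiB classification window and a 7.9 bits/byte entropy threshold that are my own choices, and the donor size is given as a sector count:

```python
import math
import os
from collections import Counter
from typing import List, Tuple

SECTOR = 512
WINDOW = 64 * 1024          # classification granularity (my assumption, not from the article)
NOISE_THRESHOLD = 7.9       # bits per byte; uniform random data sits at ~7.99


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for all-zero data, close to 8.0 for ciphertext."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_regions(img: bytes) -> List[Tuple[int, int, str]]:
    """Walk the image in WINDOW steps, label each window and merge runs of equal labels.
    Returns (first_sector, end_sector_exclusive, label) with label 'zeros', 'noise' or 'structured'."""
    regions: List[Tuple[int, int, str]] = []
    for off in range(0, len(img), WINDOW):
        chunk = img[off:off + WINDOW]
        if not any(chunk):
            label = "zeros"
        elif entropy(chunk) > NOISE_THRESHOLD:
            label = "noise"        # the "white noise characteristic of encryption"
        else:
            label = "structured"
        start, end = off // SECTOR, (off + len(chunk)) // SECTOR
        if regions and regions[-1][2] == label:
            regions[-1] = (regions[-1][0], end, label)
        else:
            regions.append((start, end, label))
    return regions


def find_fat16_partition(img: bytes, regions: List[Tuple[int, int, str]]) -> Tuple[int, int]:
    """Scan 'structured' regions sector by sector for a FAT16 boot sector; the BPB total-sector
    count gives the partition length. Returns (first_sector, last_sector) inclusive."""
    for start, end, label in regions:
        if label != "structured":
            continue
        for lba in range(start, end):
            s = img[lba * SECTOR:(lba + 1) * SECTOR]
            if s[510:512] == b"\x55\xaa" and s[54:59] == b"FAT16":
                total = int.from_bytes(s[19:21], "little") or int.from_bytes(s[32:36], "little")
                return lba, lba + total - 1
    raise ValueError("no FAT16 boot sector found in structured regions")


def assemble_composite(boot_part: bytes, card_img: bytes, donor_sectors: int) -> bytearray:
    """Lay out the donor drive: zero-filled, boot partition at LBA 0, and the complete card image
    starting at the sector immediately after the boot partition's last sector."""
    boot_sectors = -(-len(boot_part) // SECTOR)          # ceiling division
    out = bytearray(donor_sectors * SECTOR)
    card_off = boot_sectors * SECTOR
    if card_off + len(card_img) > len(out):
        raise ValueError("donor drive too small for boot partition plus card image")
    out[:len(boot_part)] = boot_part
    out[card_off:card_off + len(card_img)] = card_img
    return out


BOOT_SECTORS = 1024   # constructed boot partition: 512 KiB instead of the real 68 MB


def build_sample_card() -> bytes:
    """Constructed 4 MiB card image: 2 MiB random bytes standing in for ciphertext, 1 MiB zeros,
    a 512 KiB FAT16 'boot' partition with some recognisable text, then zeros to the end."""
    boot = bytearray(SECTOR)
    boot[19:21] = BOOT_SECTORS.to_bytes(2, "little")     # BPB total sectors
    boot[54:62] = b"FAT16   "
    boot[510:512] = b"\x55\xaa"
    body = (b"DT6000_Launcher.exe dt6000.zip manifest.xml " * 800).ljust((BOOT_SECTORS - 1) * SECTOR, b"\0")
    return os.urandom(2 * 1024 * 1024) + bytes(1024 * 1024) + bytes(boot) + body + bytes(512 * 1024)


def recover_layout(card_img: bytes, donor_sectors: int):
    """Classify the card, cut out the boot partition, and build the composite donor image."""
    regions = classify_regions(card_img)
    first, last = find_fat16_partition(card_img, regions)
    boot_part = card_img[first * SECTOR:(last + 1) * SECTOR]
    return regions, (first, last), assemble_composite(boot_part, card_img, donor_sectors)


if __name__ == "__main__":
    regions, bounds, composite = recover_layout(build_sample_card(), donor_sectors=16384)
    print(regions, bounds, len(composite))
```

On a real card, `classify_regions` is what replaces scrolling through WinHex by eye, and `assemble_composite` produces the image that is then written to the zeroed donor stick; the launcher files still have to be copied onto the boot partition by hand, as described above.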

Source: https://habr.com/ru/post/250327/

