Hacking the SanDisk U3

by dohboy

Upon first installation of my new drive (SanDisk Cruzer Micro 2 GB), I found the application that was autoloaded, Launchpad, to be a bit clunky and cumbersome.  Of course, I was using an older machine at work which was at end of life cycle a year prior.  The graphical features were nice, and the concept was fantastic.  To me, it seemed to be an attempt at a portable operating system in that you could transport all of your applications given they remain on the drive.  This considered, the removal additional drive became necessary as my position required hopping from machine to machine.  Waiting for the drive to install each time meant wasting time.

While the scope of this article is not to be a tutorial about U3 removal, you can go to www.u3.com/uninstall/ to remove the U3 if that is your choosing.  To my knowledge, this will permanently remove the U3 with no way of reinstalling it at a later date.  Doing this will negate the remainder of this article.  Please note: in no way am I responsible for you breaking your drive as a result of the procedures below.

Basic Information

There are some basic things you should know about the U3 Smart Drive.  The U3 comes pre-partitioned.  Most of the device is a FAT partition with a hidden SYSTEM file.  SYSTEM is where all of your programs are stored.  The last four to six megabytes± are allocated to an ISO-9660 partition that emulates a CD-ROM drive.  Within the CD-ROM partition, there is an AUTORUN.INF which kicks the installation of the Launchpad.  The Launchpad is your main location for management of applications installed on the drive as well as file management and data encryption.  The U3 runs on (almost) any PC running Windows 2000 SP4+, XP, and Vista.

Some of the features of this include not needing admin rights to install new software and portability.  Some of the negative aspects of these drives are the need to two separate drive letters, sometimes trace files that are left on the host PC after improper removal, and the wait time needed for the initial installation of the U3 (in some cases, up to three minutes from personal experience).

The CD-ROM partition on the SanDisk Micro cannot be written to like a normal CD.  There is some amount of reverse-engineering involved, however, if you can run MagicISO, by the end of this short article, you should be able to re-write your U3.  I began looking for ways to remove the drive and found various other tools that I could use.

Tools Needed:

First, you will need to download the LPInstaller.  LPInstaller is required to write the CD-ROM partition: www.sandisk.com/Retail/Default.aspx?CatID=1411 or you can visit my site at here.

Second, you will need to write an ISO that the LPInstaller will use to "burn" to the U3's CD-ROM.  You can do this with the help of...

Third, MagicISO.  Even if you do not have the full version, the trial version allows you to create an image smaller than 400 MB.

That's it.

Re-Writing the U3

Some have tried to rewrite the U3 by craftily using Linux, some have attempted this using some fancy host file modification to mimic the SanDisk Webserver, but all you really have to do is save the image you have created as CRUZER-AUTORUN.ISO in the same directory as the LPInstaller.

Once the LPInstaller is run, it will grab the CRUZER-AUTORUN.ISO and use it since it believes this file has already been downloaded.  If this file is not in that location, as long as there is an Internet connection available, LPInstaller will go to the SanDisk website and download the most up to date version of the Launchpad.  You can see what Launchpad tries to connect to using Ethereal.  There is a limitation to the size of the image: 6.2 MB.  I have tried larger but only got errors.

Remember, the image must be named CRUZER-AUTORUN.ISO and be in the same directory as LPInstaller.  LPInstaller will write the ISO to the CD-ROM partition.  I probably don't have to mention it, but make sure the U3 is actually plugged into the computer before running LPInstaller.  In my line of work, I am used to working with the lowest common denominator.

Tips

In AUTORUN.INF:

[AutoRun] 
open = "program.exe"
icon = .\dohboy.ico,0

Save the above information changing PROGRAM.EXE with any globally executable application on the host machine or any application on the U3 partition.  For instance, if you have an application on the U3 called HAXOR.EXE in the root directory of the CD-ROM partition, you would reference it using .\HAXOR.EXE, etc.  Autorun will have to be in the root directory, just like with any Autorun file.

Visual Basic Script, albeit slower and uglier, is my code of choice.  These files are easy to create and can be launched as long as Wscript or Cscript are on the host machine.  If they are not, either can also be written to your partition, you are only losing 112 kB doing so.

Implementations

Thus far, I have written various scripts and applications for the U3 which make my job easier and my life more fun.  One such script will allow me to track my U3 if it is lost or stolen.  This was done using the script at the end of the article or on my website at www.dohboy.net.  This script will send me an email with the login, domain, local IP address, public IP address, registered owner, and other information.  This is only if the user is currently connected to the Internet and has no limitation on their ability to connect to my SMTP server.  I plan on developing a free service that would allow a user to track their U3 in the event that it was lost or stolen via my website.  It is a work in progress.

Scripts that would allow you to poll information and write them to a file located on the FAT partition.  How is that possible if the drive letter could be different from machine to machine?  Make the script search for a file from all possible drives and append information when found.  Various other scripts like this can be found on my site as well.

Another implementation of mine was a keylogger.  I used C++ to create an invisible application called "SQUID.EXE" (I might post this on my website) that logged keys.  The way it worked was to load upon launch and log keys.  Once the thumbdrive was plugged back into the machine, Squid would know that the drive was plugged in again, and would search for a specific file in the root of the FAT partition.  After the file was written, Squid would exit with garbage cleanup.  No files on the host computer would be created.

Rewrite the AUTORUN.INF to open a shutdown sequence for fun.  (Example: "shutdown -r -t 00")

Conclusion

While some of these implementations are fairly tame, there are potentially far more dangerous scripts and programs that can be written.  My Squid was a fairly slow application since I only wrote it to test what I could do.  While it performed as I had planned, it could have been optimized to be quite a bit faster and run without using as much system resource.

This article focused mainly on the SanDisk because of its vulnerability with LPInstaller; there is a possibility the partition on any U3 could be rewritten.  More information on hardware, specifically the HDK) could be obtained by emailing licensing@u3.org.  Have fun with your U3 and try not to get in trouble using it.

Above referenced VBScript: getInfo.vbs

Sample ISOs

All issues regarding this webpage can be sent to dohboy@dohboy.is-a-geek.com

Return to $2600 Index