Fun things to do with virtualization #2: Snooping Windows data streams to hardware devices

12/13/06

Permalink 09:10:24 am, Categories: fun  

The other day I got this little USB stick as a present. That evening, walking to my car and reading the product specifications on the packaging, I was surprised by the fingerprinting device included on it. The next day I tried the device by plugging it into my Windows laptop. Never before had I read a manual for using a memory stick, but this device was different. Upon insertion I had two new drives: a CD-ROM drive and a tiny 10MB storage device. An hour later I had finally managed to get the device to recognize all 10 of my fingers, and every once in a while I was able to unlock the device using nothing more than a fingerprint. The manual was correct: you need some practice with the device to open it smoothly. Impressed by the workings of the device, I proudly put it in my bag with my laptop.
Since that day, every once in a while I'd grab for my bag to fingerprint my way to my private data. But last week was different. I needed my private data on my Linux desktop and of course the fingerprinting device refused to work on Linux, and no drivers were available. Sure, I could have decided to open the device on my laptop and simply copy the data from there to my other machine, but that was too easy, so I decided to investigate the device in order to eventually open it on my other machine.

"Easy!" That was my first thought. I searched the Internet for a USB sniffer application and found SnoopyPro, which would do exactly the job I needed. SnoopyPro is a rather old application, but it does its job well. "Watch the magic" is stated in the manual, and indeed it seemed like magic. All data that went back and forth to the device was instantly being logged. I analyzed the log. I analyzed the log again. Nothing!? Was this the right device being monitored? I took another look. Nothing! Opening, closing, even fingerprinting: no new data was being logged! After a while I realized that all data to and from the device was being logged up until the fingerprinting application had started. Somehow the application was able to disable my logging tool. I tried to fool the device drivers into leaving SnoopyPro alone, but I didn't manage.
It was clear to me that the device driver had something to hide, otherwise it wouldn't try so hard to obfuscate the data on the USB bus. The feeling that I would be able to crack the device was getting stronger, if only I were able to log the data on the bus. I sat back and thought for a while. Googling around a little, it occurred to me that the magical answer was "virtualization". All I had to do was run a virtual Windows machine on top of Linux in VMware, then configure the Linux kernel with USB debugging. Now the Windows device drivers no longer had any grip on the data stream, as I was logging the data directly from the USB hardware in the Linux kernel, beneath the guest, and it became very easy to identify the unlock commands in the data stream.
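An added example, not code from the original post: once the Linux kernel is logging the bus beneath the Windows guest, the traffic worth reading is the mass-storage Command Block Wrappers the vendor driver sends, and this Python decoder pulls those CBWs out of a usbmon text trace and names their SCSI opcodes, flagging any in the vendor-specific range. It assumes the kernel-side "USB debugging" is usbmon's "1u" text format; the trace lines and the 0xC1 opcode are constructed for illustration and are not the JetFlash's actual commands.

```python
import re
from dataclasses import dataclass

# Constructed usbmon "1u" text lines (not a real capture). Fields: urb timestamp event
# type:bus:dev:ep status length [= hexdata | < | >]. A control transfer, an INQUIRY CBW
# with its completion, then a CBW whose (constructed) opcode sits in the vendor range.
SAMPLE_TRACE = """\
f7a1c880 1165997301 S Ci:1:004:0 s 80 06 0100 0000 0012 18 <
f7a1c900 1165997302 S Bo:1:004:2 -115 31 = 55534243 01000000 24000000 80000612 00000024 00000000 00000000 000000
f7a1c900 1165997303 C Bo:1:004:2 0 31 >
f7a1ca00 1165997306 S Bo:1:004:2 -115 31 = 55534243 02000000 00020000 80000ac1 00000000 00000200 00000000 000000
"""

USBMON_RE = re.compile(r"^[0-9a-f]+\s+\d+\s+(?P<ev>[SCE])\s+(?P<xfer>[CZIB][io]):\d+:\d{3}:\d+\s+(?P<rest>.*)$")
SCSI_OPCODES = {0x00: "TEST UNIT READY", 0x03: "REQUEST SENSE", 0x12: "INQUIRY",
                0x25: "READ CAPACITY(10)", 0x28: "READ(10)", 0x2A: "WRITE(10)"}

@dataclass
class Cbw:
    tag: int        # dCBWTag, echoed back in the status wrapper
    data_len: int   # dCBWDataTransferLength
    data_in: bool   # bmCBWFlags bit 7 set: data phase is device-to-host
    lun: int
    cdb: bytes      # the SCSI command descriptor block itself

    def describe(self) -> str:
        op = self.cdb[0]
        # 0xC0-0xFF is the SCSI vendor-specific opcode range: the commands to inspect
        # when checking what a vendor's driver actually sends its device.
        name = SCSI_OPCODES.get(op, "VENDOR-SPECIFIC" if op >= 0xC0 else "UNKNOWN")
        return (f"tag={self.tag} lun={self.lun} {'IN' if self.data_in else 'OUT'} "
                f"{self.data_len}B op=0x{op:02X} {name} cdb={self.cdb.hex()}")

def parse_cbw(data: bytes):
    """Decode a 31-byte Bulk-Only Transport CBW; return None if the bytes are not one."""
    if len(data) != 31 or data[:4] != b"USBC":
        return None
    tag = int.from_bytes(data[4:8], "little")
    data_len = int.from_bytes(data[8:12], "little")
    cb_len = data[14] & 0x1F
    return Cbw(tag, data_len, bool(data[12] & 0x80), data[13] & 0x0F, data[15:15 + cb_len])

def extract_cbws(trace: str):
    """Return every CBW in a usbmon text trace; only bulk-OUT submissions carry them."""
    cbws = []
    for line in trace.splitlines():
        m = USBMON_RE.match(line)
        if m and m["ev"] == "S" and m["xfer"] == "Bo" and " = " in m["rest"]:
            cbw = parse_cbw(bytes.fromhex(m["rest"].split(" = ", 1)[1].replace(" ", "")))
            if cbw:
                cbws.append(cbw)
    return cbws
```

Feed it the output of usbmon's text interface for the bus the VM's USB device is attached to and every command the guest driver issues is listed with its opcode, so non-standard ones stand out from ordinary reads and writes.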

Thanks to plscsi for supplying the open source world with a tool to execute SCSI commands from the shell, and to http://nshmyrev.narod.ru/myflash/adata-myflash-fp1.html for inspiring me (a lot, especially regarding the plscsi tool) with what appears to be a largely identical device.

For a full disclosure on how to open up the Transcend JetFlash 210, please read my security blog entry.
