Monday, May 12, 2008

Booting The Heron from a U3

Well, one day last week, I got bored and decided to tinker with my Sandisk Cruzer Titanium 4GB with U3. Normally, when you jam one of these in your USB port, it shows up as a 6MB CD-ROM drive and the rest of the space as a USB Mass Storage Device (USB Harddrive).

Now, here's the neat thing: It does this all in hardware.
The chipset inside registers as two distinct devices, a CD-ROM with autoplay software for windows with the fancy U3 launchpad, and the actual flash drive. Windows Device Manager shows two devices, and jamming it in my Ubuntu 8.04 installation also displays as two drives. So, thinking about this, I walked over to a friend's PC, rammed it in the front panel USB, hit the power button, and whacked F12 to show the boot drive selection menu.

Imagine my surprise when even the BIOS recognized it as two distinct devices...
So, I started tooling around google, and discovered the "U3 Universal Customizer".
Normally, people would use this to patch in a new ISO under 6MB to replace the existing one.

I began screwing around with some of the other software from the Hak5 site, and poked around with the USB Switchblade & USB Hacksaw software...

Basically, what they are, is a replacement for the 6MB portion of the drive that contains some 'malware' that will bleed a windows system dry -- swipes all the passwords, sets up an encrypted stunnel, and emails it all off to an address of your choice. Interesting, but not terribly useful unless you're a vengeful 14 year old intent on swiping some other kiddie's myspace passwords for fun and pr0fit. Big deal. Since I run Ubuntu primarily now, it wouldn't affect me, even with WINE installed, due to the very nice "This disc has autoplay, do you want to execute it?" dialog.

So I tinkered around with it some more... And then I found out by trial and error that the U3 Universal Customizer can change the domain size of the CD side of the device! The first time I tried this was with a 10MB ISO containing Process Explorer and some other bits including DiskTrix's Ultimate Defrag. From everything I read, I was told this would brick the unit, but I tried anyway. It worked!

So then I figured, hey, wait a minute. If I can shoehorn 10MB on there, what about 700MB?
Well, first try, it didn't work... but LPUninstaller managed to unbork my drive and LPInstaller got me back to the standard U3 Launchpad.

Then I thought... Hey, what if there's a signature stuck on the ISO somewhere that the U3 bits are looking for?

I dug up a copy of MagicISO, which can normally remaster ISOs, opened up cruzer-autorun.iso, deleted everything but the autorun.inf, dropped process explorer in there, edited the autorun.inf, opened up my Ubuntu 8.04 ISO, saved the bootsector to a BIF file, copied all of the files out of the ISO to C:\Ubu804, loaded the bootsector.bif into the cruzer-autorun.iso, and dropped all the files in C:\Ubu804 in there, and ran U3 Universal Customizer...

*45* minutes later, SUCCESS!

So I jammed the drive into my friend's PC, hit the power button, whacked F12 to get to the boot menu, and selected the U3 Titanium CDROM device...

And bricked my pants as Ubuntu's CD Bootloader came up. Hit enter twice, and about 45 seconds later, I'm staring at the Ubuntu 8.04 desktop, grinning my ass off like an idiot. Plus you can use the rest of the Mass Storage side for "persistant" mode! Now if I could just figure out how to get "toram" working again, and dump openoffice from casper, I'd be one happy camper!

To sum it all up:

Edit the existing cruzer-autorun.iso with MagicISO instead of creating a new ISO.
"Burn" the ISO onto the Cruzer with U3 Universal Customizer.

This should work with just about any bootable ISO that doesn't rely on things expecting hard coded ISO9660 LBA addresses.

(And it should even work on an UBCD4Win / BartPE / OpenSolaris Indiana or Nevada /Nexenta ISO under 4096MB!)

The only thing you need is unrestricted access to a Windows NT5.x (Windows 2000 / Windows XP) machine for about an hour.

Good luck, beware of bricking your $50 keychain bootable CD-ROM!