Announcement

Collapse
No announcement yet.

Bizarre Thumb Drive partitioning and formats

Collapse
This topic is closed.
X
X
Collapse
 
  • Page of 1
  • Filter
  • Time
  • Show
Clear All
new posts
Previous template Next
    #1

    Bizarre Thumb Drive partitioning and formats

    We bought a car a couple weeks ago and is the way these days, the dealership scans and keeps the signed paperwork and gives you a thumb drive with a the scanned docs on it. I plugged it in this morning to copy the docs to my server for storage, no problems.

    The first odd thing I noticed is it showed up in Dolphin as a 123 MiB fat16 partition. The size struck me as odd. Then I noticed at mounted as SDI (whole device), not SDI1 (a partition)

    Now I'm curious, so I dug in.

    From dmesg:
    Code:
    [FONT=monospace][COLOR=#18B218][Mon Jul 13 08:45:58 2020] [/COLOR][COLOR=#B26818]usb 1-6.3[/COLOR][COLOR=#000000]: new high-speed USB device number 11 using xhci_hcd[/COLOR]
[COLOR=#18B218][Mon Jul 13 08:45:58 2020] [/COLOR][COLOR=#B26818]usb 1-6.3[/COLOR][COLOR=#000000]: New USB device found, idVendor=1221, idProduct=3234, bcdDevice= 0.00[/COLOR]
[COLOR=#18B218][Mon Jul 13 08:45:58 2020] [/COLOR][COLOR=#B26818]usb 1-6.3[/COLOR][COLOR=#000000]: New USB device strings: Mfr=1, Product=2, SerialNumber=3[/COLOR]
[COLOR=#18B218][Mon Jul 13 08:45:58 2020] [/COLOR][COLOR=#B26818]usb 1-6.3[/COLOR][COLOR=#000000]: Product: Flash Disk[/COLOR]
[COLOR=#18B218][Mon Jul 13 08:45:58 2020] [/COLOR][COLOR=#B26818]usb 1-6.3[/COLOR][COLOR=#000000]: Manufacturer: USB2.0[/COLOR]
[COLOR=#18B218][Mon Jul 13 08:45:58 2020] [/COLOR][COLOR=#B26818]usb 1-6.3[/COLOR][COLOR=#000000]: SerialNumber: 2007062017300531[/COLOR]
[COLOR=#18B218][Mon Jul 13 08:45:58 2020] [/COLOR][COLOR=#B26818]usb-storage 1-6.3:1.0[/COLOR][COLOR=#000000]: USB Mass Storage device detected[/COLOR]
[COLOR=#18B218][Mon Jul 13 08:45:58 2020] [/COLOR][COLOR=#B26818]scsi host7[/COLOR][COLOR=#000000]: usb-storage 1-6.3:1.0[/COLOR]
[COLOR=#18B218][Mon Jul 13 08:45:59 2020] [/COLOR][COLOR=#B26818]scsi 7:0:0:0[/COLOR][COLOR=#000000]: Direct-Access     USB2.0   Flash Disk       2.60 PQ: 0 ANSI: 2[/COLOR]
[COLOR=#18B218][Mon Jul 13 08:45:59 2020] [/COLOR][COLOR=#B26818]sd 7:0:0:0[/COLOR][COLOR=#000000]: Attached scsi generic sg9 type 0[/COLOR]
[COLOR=#18B218][Mon Jul 13 08:45:59 2020] [/COLOR][COLOR=#B26818]sd 7:0:0:0[/COLOR][COLOR=#000000]: [sdi] 251904 512-byte logical blocks: (129 MB/123 MiB)[/COLOR]
[COLOR=#18B218][Mon Jul 13 08:45:59 2020] [/COLOR][COLOR=#B26818]sd 7:0:0:0[/COLOR][COLOR=#000000]: [sdi] Write Protect is off[/COLOR]
[COLOR=#18B218][Mon Jul 13 08:45:59 2020] [/COLOR][COLOR=#B26818]sd 7:0:0:0[/COLOR][COLOR=#000000]: [sdi] Mode Sense: 0b 00 00 08[/COLOR]
[COLOR=#18B218][Mon Jul 13 08:45:59 2020] [/COLOR][COLOR=#B26818]sd 7:0:0:0[/COLOR][COLOR=#B21818]: [sdi] No Caching mode page found[/COLOR]
[COLOR=#18B218][Mon Jul 13 08:45:59 2020] [/COLOR][COLOR=#B26818]sd 7:0:0:0[/COLOR][COLOR=#B21818]: [sdi] Assuming drive cache: write through                                                                                                           [/COLOR]
[COLOR=#18B218][Mon Jul 13 08:45:59 2020] [/COLOR][COLOR=#000000] sdi:[/COLOR]
[COLOR=#18B218][Mon Jul 13 08:45:59 2020] [/COLOR][COLOR=#B26818]sd 7:0:0:0[/COLOR][COLOR=#000000]: [sdi] Attached SCSI removable disk[/COLOR]
[/FONT]
    Opened the drive with Partition manager. and it gets really odd:
    • 4 partitions, out of order, separated by 3 sections of unallocated space
    • The 4 partitions show their mount points as /run
    • The 4 partitions show as "Unformatted"



    From Partition Manager, in disk order:

    2018;538988360 Unallocated - 257.01 GiB
    538988361;1077964648; sdi3 - 257.0 GiB
    1077964649;1,394,614,303; Unallocated 150.99 GiB
    1394614304;1394635640; sdi4 - 10.42 MiB
    1394635641;1684955423; Unallocated - 138.44 GiB
    1684955424;3386954047; sdi1 - 811.58 GiB
    1998616933;2542722764; sdi2 - 259.45 GiB

    The partition types are all "unknown" but fdisk shows them as:
    1; 6c
    2; 6e
    3; 79
    4; 53


    The only thing I can think of is it's some sort of encryption scheme but it didn't need a password or anything to access the folder and files. I was able to rename the folder, create a new folder, and copy the files off of it.

    Odd.

    I suspect the sizes are phony and it's not a 2 TiB drive - LOL

    I will eventually wipe it (if I can) an use it as a throw away, but I was curious if anyone had any insight into what was going on before I destroy it.
    Last edited by oshunluvr; Jul 13, 2020, 07:36 AM.

    Please Read Me
    Tags: None
    • Top
    • Bottom
    #2
    SOme USB drives come from teh maker with some crappy program that auto installs in windows on first installation. They are configured to like an autorun cd-rom from the old days.

    Just copy the files off to another device, and verify their integrity. Once that is done, destroy the partition table on the device.
    • Top
    • Bottom

    Comment

      #3
      Yeah, that was the plan. I'd never seen such a wacky setup before so the post was just out of curiosity.

      BTW, I see you have the same affliction I have - "Trailing Pinky Shift Syndrome". It where you capitalize the first TWO letters of a sentence instead of just the first! ROFL

      and yes, I made that up.

      Please Read Me
      • Top
      • Bottom

      Comment

        #4
        Several years ago I saw an ad on Amazon for a set of 3 USB 2.0 16GB memory sticks for $5. I suspected that they were phony but ... When I looked at them with gparted they listed as 16GB. They had a partition setup that was as weird as what you noticed. But, I used a verification program that writes then reads 16Kb at a time till the stick doesn't read back what it just wrote. The three sticks were actually 256Mb

        When I see stuff like that my first thought is that hidden in all that garbage is malware.
        "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
        – John F. Kennedy, February 26, 1962.
        • Top
        • Bottom

        Comment

          #5
          Originally posted by GreyGeek View Post
          Several years ago I saw an ad on Amazon for a set of 3 USB 2.0 16GB memory sticks for $5. I suspected that they were phony but ... When I looked at them with gparted they listed as 16GB. They had a partition setup that was as weird as what you noticed. But, I used a verification program that writes then reads 16Kb at a time till the stick doesn't read back what it just wrote. The three sticks were actually 256Mb

          When I see stuff like that my first thought is that hidden in all that garbage is malware.
          Yeah me too. Had a similar phoney-size experience with a MicroSD card. Seems we "suspended" the "...no free lunch..." adage, right? I thought about that in this case, but what's the point since the car dealership isn't selling thumb drives - no reason to obfuscate the actual size of the drive.

          Malware is possible, but if so it isn't very well hidden - at least not from someone with my amazing skill set, LOL. I did decide right away that I'm not plugging it into a Windows install. Maybe I will to a VM just for fun and see what happens.

          Please Read Me
          • Top
          • Bottom

          Comment

          Previous template Next
          Working...
          X