从调试数据分析USB通信协议——USB存储介质【U盘】(二)
————使用BusHound抓包分析
下面是我以闪迪CZ80型号U盘经过FAT32格式化后插入时,通过Bus Hound抓取的USB通信数据[之所以经过格式化,是为了更清楚的看到跟u盘自身相关的通信内容及文件系统的引导内容,而用老美的U盘来测试,是因为小编认为协议方面,老美的U盘应该会做的标准一点,前面其实小编也用过同事的国产山寨U盘,里面的产品信息等内容一片混乱,最后实在分析不下去了,现在只记得那个U盘是循SPC-2协议的,传输最大长度为512字节],以下截选自书籍《圈圈教你玩USB》。
Bus Hound 6.01 capture on Windows Vista (x64). Complements of www.perisoft
Device - Device ID (followed by the endpoint for USB devices)
(16) USB Mass Storage Device
(17) SanDisk Extreme [ROM=0001]
Phase - Phase Type
ATA ATA task file command RESET bus reset
CMD SCSI/ATAPI command SSTS SCSI request block status
CTL USB control transfer USTS USB status
IN Data in transfer ok command complete
OUT Data out transfer
Data - Hex dump of the data transferred
Descr - Description of the phase
Cmd... - Position in the captured data
//注意以下数据包中PID部分数据已经被剔除了,如IN的令牌包的PID值为01101001b,通常令牌和位填充,以及NRZI都由IC自动实现
//紧跟在PID后的是标准设备请求的数据结构,其中bmRequestType占一个字节,如下面的80,表示请求特性为主机到设备,请求类型为标准,请求接收者为设备。
//bRequest请求码占一个字节,如下表所示:
//需要注意的是以上wValue,wIndex,wLength都是两个字节长度,且都是低字节在前,高字节在后。
Device Phase Data Description Cmd.Phase.Ofs(rep)
------ ----- -------------------------------------------------- ---------------- ------------------
16.0 CTL 80 06 00 01 00 00 12 00 GET DESCRIPTOR 1.1.0 //80 06 00 01获取设备描述符,长度为0x12=18个字节
//主机发送令牌包请求设备描述符以后,设备就会返回相应的设备描述符数据,具体数据内容如上表所示。因此如下返回的IN数据包指示了如下信息:(1)USB协议版本采用的是BCD编码,此处为0x0300(低字节在前,即3.00).(2)所使用的类代码,子类代码,协议均为0x00.(3)端点0最大包长为9(0x09)字节.(4)厂商ID为0x0781.(5)产品ID为0x5580.(6)设备版本号为0x0010,若采用的是BCD编码,即为0.10.(7)厂商字符串索引,产品字符串索引,产品序列号索引依次为1,2,3(8)该设备可能的配置只有1种配置
16.0 IN 12 01 00 03 00 00 00 09 81 07 80 55 10 00 01 02 ...........U.... 1.2.0
03 01 .. 1.2.16
16.0 CTL 80 06 00 02 00 00 09 00 GET DESCRIPTOR 2.1.0 //80 06 00 02获取配置描述符,获取的长度为9个字节
//主机发送令牌包请求配置描述符以后,设备就会返回相应的配置描述符数据,具体数据内容如上表所示。因此如下返回的IN数据包指示了如下信息:(1)配置描述符的集合总长度为0x002c,即44字节长度.(2)该配置仅支持一个接口.(3)该配置的值为1.(4)描述该配置的字符串索引值取0,即表示没有字符串.(5)设备的属性为0x80,即表示设备是总线供电的.(6)设备所需的电流为0x32*2=100mA
16.0 IN 09 02 2c 00 01 01 00 80 32 ..,.....2 2.2.0
16.0 CTL 80 06 00 02 00 00 2c 00 GET DESCRIPTOR 3.1.0 //根据配置描述符集合总长度再一次获取完整的描述符集合信息
关于以上bInterval,作者我也是醉了,居然让我参看USB2.0协议,好吧,我打开【官方文档\usb官方协议文档\usb_20.pdf】文件的第269页默默看到如下内容:
由于是USB3.0的超速端点,作者我又查了一下【官方文档\usb官方协议文档\USB 3 0 (11132008)-final.pdf】文件的9-45有如下内容:
//主机再次发送令牌包来请求完整的配置描述符集合信息,根据如下返回的IN数据包指示了如下信息:【1】接口描述符信息:(1)当前接口编号为0,接口的备用编号也为0.(2)该接口使用两个端点.(3)该接口所使用的类为0x08[大容量存储设备类],子类为0x06[SCSI通明命令集],协议为0x50[仅批量传输协议].(4)该接口没有使用字符串来描述.【2】端点描述符1:(1)该端点为输入端点,且端点地址为0x01.(2)该端点采用的是批量传输.(3)端点所支持的最大包长度为0x0400,即1024字节.(4)根据以上官方协议文档,所以这里的0x00,意思是该超速端点不会返回NAK.【3】端点1的超速端点附加信息:(1)长度为0x06,即6个字节.(2)超速端点标识码为固定的0x30.(3)端点单次可以接收的突发包个数为0x0f,即16个包.(4)由于端点为批量bulk传输端点,因此这里表示端点没有定义支持的最大数据流数.(4)由于这个字段只有周期端点有效,因此我们这里填0.【4】端点描述符2:(1)该端点为输出端点,且端点地址为0x02.(2)该端点采用的是批量传输.(3)端点所支持的最大包长度为0x0400,即1024字节.(4)这里0x00意思是该超速端点不会返回NAK.【5】端点2的超速端点附加信息:(1)长度为0x06,即6个字节.(2)超速端点标识码为固定的0x30.(3)端点单次可以发送的突发包个数为0x0f,即16个包.(4)由于端点为批量bulk传输端点,因此这里表示端点没有定义支持的最大数据流数.(4)由于这个字段只有周期端点有效,因此我们这里填0.
16.0 IN 09 02 2c 00 01 01 00 80 32 09 04 00 00 02 08 06 ..,.....2....... 3.2.0
50 00 07 05 81 02 00 04 00 06 30 0f 00 00 00 07 P.........0..... 3.2.16
05 02 02 00 04 00 06 30 0f 00 00 00 .......0.... 3.2.32
//关于USB字符串描述符可以参考博文【USB经典博文\USB字符串描述符- Tracy Mcgrady的专栏- CSDN博客,地址http://blog.csdn/mcgrady_tracy/article/details/8164587】,这里我们注意到80 06 00 03中,0x03为字符串描述符标识,而索引值为0x00,前面我们已经知道厂商字符串,产品字符串,产品序列号的字符串描述符索引依次为1/2/3,而这里0则表示获取语言ID,首先我们尝试性的获取了一下语言ID信息,并得知该信息数据包共占4个字节,然后我们再次发送此令牌包,重新获取完整的语言ID信息。美式英语的语言ID值为0x0409,而此处我们获得的语言ID正是美式英语。[毕竟老美的U盘,怎么可能不是0x0409呢]
16.0 CTL 80 06 00 03 00 00 02 00 GET DESCRIPTOR 4.1.0//80 06 00 03尝试获取含语言ID信息的字符串描述符
16.0 IN 04 03 .. 4.2.0
16.0 CTL 80 06 00 03 00 00 04 00 GET DESCRIPTOR 5.1.0//80 06 00 03再次获取完整的含语言ID信息的字符串描述符
16.0 IN 04 03 09 04 .... 5.2.0 //所用语言为美式英语
//接下来我们尝试获取索引值为0x03的字符串描述符【即产品序列号】,而后面的09 04指示的正是前面我们获知的语言类型【即美式英语】
//尝试获取以后,我们就再次发送来获取完整的信息,由于是Unicode编码,因此此处的产品序列号即AA010314151502060195.
16.0 CTL 80 06 03 03 09 04 02 00 GET DESCRIPTOR 6.1.0
16.0 IN 2a 03 *. 6.2.0
16.0 CTL 80 06 03 03 09 04 2a 00 GET DESCRIPTOR 7.1.0
16.0 IN 2a 03 41 00 41 00 30 00 31 00 30 00 33 00 31 00 *.A.A.0.1.0.3.1. 7.2.0
34 00 31 00 35 00 31 00 35 00 30 00 32 00 30 00 4.1.5.1.5.0.2.0. 7.2.16
36 00 30 00 31 00 39 00 35 00 6.0.1.9.5. 7.2.32
//接下来我们要选择激活一种配置,小编我在usb_20.pdf文档中第257页找到以下说明
16.0 CTL 00 09 01 00 00 00 00 00 SET CONFIG 8.1.0//00 09 01 00设置配置 ,配置值为1,即第一种配置
//接下来选择接口
16.0 CTL 01 0b 00 00 00 00 00 00 SET INTERFACE 9.1.0 //01 0b 00 00设置接口 ,为接口0指定默认配置
//[a1 fe]根据前面介绍设备描述符时对USB标准设备请求的字段解释,这里表示的是主机向设备的接口0请求类输入数据[因此后续数据传输方向是设备到主机], 请求的数据长度为256个字节.
16.0 CTL a1 fe 00 00 00 00 01 00 GET MAX LUN 10.1.0
//返回0表示该U盘只有一个逻辑单元
16.0 IN 00 . 10.2.0
//很明显USBC的ASCII码,因此这里就是CBW结构无疑了,而这里CBW的标签就是[10 00 d5 2b],即0x2bd50010,需要在数据阶段传输数据的字节数即0x00000024,共36字节。接下来是CBW的数据传输方向标志,这里是0x80,即输入数据,传输的目标逻辑单元编号为0[这里只有一个逻辑单元],CBWCB的长度为6字节。后面跟的16字节实际上是一段SCSI命令,既然提到了SCSI命令集,不展开来讲讲看来是无法理解后面的部分了。这里小编从书里面截取了很大一部分概念来说明后面的内容。
16.2 OUT 55 53 42 43 10 00 d5 2b 24 00 00 00 80 00 06 12 USBC...+$....... 11.1.0
00 00 00 24 00 00 00 00 00 00 00 00 00 00 00 ...$........... 11.1.16
\\这里小编我要提一下,上面表格中的RAM是书中打印错误,应该是RMB,盗版书?书审校不过关?
//结合上面这一段关于UFI查询命令INQUIRY的说明,我们回过头来再看看上面一段输出数据的后16字节,很明显操作码为0x12,恰是查询命令操作码,但是这里我要说一下了,上面这本书是比较老的,USB关于这一部分更新了很多个版本,从UFI到SPC到SPC-2,一直到现在的SPC-4,中间更新了一些内容了,如果继续按照上面的字段来进行分析是不对的了,我在分析这个地方的时候也是一直发现有问题,直到我查看最新的SPC-4协议,才能正确的理解该U盘这部分的字段和返回的数据,参考文件【官方文档\spc4r25.pdf】的第256页,有如下内容:
从以上SPC-4的协议中,我们首先可以看出,在上面的CBW命令中,EVPD为0,页码也为0,返回数据分配的存储空间长度为36字节。跟INQUIRY的说明是完全吻合的,接下来我们再来看下下面的响应数据。
\\首先外设类型为直接寻址设备,且连接到了逻辑单元,且是可移除的存储媒介,然后version这个段是只有在SPC-4以上版本里面才会取6这个值的,这也是我之前一直觉得有问题的地方,因为我之前看的是老协议,通过查看SPC-4协议的说明,很明显这里我们取的是this standard(当前这个标准,这里指代的就是SPC-4),而响应数据格式为0x12,即hisup为1[使用分层地址模型],response data format为2,附加数据长度为91+4+1=96字节。厂商信息为SanDisk,产品信息为Extreme,修订版本号为0001.
16.1 IN 00 80 06 12 5b 00 00 00 53 61 6e 44 69 73 6b 20 ....[...SanDisk 12.1.0
45 78 74 72 65 6d 65 20 20 20 20 20 20 20 20 20 Extreme 12.1.16
30 30 30 31 0001 12.1.32
//同理USBS的ASCII码,因此这里就是CSW结构无疑了,而这里CSW的标签也是[10 00 d5 2b],即0x2bd50010,跟前面的CBW命令的标签是一致的,表示回应之前CBW命令的执行情况,命令完成时的剩余字节数为0,CSW即返回的状态命令,最后一个字节为0,即表示之前获取的CBW命令成功执行。
16.1 IN 55 53 42 53 10 00 d5 2b 00 00 00 00 00 USBS...+..... 13.1.0
//USBC的ASCII码,又一个CBW指令,这里CBW的标签是[d0 a1 20 2d],需要在数据阶段传输的字节数为96字节。传输方向为输入数据,传输的目标逻辑单元编号为0[只有一个逻辑单元],CBWCB的长度为6字节。后面跟的16字节依然是INQUIRY命令,给返回数据分配的空间也是96字节,没毛病,而返回的CBW数据信息前半部分与之前无异。这里我们继续来看看后半部分,参照SPC-4协议,Vendor specific没有什么特殊信息,我们重点看看版本描述符表,里面支持的协议版本有0x1730,0x0080,0x04c0,0x0460,0x1ee0,0x1623,我仅将这些版本列在了下面的截图中,由于版本太多,其他的请去查【官方文档\spc4r25.pdf】文件第262页,至于返回的CSW状态命令除了标签跟着CBW指令变化了以外,其他也没什么可说的。
16.2 OUT 55 53 42 43 d0 a1 20 2d 60 00 00 00 80 00 06 12 USBC.. -`....... 14.1.0
00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 ...`........... 14.1.16
16.1 IN 00 80 06 12 5b 00 00 00 53 61 6e 44 69 73 6b 20 ....[...SanDisk 15.1.0
45 78 74 72 65 6d 65 20 20 20 20 20 20 20 20 20 Extreme 15.1.16
30 30 30 31 00 00 00 00 00 00 00 00 00 00 00 00 0001............ 15.1.32
00 00 00 00 00 00 00 00 00 00 17 30 00 80 04 c0 ...........0.... 15.1.48
04 60 1e e0 16 23 00 00 00 00 00 00 00 00 00 00 .`...#.......... 15.1.64
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 15.1.80
16.1 IN 55 53 42 53 d0 a1 20 2d 00 00 00 00 00 USBS.. -..... 16.1.0
//USBC,CBW指令,CBW的标签是[10 90 8c 2f ],需要在数据阶段传输的字节数为0字节。传输方向为输出数据,传输的目标逻辑单元编号为0[只有一个逻辑单元],CBWCB的长度为12字节。后面跟的16字节是安全协议命令[参看SPC-4命令说明中第363页],如上:
16.2 OUT 55 53 42 43 10 90 8c 2f 00 00 00 00 00 00 0c a2 USBC.../........ 17.1.0
00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 ............... 17.1.16
16.1 USTS c0000004 stall pid 18.1.0
16.1 RESET 19.1.0
//但是闪迪的U盘似乎并不支持以上指令,从CSW状态指令看出,这里重试很多次失败以后,就放弃执行该指令,转去执行其他内容了
16.1 IN 55 53 42 53 10 90 8c 2f 00 00 00 00 01 USBS.../..... 20.1.0
16.2 OUT 55 53 42 43 60 17 f6 2b 00 00 00 00 00 00 0c a2 USBC`..+........ 21.1.0
00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 ............... 21.1.16
16.1 USTS c0000004 stall pid 22.1.0
16.1 RESET 23.1.0
16.1 IN 55 53 42 53 60 17 f6 2b 00 00 00 00 01 USBS`..+..... 24.1.0
16.2 OUT 55 53 42 43 10 60 e7 2e 00 00 00 00 00 00 0c a2 USBC.`.......... 25.1.0
00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 ............... 25.1.16
16.1 USTS c0000004 stall pid 26.1.0
16.1 RESET 27.1.0
16.1 IN 55 53 42 53 10 60 e7 2e 00 00 00 00 01 USBS.`....... 28.1.0
16.2 OUT 55 53 42 43 10 30 70 2f 00 00 00 00 00 00 0c a2 USBC.0p/........ 29.1.0
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 29.1.16
16.1 USTS c0000004 stall pid 30.1.0
16.1 RESET 31.1.0
16.1 IN 55 53 42 53 10 30 70 2f 00 00 00 00 01 USBS.0p/..... 32.1.0
16.2 OUT 55 53 42 43 d0 a1 20 2d 00 00 00 00 00 00 0c a2 USBC.. -........ 33.1.0
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 33.1.16
16.1 USTS c0000004 stall pid 34.1.0
16.1 RESET 35.1.0
16.1 IN 55 53 42 53 d0 a1 20 2d 00 00 00 00 01 USBS.. -..... 36.1.0
16.2 OUT 55 53 42 43 10 00 d5 2b 00 00 00 00 00 00 0c a2 USBC...+........ 37.1.0
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 37.1.16
16.1 USTS c0000004 stall pid 38.1.0
16.1 RESET 39.1.0
16.1 IN 55 53 42 53 10 00 d5 2b 00 00 00 00 01 USBS...+..... 40.1.0
//USBC,CBW指令,CBW的标签是[10 90 8c 2f],需要在数据阶段传输的字节数为36字节。传输方向为输入数据,传输的目标逻辑单元编号为0,CBWCB的长度为6字节。后面跟的16字节是INQUIRY命令,EVPD为0,页码为0,分配的存储空间长度为36字节。返回的内容跟前面的INQUIRY命令是一样的,这里我就不重复细说了。
16.2 OUT 55 53 42 43 10 90 8c 2f 24 00 00 00 80 00 06 12 USBC.../$....... 41.1.0
00 00 00 24 00 00 00 00 00 00 00 00 00 00 00 ...$........... 41.1.16
16.1 IN 00 80 06 12 5b 00 00 00 53 61 6e 44 69 73 6b 20 ....[...SanDisk 42.1.0
45 78 74 72 65 6d 65 20 20 20 20 20 20 20 20 20 Extreme 42.1.16
30 30 30 31 0001 42.1.32
16.1 IN 55 53 42 53 10 90 8c 2f 00 00 00 00 00 USBS.../..... 43.1.0
//USBC,CBW指令,CBW的标签是[60 17 f6 2b],需要在数据阶段传输的字节数为252字节。传输方向为输入,传输的目标逻辑单元编号为0,CBWCB的长度为10字节。后面跟的16字节是READ FORMAT CAPACITIES命令,关于这个命令小编得普及一下。从下面的内容可以看出,操作码为0x23,没毛病,逻辑单元号是0x00[我们这个U盘只有一个逻辑单元]。接下来是分配的缓冲区长度,这里是0x00fc,即252个字节。
16.2 OUT 55 53 42 43 60 17 f6 2b fc 00 00 00 80 00 0a23 USBC`..+.......# 44.1.0
00 00 00 00 00 00 00 fc 00 00 00 00 00 00 00 ............... 44.1.16
//【圈圈教你玩USB】这本书在上面的返回数据上讲的并不是很清楚,因此小编又从【官方文档\UFI.pdf】说明中第33页找来了更详细的说明。
//【官方文档\UFI.pdf】说明中关于这部分讲的就比较详细了,通读上面的说明,我们可以来分析以下返回数据了,首先前4字节为Capacity List Header,从中我们知道共有0x10[16]字节的Capacity描述符跟在这个头的后面,由于每个Capacity描述符占用8个字节,因此这里有2个Capacity描述符。第一个Capacity描述符表示当前U盘共有0x03a71947个块,且当前块已被格式化,每块字节数为512字节,第二个Capacity描述符指示可格式化的块共有0x03a71947个,每块字节数也为512字节。这里0x03a71947*512字节数约为29GB的空间,小编的U盘是32GB的。
16.1 IN 00 00 00 10 03 a7 19 47 02 00 02 00 03 a7 19 47 .......G.......G 45.1.0
00 00 02 00 .... 45.1.16
16.1 USTS c0000004 stall pid 46.1.0
16.1 RESET 47.1.0
16.1 IN 55 53 42 53 60 17 f6 2b e8 00 00 00 00 USBS`..+..... 48.1.0
//USBC,CBW指令,CBW的标签是[10 60 e7 2e],需要在数据阶段传输的字节数为255字节。传输方向为输入,传输的目标逻辑单元编号为0,CBWCB的长度为6字节。后面跟的16字节是INQUIRY命令,EVPD为1,表示要查询的是重要的产品数据页,其页码为0x80,分配的存储空间长度为255字节。关于EVPD在SPC-4协议文件第256页中有如下描述:
很明显,说明中提到关于重要的数据页信息是放在7.8章节来介绍的,这里我们翻到第567页,有如下内容。
//通过以上内容我们不难看出第0x80页,存放的内容是Unit Serial Number,即单元序列号。
16.2 OUT 55 53 42 43 10 60 e7 2e ff 00 00 00 80 00 06 12 USBC.`.......... 49.1.0
01 80 00 ff 00 00 00 00 00 00 00 00 00 00 00 ............... 49.1.16
//那么以上就是查询VPD页返回数据的格式了,所以我们据此来分析下面的返回数据,第一个0x00表示外设类型为直接寻址设备,0x80为页码,本页内容的长度为0x0014+3+1=24字节。接下来是页内容,即序列号值为0475f65e4.随后CSW返回执行成功指令。
16.1 IN 00 80 00 14 30 34 37 35 66 36 35 65 34 20 20 20 ....0475f65e4 50.1.0
20 20 20 20 20 20 20 20 50.1.16
16.1 USTS c0000004 stall pid 51.1.0
16.1 RESET 52.1.0
16.1 IN 55 53 42 53 10 60 e7 2e e7 00 00 00 00 USBS.`....... 53.1.0
//如下Bus Hound中的CMD/ATA/SSTS命令是怎么在USB传输线上传输的,还是说这些是Bus Hound捕获的仅在系统驱动层内的操作,小编确实不得而知,但是关于CMD/ATA/SSTS,小编在Bus Hound的帮助文档中找到如下解释,此外,这几条CMD/ATA/SSTS命令在最后小编将要提到的WireShark来抓USB包做进一步的分析中,是看不到的。仅下面的CBW命令块在WireShark中是有捕获到的。因此,小编认为这些命令反映的应当并不是USB线上的传输操作,而是系统内部完成的一些操作。这里为避免CMD命令造成阅读混乱,后续类似重复的CMD命令小编会直接删除。
//INQUIRY查询命令,返回的信息跟之前是相同的。
17 CMD 12 00 00 00 24 00 INQUIRY 54.1.0
17 IN 00 80 06 12 5b 00 00 00 53 61 6e 44 69 73 6b 20 ....[...SanDisk 54.2.0
45 78 74 72 65 6d 65 20 20 20 20 20 20 20 20 20 Extreme 54.2.16
30 30 30 31 0001 54.2.32
17 CMD 25 00 00 00 00 00 00 00 00 00 READ CAPACITY 55.1.0
//上面的这条READ CAPACITY命令及其在下面的返回信息且放一放不说,先看看同样是执行READ CAPACITY命令的这个CBW块命令,CBW的标签是[b0 f9 39 2d],需要在数据阶段传输的字节数为8字节。传输方向为输入,传输的目标逻辑单元编号为0,CBWCB的长度为10字节。后面跟的16字节是READ CAPACITY命令,操作的逻辑单元号为0,逻辑块地址为0.
16.2 OUT 55 53 42 43 b0 f9 39 2d 08 00 00 00 80 00 0a 25 USBC..9-.......% 56.1.0
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 56.1.16
//首先小编要说一下,上面的返回数据格式表中,最后逻辑块地址是打印错误,应该是最大逻辑块地址,接下来,我们看看以下READ CAPACITY命令的返回数据,我们看到最大逻辑块地址为0x03a71946,单个块字节数为512,因此我们这里U盘的容量为0x03a71946*512字节,约为29GB.
16.1 IN 03 a7 19 46 00 00 02 00 ...F.... 57.1.0
16.1 IN 55 53 42 53 b0 f9 39 2d 00 00 00 00 00 USBS..9-..... 58.1.0
17 IN 03 a7 19 46 00 00 02 00 ...F.... 55.2.0
17 ATA 00 00 00 4f c2 a0 ec IDENTIFY 59.1.0
17 SSTS 04 check condition 59.2.0
//CBW命令,CBW的标签是[70 f4 0c 2b],需要在数据阶段传输的字节数为192字节。传输方向为输入,传输的目标逻辑单元编号为0,CBWCB的长度为6字节。后面跟的16字节是Mode Sense(6)命令【请参看SPC-4协议文档第287页及449页说明】,从这里开始,后面我也就不再做详细的截图了,只是说明一下该命令我们是去mode参数页集的Informational Exceptions Control (0x1c)这个页中查当前值信息。
16.2 OUT 55 53 42 43 70 f4 0c 2b c0 00 00 00 80 00 06 1a USBCp..+........ 61.1.0
00 1c 00 c0 00 00 00 00 00 00 00 00 00 00 00 ............... 61.1.16
//到了这个位置,后面的很多内容基本都是一些查询U盘的基础信息,或者去之前提到的VPD页查找,或者去Mode pages里面查找,由于前面U盘主要的一些枚举过程已经介绍完毕,后面这些辅助信息小编我这里就只是简述了,具体的内容读者们有兴趣可以自己去查,或者参考WireShark抓包信息浏览一下就可以了。
16.1 IN 13 00 00 08 03 a7 19 47 00 00 02 00 1c 06 00 06 .......G........ 62.1.0
00 00 00 00 .... 62.1.16
16.1 USTS c0000004 stall pid 63.1.0
16.1 RESET 64.1.0
16.1 IN 55 53 42 53 70 f4 0c 2b ac 00 00 00 00 USBSp..+..... 66.1.0
17 SSTS 12 data overrun 60.3.0
//Inquiry LUN: 0x00 Supported Vital Product Data Pages
16.2 OUT 55 53 42 43 10 20 0d 2b ff 00 00 00 80 00 06 12 USBC. .+........ 67.1.0
01 00 00 ff 00 00 00 00 00 00 00 00 00 00 00 ............... 67.1.16
16.1 IN 00 00 00 04 00 80 83 b0 ........ 68.1.0
16.1 USTS c0000004 stall pid 69.1.0
16.1 RESET 70.1.0
16.1 IN 55 53 42 53 10 20 0d 2b f7 00 00 00 00 USBS. .+..... 71.1.0
17 SSTS 12 data overrun 65.3.0
//Inquiry LUN: 0x00 Block Limits Page
16.2 OUT 55 53 42 43 f0 6a 90 2f ff 00 00 00 80 00 06 12 USBC.j./........ 73.1.0
01 b0 00 ff 00 00 00 00 00 00 00 00 00 00 00 ............... 73.1.16
16.1 IN 00 b0 00 10 00 00 00 00 00 7f ff ff 00 7f ff ff ................ 74.1.0
00 00 00 00 .... 74.1.16
16.1 USTS c0000004 stall pid 75.1.0
16.1 RESET 76.1.0
16.1 IN 55 53 42 53 f0 6a 90 2f eb 00 00 00 00 USBS.j./..... 77.1.0
17 SSTS 12 data overrun 72.3.0
//SCSI: Data In LUN: 0x00 (Mode Sense(6)) [Page Control: Current Values (0);SBC-2 Page Code: Caching (0x08)]【查缓存】
16.2 OUT 55 53 42 43 b0 f9 39 2d c0 00 00 00 80 00 06 1a USBC..9-........ 79.1.0
00 08 00 c0 00 00 00 00 00 00 00 00 00 00 00 ............... 79.1.16
16.1 IN 1f 00 00 08 03 a7 19 47 00 00 02 00 08 12 00 00 .......G........ 80.1.0
00 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 ........ ....... 80.1.16
16.1 USTS c0000004 stall pid 81.1.0
16.1 RESET 82.1.0
16.1 IN 55 53 42 53 b0 f9 39 2d a0 00 00 00 00 USBS..9-..... 83.1.0
17 SSTS 12 data overrun 78.3.0
//SCSI: Synchronize Cache(10) LUN: 0x00 (LBA: 0x00000000, Len: 0)【同步缓存】,在SCSI-2中第199页有如下指令定义如下:
16.2 OUT 55 53 42 43 f0 aa f2 2b 00 00 00 00 00 00 0a 35 USBC...+.......5 85.1.0
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 85.1.16
16.1 IN 55 53 42 53 f0 aa f2 2b 00 00 00 00 00 USBS...+..... 86.1.0
17 ok 84.2.0
//SCSI: Data In LUN: 0x00 (Mode Sense(6)) [Page Control: Current Values (0);SBC-2 Page Code: Caching (0x08)]【再次查缓存,返回信息都一样的】
16.2 OUT 55 53 42 43 b0 f9 39 2d c0 00 00 00 80 00 06 1a USBC..9-........ 88.1.0(2)
00 08 00 c0 00 00 00 00 00 00 00 00 00 00 00 ............... 88.1.16
16.1 IN 1f 00 00 08 03 a7 19 47 00 00 02 00 08 12 00 00 .......G........ 89.1.0(2)
00 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 ........ ....... 89.1.16
16.1 USTS c0000004 stall pid 90.1.0(2)
16.1 RESET 91.1.0(2)
16.1 IN 55 53 42 53 b0 f9 39 2d a0 00 00 00 00 USBS..9-..... 92.1.0(2)
17 SSTS 12 data overrun 87.3.0
//SCSI: Read Capacity(10) LUN: 0x00 【读容量,返回为:LBA: 61282630 (29 GB);Block size in bytes: 512】
16.2 OUT 55 53 42 43 d0 a1 20 2d 08 00 00 00 80 00 0a 25 USBC.. -.......% 100.1.0
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 100.1.16
16.1 IN 03 a7 19 46 00 00 02 00 ...F.... 101.1.0
16.1 IN 55 53 42 53 d0 a1 20 2d 00 00 00 00 00 USBS.. -..... 102.1.0
//SCSI: Inquiry LUN: 0x00【标准查询指令,返回跟之前是相同的】
16.2 OUT 55 53 42 43 10 00 cd 2a 24 00 00 00 80 00 06 12 USBC...*$....... 104.1.0
00 00 00 24 00 00 00 00 00 00 00 00 00 00 00 ...$........... 104.1.16
16.1 IN 00 80 06 12 5b 00 00 00 53 61 6e 44 69 73 6b 20 ....[...SanDisk 105.1.0
45 78 74 72 65 6d 65 20 20 20 20 20 20 20 20 20 Extreme 105.1.16
30 30 30 31 0001 105.1.32
16.1 IN 55 53 42 53 10 00 cd 2a 00 00 00 00 00 USBS...*..... 106.1.0
//SCSI: Inquiry LUN: 0x00【标准查询指令,查询完整内容,返回跟之前仍是相同的】
16.2 OUT 55 53 42 43 10 00 d5 2b 60 00 00 00 80 00 06 12 USBC...+`....... 108.1.0
00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 ...`........... 108.1.16
16.1 IN 00 80 06 12 5b 00 00 00 53 61 6e 44 69 73 6b 20 ....[...SanDisk 109.1.0
45 78 74 72 65 6d 65 20 20 20 20 20 20 20 20 20 Extreme 109.1.16
30 30 30 31 00 00 00 00 00 00 00 00 00 00 00 00 0001............ 109.1.32
00 00 00 00 00 00 00 00 00 00 17 30 00 80 04 c0 ...........0.... 109.1.48
04 60 1e e0 16 23 00 00 00 00 00 00 00 00 00 00 .`...#.......... 109.1.64
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 109.1.80
16.1 IN 55 53 42 53 10 00 d5 2b 00 00 00 00 00 USBS...+..... 110.1.0
//SCSI: Service Action In(16) LUN: 0x00 READCAPACITY16
16.2 OUT 55 53 42 43 10 90 8c 2f 20 00 00 00 80 00 10 9e USBC.../ ....... 112.1.0
10 00 00 00 00 00 00 00 00 00 00 00 20 00 00 ............ .. 112.1.16
16.1 IN 00 00 00 00 03 a7 19 46 00 00 02 00 00 00 00 00 .......F........ 113.1.0
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 113.1.16
16.1 IN 55 53 42 53 10 90 8c 2f 00 00 00 00 00 USBS.../..... 114.1.0
//Inquiry LUN: 0x00 Block Limits Page
16.2 OUT 55 53 42 43 f0 aa f2 2b ff 00 00 00 80 00 06 12 USBC...+........ 116.1.0
01 b0 00 ff 00 00 00 00 00 00 00 00 00 00 00 ............... 116.1.16
16.1 IN 00 b0 00 10 00 00 00 00 00 7f ff ff 00 7f ff ff ................ 117.1.0
00 00 00 00 .... 117.1.16
16.1 USTS c0000004 stall pid 118.1.0
16.1 RESET 119.1.0
16.1 IN 55 53 42 53 f0 aa f2 2b eb 00 00 00 00 USBS...+..... 120.1.0
17 SSTS 12 data overrun 115.3.0
//SCSI: Read Capacity(10) LUN: 0x00 【读容量,返回为:LBA: 61282630 (29 GB);Block size in bytes: 512】
16.2 OUT 55 53 42 43 b0 f9 39 2d 08 00 00 00 80 00 0a 25 USBC..9-.......% 122.1.0
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 122.1.16
16.1 IN 03 a7 19 46 00 00 02 00 ...F.... 123.1.0
16.1 IN 55 53 42 53 b0 f9 39 2d 00 00 00 00 00 USBS..9-..... 124.1.0
//SCSI: Read(10) LUN: 0x00 (LBA: 0x00000000, Len: 1)
//下面的命令我要重点讲一下了,因为这个命令在文件传输的时候也是大量用到的。通过查阅SCSI-2说明中的第181页,就有如下内容:
//这里实际上从逻辑块地址0开始,连续读取了第一个逻辑块的所有512字节内容过来。而这个块中存放的实际就是FAT32文件系统的MBR(Main Boot Record 主引导记录区)和DPT(Disk Partition Table硬盘分区表)。这里小编找到一篇图文并茂的博文【FAT文件系统\FAT文件系统原理.pdf】,关于MBR这段程序所做的事情,请参考博文【FAT文件系统\[原创]FAT32简介(mbr_ebr_dpt_bpb_fat_fdt)-『软件逆向』-看雪安全论坛,地址:https://bbs.pediy/thread-176156.htm】,什么?你告诉我程序跟下面这段不一样,看的还比较仔细啊。OK,这里关于这段程序的分析,小编我这里不仔细去分析了,既然上篇博文中的作者对MBR机器码进行了反汇编的分析,小编我就提供一个反汇编的工具给各位读者吧,有兴趣的可以自己去分析。关于这类代码的分析,小编我只分析过操作系统的引导程序及任务切换机制的汇编,这里小编我重点介绍的是USB,为节约时间,就不跑题太远了。
16.2 OUT 55 53 42 43 b0 f9 39 2d 00 02 00 00 80 00 0a 28 USBC..9-.......( 126.1.0
00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ............... 126.1.16
16.1 IN eb 5e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .^.............. 127.1.0
02 00 00 00 00 00 00 00 3f 00 ff 00 00 00 00 00 ........?....... 127.1.16
00 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 ................ 127.1.32
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 127.1.48
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 127.1.64
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 127.1.80
31 db 8e db 89 dd 8e d3 bc 00 7c 06 57 b8 00 02 1...........W... 127.1.96
8e c0 40 b9 01 00 89 ce 30 f6 e8 1a 01 e8 6e 00 ..@.....0.....n. 127.1.112
8b 3e ae 21 60 68 20 02 80 3e ad 21 80 73 1f b4 .>.!`h ..>.!.s.. 127.1.128
41 bb aa 55 cd 13 72 16 81 eb 55 aa 75 10 f6 c1 A..U..r...U.u... 127.1.144
01 74 0b 58 8e c0 e8 7a 00 61 fe ce eb 1e 07 61 .t.X...z.a.....a 127.1.160
fe c6 e8 e2 00 50 e8 24 00 a2 b0 21 58 86 ee e8 .....P.$...!X... 127.1.176
d5 00 e8 18 00 f6 36 b0 21 a2 b1 21 c6 06 09 21 ......6.!..!...! 127.1.192
3c a1 b2 21 40 e8 41 00 ea 9e 23 00 00 a1 fe 23 <..!@.A...#....# 127.1.208
3d 55 aa 75 06 e8 06 00 a1 ae 23 29 f8 c3 26 81 =U.u......#)..&. 127.1.224
3e b4 01 46 42 75 4f c3 60 31 c0 cd 13 61 3c 07 >..FBuO.`1...a<. 127.1.240
76 04 b0 07 eb 06 3c 01 76 a5 b0 01 80 fe ff 75 v.....<.v......u 127.1.256
03 88 44 02 a2 ad 21 eb 6d 29 f8 83 dd 00 80 fe ..D...!.m)...... 127.1.272
ff 75 26 89 c1 56 31 c0 50 50 55 51 06 53 a0 ad .u&..V1.PPUQ.S.. 127.1.288
21 39 f0 76 02 89 f0 50 6a 10 89 e6 b4 42 e8 45 !9.v...Pj....B.E 127.1.304
00 83 c4 10 5e c3 f4 eb fd 52 89 ea 89 c1 a0 b0 ....^....R...... 127.1.320
21 f6 26 b1 21 91 f7 f1 89 c1 89 d0 f6 36 b0 21 !.&.!........6.! 127.1.336
5a 88 c6 c0 e5 06 08 e5 86 cd 0f b6 06 b0 21 28 Z.............!( 127.1.352
c8 24 3f 3a 06 ad 21 76 03 a0 ad 21 39 f0 76 02 .$?:..!v...!9.v. 127.1.368
89 f0 b4 02 fe c1 e8 07 00 0f 82 6b ff 30 e4 c3 ...........k.0.. 127.1.384
60 f9 cd 13 fb 61 c3 e8 f6 ff 72 aa c3 00 00 00 `....a....r..... 127.1.400
00 00 00 00 00 00 00 00 00 00 00 00 00 3f 00 00 .............?.. 127.1.416
3f ff 3f 00 46 42 42 46 85 88 b7 31 00 0080 1e ?.?.FBBF...1.... 127.1.432
18 47 0c fe ff ff 00 6f 11 00 47 aa 95 03 00 00 .G.....o..G..... 127.1.448
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 127.1.464
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 127.1.480
00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa ..............U. 127.1.496
//接下来讲讲如何反汇编上面一段机器码,首先当然是复制如上一段文本,然后我们粘贴到UltraEdit软件中,利用列模式删掉左边的空格和右边的Ansi字符和注释。然后复制并粘贴到Winhex软件新建的空白文件中,粘贴时弹出如下对话框。
//粘贴时注意选择如下选项,按16进制复制
//接下来我们删去多余的0,得到如下所示的内容
//然后我们将文件保存,打开w32dsm89_ha软件,选择该文件进行反汇编,就可以得到如下的反汇编信息,然后关于MBR这段程序的分析,有兴趣的读者可以自行展开了。这里小编就直接跳过这部分来重点分析DPT了。
//看过【FAT文件系统\FAT文件系统原理.pdf】后,相信你已经知道,MBR这段代码是存放在0柱面0磁头1扇区的前446字节,而后面的64字节存放的就是DPT,这里就对照该博文分析如下DPT吧,当然你也可以对照【FAT文件系统\fat协议.doc】官方文档来分析。
80 1e 18 47 0c fe ff ff 00 6f 11 00 47 aa 95 03
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
//由以上我们可以获取如下信息,该分区为活动分区,且只有一个分区,开始磁头为1e,开始扇区为18,开始柱面为47,系统ID为0x0c[即Win95 FAT32],结束磁头为fe,结束扇区为3f,结束柱面为3ff,该分区的相对扇区偏移量为0x00116f00[这里即是DBR存放的位置],总扇区数为0x0395AA47个。
16.1 IN 55 53 42 53 b0 f9 39 2d 00 00 00 00 00 USBS..9-..... 128.1.0
16.2 OUT 55 53 42 43 b0 f9 39 2d 08 00 00 00 80 00 0a 25 USBC..9-.......% 130.1.0(2)
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 130.1.16
16.1 IN 03 a7 19 46 00 00 02 00 ...F.... 131.1.0(2)
16.1 IN 55 53 42 53 b0 f9 39 2d 00 00 00 00 00 USBS..9-..... 132.1.0(2)
//又从逻辑块地址0开始,连续读取了第一个逻辑块的所有512字节内容过来,这里小编也不知道为什么要读取两次。
16.2 OUT 55 53 42 43 b0 f9 39 2d 00 02 00 00 80 00 0a 28 USBC..9-.......( 138.1.0
00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ............... 138.1.16
16.1 IN eb 5e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .^.............. 139.1.0
02 00 00 00 00 00 00 00 3f 00 ff 00 00 00 00 00 ........?....... 139.1.16
00 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 ................ 139.1.32
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 139.1.48
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 139.1.64
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 139.1.80
31 db 8e db 89 dd 8e d3 bc 00 7c 06 57 b8 00 02 1...........W... 139.1.96
8e c0 40 b9 01 00 89 ce 30 f6 e8 1a 01 e8 6e 00 ..@.....0.....n. 139.1.112
8b 3e ae 21 60 68 20 02 80 3e ad 21 80 73 1f b4 .>.!`h ..>.!.s.. 139.1.128
41 bb aa 55 cd 13 72 16 81 eb 55 aa 75 10 f6 c1 A..U..r...U.u... 139.1.144
01 74 0b 58 8e c0 e8 7a 00 61 fe ce eb 1e 07 61 .t.X...z.a.....a 139.1.160
fe c6 e8 e2 00 50 e8 24 00 a2 b0 21 58 86 ee e8 .....P.$...!X... 139.1.176
d5 00 e8 18 00 f6 36 b0 21 a2 b1 21 c6 06 09 21 ......6.!..!...! 139.1.192
3c a1 b2 21 40 e8 41 00 ea 9e 23 00 00 a1 fe 23 <..!@.A...#....# 139.1.208
3d 55 aa 75 06 e8 06 00 a1 ae 23 29 f8 c3 26 81 =U.u......#)..&. 139.1.224
3e b4 01 46 42 75 4f c3 60 31 c0 cd 13 61 3c 07 >..FBuO.`1...a<. 139.1.240
76 04 b0 07 eb 06 3c 01 76 a5 b0 01 80 fe ff 75 v.....<.v......u 139.1.256
03 88 44 02 a2 ad 21 eb 6d 29 f8 83 dd 00 80 fe ..D...!.m)...... 139.1.272
ff 75 26 89 c1 56 31 c0 50 50 55 51 06 53 a0 ad .u&..V1.PPUQ.S.. 139.1.288
21 39 f0 76 02 89 f0 50 6a 10 89 e6 b4 42 e8 45 !9.v...Pj....B.E 139.1.304
00 83 c4 10 5e c3 f4 eb fd 52 89 ea 89 c1 a0 b0 ....^....R...... 139.1.320
21 f6 26 b1 21 91 f7 f1 89 c1 89 d0 f6 36 b0 21 !.&.!........6.! 139.1.336
5a 88 c6 c0 e5 06 08 e5 86 cd 0f b6 06 b0 21 28 Z.............!( 139.1.352
c8 24 3f 3a 06 ad 21 76 03 a0 ad 21 39 f0 76 02 .$?:..!v...!9.v. 139.1.368
89 f0 b4 02 fe c1 e8 07 00 0f 82 6b ff 30 e4 c3 ...........k.0.. 139.1.384
60 f9 cd 13 fb 61 c3 e8 f6 ff 72 aa c3 00 00 00 `....a....r..... 139.1.400
00 00 00 00 00 00 00 00 00 00 00 00 00 3f 00 00 .............?.. 139.1.416
3f ff 3f 00 46 42 42 46 85 88 b7 31 00 00 80 1e ?.?.FBBF...1.... 139.1.432
18 47 0c fe ff ff 00 6f 11 00 47 aa 95 03 00 00 .G.....o..G..... 139.1.448
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 139.1.464
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 139.1.480
00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa ..............U. 139.1.496
16.1 IN 55 53 42 53 b0 f9 39 2d 00 00 00 00 00 USBS..9-..... 140.1.0
16.2 OUT 55 53 42 43 b0 f9 39 2d 08 00 00 00 80 00 0a 25 USBC..9-.......% 142.1.0(3)
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 142.1.16
16.1 IN 03 a7 19 46 00 00 02 00 ...F.... 143.1.0(3)
16.1 IN 55 53 42 53 b0 f9 39 2d 00 00 00 00 00 USBS..9-..... 144.1.0(3)
//从逻辑块地址2开始,连续读取了所有512字节内容过来,这里你会发现MBR部分与之前逻辑块地址0处前面大部分完全相同。
16.2 OUT 55 53 42 43 b0 f9 39 2d 00 02 00 00 80 00 0a 28 USBC..9-.......( 154.1.0
00 00 00 00 02 00 00 01 00 00 00 00 00 00 00 ............... 154.1.16
16.1 IN eb 5e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .^.............. 155.1.0
02 00 00 00 00 00 00 00 3f 00 ff 00 00 00 00 00 ........?....... 155.1.16
00 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 ................ 155.1.32
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 155.1.48
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 155.1.64
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 155.1.80
31 db 8e db 89 dd 8e d3 bc 00 7c 06 57 b8 00 02 1...........W... 155.1.96
8e c0 40 b9 01 00 89 ce 30 f6 e8 1a 01 e8 6e 00 ..@.....0.....n. 155.1.112
8b 3e ae 21 60 68 20 02 80 3e ad 21 80 73 1f b4 .>.!`h ..>.!.s.. 155.1.128
41 bb aa 55 cd 13 72 16 81 eb 55 aa 75 10 f6 c1 A..U..r...U.u... 155.1.144
01 74 0b 58 8e c0 e8 7a 00 61 fe ce eb 1e 07 61 .t.X...z.a.....a 155.1.160
fe c6 e8 e2 00 50 e8 24 00 a2 b0 21 58 86 ee e8 .....P.$...!X... 155.1.176
d5 00 e8 18 00 f6 36 b0 21 a2 b1 21 c6 06 09 21 ......6.!..!...! 155.1.192
3c a1 b2 21 40 e8 41 00 ea 9e 23 00 00 a1 fe 23 <..!@.A...#....# 155.1.208
3d 55 aa 75 06 e8 06 00 a1 ae 23 29 f8 c3 26 81 =U.u......#)..&. 155.1.224
3e b4 01 46 42 75 4f c3 60 31 c0 cd 13 61 3c 07 >..FBuO.`1...a<. 155.1.240
76 04 b0 07 eb 06 3c 01 76 a5 b0 01 80 fe ff 75 v.....<.v......u 155.1.256
03 88 44 02 a2 ad 21 eb 6d 29 f8 83 dd 00 80 fe ..D...!.m)...... 155.1.272
ff 75 26 89 c1 56 31 c0 50 50 55 51 06 53 a0 ad .u&..V1.PPUQ.S.. 155.1.288
21 39 f0 76 02 89 f0 50 6a 10 89 e6 b4 42 e8 45 !9.v...Pj....B.E 155.1.304
00 83 c4 10 5e c3 f4 eb fd 52 89 ea 89 c1 a0 b0 ....^....R...... 155.1.320
21 f6 26 b1 21 91 f7 f1 89 c1 89 d0 f6 36 b0 21 !.&.!........6.! 155.1.336
5a 88 c6 c0 e5 06 08 e5 86 cd 0f b6 06 b0 21 28 Z.............!( 155.1.352
c8 24 3f 3a 06 ad 21 76 03 a0 ad 21 39 f0 76 02 .$?:..!v...!9.v. 155.1.368
89 f0 b4 02 fe c1 e8 07 00 0f 82 6b ff 30 e4 c3 ...........k.0.. 155.1.384
60 f9 cd 13 fb 61 c3 e8 f6 ff 72 aa c3 00 00 00 `....a....r..... 155.1.400
00 00 00 00 00 00 00 00 00 00 00 00 00 3f 02 00 .............?.. 155.1.416
3f ff 3f 00 46 42 42 46 00 00 00 00 00 00 80 1e ?.?.FBBF........ 155.1.432
16 47 0c aa 89 e6 fe 6e 11 00 47 aa 95 03 00 00 .G.....n..G..... 155.1.448
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 155.1.464
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 155.1.480
00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa ..............U. 155.1.496
//由以上DPT我们可以获取如下信息,该分区为活动分区,且只有一个分区,开始磁头为1e,开始扇区为16,开始柱面为47,系统ID为0x0c[即Win95 FAT32],结束磁头为aa,结束扇区为09,结束柱面为2e6,该分区的相对扇区偏移量为0x00116efe,总扇区数为0x0395AA47个。这里小编也没有去深入研究这个位置的MBR块,可能是第一个MBR的备选块吧。
16.1 IN 55 53 42 53 b0 f9 39 2d 00 00 00 00 00 USBS..9-..... 156.1.0
16.2 OUT 55 53 42 43 b0 f9 39 2d 08 00 00 00 80 00 0a 25 USBC..9-.......% 158.1.0(2)
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 158.1.16
16.1 IN 03 a7 19 46 00 00 02 00 ...F.... 159.1.0(2)
16.1 IN 55 53 42 53 b0 f9 39 2d 00 00 00 00 00 USBS..9-..... 160.1.0(2)
//又从逻辑块地址0开始,连续读取了第一个逻辑块的所有512字节内容过来。
16.2 OUT 55 53 42 43 b0 f9 39 2d 00 02 00 00 80 00 0a 28 USBC..9-.......( 166.1.0
00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ............... 166.1.16
16.1 IN eb 5e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .^.............. 167.1.0
02 00 00 00 00 00 00 00 3f 00 ff 00 00 00 00 00 ........?....... 167.1.16
00 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 ................ 167.1.32
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 167.1.48
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 167.1.64
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 167.1.80
31 db 8e db 89 dd 8e d3 bc 00 7c 06 57 b8 00 02 1...........W... 167.1.96
8e c0 40 b9 01 00 89 ce 30 f6 e8 1a 01 e8 6e 00 ..@.....0.....n. 167.1.112
8b 3e ae 21 60 68 20 02 80 3e ad 21 80 73 1f b4 .>.!`h ..>.!.s.. 167.1.128
41 bb aa 55 cd 13 72 16 81 eb 55 aa 75 10 f6 c1 A..U..r...U.u... 167.1.144
01 74 0b 58 8e c0 e8 7a 00 61 fe ce eb 1e 07 61 .t.X...z.a.....a 167.1.160
fe c6 e8 e2 00 50 e8 24 00 a2 b0 21 58 86 ee e8 .....P.$...!X... 167.1.176
d5 00 e8 18 00 f6 36 b0 21 a2 b1 21 c6 06 09 21 ......6.!..!...! 167.1.192
3c a1 b2 21 40 e8 41 00 ea 9e 23 00 00 a1 fe 23 <..!@.A...#....# 167.1.208
3d 55 aa 75 06 e8 06 00 a1 ae 23 29 f8 c3 26 81 =U.u......#)..&. 167.1.224
3e b4 01 46 42 75 4f c3 60 31 c0 cd 13 61 3c 07 >..FBuO.`1...a<. 167.1.240
76 04 b0 07 eb 06 3c 01 76 a5 b0 01 80 fe ff 75 v.....<.v......u 167.1.256
03 88 44 02 a2 ad 21 eb 6d 29 f8 83 dd 00 80 fe ..D...!.m)...... 167.1.272
ff 75 26 89 c1 56 31 c0 50 50 55 51 06 53 a0 ad .u&..V1.PPUQ.S.. 167.1.288
21 39 f0 76 02 89 f0 50 6a 10 89 e6 b4 42 e8 45 !9.v...Pj....B.E 167.1.304
00 83 c4 10 5e c3 f4 eb fd 52 89 ea 89 c1 a0 b0 ....^....R...... 167.1.320
21 f6 26 b1 21 91 f7 f1 89 c1 89 d0 f6 36 b0 21 !.&.!........6.! 167.1.336
5a 88 c6 c0 e5 06 08 e5 86 cd 0f b6 06 b0 21 28 Z.............!( 167.1.352
c8 24 3f 3a 06 ad 21 76 03 a0 ad 21 39 f0 76 02 .$?:..!v...!9.v. 167.1.368
89 f0 b4 02 fe c1 e8 07 00 0f 82 6b ff 30 e4 c3 ...........k.0.. 167.1.384
60 f9 cd 13 fb 61 c3 e8 f6 ff 72 aa c3 00 00 00 `....a....r..... 167.1.400
00 00 00 00 00 00 00 00 00 00 00 00 00 3f 00 00 .............?.. 167.1.416
3f ff 3f 00 46 42 42 46 85 88 b7 31 00 00 80 1e ?.?.FBBF...1.... 167.1.432
18 47 0c fe ff ff 00 6f 11 00 47 aa 95 03 00 00 .G.....o..G..... 167.1.448
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 167.1.464
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 167.1.480
00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa ..............U. 167.1.496
16.1 IN 55 53 42 53 b0 f9 39 2d 00 00 00 00 00 USBS..9-..... 168.1.0
16.2 OUT 55 53 42 43 b0 f9 39 2d 00 02 00 00 80 00 0a 28 USBC..9-.......( 170.1.0
00 00 11 6f 00 00 00 01 00 00 00 00 00 00 00 ...o........... 170.1.16
//通过从逻辑块地址0中获取的DPT信息,这里我们从逻辑快地址0x00116f00连续读取了512字节内容过来。而这里所存放的即是FAT中的DBR信息了。对照前面的【FAT文件系统\FAT文件系统原理.pdf】中关于DBR的内容来分析,跳转指令eb的跳转地址为58+2=5A[跳转指令本身占2个字节,这里是相对短跳转指令,具体指令说明请去百度]。厂商标志和OS版本号为MSDOS5.0,接下来53字节为BPB[BIOS Parameter Block],在BPB中,扇区字节数为0x0200,即512字节。每簇扇区数为0x40,即64.保留扇区数为0x06a8,即1704.FAT副本数为2.后面的0xF8表示当前使用的是硬盘,其实是U盘,该位置是用来标识软盘与硬盘的。隐藏扇区数为0x00116f00,总扇区数为0x0395aa47,每FAT扇区数为0x1cac,计算机利用这个数和FAT数以及隐藏扇区数(本表中所描述的)来决定根目录从哪里开始。卷序号为0xda8deef8,卷标为NO NAME的ASCII码,文件系统类型为FAT32的ASCII码。再接下来跟着的就是引导程序代码了,想进行反汇编深入研究的读者,可以参照之前的方法进行反汇编了。
16.1 IN eb 58 90 4d 53 44 4f 53 35 2e 30 00 02 40 a8 06 .X.MSDOS5.0..@.. 171.1.0
02 00 00 00 00 f8 00 00 3f 00 ff 00 00 6f 11 00 ........?....o.. 171.1.16
47 aa 95 03 ac 1c 00 00 00 00 00 00 02 00 00 00 G............... 171.1.32
01 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 171.1.48
80 00 29 f8 ee 8d da 4e 4f 20 4e 41 4d 45 20 20 ..)....NO NAME 171.1.64
20 20 46 41 54 33 32 20 20 20 33 c9 8e d1 bc f4 FAT32 3..... 171.1.80
7b 8e c1 8e d9 bd 00 7c 88 56 40 88 4e 02 8a 56 .........V@.N..V 171.1.96
40 b4 41 bb aa 55 cd 13 72 10 81 fb 55 aa 75 0a @.A..U..r...U.u. 171.1.112
f6 c1 01 74 05 fe 46 02 eb 2d 8a 56 40 b4 08 cd ...t..F..-.V@... 171.1.128
13 73 05 b9 ff ff 8a f1 66 0f b6 c6 40 66 0f b6 .s......f...@f.. 171.1.144
d1 80 e2 3f f7 e2 86 cd c0 ed 06 41 66 0f b7 c9 ...?.......Af... 171.1.160
66 f7 e1 66 89 46 f8 83 7e 16 00 75 39 83 7e 2a f..f.F.....u9..* 171.1.176
00 77 33 66 8b 46 1c 66 83 c0 0c bb 00 80 b9 01 .w3f.F.f........ 171.1.192
00 e8 2c 00 e9 a8 03 a1 f8 7d 80 c4 7c 8b f0 ac ..,............. 171.1.208
84 c0 74 17 3c ff 74 09 b4 0e bb 07 00 cd 10 eb ..t.<.t......... 171.1.224
ee a1 fa 7d eb e4 a1 7d 80 eb df 98 cd 16 cd 19 ................ 171.1.240
66 60 80 7e 02 00 0f 84 20 00 66 6a 00 66 50 06 f`...... .fj.fP. 171.1.256
53 66 68 10 00 01 00 b4 42 8a 56 40 8b f4 cd 13 Sfh.....B.V@.... 171.1.272
66 58 66 58 66 58 66 58 eb 33 66 3b 46 f8 72 03 fXfXfXfX.3f;F.r. 171.1.288
f9 eb 2a 66 33 d2 66 0f b7 4e 18 66 f7 f1 fe c2 ..*f3.f..N.f.... 171.1.304
8a ca 66 8b d0 66 c1 ea 10 f7 76 1a 86 d6 8a 56 ..f..f....v....V 171.1.320
40 8a e8 c0 e4 06 0a cc b8 01 02 cd 13 66 61 0f @............fa. 171.1.336
82 74 ff 81 c3 00 02 66 40 49 75 94 c3 42 4f 4f .t.....f@Iu..BOO 171.1.352
54 4d 47 52 20 20 20 20 00 00 00 00 00 00 00 00 TMGR ........ 171.1.368
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 171.1.384
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 171.1.400
00 00 00 00 00 00 00 00 00 00 00 00 0d 0a 44 69 ..............Di 171.1.416
73 6b 20 65 72 72 6f 72 ff 0d 0a 50 72 65 73 73 sk error...Press 171.1.432
20 61 6e 79 20 6b 65 79 20 74 6f 20 72 65 73 74 any key to rest 171.1.448
61 72 74 0d 0a 00 00 00 00 00 00 00 00 00 00 00 art............. 171.1.464
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 171.1.480
00 00 00 00 00 00 00 00 ac 01 b9 01 00 00 55 aa ..............U. 171.1.496
16.1 IN 55 53 42 53 b0 f9 39 2d 00 00 00 00 00 USBS..9-..... 172.1.0
//SCSI: Data In LUN: 0x00 (Mode Sense(6) Response Data) [Return All Mode Pages (0x3f)]返回所有的模式页参数,如下我们可以看到一共有四个页。
16.2 OUT 55 53 42 43 b0 f9 39 2d c0 00 00 00 80 00 06 1a USBC..9-........ 174.1.0
00 3f 00 c0 00 00 00 00 00 00 00 00 00 00 00 .?............. 174.1.16
16.1 IN 53 00 00 08 03 a7 19 47 00 00 02 00 01 0a 80 03 S......G........ 175.1.0
00 00 00 00 03 00 00 00 05 1e 20 00 00 20 00 00 .......... .. .. 175.1.16
0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 175.1.32
00 00 00 00 00 00 00 00 08 12 00 00 00 00 00 00 ................ 175.1.48
00 00 00 00 20 00 00 00 00 00 00 00 1c 06 00 06 .... ........... 175.1.64
00 00 00 00 .... 175.1.80
16.1 USTS c0000004 stall pid 176.1.0
16.1 RESET 177.1.0
16.1 IN 55 53 42 53 b0 f9 39 2d 6c 00 00 00 00 USBS..9-l.... 178.1.0
17 SSTS 12 data overrun 173.3.0
//Inquiry LUN: 0x00 Block Limits Page
16.2 OUT 55 53 42 43 f0 da 7d 2a ff 00 00 00 80 00 06 12 USBC...*........ 180.1.0
01 b0 00 ff 00 00 00 00 00 00 00 00 00 00 00 ............... 180.1.16
16.1 IN 00 b0 00 10 00 00 00 00 00 7f ff ff 00 7f ff ff ................ 181.1.0
00 00 00 00 .... 181.1.16
16.1 USTS c0000004 stall pid 182.1.0
16.1 RESET 183.1.0
16.1 IN 55 53 42 53 f0 da 7d 2a eb 00 00 00 00 USBS...*..... 184.1.0
17 SSTS 12 data overrun 179.3.0
//SCSI: Test Unit Ready LUN: 0x00,关于这条指令请参考SPC-4协议说明378页,如下:
//连续两次测试逻辑单元是否就绪,返回都是good状态。
16.2 OUT 55 53 42 43 20 aa f2 2b 00 00 00 00 00 00 06 00 USBC ..+........ 186.1.0
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 186.1.16
16.1 IN 55 53 42 53 20 aa f2 2b 00 00 00 00 00 USBS ..+..... 187.1.0
17 ok 185.2.0
16.2 OUT 55 53 42 43 10 50 d7 2a 00 00 00 00 00 00 06 00 USBC.P.*........ 190.1.0
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 190.1.16
16.1 IN 55 53 42 53 10 50 d7 2a 00 00 00 00 00 USBS.P.*..... 191.1.0
17 ok 188.2.0
//READ CAPACITY
16.2 OUT 55 53 42 43 b0 f9 39 2d 08 00 00 00 80 00 0a 25 USBC..9-.......% 192.1.0
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 192.1.16
16.1 IN 03 a7 19 46 00 00 02 00 ...F.... 193.1.0
16.1 IN 55 53 42 53 b0 f9 39 2d 00 00 00 00 00 USBS..9-..... 194.1.0
16.2 OUT 55 53 42 43 b0 f9 39 2d 08 00 00 00 80 00 0a 25 USBC..9-.......% 196.1.0
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 196.1.16
16.1 IN 03 a7 19 46 00 00 02 00 ...F.... 197.1.0
16.1 IN 55 53 42 53 b0 f9 39 2d 00 00 00 00 00 USBS..9-..... 198.1.0
//从逻辑块地址0开始,连续读取第一个逻辑块的所有512字节内容过来
16.2 OUT 55 53 42 43 b0 f9 39 2d 00 02 00 00 80 00 0a 28 USBC..9-.......( 200.1.0
00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ............... 200.1.16
16.1 IN eb 5e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .^.............. 201.1.0
02 00 00 00 00 00 00 00 3f 00 ff 00 00 00 00 00 ........?....... 201.1.16
00 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 ................ 201.1.32
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 201.1.48
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 201.1.64
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 201.1.80
31 db 8e db 89 dd 8e d3 bc 00 7c 06 57 b8 00 02 1...........W... 201.1.96
8e c0 40 b9 01 00 89 ce 30 f6 e8 1a 01 e8 6e 00 ..@.....0.....n. 201.1.112
8b 3e ae 21 60 68 20 02 80 3e ad 21 80 73 1f b4 .>.!`h ..>.!.s.. 201.1.128
41 bb aa 55 cd 13 72 16 81 eb 55 aa 75 10 f6 c1 A..U..r...U.u... 201.1.144
01 74 0b 58 8e c0 e8 7a 00 61 fe ce eb 1e 07 61 .t.X...z.a.....a 201.1.160
fe c6 e8 e2 00 50 e8 24 00 a2 b0 21 58 86 ee e8 .....P.$...!X... 201.1.176
d5 00 e8 18 00 f6 36 b0 21 a2 b1 21 c6 06 09 21 ......6.!..!...! 201.1.192
3c a1 b2 21 40 e8 41 00 ea 9e 23 00 00 a1 fe 23 <..!@.A...#....# 201.1.208
3d 55 aa 75 06 e8 06 00 a1 ae 23 29 f8 c3 26 81 =U.u......#)..&. 201.1.224
3e b4 01 46 42 75 4f c3 60 31 c0 cd 13 61 3c 07 >..FBuO.`1...a<. 201.1.240
76 04 b0 07 eb 06 3c 01 76 a5 b0 01 80 fe ff 75 v.....<.v......u 201.1.256
03 88 44 02 a2 ad 21 eb 6d 29 f8 83 dd 00 80 fe ..D...!.m)...... 201.1.272
ff 75 26 89 c1 56 31 c0 50 50 55 51 06 53 a0 ad .u&..V1.PPUQ.S.. 201.1.288
21 39 f0 76 02 89 f0 50 6a 10 89 e6 b4 42 e8 45 !9.v...Pj....B.E 201.1.304
00 83 c4 10 5e c3 f4 eb fd 52 89 ea 89 c1 a0 b0 ....^....R...... 201.1.320
21 f6 26 b1 21 91 f7 f1 89 c1 89 d0 f6 36 b0 21 !.&.!........6.! 201.1.336
5a 88 c6 c0 e5 06 08 e5 86 cd 0f b6 06 b0 21 28 Z.............!( 201.1.352
c8 24 3f 3a 06 ad 21 76 03 a0 ad 21 39 f0 76 02 .$?:..!v...!9.v. 201.1.368
89 f0 b4 02 fe c1 e8 07 00 0f 82 6b ff 30 e4 c3 ...........k.0.. 201.1.384
60 f9 cd 13 fb 61 c3 e8 f6 ff 72 aa c3 00 00 00 `....a....r..... 201.1.400
00 00 00 00 00 00 00 00 00 00 00 00 00 3f 00 00 .............?.. 201.1.416
3f ff 3f 00 46 42 42 46 85 88 b7 31 00 00 80 1e ?.?.FBBF...1.... 201.1.432
18 47 0c fe ff ff 00 6f 11 00 47 aa 95 03 00 00 .G.....o..G..... 201.1.448
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 201.1.464
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 201.1.480
00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa ..............U. 201.1.496
16.1 IN 55 53 42 53 b0 f9 39 2d 00 00 00 00 00 USBS..9-..... 202.1.0
16.2 OUT 55 53 42 43 b0 f9 39 2d 08 00 00 00 80 00 0a 25 USBC..9-.......% 204.1.0
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 204.1.16
16.1 IN 03 a7 19 46 00 00 02 00 ...F.... 205.1.0
16.1 IN 55 53 42 53 b0 f9 39 2d 00 00 00 00 00 USBS..9-..... 206.1.0
//从逻辑块地址0x00116f00开始,连续读取16个逻辑块的所有8192字节内容过来,至此,后续是一些多块连续数据读取的测试,我们这里就不细述了,测试完成后,U盘就就绪了,这里我们把U盘枚举过程就介绍到这里了,关于FAT文件系统也稍作了一些介绍,详细的请读者自行阅读FAT相关博文了。
16.2 OUT 55 53 42 43 b0 f9 39 2d 00 20 00 00 80 00 0a 28 USBC..9-. .....( 208.1.0
00 00 11 6f 00 00 00 10 00 00 00 00 00 00 00 ...o........... 208.1.16
16.1 IN eb 58 90 4d 53 44 4f 53 35 2e 30 00 02 40 a8 06 .X.MSDOS5.0..@.. 209.1.0
02 00 00 00 00 f8 00 00 3f 00 ff 00 00 6f 11 00 ........?....o.. 209.1.16
47 aa 95 03 ac 1c 00 00 00 00 00 00 02 00 00 00 G............... 209.1.32
01 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.48
80 00 29 f8 ee 8d da 4e 4f 20 4e 41 4d 45 20 20 ..)....NO NAME 209.1.64
20 20 46 41 54 33 32 20 20 20 33 c9 8e d1 bc f4 FAT32 3..... 209.1.80
7b 8e c1 8e d9 bd 00 7c 88 56 40 88 4e 02 8a 56 .........V@.N..V 209.1.96
40 b4 41 bb aa 55 cd 13 72 10 81 fb 55 aa 75 0a @.A..U..r...U.u. 209.1.112
f6 c1 01 74 05 fe 46 02 eb 2d 8a 56 40 b4 08 cd ...t..F..-.V@... 209.1.128
13 73 05 b9 ff ff 8a f1 66 0f b6 c6 40 66 0f b6 .s......f...@f.. 209.1.144
d1 80 e2 3f f7 e2 86 cd c0 ed 06 41 66 0f b7 c9 ...?.......Af... 209.1.160
66 f7 e1 66 89 46 f8 83 7e 16 00 75 39 83 7e 2a f..f.F.....u9..* 209.1.176
00 77 33 66 8b 46 1c 66 83 c0 0c bb 00 80 b9 01 .w3f.F.f........ 209.1.192
00 e8 2c 00 e9 a8 03 a1 f8 7d 80 c4 7c 8b f0 ac ..,............. 209.1.208
84 c0 74 17 3c ff 74 09 b4 0e bb 07 00 cd 10 eb ..t.<.t......... 209.1.224
ee a1 fa 7d eb e4 a1 7d 80 eb df 98 cd 16 cd 19 ................ 209.1.240
66 60 80 7e 02 00 0f 84 20 00 66 6a 00 66 50 06 f`...... .fj.fP. 209.1.256
53 66 68 10 00 01 00 b4 42 8a 56 40 8b f4 cd 13 Sfh.....B.V@.... 209.1.272
66 58 66 58 66 58 66 58 eb 33 66 3b 46 f8 72 03 fXfXfXfX.3f;F.r. 209.1.288
f9 eb 2a 66 33 d2 66 0f b7 4e 18 66 f7 f1 fe c2 ..*f3.f..N.f.... 209.1.304
8a ca 66 8b d0 66 c1 ea 10 f7 76 1a 86 d6 8a 56 ..f..f....v....V 209.1.320
40 8a e8 c0 e4 06 0a cc b8 01 02 cd 13 66 61 0f @............fa. 209.1.336
82 74 ff 81 c3 00 02 66 40 49 75 94 c3 42 4f 4f .t.....f@Iu..BOO 209.1.352
54 4d 47 52 20 20 20 20 00 00 00 00 00 00 00 00 TMGR ........ 209.1.368
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.384
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.400
00 00 00 00 00 00 00 00 00 00 00 00 0d 0a 44 69 ..............Di 209.1.416
73 6b 20 65 72 72 6f 72 ff 0d 0a 50 72 65 73 73 sk error...Press 209.1.432
20 61 6e 79 20 6b 65 79 20 74 6f 20 72 65 73 74 any key to rest 209.1.448
61 72 74 0d 0a 00 00 00 00 00 00 00 00 00 00 00 art............. 209.1.464
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.480
00 00 00 00 00 00 00 00 ac 01 b9 01 00 00 55 aa ..............U. 209.1.496
52 52 61 41 00 00 00 00 00 00 00 00 00 00 00 00 RRaA............ 209.1.512
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.528
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.544
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.560
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.576
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.592
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.608
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.624
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.640
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.656
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.672
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.688
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.704
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.720
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.736
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.752
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.768
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.784
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.800
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.816
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.832
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.848
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.864
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.880
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.896
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.912
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.928
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.944
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.960
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.976
00 00 00 00 72 72 41 61 a5 55 0e 00 06 00 00 00 ....rrAa.U...... 209.1.992
00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa ..............U. 209.1.1008
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1024
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1040
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1056
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1072
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1088
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1104
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1120
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1136
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1152
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1168
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1184
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1200
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1216
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1232
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1248
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1264
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1280
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1296
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1312
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1328
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1344
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1360
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1376
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1392
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1408
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1424
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1440
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1456
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1472
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1488
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1504
00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa ..............U. 209.1.1520
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1536
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1552
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1568
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1584
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1600
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1616
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1632
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1648
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1664
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1680
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1696
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1712
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1728
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1744
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1760
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1776
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1792
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1808
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1824
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1840
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1856
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1872
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1888
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1904
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1920
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1936
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1952
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1968
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 209.1.1984
16.1 IN 55 53 42 53 b0 f9 39 2d 00 00 00 00 00 USBS..9-..... 210.1.0
16.2 OUT 55 53 42 43 10 f0 2d 2d 00 00 00 00 00 00 06 00 USBC..--........ 212.1.0
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 212.1.16
16.1 IN 55 53 42 53 10 f0 2d 2d 00 00 00 00 00 USBS..--..... 213.1.0
17 ok 211.2.0
//。。。这里小编我省略了一大段测试传输和块读取的内容。。。//
16.1 IN 55 53 42 53 b0 f9 39 2d 00 00 00 00 00 USBS..9-..... 302.1.0
16.2 OUT 55 53 42 43 40 79 8d 2f 00 00 00 00 00 00 06 00 USBC@y./........ 304.1.0
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 304.1.16
16.1 IN 55 53 42 53 40 79 8d 2f 00 00 00 00 00 USBS@y./..... 305.1.0
17 ok 303.2.0
16.2 OUT 55 53 42 43 10 30 d4 2b 00 00 00 00 00 00 06 00 USBC.0.+........ 307.1.0
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 307.1.16
16.1 IN 55 53 42 53 10 30 d4 2b 00 00 00 00 00 USBS.0.+..... 308.1.0
17 ok 306.2.0
这里小编我将相关的资料资源下载链接放在下面:
1.圈圈教你玩usb,一本介绍usb不错的书:http://download.csdn/download/tanjiaqi2554/10049482
2.usb协议和文件系统用的一些分析软件:http://download.csdn/download/tanjiaqi2554/10049478
3.pc用usb摄像头点亮软件:http://download.csdn/download/tanjiaqi2554/10049469
4.USBlyzer,一款不错的usb设备类分析软件:http://download.csdn/download/tanjiaqi2554/10049464
5.介绍伽马在摄像和显示中存在的原因和意义:http://download.csdn/download/tanjiaqi2554/10049457
6.FAT文件系统介绍文档和官方协议:http://download.csdn/download/tanjiaqi2554/10049444
7.使用wireshark和bushound抓取的usb设备数据包:http://download.csdn/download/tanjiaqi2554/10049454
8.USB协议官方文档:http://download.csdn/download/tanjiaqi2554/10049441
更多推荐
从调试数据分析USB通信协议——USB存储介质【U盘】(二)
发布评论