[ARTeam-Tool] ARTeam UFD Password Revealer v1.0
potassium
December 17th, 2006, 17:35
In conjunction with my paper on USB Flash drive security I decided to write a tool for password recovery.
Give it a try

Grab it here!
http://arteam.accessroot.com/releases/
potassium
January 5th, 2007, 01:20
Version 1.1 is now public! Get it here http://arteam.accessroot.com/releases/file_info/download1.php?file=ARTeam_UFD_Password_Revealer_v1_1_by_potassium.rar
Quote:
2006-12-17 Version 1.0 Public Release
2006-12-29 Version 1.1
* Improved send-receive buffer handling
Buffers are now blanked and restored prior to read.
v1.0 caused some UFDs to hang due to erroneous send-buffers.
* Now displays which method is used
Only to provide me with additional information if you run into trouble 
* Improved detection of removable media
USB-devices such as card-readers etc. are detected as removable media via
GetDriveType function. To prevent accidental reading from an empty card reader
slot, which will lead to a complete system lockup, in v1.0 FindFirstFile was used to
determine whether it was reading from the actual UFD or not. However, if the disc
is empty it will find no files and the program would abort the reading of password.
So to prevent this kind of failure, now the drive serial number is read instead as
this should be present on all drives, empty or not.
* "Show dump on screen" function added
In case the password should be present in the dump, but at different offset, an onscreen
dump is available. Toggled via a checkbox.
* "Save dump to disc" function added
The program now creates an HTML document that contains a summary of the
completed operation. Displays information such as: drive-letter, drive serial number,
password, method, buffer size, password and the received dump both as ASCII and
hexadecimal.
* Status indicator added
I felt that more detailed output was needed, just in case something goes wrong.
korvak
January 8th, 2007, 22:39
enjoyed the paper... on the last device you tried to hack via software, and my natural trend towards hardware, i was wondering if you attempted to remove the "chip" with a "known" password and place it on the device that stores its "unlock" password onboard/in flash... you get the idea... if this worked... then once again "secured" usb devices would show how "un-secure" they really are.
just wondering...
Korvak
laola
January 8th, 2007, 23:45
I assume the password is stored in the "secured" memory area, so you would swap the passwords along with the data you want to access. I'd rather build an interface to dump the content of the memory chip... This should work unless the whole "secured" area is encrypted. Up to now, it usually doesn't seem to get encrypted, probably due to chip costs and/or performance issues.
Shub-nigurrath
January 9th, 2007, 07:06
probably a normal passive electromagnetic attack would reveal a lot of things when you enter the correct password or some "correct" chars into the right position.
Most probably a bruteforce guided by energy consumption patterns would give interesting results.
I don't think they added whitening or similar tricks to their chips.
korvak
January 9th, 2007, 09:25
without seeing what this device has for "memory chips" behind the controller, i was assuming that there is an external memory array. the documents about the controller talk about different types and locations of memory, but do not give any sizes. it also states that it is capable of "8 x NAND flash memory for single-mode of 8GB", so if the "password" is stored internal to the controller chip, replacing it should allow access to the memory again, this assumes A LOT, as formatting, partitions, and any other configurations could cause issues if the "new" controller chip does not have a way to recover or understand this information at power-up. then again, if desperate for the memory content, you could always "clip the chip" and read the memory directly.
just a thought....
Korvak