Support for A-DATA MyFlash FP1 Fingerprint scanning device in Linux.

I've unfortunately bought one interesting device - A-DATA MyFlash FP1 memory stick with fingerprint protection. It looks pretty, much like iPod :) http://www.adata.com.tw/adata_en/product_detail.php?ProductNo=138

It identifies itself on bus as 0x1307:0x1169. I say unfortunately because it doesn't work under linux. How does it work under Windows: After plug two disks are visible. One is read-only usb disk, one is CDROM - they have similar contents. There is located Windows binary that automatically started and enable user to scan finger or enter master password. After password is checked, read-only usb disk disappears and read-write disk that may be used appears.

I've succeeded to enable write-protected disk with the following simple script. You need to install Plscsi program that makes scsi access from the shell easier. No need to check password, you can just run the command under root. It seems that "protection" is not protection at all, ADATA is very unprofessional here. After that unmount flash and run the following:

#!/bin/sh

# First we need to unmount devices, then mount them again, note
# that actual device may be different, it can be sdc or sda depending
# on the number of you SCSI disks.

export PLSCSI=/dev/sdb

./plscsi -p -v 
./plscsi -p -v -x "F1 00 00 00 00 00 00 00 00 00" -i 0xA
./plscsi -p -v -x "FC 00 00 00 00 00 00 00 01 00" -i 0xA

# Then you can mount /dev/sdb

Important: /dev/sdb is specific to your hardware setup, it can be sdc or sda if you have another usb or scsi device.

Ludek Finstrle (ludek dot finstrle at pzkagis dot cz) reported that in similar way you can enable write protection under Windows. It needs administrator rights (to access the PLSCSI device):

set PLSCSI=\\.\PHYSICALDRIVE1
 - the number could change in same way as sda, sdb, ...

This command change read/write (even on small 4MB partition).

plscsi.exe -p -v -x "F1 00 00 00 00 00 00 00 00 00"

This switch partitions (9. position: 00 - small 4MB, 01 - large).

plscsi.exe -p -v -x "FC 00 00 00 00 00 00 00 01 00"

Please note that with F1 you can rewrite contents of read-only small USB partition, but I suggest you avoid it, since it's dangerous.

I have digged this device with USB sniffer, and here goes all info I've collected currently. Of course we can support additional functionality like scanning on this device but it requires some effort. I blame ADATA since they rejected all my suggestions and haven't provided any useful information.

Here are the commands that are used in SCSI bulk requests:

00 TEST_UNIT_READY
03 REQUEST SENSE
12 INQUIRY
1A MODE SENSE
1E ALLOW MEDIUM REMOVAL
25 READ_CAPACITY
28 READ_10
2A WRITE_10
CF ---- ???
F1 ---- Change read/write (even on small USB partition)
F6 ---- ???
FC ---- Switch partitions (0 - small, 1 - big)
FD ---- ???

Command format:

/* command block wrapper */ 
struct bulk_cb_wrap {
	__le32	Signature; /* contains 'USBC' */ 
	__u32   Tag; /* unique per command id */
	__le32	DataTransferLength;	/* size of data */
	__u8	Flags;			/* direction in	bit 0 */
	__u8	Lun;			/* LUN normally 0 */
	__u8	Length;			/* of of the CDB */
	__u8	CDB[16];		/* max command */ 
};

--------------------------------------------------------------------------
Scanning the finger

003991: Bulk or Interrupt Transfer (UP), 25.04.2006 20:14:38.2738112 +0.0100144
Pipe Handle: 0x812734bc (Endpoint Address: 0x1)
Send 0x1f bytes to the device:
 55 53 42 43 C8 18 38 FC 00 0C 00 00 80 00 06 CF   USBCE.8u....?..I
 21 00 00 00 06 00 00 00 00 00 00 00 00 00 00      !..............

003992: Bulk or Interrupt Transfer (UP), 25.04.2006 20:14:38.2738112 +0.0
Pipe Handle: 0x812734dc (Endpoint Address: 0x82)
Get 0xc00 bytes from the device:
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
						   Here goes the scanned data

----------------------------------------------------------------------

The process of getting stored passwords

Probably it enables writeable disk here.

002095: Bulk or Interrupt Transfer (UP), 25.04.2006 20:14:31.8045088 +0.0
Pipe Handle: 0x812734bc (Endpoint Address: 0x1)
Send 0x1f bytes to the device:
 55 53 42 43 08 70 BD FB 00 00 00 00 00 00 0A F1   USBC.p?u.......n
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00      ...............

002096: Bulk or Interrupt Transfer (UP), 25.04.2006 20:14:31.8045088 +0.0
Pipe Handle: 0x812734dc (Endpoint Address: 0x82)
Get 0xd bytes from the device:
 55 53 42 53 08 70 BD FB 00 00 00 00 00            USBS.p?u.....
 
002097: Bulk or Interrupt Transfer (UP), 25.04.2006 20:14:31.8045088 +0.0
Pipe Handle: 0x812734bc (Endpoint Address: 0x1)
Send 0x1f bytes to the device:
 55 53 42 43 08 70 BD FB 00 28 00 00 00 00 0A FD   USBC.p?u.(.....y
 0F 00 00 20 00 00 00 14 00 00 00 00 00 00 00      ... ...........
   
002098: Bulk or Interrupt Transfer (UP), 25.04.2006 20:14:31.8045088 +0.0
Pipe Handle: 0x812734bc (Endpoint Address: 0x1)
Send 0x2800 bytes to the device:
 5A 41 52 44 00 00 00 00 00 00 00 00 00 00 00 00   ZARD............
 .................................                 Here goes the data
						   about passwords encrypted
						   with hash like in passwd
						   
002099: Bulk or Interrupt Transfer (UP), 25.04.2006 20:14:31.8045088 +0.0
Pipe Handle: 0x812734dc (Endpoint Address: 0x82)
Get 0xd bytes from the device:
 55 53 42 53 08 70 BD FB 00 00 00 00 00            USBS.p?u.....
 
 
Now we know that the following enables write access:
 
002100: Bulk or Interrupt Transfer (UP), 25.04.2006 20:14:31.8045088 +0.0
Pipe Handle: 0x812734bc (Endpoint Address: 0x1)
Send 0x1f bytes to the device:
 55 53 42 43 08 70 BD FB 00 00 00 00 00 00 0A F1   USBC.p?u.......n
 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00      ...............
   
002101: Bulk or Interrupt Transfer (UP), 25.04.2006 20:14:31.8045088 +0.0
Pipe Handle: 0x812734dc (Endpoint Address: 0x82)
Get 0xd bytes from the device:
 55 53 42 53 08 70 BD FB 00 00 00 00 00            USBS.p?u.....
 

--------------------------------------------------------------------

No idea what is done by this command

004034: Bulk or Interrupt Transfer (UP), 25.04.2006 20:14:40.3968640 +0.0
Pipe Handle: 0x812734bc (Endpoint Address: 0x1)
Send 0x1f bytes to the device:
 55 53 42 43 08 60 79 FC 08 00 00 00 80 00 0A FD   USBC.`yu....?..y
 0C 00 00 00 00 00 00 00 00 00 00 00 00 00 00      ...............

004035: Bulk or Interrupt Transfer (UP), 25.04.2006 20:14:40.3968640 +0.0
Pipe Handle: 0x812734dc (Endpoint Address: 0x82)
Get 0x8 bytes from the device:
 00 20 00 00 00 08 00 00                           . ......

004036: Bulk or Interrupt Transfer (UP), 25.04.2006 20:14:40.3968640 +0.0
Pipe Handle: 0x812734dc (Endpoint Address: 0x82)
Get 0xd bytes from the device:
 55 53 42 53 08 60 79 FC 00 00 00 00 00            USBS.`yu.....

----------------------------------------------------------------------

Switches partitions:

004109: Bulk or Interrupt Transfer (UP), 25.04.2006 20:14:42.5800032 +0.0
Pipe Handle: 0x812734bc (Endpoint Address: 0x1)
Send 0x1f bytes to the device:
 55 53 42 43 D8 31 4F FC 00 00 00 00 00 00 0A FC   USBCO1Ou.......u
 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00      ...............

004110: Bulk or Interrupt Transfer (UP), 25.04.2006 20:14:42.5800032 +0.0
Pipe Handle: 0x812734dc (Endpoint Address: 0x82)
Get 0xd bytes from the device:

  55 53 42 53 D8 31 4F FC 00 00 00 00 00            USBSO1Ou.....

----------------------------------------------------

No idea what is done here:

004099: Bulk or Interrupt Transfer (UP), 25.04.2006 20:14:42.5800032 +0.0
Pipe Handle: 0x812734bc (Endpoint Address: 0x1)
Send 0x1f bytes to the device:
 55 53 42 43 D8 31 4F FC 04 00 00 00 80 00 0A F6   USBCO1Ou....?..o
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00      ...............
  
004100: Bulk or Interrupt Transfer (UP), 25.04.2006 20:14:42.5800032 +0.0
Pipe Handle: 0x812734dc (Endpoint Address: 0x82)
Get 0x4 bytes from the device:
   00 00 66 00

004101: Bulk or Interrupt Transfer (UP), 25.04.2006 20:14:42.5800032 +0.0
Pipe Handle: 0x812734dc (Endpoint Address: 0x82)
Get 0xd bytes from the device:
  55 53 42 53 D8 31 4F FC 00 00 00 00 00            USBSO1Ou.....