
---

>> 0x00
description:
 Read a page with some sort of device info

type: request

command:

 CBWCB = 0xFF 0x00 0x00 0x03 0x00 0x27 0x00 0x00 0x00 0x00 0x00 0x00

 byte	data		description
 ------------------------------------------------------------------------------
 0	0xFF		SCSI opcode
 1-2	0x0000		command
 3-4	0x0003		Page number
 5-6	0x27		Request data length
 9	0x0		??? sofware update tool also uses 0x01 here

 valid page numbers according to bCSWStatus:
  verbatime: 0x3, 0x4, 0x6, 0x8, 0xa, 0xc, 0xe, 0x13, 0x14

data:
 6+ bytes

 0000  03 00 01 00 27 00                                 |....'.          |

 byte	data		description
 ------------------------------------------------------------------------------
 0-1	0x0003		page number
 2-3	0x0001		??? mostly 0x01, once 0x03
 4-5	0x0027		total usefull data length (including 6 byte header)


page 0x03:

 0000  03 00 01 00 27 00 77 00  00 00 03 81 07 06 54 30  |....'.w.......T0|
 0016  30 30 30 31 31 41 31 41  41 31 31 41 41 41 31 81  |00011A1AA11AAA1.|
 0032  07 06 54 91 4e 0f 00                              |..T.N..|

 byte	data		description
 ------------------------------------------------------------------------------
 0-5			header(see above)
 6			Real size of full record...????
 7-11			??? same for both verbatime and sandisk
 11-14	0x54060781	??? same as @ byte 31 (actual value different on verbatim)
 15-30	"000011A1AA11AAA1"	Serial number
 31-34	0x54060781	??? same as @ byte 11
 35-38	0x000f4e91	Device size in 512-byte blocks

page 0x0c:

 0000  0c 00 01 00 0a 00 10 27  00 00                    |.......'..      |

 byte	data		description
 ------------------------------------------------------------------------------
 0-5			header(see above)
 6-9	0x00002710	Maximum wrong password try for secure zone.

---

>> 0x20
description:
 Round CD size to a value the device likes

type: action

command:
 CBWCB = 0xFF 0x20 0x00 0x02 0xFF 0x03 0x00 0x00 0x00 0x00 0x00 0x00

 byte	data		description
 ------------------------------------------------------------------------------
 0	0xFF		scsi opcode
 1-2	0x0020		command
 3	0x02		??? can atleast be 0x02 and 0x03 but not 0, 1, 4, is
			this some sort of domain id to select the partition,
			like in 0x21, byte 3??? the verbatim is less picky and
			accepts all values...
 4-7	0x3FF		Value to round (in 512-byte sectors)
 8	0x0		Direction to round(0x00 = down, 0x01 = up)

data:
 4 bytes

 0000  00 02 00 00                                      |....|

 byte	data		description
 ------------------------------------------------------------------------------
 0-3	0x200		Rounded value

---

>> 0x21
description:
 get information about the partition configuration

type: request

command:
 CBWCB = 0xFF 0x21 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

 byte	data		description
 ------------------------------------------------------------------------------

data:

 0000  02 02 00 00 00 91 1e 0f  00 03 01 00 00 00 30 00  |..............0.|
 can be read in any multiple of 8 all dat beyond the above data is zero(0)

 u3-remover uses the following data(IIRC), (0x0f4e91 == full drive size):
 0000  01 02 00 00 00 91 4e 0f  00                       |.........       |


 byte	data		description
 ------------------------------------------------------------------------------
 0	02		amount of available records, where 1 record = 8 byte???
 1	02		??? some sort of domain id???
 3-4	00 00 00	??
 5-8	0x000F1E91	size of data partition in 512-byte sectors
 9	0x03		?? some sort of domain id????
 10	0x01		?? WARNING: If set to 0 on Sandisk cruzer, cd drive
			will show up as direct-access, but can't be used, also
			drive doesn't react to command 0x00, page 3 and you
			won't be able to re-partition device!!!!
 11-12	00 00		??
 13-15	0x003000	size of cdrom partitoin in 512-byte sectors

---

>> 0x22
description:
 Repartition device

type: action

command:
 CBWCB = 0xFF 0x22 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

 byte	data		description
 ------------------------------------------------------------------------------

data:
 0000  02 02 00 00 00 91 1e 0f  00 03 01 00  00 00 30 00 |..............0.|
 0016  00                                                |.               |


 byte	data		description
 ------------------------------------------------------------------------------
 0	0x02		amount of dword of data(+1byte+1dword=packet_size)
 1-4	0x00000002	???
 5-8	0x000f1e91	Size of data partition in 512-byte sectors
 9-12	0x00000103	??? 0x0003 make's it a direct access partition.(but can't partition afterwards, and page 3 of command 0x0000 isn't accessible anymore...)
 13-16	0x00003000	Size of CD partition in 512-byte sectors

---

>> 0x42
description:
 Write block of data to CD-rom partition

type: action

command:
 CBWCB = 0xFF 0x42 0x00 0x01 0x00 0x00 0x01 0x1D 0x00 0x00 0x00 0x01 

 byte	data		description
 ------------------------------------------------------------------------------
 0	0xFF		scsi opcode
 1-2	0x42		command
 3	0x01		???
 4-7	0x0000011D	Block Address (Big Endian!!!!!!!)
 8-11	0x01		??? (Big Endian?)

data:
 A 2048 byte block

---

>> 0x61
description:
 read out hidden data/config storage. Looks the same as with mDrive.

type: request

command:
 CBWCB = 0xFF 0x61 0x00 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

 byte	data		description
 ------------------------------------------------------------------------------

data:


 byte	data		description
 ------------------------------------------------------------------------------

---

>> 0x63
description:
 read out hidden data/config storage. Looks the similar as with mDrive.

type: request

command:
 CBWCB = 0xFF 0x63 0x00 0x00 0x00 0x55 0x33 0x49 0x4E 0x50 0x52 0x50

 byte	data		description
 ------------------------------------------------------------------------------

data:


 byte	data		description
 ------------------------------------------------------------------------------

---

>> 0xA0
description:
 get some sort of data partition information

type: request

command:

 CBWCB = 0xFF 0xA0 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

 byte	data		description
 ------------------------------------------------------------------------------

data:
 16 byte

 0000  40 ab 1d 00 00 00 00 00  00 00 00 00 00 00 00 00  |@...............|

 0000  40 ab 1d 00 40 ab 1d 00  01 00 00 00 00 00 00 00  |@...@...........| (secured)


 byte	data		description
 ------------------------------------------------------------------------------
 0-3	0x001dab40	Total data partition size
 4-7	0x001dab40	Amount of data partition encrypted????
 8-11	0x00000001	Lock(=0) or Unlocked(=1)
 12-15	0x00000000	Wrong password try counter

---

>> 0xA1
description:
 FUZED

type: Request?

command:

 CBWCB = 0xFF 0xA1 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

 byte	data		description
 ------------------------------------------------------------------------------
 0			scsi opcode
 1-2			command
 3	0		Failes on Sandisk if != 0
 4-			changing these doesn't seem to have any effect

data:

 data is random, and changes due to executing commands

 byte	data		description
 ------------------------------------------------------------------------------


---

>> 0xA2
description:
 Secure data partition

 Password hash is a md5 sum of the unicode password including the terminating
 null. So for a password of 'a' the following byte stream is fead to the md5
 function: 0x61 0x00 0x00 0x00 == UNICODE "a\0"

 It seems that if the whole of the data partition is made secure zone, then
 the data currently on the data partition is accessible in the secure zone.
 If only a part of the data partition is made secure zone than the first part
 of the data on the partition is retained and the rest isn't accessible. In
 this case the secure zone will contain garbage(the data on that was on that
 part of the data partition but decrypted with an other key).

 If the device is already secured and this command is issued again, the current
 data on the device is lost(if secure zone == 100%).

type: action

command:

 CBWCB = 0xFF 0xA2 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

 byte	data		description
 ------------------------------------------------------------------------------

data:
 20 byte

 0000  40 ab 1d 00 33 2c e7 85  e9 73 57 4a 1c 5f da f3  |@...3,...sWJ._..|
 0016  ee e3 f0 83                                       |....|


 byte	data		description
 ------------------------------------------------------------------------------
 0-3	0x001dab40	Size of private zone????
 4-19	...		Password hash ( pass='a')


---

>> 0xA3
description:
 value rounding for data partition securing

type: request

command:
 CBWCB = 0xFF 0xA3 0x00 0x00 0x40 0xAB 0x1D 0x00 0x01 0x00 0x00 0x00

 byte	data		description
 ------------------------------------------------------------------------------
 0	0xFF		scsi opcode
 1-2	0x00A3		Command
 3	0x00		???
 4-7	0x001DAB40	Value to round (in 512-byte sectors)
 8	0x01		Direction to round(0x00 = down, 0x01 = up)
 

data:
 4 byte

 0000  40 ab 1d 00                                      |@...|

 byte	data		description
 ------------------------------------------------------------------------------
 0-3	0x001DAB40	Rounded value

---

>> 0xA4
description:
 unlock device

 Password hash is a md5 sum of the unicode password including the terminating
 null. So for a password of 'a' the following byte stream is fead to the md5
 function: 0x61 0x00 0x00 0x00 == UNICODE "a\0"

type: action

command:

 CBWCB = 0xFF 0xA4 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

 byte	data		description
 ------------------------------------------------------------------------------

data:
 16 byte

 0000  33 2c e7 85 e9 73 57 4a  1c 5f da f3 ee e3 f0 83  |3,...sWJ._......|

 byte	data		description
 ------------------------------------------------------------------------------
 0-15	...		password hash (pass='a')

---

>> 0xA6
description:
 change password

 Password hash is a md5 sum of the unicode password including the terminating
 null. So for a password of 'a' the following byte stream is fead to the md5
 function: 0x61 0x00 0x00 0x00 == UNICODE "a\0"

type: action

command:

 CBWCB = 0xFF 0xA6 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

 byte	data		description
 ------------------------------------------------------------------------------

data:

 0000  33 2c e7 85 e9 73 57 4a  1c 5f da f3 ee e3 f0 83  |3,...sWJ._......|
 0016  c0 51 c1 bb 98 b7 1c cb  15 b0 cf 9c 67 d1 43 ee  |.Q..........g.C.|

 byte	data		description
 ------------------------------------------------------------------------------
 0-15	...		Old password hash ( pass='a')
 16-31	...		New password hash ( pass='b')

---

>> 0xA7
description:
 Remove security

 Password hash is a md5 sum of the unicode password including the terminating
 null. So for a password of 'a' the following byte stream is fead to the md5
 function: 0x61 0x00 0x00 0x00 == UNICODE "a\0"

 hmm... if security zone size != size of data partition, then this fails!!!
 it returns a failed status but doesn't increase the password try counter,
 even if password was incorrect.... to remove the secure zone if it doesn't
 fully occupy the data partition, recreate the secure zone with maximum size.
 > Possible cause: If this command is issued the secure zone becomes the public
 zone, and thus all data on the disk will be retained. It is suspected that all
 partitions/zones are stored encrypted on the flash device(Yes, even the public
 zone). So, if this command is issued the secure zone key is decrypted(if
 encrypted at all) and the zone is marked as public. Logically this would not
 work if there is a public and secure zone. Then you would end up with two
 public zone's with different encryptions keys.

 Byte 3 of command does something... but still doesn't allow for removing half
 secure zones.

type: action

command:

 CBWCB = 0xFF 0xA7 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

 byte	data		description
 ------------------------------------------------------------------------------

data:

 0000  c0 51 c1 bb 98 b7 1c cb  15 b0 cf 9c 67 d1 43 ee  |.Q..........g.C.|

 byte	data		description
 ------------------------------------------------------------------------------
 0-15	...		Password hash (in this case 'b')

---

>> 0x100
description:
 seen used after a 0xA4(with some normal scsi stuff in between...).
 generate reset some sort of reset or insert condition on data disk. Linux old 2.4
 usb-storage sees it as a disconnect of the drive.

type: 

command:

 CBWCB = 0xFF 0x00 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

 byte	data		description
 ------------------------------------------------------------------------------

data:
 No data....


---

>> 0x101
description:
 disconnect's and possibly reconnects device

type: action

command:

 CBWCB = 0xFF 0x01 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 

 byte	data		description
 ------------------------------------------------------------------------------

data:
  12 bytes

  0000  50 00 00 00 40 9c 00 00  01 00 00 00              |P...@.......|

 byte	data		description
 ------------------------------------------------------------------------------
 8	0x01		If 1 reconnect after disconnect, else not
 all other byte's dont seem to have any effect...

---

>> 0x103
description:
Get chip maker and version

type: request

command:

 CBWCB = 0xFF 0x03 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

 byte	data		description
 ------------------------------------------------------------------------------

data:
 24 bytes

 0000  33 2e 32 31 00 00 00 00  53 61 6e 44 69 73 6b 20  |3.21....SanDisk |
 0016  00 00 00 00 00 00 00 00                           |........|

 byte	data		description
 ------------------------------------------------------------------------------
 0-7	"3.21"		Chip version
 8-23	"SanDisk"	Chip maker







possible read commands:
0x20
0x21
0x61
0x63
0x68
0x6b 512?
0x81 128-byte
0x84 64-byte
0x85 64-byte
0x88 64-byte
0xa1 4-byte
0xc1
0xe2 = read random?, 64-byte

0x102 512-byte

Write:
0x01 -> 0x1f
0x22 -> 0x40
0x42
0x60
0x62
0x6a
0x6c
0x6d
0x6e
0x82 128 byte
0x83 64 byte?
0x86
0x87
0xc0
0xc2




---

>>
description:

type: 

command:

 byte	data		description
 ------------------------------------------------------------------------------

data:


 byte	data		description
 ------------------------------------------------------------------------------


