
Unable to mount a formatted Flash Drive


13 replies to this topic

#1 zammibro

zammibro

    Member

  • Members
  • 59 posts
  •  
    United States

Posted 10 May 2021 - 03:48 AM

Hello everyone! 

 

I flashed checkn1x Linux ISO to a formatted USB flash drive with BalenaEtcher on a Windows 10 PC. The image contains a bootable version of the checkra1n tool used to jailbreak iOS devices. After flashing, the drive would not be accessible in Windows File Manager, but appears to contain several partitions, including some Kali Linux volumes.

 

Once flashed, it's impossible to re-flash a different image to the drive with BalenaEtcher, since it can't find the drive. I had to format the flash drive in a Linux VM with Gparted, but it can see only one partition on it, so other partitions are hidden. Once the visible partition is formatted to Fat32, Gparted can't mount the drive in Linux. However, when released from the VM it mounts the Fat32 partition in Windows, and BalenaEtcher can flash another image to the drive.

 

The questions are:

- why Gparted can't mount the drive upon formatting it? 

- how to discover, make visible, and format hidden (in a boot sector?) Kali Linux and possibly other small partitions on the flash drive?

- what tool to use to fully format it to factory state?

 

I used a Transcend 4GB flash drive, not sure with which controller. However, similar issue happens with any drive model upon flashing the above image to it.


Edited by zammibro, 10 May 2021 - 04:21 AM.


#2 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 10 May 2021 - 01:05 PM

Your questions show (no offence intended :)) that you miss at the moment a general understanding of the matter.

 

The first absolute sector of a storage device (LBA 0 or CHS 0/0/1) normally contains either of:

1) a MBR (Master Boot Record) and if in this MBR there is at least one valid entry in the partition table the device is a partitioned device
2) a PBR or VBR (Partition Boot Record or Volume Boot Record) and if in this PBR/VBR there are valid values in the BPB (BIOS Parameter Block) the device is non-partitioned or - commonly - a "super-floppy"

BUT it is entirely possible that *anything* else is written to it.

 

A MBR is defined as follows:
1) the boot code, some assembly code from byte offset 0 to byte 439 (that can well be all 00's)

2) the Disk Signature (on NT Systems) 4 bytes that can well be all 00's starting at offset 440

3) the partition table, 4 entries, 16 bytes each, starting at offset 446

4) the Magic Bytes (the hex values 55 AA) at offset 510

 

A PBR or VBR is defined as follows:
1) three "jump bytes" usually, but not always, EB xx 90 allowing to jump over the BPB

2) the BPB (that varies between different file systems both in contents/fields AND in length)

3) some boot code, starting from the end of the BPB and up to offset 509

4) the Magic Bytes (the hex values 55 AA) at offset 510

 

Any OS might (or might not) use some (or some other) parameters to determine whether the sector is a MBR or a PBR, and decide to read/interpret (or fail to read/interpret) the data in the partition table or in the BPB along the standards or not.

As well, any tool running under this (or that) OS may require (or not require) additional parameters (or various values in given fields) to decide whether what follows is a partitioned device or a volume and if it is a valid one.

 

The BIOS (generically speaking, as there are exceptions) usually does two things:
1) verify that the Magic Bytes (55 AA at offset 510) are present
2) execute the assembly code starting at offset 0 in the sector, no other questions asked

 

The net result of all the above is that it is perfectly possible to have a bootable device that is not accessible/readable by a number of OS (except for the booted from that device one) or that it is inaccessible/unreadable with this (or that) tool.

 

Since all the info/parameters that may affect the way a given OS (or given tool) behaves reside on this first sector of the device, the "universal" way to have the device (unpartitioned and unformatted) readable/accessible by *any* OS is to simply fill this sector with 00's.

 

This can be done by *any* hex/disk editor or by dd (or similar tool that can access the \\.\PhysicalDrive under Windows).

 

Once the first sector is 00'ed (possibly an unmount-mount, or reboot is needed to be able to access the device in its 00ed status, this depends on the specific OS and on the specific tool) for all that matters the device is in its "factory state", i.e. when connected to a NT based system, it will show as "this device needs to be initialized" in Disk Manager.

 

Gparted is a very good (but a tad bit too smart for its own good) tool as it attempts to read/interpret the contents of the MBR and PBR's/VBR's and if it finds something that is not "standard" (its own standard, which is almost - but not quite - the actual standard, only as an example it has - or had - issues with FAT12 volumes on partitioned media, recognizes .iso partitions but can't do anything with them, etc.) .

 

Every other "smart" tool will have this (or that) peculiar way to deal with anything that is not EXACTLY "canonical" (and often have also some quirks with something that is actually correct or at least doable and not affecting anything in the OS), BalenaEtcher very likely expects this first sector to be either 00's (uninitialized) or to contain "valid" values, and throws a fit if neither of these two conditions are met.

 

For *whatever* reasons your checkn1x, once copied to a USB stick produces something that works (i.e. boots and works as expected) BUT that is *somehow* non-standard.

 

Like many other tools both Gparted and BalenaEtcher belong to the category of "if it works, it works just fine, when it doesn't work, it doesn't work and you will likely never know why exactly" programs.

 

Use - when they don't work - other tools, possibly less "smart" and more "direct".

 

:duff:

Wonko


  • zammibro likes this
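The sector layout described in the post above, as an added example that is not part of the original thread: a small classifier for LBA 0 that applies the MBR offsets (partition table at 446, magic bytes at 510) and the VBR jump-byte/BPB check. The function names, the result labels and the sample sectors are constructed for illustration, and the VBR test is a heuristic that only covers FAT/NTFS-style BPBs.

```python
import struct

SECTOR = 512
PT_OFFSET, PT_ENTRIES, PT_ENTRY_SIZE = 446, 4, 16   # partition table: 4 x 16 bytes
MAGIC_OFFSET, MAGIC = 510, b"\x55\xaa"              # the "Magic Bytes"

def partition_entries(sec):
    """Return (status, type, first_lba, sector_count) for every sane, non-empty entry."""
    found = []
    for i in range(PT_ENTRIES):
        start = PT_OFFSET + i * PT_ENTRY_SIZE
        status, ptype, first_lba, count = struct.unpack(
            "<B3xB3xII", sec[start:start + PT_ENTRY_SIZE])
        if ptype != 0 and status in (0x00, 0x80) and count > 0:
            found.append((status, ptype, first_lba, count))
    return found

def classify_sector0(sec):
    """Heuristic classification of the first sector of a device."""
    if len(sec) != SECTOR:
        raise ValueError("need exactly one 512-byte sector")
    if sec == bytes(SECTOR):
        return "blank"                    # all 00's: shows up as uninitialized
    if sec[MAGIC_OFFSET:MAGIC_OFFSET + 2] != MAGIC:
        return "unknown"                  # *anything* else was written here
    # VBR: jump bytes plus a plausible "bytes per sector" field in the BPB (offset 11).
    # Checked first, because VBR boot code at offset 446 can look like table entries.
    jump = (sec[0] == 0xEB and sec[2] == 0x90) or sec[0] == 0xE9
    bytes_per_sector = struct.unpack_from("<H", sec, 11)[0]
    if jump and bytes_per_sector in (512, 1024, 2048, 4096):
        return "vbr"                      # non-partitioned "super-floppy"
    entries = partition_entries(sec)
    if any(ptype == 0xEE for _, ptype, _, _ in entries):
        return "protective-mbr"           # GPT disk: real table starts at LBA 1
    return "mbr" if entries else "mbr-empty"

def make_sector(entries=(), head=b""):
    """Build a constructed sample sector (not read from any real device)."""
    sec = bytearray(SECTOR)
    sec[:len(head)] = head
    for i, entry in enumerate(entries):
        struct.pack_into("<B3xB3xII", sec, PT_OFFSET + i * PT_ENTRY_SIZE, *entry)
    sec[MAGIC_OFFSET:] = MAGIC
    return bytes(sec)

SAMPLES = {  # constructed inputs, keyed by the label the classifier should return
    "blank": bytes(SECTOR),
    "unknown": b"\xff" * SECTOR,
    "mbr": make_sector([(0x80, 0x0C, 2048, 7_800_000)]),
    "protective-mbr": make_sector([(0x00, 0xEE, 1, 0xFFFFFFFF)]),
    "vbr": make_sector(head=b"\xeb\x58\x90MSDOS5.0" + struct.pack("<H", 512)),
    "mbr-empty": make_sector(head=b"\xeb\x63\x90"),   # boot code, empty table
}

if __name__ == "__main__":
    for name, sector in SAMPLES.items():
        print(f"{name:15} -> {classify_sector0(sector)}")
```

To inspect a real stick, pass the first 512 bytes read from the device (opened read-only) to `classify_sector0`.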

#3 zammibro

Posted 10 May 2021 - 02:08 PM

A general understanding of the matter.

 

I appreciate your detailed introduction. However, it appears to address just the 1st of my 3 questions above. I don't know why you decided to stop at that very point, but... I still need the other 2 questions answered. Would someone be brave enough to do just that?  :D

 

Btw, I tried to remove and re-attach formatted by Gparted flash drive to the VM as you suggested, but each time Gparted marks it with a special sign and says it can't mount it. What I need is:

2) reveal all hidden Kali Linux volumes on it that Gparted can't see but Windows File Manager can before formatting the thumb with Gparted,

AND

3) Identify its controller and restore it with a factory or similar format tool to original factory state with a single FAT32 volume, and no hidden volumes or bad & hidden & irrelevant MBR records. Which tool can do that?


Edited by zammibro, 10 May 2021 - 02:36 PM.


#4 Wonko the Sane

Posted 10 May 2021 - 04:57 PM

Actually the answers are there (between the lines), here they are more explicit:

2) DO NOT use Gparted (as for *some reasons* it corrupts the stick contents)

2 bis) also DO NOT use Balena Etcher (as it seemingly is - cannot say if only in conjunction with Gparted - causing issues)

2 ter)  use dd (or another similar tool) to write all 00's to the first sector, after you will have done this, the stick will be "as new"

You can also use dd instead of Banana Etcher to deploy the .iso to the stick, the checkn1x-1.1.6.iso is a hybridized .iso with an EFI partition (why? :w00t:), i.e. it is at the same time a .iso and an EFI partitioned disk image.

3) you DO NOT NEED any factory tool in your case, you first 00 the first sector, then use a suitable tool (it may depend on the specific linux distro, on Windows, depending on the version, built-in Disk Manager or diskpart may be enough, otherwise use any of the "good" tools, such as RMPREPUSB) to partition (create the volume) and format (apply the filesystem) to the volume.

dd-ing a set of 00's to the first 512 bytes of the device is ALL that is actually needed to "reset" the stick.

If you really-really want to use a manufacturer tool (and conversely run the risk of bricking for good that stick without any need) all the info and the needed tools (if they are available) can be found here:

https://www.usbdev.ru/

(Russian, you can use google translate if needed)

 

:duff:

Wonko



#5 zammibro

Posted 11 May 2021 - 12:50 AM

dd-ing a set of 00's to the first 512 bytes of the device

What command in Linux terminal would do that?

I assume EFI partition you mentioned is needed to boot the tool on an EFI PC. However, not sure why upon the above image being written to the thumb with Balena Etcher, Windows File Manager shows 3 Kali Linux Volumes and 1 FAT32 volume (or such) despite not allowing access to any of those? They only disappear upon deleting one visible partition with Gparted. I'll try dd next time after Gparted to erase the boot sector (?) as you suggested.

Edited by zammibro, 11 May 2021 - 12:51 AM.


#6 Wonko the Sane

Posted 11 May 2021 - 10:10 AM

What command in Linux terminal would do that?

I assume EFI partition you mentioned is needed to boot the tool on an EFI PC. However, not sure why upon the above image being written to the thumb with Balena Etcher, Windows File Manager shows 3 Kali Linux Volumes and 1 FAT32 volume (or such) despite not allowing access to any of those? They only disappear upon deleting one visible partition with Gparted. I'll try dd next time after Gparted to erase the boot sector (?) as you suggested.

dd

The exact syntax may vary on different distro's, but it is usually something *like*:

dd if=/dev/zero of=/dev/sdx bs=512 count=1

of course making sure, double sure and triple sure that the device is actually "sdx" is needed.

 

See also:

https://github.com/b...g-broken-drives

 

Quick guide/reminder:

https://www.linuxque...eything_With_DD

 

I have no idea how that image works (if it works), what I am telling you is that by quickly looking at the .iso file with a hex editor, it is a hybrid image, and its first few bytes are a MBR with a single, protective, EE (EFI) entry and a single partition in the EFI partition table.

 

 

:duff:

Wonko



#7 wimb

wimb

    Platinum Member

  • Developer
  • 3756 posts
  • Interests:Boot and Install from USB
  •  
    Netherlands

Posted 11 May 2021 - 11:44 AM

dd

The exact syntax may vary on different distro's, but it is usually something *like*:

dd if=/dev/zero of=/dev/sdx bs=512 count=1

of course making sure, double sure and triple sure that the device is actually "sdx" is needed.

 

 

This is for Linux, but what to use as Windows command to wipe MBR of disk 5 ?

 

diskpart clean works to wipe MBR USB and creates MBR bootcode but does not work to wipe GPT USB which is the present case ....

 

In case of GPT then after clean the disk is still GPT ....

 

Solution see dd for Windows  -  Partition0 is the entire disk

 

In Admin Command Window to wipe first sector of Harddisk 5

dd if=/dev/zero of=\\?\Device\Harddisk5\Partition0 bs=512 count=1

Attached files: dd_disk5_2021-05-11_142618.jpg, dd_disk5_2021-05-11_143602.jpg



#8 zammibro

Posted 11 May 2021 - 02:06 PM

Partition0 is the entire disk

 

Xmm... The thumb seems to contain 4 partitions. And neither Windows Disk Manager nor Diskpart can actually read it. But apparently File Explorer can mount some of its volumes while inaccessible. Did you actually try to flash that image to a flash drive, and then run dd command on it in Windows CMD? If "yes", why did you mention only Partition 0? Btw, this image is extremely popular to say the least to some surprise, since checkra1n is used in real numbers to jailbreak locked and unlocked iphones of various generations. :)

 

So Gparted in a Linux VM seems to delete only partition 2, create FAT32 volume instead, and then the flash can be mounted in Windows to be cleaned by whatever dd one can get. Yet again: Partition0 doesn't sound right. And how did you find that it is GPT type?

 

Checkn1x-USB-Flash.jpg


Edited by zammibro, 11 May 2021 - 02:15 PM.


#9 wimb

Posted 11 May 2021 - 02:49 PM

Xmm... The thumb seems to contain 4 partitions. And neither Windows Disk Manager nor Diskpart can actually read it. But apparently File Explorer can mount some of its volumes while inaccessible. Did you actually try to flash that image to a flash drive, and then run dd command on it in Windows CMD? If "yes", why did you mention only Partition 0? Btw, this image is extremely popular to say the least to some surprise, since checkra1n is used in real numbers to jailbreak locked and unlocked iphones of various generations. :)

 

So Gparted in a Linux VM seems to delete only partition 2, create FAT32 volume instead, and then the flash can be mounted in Windows to be cleaned by whatever dd one can get. Yet again: Partition0 doesn't sound right. And how did you find that it is GPT type?

 

In dd for Windows then Partition0 has a special meaning, it is a placeholder and not an indication of an actual partition.

It means to start at the beginning (the very first sector) of the disk and that is actually what you want to wipe.

 

Yes I used balenaEtcher to flash the image and used Windows DiskManagement > Disk 5 > Properties > Volumes to see that PartitionStyle is GPT.

Then I used diskpart to select disk 5 and used clean, but the USB disk remained GPT instead of becoming MBR

 

Then I decided to use dd for Windows to wipe the first sector and to wipe the first 100 sectors so that also EFI PART sector is wiped.

Then used diskpart to clean so that MBR code was created and to create FAT32 partition as indicated in the figure.

 

At all stages I investigated the disk by using TinyHexer > File > Disk > Open drive ... of my Tiny_Hexer_MBR program.

So I knew exactly what was going on in the first sector as viewed as hexadecimal code.



#10 zammibro

Posted 11 May 2021 - 03:15 PM

Windows DiskManagement > Disk 5 > Properties > Volumes.

 

For me Disk Management hangs trying to read this thumb in Win 10 64-bit 20H2, and so does Diskpart. But System Information still shows the thumb info. Will dd still work? Any other means to identify the thumb in Windows?



#11 zammibro

Posted 11 May 2021 - 06:07 PM

At all stages I investigated the disk by using TinyHexer > File > Disk > Open drive ... of my Tiny_Hexer_MBR program.


Sure. However, the size to erase varies. I downloaded ddrelease64.exe, and listed volumes with command:

ddrelease64.exe --list

Then when writing zeros, it gave the error below. Any comment WHY? Everything else in your above example worked like a charm. No need to use a Linux VM, just erase the thumb and format in Windows CMD. Thank you both distinguished helpers again. :) Very useful scenario.
 

C:\Users\zammi\Downloads\Programs\Apple\For Mac>ddrelease64 if=/dev/zero of=\\?\Device\Harddisk2\Partition0 bs=512 count=100
rawwrite dd for windows version 1.0beta1 WIN64.
Written by John Newbigin <jnewbigin@chrysocome.net>
This program is covered by terms of the GPL Version 2.


Error writing file: 1 Incorrect function.


65+0 records in
64+0 records out

Edited by zammibro, 11 May 2021 - 06:13 PM.


#12 Wonko the Sane

Posted 11 May 2021 - 09:36 PM

@Wimb

It is possible that the stupid Windows 10 diskpart checks the EFI/GPT partition table starting on LBA 1 or accesses the EFI/GPT "mirror structure" that is (or should be) at the end of the disk and as well (but the other way round) the Linux or Gparted or both like (or don't like) the presence (or the absence) of this mirror.

 

If you have it handy, the device should be checked with gdisk:

http://www.rodsbooks.com/gdisk/

 

@zammibro

The EFI partition table starts at LBA1 and (usually) it is limited to 128 entries in current implementations, since there are 4 entries per sector, the maximum extents are 128/4=32 sectors, so even if you want to overwrite the whole partition table, you don't need to 00 more than 33 sectors, but in this case, since there is only one entry, 00ing 2 sectors will be enough (LBA 0 and 1).

The 100 are "too many".

The fact that you have an error at 64 sectors may be connected to some of the *whatever* strange protections of Windows (the boot sector of the previous partition?) in these cases, some tools have issues and the disk needs to be put offline.

 

:duff:

Wonko



#13 wimb

Posted 12 May 2021 - 06:02 AM

In GPT partitioning the Protective MBR + GPT Header + GUID Partition Table = 34 sectors

 

So it is indeed not needed to wipe 100 sectors and wiping 10 sectors will be sufficient and 34 sectors at maximum to cover the whole GUID Partition Table.

 

Attached file: 800px-GUID_Partition_Table_Scheme.png

 

Windows 10x64 diskpart clean command wipes but keeps the current partitioning scheme so that the Protective MBR + GPT Header are recreated in case of GPT.

In case of MBR partitioning then clean command will wipe and recreate MBR with bootcode, but having empty partition table.

 

@zammibro

I have no idea why the dd wiping stops at 64 sectors, but Wonko might be right that the error sector originates from previous partitioning and is somehow protected.

In my case the Kingston 32 GB USB-drive was originally FAT32 formatted with USB_FORMAT using Windows 10x64 20H2 as OS.

USB_FORMAT uses Diskpart to clean the stick and can make FAT32 + NTFS partition on the stick.
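The sector counts discussed in the last few posts (protective MBR + GPT header + entry array = 34 sectors, plus the mirror structure at the end of the disk), as an added example that is not part of the original thread: the ranges to zero are derived from the header fields at LBA 1 instead of a fixed count. The function names and the in-memory image are constructed for illustration, the header CRCs in the sample are left at zero, and nothing here touches a real device.

```python
import io
import struct

SECTOR = 512

def gpt_wipe_ranges(dev):
    """Return [(first_lba, sector_count), ...] to zero so no MBR/GPT structure remains.

    Sizes are read from the GPT header (UEFI field offsets) rather than assumed."""
    total = dev.seek(0, io.SEEK_END) // SECTOR
    dev.seek(1 * SECTOR)
    hdr = dev.read(SECTOR)
    if hdr[:8] != b"EFI PART":
        return [(0, 1)]                       # plain MBR or VBR: LBA 0 is enough
    backup_lba = struct.unpack_from("<Q", hdr, 32)[0]
    entries_lba, num_entries, entry_size = struct.unpack_from("<QII", hdr, 72)
    table_sectors = -(-(num_entries * entry_size) // SECTOR)    # round up
    primary_end = entries_lba + table_sectors
    if table_sectors == 0 or primary_end > total:
        raise ValueError("implausible GPT header, refusing to derive ranges")
    ranges = [(0, primary_end)]               # LBA 0 + header + entry array
    if primary_end <= backup_lba < total:     # ignore a backup LBA outside the device
        dev.seek(backup_lba * SECTOR)
        bak = dev.read(SECTOR)
        bak_entries = struct.unpack_from("<Q", bak, 72)[0]
        if bak[:8] == b"EFI PART" and primary_end <= bak_entries <= backup_lba:
            ranges.append((bak_entries, backup_lba - bak_entries + 1))
    return ranges

def wipe(dev, ranges):
    """Overwrite each (first_lba, sector_count) range with 00's."""
    for first_lba, count in ranges:
        dev.seek(first_lba * SECTOR)
        dev.write(bytes(count * SECTOR))

def build_sample_image(total_sectors=2048):
    """Constructed 1 MiB image: protective MBR, primary GPT and backup GPT."""
    img = bytearray(total_sectors * SECTOR)
    last = total_sectors - 1
    struct.pack_into("<B3xB3xII", img, 446, 0x00, 0xEE, 1, last)   # type EE entry
    img[510:512] = b"\x55\xaa"

    def header(my_lba, other_lba, entries_lba):
        h = bytearray(SECTOR)
        struct.pack_into("<8sII8xQQQQ16xQII", h, 0, b"EFI PART", 0x00010000, 92,
                         my_lba, other_lba, 34, last - 33, entries_lba, 128, 128)
        return h

    img[SECTOR:2 * SECTOR] = header(1, last, 2)
    img[last * SECTOR:] = header(last, 1, last - 32)
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    image = build_sample_image()
    todo = gpt_wipe_ranges(image)
    print("ranges to zero:", todo)
    wipe(image, todo)
    print("EFI PART left:", b"EFI PART" in image.getvalue())
```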



#14 Wonko the Sane

Posted 12 May 2021 - 10:25 AM

The 100 sectors - only for the record - were suggested (by me) for years because they are a nice, round number to use with fsz/dsfo/dsfi, 512*100=51200, and in traditional MBR formatting (before the stupid 1 MB alignment change of convention) allowed to wipe:
1) the MBR
2) the following 62 "hidden sectors"

3) some additional 16 sectors + (i.e. the bootsector and related sectors of the first volume)

 

The "traditional" commands were something like:
fsz 51200 C:\temp\100zero.dat

dsfi \\.\PhysicalDriven 0 51200 C:\temp\100zero.dat

 

:duff:

Wonko





