Embedded software/hardware inside USB stick

I have a very old 8 GB USB stick that has a secondary drive, called F:, every time I insert it, while my storage drive is D:.

I wonder if this should be a concern, and most importantly how I can disrupt/remove it. I have tried Linux GParted, Windows DiskPart, Windows Disk Management and nothing works. I was just thinking about opening up the plastic around it and seeing if there is hardware placed inside.



(Sorry I’m using Windows, this is a modified version and can’t ping outside :slight_smile:)

1 Like

I succeeded in removing this “CD drive” (software) from my Cruzer Enterprise, but this was a long time ago (not sure how). Try this one: http://u3-tool.sourceforge.net/ or the very same method. If it doesn’t help, at least this gives you the same idea. Perhaps launchpadremoval might work for your USB stick, just try it or … eventually you’ll succeed (or not).

1 Like

Under Windows, maybe it is a concern. It depends on whether more recent versions of Windows have disabled this functionality by default. It has been too long since I used Windows, so I couldn’t guess what version of Windows you are using.

Under Linux, probably not a concern. I expect that none of the software on the “CD” part of the drive will work at all under Linux and it is very likely that Linux would not try to execute the software anyway.

1 Like

Good point! Link to threat analysis paper (full-text) is here.

1 Like

When I write Linux to flash drives, they often have a boot sector, which is one partition name, and another with the Linux payload, and perhaps there is an open area on the drive I might try to partition and use, which would have a third letter for a name.

If you make it all one contiguous partition again, when you write Linux you will likely have two sectors again. One is a boot sector with one name, like D, and the second is the next letter in the alphabet, which has the Linux payload.

That is normal. Embedded malware in the USB is another subject, which I know little about. I used to have some Windows security software to do things with USB to prevent USB malware.

This isn’t partitioning. Follow the link for U3-tool above to the linked U3 disambiguation Wikipedia page to the U3 software Wikipedia page. This is unfortunately more “evil”.

If it were just partitioning then gparted would be able to fix it.

2 Likes

If you wanted to remove it, in a Linux terminal, couldn’t you just

sudo dd if=/dev/zero of=/dev/<drivename> bs=4M status=progress

I have done that before to completely wipe a USB drive. Oh, and fair warning, this will wipe the entire drive.

2 Likes

I wish that dd if=/dev/zero would help, yet I don’t think this is a usable method here, almost 100% sure. But you are right anyway; as a second step it is highly recommended. I guess such drives were not cheap and were sometimes sold even with single-level cell (SLC) memory.

Just after testing/using the launchpadremoval tool, I’d encourage @Nami to install pv, and afterwards execute:

sudo fdisk -l
sudo dd if=/dev/urandom of=/dev/sdUSB bs=2048 count=1
# the final write must also run as root, so it goes through a second dd instead of a plain shell redirect
sudo dd if=/dev/zero bs=512 | pv | sudo dd of=/dev/sdUSB bs=512 conv=notrunc

Hopefully we will have an adequate solution/feedback soon from Nami or from someone with recent, real partitioning experience with this very same USB flash drive (it just looks like a USB stick). Anyway, as long as and if dd if=/dev/zero helps right away, I don’t mind losing.

1 Like
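The wipe procedure in the two posts above (random bytes over the partition table, then zeros over the whole device) is easy to point at the wrong disk. The script below is an added example, not code from this thread: it wraps that same dd sequence in checks that the target is marked removable in sysfs and is not mounted, and supports a dry run. It assumes a Linux sysfs layout and GNU dd; the SYSFS_ROOT and PROC_MOUNTS variables are hypothetical knobs so the checks can be exercised against a fake tree. It only touches the block device you name; any separate “CD-ROM” device the controller presents is a different device node and is not altered by this.

```shell
#!/bin/sh
# Added example (not from the thread): zero a removable USB disk with
# sanity checks before anything is written. Assumes GNU coreutils dd and a
# Linux sysfs. SYSFS_ROOT / PROC_MOUNTS are hypothetical overrides used
# only so the checks can be tested against a constructed fake tree.
set -eu

SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# is_removable_disk NAME -> success if /sys/block/NAME/removable reads 1
is_removable_disk() {
    name="$1"
    f="$SYSFS_ROOT/block/$name/removable"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# is_mounted NAME -> success if NAME or one of its partitions is in /proc/mounts
is_mounted() {
    name="$1"
    mounts="${PROC_MOUNTS:-/proc/mounts}"
    [ -r "$mounts" ] && grep -q "^/dev/$name" "$mounts"
}

# wipe_removable NAME: refuse unless the device is removable and unmounted,
# then overwrite the first 2 KiB with random bytes (destroys the MBR/GPT
# header) and zero the rest. DRY_RUN=1 prints the commands instead.
wipe_removable() {
    name="$1"
    case "$name" in
        */*|"") echo "give a bare device name such as sdb" >&2; return 2 ;;
    esac
    if ! is_removable_disk "$name"; then
        echo "refusing: /dev/$name is not marked removable" >&2
        return 1
    fi
    if is_mounted "$name"; then
        echo "refusing: /dev/$name (or a partition of it) is mounted; unmount first" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "dd if=/dev/urandom of=/dev/$name bs=2048 count=1"
        echo "dd if=/dev/zero of=/dev/$name bs=4M status=progress"
        return 0
    fi
    dd if=/dev/urandom of="/dev/$name" bs=2048 count=1 conv=fsync
    # dd ends with "No space left on device" once the disk is full; that is expected
    dd if=/dev/zero of="/dev/$name" bs=4M status=progress conv=fsync || true
    sync
}

# usage: sudo ./wipe_usb.sh sdb     (DRY_RUN=1 ./wipe_usb.sh sdb to preview)
if [ "$#" -gt 0 ]; then
    wipe_removable "$1"
fi
```

Run it with the bare device name from `sudo fdisk -l` (sdb, not /dev/sdb1); the removable check is what keeps a typo from zeroing the system disk.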

No! This is more subtle than that.

Short version: USB devices that are capable of behaving like this have embedded firmware that presents the storage NOT as a single mass storage class device (an array of blocks that you can partition and format however you like) but as, for example, two devices e.g. one “CDROM” device and one mass storage class device.

The “CDROM” is of course pre-populated with the malware^H^H^H^H^H^H^HWindows software and should be enforced by the firmware as “read-only” (and would under normal circumstances also be enforced as “read-only” by the operating system).

So in effect the storage is partitioned behind the scenes in such a way that you can’t get rid of or alter the contents of the first partition, the “CDROM” - at least, you can’t do so via the normal mass storage class device interface.

The icing on the cake for Windows users is that Windows is supposed to run an executable that is stored on the “CDROM” automatically on insertion of the USB drive. Hopefully everyone can see the potential security issues with that!

In theory, the same might happen for Linux but for a number of reasons I doubt that it would happen for Linux, and I suspect that the functionality (of running an executable) was also disabled long ago by Windows.

2 Likes

Short version: USB devices that are capable of behaving like this have embedded firmware that presents the storage NOT as a single mass storage class device (an array of blocks that you can partition and format however you like) but as, for example, two devices e.g. one “CDROM” device and one mass storage class device.

Wow! I had no idea there were USB devices like that. Thank you for the education.

1 Like

How can the average user figure out how to distinguish between the good and less desirable varieties?
I mean BEFORE they shell out cash for the product … is there any way to tell? Just read reviews from people that were ALREADY “burned”?

Good question.

A few answers that don’t answer the question:

  • Probably for a Linux user it doesn’t matter (apart from the small reduction in usable storage).
  • I own a ton of USB flash drives and I have never encountered one that behaves like the one described above. (I do have a USB device that behaves more or less like the one above but it is a bit different and is not a USB flash drive and is a bit more complex.)
  • Maybe @Nami can post a photo of the USB flash drive and, less plausibly, its original packaging.

It depends on whether you are worried about legitimate but undesirable uses of this kind of functionality or you are worried about malicious or nefarious uses.

For the former (legitimate but undesirable):

  • Look for the branding. It was speculated above that the flash drive implements the U3 Specification. According to Wikipedia that has been discontinued and superseded by StartKey. There is no particular reason for a random USB flash drive manufacturer or vendor to use this functionality but look for the branding. It’s worth a shot.

  • If the flash drive is distributed as a promotion or distributed by a software provider it is more likely to be using this functionality.

Honestly, if I bought a batch of random USB flash drives and they were using this functionality, I would send them back for replacement or credit.

For the latter (malicious):

  • Be careful about where you get your flash drives from. Good: USB flash drive from reputable vendor from reputable manufacturer in unopened packaging. Bad: This woman I met in a club gave it to me and she said the flash drive contained her dance music play list. :wink:

3 Likes
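The explanation a few posts up (one USB mass-storage device presenting a disk LUN and a read-only “CDROM” LUN) and the question above about how to tell such a stick apart have a concrete answer on Linux: both LUNs share the same SCSI host:channel:target in lsblk and differ only in the LUN number. The script below is an added example, not code from this thread or from u3-tool; it reads `lsblk -J -o NAME,TYPE,TRAN,RO,SIZE,HCTL` output, groups USB block devices by target, and flags any target that exposes both a `disk` and a `rom` device. The embedded JSON is a constructed sample (device names, sizes and HCTL values are made up) containing a plain stick, an internal SATA optical drive that must be ignored, and a U3-style stick.

```python
"""Flag USB storage devices that expose a CD-ROM LUN next to a disk LUN.

Added example, not code from the forum thread. A U3-style stick shows up in
`lsblk -J` as one SCSI host:channel:target with two LUNs: a `disk` and a
`rom`, both with transport `usb`. Run with --live to inspect the current
Linux host, or call find_cdrom_composite_devices() on captured JSON.
"""
import json
import subprocess
from collections import defaultdict

LSBLK_COLUMNS = "NAME,TYPE,TRAN,RO,SIZE,HCTL"


def _is_ro(value):
    # Newer lsblk emits booleans, older versions emit "0"/"1" strings.
    if isinstance(value, bool):
        return value
    return str(value).strip() in ("1", "true", "True")


def _walk(devices):
    # Flatten the lsblk tree; partitions sit under "children" and are skipped
    # later because only top-level disk/rom devices carry a LUN of their own.
    for dev in devices:
        yield dev
        for child in dev.get("children", []) or []:
            yield child


def find_cdrom_composite_devices(lsblk_json):
    """Return one finding per USB SCSI target that exposes both a disk LUN and
    a rom LUN: {"target": "h:c:t", "disks": [...], "roms": [...]}."""
    data = json.loads(lsblk_json) if isinstance(lsblk_json, str) else lsblk_json
    by_target = defaultdict(lambda: {"disk": [], "rom": []})
    for dev in _walk(data.get("blockdevices", [])):
        if dev.get("tran") != "usb":
            continue  # internal SATA/NVMe devices are not the concern here
        hctl = dev.get("hctl")
        if not hctl or dev.get("type") not in ("disk", "rom"):
            continue
        host, channel, target, _lun = hctl.split(":")
        key = f"{host}:{channel}:{target}"
        by_target[key][dev["type"]].append(
            {"name": dev["name"], "size": dev.get("size"), "ro": _is_ro(dev.get("ro"))}
        )
    findings = []
    for key, luns in sorted(by_target.items()):
        if luns["disk"] and luns["rom"]:
            findings.append({"target": key, "disks": luns["disk"], "roms": luns["rom"]})
    return findings


# Constructed sample (not real lsblk output): sda is a normal stick, sr0 is an
# internal SATA optical drive, and sdb + sr1 are the two LUNs of one U3-style
# stick (LUN 0 = 7.7G disk, LUN 1 = small read-only CD-ROM image).
SAMPLE_LSBLK_JSON = json.dumps({
    "blockdevices": [
        {"name": "sda", "type": "disk", "tran": "usb", "ro": False, "size": "14.9G",
         "hctl": "3:0:0:0", "children": [
             {"name": "sda1", "type": "part", "tran": None, "ro": False,
              "size": "14.9G", "hctl": None}]},
        {"name": "sr0", "type": "rom", "tran": "sata", "ro": False, "size": "1024M",
         "hctl": "1:0:0:0"},
        {"name": "sdb", "type": "disk", "tran": "usb", "ro": "0", "size": "7.7G",
         "hctl": "4:0:0:0"},
        {"name": "sr1", "type": "rom", "tran": "usb", "ro": "1", "size": "6.3M",
         "hctl": "4:0:0:1"},
    ]
})


def live_lsblk_json():
    """Run lsblk on the current host (Linux only) and return its JSON text."""
    return subprocess.check_output(["lsblk", "-J", "-o", LSBLK_COLUMNS], text=True)


if __name__ == "__main__":
    import sys
    source = live_lsblk_json() if "--live" in sys.argv[1:] else SAMPLE_LSBLK_JSON
    hits = find_cdrom_composite_devices(source)
    if not hits:
        print("no USB device exposes a CD-ROM LUN alongside a disk LUN")
    for hit in hits:
        print(f"target {hit['target']}: disk {[d['name'] for d in hit['disks']]} "
              f"plus CD-ROM {[r['name'] for r in hit['roms']]} -> U3/autorun-style stick")
```

Without arguments the script evaluates the constructed sample; with `--live` it runs lsblk on the host. The detection keys on the disk-plus-rom pairing under one target rather than on the RO column, because lsblk reports the kernel’s read-only flag for the device node, not whether the medium itself is read-only.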

Indeed. I would ask @Nami if he/she could post this information here so we have less trouble speculating …

TMUS is a special kind of tool (software) within a USB device, used mainly for standalone computers.

Although partially obsolete, you might check them (as suggested already); here is one very good example (original status):
sudo lsusb -d 0781:540e
Bus 001 Device 015: ID 0781:540e SanDisk Corp. Cruzer Contour Flash Drive
sudo fdisk -l /dev/sdX
Disk /dev/sdb: 7.7 GiB, 8220645888 bytes, 16055949 sectors
Disk model: Cruzer Contour
sudo u3-tool -i /dev/sdX
Total device size: 7.66 GB (8220645888 bytes)
CD size: 0.00 B (0 bytes)
Data partition size: 7.66 GB (8220645888 bytes)

This one provides strange output, but this is just because u3-tool does not support this type of controller, IMO:
sudo lsusb -d 1370:2168
Bus 001 Device 013: ID 1370:2168 Swissbit
sudo fdisk -l /dev/sdX
Disk /dev/sdb: 244 MiB, 255852544 bytes, 499712 sectors
Disk model: Victorinox 2.0
sudo u3-tool -i /dev/sdX
u3_partition_info() failed: Device reported command failed: status 1

2 Likes

My USB…

2 Likes

Is there a model number on there somewhere?

Transcend Jf V10

This USB flash drive uses an Alcor Micro AU6988 controller. Here is a direct link to the original MPtool that might remove this CDFS partition, but I’m not familiar with it.

EDIT: Otherwise use: JetFlash Online Recovery.

Hmmm. Worried about the security implications of this kind of flash drive and have to run random blackbox software to fix it? :wink:

Ooh. That’s nasty. No indication at all that the flash drive might harbor malware.

I believe our goal is to remove TMUS (on CDFS), meaning just trying to remove CDFS from the TS8GJFV10. From that standpoint, Transcend JetFlash Online Recovery should connect to the online firmware database without a real installation into Win10, I think. Here is another link to AlcorMP JetFlash Online Recovery (v7.0.0.25) if CDFS (iso9660) still exists after using the original one from Transcend (*The repair process will delete all data stored on your flash drive.) As I cannot test things on this particular UFD, I just hope it will help @Nami get rid of the CDFS belonging to TMUS and get this USB flash drive back to its original factory-default state, the default state as defined by the manufacturer, nothing else.

Anyway @kieran, we’ve learned a few important things from your posts here, thank you!

2 Likes