
@rickmark
Created January 9, 2020 03:38
Target Disk Mode - Invalid String Descriptors

This is a capture of a suspected infected T2 processor on a MacBook Air being booted in Target Disk Mode, with a Total Phase Beagle 3000 Ultimate between it and a Raspberry Pi.

When directly connected, the Raspberry Pi had the following kernel-mode error in dmesg:

usb 1-1.4.1: device descriptor read/64, error -32

The other attached files are USB packet captures with malformed string descriptors (see the length).

The original TDC file will be appended shortly.

# Total Phase Data Center(tm) v6.73
# (c) 2005-2017 Total Phase, Inc.
# www.totalphase.com
#
# Wed Jan 08 18:58:29 2020
#
# Level,Sp,Index,m:s.ms.us,Dur,Len,Err,Dev,Ep,Record,Summary
0,,0,0:00.000.000,,,,,,Capture started (Aggregate),[Wed 08 Jan 2020 04:00:22 PM PST]
0,SS,7,0:00.000.350,,,,,,<Manual Trigger or USB2 Trigger>,
0,SS,247101,1:00.854.633,13.224 us,8 B,,02,00,Get Device Descriptor,Index=0 Length=8
0,SS,247136,1:00.854.746,2.112 us,0 B,,02,00,Set Isoch Delay,Delay=40ns
0,SS,247157,1:00.854.835,3.728 us,18 B,,02,00,Get Device Descriptor,Index=0 Length=18
1,SS,247158,1:00.854.835,800 ns,8 B,,02,00, SETUP Txn ,80 06 00 01 00 00 12 00
1,SS,247168,1:00.854.837,1.220 us,18 B,,02,00, IN Txn ,12 01 00 03 00 00 00 09 AC 05 00 18 01 01 01 02 03 01
1,SS,247182,1:00.854.838,752 ns,,,02,00, STATUS Txn ,
0,SS,247192,1:00.854.924,4.768 us,5 B,,02,00,Get BOS Descriptor,Index=0 Length=5
1,SS,247193,1:00.854.924,808 ns,8 B,,02,00, SETUP Txn ,80 06 00 0F 00 00 05 00
1,SS,247203,1:00.854.927,1.160 us,5 B,,02,00, IN Txn ,05 0F 0F 00 01
1,SS,247217,1:00.854.928,744 ns,,,02,00, STATUS Txn ,
2,SS,247218,1:00.854.928,308 ns,,,02,00, Status Transaction,[HdrSeq=6]
2,SS,247221,1:00.854.928,16 ns,8 B,,,, Link Credit C,
2,SS,247222,1:00.854.929,168 ns,,,02,00, Ack Transaction,{SeqNum=1 NumP=0} [HdrSeq=4]
2,SS,247225,1:00.854.929,16 ns,8 B,,,, Link Credit A,
0,SS,247227,1:00.855.025,6.264 us,15 B,,02,00,Get BOS Descriptor,Index=0 Length=15
1,SS,247228,1:00.855.025,816 ns,8 B,,02,00, SETUP Txn ,80 06 00 0F 00 00 0F 00
1,SS,247238,1:00.855.027,1.192 us,15 B,,02,00, IN Txn ,05 0F 0F 00 01 0A 10 03 00 08 00 03 00 00 00
1,SS,247252,1:00.855.031,736 ns,,,02,00, STATUS Txn ,
0,SS,247262,1:00.855.165,3.648 us,9 B,,02,00,Get Configuration Descriptor,Index=0 Length=9
1,SS,247263,1:00.855.165,800 ns,8 B,,02,00, SETUP Txn ,80 06 00 02 00 00 09 00
1,SS,247273,1:00.855.167,1.184 us,9 B,,02,00, IN Txn ,09 02 2C 00 01 01 00 C0 00
1,SS,247287,1:00.855.168,736 ns,,,02,00, STATUS Txn ,
0,SS,247297,1:00.855.250,3.872 us,44 B,,02,00,Get Configuration Descriptor,Index=0 Length=44
0,SS,247332,1:00.855.338,50.000 us,4 B,,02,00,Get String Descriptor,Index=0 Length=255
0,SS,247380,1:00.855.474,58.736 us,22 B,,02,00,Get String Descriptor,Index=2 Length=255
0,SS,247428,1:00.855.610,13.864 us,24 B,,02,00,Get String Descriptor,Index=1 Length=255
0,SS,247476,1:00.855.711,56.956 us,28 B,,02,00,Get String Descriptor,Index=3 Length=255
0,SS,247524,1:00.858.210,3.104 us,0 B,,02,00,Set Configuration,Configuration=1
0,,100326597,41:26.020.783,,,,,,Capture stopped,[Wed 08 Jan 2020 04:41:48 PM PST]
# Total Phase Data Center(tm) v6.73
# (c) 2005-2017 Total Phase, Inc.
# www.totalphase.com
#
# Wed Jan 08 19:00:28 2020
#
# Level,Sp,Index,m:s.ms.us,Dur,Len,Err,Dev,Ep,Record,Data,Summary,ASCII
0,,0,0:00.000.000,,,,,,Capture started (Aggregate),,[Wed 08 Jan 2020 04:00:22 PM PST],
0,SS,7,0:00.000.350,,,,,,<Manual Trigger or USB2 Trigger>,,,
0,SS,247101,1:00.854.633,13.224 us,8 B,,02,00,Get Device Descriptor,12 01 00 03 00 00 00 09,Index=0 Length=8,........
0,SS,247136,1:00.854.746,2.112 us,0 B,,02,00,Set Isoch Delay,,Delay=40ns,
0,SS,247157,1:00.854.835,3.728 us,18 B,,02,00,Get Device Descriptor,12 01 00 03 00 00 00 09 AC 05 00 18 01 01 01 02 03 01,Index=0 Length=18,..................
1,SS,247158,1:00.854.835,800 ns,8 B,,02,00, SETUP Txn ,80 06 00 01 00 00 12 00,,........
1,SS,247168,1:00.854.837,1.220 us,18 B,,02,00, IN Txn ,12 01 00 03 00 00 00 09 AC 05 00 18 01 01 01 02 03 01,,..................
1,SS,247182,1:00.854.838,752 ns,,,02,00, STATUS Txn ,,,
0,SS,247192,1:00.854.924,4.768 us,5 B,,02,00,Get BOS Descriptor,05 0F 0F 00 01,Index=0 Length=5,.....
1,SS,247193,1:00.854.924,808 ns,8 B,,02,00, SETUP Txn ,80 06 00 0F 00 00 05 00,,........
1,SS,247203,1:00.854.927,1.160 us,5 B,,02,00, IN Txn ,05 0F 0F 00 01,,.....
1,SS,247217,1:00.854.928,744 ns,,,02,00, STATUS Txn ,,,
2,SS,247218,1:00.854.928,308 ns,,,02,00, Status Transaction,,[HdrSeq=6],
2,SS,247221,1:00.854.928,16 ns,8 B,,,, Link Credit C,FE FE FE F7 82 18 82 18,,........
2,SS,247222,1:00.854.929,168 ns,,,02,00, Ack Transaction,,{SeqNum=1 NumP=0} [HdrSeq=4],
2,SS,247225,1:00.854.929,16 ns,8 B,,,, Link Credit A,FE FE FE F7 80 A0 80 A0,,........
0,SS,247227,1:00.855.025,6.264 us,15 B,,02,00,Get BOS Descriptor,05 0F 0F 00 01 0A 10 03 00 08 00 03 00 00 00,Index=0 Length=15,...............
1,SS,247228,1:00.855.025,816 ns,8 B,,02,00, SETUP Txn ,80 06 00 0F 00 00 0F 00,,........
1,SS,247238,1:00.855.027,1.192 us,15 B,,02,00, IN Txn ,05 0F 0F 00 01 0A 10 03 00 08 00 03 00 00 00,,...............
1,SS,247252,1:00.855.031,736 ns,,,02,00, STATUS Txn ,,,
0,SS,247262,1:00.855.165,3.648 us,9 B,,02,00,Get Configuration Descriptor,09 02 2C 00 01 01 00 C0 00,Index=0 Length=9,..,......
1,SS,247263,1:00.855.165,800 ns,8 B,,02,00, SETUP Txn ,80 06 00 02 00 00 09 00,,........
1,SS,247273,1:00.855.167,1.184 us,9 B,,02,00, IN Txn ,09 02 2C 00 01 01 00 C0 00,,..,......
1,SS,247287,1:00.855.168,736 ns,,,02,00, STATUS Txn ,,,
0,SS,247297,1:00.855.250,3.872 us,44 B,,02,00,Get Configuration Descriptor,09 02 2C 00 01 01 00 C0 00 09 04 00 00 02 DC 02 01 00 07 05 01 02 00 04 00 06 30 00 00 00 00 07 05 81 02 00 04 00 06 30 00 00 00 00,Index=0 Length=44,..,.......................0............0....
0,SS,247332,1:00.855.338,50.000 us,4 B,,02,00,Get String Descriptor,04 03 04 09,Index=0 Length=255,....
0,SS,247380,1:00.855.474,58.736 us,22 B,,02,00,Get String Descriptor,14 03 4D 00 61 00 63 00 69 00 6E 00 74 00 6F 00 73 00 68 00 00 00,Index=2 Length=255,..M.a.c.i.n.t.o.s.h...
0,SS,247428,1:00.855.610,13.864 us,24 B,,02,00,Get String Descriptor,16 03 41 00 70 00 70 00 6C 00 65 00 20 00 49 00 6E 00 63 00 2E 00 00 00,Index=1 Length=255,..A.p.p.l.e. .I.n.c.....
0,SS,247476,1:00.855.711,56.956 us,28 B,,02,00,Get String Descriptor,1A 03 46 00 56 00 46 00 5A 00 39 00 31 00 30 00 52 00 4D 00 36 00 58 00 35 00 00 00,Index=3 Length=255,..F.V.F.Z.9.1.0.R.M.6.X.5...
0,SS,247524,1:00.858.210,3.104 us,0 B,,02,00,Set Configuration,,Configuration=1,
0,,100326597,41:26.020.783,,,,,,Capture stopped,,[Wed 08 Jan 2020 04:41:48 PM PST],
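The length check the description points to, run over the Get String Descriptor rows of the capture above: it compares each descriptor's declared bLength (first byte) with the number of bytes actually transferred. This is an added example, not part of the original gist; the function names `check_string_descriptor` and `audit` are hypothetical.

```python
import csv
import io

# Get String Descriptor rows copied from the capture on this page. Columns:
# Level,Sp,Index,m:s.ms.us,Dur,Len,Err,Dev,Ep,Record,Data,Summary,ASCII
CAPTURE = """\
0,SS,247332,1:00.855.338,50.000 us,4 B,,02,00,Get String Descriptor,04 03 04 09,Index=0 Length=255,....
0,SS,247380,1:00.855.474,58.736 us,22 B,,02,00,Get String Descriptor,14 03 4D 00 61 00 63 00 69 00 6E 00 74 00 6F 00 73 00 68 00 00 00,Index=2 Length=255,..M.a.c.i.n.t.o.s.h...
0,SS,247428,1:00.855.610,13.864 us,24 B,,02,00,Get String Descriptor,16 03 41 00 70 00 70 00 6C 00 65 00 20 00 49 00 6E 00 63 00 2E 00 00 00,Index=1 Length=255,..A.p.p.l.e. .I.n.c.....
0,SS,247476,1:00.855.711,56.956 us,28 B,,02,00,Get String Descriptor,1A 03 46 00 56 00 46 00 5A 00 39 00 31 00 30 00 52 00 4D 00 36 00 58 00 35 00 00 00,Index=3 Length=255,..F.V.F.Z.9.1.0.R.M.6.X.5...
"""

def check_string_descriptor(data, requested):
    """Return (bLength, findings) for one string-descriptor transfer."""
    if len(data) < 2:
        return None, ["transfer shorter than the 2-byte descriptor header"]
    b_length, b_type = data[0], data[1]
    findings = []
    if b_type != 0x03:  # 0x03 is the STRING descriptor type
        findings.append(f"bDescriptorType is {b_type:#04x}, expected 0x03")
    if b_length < 2 or b_length % 2:
        findings.append(f"bLength {b_length} is not an even value >= 2")
    expected = min(b_length, requested)  # a transfer is cut off at the requested length
    if len(data) > expected:
        extra = data[expected:]
        findings.append(f"{len(extra)} byte(s) beyond bLength {b_length}: {extra.hex(' ')}")
    elif len(data) < expected:
        findings.append(f"only {len(data)} of {expected} expected bytes transferred")
    return b_length, findings

def audit(capture_text):
    """Check every Get String Descriptor row; returns one dict per row."""
    results = []
    for row in csv.reader(io.StringIO(capture_text)):
        # Fields are read by position, so a comma in the ASCII column cannot shift them.
        if len(row) < 12 or row[9].strip() != "Get String Descriptor":
            continue
        data = bytes.fromhex(row[10])
        summary = dict(kv.split("=") for kv in row[11].split())
        index, requested = int(summary["Index"]), int(summary["Length"])
        b_length, findings = check_string_descriptor(data, requested)
        text = None
        if index != 0 and b_length is not None:  # index 0 is the LANGID table, not text
            body = data[2:max(2, min(b_length, len(data)))]
            text = body[:len(body) & ~1].decode("utf-16-le", errors="replace")
        results.append(dict(index=index, transferred=len(data), bLength=b_length, text=text, findings=findings))
    return results

if __name__ == "__main__": print(*audit(CAPTURE), sep="\n")
```

On these rows the LANGID descriptor at index 0 is consistent, while indexes 1, 2 and 3 each transfer two `00` bytes more than their bLength declares.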