
I'm working on a firmware which was developed in 2011. The device has a USB OTG module and can be plugged into a USB port of a PC. It has a 1 MB flash memory. When a USB plug-in is detected, the firmware generates two files, a PDF and a TTV (proprietary format). Those files are saved in the flash memory. Then the flash memory is exposed to Windows as a mass storage device. The firmware always generates the files and then exposes the device to Windows. The user can read the files and also put their own files on the flash device.

The firmware uses the FatFs library for the file system. We're using the FAT format for the flash storage.

When USB is plugged in, if the PDF and TTV files are not found in the file system, then they are generated by the firmware and saved in the file system.

Now consider the following workflow:

  1. User formats the flash drive from Windows 10. It has to be a low level format. Windows generates a folder named "System Volume Information."
  2. The device is unplugged.
  3. The device is plugged in.
  4. The firmware detects the absence of the files.
  5. Firmware generates the PDF file. Saves it using the file system. FAT and root directory are updated accordingly.
  6. Firmware generates the TTV file. Saves it using the file system. FAT and root directory are updated accordingly.
  7. Firmware exposes the flash drive to Windows.
  8. The PDF file is randomly found corrupted.

What happens when Windows 10 formats a FAT file system? It creates a FAT in one of the following 3 fashions:

Style 1

enter image description here

Style 2

enter image description here

Style 3

enter image description here

Consider Style 1. When the firmware generates the PDF file, it starts from cluster 5 (as FAT[0] to FAT[4] are occupied). All goes well. The PDF file can be opened from the flash drive from Windows.

enter image description here

Consider Style 2. When the firmware generates the PDF file, it starts from cluster 3. The firmware generates the PDF and TTV files, saves them in flash memory, and updates the FAT and root directory correctly (I'm certain as I've seen this from debug). When the device is plugged in, Windows writes 0x000 to FAT[3] and all other FAT entries which spanned the PDF file!

enter image description here

The entry in the root directory is still there for the PDF file.

enter image description here

This results in a corrupted PDF when the PDF file is opened from Windows 10 in any PDF reader. A similar thing appears in Style 3 too. It appears that Windows 10 doesn't like other devices writing in cluster 0 to cluster 4 (cluster 0 and 1 are already reserved).

This doesn't occur in any prior version of Windows (7 or 8.x).

So what happens to Windows 10? Why is Windows 10 corrupting the FAT?

Donotalo
  • Does tracing the mass storage I/O requests performed by the Windows system in conjunction with the trashing reveal anything interesting? In particular, is anything else written or read in conjunction with this request? – doynax Dec 20 '17 at 09:48
  • @doynax: Haven't tried. Any software available to trace mass storage IO? – Donotalo Dec 20 '17 at 11:54
  • I've mostly used hardware USB sniffers, though there are software-only solutions such as Wireshark. I was thinking more along the lines of placing hooks to trace the sector read/write request patterns on the device side and verify that the application-level interlocks are working properly. – doynax Dec 20 '17 at 12:59

0 Answers
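
An added example, not part of the original question or the firmware's code: a device-side consistency check for the symptom described in the question, where the root directory entry is still present but the file's FAT entries read 0x000. It assumes FAT12 (suggested by the three-digit 0x000, not stated in the post); the function names, the 16-entry table, the 512-byte cluster size and the 1300-byte file size are constructed for illustration and are not FatFs APIs.

```c
#include <stdint.h>
#include <stdio.h>
enum chain_status { CHAIN_OK, CHAIN_HITS_FREE, CHAIN_BAD_LINK, CHAIN_WRONG_LENGTH };

/* Read 12-bit FAT entry n (two entries are packed into three bytes). */
static unsigned fat12_get(const uint8_t *fat, unsigned n) {
    unsigned off = n + n / 2, v = fat[off] | ((unsigned)fat[off + 1] << 8);
    return (n & 1) ? v >> 4 : v & 0xFFF;
}

/* Write 12-bit FAT entry n; used here only to build the sample table. */
static void fat12_set(uint8_t *fat, unsigned n, unsigned val) {
    unsigned off = n + n / 2, v = fat[off] | ((unsigned)fat[off + 1] << 8);
    v = (n & 1) ? (v & 0x000F) | (val << 4) : (v & 0xF000) | (val & 0x0FFF);
    fat[off] = (uint8_t)v;
    fat[off + 1] = (uint8_t)(v >> 8);
}

/* Walk the chain a directory entry points at; n_entries = data clusters + 2. */
static enum chain_status check_chain(const uint8_t *fat, unsigned n_entries,
                                     unsigned start, uint32_t size, uint32_t clus_bytes) {
    uint32_t need = (size + clus_bytes - 1) / clus_bytes, seen = 0;
    unsigned c = start;
    if (size == 0) return start == 0 ? CHAIN_OK : CHAIN_WRONG_LENGTH;
    while (seen < n_entries) {
        if (c < 2 || c >= n_entries) return CHAIN_BAD_LINK;
        unsigned next = fat12_get(fat, c);
        if (next == 0x000) return CHAIN_HITS_FREE; /* entry exists, cluster is free */
        seen++;
        if (next >= 0xFF8) return seen == need ? CHAIN_OK : CHAIN_WRONG_LENGTH;
        c = next;
    }
    return CHAIN_BAD_LINK; /* more links than clusters: the chain loops */
}

/* Constructed sample: 16-entry FAT, 512-byte clusters, 1300-byte PDF at cluster 3. */
static enum chain_status sample_status(int host_zeroed_chain) {
    uint8_t fat[24] = {0};
    fat12_set(fat, 0, 0xFF8); fat12_set(fat, 1, 0xFFF); fat12_set(fat, 2, 0xFFF);
    fat12_set(fat, 3, 4); fat12_set(fat, 4, 5); fat12_set(fat, 5, 0xFFF);
    if (host_zeroed_chain)
        for (unsigned n = 3; n <= 5; n++) fat12_set(fat, n, 0x000);
    return check_chain(fat, 16, 3, 1300, 512);
}

int main(void) {
    printf("intact=%d zeroed=%d\n", sample_status(0), sample_status(1));
    return 0;
}
```

Running a check like this on the device after the host releases the volume separates "the firmware wrote a bad chain" from "the chain was valid when exposed and was cleared afterwards".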