Author Topic: What's been tried so far..  (Read 65150 times)

0 Members and 2 Guests are viewing this topic.

Offline doug

  • Newbie
  • Posts: 2
Re: What's been tried so far..
« Reply #20 on: April 06, 2005, 09:53:31 pm »
So we know that there is no boot loader code in the MBR of the DMS, correct? There is absolutely nothing there. Starting at offset 0x1be is the partition table. What I find interesting is the 4 bytes that can be found at offset 0x1b8. If more people can get their 4 bytes off of their DMS, please do and post your results. I'm not sure what other information would be relevant right now, I have no idea what those 4 bytes signify. And it might be nothing. But it's still odd. (If you need help extracting this information, let me know)

Code: [Select]

000001b0h: 00 00 00 00 00 00 00 00 ED 77 ED 70 00 00 00 00 ; ........íwíp....
000001c0h: 01 01 0B 3F 60 04 00 08 00 00 00 20 08 00 00 00 ; ...?`...... ....
000001d0h: 41 05 05 3F E0 FF 00 28 08 00 00 00 4C 02 00 00 ; A..?àÿ.(....L...
000001e0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000001f0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA ; ..............Uª

Offline sbingner

  • Administrator
  • Veteran.
  • *****
  • Posts: 1301
Re: What's been tried so far..
« Reply #21 on: April 07, 2005, 03:49:20 am »
Here's mine, doubt it's anything...

Code: [Select]
000001b0  00 00 00 00 00 00 00 00  0e 67 fe 3c 00 00 00 00  |.........g.<....|
000001c0  01 01 0b 3f 60 04 00 08  00 00 00 20 08 00 00 00  |...?`...... ....|
000001d0  41 05 05 3f e0 ff 00 28  08 00 00 88 23 01 00 00  |A..?...(....#...|
000001e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000001f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 55 aa  |..............U.|
00000200  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

Offline A543

  • Senior Member
  • Veteran.
  • *****
  • Posts: 214
Re: What's been tried so far..
« Reply #22 on: April 07, 2005, 03:06:20 pm »
Those 4 bytes are put there by Windows NT-XP as a disk signature.

Offline judb

  • Administrator
  • Veteran.
  • *****
  • Posts: 1329
  • ph4t l3wtz

Offline judb

  • Administrator
  • Veteran.
  • *****
  • Posts: 1329
  • ph4t l3wtz
Re: What's been tried so far..
« Reply #24 on: April 07, 2005, 08:32:44 pm »
http://www.codeproject.com/system/change_drive_sn.asp

code to change the disk sig serial number...  doubtful this is helpful in any way.

Offline doug

  • Newbie
  • Posts: 2
Re: What's been tried so far..
« Reply #25 on: April 07, 2005, 08:41:10 pm »
Quote
Those 4 bytes are put there by Windows NT-XP as a disk signature.


Absolutely right. Windows puts something there if it's zero. if it's nonzero, it just uses the data that's already there as a signature. That's what I get for posting before fully researching. There was data I could not explain, I got excited. It's still possible it could mean something else, i.e., maybe Windows didn't put it there, but I'll only bring it up again if I'm sure.

Offline judb

  • Administrator
  • Veteran.
  • *****
  • Posts: 1329
  • ph4t l3wtz
Re: What's been tried so far..
« Reply #26 on: April 07, 2005, 10:28:46 pm »
Quote
Happy to supply info of 10GB or 40GB drive if someone provides the step-by-step.

Also, you are all aware that TerryKennedy has already cracked this aren't you? It's just that he's not telling...
...but if you search his posts in the PN forums you'll see he has left a few clues lying around.

e.g.
http://www.phatnoise.com/forum/showthread.php?s=&threadid=1795

http://www.phatnoise.com/forum/showthread.php?s=&threadid=1375

I think there might be some PrivateKey/PublicKey signing that will ultimately get in the way of being able to pick up an OEM drive and drop it in. e.g. encrypted string in the hidden sector, decrypted with PN public key by the PB firmware. If so i'm not sure you can succeed without the PN signing utility/private key.

But at least if we understand how it all works we can decide if this is ultimately a dead end or not.




As for Terry, the guy is smart, no doubt, but I am uncertian about the validity of his claims to have made his own drive.  I mean saying that telling us would do no good but not telling us is somewhat duplicitous.  I think that if he did figure it out he would have said how to do it by now, or someone else would have figured it out by now.  

What chaps my ass is that I just dont quite know enough about how hard drives work to really solve this problem on my own  That with the fact we have people talking DES encryption and Terry saying he did it on his own seem to be rather conflicting ideas.

« Last Edit: April 07, 2005, 10:35:04 pm by judb »

Offline sbingner

  • Administrator
  • Veteran.
  • *****
  • Posts: 1301
Re: What's been tried so far..
« Reply #27 on: April 07, 2005, 10:57:56 pm »
Quote
http://www.codeproject.com/system/change_drive_sn.asp

code to change the disk sig serial number...  doubtful this is helpful in any way.



could just change that with dd, but what he had to change is the actual hardware serial number reported by the firmware... via proprietary software.  I haven't been able to find anything that can do that, but if we could it would stand to reason that we could make one drive completely identical to the signed drive then do a data dump to get a working drive.

Offline judb

  • Administrator
  • Veteran.
  • *****
  • Posts: 1329
  • ph4t l3wtz
Re: What's been tried so far..
« Reply #28 on: April 07, 2005, 11:41:11 pm »
We just need to know where on the drive it needs to be written.

I found a tool that allows me to write directly to the drives cache and read from it.. sending direct commands to the buffer etc.  

from what I have read the firmware of the drive largely resided on the platters just outside of the bios range reported for OS access.

Also, I have verified they are not using HPA (drive level hiding of sectors) with the DMS drives.

http://mhddsoftware.com/ is the software.

Offline judb

  • Administrator
  • Veteran.
  • *****
  • Posts: 1329
  • ph4t l3wtz
Re: What's been tried so far..
« Reply #29 on: April 07, 2005, 11:42:10 pm »
Quote


could just change that with dd, but what he had to change is the actual hardware serial number reported by the firmware... via proprietary software.  I haven't been able to find anything that can do that, but if we could it would stand to reason that we could make one drive completely identical to the signed drive then do a data dump to get a working drive.



How do you know that was what he did?  I looked around and didnt see him ever say thats specifically what it took to do it.

Offline judb

  • Administrator
  • Veteran.
  • *****
  • Posts: 1329
  • ph4t l3wtz
Re: What's been tried so far..
« Reply #30 on: April 07, 2005, 11:50:30 pm »
http://www.hdat2.com/files/hdat2en.pdf

Super informative PDF about hard drives... :)

Offline judb

  • Administrator
  • Veteran.
  • *****
  • Posts: 1329
  • ph4t l3wtz
Re: What's been tried so far..
« Reply #31 on: April 08, 2005, 12:06:31 am »
Using the software from that site... here is all the info you could want about the 10 gig toshiba drive...

*******************************************************************************
HDAT2 v4.01.11 PM (c) 2005 CBL
*******************************************************************************
Device Information's [PhatNoise DMS 10GB]
*******************************************************************************

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Translation    Cylinder     Head     Sector         Total sectors       Size
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
ATA 28-bits       16383       16         63              19640880   10.06 GB
CHS/Current       16383       16         63              16514064    8.46 GB
BIOS               1022      239         10               2455200    1.26 GB
CMOS [XX]         19485       16         63              19640880   10.06 GB
    LBA           8183      240         10              19639200   10.06 GB
    Normal       19485       16         63              19640880   10.06 GB
    Large         2435      128         63              19635840   10.05 GB
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
DPT                   ?        ?          ?              19640880   10.06 GB
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Device model [HDD]                                 PhatNoise DMS 10GB
Orphan (not useable) sectors                       0 = 0.00 KB
Translation/Addressing mode                        LBA/28-bits

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Hard disk drive parameter table INT41/46h at F000:94D0h
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
  -> hex dump [ 13 05 F0 A0 3F 00 00 00 08 FF 3F 10 1C 4C 4A 11 ]
  -> Phoenix EDD Translated Table
Number of cylinders                                1299
Number of heads                                    240
Number of physical sectors per track               63
Write-precompensation cylinder number              0
Control byte                                       0008h = 0000000000001000b
  -> more than 8 heads
  -> ECC retries enable
  -> Access retries enable
DPT Number of cylinders                            16383
DPT Number of heads                                16
Number of sectors per track (AT and later)         74
Cylinder number of landing zone (AT and later)     19484
Reserved/Checksum                                  11h
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
BIOS Data Area for Hard Disk Drive
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Hard disk drive (controller) status                0000h = 0000000000000000b
  -> Controller not busy
  -> Selected drive not ready
  -> no error
Hard disk drive error                              0000h = 0000000000000000b
Hard disk drive task complete flag                 00C0h = 0000000011000000b
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
ATA/ATAPI Identify Device
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
ATA version                                        0005h/FFFFh
ATA supported                                      UDMA4/ATA66
ATA active                                         UDMA4/ATA66
Serial number                                      X1E70304T
Firmware                                           A4.01 E
Cache                                              0 KB
General Configuration                              0040h
Specific Configuration                             C837h
  -> Device does not require SET FEATURES subcommand to spin-up after power-up and IDENTIFY DEVICE response is complete
Integrity Word                                     58A5h
  -> Signature = OK [reported=A5h, should be=A5h]
  -> Checksum  = OK [reported=58h, should be=58h]
Queue depth                                        1
Hardware Reset result                              604Bh = 0110000001001011b
  -> Device detected CBLID- above V[iH]
-> Device 0 Hardware Reset result                  01001011b
  -> device determined by : jumper was used
  -> diagnostics passed
  -> did not detect the assertion of PDIAG-
  -> did not detect the assertion of DASP-
  -> responds when Device 1 is selected
Detected an 80-conductor cable                     YES
Removable Media Status Notification                not supported
Master Password Revision Code                      FFFEh
Security Status                                    0001h = 0000000000000001b
  -> Security disabled
  -> Security supported
  -> Enhanced Security Erase: not supported
Time for Security erase unit                       16 minutes
Time for Enhanced security erase unit              not specified
Capabilities [49]                                  0F00h = 0000111100000000b
  -> DMA supported
  -> LBA supported
  -> IORDY may be disabled
  -> IORDY supported
Capabilities [50]                                  4000h = 0100000000000000b
Read/Write LONG: vendor specific bytes             46
Read/Write MULTIPLE: sectors per interrupt        
  -> Maximum                                      16
  -> Current                                      16

Offline judb

  • Administrator
  • Veteran.
  • *****
  • Posts: 1329
  • ph4t l3wtz
Re: What's been tried so far..
« Reply #32 on: April 08, 2005, 12:06:41 am »
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Command Set 1 supported                            7C6Bh = 0111110001101011b
  -> SMART feature set
  -> Security Mode feature set
  -> Power Management feature set
  -> Write Cache
  -> Look Ahead
  -> Host Protected Area feature set
  -> WRITE VERIFY command (obsolete)
  -> WRITE BUFFER command
  -> READ BUFFER command
  -> NOP command
Command Set 2 supported                            4108h = 0100000100001000b
  -> Advanced Power Management (APM) feature set
  -> SET MAX security extension enabled by SET MAX SET PASSWORD
Command Set 3 supported                            4000h = 0100000000000000b
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Command Set 1 enabled                              7C49h = 0111110001001001b
  -> SMART feature set
  -> Power Management feature set
  -> Look Ahead
  -> Host Protected Area feature set
  -> WRITE VERIFY command (obsolete)
  -> WRITE BUFFER command
  -> READ BUFFER command
  -> NOP command
Command Set 2 enabled                              0008h = 0000000000001000b
  -> Advanced Power Management (APM) feature set
Command Set 3 enabled                              4000h = 0100000000000000b
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Advanced Power Management level value              80h
Acoustic management: recommended value             00h
Acoustic management: current value                 00h
Stream Minimum Request Size [sectors]              0
Streaming Transfer Time for DMA                    0
Streaming Access Latency for DMA and PIO           0
Streaming Performance Granularity [microsec]       0
Streaming Transfer Time for PIO                    0
Physical/Logical sector size                       0000000000000000b
Inter-seek delay for acoustic testing [microsec]   0
World Wide Name                                    0000000000000000h
Reserved for technical report                      0000h
Logical sector size in words                       0
Current set features option [vendor]               0000h = 0000000000000000b
Initial Power Mode Selection [vendor]              0000h = 0000000000000000b
Current media serial number                        not supported
Multiple LUN Support                               not supported
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Extended INT13h
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Extended INT13h support                            YES
Major/Internal/Extension Version                   30h/00h/00h
  -> EDD v2.0
Subset                                             0005h = 0000000000000101b
  -> Fixed disk access subset: YES
  -> Device locking and ejecting subset: NO
  -> Enhanced Disk Drive (EDD) support subset: YES
  -> 64-bit extension: NO
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Device Parameter Table (DPT)
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
DPT buffer size                                65
Information flags                                  0000h = 0000000000000000b
  -> (bits 4-6 are not valid)
Sector size                                    512
DPT Extension (DPTE) pointer                       F000:9470h
Key to presence of Device Path [BEDDh]             BEDDh
Length of Device Path                              36
Host bus type                                      PCI
Interface type                                     ATA
Interface Path for bus type PCI                    
  -> hex dump = [ 00 1F 01 00 00 00 00 00 ]
  -> Bus      = 0
  -> Slot     = 31
  -> Function = 1
  -> Channel  = 0
Device Path for interface type ATA                
  -> hex dump = [ 00 00 00 00 00 00 00 00 ]
  -> ATA device = 0
Checksum for Device Path Information               AFh
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Device Parameter Table Extension (DPTE)
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
I/O Port base address                              0170h
Control Port address                               0376h
IRQ                                                15 (0Fh)
Head register upper nibble                         00E0h = 0000000011100000b
  -> bit 4: ATA DEV bit = Master
  -> bit 6: LBA enable = YES
BIOS Vendor specific                               00h
Block Count for ATA READ/WRITE MULTIPLE cmds       16
DMA information                                    02h
  -> DMA channel = 02h
  -> DMA type = 00h
PIO information                                    04h
  -> PIO type = 04h
BIOS selected HW specific option flags             0897h = 0000100010010111b
  -> Fast PIO access
  -> Fast DMA access
  -> READ/WRITE MULTIPLE access
  -> LBA translation
  -> 32-bit transfer mode
  -> Bit-shift translation
  -> Ultra DMA access
Version                                            1.1 [11h]
Checksum                                          
  -> OK [reported=5Dh, should be=5Dh]
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Offline sbingner

  • Administrator
  • Veteran.
  • *****
  • Posts: 1301
Re: What's been tried so far..
« Reply #33 on: April 08, 2005, 03:41:49 am »
Quote


How do you know that was what he did?  I looked around and didnt see him ever say thats specifically what it took to do it.


I found something on another forum somewhere that he posted, but havent been able to find it since then... HE changed the serial in firmware, not the volume ID number.

If you can read everything, why not try searching through the drive for the serial number, then changing it and seeing if it changes the sn of the drive?   May fry a drive or two but hey heh :)

If you dont want to try, give me the info and I will...

Offline judb

  • Administrator
  • Veteran.
  • *****
  • Posts: 1329
  • ph4t l3wtz
Re: What's been tried so far..
« Reply #34 on: April 08, 2005, 03:55:05 am »
I need to know what reserved area of the drive to try and access to read the serial number.  I have two 10 gig DMS drives here so I'd be happy to nuke one of them trying to make it work. hehe.

So if we can find out what the protected region is addressed as in hex I can try and retreive data from the drive that way.

Perhaps if someone could debug a drive flash utility to see what commands it issues to the drive for reads or writes that would be a good place to start.


Code: [Select]

; Commands are:
; Rx = yy    // put yy into register x
; REGS = yy1 yy2 yy3 yy4 yy5 yy6 yy7     // put everything to registers
;                                        // hex values format: $xx, i.e. $FF
; WAITNBSY   // wait-for-not-busy, i.e., wait for drive ready
; CHECKDRQ   // check for DRQ, exit if no DRQ
; CHECKERR   // check ERROR, exit if ERROR
; RESET   // reset the drive (need WAITNBSY after)
; SECTORSTO = xx    // Read sectors from drive's data register
;                   // to file xx (xx - filename)
; SECTORSFROM = xx    // Write sectors to drive's data register
;                     // from file xx (xx - filename)

Offline judb

  • Administrator
  • Veteran.
  • *****
  • Posts: 1329
  • ph4t l3wtz
Re: What's been tried so far..
« Reply #35 on: April 08, 2005, 04:18:30 am »
http://www.t13.org/project/d1321r3-ATA-ATAPI-5.pdf
might be useful in fingering out what we need to do..


This is pretty cool to...
http://www.t13.org/project/d1407r5-Address-Offset.pdf  Dont think they are using this, but I dont know if this is the same thing as HPA or not.  HPA is not in use.
« Last Edit: April 08, 2005, 04:23:42 am by judb »

Offline sbingner

  • Administrator
  • Veteran.
  • *****
  • Posts: 1301
Re: What's been tried so far..
« Reply #36 on: April 08, 2005, 04:30:15 am »
Quote
I need to know what reserved area of the drive to try and access to read the serial number.  I have two 10 gig DMS drives here so I'd be happy to nuke one of them trying to make it work. hehe.

So if we can find out what the protected region is addressed as in hex I can try and retreive data from the drive that way.

Perhaps if someone could debug a drive flash utility to see what commands it issues to the drive for reads or writes that would be a good place to start.


can't you try brute force searching? heh...  how are you querying the reserved area?  Just from that text-gui?

If we could get say a linux program to query a single byte, could easily make a routine to search every possible address

Offline judb

  • Administrator
  • Veteran.
  • *****
  • Posts: 1329
  • ph4t l3wtz
Re: What's been tried so far..
« Reply #37 on: April 08, 2005, 04:36:16 am »
You need to know what to tell the drive to read and then retrieve the data from the buffer.

The app that I mentioned before MHDD has a scripting interface (thats a sample script I posted) ... to use Linux you'd need to code something that used the Int13 interface to call those registers.  It could be done but I ain't no programmer like that my friend.


I'm meeting a buddy this weekend to try and debug a fujitsu HDD flash util to see what its putting in the command registers.

#$(*&@#$ I hope this isnt another waste of time.
« Last Edit: April 08, 2005, 04:37:11 am by judb »

Offline sbingner

  • Administrator
  • Veteran.
  • *****
  • Posts: 1301
Re: What's been tried so far..
« Reply #38 on: April 08, 2005, 04:42:32 am »
Doubt that the flash util will be writing the area that contains the serial number.  I spoke to a friend who works for WD a while back, and he said that it's all proprietary and since WD dosn't make laptop drives there wasnt really anything he could do to help me.   Of course that dosn't meant we can't figure it out ;)

I could ask him if WD stores it on protected area of the hdd itself or on flash...

Offline judb

  • Administrator
  • Veteran.
  • *****
  • Posts: 1329
  • ph4t l3wtz
Re: What's been tried so far..
« Reply #39 on: April 08, 2005, 02:31:33 pm »
Quote
Doubt that the flash util will be writing the area that contains the serial number.  I spoke to a friend who works for WD a while back, and he said that it's all proprietary and since WD dosn't make laptop drives there wasnt really anything he could do to help me.   Of course that dosn't meant we can't figure it out ;)

I could ask him if WD stores it on protected area of the hdd itself or on flash...



Yeah, that would be helpful.

the command set is standard, the location isnt, the memory registers seem to varry from company to company.  hmmm...

Any little bit helps though.