Author Topic: What's been tried so far.. (Read 48153 times)

doug · « **Reply #20 on:** April 06, 2005, 09:53:31 pm »

So we know that there is no boot loader code in the MBR of the DMS, correct? There is absolutely nothing there. Starting at offset 0x1be is the partition table. What I find interesting is the 4 bytes that can be found at offset 0x1b8. If more people can get their 4 bytes off of their DMS, please do and post your results. I'm not sure what other information would be relevant right now, I have no idea what those 4 bytes signify. And it might be nothing. But it's still odd. (If you need help extracting this information, let me know)

Code: [Select]


000001b0h: 00 00 00 00 00 00 00 00 ED 77 ED 70 00 00 00 00 ; ........íwíp....
000001c0h: 01 01 0B 3F 60 04 00 08 00 00 00 20 08 00 00 00 ; ...?`...... ....
000001d0h: 41 05 05 3F E0 FF 00 28 08 00 00 00 4C 02 00 00 ; A..?àÿ.(....L...
000001e0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000001f0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA ; ..............Uª

sbingner · « **Reply #21 on:** April 07, 2005, 03:49:20 am »

Here's mine, doubt it's anything...

Code: [Select]

000001b0  00 00 00 00 00 00 00 00  0e 67 fe 3c 00 00 00 00  |.........g.<....|
000001c0  01 01 0b 3f 60 04 00 08  00 00 00 20 08 00 00 00  |...?`...... ....|
000001d0  41 05 05 3f e0 ff 00 28  08 00 00 88 23 01 00 00  |A..?...(....#...|
000001e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000001f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 55 aa  |..............U.|
00000200  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

A543 · « **Reply #22 on:** April 07, 2005, 03:06:20 pm »

Those 4 bytes are put there by Windows NT-XP as a disk signature.

judb · « **Reply #23 on:** April 07, 2005, 08:30:45 pm »

http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prkd_tro_kyrr.asp

How to read that disk signature and decode it...

judb · « **Reply #24 on:** April 07, 2005, 08:32:44 pm »

http://www.codeproject.com/system/change_drive_sn.asp

code to change the disk sig serial number... doubtful this is helpful in any way.

doug · « **Reply #25 on:** April 07, 2005, 08:41:10 pm »

Quote

Those 4 bytes are put there by Windows NT-XP as a disk signature.

Absolutely right. Windows puts something there if it's zero. if it's nonzero, it just uses the data that's already there as a signature. That's what I get for posting before fully researching. There was data I could not explain, I got excited. It's still possible it could mean something else, i.e., maybe Windows didn't put it there, but I'll only bring it up again if I'm sure.

judb · « **Reply #26 on:** April 07, 2005, 10:28:46 pm »

Quote

Happy to supply info of 10GB or 40GB drive if someone provides the step-by-step.

Also, you are all aware that TerryKennedy has already cracked this aren't you? It's just that he's not telling...
...but if you search his posts in the PN forums you'll see he has left a few clues lying around.

e.g.
http://www.phatnoise.com/forum/showthread.php?s=&threadid=1795

http://www.phatnoise.com/forum/showthread.php?s=&threadid=1375

I think there might be some PrivateKey/PublicKey signing that will ultimately get in the way of being able to pick up an OEM drive and drop it in. e.g. encrypted string in the hidden sector, decrypted with PN public key by the PB firmware. If so i'm not sure you can succeed without the PN signing utility/private key.

But at least if we understand how it all works we can decide if this is ultimately a dead end or not.

As for Terry, the guy is smart, no doubt, but I am uncertian about the validity of his claims to have made his own drive. I mean saying that telling us would do no good but not telling us is somewhat duplicitous. I think that if he did figure it out he would have said how to do it by now, or someone else would have figured it out by now.

What chaps my ass is that I just dont quite know enough about how hard drives work to really solve this problem on my own That with the fact we have people talking DES encryption and Terry saying he did it on his own seem to be rather conflicting ideas.

sbingner · « **Reply #27 on:** April 07, 2005, 10:57:56 pm »

Quote

http://www.codeproject.com/system/change_drive_sn.asp

code to change the disk sig serial number... doubtful this is helpful in any way.

could just change that with dd, but what he had to change is the actual hardware serial number reported by the firmware... via proprietary software. I haven't been able to find anything that can do that, but if we could it would stand to reason that we could make one drive completely identical to the signed drive then do a data dump to get a working drive.

judb · « **Reply #28 on:** April 07, 2005, 11:41:11 pm »

We just need to know where on the drive it needs to be written.

I found a tool that allows me to write directly to the drives cache and read from it.. sending direct commands to the buffer etc.

from what I have read the firmware of the drive largely resided on the platters just outside of the bios range reported for OS access.

Also, I have verified they are not using HPA (drive level hiding of sectors) with the DMS drives.

http://mhddsoftware.com/ is the software.

judb · « **Reply #29 on:** April 07, 2005, 11:42:10 pm »

Quote

could just change that with dd, but what he had to change is the actual hardware serial number reported by the firmware... via proprietary software. I haven't been able to find anything that can do that, but if we could it would stand to reason that we could make one drive completely identical to the signed drive then do a data dump to get a working drive.

How do you know that was what he did? I looked around and didnt see him ever say thats specifically what it took to do it.

judb · « **Reply #30 on:** April 07, 2005, 11:50:30 pm »

http://www.hdat2.com/files/hdat2en.pdf

Super informative PDF about hard drives...

judb · « **Reply #31 on:** April 08, 2005, 12:06:31 am »

Using the software from that site... here is all the info you could want about the 10 gig toshiba drive...

*******************************************************************************
HDAT2 v4.01.11 PM (c) 2005 CBL
*******************************************************************************
Device Information's [PhatNoise DMS 10GB]
*******************************************************************************

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Translation Cylinder Head Sector Total sectors Size
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
ATA 28-bits 16383 16 63 19640880 10.06 GB
CHS/Current 16383 16 63 16514064 8.46 GB
BIOS 1022 239 10 2455200 1.26 GB
CMOS [XX] 19485 16 63 19640880 10.06 GB
LBA 8183 240 10 19639200 10.06 GB
Normal 19485 16 63 19640880 10.06 GB
Large 2435 128 63 19635840 10.05 GB
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
DPT ? ? ? 19640880 10.06 GB
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Device model [HDD] PhatNoise DMS 10GB
Orphan (not useable) sectors 0 = 0.00 KB
Translation/Addressing mode LBA/28-bits

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Hard disk drive parameter table INT41/46h at F000:94D0h
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
-> hex dump [ 13 05 F0 A0 3F 00 00 00 08 FF 3F 10 1C 4C 4A 11 ]
-> Phoenix EDD Translated Table
Number of cylinders 1299
Number of heads 240
Number of physical sectors per track 63
Write-precompensation cylinder number 0
Control byte 0008h = 0000000000001000b
-> more than 8 heads
-> ECC retries enable
-> Access retries enable
DPT Number of cylinders 16383
DPT Number of heads 16
Number of sectors per track (AT and later) 74
Cylinder number of landing zone (AT and later) 19484
Reserved/Checksum 11h
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
BIOS Data Area for Hard Disk Drive
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Hard disk drive (controller) status 0000h = 0000000000000000b
-> Controller not busy
-> Selected drive not ready
-> no error
Hard disk drive error 0000h = 0000000000000000b
Hard disk drive task complete flag 00C0h = 0000000011000000b
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
ATA/ATAPI Identify Device
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
ATA version 0005h/FFFFh
ATA supported UDMA4/ATA66
ATA active UDMA4/ATA66
Serial number X1E70304T
Firmware A4.01 E
Cache 0 KB
General Configuration 0040h
Specific Configuration C837h
-> Device does not require SET FEATURES subcommand to spin-up after power-up and IDENTIFY DEVICE response is complete
Integrity Word 58A5h
-> Signature = OK [reported=A5h, should be=A5h]
-> Checksum = OK [reported=58h, should be=58h]
Queue depth 1
Hardware Reset result 604Bh = 0110000001001011b
-> Device detected CBLID- above V[iH]
-> Device 0 Hardware Reset result 01001011b
-> device determined by : jumper was used
-> diagnostics passed
-> did not detect the assertion of PDIAG-
-> did not detect the assertion of DASP-
-> responds when Device 1 is selected
Detected an 80-conductor cable YES
Removable Media Status Notification not supported
Master Password Revision Code FFFEh
Security Status 0001h = 0000000000000001b
-> Security disabled
-> Security supported
-> Enhanced Security Erase: not supported
Time for Security erase unit 16 minutes
Time for Enhanced security erase unit not specified
Capabilities [49] 0F00h = 0000111100000000b
-> DMA supported
-> LBA supported
-> IORDY may be disabled
-> IORDY supported
Capabilities [50] 4000h = 0100000000000000b
Read/Write LONG: vendor specific bytes 46
Read/Write MULTIPLE: sectors per interrupt
-> Maximum 16
-> Current 16

judb · « **Reply #32 on:** April 08, 2005, 12:06:41 am »

ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Command Set 1 supported 7C6Bh = 0111110001101011b
-> SMART feature set
-> Security Mode feature set
-> Power Management feature set
-> Write Cache
-> Look Ahead
-> Host Protected Area feature set
-> WRITE VERIFY command (obsolete)
-> WRITE BUFFER command
-> READ BUFFER command
-> NOP command
Command Set 2 supported 4108h = 0100000100001000b
-> Advanced Power Management (APM) feature set
-> SET MAX security extension enabled by SET MAX SET PASSWORD
Command Set 3 supported 4000h = 0100000000000000b
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Command Set 1 enabled 7C49h = 0111110001001001b
-> SMART feature set
-> Power Management feature set
-> Look Ahead
-> Host Protected Area feature set
-> WRITE VERIFY command (obsolete)
-> WRITE BUFFER command
-> READ BUFFER command
-> NOP command
Command Set 2 enabled 0008h = 0000000000001000b
-> Advanced Power Management (APM) feature set
Command Set 3 enabled 4000h = 0100000000000000b
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Advanced Power Management level value 80h
Acoustic management: recommended value 00h
Acoustic management: current value 00h
Stream Minimum Request Size [sectors] 0
Streaming Transfer Time for DMA 0
Streaming Access Latency for DMA and PIO 0
Streaming Performance Granularity [microsec] 0
Streaming Transfer Time for PIO 0
Physical/Logical sector size 0000000000000000b
Inter-seek delay for acoustic testing [microsec] 0
World Wide Name 0000000000000000h
Reserved for technical report 0000h
Logical sector size in words 0
Current set features option [vendor] 0000h = 0000000000000000b
Initial Power Mode Selection [vendor] 0000h = 0000000000000000b
Current media serial number not supported
Multiple LUN Support not supported
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Extended INT13h
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Extended INT13h support YES
Major/Internal/Extension Version 30h/00h/00h
-> EDD v2.0
Subset 0005h = 0000000000000101b
-> Fixed disk access subset: YES
-> Device locking and ejecting subset: NO
-> Enhanced Disk Drive (EDD) support subset: YES
-> 64-bit extension: NO
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Device Parameter Table (DPT)
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
DPT buffer size 65
Information flags 0000h = 0000000000000000b
-> (bits 4-6 are not valid)
Sector size 512
DPT Extension (DPTE) pointer F000:9470h
Key to presence of Device Path [BEDDh] BEDDh
Length of Device Path 36
Host bus type PCI
Interface type ATA
Interface Path for bus type PCI
-> hex dump = [ 00 1F 01 00 00 00 00 00 ]
-> Bus = 0
-> Slot = 31
-> Function = 1
-> Channel = 0
Device Path for interface type ATA
-> hex dump = [ 00 00 00 00 00 00 00 00 ]
-> ATA device = 0
Checksum for Device Path Information AFh
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Device Parameter Table Extension (DPTE)
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
I/O Port base address 0170h
Control Port address 0376h
IRQ 15 (0Fh)
Head register upper nibble 00E0h = 0000000011100000b
-> bit 4: ATA DEV bit = Master
-> bit 6: LBA enable = YES
BIOS Vendor specific 00h
Block Count for ATA READ/WRITE MULTIPLE cmds 16
DMA information 02h
-> DMA channel = 02h
-> DMA type = 00h
PIO information 04h
-> PIO type = 04h
BIOS selected HW specific option flags 0897h = 0000100010010111b
-> Fast PIO access
-> Fast DMA access
-> READ/WRITE MULTIPLE access
-> LBA translation
-> 32-bit transfer mode
-> Bit-shift translation
-> Ultra DMA access
Version 1.1 [11h]
Checksum
-> OK [reported=5Dh, should be=5Dh]
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

sbingner · « **Reply #33 on:** April 08, 2005, 03:41:49 am »

Quote

How do you know that was what he did? I looked around and didnt see him ever say thats specifically what it took to do it.

I found something on another forum somewhere that he posted, but havent been able to find it since then... HE changed the serial in firmware, not the volume ID number.

If you can read everything, why not try searching through the drive for the serial number, then changing it and seeing if it changes the sn of the drive? May fry a drive or two but hey heh

If you dont want to try, give me the info and I will...

judb · « **Reply #34 on:** April 08, 2005, 03:55:05 am »

I need to know what reserved area of the drive to try and access to read the serial number. I have two 10 gig DMS drives here so I'd be happy to nuke one of them trying to make it work. hehe.

So if we can find out what the protected region is addressed as in hex I can try and retreive data from the drive that way.

Perhaps if someone could debug a drive flash utility to see what commands it issues to the drive for reads or writes that would be a good place to start.

Code: [Select]


; Commands are:
; Rx = yy    // put yy into register x
; REGS = yy1 yy2 yy3 yy4 yy5 yy6 yy7     // put everything to registers
;                                        // hex values format: $xx, i.e. $FF
; WAITNBSY   // wait-for-not-busy, i.e., wait for drive ready
; CHECKDRQ   // check for DRQ, exit if no DRQ
; CHECKERR   // check ERROR, exit if ERROR
; RESET   // reset the drive (need WAITNBSY after)
; SECTORSTO = xx    // Read sectors from drive's data register
;                   // to file xx (xx - filename)
; SECTORSFROM = xx    // Write sectors to drive's data register
;                     // from file xx (xx - filename)

judb · « **Reply #35 on:** April 08, 2005, 04:18:30 am »

http://www.t13.org/project/d1321r3-ATA-ATAPI-5.pdf
might be useful in fingering out what we need to do..

This is pretty cool to...
http://www.t13.org/project/d1407r5-Address-Offset.pdf Dont think they are using this, but I dont know if this is the same thing as HPA or not. HPA is not in use.

sbingner · « **Reply #36 on:** April 08, 2005, 04:30:15 am »

Quote

I need to know what reserved area of the drive to try and access to read the serial number. I have two 10 gig DMS drives here so I'd be happy to nuke one of them trying to make it work. hehe.

So if we can find out what the protected region is addressed as in hex I can try and retreive data from the drive that way.

Perhaps if someone could debug a drive flash utility to see what commands it issues to the drive for reads or writes that would be a good place to start.

can't you try brute force searching? heh... how are you querying the reserved area? Just from that text-gui?

If we could get say a linux program to query a single byte, could easily make a routine to search every possible address

judb · « **Reply #37 on:** April 08, 2005, 04:36:16 am »

You need to know what to tell the drive to read and then retrieve the data from the buffer.

The app that I mentioned before MHDD has a scripting interface (thats a sample script I posted) ... to use Linux you'd need to code something that used the Int13 interface to call those registers. It could be done but I ain't no programmer like that my friend.

I'm meeting a buddy this weekend to try and debug a fujitsu HDD flash util to see what its putting in the command registers.

#$(*&@#$ I hope this isnt another waste of time.

sbingner · « **Reply #38 on:** April 08, 2005, 04:42:32 am »

Doubt that the flash util will be writing the area that contains the serial number. I spoke to a friend who works for WD a while back, and he said that it's all proprietary and since WD dosn't make laptop drives there wasnt really anything he could do to help me. Of course that dosn't meant we can't figure it out

I could ask him if WD stores it on protected area of the hdd itself or on flash...

judb · « **Reply #39 on:** April 08, 2005, 02:31:33 pm »

Quote

Doubt that the flash util will be writing the area that contains the serial number. I spoke to a friend who works for WD a while back, and he said that it's all proprietary and since WD dosn't make laptop drives there wasnt really anything he could do to help me. Of course that dosn't meant we can't figure it out

I could ask him if WD stores it on protected area of the hdd itself or on flash...

Yeah, that would be helpful.

the command set is standard, the location isnt, the memory registers seem to varry from company to company. hmmm...

Any little bit helps though.

News:

Author Topic: What's been tried so far.. (Read 48153 times)