Data recovery and disk repair questions and discussions related to old-fashioned SATA, SAS, SCSI, IDE, MFM hard drives - any type of storage device that has moving parts

ATA password bypassing

May 16th, 2009, 9:43

Hello everyone

What is the latest status with 'bypassing' ATA passwords ?

I was following progress in this area approx 3 years ago
especially as XBOX(v1) 5GB harddrives were locked via the ATA password
and there were many debates about any way to unlock if you didn't have the xbox main board eeprom with the password etc

At the time no one had found a way to bypass it, even trying live swapping of hdd electronic boards

The ATA password is probably on the reserved (manufacturer system) area of the disk
rather than on eeprom on the electronics
so if you could fool the electronics into thinking it had unlocked it (from a known platter) might be able to switch to a target (locked) platter and read off the user sectors
etc

Or some way to zap or short-circuit the logic on the controller board to force unlocking

So, any developments in this area

Thanks

Re: ATA password bypassing

May 16th, 2009, 9:54

So, you came into the HDDGURU forum for what reason ? :mrgreen:

Re: ATA password bypassing

May 16th, 2009, 10:11

It is completely doable and no, it doesn't involve the PCB in any way.

Re: ATA password bypassing

May 16th, 2009, 10:32

It's like HEART bypass... some people are good at doing it, some others not :mrgreen:

Re: ATA password bypassing

May 16th, 2009, 11:27

Me too. And on Fujitsu, Samsung, Excelstor, Hitachi and so on... :mrgreen:

Re: ATA password bypassing

May 16th, 2009, 11:54

Getting back to the topic, there have been multiple posts about it here. I'm sure if OP was really interested he could turn something up.

Re: ATA password bypassing

May 16th, 2009, 13:48

Thanks for the tips

No particular reason, other than I've been watching some of the myharddrivedied videos on youtube
(and I used to do that sort of thing a few years back)
and he mentioned the mhdd program
and it reminded me of this topic
and I wondered if there had been any progress on it.
Sounds like there has, but you're all being a bit secretive about it :-)
although of course the techniques must be very specific to specific drives and firmware revisions

Re: ATA password bypassing

May 16th, 2009, 14:01

The PC3000 software (and interface card) looks very interesting...
Does it need the dedicated IF board or will it run or partially run with a standard ide/ata controller ?

Re: ATA password bypassing

May 16th, 2009, 14:27

@Spildit,

I need to ask your opinion about something that bothers me.
At the company I am working, we have a lot of mini drives (My Passport Essential).

When our people securely disconnect the drive, the LED remains on and we cannot figure out if the drive still works or not, because by its nature it does not make any noise.
How can I confirm that the heads are parked securely?
Are there any windows utilities (hdparm -Y) that can help?

Any comments, propositions?
Eleana

Re: ATA password bypassing

May 16th, 2009, 14:47

No, pc3000 is card +sw.

Re: ATA password bypassing

May 18th, 2009, 7:32

Hello, me again

Will these techniques also work in the Maximum security mode where it needs the User password and ignores the Master password.
Or in the lower 'high security' mode if the Master password had been changed

Or can we do a SECURITY ERASE PREPARE immediately followed by SECURITY ERASE UNIT but physically cut the write signal to the heads
-- but then it can't update the SA, but might leave the firmware thinking it's unlocked ?

Supplemental Q
Will mhdd or something similar let me see the raw hex of the IDENTIFY response
or fully decode the words and bits
(else I'll have to break in and see the raw data)

Thanks again
PS Of course I mean getting to the data rather than just reusing the drive

Re: ATA password bypassing

May 19th, 2009, 14:54

Well I finally dug out my old, locked, xbox WD 8GB drive (WD80EB)
and fired it up with MHDD
MHDD says PWD (ie locked)
Security: MAX, ON
Max = need unique and currently unknown user password only
as opposed to the other possibility of HIGH where either the Master or User password can be used, and the Master may or may not be the factory default

So I guess there is no way to unlock it, to get to any data
(I don't have the user password)
without something like a PC3000

Note - I don't need the data or the drive really, this is just for testing of if it was possible

I'll probably force erase the drive (which should be possible)
so that I can use it to play with setting Master and User passwords

And maybe some kind person will give any tip of any other possible method
(shorting of other jumper pins etc)
although that will be specific to this drive
and won't help me in the future if I ever get a real, important, locked drive to look at
(my friends are always asking me to recover corrupt partition tables etc)
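
An added example, not part of any post in this thread and not MHDD's own code: decoding the IDENTIFY DEVICE words behind a readout such as "Security: MAX, ON" and the PWD (locked) flag. The 512-byte block is constructed rather than captured from a drive, the function names are chosen here, and the word and bit positions are those of the ATA specification (word 128 security status, word 92 master password revision code, words 27-46 model string).

```python
import struct

# Bit positions in IDENTIFY DEVICE word 128 (security status).
SECURITY_BITS = {
    "supported": 0,
    "enabled": 1,
    "locked": 2,
    "frozen": 3,
    "count_expired": 4,
    "enhanced_erase": 5,
}
LEVEL_BIT = 8  # 0 = High, 1 = Maximum


def ata_string(words, first, last):
    """ATA strings hold two ASCII characters per word, high byte first."""
    raw = b"".join(struct.pack(">H", w) for w in words[first:last + 1])
    return raw.decode("ascii", errors="replace").strip()


def decode_identify(block):
    """Return the security-related fields of a 512-byte IDENTIFY block."""
    if len(block) != 512:
        raise ValueError("IDENTIFY DEVICE data is exactly 512 bytes")
    words = struct.unpack("<256H", block)  # 256 little-endian 16-bit words
    status = words[128]
    info = {name: bool(status >> bit & 1) for name, bit in SECURITY_BITS.items()}
    info["level"] = "MAX" if status >> LEVEL_BIT & 1 else "HIGH"
    info["model"] = ata_string(words, 27, 46)
    # Word 92: 0xFFFE is the as-shipped revision code; 0x0000 and 0xFFFF mean
    # the field is unsupported. The host picks the value when it sets a master
    # password, so 0xFFFE is only a hint that the master was never changed.
    info["master_rev"] = words[92]
    info["master_rev_factory"] = words[92] == 0xFFFE
    return info


def sample_identify():
    """Constructed sample (not a real capture): locked drive at MAX level."""
    words = [0] * 256
    model = "WDC WD80EB-28CGH1".ljust(40).encode("ascii")
    words[27:47] = struct.unpack(">20H", model)
    words[92] = 0xFFFE
    words[128] = 0b1_0000_0111  # supported, enabled, locked, level = MAX
    return struct.pack("<256H", *words)


if __name__ == "__main__":
    for key, value in decode_identify(sample_identify()).items():
        print(f"{key:20} {value}")
```

Viewed as raw hex, the model string appears with each pair of characters swapped ("DW C..."), which is why `ata_string` repacks every word high byte first.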

Re: ATA password bypassing

May 19th, 2009, 15:04

And looks like I can't do an erase in MAX security mode (from MHDD)

ie can't send a SECURITY ERASE PREPARE command, immediately followed by SECURITY ERASE UNIT

or maybe I've overlooked how to do it from MHDD

Re: ATA password bypassing

May 19th, 2009, 15:27

Wow, thanks
I'll give that a try

Now that is the sort of friendly interaction and helpful advice I was expecting on here


I've also dug out another old drive
Maxtor 6L040L2
that supports ATA passwords

Shows Security: high, Off

I am able to set and remove user passwords
Can't seem to unlock with a Master password, but then I don't have the Master password (and can't seem to find it on the web etc)

And looks like I was wrong in that it is not possible (or not easily possible) to change the default Master password

Not that the Master password helps you when in Max mode

Re: ATA password bypassing

May 19th, 2009, 15:39

Sorry one more question
(I want this thread to be the definitive ATA Password thread)

In MHDD with my Maxtor drive Security: high, OFF
is there a way to put it in MAX security mode ?

Re: ATA password bypassing

May 19th, 2009, 17:00

This is what the end of the 42.bin of my WD drive gives

00000390 00 00 00 00 00 00 00 00-57 44 43 57 44 43 57 44 *........WDCWDCWD*
000003A0 43 57 44 43 57 44 43 57-44 43 57 44 43 57 44 43 *CWDCWDCWDCWDCWDC*
000003B0 57 44 43 57 44 43 57 44-A9 4A D6 A8 31 9D 6B 3A *WDCWDCWD.J..1.k:*
000003C0 93 D1 13 9D 15 0F 55 B8-CF 89 D4 96 00 00 00 00 *......U.........*
000003D0 00 00 00 00 00 00 00 00-57 44 43 20 57 44 38 30 *........WDC WD80*
000003E0 45 42 2D 32 38 43 47 48-31 20 20 20 20 20 20 20 *EB-28CGH1       *
000003F0 20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20 *                *

(the *'s are from my hex editor)
Shows the default master password
Then 32bytes of hex (could be the user password, but not in a user enterable form)
Then the details of the WDC WD80EB drive

or have I missed something ?

Since it was locked by an xbox 'bios', I guess the random password it used doesn't have to be ascii ?

Thanks

Re: ATA password bypassing

May 19th, 2009, 17:41

xsoliman wrote: This is what the end of the 42.bin of my WD drive gives

or have I missed something ?


Try writing your own password to it and seeing what changes.

Re: ATA password bypassing

May 19th, 2009, 18:48

Thanks for all the really useful info

I assume the '42' is a reference to some particular SA block
although there's no $2a in the command sequence

If I modified the 42.bin file, is there a command sequence to write it back to the same place on the disk?
I'm sure there is, but not sure if you would be willing to share it ?

Hopefully this block isn't checksummed

Similarly I'd really like to know what the cmd codes do
eg which is the rd cmd and which specifies the SA block or -ve track etc
(and the info isn't too valuable as these 5GB drives are ancient, unless it works on all WD drives ...)
In fact you've already said that
$00 $02 $00 $00 $0F $E0 $21
is the bit that specifies the block to read

And good luck with your Seagate work.

Re: ATA password bypassing

May 20th, 2009, 15:13

Thanks yet again

After the wdc_super_on ($57 $44 $43 $00 $00 $a0 $8a)
I can then successfully read some sectors, but not all

Doing an F4 scan I get the following
(where M is a grey block of varying intensity ie a 255 sector block read ok)

MAMxMxMAMx
----> further on
same
further on
similar
further on - all reads ok (from about 24% into the 5GB drive)

is this expected ?
I haven't actually looked at the raw data in the readable blocks yet


Also my WD80EB has started staying BUSY for long periods after a 'spark' when plugging in to a live system
(thought I'd totally fried it at first)

In fact it's stopped responding now and F4 gives me clicking .... as does power cycling it.
Looks like I'll have to get another disk for experiments


This is the most hacking fun I've had for many a month :-)

Re: ATA password bypassing

June 11th, 2009, 23:09

Spildit,
Hey, I've been searching for a way to unlock a Maxtor.
The ATA password tool shows this:
maxtor 6y230p0

rev yar41bw0

ata password tool v1.1
shows plus signs under
S, E, L, F, X, V
+ + + - - h

I wanted to know if it's possible for me to unlock the drive? Thanks, and sorry to bother you, but you wrote in a few topics to PM you to unlock a specific drive. If you could help me out, let me know.