All times are UTC - 5 hours [ DST ]




Post new topic Reply to topic  [ 72 posts ]  Go to page Previous  1, 2, 3, 4  Next
Author Message
 Post subject: Re: Toshiba 500GB out of DVR Locked
PostPosted: September 30th, 2016, 19:56 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 9796
Location: Australia
Here are the CPs I extracted from zenelli's ROM:


Attachments:
MK5061GSY_ROM_CPs.rar [23.15 KiB]
Downloaded 117 times

_________________
A backup a day keeps DR away.
Top
 Profile  
 
 Post subject: Re: Toshiba 500GB out of DVR Locked
PostPosted: October 1st, 2016, 8:36 
Offline

Joined: January 7th, 2012, 11:48
Posts: 25
Location: netherlands
fzabkar wrote:
Here are the CPs I extracted from zenelli's ROM:


I'm not an expert so i dont know where to look for the password


Top
 Profile  
 
 Post subject: Re: Toshiba 500GB out of DVR Locked
PostPosted: October 4th, 2016, 2:52 
Offline

Joined: February 18th, 2016, 14:37
Posts: 14
Location: Romania
Does anyone have any idea what this might refer to ?



" 512KB 12V BTIN_ROM UART Program Loader..for Gibson1.0 model Loader Version AUGB14064.00 "


Top
 Profile  
 
 Post subject: Re: Toshiba 500GB out of DVR Locked
PostPosted: October 24th, 2016, 7:44 
Offline

Joined: February 18th, 2016, 14:37
Posts: 14
Location: Romania
Okay, so I've managed to get a read on a locked ROM by the use of a programmer. Here it is. So far, the differences between it and a normal ROM are MANY. I'm also uploading the ROM of a MQ01ABD of 320 GB, yet do bear in mind that it's firmware is AX01, not AZ01Q like the locked one's. At a close analysis, it crushed any hope to figure out how it's locked, due to the huge number of differences ( more than 30k ), yet I can point out several locations that seemed "suspect" :
at 0x30800 we have smth called scrt_flag;
at 0x54A60 several flags indicating different options appear to be set ( eg hdd is frozen, security locked ).


Before anything, I'll try to understand a bit more about it's internal workings, since there are many descriptions inside available (btw, the omnipresent japanese wording is there).


Attachments:
000000-07FFFF(unlocked AX).rar [284.11 KiB]
Downloaded 99 times
newlockedrom.rar [283.13 KiB]
Downloaded 98 times
Top
 Profile  
 
 Post subject: Re: Toshiba 500GB out of DVR Locked
PostPosted: October 24th, 2016, 19:22 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 9796
Location: Australia
The newlockedrom.bin dump appears to be from the 320GB HDD whereas the 000000-07FFFF(unlocked AX) dump is from the 500GB HDD. Is this correct?

newlockedrom.bin

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

0007AFE0  4D 4E 20 20 20 20 20 20 20 20 20 20 20 20 20 20  MN             
0007AFF0  20 20 20 20 20 58 34 37 58 54 58 30 43 54 54 4F       X47XTX0CTTO
0007B000  53 48 49 42 41 20 4D 51 30 31 41 42 44 30 33 32  SHIBA MQ01ABD032
0007B010  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                 
0007B020  20 20 20 20 20 20 00 00 00 00 00 00 00 00 00 00

000000-07FFFF.bin

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

0007AFE0  4D 4E 20 20 20 20 20 20 20 20 20 20 20 20 20 20  MN             
0007AFF0  20 20 20 20 20 32 35 4A 41 50 31 57 48 54 54 4F       25JAP1WHTTO
0007B000  53 48 49 42 41 20 4D 51 30 31 41 42 44 30 35 30  SHIBA MQ01ABD050
0007B010  56 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20  V               
0007B020  20 20 20 20 20 20 00 00 00 00 00 00 00 00 00 00

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: Toshiba 500GB out of DVR Locked
PostPosted: October 24th, 2016, 19:59 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 9796
Location: Australia
FWIW, this is my take on the situation.

Each ROM has a table of CPs. The two tables are identical.

newlockedrom.bin

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13

0005BCE8                                      AA 00 54 4F 00 00 00 00              ª.TO....
0005BCFC  D0 8A 05 D0 A0 03 A0 03 90 03 01 00 34 00 52 43 00 00 00 00  Њ.Р. .....4.RC....
0005BD10  40 8A 05 D0 70 00 70 00 6E 00 01 00 33 00 57 43 00 00 00 00  @Š.Ðp.p.n...3.WC....
0005BD24  D0 32 0A D0 50 0E 50 0E 4E 0E 01 00 99 00 4D 4F 00 00 00 00  Ð2.ÐP.P.N...™.MO....
0005BD38  70 8E 05 D0 10 00 00 00 00 00 00 00 44 00 53 47 00 00 00 00  pŽ.Ð........D.SG....
0005BD4C  80 8E 05 D0 30 00 30 00 2E 00 01 00 92 00 43 4F 00 00 00 00  €Ž.Ð0.0.....’.CO....
0005BD60  B0 8E 05 D0 10 00 10 00 0C 00 01 00 C1 00 47 4F 00 00 00 00  °Ž.Ð........Á.GO....
0005BD74  C0 8E 05 D0 10 00 10 00 02 00 01 00 95 00 48 54 00 00 00 00  ÀŽ.Ð........•.HT....
0005BD88  D0 8E 05 D0 10 00 10 00 0C 00 01 00 55 00 4D 4E 00 00 00 00  ÐŽ.Ð........U.MN....
0005BD9C  E0 8E 05 D0 C0 00 40 00 00 00 01 00 56 00 4D 4E 00 00 00 00  àŽ.ÐÀ.@.....V.MN....
........
0005C6FC  D0 D1 05 D0 10 00 10 00 0E 00 01 00 0A 01 56 46 00 00 00 00  ÐÑ.Ð..........VF....
0005C710  D0 2F 0B D0 E0 0F E0 0F DE 0F 01 00 0B 01 45 44 00 00 00 00  Ð/.Ðà.à.Þ.....ED....
0005C724  00 5B 05 D0 00 18 00 18 FE 17 01 00 83 00 00 00 53 48 00 00  .[.Ð....þ...ƒ...SH..
0005C738  E0 8F 05 D0 20 00 20 00 18 00 00 00 53 5A 00 00 00 90 05 D0  à..Ð . .....SZ.....Ð
0005C74C  D0 00 D0 00 C6 00 00 00 48 50 00 00 D0 90 05 D0 10 00 10 00  Ð.Ð.Æ...HP..Ð..Ð....
0005C760  0C 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ....................

000000-07FFFF.bin

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13

0005BD9C                          AA 00 54 4F 00 00 00 00 D0 8A 05 D0          ª.TO....Њ.Ð
0005BDB0  A0 03 A0 03 90 03 01 00 34 00 52 43 00 00 00 00 40 8A 05 D0   . .....4.RC....@Š.Ð
0005BDC4  70 00 70 00 6E 00 01 00 33 00 57 43 00 00 00 00 D0 32 0A D0  p.p.n...3.WC....Ð2.Ð
0005BDD8  50 0E 50 0E 4E 0E 01 00 99 00 4D 4F 00 00 00 00 70 8E 05 D0  P.P.N...™.MO....pŽ.Ð
0005BDEC  10 00 00 00 00 00 00 00 44 00 53 47 00 00 00 00 80 8E 05 D0  ........D.SG....€Ž.Ð
0005BE00  30 00 30 00 2E 00 01 00 92 00 43 4F 00 00 00 00 B0 8E 05 D0  0.0.....’.CO....°Ž.Ð
0005BE14  10 00 10 00 0C 00 01 00 C1 00 47 4F 00 00 00 00 C0 8E 05 D0  ........Á.GO....ÀŽ.Ð
0005BE28  10 00 10 00 02 00 01 00 95 00 48 54 00 00 00 00 D0 8E 05 D0  ........•.HT....ÐŽ.Ð
0005BE3C  10 00 10 00 0C 00 01 00 55 00 4D 4E 00 00 00 00 E0 8E 05 D0  ........U.MN....àŽ.Ð
0005BE50  C0 00 40 00 00 00 01 00 56 00 4D 4E 00 00 00 00 E0 8E 05 D0  À.@.....V.MN....àŽ.Ð
........
0005C7B0  10 00 10 00 0E 00 01 00 0A 01 56 46 00 00 00 00 D0 2F 0B D0  ..........VF....Ð/.Ð
0005C7C4  E0 0F E0 0F DE 0F 01 00 0B 01 45 44 00 00 00 00 00 5B 05 D0  à.à.Þ.....ED.....[.Ð
0005C7D8  00 18 00 18 FE 17 01 00 83 00 00 00 53 48 00 00 E0 8F 05 D0  ....þ...ƒ...SH..à..Ð
0005C7EC  20 00 20 00 18 00 00 00 53 5A 00 00 00 90 05 D0 D0 00 D0 00   . .....SZ.....ÐÐ.Ð.
0005C800  C6 00 00 00 48 50 00 00 D0 90 05 D0 10 00 10 00 0C 00 00 00  Æ...HP..Ð..Ð........
0005C814  03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ....................

The CPs in both ROMs are located at 0x79400.

newlockedrom.bin

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13

00079400  54 4F 06 0A B3 EC 06 0A B3 EC 00 00 DC EC 00 00 DC EC 36 03  TO..³ì..³ì..Üì..Üì6.
00079414  2A F9 36 03 2A F9 36 03 2A F9 36 03 2A F9 36 03 2A F9 36 03  *ù6.*ù6.*ù6.*ù6.*ù6.
00079428  2A F9 36 03 2A F9 36 03 2A F9 00 00 00 00 00 00 00 00 00 00  *ù6.*ù6.*ù..........
0007943C  00 00 00 1B 43 53 01 00 A0 00 50 00 00 00 00 00 00 00 00 E1  ....CS.. .P........á
00079450  43 53 01 00 A0 00 50 00 00 00 00 00 00 00 00 E1 43 53 00 00  CS.. .P........áCS..
00079464  00 00 00 00 00 00 00 00 00 00 00 94 43 53 00 00 00 00 00 00  ...........”CS......

000000-07FFFF.bin

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13

00079400  54 4F 65 05 42 EC 65 05 42 EC 00 00 FC EC 00 00 FC EC 36 03  TOe.Bìe.Bì..üì..üì6.
00079414  2A F9 36 03 2A F9 36 03 2A F9 36 03 2A F9 36 03 2A F9 36 03  *ù6.*ù6.*ù6.*ù6.*ù6.
00079428  2A F9 36 03 2A F9 36 03 2A F9 00 00 00 00 00 00 00 00 00 00  *ù6.*ù6.*ù..........
0007943C  00 00 00 1B 43 53 01 00 A0 00 50 00 00 00 00 00 00 00 00 E1  ....CS.. .P........á
00079450  43 53 01 00 A0 00 50 00 00 00 00 00 00 00 00 E1 43 53 00 00  CS.. .P........áCS..
00079464  00 00 00 00 00 00 00 00 00 00 00 94 43 53 00 00 00 00 00 00  ...........”CS......

ISTM that it may be worth trying to patch the locked drive's CPs (addresses 0x79400 - 0x7FFFF) into an unlocked ROM. Each CP has its own XOR8 checksum. However, I don't know if there are any additional checksums. If other checksums do exist, then hopefully the patch will not invalidate them. Also, the patch assumes that the lock is not contained within a CP. If it is, then hopefully the unlocked ROM code will ignore this lock. One additional question is whether the ROM firmware needs to match the SA firmware in some way.

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: Toshiba 500GB out of DVR Locked
PostPosted: October 25th, 2016, 1:23 
Offline

Joined: February 18th, 2016, 14:37
Posts: 14
Location: Romania
Yes, the second dump is from a 500 GB HDD. So for now, I should just attempt to patch the locked CPs into the unlocked ROM. Actually, I think if the lock is located within a CP that would be great, as we can just extract the CPs from both ROMs and then compare them and see exactly in which CP the lock is located. Otherwise, I assume the lock is located above the CP table and that would be...not so great. Regarding the ROM firmware needing to match the SA firmware...I somehow doubt it has to, but it's just a hunch.


Top
 Profile  
 
 Post subject: Re: Toshiba 500GB out of DVR Locked
PostPosted: October 25th, 2016, 1:27 
Offline

Joined: February 18th, 2016, 14:37
Posts: 14
Location: Romania
Another thing worth trying would be to take the CPs from the unlocked one and patch them to a locked ROM...and if it would unlock it, then I guess we can be pretty sure where the lock is. Though I do have to ask, don't these CPs contain data essential to each HDD ? Moving them around from one another seems like a stretch.


Top
 Profile  
 
 Post subject: Re: Toshiba 500GB out of DVR Locked
PostPosted: October 25th, 2016, 13:59 
Offline
User avatar

Joined: December 19th, 2006, 8:49
Posts: 8163
Location: Portugal
First of all @fzabkar i can't make your Toshiba Rom-CP extraction tool to work with the attached ROMs.

http://www.hddoracle.com/viewtopic.php?f=22&t=1724

I'm geting an error message when trying to extract the CPs with that tool.

Then i would try 2 things.

1 - Get a ROM from an unlocked drive of the same model and copy the CPs (all of them) from the locked drive to the unlocked ROM. Most likely this will NOT WORK as i bet the lock is on CP and not on the ROM code but if the lock is on the ROM itself then you should be ok.

2 - Get a ROM from an unlocked drive and extract CPs from it. Patch the Locked ROM in a way that it will recieve CP56 and DD from the unlocked drive. Test it.

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.


Top
 Profile  
 
 Post subject: Re: Toshiba 500GB out of DVR Locked
PostPosted: October 25th, 2016, 14:32 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 9796
Location: Australia
My CP extraction tool assumes that the CPs are located at 0x70000. When I wrote it I didn't have many ROM examples to work with, so I didn't know what differences I would encounter. I'll try to update it when I can.

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: Toshiba 500GB out of DVR Locked
PostPosted: October 25th, 2016, 15:00 
Offline
User avatar

Joined: December 19th, 2006, 8:49
Posts: 8163
Location: Portugal
Ok ! Thanks !

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.


Top
 Profile  
 
 Post subject: Re: Toshiba 500GB out of DVR Locked
PostPosted: October 25th, 2016, 23:05 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 9796
Location: Australia
I have extracted the CPs from each ROM.

The first CP is actually CP 0x010B ("ED") at offset 0x77C00. Sorry for my error.


Attachments:
MQ01ABD032.rar [19.53 KiB]
Downloaded 92 times
MQ01ABD050V.rar [21.21 KiB]
Downloaded 111 times

_________________
A backup a day keeps DR away.
Top
 Profile  
 
 Post subject: Re: Toshiba 500GB out of DVR Locked
PostPosted: October 26th, 2016, 3:34 
Offline

Joined: October 24th, 2014, 4:57
Posts: 212
Location: Remote Raid Help on planet Earth
fzabkar wrote:

Each ROM has a table of CPs. The two tables are identical.



Those tables are not complete. They are contains some standard command set.

_________________
http://www.alfadatarecovery.com


Top
 Profile  
 
 Post subject: Re: Toshiba 500GB out of DVR Locked
PostPosted: October 26th, 2016, 5:13 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 9796
Location: Australia
Martin wrote:
fzabkar wrote:
Each ROM has a table of CPs. The two tables are identical.


Those tables are not complete. They are contains some standard command set.

I don't understand. I count 134 CPs in total in each table. Are you saying that there are more?

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: Toshiba 500GB out of DVR Locked
PostPosted: October 26th, 2016, 16:43 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 9796
Location: Australia
These empty CPs (PP, WV, PQ) are not in the table. I haven't checked for others.

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

0007F2E0  50 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00  PP..............
0007F2F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0007F300  57 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00  WV..............
0007F310  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01  ................
0007F320  50 51 FF FF FF FF FF FF FF FF FF FF FF FF FF FF  PQÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0007F330  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0007F340  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0007F350  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0007F360  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0007F370  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0007F380  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0007F390  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 79  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿy

There are several CPs (DB -> VF) in the table that don't appear to be in the ROM.

Code:
ID     Name  Dword2     Rel/Abs Address  Byt11  Size (ROM/SA/size3)   Byt18  Byt19  XOR8
----------------------------------------------------------------------------------------

0109   SX    00000000   05D1D0 / 07F2D0    D0   0010 / 0010 / 000E    01     00     00

- the following empty (?) CPs are not in the table
       PP                        7F2E0          0020
       WV                        7F300          0020
       PQ                        7F320          0080 ?

- the following CPs are in the table but not in ROM ???
00F8   DB    00000000   09F010 / 0C1110    D0   1C90 / 1C90 / 1C8E    01     00     00
00FC   AM    00000000   0A0CA0 / 0C2DA0    D0   0990 / 0990 / 098E    01     00     00
00BF   OU    00000000   0A1630 / 0C3730    D0   0E50 / 0E50 / 0E4E    01     00     00
00C9   OV    00000000   0A2480 / 0C4580    D0   0E50 / 0E50 / 0E4E    01     00     00
0033   WC    00000000   0A32D0 / 0C53D0    D0   0E50 / 0E50 / 0E4E    01     00     00
0230   CA    00000000   0A4120 / 0C6220    D0   1630 / 1630 / 162E    01     00     00
0231   CB    00000000   0A5750 / 0C7850    D0   1630 / 1630 / 162E    01     00     00
0232   CC    00000000   0A6D80 / 0C8E80    D0   1630 / 1630 / 162E    01     00     00
0233   CD    00000000   0A83B0 / 0CA4B0    D0   1630 / 1630 / 162E    01     00     00
0234   CE    00000000   0A99E0 / 0CBAE0    D0   1630 / 1630 / 162E    01     00     00
0235   CF    00000000   0AB010 / 0CD110    D0   1630 / 1630 / 162E    01     00     00
00D3   ZH    00000000   0AC640 / 0CE740    D0   6760 / 6760 / 675E    01     00     00
00F7   FC    00000000   0B2DA0 / 0D4EA0    D0   01A0 / 01A0 / 019E    01     00     00
00F4   WD    00000000   0B2F40 / 0D5040    D0   0090 / 0090 / 008E    01     00     00
010A   VF    00000000   0B2FD0 / 0D50D0    D0   0FE0 / 0FE0 / 0FDE    01     00     00

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: Toshiba 500GB out of DVR Locked
PostPosted: October 26th, 2016, 18:45 
Offline
User avatar

Joined: December 19th, 2006, 8:49
Posts: 8163
Location: Portugal
Let's not forget that some CPs are stored on the platters.
So it's normal to have CPs listed on the table but not present on the ROM.

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.


Top
 Profile  
 
 Post subject: Re: Toshiba 500GB out of DVR Locked
PostPosted: October 26th, 2016, 23:47 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 9796
Location: Australia
In the case of the MK5061GSY model, all the CPs in the table were in the ROM. The MQ01ABD050V and MQ01ABD032 models differ from the MK5061GSY in this respect. Also, the newer drives have a slightly different table structure, and they have 2-byte CP IDs.

I now suspect that the parameter which I have called "Relative Address" is in fact, together with "Byt11", the loadpoint of the CP in RAM. For example, I believe that the loadpoint for CP 0x0109 ("SX") is 0xD007F2D0. Likewise, I believe that the loadpoint for CP 0x00F8 ("DB") is 0xD00C1110. For the most part, the layout of the CPs in ROM ("Absolute Address") matches their layout in RAM.

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: Toshiba 500GB out of DVR Locked
PostPosted: November 2nd, 2016, 17:44 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 9796
Location: Australia
AFAICT, the header of the ROM stores the location of the CPs. It also appears to point to 6 bytes which look like they may be some kind of CRC. If I'm correct, then I expect it would be possible to patch the CP section (0x77C00 - 0x7FFFF) from the patient into a donor ROM without affecting any checksum(s).

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  43 6F 70 79 72 69 67 68 74 20 31 39 39 39 20 54  Copyright 1999 T
00000010  4F 53 48 49 42 41 20 43 6F 72 70 6F 72 61 74 69  OSHIBA Corporati
00000020  6F 6E 00 00 00 00 00 00 00 00 00 00 00 00 00 00  on..............
00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000070  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000080  00 00 00 00 00 00 00 00 78 7B 07 00 00 7C 07 00  ........x{...|..
          location of 6-byte CRC? ^^^^^^^^^^^ ^^^^^^^^^^^ location of CPs in ROM
00000090  00 00 00 00 00 00 00 00 00 00 08 00 00 00 00 00  ................
                                  ^^^^^^^^^^^ size of ROM ?
000000A0  00 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00  ................
000000B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 23  ...............#

The following program extracts the CPs from the newer ROM type.

http://www.users.on.net/~fzabkar/temp/toromcp4.bas
http://www.users.on.net/~fzabkar/temp/toromcp4.exe

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: Toshiba 500GB out of DVR Locked
PostPosted: February 16th, 2017, 10:36 
Offline

Joined: August 18th, 2010, 17:35
Posts: 3095
Location: Massachusetts, USA
https://monosnap.com/file/QuzF60yO0PZAq ... YU91Z7Tpsk

_________________
Hard Drive and RAID Data Recovery Specialist in Massachusetts


Top
 Profile  
 
 Post subject: Re: Toshiba 500GB out of DVR Locked
PostPosted: February 16th, 2017, 15:14 
Offline
User avatar

Joined: December 19th, 2006, 8:49
Posts: 8163
Location: Portugal
labtech wrote:
https://monosnap.com/file/QuzF60yO0PZAqJYLfttwYU91Z7Tpsk


Attachment:
catalog_en_20160301.pdf+-+Google+Chrome+2017-02-16+09.32.22.png
catalog_en_20160301.pdf+-+Google+Chrome+2017-02-16+09.32.22.png [ 109.25 KiB | Viewed 1443 times ]


Yes, we already know that the drive is locked ...

The question would be how to unlock it ...

Here is my take. If you have one locked and one unlocked drive (NOT ATA password - DVR LOCKED) then i would try this :

1 - Backup all CPs and FULL ROM on the LOCKED drive. Then FORMAT ALL TRACKS. Write P-List/G-list (DD CP) and re-set password and S.M.A.R.T. (to create those "modules"/sectors on TRACKS). Power OFF/On.

Is it still locked ?

If So :

2 - Get Donor UNLOCKED drive and try to move ADAPTIVES/CPs from Locked drive to unlocked drive. You will get Unlocked drive + locked drive adaptives. Move PCB to locked drive. Did it "unlock" itself ?

3 - Try "silly stuff" like regen translator ATA command or Factory Reset terminal command.


Are you willing to ship the samples of the drives to me ? Maybe i can find how they are locked.


There are several ways to lock the drive.

Lock can be :

1 - MAIN ROM CODE.
2 - CPs on the ROM.
3 - CPs on the platter.
4 - "Hidden" Sector on the platter - like ATA password module.

:shock: :shock: :shock:

I would need the drive to investigate and figure that out.

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 72 posts ]  Go to page Previous  1, 2, 3, 4  Next

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: maninder and 37 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group