I'm struggling with the same problem with two PM863a drives, ATA Security level maximum, can't be Secure Erased due to unknown master password. No PSID on the printed label. Firmware is GXT5204Q. I don't need the data and my goal is to Secure Erase and reuse these drives.
JTAG works well. I'm using a J-Link V11 adapter to access it. I've tried OpenOCD 0.12.x on Linux via libjaylink and J-Link's own software, J-Link Commander. I've somehow failed to get stable and good performance with OpenOCD and switched to J-Link Commander, although it can only access core0 in its default configuration.
I'm trying to follow this brilliant paper to dump drive's crypto blob:
https://cs.ru.nl/~cmeijer/publications/ ... Drives.pdf
Of course, I've failed to read this blob.
As expected from an academic paper, some important details are missing from their description. I already found out that the 3-step vendor unlock sequence was not fully described:
Before issuing CMD=0x85 FEAT=0x46 unlock command with given data buffer you need to issue FEAT 0x49, and FEAT 0x53 commands without data to advance unlock process through steps 1 and 2.
Still, even after step 3 unlock was performed, CMD=0x83 FEAT=0x12 to read out the crypto blob is not working. They mention the blob was increased to 128 kBytes in the 850 EVO, so I suppose this is the size for the PM863a. I've tried to read both 128k and 64k bytes via ATA Pass-through (12) and (16) commands and they are all failing. I suspect something else is missing from the paper.
Of course I've tried to use the 840 EVO knowledge accumulated by sourcerer, but still no luck.
The questions are:
- How to find the SATA command table?
- Any hints on how to find the master password HMAC comparison routine? I'm totally out of ideas on how to locate this code because command handling is really obscure;
BTW, while doing lots of memory reads and async core halts and runs, I've managed to somehow disrupt normal firmware functioning and fell into the ERRORMOD state. The ERRORMOD state resets ATA security to high. After running "download firmware - secure erase" of the ERRORMOD repair by uploading a fake, 512-byte short firmware and performing secure erase, I was able to accidentally restore one of my two drives.
However, some important SMART data was damaged after ERRORMOD. I still hope to find a better way to repair the second drive. The best thing is to find and patch master password compare routine, but I'm unable to find it in firmware dumps...
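The post hinges on the drive's ATA Security state (enabled, locked, master password capability "high" vs "maximum"), which the drive reports in word 128 of its IDENTIFY DEVICE data. Before spending time on JTAG, it is worth decoding that word to confirm what the drive actually claims. Below is an added example, not code from the poster or from the paper, that parses the 512-byte IDENTIFY buffer and reports the security flags; the bit positions follow the ATA/ACS specification, and the IDENTIFY buffer used in the usage call is constructed here for illustration.

```python
import struct

# IDENTIFY DEVICE returns 256 little-endian 16-bit words (512 bytes).
# Word 128 is the Security status word (ATA/ACS): bit 0 supported,
# bit 1 enabled, bit 2 locked, bit 3 frozen, bit 4 count expired,
# bit 5 enhanced security erase supported, bit 8 master password
# capability (0 = High, 1 = Maximum).
SECURITY_STATUS_WORD = 128


def security_status(identify: bytes) -> dict:
    """Decode the ATA Security status word from IDENTIFY DEVICE data."""
    if len(identify) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    (word,) = struct.unpack_from("<H", identify, SECURITY_STATUS_WORD * 2)
    return {
        "supported": bool(word & 0x0001),
        "enabled": bool(word & 0x0002),
        "locked": bool(word & 0x0004),
        "frozen": bool(word & 0x0008),
        "count_expired": bool(word & 0x0010),
        "enhanced_erase_supported": bool(word & 0x0020),
        "master_password_capability": "maximum" if word & 0x0100 else "high",
    }


def erase_prospects(status: dict) -> str:
    """Summarise what the security state means for a SECURITY ERASE UNIT attempt."""
    if not status["supported"]:
        return "ATA Security feature set not supported"
    if status["frozen"]:
        return "drive is frozen; power-cycle or suspend/resume the host first"
    if not status["enabled"]:
        return "security not enabled; erase needs no password"
    if status["count_expired"]:
        return "password attempt counter expired; power-cycle before retrying"
    if status["master_password_capability"] == "maximum":
        # In Maximum mode the master password can still erase but cannot unlock.
        return ("security enabled at MAXIMUM: erase accepts user or master "
                "password, unlock accepts user password only")
    return "security enabled at HIGH: user or master password can unlock or erase"


def make_identify(word128: int) -> bytes:
    """Build a constructed 512-byte IDENTIFY buffer with only word 128 set."""
    buf = bytearray(512)
    struct.pack_into("<H", buf, SECURITY_STATUS_WORD * 2, word128)
    return bytes(buf)


if __name__ == "__main__":
    # Constructed sample: supported, enabled, locked, enhanced erase, Maximum.
    sample = make_identify(0x0127)
    st = security_status(sample)
    for key, value in st.items():
        print(f"{key:>26}: {value}")
    print(erase_prospects(st))
```

On Linux the real buffer can be obtained with `hdparm --Istdout` or by issuing IDENTIFY DEVICE through SG_IO; this script only decodes it. A drive that reports "enabled" and "maximum" matches the situation described in the post, where neither the user nor the master password is known.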