All times are UTC - 5 hours [ DST ]


 Post subject: Analysis of Western Digital ROYL firmware MOD 02
Posted: March 17th, 2014, 17:27
Analysis of Western Digital ROYL firmware MOD 02

This tutorial is my attempt to understand the structure of WD's ROYL firmware MOD 02.

MOD 02 is purely a data module that contains information relating to the identity and feature set of the drive.

It consists of three main sections ...

    header
    index of data records
    data records

Here is the header section:

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  52 4F 59 4C 01 00 30 00 02 00 03 00 09 5A D8 B3  ROYL............
00000010  30 30 30 38 30 30 30 30 07 07 07 00 00 00 00 00  00080000........
00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Code:
Location          data        description
-----------------------------------------
0x0000 - 0x0003   "ROYL"      header
0x0008 - 0x0009   0x0002      MOD ID
0x000A - 0x000B   0x0003      size in sectors
0x000C - 0x000F   0xB3D85A09  32-bit checksum
0x0010 - 0x0017   "00080000"  MOD version

The checksum bytes are chosen so that the 32-bit little endian sum of all the 32-bit double words, including the checksum bytes, is 0x00000000.

Offsets 0x30 - 0x31 hold the number of data records (0x001E = 30) in the table/index that follows. The entry for each record defines its location within the MOD and its length in bytes.

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000030  1E 00 AA 00 17 00 C1 00 18 00 D9 00 33 00 0C 01
00000040  33 00 D8 01 0C 00 E4 01 12 00 08 02 06 00 0E 02
00000050  06 00 14 02 13 00 27 02 11 00 38 02 27 00 5F 02
00000060  12 00 71 02 20 00 91 02 39 00 CA 02 0D 00 D7 02
00000070  0E 00 E5 02 44 00 29 03 46 00 6F 03 48 00 3F 01
00000080  33 00 72 01 33 00 F6 01 12 00 B7 03 10 00 C7 03
00000090  0E 00 D5 03 56 00 2B 04 1A 00 45 04 1D 00 A5 01
000000A0  33 00 62 04 12 00 74 04 02 00

Code:
record    location   location
number    in table   in MOD     size       description
-----------------------------------------------------------

1         0032       00AA       0017       serial number
2         0036       00C1       0018       capacity in LBAs
3         003A       00D9       0033
4         003E       010C       0033
5         0042       01D8       000C
6         0046       01E4       0012
7         004A       0208       0006
8         004E       020E       0006
9         0052       0214       0013
10        0056       0227       0011
11        005A       0238       0027
12        005E       025F       0012
13        0062       0271       0020
14        0066       0291       0039
15        006A       02CA       000D
16        006E       02D7       000E
17        0072       02E5       0044       model number
18        0076       0329       0046       DCM (?) & manufacture date (?)
19        007A       036F       0048       user & master password
20        007E       013F       0033
21        0082       0172       0033
22        0086       01F6       0012
23        008A       03B7       0010
24        008E       03C7       000E
25        0092       03D5       0056
26        0096       042B       001A       family identifier / customer ID
27        009A       0445       001D
28        009E       01A5       0033
29        00A2       0462       0012
30        00A6       0474       0002

MOD 02 copies from different drives appear to be consistent in some aspects and different in others. In particular, the total number of data records in the table may vary, but the records appear to be numbered consistently. For example, the model number appears to always occupy record #17 and the passwords are always in record #19. However, the location of each record in the body of the module may vary, as may its size.

Serial Number

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

000000A0                                00 01 57 44 2D 57            ..WD-W
000000B0  43 41 56 32 30 30 39 31 36 32 38 00 00 00 00 00  CAV20091628.....
000000C0  00   


Capacity in LBAs

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

000000C0     00 01 10 3F 00 00 00 00 AF EA 42 25 AF EA 42
000000D0  25 AF EA 42 25 AF EA 42 25


There are four capacities. WDMarvel refers to them as ...

    Max LBA
    Destroke Max LBA
    DCO Max LBA
    Host Max LBA

Each has a value of 0x2542EAAF which represents the maximum LBA (= capacity - 1).

Therefore the capacity of the drive is ...

(0x2542EAAF + 1) x 512 = 320 072 933 376 bytes

If the drive has had its capacity limited by an HPA or DCO, then this will be reflected in this record.


Model Number

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

000002E0                 00 01 57 44 43 20 57 44 33 32 30       ..WDC WD320
000002F0  30 41 41 4B 53 2D 30 30 4C 39 41 30 20 20 20 20  0AAKS-00L9A0   
00000300  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                 
00000310  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                 
00000320  20 20 20 20 20 20 20 00 00


DCM (?) and Manufacture (?) Date (MM-DD-YYYY)

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000320                             00 01 53 7C 42 7C 4C           ..S|B|L
00000330  44 50 37 4D 4B 48 37 43 41 52 52 56 4E 4B 59 55  DP7MKH7CARRVNKYU
00000340  46 00 20 20 20 20 20 20 20 20 20 20 20 20 20 31  F.             1
00000350  31 2D 32 32 2D 32 30 30 38 00 00 00 00 00 00 00  1-22-2008.......
00000360  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00     ...............


User and Master Password

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000360                                               00                 .
00000370  01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000380  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000390  00 00 00 57 44 43 57 44 43 57 44 43 57 44 43 57  ...WDCWDCWDCWDCW
000003A0  44 43 57 44 43 57 44 43 57 44 43 57 44 43 57 44  DCWDCWDCWDCWDCWD
000003B0  43 57 00 08 40 FE FF                             CW.....


The master password is "WDCWDCWDCWDCWDCWDCWDCWDCWDCWDCW".

There is no user password.

Here is an example from a different drive with and without a user password. Each user and master password occupies 32 bytes.

Code:
00000130              00 01 07 00 54 68 69 73 20 69 73 20       ....This is
00000140  74 68 65 20 55 73 65 72 20 50 61 73 73 77 6F 72   the User Passwor
00000150  64 00 00 00 00 00 00 00 57 44 43 57 44 43 57 44   d.......WDCWDCWD
00000160  43 57 44 43 57 44 43 57 44 43 57 44 43 57 44 43   CWDCWDCWDCWDCWDC
00000170  57 44 43 57 44 43 57 00 08 00 FE FF               WDCWDCW.....


Code:
00000130              00 01 01 00 00 00 00 00 00 00 00 00       ............
00000140  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00000150  00 00 00 00 00 00 00 00 57 44 43 57 44 43 57 44   ........WDCWDCWD
00000160  43 57 44 43 57 44 43 57 44 43 57 44 43 57 44 43   CWDCWDCWDCWDCWDC
00000170  57 44 43 57 44 43 57 00 08 00 FE FF               WDCWDCW.....


There are flag bits in the 3rd byte which appear to indicate whether a password has been set.

The last word (0xFFFE) appears to be related to Identify Device word 92 -- Master Password Revision Code.


Family Identifier / Customer ID

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000420                                   00 00 00 01 30             ....0
00000430  30 4C 39 30 30 30 30 01 00 12 00 01 00 00 00 00  0L90000.........
00000440  00 00 00 00 00 
.....


This number ("00L90000") also exists in MOD 115, along with other similar numbers.

The text string appears to be divided in two parts:

    00L9 = Family Identifier
    0000 = Customer ID

A WD3200BUDT-62DPZY0 model has "0DPZ0062" in the same record.

    0DPZ = Family Identifier
    0062 = Customer ID

The following document provides an explanation:
http://www.acelab.ru/dep.pc/doc.pc3000d ... in-N-2.pdf

Here is an English translation:
http://translate.google.com/translate?h ... in-N-2.pdf

Original Article:
http://malthus.zapto.org/viewtopic.php? ... 3191#p3191

_________________
A backup a day keeps DR away.
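The following Python sketch is an added example, not part of the original post. It checks a MOD 02 image against the layout described above (ROYL signature, size in sectors, zero dword sum) and bounds-checks every index entry before returning it. The function names are hypothetical, each index entry is assumed to be a 16-bit little-endian offset followed by a 16-bit little-endian size as the table implies, and the sample image is constructed from the header and index dumps with zero-filled record bodies.

```python
import struct

SECTOR = 512  # bytes per sector, as in the post's capacity arithmetic

def dword_sum(mod: bytes) -> int:
    """32-bit little-endian sum of every dword in the module."""
    return sum(struct.unpack(f"<{len(mod) // 4}I", mod)) & 0xFFFFFFFF

def parse_mod02(mod: bytes) -> dict:
    """Validate a MOD 02 image and return header fields plus the record index."""
    if len(mod) < 0x32 or len(mod) % 4 or mod[:4] != b"ROYL":
        raise ValueError("not a ROYL module")
    mod_id, sectors = struct.unpack_from("<HH", mod, 0x08)
    (count,) = struct.unpack_from("<H", mod, 0x30)
    if sectors * SECTOR != len(mod) or 0x32 + 4 * count > len(mod):
        raise ValueError("size or record count inconsistent with image length")
    if dword_sum(mod) != 0:
        raise ValueError("checksum mismatch")
    records = {}
    for n in range(1, count + 1):
        off, size = struct.unpack_from("<HH", mod, 0x2E + 4 * n)
        if off + size > len(mod):  # index entry points outside the module
            raise ValueError(f"record {n} out of bounds")
        records[n] = (off, size)
    return {"id": mod_id, "version": mod[0x10:0x18].decode("ascii"),
            "records": records}

# Constructed sample: header and index bytes copied from the dumps in the post;
# record bodies are zero-filled and the checksum is recomputed for this image.
HEADER = bytes.fromhex("524F594C0100300002000300095AD8B3" "3030303830303030070707")
INDEX = bytes.fromhex(
    "1E00AA001700C1001800D90033000C01" "3300D8010C00E4011200080206000E02"
    "06001402130027021100380227005F02" "12007102200091023900CA020D00D702"
    "0E00E5024400290346006F0348003F01" "330072013300F6011200B7031000C703"
    "0E00D50356002B041A0045041D00A501" "33006204120074040200"
)

def build_sample() -> bytes:
    mod = bytearray(3 * SECTOR)
    mod[:len(HEADER)] = HEADER
    mod[0x30:0x30 + len(INDEX)] = INDEX
    struct.pack_into("<I", mod, 0x0C, 0)  # clear, then solve for a zero sum
    struct.pack_into("<I", mod, 0x0C, -dword_sum(mod) & 0xFFFFFFFF)
    return bytes(mod)

if __name__ == "__main__":
    for n, (off, size) in parse_mod02(build_sample())["records"].items():
        print(f"record {n:2d}: offset=0x{off:04X} size=0x{size:04X}")
```

Because record locations and sizes vary between drives, look records up by number through the index rather than by fixed offset.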


 Post subject: Re: Analysis of Western Digital ROYL firmware MOD 02
Posted: March 5th, 2015, 22:46
Great job! Thanks


 Post subject: Re: Analysis of Western Digital ROYL firmware MOD 02
Posted: March 6th, 2015, 3:54
Thank you "fzabkar" for sharing.

_________________
Data Recovery Pakistan

