Analysis of Western Digital ROYL firmware MOD 02

This tutorial is my attempt to understand the structure of WD's ROYL firmware MOD 02.
MOD 02 is purely a data module that contains information relating to the identity and feature set of the drive.
It consists of three main sections ...
header
index of data records
data records
Here is the header section:
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 52 4F 59 4C 01 00 30 00 02 00 03 00 09 5A D8 B3 ROYL............
00000010 30 30 30 38 30 30 30 30 07 07 07 00 00 00 00 00 00080000........
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Code:
Location          data          description
-----------------------------------------------
0x0000 - 0x0003   "ROYL"        header
0x0008 - 0x0009   0x0002        MOD ID
0x000A - 0x000B   0x0003        size in sectors
0x000C - 0x000F   0xB3D85A09    32-bit checksum
0x0010 - 0x0017   "00080000"    MOD version
The checksum bytes are chosen so that the 32-bit little endian sum of all the 32-bit double words, including the checksum bytes, is 0x00000000.
Offsets 0x30 - 0x31 hold the number of data records (0x001E = 30) in the table/index that follows. The entry for each record defines its location within the MOD and its length in bytes.
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000030 1E 00 AA 00 17 00 C1 00 18 00 D9 00 33 00 0C 01
00000040 33 00 D8 01 0C 00 E4 01 12 00 08 02 06 00 0E 02
00000050 06 00 14 02 13 00 27 02 11 00 38 02 27 00 5F 02
00000060 12 00 71 02 20 00 91 02 39 00 CA 02 0D 00 D7 02
00000070 0E 00 E5 02 44 00 29 03 46 00 6F 03 48 00 3F 01
00000080 33 00 72 01 33 00 F6 01 12 00 B7 03 10 00 C7 03
00000090 0E 00 D5 03 56 00 2B 04 1A 00 45 04 1D 00 A5 01
000000A0 33 00 62 04 12 00 74 04 02 00
Code:
record  location  location
number  in table  in MOD    size  description
-----------------------------------------------------------
 1      0032      00AA      0017  serial number
 2      0036      00C1      0018  capacity in LBAs
 3      003A      00D9      0033
 4      003E      010C      0033
 5      0042      01D8      000C
 6      0046      01E4      0012
 7      004A      0208      0006
 8      004E      020E      0006
 9      0052      0214      0013
10      0056      0227      0011
11      005A      0238      0027
12      005E      025F      0012
13      0062      0271      0020
14      0066      0291      0039
15      006A      02CA      000D
16      006E      02D7      000E
17      0072      02E5      0044  model number
18      0076      0329      0046  DCM (?) & manufacture date (?)
19      007A      036F      0048  user & master password
20      007E      013F      0033
21      0082      0172      0033
22      0086      01F6      0012
23      008A      03B7      0010
24      008E      03C7      000E
25      0092      03D5      0056
26      0096      042B      001A  family identifier / customer ID
27      009A      0445      001D
28      009E      01A5      0033
29      00A2      0462      0012
30      00A6      0474      0002
MOD 02 copies from different drives appear to be consistent in some aspects and different in others. In particular, the total number of data records in the table may vary, but the records appear to be numbered consistently. For example, the model number appears to always occupy record #17 and the passwords are always in record #19. However, the location of each record in the body of the module may vary, as may its size.
Serial Number
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
000000A0                               00 01 57 44 2D 57           ..WD-W
000000B0 43 41 56 32 30 30 39 31 36 32 38 00 00 00 00 00 CAV20091628.....
000000C0 00
Capacity in LBAs
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
000000C0    00 01 10 3F 00 00 00 00 AF EA 42 25 AF EA 42
000000D0 25 AF EA 42 25 AF EA 42 25
There are four capacities. WDMarvel refers to them as ...
Max LBA
Destroke Max LBA
DCO Max LBA
Host Max LBA
Each has a value of 0x2542EAAF, which represents the maximum LBA (= capacity - 1).
Therefore the capacity of the drive is ...
(0x2542EAAF + 1) x 512 = 320 072 933 376 bytes
If the drive has had its capacity limited by a HPA or DCO, then this will be reflected in this record.
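The header checks, index walk and capacity decoding described above, as an added Python example (not code from the original article or from WD). It assumes the size field counts 512-byte sectors; the function names are hypothetical and the sample module is constructed, not a real drive dump.

```python
import struct

def checksum32(mod: bytes) -> int:
    """Sum of all little-endian 32-bit words mod 2**32; 0 for a valid module."""
    return sum(struct.unpack("<%dI" % (len(mod) // 4), mod)) & 0xFFFFFFFF

def parse_mod02(mod: bytes) -> dict:
    """Validate header and checksum, then return {record number: bytes}."""
    if len(mod) < 0x32 or mod[0:4] != b"ROYL":
        raise ValueError("missing ROYL signature")
    mod_id, sectors = struct.unpack_from("<HH", mod, 0x08)
    if mod_id != 0x0002:
        raise ValueError("not MOD 02")
    if len(mod) != sectors * 512:          # assumption: 512-byte sectors
        raise ValueError("length does not match size field")
    if checksum32(mod) != 0:
        raise ValueError("checksum mismatch")
    (count,) = struct.unpack_from("<H", mod, 0x30)
    if 0x32 + 4 * count > len(mod):
        raise ValueError("index runs past end of module")
    records = {}
    for n in range(count):
        loc, size = struct.unpack_from("<HH", mod, 0x32 + 4 * n)
        if loc + size > len(mod):          # index entries are untrusted input
            raise ValueError("record %d out of bounds" % (n + 1))
        records[n + 1] = mod[loc:loc + size]
    return records

def max_lbas(record2: bytes) -> tuple:
    """Four 32-bit max-LBA values that follow the 8-byte prefix of record 2."""
    return struct.unpack_from("<4I", record2, 8)

def build_sample() -> bytes:
    """Constructed one-sector module with two records (not a real drive dump)."""
    recs = [b"\x00\x01WD-CONSTRUCTED0001\x00",
            bytes.fromhex("00 01 10 3F 00 00 00 00") + struct.pack("<I", 0x2542EAAF) * 4]
    mod = bytearray(512)
    mod[0:4] = b"ROYL"
    struct.pack_into("<HH", mod, 0x08, 2, 1)       # MOD ID, size in sectors
    mod[0x10:0x18] = b"00080000"
    struct.pack_into("<H", mod, 0x30, len(recs))
    loc = 0x32 + 4 * len(recs)
    for i, r in enumerate(recs):
        struct.pack_into("<HH", mod, 0x32 + 4 * i, loc, len(r))
        mod[loc:loc + len(r)] = r
        loc += len(r)
    struct.pack_into("<I", mod, 0x0C, -checksum32(mod) & 0xFFFFFFFF)
    return bytes(mod)
```

Because the location and size fields come from the module itself, the bounds checks matter when the input is a damaged or modified dump: a single flipped byte is rejected by the checksum test before any record is read.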
Model Number
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
000002E0                00 01 57 44 43 20 57 44 33 32 30      ..WDC WD320
000002F0 30 41 41 4B 53 2D 30 30 4C 39 41 30 20 20 20 20 0AAKS-00L9A0
00000300 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
00000310 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
00000320 20 20 20 20 20 20 20 00 00
DCM (?) and Manufacture (?) Date (MM-DD-YYYY)
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000320                            00 01 53 7C 42 7C 4C          ..S|B|L
00000330 44 50 37 4D 4B 48 37 43 41 52 52 56 4E 4B 59 55 DP7MKH7CARRVNKYU
00000340 46 00 20 20 20 20 20 20 20 20 20 20 20 20 20 31 F.             1
00000350 31 2D 32 32 2D 32 30 30 38 00 00 00 00 00 00 00 1-22-2008.......
00000360 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ...............
User and Master Password
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000360                                              00                .
00000370 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000380 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000390 00 00 00 57 44 43 57 44 43 57 44 43 57 44 43 57 ...WDCWDCWDCWDCW
000003A0 44 43 57 44 43 57 44 43 57 44 43 57 44 43 57 44 DCWDCWDCWDCWDCWD
000003B0 43 57 00 08 40 FE FF                            CW.....
The master password is "WDCWDCWDCWDCWDCWDCWDCWDCWDCWDCW". There is no user password.
Here is an example from a different drive with and without a user password. Each user and master password occupies 32 bytes.
Code:
00000130             00 01 07 00 54 68 69 73 20 69 73 20     ....This is
00000140 74 68 65 20 55 73 65 72 20 50 61 73 73 77 6F 72 the User Passwor
00000150 64 00 00 00 00 00 00 00 57 44 43 57 44 43 57 44 d.......WDCWDCWD
00000160 43 57 44 43 57 44 43 57 44 43 57 44 43 57 44 43 CWDCWDCWDCWDCWDC
00000170 57 44 43 57 44 43 57 00 08 00 FE FF             WDCWDCW.....
Code:
00000130             00 01 01 00 00 00 00 00 00 00 00 00     ............
00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000150 00 00 00 00 00 00 00 00 57 44 43 57 44 43 57 44 ........WDCWDCWD
00000160 43 57 44 43 57 44 43 57 44 43 57 44 43 57 44 43 CWDCWDCWDCWDCWDC
00000170 57 44 43 57 44 43 57 00 08 00 FE FF             WDCWDCW.....
There are flag bits in the 3rd byte which appear to indicate whether a password has been set.
The last word (0xFFFE) appears to be related to Identify Device word 92 -- Master Password Revision Code.
Family Identifier / Customer ID
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000420                                  00 00 00 01 30            ....0
00000430 30 4C 39 30 30 30 30 01 00 12 00 01 00 00 00 00 0L90000.........
00000440 00 00 00 00 00                                  .....
This number ("00L90000") also exists in MOD 115, along with other similar numbers.
The text string appears to be divided in two parts:
00L9 = Family Identifier
0000 = Customer ID
A WD3200BUDT-62DPZY0 model has "0DPZ0062" in the same record.
0DPZ = Family Identifier
0062 = Customer ID
The following document provides an explanation:
http://www.acelab.ru/dep.pc/doc.pc3000d ... in-N-2.pdf
Here is an English translation:
http://translate.google.com/translate?h ... in-N-2.pdf
Original Article:
http://malthus.zapto.org/viewtopic.php? ... 3191#p3191