Regenerating a WD ROYL ROM from SA MODs
This tutorial is my attempt to understand the process of regenerating a WD ROYL ROM from backup modules in the SA. It should be read in conjunction with the following article.
Analysis of the "ROM" on a Western Digital ROYL HDD:
http://malthus.zapto.org/viewtopic.php?f=59&t=225
Our example will be a WD10EAVS-00D7B1, firmware version 01.01A01.
The following list shows the correspondence between SA modules (MODs 102 - 109) and their ROM resident counterparts.
MOD 102 = MOD 0A -- head map
MOD 103 = MOD 47
MOD 104 = MOD 0D -- identity (MODs are similar but not identical)
MOD 105 = MOD 30
MOD 106 = MOD 4F
MOD 107 = MOD 0B -- module directory
MOD 109 = header + ROM code + MOD templates
MOD 109 consists of a ROM image preceded by a 512-byte ROYL header/sector. The ROM image contains MOD "templates" which may or may not correspond to the actual MOD contents.
The ROM regeneration process involves taking MOD 109, stripping off the 512-byte header, and then replacing each of the MOD templates with its corresponding SA MOD. Each SA MOD needs to be converted to its corresponding ROM MOD by changing the MOD ID and then recomputing the module's checksum. Trailing zeros are discarded, and the module's size is adjusted according to the data in MOD 0B. MOD 0B is a directory of all the ROM MODs. It specifies the location and size of each module.
Here is SA MOD 107:
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11
00000000 52 4F 59 4C 04 00 1E 00 07 01 01 00 03 C8 F8 C5 30 30 ROYL.........ÈøÅ00
00000012 30 32 30 30 30 30 00 00 00 00 00 00 06 12 01 0A 00 3E 020000
00000024 00 00 19 00 00 B2 FF 02 00 00 00 00 00 12 01 0B 00 D1
00000036 00 00 19 00 00 E1 FE 02 00 00 00 00 00 12 01 30 00 00
00000048 04 00 19 00 00 E1 FA 02 00 00 00 00 00 12 01 47 00 00
0000005A 04 00 19 00 00 20 F3 02 00 00 00 00 00 12 01 0D 00 84
0000006C 00 00 19 00 00 9C F2 02 00 00 00 00 00 12 01 4F 00 E0
0000007E 00 00 19 00 00 20 F7 02 00 00 00 00 00 46 06 FF 0F 3F
00000090 00 26 8C 02 00 00 00 00 00 26 8C 02 00 E2 6F 03 00 26
000000A2 8C 02 00 C4 DF 06 00 26 8C 02 00 A6 4F 0A 00 26 8C 02
000000B4 00 88 BF 0D 00 26 8C 02 00 6A 2F 11 00 00 00 00 00 00
Here is ROM MOD 0B:
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11
00000000 52 4F 59 4C 04 00 1E 00 0B 00 01 00 FF C8 F8 C5 30 30 ROYL........ÿÈøÅ00
00000012 30 32 30 30 30 30 00 00 00 00 00 00 06 12 01 0A 00 3E 020000
00000024 00 00 19 00 00 B2 FF 02 00 00 00 00 00 12 01 0B 00 D1
00000036 00 00 19 00 00 E1 FE 02 00 00 00 00 00 12 01 30 00 00
00000048 04 00 19 00 00 E1 FA 02 00 00 00 00 00 12 01 47 00 00
0000005A 04 00 19 00 00 20 F3 02 00 00 00 00 00 12 01 0D 00 84
0000006C 00 00 19 00 00 9C F2 02 00 00 00 00 00 12 01 4F 00 E0
0000007E 00 00 19 00 00 20 F7 02 00 00 00 00 00 46 06 FF 0F 3F
00000090 00 26 8C 02 00 00 00 00 00 26 8C 02 00 E2 6F 03 00 26
000000A2 8C 02 00 C4 DF 06 00 26 8C 02 00 A6 4F 0A 00 26 8C 02
000000B4 00 88 BF 0D 00 26 8C 02 00 6A 2F 11 00 00 00 00 00 00
MOD 0B template in MOD 109
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11
00000000 52 4F 59 4C 04 00 1E 00 0B 00 01 00 FD 58 8F 39 30 30 ROYL........ýX.900
00000012 30 32 30 30 30 30 00 00 00 00 00 00 06 12 01 0A 00 3E 020000...........>
00000024 00 00 19 00 00 B2 FF 02 00 00 00 00 00 12 01 0B 00 D1 .....²ÿ..........Ñ
00000036 00 00 19 00 00 E1 FE 02 00 00 00 00 00 12 01 30 00 00 .....áþ........0..
00000048 04 00 19 00 00 E1 FA 02 00 00 00 00 00 12 01 47 00 00 .....áú........G..
0000005A 04 00 19 00 00 20 F3 02 00 00 00 00 00 12 01 0D 00 84 ..... ó..........„
0000006C 00 00 19 00 00 9C F2 02 00 00 00 00 00 12 01 4F 00 E0 .....œò........O.à
0000007E 00 00 19 00 00 20 F7 02 00 00 00 00 00 46 08 FF 0F FF ..... ÷......F.ÿ.ÿ
00000090 00 A4 A5 01 00 00 00 00 00 A4 A5 01 00 E2 6F 03 00 A4 .¤¥......¤¥..âo..¤
000000A2 A5 01 00 C4 DF 06 00 00 00 00 00 00 00 00 00 00 00 00 ¥..Äß.............
000000B4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..................
The ROM and SA MODs differ only in the MOD ID at offsets 0x08 - 0x09 (little endian) and the 32-bit checksum at 0x0C - 0x0F. The checksum bytes are chosen so that the 32-bit little endian sum of all double words, including the checksum bytes, is zero.
The structure of each of the 6 directory entries can be better seen in the following table:
Code:
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11
12 01 0A 00 3E 00 00 19 00 00 B2 FF 02 00 00 00 00 00
12 01 0B 00 D1 00 00 19 00 00 E1 FE 02 00 00 00 00 00
12 01 30 00 00 04 00 19 00 00 E1 FA 02 00 00 00 00 00
12 01 47 00 00 04 00 19 00 00 20 F3 02 00 00 00 00 00
12 01 0D 00 84 00 00 19 00 00 9C F2 02 00 00 00 00 00
12 01 4F 00 E0 00 00 19 00 00 20 F7 02 00 00 00 00 00
0x02 - 0x03 = MOD ID
0x04 - 0x05 = size in bytes
0x0A - 0x0C = location within ROM
For example, MOD 0x000B has a size of 0x00D1 bytes and is located at offset 0x02FEE1 within the ROM.
Therefore, to incorporate MOD 107 into the ROM image, we would take MOD 109, strip off the 512-byte header, convert SA MOD 107 into ROM MOD 0B by editing the ID and checksum bytes, and then patch the first 0x00D1 bytes of MOD 0B into the ROM at offset 0x02FEE1. We would then repeat this procedure for each of the remaining 5 MODs.
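The conversion and patch steps described above, as an added Python example (not code from the original article). The SA MOD 107 bytes are copied from the dump above; the zero bytes past 0xC5, the padding to 512 bytes, the directory start offset 0x1F read off that dump, the function names and the 0xFF-filled ROM buffer are assumptions of this example.

```python
import struct

# SA MOD 107 bytes 0x00-0xC5, copied from the dump above. Bytes past 0xC5 are not
# shown on the page; assumed zero here, padded to one 512-byte sector.
SA_MOD_107 = bytes.fromhex(
    "524F594C04001E000701010003C8F8C530303032303030300000000000000612010A003E"
    "0000190000B2FF02000000000012010B00D10000190000E1FE0200000000001201300000"
    "0400190000E1FA0200000000001201470000040019000020F302000000000012010D0084"
    "00001900009CF202000000000012014F00E0000019000020F70200000000004606FF0F3F"
    "00268C020000000000268C0200E26F0300268C0200C4DF0600268C0200A64F0A00268C02"
    "0088BF0D00268C02006A2F11000000000000"
).ljust(512, b"\0")
DIR_START, ENTRY_LEN, ENTRY_COUNT = 0x1F, 18, 6  # read off the dump above

def checksum(mod):
    """Value for 0x0C-0x0F that makes the little-endian dword sum wrap to zero."""
    body = bytearray(mod)
    body[0x0C:0x10] = bytes(4)
    body += bytes(-len(body) % 4)          # pad to a whole number of dwords
    return -sum(struct.unpack(f"<{len(body) // 4}I", body)) & 0xFFFFFFFF

def sa_to_rom(sa_mod, rom_id):
    """Rewrite the MOD ID at 0x08-0x09, then recompute the checksum."""
    mod = bytearray(sa_mod)
    struct.pack_into("<H", mod, 0x08, rom_id)
    struct.pack_into("<I", mod, 0x0C, checksum(mod))
    return bytes(mod)

def parse_directory(mod_0b):
    """Map MOD ID -> (size in bytes, offset within ROM) from the 18-byte entries."""
    entries = {}
    for off in range(DIR_START, DIR_START + ENTRY_COUNT * ENTRY_LEN, ENTRY_LEN):
        mod_id, size = struct.unpack_from("<HH", mod_0b, off + 0x02)
        entries[mod_id] = (size, int.from_bytes(mod_0b[off + 0x0A:off + 0x0D], "little"))
    return entries

def patch(rom, rom_mod, directory):
    """Copy the first `size` bytes of rom_mod into its directory slot in rom."""
    size, loc = directory[struct.unpack_from("<H", rom_mod, 0x08)[0]]
    if any(rom_mod[size:]) or loc + size > len(rom):
        raise ValueError("module has data past its directory size or slot is outside ROM")
    rom[loc:loc + size] = rom_mod[:size]
    return loc, size

if __name__ == "__main__":
    rom = bytearray(b"\xFF" * 0x30000)  # constructed stand-in for MOD 109 minus header
    mod_0b = sa_to_rom(SA_MOD_107, 0x000B)
    print(mod_0b[0x0C:0x10].hex(), patch(rom, mod_0b, parse_directory(mod_0b)))
```

For an actual rebuild, `rom` would be MOD 109 with its first 512 bytes removed, and `sa_to_rom` and `patch` would be repeated for each of the remaining SA MODs with its ROM ID from the correspondence list.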
The following table lists the ID and location of each MOD template in MOD 109. Note that, although MODs 30 and 47 are missing, their positions are filled with 0xFF place-holder bytes. The locations of the other MODs coincide with their locations in the ROM.
Code:
ID offset offset - 0x200
0D 0x2F49C 0x2F29C
4F 0x2F920 0x2F720
0B 0x300E1 0x2FEE1
0A 0x301B2 0x2FFB2
The following hex dumps illustrate the differences between the actual ROM MODs and their corresponding templates in MOD 109.
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
MOD 0A in ROM
00000000 52 4F 59 4C 04 00 1E 00 0A 00 01 00 4B 52 C2 64 ROYL........KRÂd
00000010 30 30 58 31 30 30 30 32 0A 0A 08 00 00 00 20 06 00X10002...... .
00000020 00 06 06 FC 3F 00 7C 7C 7C 52 4B 37 46 4B 46 35 ...ü?.|||RK7FKF5
00000030 55 55 00 00 00 00 00 00 00 00 00 00 95 FA UU..........•ú
MOD 0A template in MOD 109
00000000 52 4F 59 4C 04 00 1E 00 0A 00 01 00 64 50 06 4C ROYL........dP.L
00000010 30 30 30 31 30 30 30 30 00 00 00 00 00 00 20 06 00010000...... .
00000020 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030 00 00 00 00 00 00 00 00 00 00 00 00 DB FF ............Ûÿ
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
MOD 4F in ROM
00000000 52 4F 59 4C 04 00 1E 00 4F 00 01 00 A8 EF 50 CB ROYL....O...¨ïPË
00000010 30 30 30 35 30 30 41 50 00 00 00 00 00 00 00 00 000500AP........
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000050 55 AA 06 00 B5 5B 45 5C 7B 5C 42 5D 19 5E B2 5C
00000060 00 00 00 00 55 AA 06 00 54 00 30 DD 6E FF 58 FB
00000070 01 00 3F 00 1F 00 19 00 1C 00 FC FF 6D FF CE EF
00000080 AF FF 93 FB C0 FF 0E 00 0B 00 F7 FF 0E 00 FE FF
00000090 04 F8 37 E5 65 FF 5B FB EB FF 39 00 F7 FF E2 FF
000000A0 EE FF E1 FF 8B 03 4A EE 7C FF A9 FB F7 FF 50 00
000000B0 F1 FF 15 00 E4 FF FD FF 05 FD 6B E0 94 FF E6 FA
000000C0 0C 00 65 00 12 00 D3 FF DB FF F0 FF 92 00 B0 E6
000000D0 2D FF 36 FB 06 00 DF FF 09 00 E8 FF 01 00 24 00
MOD 4F template in MOD 109
00000000 52 4F 59 4C 04 00 1E 00 4F 00 01 00 FB 4F 16 2E ROYL....O...ûO..
00000010 30 30 30 35 30 30 41 50 00 00 00 00 00 00 00 00 000500AP........
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
........
000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
MOD 0D in ROM
00000000 52 4F 59 4C 04 00 1E 00 0D 00 01 00 8E D7 8E F2 ROYL........Ž×Žò
00000010 30 30 30 31 30 30 30 30 00 00 00 00 00 00 00 01 00010000........
00000020 30 31 2E 30 31 41 30 31 02 01 03 00 00 00 50 01 01.01A01......P.
00000030 4E E2 02 19 1F 40 00 01 FE FF 00 00 00 00 00 00 Nâ...@..þÿ......
00000040 01 01 01 00 00 00 20 20 20 20 20 20 20 20 20 20 ......
00000050 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
00000060 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
00000070 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
00000080 20 20
MOD 0D template in MOD 109
00000000 52 4F 59 4C 04 00 1E 00 0D 00 01 00 FE 0B E2 0C ROYL........þ.â.
00000010 30 30 30 31 30 30 30 30 00 00 00 00 00 00 00 00 00010000........
00000020 30 30 2E 30 30 30 30 30 00 01 03 02 00 00 00 00 00.00000........
00000030 00 00 00 00 00 00 00 01 FE FF 00 00 00 00 00 00 ........þÿ......
00000040 01 01 01 00 00 00 20 20 20 20 20 20 20 20 20 20 ......
00000050 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
00000060 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
00000070 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
00000080 20 20 00 00 ..
MOD 104 in SA
00000000 52 4F 59 4C 04 00 1E 00 04 01 01 00 07 0B E2 0C ROYL..........â.
00000010 30 30 30 31 30 30 30 30 00 00 00 00 00 00 00 00 00010000........
00000020 30 30 2E 30 30 30 30 30 00 01 03 02 00 00 00 00 00.00000........
00000030 00 00 00 00 00 00 00 01 FE FF 00 00 00 00 00 00 ........þÿ......
00000040 01 01 01 00 00 00 20 20 20 20 20 20 20 20 20 20 ......
00000050 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
00000060 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
00000070 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
00000080 20 20 00 00 ..
MOD 104 matches the MOD 0D template in MOD 109. However, the actual content of MOD 0D in ROM is significantly different.
Original article:
http://malthus.zapto.org/viewtopic.php? ... 2710#p2710