All times are UTC - 5 hours [ DST ]


 Post subject: Regenerating a WD ROYL ROM from SA MODs
PostPosted: March 24th, 2014, 14:34 
Joined: September 8th, 2009, 18:21
Posts: 15463
Location: Australia
Regenerating a WD ROYL ROM from SA MODs

This tutorial is my attempt to understand the process of regenerating a WD ROYL ROM from backup modules in the SA. It should be read in conjunction with the following article.

Analysis of the "ROM" on a Western Digital ROYL HDD:
http://malthus.zapto.org/viewtopic.php?f=59&t=225

Our example will be a WD10EAVS-00D7B1, firmware version 01.01A01.

The following list shows the correspondence between SA modules (MODs 102 - 109) and their ROM resident counterparts.

    MOD 102 = MOD 0A -- head map
    MOD 103 = MOD 47
    MOD 104 = MOD 0D -- identity (MODs are similar but not identical)
    MOD 105 = MOD 30
    MOD 106 = MOD 4F
    MOD 107 = MOD 0B -- module directory
    MOD 109 = header + ROM code + MOD templates

MOD 109 consists of a ROM image preceded by a 512-byte ROYL header/sector. The ROM image contains MOD "templates" which may or may not correspond to the actual MOD contents.

The ROM regeneration process involves taking MOD 109, stripping off the 512-byte header, and then replacing each of the MOD templates with its corresponding SA MOD. Each SA MOD needs to be converted to its corresponding ROM MOD by changing the MOD ID and then recomputing the module's checksum. Trailing zeros are discarded, and the module's size is adjusted according to the data in MOD 0B. MOD 0B is a directory of all the ROM MODs. It specifies the location and size of each module.

Here is SA MOD 107:

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11

00000000  52 4F 59 4C 04 00 1E 00 07 01 01 00 03 C8 F8 C5 30 30  ROYL.........ÈøÅ00
00000012  30 32 30 30 30 30 00 00 00 00 00 00 06 12 01 0A 00 3E  020000
00000024  00 00 19 00 00 B2 FF 02 00 00 00 00 00 12 01 0B 00 D1
00000036  00 00 19 00 00 E1 FE 02 00 00 00 00 00 12 01 30 00 00
00000048  04 00 19 00 00 E1 FA 02 00 00 00 00 00 12 01 47 00 00
0000005A  04 00 19 00 00 20 F3 02 00 00 00 00 00 12 01 0D 00 84
0000006C  00 00 19 00 00 9C F2 02 00 00 00 00 00 12 01 4F 00 E0
0000007E  00 00 19 00 00 20 F7 02 00 00 00 00 00 46 06 FF 0F 3F
00000090  00 26 8C 02 00 00 00 00 00 26 8C 02 00 E2 6F 03 00 26
000000A2  8C 02 00 C4 DF 06 00 26 8C 02 00 A6 4F 0A 00 26 8C 02
000000B4  00 88 BF 0D 00 26 8C 02 00 6A 2F 11 00 00 00 00 00 00


Here is ROM MOD 0B:

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11

00000000  52 4F 59 4C 04 00 1E 00 0B 00 01 00 FF C8 F8 C5 30 30  ROYL........ÿÈøÅ00
00000012  30 32 30 30 30 30 00 00 00 00 00 00 06 12 01 0A 00 3E  020000
00000024  00 00 19 00 00 B2 FF 02 00 00 00 00 00 12 01 0B 00 D1 
00000036  00 00 19 00 00 E1 FE 02 00 00 00 00 00 12 01 30 00 00 
00000048  04 00 19 00 00 E1 FA 02 00 00 00 00 00 12 01 47 00 00 
0000005A  04 00 19 00 00 20 F3 02 00 00 00 00 00 12 01 0D 00 84 
0000006C  00 00 19 00 00 9C F2 02 00 00 00 00 00 12 01 4F 00 E0 
0000007E  00 00 19 00 00 20 F7 02 00 00 00 00 00 46 06 FF 0F 3F
00000090  00 26 8C 02 00 00 00 00 00 26 8C 02 00 E2 6F 03 00 26
000000A2  8C 02 00 C4 DF 06 00 26 8C 02 00 A6 4F 0A 00 26 8C 02
000000B4  00 88 BF 0D 00 26 8C 02 00 6A 2F 11 00 00 00 00 00 00


MOD 0B template in MOD 109

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11

00000000  52 4F 59 4C 04 00 1E 00 0B 00 01 00 FD 58 8F 39 30 30  ROYL........ýX.900
00000012  30 32 30 30 30 30 00 00 00 00 00 00 06 12 01 0A 00 3E  020000...........>
00000024  00 00 19 00 00 B2 FF 02 00 00 00 00 00 12 01 0B 00 D1  .....²ÿ..........Ñ
00000036  00 00 19 00 00 E1 FE 02 00 00 00 00 00 12 01 30 00 00  .....áþ........0..
00000048  04 00 19 00 00 E1 FA 02 00 00 00 00 00 12 01 47 00 00  .....áú........G..
0000005A  04 00 19 00 00 20 F3 02 00 00 00 00 00 12 01 0D 00 84  ..... ó..........„
0000006C  00 00 19 00 00 9C F2 02 00 00 00 00 00 12 01 4F 00 E0  .....œò........O.à
0000007E  00 00 19 00 00 20 F7 02 00 00 00 00 00 46 08 FF 0F FF  ..... ÷......F.ÿ.ÿ
00000090  00 A4 A5 01 00 00 00 00 00 A4 A5 01 00 E2 6F 03 00 A4  .¤¥......¤¥..âo..¤
000000A2  A5 01 00 C4 DF 06 00 00 00 00 00 00 00 00 00 00 00 00  ¥..Äß.............
000000B4  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ..................


The ROM and SA MODs differ only in the MOD ID at offsets 0x08 - 0x09 (little endian) and the 32-bit checksum at 0x0C - 0x0F. The checksum bytes are chosen so that the 32-bit little endian sum of all double words, including the checksum bytes, is zero.

The structure of each of the 6 directory entries can be better seen in the following table:

Code:
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11

12 01 0A 00 3E 00 00 19 00 00 B2 FF 02 00 00 00 00 00
12 01 0B 00 D1 00 00 19 00 00 E1 FE 02 00 00 00 00 00
12 01 30 00 00 04 00 19 00 00 E1 FA 02 00 00 00 00 00
12 01 47 00 00 04 00 19 00 00 20 F3 02 00 00 00 00 00
12 01 0D 00 84 00 00 19 00 00 9C F2 02 00 00 00 00 00
12 01 4F 00 E0 00 00 19 00 00 20 F7 02 00 00 00 00 00


    0x02 - 0x03 = MOD ID
    0x04 - 0x05 = size in bytes
    0x0A - 0x0C = location within ROM

For example, MOD 0x000B has a size of 0x00D1 bytes and is located at offset 0x02FEE1 within the ROM.

Therefore, to incorporate MOD 107 into the ROM image, we would take MOD 109, strip off the 512-byte header, convert SA MOD 107 into ROM MOD 0B by editing the ID and checksum bytes, and then patch the first 0x00D1 bytes of MOD 0B into the ROM at offset 0x02FEE1. We would then repeat this procedure for each of the remaining 5 MODs.

The following table lists the ID and location of each MOD template in MOD 109. Note that, although MODs 30 and 47 are missing, their positions are filled with 0xFF place-holder bytes. The locations of the other MODs coincide with their locations in the ROM.

Code:
ID  offset   offset - 0x200

0D  0x2F49C  0x2F29C
4F  0x2F920  0x2F720
0B  0x300E1  0x2FEE1
0A  0x301B2  0x2FFB2


The following hex dumps illustrate the differences between the actual ROM MODs and their corresponding templates in MOD 109.

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

MOD 0A in ROM

00000000  52 4F 59 4C 04 00 1E 00 0A 00 01 00 4B 52 C2 64  ROYL........KRÂd
00000010  30 30 58 31 30 30 30 32 0A 0A 08 00 00 00 20 06  00X10002...... .
00000020  00 06 06 FC 3F 00 7C 7C 7C 52 4B 37 46 4B 46 35  ...ü?.|||RK7FKF5
00000030  55 55 00 00 00 00 00 00 00 00 00 00 95 FA        UU..........•ú


MOD 0A template in MOD 109

00000000  52 4F 59 4C 04 00 1E 00 0A 00 01 00 64 50 06 4C  ROYL........dP.L
00000010  30 30 30 31 30 30 30 30 00 00 00 00 00 00 20 06  00010000...... .
00000020  01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000030  00 00 00 00 00 00 00 00 00 00 00 00 DB FF        ............Ûÿ


Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

MOD 4F in ROM

00000000  52 4F 59 4C 04 00 1E 00 4F 00 01 00 A8 EF 50 CB  ROYL....O...¨ïPË
00000010  30 30 30 35 30 30 41 50 00 00 00 00 00 00 00 00  000500AP........
00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000050  55 AA 06 00 B5 5B 45 5C 7B 5C 42 5D 19 5E B2 5C
00000060  00 00 00 00 55 AA 06 00 54 00 30 DD 6E FF 58 FB
00000070  01 00 3F 00 1F 00 19 00 1C 00 FC FF 6D FF CE EF
00000080  AF FF 93 FB C0 FF 0E 00 0B 00 F7 FF 0E 00 FE FF
00000090  04 F8 37 E5 65 FF 5B FB EB FF 39 00 F7 FF E2 FF
000000A0  EE FF E1 FF 8B 03 4A EE 7C FF A9 FB F7 FF 50 00
000000B0  F1 FF 15 00 E4 FF FD FF 05 FD 6B E0 94 FF E6 FA
000000C0  0C 00 65 00 12 00 D3 FF DB FF F0 FF 92 00 B0 E6
000000D0  2D FF 36 FB 06 00 DF FF 09 00 E8 FF 01 00 24 00


MOD 4F template in MOD 109

00000000  52 4F 59 4C 04 00 1E 00 4F 00 01 00 FB 4F 16 2E  ROYL....O...ûO..
00000010  30 30 30 35 30 30 41 50 00 00 00 00 00 00 00 00  000500AP........
00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
........
000000D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................



Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

MOD 0D in ROM

00000000  52 4F 59 4C 04 00 1E 00 0D 00 01 00 8E D7 8E F2  ROYL........Ž×Žò
00000010  30 30 30 31 30 30 30 30 00 00 00 00 00 00 00 01  00010000........
00000020  30 31 2E 30 31 41 30 31 02 01 03 00 00 00 50 01  01.01A01......P.
00000030  4E E2 02 19 1F 40 00 01 FE FF 00 00 00 00 00 00  Nâ...@..þÿ......
00000040  01 01 01 00 00 00 20 20 20 20 20 20 20 20 20 20  ......         
00000050  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                 
00000060  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                 
00000070  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                 
00000080  20 20                                             


MOD 0D template in MOD 109

00000000  52 4F 59 4C 04 00 1E 00 0D 00 01 00 FE 0B E2 0C  ROYL........þ.â.
00000010  30 30 30 31 30 30 30 30 00 00 00 00 00 00 00 00  00010000........
00000020  30 30 2E 30 30 30 30 30 00 01 03 02 00 00 00 00  00.00000........
00000030  00 00 00 00 00 00 00 01 FE FF 00 00 00 00 00 00  ........þÿ......
00000040  01 01 01 00 00 00 20 20 20 20 20 20 20 20 20 20  ......         
00000050  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                 
00000060  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                 
00000070  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                 
00000080  20 20 00 00                                        ..


MOD 104 in SA

00000000  52 4F 59 4C 04 00 1E 00 04 01 01 00 07 0B E2 0C  ROYL..........â.
00000010  30 30 30 31 30 30 30 30 00 00 00 00 00 00 00 00  00010000........
00000020  30 30 2E 30 30 30 30 30 00 01 03 02 00 00 00 00  00.00000........
00000030  00 00 00 00 00 00 00 01 FE FF 00 00 00 00 00 00  ........þÿ......
00000040  01 01 01 00 00 00 20 20 20 20 20 20 20 20 20 20  ......         
00000050  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                 
00000060  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                 
00000070  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                 
00000080  20 20 00 00                                        ..


MOD 104 matches the MOD 0D template in MOD 109. However, the actual content of MOD 0D in ROM is significantly different.

Original article:
http://malthus.zapto.org/viewtopic.php? ... 2710#p2710

_________________
A backup a day keeps DR away.
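
Added example, not part of the original post: the MOD 107 to MOD 0B conversion described above, written in Python and run over the SA MOD 107 dump from the post. The function names, the directory start offset 0x1F (read off the dump) and the zero-padding of the module to one sector are assumptions of this example.

```python
import struct

# SA MOD 107 exactly as dumped in the post (18 bytes per row). Zero-padding it
# to one 512-byte sector is an assumption of this example.
SA_MOD_107 = bytes.fromhex("""
52 4F 59 4C 04 00 1E 00 07 01 01 00 03 C8 F8 C5 30 30
30 32 30 30 30 30 00 00 00 00 00 00 06 12 01 0A 00 3E
00 00 19 00 00 B2 FF 02 00 00 00 00 00 12 01 0B 00 D1
00 00 19 00 00 E1 FE 02 00 00 00 00 00 12 01 30 00 00
04 00 19 00 00 E1 FA 02 00 00 00 00 00 12 01 47 00 00
04 00 19 00 00 20 F3 02 00 00 00 00 00 12 01 0D 00 84
00 00 19 00 00 9C F2 02 00 00 00 00 00 12 01 4F 00 E0
00 00 19 00 00 20 F7 02 00 00 00 00 00 46 06 FF 0F 3F
00 26 8C 02 00 00 00 00 00 26 8C 02 00 E2 6F 03 00 26
8C 02 00 C4 DF 06 00 26 8C 02 00 A6 4F 0A 00 26 8C 02
00 88 BF 0D 00 26 8C 02 00 6A 2F 11 00 00 00 00 00 00
""").ljust(0x200, b"\x00")

def dword_sum(data):
    # 32-bit little-endian sum of all dwords; a short tail is zero-padded.
    data = bytes(data) + bytes(-len(data) % 4)
    return sum(struct.unpack("<%dI" % (len(data) // 4), data)) & 0xFFFFFFFF

def parse_directory(mod0b, first=0x1F, count=6, entry_len=18):
    # Entry layout from the post: ID at 0x02, size at 0x04, location at 0x0A-0x0C.
    out = {}
    for pos in range(first, first + count * entry_len, entry_len):
        mod_id, size = struct.unpack_from("<HH", mod0b, pos + 2)
        out[mod_id] = (size, int.from_bytes(mod0b[pos + 0x0A:pos + 0x0D], "little"))
    return out

def sa_to_rom(sa_mod, rom_id, size):
    # Refuse to truncate real data: only trailing zeros may be discarded.
    if sa_mod[:4] != b"ROYL" or any(sa_mod[size:]):
        raise ValueError("not a ROYL module, or data beyond directory size")
    mod = bytearray(sa_mod[:size])
    struct.pack_into("<H", mod, 0x08, rom_id)   # new MOD ID
    struct.pack_into("<I", mod, 0x0C, 0)        # clear the old checksum
    struct.pack_into("<I", mod, 0x0C, -dword_sum(mod) & 0xFFFFFFFF)
    return bytes(mod)

def patch_rom(mod109, rom_mod, offset):
    rom = bytearray(mod109[0x200:])             # strip the 512-byte ROYL header
    if offset + len(rom_mod) > len(rom):
        raise ValueError("module does not fit in the ROM image")
    rom[offset:offset + len(rom_mod)] = rom_mod
    return bytes(rom)
```

Calling `sa_to_rom(SA_MOD_107, 0x0B, 0xD1)` reproduces the ID and checksum bytes of the ROM MOD 0B dump in the post (0B 00 and FF C8 F8 C5).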


 Post subject: Re: Regenerating a WD ROYL ROM from SA MODs
PostPosted: April 17th, 2014, 13:15 

Joined: July 22nd, 2013, 13:04
Posts: 71
Location: US
Thanks for the help :)

