All times are UTC - 5 hours [ DST ]


Forum rules


Please do not post questions about data recovery cases here (use this forum instead). This forum is for topics on finding new ways to recover data. Accessing firmware, writing programs, reading bits off the platter, recovering data from dust...



Post new topic Reply to topic  [ 1 post ] 
Author Message
 Post subject: Analysis of Samsung SpinPoint F3 ROM
PostPosted: April 6th, 2014, 0:10 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 11008
Location: Australia
Analysis of Samsung SpinPoint F3 ROM

This "tutorial" is my attempt to analyse the structure of the ROM image supplied with the following Samsung F3 firmware update which addressed an AMD SB850 and Intel P67/H67 compatibility problem.

F3.exe - HD323HJ / HD502HJ / HD503HI / HD103SJ / HD105SI
http://www.seagate.com/staticfiles/supp ... ads/F3.exe

In the following thread I explain how to extract the relevant files from the aforementioned EXE:

viewtopic.php?t=28341

My intention is to analyse 1AJE4MYM.115 which is the ROM image that is applied to model HD502HJ.

Attached are the relevant firmware images and the ROM, MOVLY001, and FLDR sections which I've extracted from 1AJE4MYM.115.

At the beginning of the ROM, from 0x000 to 0x50F, is what appears to be the code that unpacks the ROM's component modules and loads them into RAM.

Offset 0x510 appears to be the beginning of the FLASHTBL. The FLASHTBL is a table of modules, both in ROM and SA. Each entry specifies the modules's starting location in ROM, its size in bytes, and its load address in memory.

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000510  5A FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
00000520  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
00000530  02 0F 01 FF 46 4C 41 53 48 54 42 4C 01 00 FF FF  ....FLASHTBL....
00000540  00 00 FF FF FF FF FF FF 00 00 00 00 00 00 00 00

00000550  01 02 BC FF 10 05 00 00 10 05 F0 FF 20 03 00 00
00000560  02 08 28 FF 30 08 00 00 30 08 F0 FF E8 12 00 00
00000570  03 00 92 FF 20 1B 00 00 00 00 00 00 D8 BA 01 00
00000580  04 01 00 FF 00 D6 01 00 00 CD 01 00 08 31 00 00
00000590  05 00 85 FF 08 D6 01 00 00 00 00 04 64 0F 00 00
000005A0  06 00 00 FF 74 E5 01 00 60 5B 00 04 00 00 00 00
000005B0  07 00 94 FF 7C E5 01 00 00 5C 00 04 44 02 00 00
000005C0  08 00 00 FF C8 E7 01 00 00 60 00 04 00 00 00 00
000005D0  09 00 4F FF D0 E7 01 00 00 D8 02 10 0C D0 01 00
000005E0  0A 01 00 FF E4 B7 03 00 00 B8 05 10 90 3E 01 00
000005F0  0B 00 E5 FF EC B7 03 00 00 00 00 14 E0 07 00 00
00000600  0C 00 AC FF D4 BF 03 00 00 B8 07 14 54 25 00 00
00000610  0D 00 00 FF 30 E5 03 00 00 00 00 1C 00 00 00 00
00000620  0E 00 00 FF 38 E5 03 00 00 00 FE 1F 00 00 00 00
00000630  0F 00 FD FF 00 E8 03 00 00 E8 F3 FF 98 17 00 00

00000640  10 FF FF FF FF FF FF FF FF FF FF FF 00 00 00 00
00000650  11 FF FF FF FF FF FF FF FF FF FF FF 00 00 00 00
........
00000700  1C FF FF FF FF FF FF FF FF FF FF FF 00 00 00 00
00000710  1D FF FF FF FF FF FF FF FF FF FF FF 00 00 00 00

00000720  FF FF FF FF FF FF FF FF 00 CD 01 00 00 33 00 00
00000730  FF FF FF FF FF FF FF FF 00 B8 05 10 00 00 02 00

00000740  FF FF FF FF FF FF FF FF FF FF FF FF 00 00 00 00
........
00000810  FF FF FF FF FF FF FF FF FF FF FF FF 00 00 00 00
00000820  00 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF


The following data were extracted from offsets 0x550 - 0x63F:

Code:
Modul Byte  Byte  Byte   Memory     Start     Size       End      Function
ID    #1    #2    #3    Address    Offset              Offset
-----------------------------------------------------------------------------
01    02    BC    FF    FFF00510  00000510  00000320  0000082F   FLASHTBL
02    08    28    FF    FFF00830  00000830  000012E8  00001B17
03    00    92    FF    00000000  00001B20  0001BAD8  0001D5F7
04    01    00 *  FF    0001CD00  0001D600  00003108  00020707   --------
05    00    85    FF    04000000  0001D608  00000F64  0001E56B
06    00    00 *  FF    04005B60  0001E574  00000000  --------   --------
07    00    94    FF    04005C00  0001E57C  00000244  0001E7BF   FIPS
08    00    00 *  FF    04006000  0001E7C8  00000000  --------   --------
09    00    4F    FF    1002D800  0001E7D0  0001D00C  0003B7DB
0A    01    00 *  FF    1005B800  0003B7E4  00013E90  0004F673   --------
0B    00    E5    FF    14000000  0003B7EC  000007E0  0003BFCB   calibration
0C    00    AC    FF    1407B800  0003BFD4  00002554  0003E527
0D    00    00 *  FF    1C000000  0003E530  00000000  --------   --------
0E    00    00 *  FF    1FFE0000  0003E538  00000000  --------   --------
0F    00    FD    FF    FFF3E800  0003E800  00001798  0003FF97   FLASHDAT


The "Module ID" does not appear to be consistent across firmware versions, so it is probably not an ID per se, but probably just reflects the number of the entry in the table.

Byte #1 might reflect the "module type".

There appear to be several entries in the table which are not ROM modules. For example, there are several that have a size of zero. These also have values of 0x00 or 0xFF for byte #2. In fact ISTM that any module with a value of 0x00 for byte #2 is not present in ROM, even if its size is non-zero.

The FLASHDAT module appears to store the ROM version (1AJe4my_.115).

I don't know what "FIPS" does.

The module I have identified as "calibration" appears to be somehow related to "adaptive" information, but I don't believe it stores any actual adaptives.

    BIAS CAL
    KT CAL
    LINCAL A
    AB CAL
    MR SKEW
    HEAD GAP
    LP GAIN0
    LP GAIN T

The same module also contains the strings "PREAMP" and "PA785X". I believe that "PA785X" is the part number of the preamp that this particular firmware expects to find.

In fact the following thread shows terminal output from good and bad HD103SJ drives:
viewtopic.php?f=1&t=27116

In normal operation the drive appears to identify the preamp type as follows:

Code:
*PA VID=0000 PN=0004 Rev=0002- 785x Found
*PA VID=0000 PN=0004 Rev=0002- 785x Found


After spinup, the drive produces the following terminal output:

Code:
Loaded FIT ( 0: 0: 1)
CalibTable Loaded. Rev:0x14
Selective MARC NX Loaded
ResoTable Loaded. Rev:0x01
Ovly loaded to 0x0001CD00
Ovly loaded to 0x1005B800


I notice that the addresses for the overlays (0x0001CD00 and 0x1005B800) correspond to the memory addresses for modules 04 and 0A in the ROM. ISTM that the drive is loading modules from the System Area on the platters to memory. This would explain why certain modules in the FLASHTBL appear to be non-resident in ROM. It appears that the table is comprised of ROM resident modules and those SA modules that are loaded at power-up.

The following entries in the FLASHTBL point to the two overlays that are loaded from the SA.

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000720  FF FF FF FF FF FF FF FF 00 CD 01 00 00 33 00 00 
00000730  FF FF FF FF FF FF FF FF 00 B8 05 10 00 00 02 00


Code:
Bytes 0x8 - 0xB     = memory address
Bytes 0xC - 0xF     = size


Here is the header of SA module MOVLY001 from another drive (HD103SJ-1AJ10001-S246JDWZ213837):

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00000010  02 00 00 00 00 01 08 FF 24 01 00 00 00 CD 01 00 
00000020  FC 30 00 00 01 01 8B FF 24 32 00 00 00 B8 05 10


Here is the same header that I carved out of the F3 firmware update:

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000010  02 00 00 00 00 01 3A FF 24 01 00 00 00 CD 01 00
00000020  08 31 00 00 01 01 21 FF 30 32 00 00 00 B8 05 10


Notice that the same two addresses appear on the 2nd and 3rd lines. This suggests that MOVLY001 is loaded into memory as two separate overlays.

Original article:
http://malthus.zapto.org/viewtopic.php? ... 1992#p1992


Attachments:
SpinPoint_F3_ROM_MOVLY001_FLDR.zip [239.96 KiB]
Downloaded 299 times
SpinPoint_F3_SB850_update.zip [2.15 MiB]
Downloaded 292 times

_________________
A backup a day keeps DR away.
Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 1 post ] 

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: No registered users and 5 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group