Original Article here :http://www.hddoracle.com/viewtopic.php?f=59&t=1214
On this experiment I'm going to exemplify using the HRT ATA Terminal how an ATA password is set on a drive to lock it up and how it's possible to remove it, when the password it's known.
While I'm using for this experiment my HRT card (that I consider to be the best tool ever made for HDD firmware research) the following demonstration can be executed as well with other tools that provide direct I/O to the drive ATA interface and allow sending ATA commands to the drive.
For demonstration purpose only I'm using my old Quantum AS drive and some VSC (Vendor Specific Commands) to verify the experiment steps, but the basic understanding of how ATA passwords work can be applied to all modern drives and the commands to Lock, Unlock and Remove the password from the drive are ATA standard and NOT vendor specific.
Hope that you enjoy this demonstration and that you can learn something new.
Let's start by locking my test drive with the User password "Spildit" using Victoria for Windows :
As we can see my drive is now locked by ATA password.
Let's confirm it.
I'm going to issue a Quantum Vendor Specific Command by the use of a "Super" non-standard ATA terminal that will send a specific "string" of vendor specific command to the drive to "read" a CP containing the ATA user and Master password. This is NOT a standard ATA command and as such depends upon the drive we are using. I'm just posting this step as a confirmation for the presence of the ATA password on the drive CP/Firmware.
We issue the "Super On" to place the drive in a mode to accept VSC, then we issue a command to read from the drive the CD number 15 (0F in HEX) that contains the passwords. Then we dump the buffer.
As we can see our password is displayed
Now that we know our password let's just unlock the drive and disable the password using STANDARD ATA commands.
What I'm going to do next is NOT vendor specific and can be used on ANY modern drive as long as you know the ATA password, even if the password is a not readable hex-string :
Using the option to "Make Buffer" I create a "buffer" to be send to the drive with 512 bytes (a sector size buffer) and dump it.
As I'm going to use a "User" password I leave the first 2 bytes of my buffer as 00 and fill in the password that I want to use, either in HEX or ASCII. On this example I'm going to use "Spildit" as it's the correct password for my drive. Then I close the Buffer window and I will have a Buffer ready to be sent to the drive.
Now I issue the Security Unlock ATA standard command and wait for the drive to lit the DRQ status. DRQ is "Data Request" and means that there is request of data transfer to/from buffer. As soon as I confirm that the drive is waiting to get data I send my Buffer with the password and the drive goes back to DRDY and DSC. This means the command was accepted with success and there was no error with it. Now the drive should be unlocked.
Finally I repeat the same step but this time with the standard ATA command to REMOVE/DISABLE the ATA password. While the command to unlock the drive will only last until the drive is powered off and on again, Disabling the ATA password will make the drive unlocked even when it's re-powered. Yet it's important to remember that on the majority of drives it's necessary to unlock first and only then the drive will accept the command to disable the password. This might not be true for all drives.
Now we do an ATA reset or we power off - on the drive using the integrated HRT hardware power switching relay and as we can see, the drive is no longer locked by ATA password.
On this small experimentation I've demonstrated how a known ATA password can be sent to the drive using direct I/O and standard ATA commands in order to unlock the drive and remove the password.
Hope that you enjoyed this small guide and learned something new from it.