All times are UTC - 5 hours [ DST ]


Forum rules


Please do not post questions about data recovery cases here (use this forum instead). This forum is for topics on finding new ways to recover data. Accessing firmware, writing programs, reading bits off the platter, recovering data from dust...



Post new topic Reply to topic  [ 2 posts ] 
Author Message
 Post subject: Customising firmware to identify stolen property
PostPosted: August 26th, 2016, 17:32 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 9609
Location: Australia
Here is one way to customise the firmware in your WD drive so that it can be uniquely traced to you in the event that your computer is stolen.

The method involves adding an extra section to module #02.

Offset 0x18 (pre-ROYL) or offset 0x30 (ROYL) reports the number of sections in the module. Subsequent words define the offset and size of each section.

Here is a pre-ROYL example:

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  04 0C 06 FD 02 30 38 30 30 3F 00 00 00 00 00 00  ...ý.0800?......
00000010  00 00 00 00 00 00 02 00 1C 00 8A 00 16 00 A0 00  ..........Š... .
00000020  1E 00 BE 00 19 00 D7 00 33 00 70 01 11 00 81 01  ..¾...×.3.p.....
00000030  18 00 B1 01 0A 00 BB 01 09 00 C4 01 15 00 D9 01  ..±...»...Ä...Ù.
00000040  11 00 EA 01 1C 00 06 02 14 00 1A 02 1F 00 39 02  ..ê...........9.
00000050  3A 00 73 02 15 00 88 02 14 00 9C 02 20 00 BC 02  :.s...ˆ...œ. .¼.
00000060  4C 00 08 03 4C 00 0A 01 33 00 3D 01 33 00 99 01  L...L...3.=.3.™.
00000070  18 00 54 03 10 00 64 03 12 00 76 03 56 00 CC 03  ..T...d...v.V.Ì.
00000080  06 00 D2 03 06 00 D8 03 06 00 00 01 57 44 2D 57  ..Ò...Ø.....WD-W

The number of sections is 0x1C. The first section is located at offset 0x8A and has a size of 0x16 bytes.

Start by increasing the number of sections by 1, ie change 0x1C to 0x1D. Then shift the data area by 4 bytes to accommodate the offset and size of the new section. Determine the location and size of the extra section and edit the table accordingly.

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  04 0C 06 FD 02 30 38 30 30 3F 00 00 00 00 00 00  ...ý.0800?......
00000010  00 00 00 00 00 00 02 00 1D 00 8A 00 16 00 A0 00  ..........Š... .
                                  ^^^^^
00000020  1E 00 BE 00 19 00 D7 00 33 00 70 01 11 00 81 01  ..¾...×.3.p.....
00000030  18 00 B1 01 0A 00 BB 01 09 00 C4 01 15 00 D9 01  ..±...»...Ä...Ù.
00000040  11 00 EA 01 1C 00 06 02 14 00 1A 02 1F 00 39 02  ..ê...........9.
00000050  3A 00 73 02 15 00 88 02 14 00 9C 02 20 00 BC 02  :.s...ˆ...œ. .¼.
00000060  4C 00 08 03 4C 00 0A 01 33 00 3D 01 33 00 99 01  L...L...3.=.3.™.
00000070  18 00 54 03 10 00 64 03 12 00 76 03 56 00 CC 03  ..T...d...v.V.Ì.
00000080  06 00 D2 03 06 00 D8 03 06 00 00 00 00 00 00 01  ..Ò...Ø.........
                                        ^^^^^^^^^^^

Now add +4 to each of the section offsets in the table.

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  04 0C 06 FD 02 30 38 30 30 3F 00 00 00 00 00 00  ...ý.0800?......
00000010  00 00 00 00 00 00 02 00 1D 00 8E 00 16 00 A4 00  ..........Ž...¤.
                                        ^^          ^^

Your customised section could contain any information of your choosing, eg your name. I'll post a complete example, plus a software tool, in due course. I know that one particular lurker will be very interested. ;-)

One caveat is that you need to ensure that the additional section does not cross a sector boundary. If this happens, then you will need to edit the directory (module 01) to increase the size of the module by 1 sector and then ensure that there remains a gap between module 02 and the next module on the same track.

If someone motivates me enough, I'll post another method. ISTM that this approach could form the basis for a useful community service. Perhaps a tutorial at Tom's Hardware would be well received.

I have few more ideas in respect of other storage media. For example, SanDisk's flash products have a few possibilities in this regard. Their CF cards are particularly good candidates for investigation with a cheap home-made IDE logger. Current events in another storage forum have really begun to motivate me. :-|

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: Customising firmware to identify stolen property
PostPosted: August 29th, 2016, 10:46 
Offline
User avatar

Joined: September 29th, 2005, 12:02
Posts: 3110
Location: Chicago
fzabkar wrote:
Perhaps a tutorial at Tom's Hardware would be well received.

If that happens WD would ensure that SA access won't be that easy on the next generation

_________________
https://www.linkedin.com/in/artemrubtsov/


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 2 posts ] 

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: Google [Bot] and 3 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group