Switch to full style
Anything related to computer forensics (new section!)
Post a reply

Serial Console Ctrl Z Not Working

June 4th, 2019, 13:12

Hello all!

Recently I have been trying to practice some disk forensics on a HDD that a company shipped out to me, and I've found myself a little stumped. The issue I'm running into is essentially my home system can no longer recognize the HDD (at POST, nothing happens) so I'm assuming that I have a BSY error going on. I've been able to get a serial console working by using an FT232 chip and putty connection on COM port 9 (with windows) or /dev/ttyUSB0 on linux.

Previously, the HDD was able to mount successfully onto windows and I was able to recover flash software as well as the correct .lod files for firmware flashing, but at some point, the HDD became unusable via normal SATA/USB connection.

The issue I'm running into now is that in the serial console (tx/rx 4 pin connection), there is custom code running with a continuous message telling me to "patch me!" that I believe is interfering with the ctrl+z method to open console controls. I believe that the tx connection from the FT232 device is working (there's a small blipping light everytime I press a keyboard function while connected to the console). The problem with this is that in order to patch (I believe) I need to flash .lod firmware onto the drive, but because it's BSY, I can't mount it to /dev/sg# nor does windows recognize it as a device.

Is there anyway to force a ctrl+z signal to the console? Or am I locked out for good here? Are there any tools that can further examine the serial port aside from, or ontop of PuTTy?

Model No. Seagate ST3160318AS

SATA + 4pin serial connector (tx,rx,gnd,bitspeed)

FT232 connection:
https://tinkersphere.com/electronic-com ... elper.html
baud : 38400

PCB ---- FT232 => laptop
tx . ----- . rx
rx . ----- . tx
gnd . --- . gnd
. ---X

Re: Serial Console Ctrl Z Not Working

June 6th, 2019, 13:53

- You shouldn't PRACTICE with drives that you care for and that you do need the data from.

- 7200.12 drives as yours don't have the LBA-0/BSY issue that 7200.11 drives do and if you run the internet fix on 7200.12 drives you will end up at best with partial access to LBA...

- If the drive was detected correctly there shouldn't be any need to flash anything or get loaders. You could had disabled stuff with congen to facilitate recovery. Apart from that it does look like you did mess up big time.

- That "patch me" thing ... It does look like you don't have a clue about what you are doing ... Hopefully you didn't brick the ROM ... If you somehow did erase the ROM and what you are getting is the boot code mode forget about getting data out of that drive as ROM is unique ...

- You would be way better off with decent firmware tools like PC-3000, MRT or at least SeDiv ...

I don't know what sort of "forensics" you did intend to do on the drive but it does look like you did mess it up for good ...

Sorry ...

Re: Serial Console Ctrl Z Not Working

June 30th, 2019, 4:02

Were you able to bypass the patch message and send the CTRL + Z command? Did you try configuring PuTTy by modifying the data bits and parity?

Re: Serial Console Ctrl Z Not Working

September 16th, 2019, 12:32

I'm sure there are more people around with the same problem, anyone have had any luck? because i sure dont.

Adding to the first reply, a flash is necessary as its part of the challenge description.

Re: Serial Console Ctrl Z Not Working

September 17th, 2019, 0:17

Just a note, this project was a bit outside my area of expertise, and I have since moved on from the project/company. I did get shipped out another HDD which was super helpful for testing purposes (crossing whatever wires I wanted on one of them and whatever other wild experiments lol) and the two are just kicking around my house right now in case I ever want to jump back into this.

To the other responses, I was not able to bypass the message without shorting out the entire chip (thus ruining the project like Spildit mentioned in a prior post). DON'T just willy-nilly touch wires together!
On this project alone, I bricked

    1 HDD
    2 HDD power cables
    1 FT232 Chip
    1 Arduino Board
    1 USB (laptop) socket

It's good in practice for learning, but not with "real" environments. Another good tip is to grab an arduino board so you have a bit more control than just FT232 rx/tx testing (you can program signals and such, though I didn't have too much luck going this route) as well as a multimeter for testing specific connections (just set it to the "noise" dial and hit connections with R/Blk wires from the meter to test connectivity) and resistances.

So here's the advice I got from the company :

1. The HDD device is supposed to become unrecognized by a normal computer system after some time (it's programmed this way).
2. Imagine the micro-board as a mini computer. What components are analogis to say RAM? Processor? Physical memory? And then, to that end, which component(s) is the the one messing up?

My answer to the question (and confirmed over the phone) was the boot-up memory for the functioning of the device, i.e. the winbond SPI flash chip which you can find documentation for here : https://www.winbond.com/resource-files/ ... 242015.pdf.
What was wrong with it (and how to fix it), though, I can't answer. From my experience (and my memory is a bit dated as of right now) it was that some custom code running on this 4MB chip had a loop that I couldn't send messages through. The solution is a physical one (hinted at), but in practice, this proved to be rather difficult as I only had 1 previous board to work on, and mix-and-matching wires turned out to be a good way to ruin everything listed above (RIP!).

I have some diagrams posted below of the chip ins/outs as well as some of the links connecting them which I'll post below. If anyone does eventually figure this out, I would LOVE to hear their solution, but physical hardware is just beyond me as of right now :/
SPI Winbond lead mapping (microcontroller)
SPI Winbond diagram

Re: Serial Console Ctrl Z Not Working

September 17th, 2019, 8:38

what about reading the chip, disassembling the code, patching and reflashing?

I would think the patch me would have been easy to spot

Re: Serial Console Ctrl Z Not Working

September 18th, 2019, 14:34

HaQue wrote:what about reading the chip, disassembling the code, patching and reflashing?

I would think the patch me would have been easy to spot

HaQue wrote:what about reading the chip, disassembling the code, patching and reflashing?

I would think the patch me would have been easy to spot

The only reading I was able to get off of the chip happened after I bricked it (unfortunately) and I'm just not savvy enough to know how to go about getting the rest of the (real?) data off of a working version of the SPI chip.

I do have some of the raw byte code I was able to pull off of the broken HDD's Winbond SPI serial console if anyone is brave enough to download some files from a drive link from some stranger on the internet (lol) : https://drive.google.com/drive/folders/ ... iQqoMwaSP1

The CAPTURED_object file is a byte file (open it up with any good editor like Sublime or HxD) that shows most (all) of the code I was able to pull off of the Winbond console. You'll notice that it repeats at line 2048 and each line is 16 bytes long == 4KB sectors of SPI assembly(?). I was never able to fully figure out what these instructions do as it seemed a bit too involved with architecture of the actual chip (micro-processor assembly calls which, from what I could find, are NOT public information).

The CAPTURED_Short.txt file is an example of output that the serial console was giving me as I was able to step through local memory addresses. Running a small script on my host computer, I was able to just save all this stuff to a text file and transform it into CAPTURED_object for better analysis. There is a method in the console to write to the chip itself, but note : If you're able to see this same output from your serial console, the HDD is hosed from my understanding :/

Also, terribly sorry if I'm breaking any rules with that link posting, just let me know if anyone has an issue with this post and I'll take it down.
Post a reply