All times are UTC - 5 hours [ DST ]




Post new topic Reply to topic  [ 7 posts ] 
Author Message
 Post subject: Harware specific HDD commands.
PostPosted: December 17th, 2006, 18:41 
Offline

Joined: December 17th, 2006, 17:42
Posts: 9
Location: Poland
I've wrote a few low level HDD access programs. But, all commands I can use are those in the ATA specification.

What I'm looking for are the commands exceeding the specification. I was unable to find a source for such informations. Yet, I know those commands are existing. In other words, I'm looking for ways to do things not covered by the ATA.

So far, I was able to write an LBA48 restore program (when the samsung Hutil refused to enable it, after switching it off). Or a few password recovery utilities. Yet, all those were done with what ATA specification provided.

I have a few tricks in my pockets I can share with others. But, I would like to learn something useful, as well.


Top
 Profile  
 
 Post subject:
PostPosted: December 22nd, 2006, 20:32 
Offline
User avatar

Joined: December 19th, 2006, 8:49
Posts: 10828
Location: Portugal
I also could use those vendor specific ATA commands ....
If you find something, please let me know.

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.


Top
 Profile  
 
 Post subject:
PostPosted: January 9th, 2007, 13:00 
Offline

Joined: December 23rd, 2006, 10:50
Posts: 28
I've found some, but still experimenting with them ...


Top
 Profile  
 
 Post subject:
PostPosted: January 9th, 2007, 13:19 
Offline

Joined: December 17th, 2006, 17:42
Posts: 9
Location: Poland
I've been experimenting with IBM DJSA drive. Looks like there is a FE command available. Feature register is the subcommand (function) switch.

A1 subcommand sends service area block list.
A2 reads a particular block
A4 saves a paticular block
A6 tranfsers something (unknown)

there are a few other unknown commands, as well.


Top
 Profile  
 
 Post subject:
PostPosted: January 10th, 2007, 6:01 
Offline

Joined: December 17th, 2006, 17:42
Posts: 9
Location: Poland
The FE A2 command reads a block from the drive. To make it work it is necesary to fill in proper values in the drive registers. The table of blocks readed by FE A1 commands gives the detailed data:

Code:
00000  52 44 4D 31 | C9 40 FE 0F | 20 00 00 00 | 01 00 00 00   RDM1É@ţ ...
00010  52 44 4D 32 | C9 41 FE 0F | 20 00 00 00 | 01 00 00 00   RDM2ÉAţ ...
       Name        | Register values
                     |  |  |  |  | Sector Count
                     |  |  |  SDH
                     |  |  Cylinder high
                     |  Cylinder Low
                     Sector number

The amount of sectors is kept in the Sector Count register.


Top
 Profile  
 
 Post subject:
PostPosted: January 11th, 2007, 0:14 
Offline

Joined: December 23rd, 2006, 10:50
Posts: 28
The interesting, hidden, 'vendor specific' commands are not easy to get to. The people that know them on this forum won't tell you, but luckily, if you work hard enough, you can find them out yourself :)

These 'secret' commands that nobody will explain to you, vary from model to model.

Sometimes dedicated 'new' commands are used, like the 0xFE for DJSA that you described. Alternatively, sometimes these Vendor commands are extensions to 'normal' (not vendor specific) commands. For example, on most modern Western Digital HDD's, the interesting 'secret' commands are extensions to the 'SMART' 0xD0h ATA cmd. They can be accessed by setting special values in the Feature register en sector/cylinder selectors. But not only the features and the sector/cylinders regs are being used to 'convert' normal ATA cmds to vendor specific commands, sometimes even the drivehead register has to be set differently, to get to the 'secret' code => bit 7, 6 and 5 should always be 1,0,1 .... according to the standard ATA specifications ;) So you have to think 'out of the box' ...

And sometimes standard ATA's are used, but you have to issue another 'unlock' ATA first to modify behaviour (the 'unlock' command (i believe somebody called it 'SuperOn', on this forum) switches the drive to a different mode). For example, on some HDD's you can read the SA with normal 0x20/0x21 ATA commands, BUT you have to issue the 'unlock' ATA before, otherwise the drive will reject reading the SA. And sometimes a combination is used (for example, the extensions to 0xD0 on WD, won't work, if you haven't sent the WD 'superon' command first)

Anyway, can't help you with the specific DJSA drive, haven't looked into that one, but hope this info is useful to you.


Top
 Profile  
 
 Post subject:
PostPosted: January 15th, 2007, 12:14 
Offline

Joined: December 17th, 2006, 17:42
Posts: 9
Location: Poland
Here are the module names I've found on a DJSA dive:

RDM1
RDM2
ELG1
ELG2
PID1
PID2
PIDM
ZONE
PDM1
PDM2
SRVM
CHNM
MFGP
AMPM
HLR1
HLR2
DDD0
MRDM
DIAG
WRT0
WRT1
WRT2
WRT3

I can read all modules except the last 3 ones WRT1, WRT2 and WRT3. The drive reports some strange errors while reading them.

The DIAG block holds old reports of the IBM DFT utility. I do not know the purpose of other blocks.


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 7 posts ] 

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: Google Adsense [Bot] and 5 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group