Harware specific HDD commands.
Page 1 of 1

Author:  Sfor [ December 17th, 2006, 18:41 ]
Post subject:  Harware specific HDD commands.

I've wrote a few low level HDD access programs. But, all commands I can use are those in the ATA specification.

What I'm looking for are the commands exceeding the specification. I was unable to find a source for such informations. Yet, I know those commands are existing. In other words, I'm looking for ways to do things not covered by the ATA.

So far, I was able to write an LBA48 restore program (when the samsung Hutil refused to enable it, after switching it off). Or a few password recovery utilities. Yet, all those were done with what ATA specification provided.

I have a few tricks in my pockets I can share with others. But, I would like to learn something useful, as well.

Author:  Spildit [ December 22nd, 2006, 20:32 ]
Post subject: 

I also could use those vendor specific ATA commands ....
If you find something, please let me know.

Author:  aimtrading [ January 9th, 2007, 13:00 ]
Post subject: 

I've found some, but still experimenting with them ...

Author:  Sfor [ January 9th, 2007, 13:19 ]
Post subject: 

I've been experimenting with IBM DJSA drive. Looks like there is a FE command available. Feature register is the subcommand (function) switch.

A1 subcommand sends service area block list.
A2 reads a particular block
A4 saves a paticular block
A6 tranfsers something (unknown)

there are a few other unknown commands, as well.

Author:  Sfor [ January 10th, 2007, 6:01 ]
Post subject: 

The FE A2 command reads a block from the drive. To make it work it is necesary to fill in proper values in the drive registers. The table of blocks readed by FE A1 commands gives the detailed data:

00000  52 44 4D 31 | C9 40 FE 0F | 20 00 00 00 | 01 00 00 00   RDM1É@ţ ...
00010  52 44 4D 32 | C9 41 FE 0F | 20 00 00 00 | 01 00 00 00   RDM2ÉAţ ...
       Name        | Register values
                     |  |  |  |  | Sector Count
                     |  |  |  SDH
                     |  |  Cylinder high
                     |  Cylinder Low
                     Sector number

The amount of sectors is kept in the Sector Count register.

Author:  aimtrading [ January 11th, 2007, 0:14 ]
Post subject: 

The interesting, hidden, 'vendor specific' commands are not easy to get to. The people that know them on this forum won't tell you, but luckily, if you work hard enough, you can find them out yourself :)

These 'secret' commands that nobody will explain to you, vary from model to model.

Sometimes dedicated 'new' commands are used, like the 0xFE for DJSA that you described. Alternatively, sometimes these Vendor commands are extensions to 'normal' (not vendor specific) commands. For example, on most modern Western Digital HDD's, the interesting 'secret' commands are extensions to the 'SMART' 0xD0h ATA cmd. They can be accessed by setting special values in the Feature register en sector/cylinder selectors. But not only the features and the sector/cylinders regs are being used to 'convert' normal ATA cmds to vendor specific commands, sometimes even the drivehead register has to be set differently, to get to the 'secret' code => bit 7, 6 and 5 should always be 1,0,1 .... according to the standard ATA specifications ;) So you have to think 'out of the box' ...

And sometimes standard ATA's are used, but you have to issue another 'unlock' ATA first to modify behaviour (the 'unlock' command (i believe somebody called it 'SuperOn', on this forum) switches the drive to a different mode). For example, on some HDD's you can read the SA with normal 0x20/0x21 ATA commands, BUT you have to issue the 'unlock' ATA before, otherwise the drive will reject reading the SA. And sometimes a combination is used (for example, the extensions to 0xD0 on WD, won't work, if you haven't sent the WD 'superon' command first)

Anyway, can't help you with the specific DJSA drive, haven't looked into that one, but hope this info is useful to you.

Author:  Sfor [ January 15th, 2007, 12:14 ]
Post subject: 

Here are the module names I've found on a DJSA dive:


I can read all modules except the last 3 ones WRT1, WRT2 and WRT3. The drive reports some strange errors while reading them.

The DIAG block holds old reports of the IBM DFT utility. I do not know the purpose of other blocks.

Page 1 of 1 All times are UTC - 5 hours [ DST ]
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group