Analysis of Samsung F3 firmware update for AMD SB850 and Intel P67/H67 compatibility problem

Firmware patch/update for certain Samsung F3 and F3EG drives:
http://knowledge.seagate.com/articles/e ... Q/223631en

This patch code is released in order to solve the compatibilty problem between some motherboards (the AMD SB850 chipset and the Intel P67/H67 chipset) and Samsung-brand hard drives, F3 and F3EG models only.

This is relevant for Samsung-model internal drives with the following model numbers:

F3.exe - HD323HJ / HD502HJ / HD503HI / HD103SJ / HD105SI
http://www.seagate.com/staticfiles/supp ... ads/F3.exe

To get an idea of how Samsung's updates work, I examined earlier Dell updates for other Samsung models, eg ...

http://ftp.dell.com/ide/R139989.EXE

The update package includes the following:



Here is the embedded documentation for Samsung's SFLASH firmware update utility:



Samsung's SpinPoint F3 update appears to pack all the above files into a single EXE.

The first part of the executable (F3.exe) contains SFLASH code that performs the update.

At offset 0x4D800 there is an MFLASH_H header that lists the starting offset and size of 4 embedded firmware images.



For example, the first firmware image is 1AJE4MYM.115. It begins at 0x04DA00 and has a size of 0x057C00 bytes.

I believe that the tail end of the EXE file has an encoded script file. It is located at the end of the 4th firmware image. The MFLASH_H entry in the above table points to the location of this file (0x001ACA00), and specifies its length (0x000002D3).

I believe the script file contains instructions for matching the various firmware images against the detected model numbers. Seagate also does it this way. I have managed to decipher Seagate's scripts, but I haven't been able to do the same for Samsung.

The firmware images contain the following HDD model numbers:



How to interpret Seagate (and Samsung, Maxtor) model numbers:
http://knowledge.seagate.com/articles/e ... Q/204763en

Original article:
http://malthus.zapto.org/viewtopic.php? ... 1986#p1986

_________________
A backup a day keeps DR away.

Structure of firmware image file, eg 1AJE4MYM.115



The first 0xA00 bytes of each firmware image file contain what appears to be some kind of flash or firmware loader code. There is an "LFDR" string in the header section. I suspect that this is 16-bit little endian, in which case it would read "FLDR" (LDR = LoaDeR).

The next section appears to be a complete 256KB ROM image. Since the firmware update appears to update the entire ROM, this would suggest that F3 ROMs contain no adaptive data. The remaining 256KB of the ROM (not included in the update) is filled with 0xFF bytes, apart from a small "FIPS" section between offsets 0x70000 - 0x703FF.

The last section appears to an image of SA firmware module MOVLY001. This is one of the modules loaded into RAM from the System Area after spinup.

Original article:
http://malthus.zapto.org/viewtopic.php? ... 1989#p1989

_________________
A backup a day keeps DR away.

Analysis of checksums



Each of the above components has a checksum of 0x0000. The sum is computed by adding the 16-bit words in little endian format.

The checksum bytes for MOVLY001 (0x5FC9) are located at the end of the module.

The checksum bytes for the 256K ROM image (0xEFD9) are also located at the end.

The FLDR appears to consist of two sections. The first is the loader code. The second section appears to identify those parts of the firmware that will be targeted by the update, in this case the ROM itself (TT ?) and the MOVLY001 SA module. Each section has its own 16-bit little endian checksum at the end (0xC65D and 0xABC2), and both sections sum to zero.





Original article:
http://malthus.zapto.org/viewtopic.php? ... 2051#p2051

_________________
A backup a day keeps DR away.

great work , thanks

_________________
http://www.hpwlab.com

thank you for sharing

_________________
Data Recovery Pakistan