All times are UTC - 5 hours [ DST ]


 Post subject: Looking for someone to collaborate disassembling Seagate ROM
PostPosted: May 29th, 2019, 22:14 
Joined: May 29th, 2019, 22:00
Posts: 15
Location: United States
I am looking for someone to collaborate with to disassemble both the Seagate Yeti boot ROM and the firmware for a hard drive.

I own a PC3000 and am very familiar with the conventional methods of data recovery. The PC3000 enables recovery by repairing whatever is wrong with the drive.

My ultimate goal is to modify parts of the code to read from damaged drives, even if the drive will not boot, by bypassing parts of the initialization that are preventing the drive from booting. Envision reading the servo marks and the raw data, saving it for later decoding.

I am looking for someone who understands ARM processors and/or IDA

Anyone interested ?


 Post subject: Re: Looking for someone to collaborate disassembling Seagate
PostPosted: May 31st, 2019, 9:14 
Joined: May 29th, 2019, 22:00
Posts: 15
Location: United States
Does anyone have an IDA project for the Seagate YETI bootloader ?

Just looking to save some time before I start from scratch.....


 Post subject: Re: Looking for someone to collaborate disassembling Seagate
PostPosted: May 31st, 2019, 9:40 
Joined: September 26th, 2016, 4:26
Posts: 110
Location: Russia
I think "disassemble Seagate Yeti boot ROM" will not help you "to modify parts of the code to read from damaged drives".
Or do you mean the bootloader, which is a somewhat different thing?
And... There are ways to do this without using IDA.


 Post subject: Re: Looking for someone to collaborate disassembling Seagate
PostPosted: May 31st, 2019, 18:52 
Joined: May 29th, 2019, 22:00
Posts: 15
Location: United States
I am actually talking about both the bootloader and the ROM, but I want to start with the Yeti bootloader.

If anyone has attempted this, I am interested in what you have.
It will save me a lot of time and effort to not "re-invent the wheel"

Also if there are recommendations instead of IDA, I am all ears.....


 Post subject: Re: Looking for someone to collaborate disassembling Seagate
PostPosted: May 31st, 2019, 19:17 
Joined: September 8th, 2009, 18:21
Posts: 15463
Location: Australia
I would think that you would need to disassemble the BOOTFW, CFW, and SFW segments of the external ROM. ISTM that the Yeti code would only deal with basic functions and would not know how to access peripheral devices (eg motor controller, read/write channel).

FWIW, @Severance (at HDD Oracle) has developed a nice GUI based tool to read and write memory via the Tiny Console in a WD drive. I suspect that PC3K can do this, though.

_________________
A backup a day keeps DR away.


 Post subject: Re: Looking for someone to collaborate disassembling Seagate
PostPosted: May 31st, 2019, 21:12 
Joined: December 4th, 2012, 1:35
Posts: 3844
Location: Adelaide, Australia
you probably know about Binwalk, https://github.com/ReFirmLabs/binwalk
with some example here http://gearsofresistance.com/2018/09/demystifying-firmware-debugging/

IDA probably has the most support but you would need probably more than a standard install.


 Post subject: Re: Looking for someone to collaborate disassembling Seagate
PostPosted: May 31st, 2019, 22:44 
Joined: May 29th, 2019, 22:00
Posts: 15
Location: United States
My only interest in the Yeti code is to determine what gets loaded where and what is the entry point in the loaded code.

I don't think it would initialize much beyond memory, serial I/O, and flash.


 Post subject: Re: Looking for someone to collaborate disassembling Seagate
PostPosted: June 4th, 2019, 18:04 
Joined: March 25th, 2018, 16:39
Posts: 26
Location: Europe
I'm not an expert, but I can give a few pieces of advice:
1. Seagate firmwares disassemble OK enough in IDA. Selected small parts of code can even be debugged under IDA+QEMU - I attached a screenshot - with well-known limitations of such debugging, e.g. memory is not filled during execution... :(
2. Don't try to disassemble any files without knowing their loading addresses - it makes no sense, because there are direct addresses in the code and you will lose any references to them.
3. You can get loading addresses for parts of the ROM e.g. from E123s' soft - F3 ROM explorer.
4. The best method is not to take loading addresses from the firmware itself, but to dump RAM and then check when the given file/part of code loads. Then you are sure that your code in the disassembler is like in the live drive.
5. You can't really understand such low-level code without original symbols. Try to find such symbols in firmware updates... it's really difficult, symbols are intentionally removed from any distributed soft. I know only a few exceptions to this - old disks of Quantum or Samsung. Symbols don't need to be for the given version - any are priceless.
6. Chips: ROM initializes chips which have no publicly available datasheets.... Try to find older/similar ones. For Lucent/Agere/LSI - forget it. For proprietary Seagate's ASIC - forget it. You can decrypt pins with a logic analyzer of proper speed and cost :), with probes of proper raster (0,025'' or smaller) and cost.... and proper very specialistic KNOWLEDGE.
The simple UART base address visible on the attached disassembly was manually found by me, of course. Real meanings and names of the [800D3000] address or function "ROM_puts_to_UART" don't exist in firmware retail code :)
7. So.... I don't think so :)


Attachments:
w.jpg [ 237.39 KiB | Viewed 40705 times ]
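
Points 2 and 4 of the post above turn on knowing the image's load address. As an added example (not from the thread or from any tool named in it), this sketch estimates a load base statically by letting every 32-bit word vote for the aligned base that would make it point at the start of a string; it assumes little-endian 32-bit ARM, and the sample image, its strings and the base 0x00100000 are constructed.

```python
import re
import struct
from collections import Counter

def string_offsets(blob, min_len=6):
    """File offsets where a NUL-terminated printable ASCII run begins."""
    pattern = rb"[\x20-\x7e]{%d,}\x00" % min_len
    return {m.start() for m in re.finditer(pattern, blob)}

def guess_load_base(blob, align=0x1000, min_len=6):
    """Rank aligned bases by how many 32-bit words would point at a string start."""
    strings = string_offsets(blob, min_len)
    usable = len(blob) & ~3                      # ignore a trailing partial word
    words = {w for (w,) in struct.iter_unpack("<I", blob[:usable])}
    votes = Counter()
    for word in words:
        for off in strings:
            base = word - off
            if base >= 0 and base % align == 0:
                votes[base] += 1
    return votes.most_common(3)

def build_sample(base):
    """Constructed image: NOP filler, five strings, then a literal pool of pointers."""
    texts = [b"uart init ok", b"flash id mismatch", b"checksum error",
             b"loading segment", b"jump to entry"]   # constructed strings
    blob = struct.pack("<I", 0xE1A00000) * 16    # ARM 'mov r0, r0' standing in for code
    offsets = []
    for text in texts:
        offsets.append(len(blob))
        blob += text + b"\x00"
    blob += b"\x00" * (-len(blob) % 4)           # keep the literal pool word-aligned
    blob += b"".join(struct.pack("<I", base + off) for off in offsets)
    return blob

if __name__ == "__main__":
    # 0x00100000 is a constructed base, not an address taken from any drive
    for base, hits in guess_load_base(build_sample(0x00100000)):
        print(f"candidate base 0x{base:08X}: {hits} string pointers resolved")
```

On a real dump the winning base should collect far more hits than the runners-up; a static guess like this is still only a candidate until it is checked against a RAM dump, as point 4 recommends.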
 Post subject: Re: Looking for someone to collaborate disassembling Seagate
PostPosted: June 4th, 2019, 18:38 
Joined: September 8th, 2009, 18:21
Posts: 15463
Location: Australia
eaxi wrote:
6. Chips: ROM initializes chips which have no publicly available datasheets.... Try to find older/similar ones.

The L7250 SMOOTH motor controller has a public datasheet.

_________________
A backup a day keeps DR away.


 Post subject: Re: Looking for someone to collaborate disassembling Seagate
PostPosted: June 7th, 2019, 18:37 
Joined: May 29th, 2019, 22:00
Posts: 15
Location: United States
I think info is available for something very similar.....this is from October 2010

https://www.digchip.com/datasheets/3264 ... ndard.html



The second paragraph says.....

The TrueStore SC9500 IC is delivered with reference firmware


How do I locate this firmware ?
Anyone have a copy ?


 Post subject: Re: Looking for someone to collaborate disassembling Seagate
PostPosted: June 8th, 2019, 19:48 
Joined: March 25th, 2018, 16:39
Posts: 26
Location: Europe
@skeeter, sorry, but I'm sure you can't get firmware or pinout of LSI chips.
Internals of such chips are too valuable to let them be released to the public.
The only method to uncover internals of them is reversing, but this is REAL hard - and often IMPOSSIBLE - work.
An example: uncovering Lucent (->Agere->LSI-> Avago->Broadcom) read-channel pins:
http://www.hddoracle.com/viewtopic.php? ... int#p19042
This was Quantum firmware research, made by Spildit, fzabkar and me.
To uncover this > 20-years-old chip, I had:
1. datasheets for all other chips on the board,
2. full disassembly with original Quantum symbols of firmware on the board,
3. easy access to 0,05'' pitch pins with standard probes,
4. transfer on the board easily covered with a 200MHz logic analyzer.
And you can see the results: most important pins, as NRZ0-1 = bare output from disk, CLK, ReadGate, ServoGate.... - were revealed, but the rest remained secret.


Attachments:
a.jpg [ 817.15 KiB | Viewed 40547 times ]
 Post subject: Re: Looking for someone to collaborate disassembling Seagate
PostPosted: June 8th, 2019, 21:29 
Joined: September 8th, 2009, 18:21
Posts: 15463
Location: Australia
@skeeter, you need something like this:

http://samples.technology-writer.com/ASIC.pdf

;-)

_________________
A backup a day keeps DR away.


 Post subject: Re: Looking for someone to collaborate disassembling Seagate
PostPosted: June 9th, 2019, 9:33 
Joined: May 29th, 2019, 22:00
Posts: 15
Location: United States
where do I get a copy of the whole document ?


 Post subject: Re: Looking for someone to collaborate disassembling Seagate
PostPosted: June 9th, 2019, 18:00 
Joined: September 8th, 2009, 18:21
Posts: 15463
Location: Australia
skeeter wrote:
where do I get a copy of the whole document ?

Seagate owns the IP, so you would need to ask them. In reality it would be highly unlikely that you would find the complete document anywhere.

_________________
A backup a day keeps DR away.


 Post subject: Re: Looking for someone to collaborate disassembling Seagate
PostPosted: June 10th, 2019, 9:01 
Joined: May 29th, 2019, 22:00
Posts: 15
Location: United States
Not the Seagate one, but the entire Quantum document.
The one you referenced was only the table of contents.....


 Post subject: Re: Looking for someone to collaborate disassembling Seagate
PostPosted: June 10th, 2019, 16:50 
Joined: September 8th, 2009, 18:21
Posts: 15463
Location: Australia
skeeter wrote:
Not the Seagate one, but the entire Quantum document.
The one you referenced was only the table of contents.....

Quantum was acquired by Maxtor, and Maxtor was then acquired by Seagate ...

Presumably the document exists in abridged form because its author is using it to showcase his technical writing ability without infringing on Quantum's/Seagate's copyright.

http://samples.technology-writer.com/

_________________
A backup a day keeps DR away.


 Post subject: Re: Looking for someone to collaborate disassembling Seagate
PostPosted: June 10th, 2019, 17:29 
Joined: September 8th, 2009, 18:21
Posts: 15463
Location: Australia
Try to contact the author (R.C. Ayeras):

http://technology-writer.com/cover.html

_________________
A backup a day keeps DR away.


 Post subject: Re: Looking for someone to collaborate disassembling Seagate
PostPosted: October 25th, 2020, 19:17 
Joined: May 29th, 2019, 22:00
Posts: 15
Location: United States
I have made progress on the YETI rom.
I have an ongoing IDA project.
Wow, what a way to code.....using a static base, add offsets to print different strings.
If you think you can add to the project, let me know

I have most of the JTAG pins figured out also. I can see all 3 TAPs.
Problem is that the CPU won't halt, and I can't find SRST.
The mictor pads pin 9 is not connected to anything.

Code:
TotalIRLen = 12, IRPrint = 0x0111
Using DBGRQ to halt CPU
Resetting TRST in order to halt CPU
CP15.0.0: 0x41259661: ARM, Architecure 5TE
J-Link: ARM9, 966 core

****** Error: Unable to halt CPU core
Found 3 JTAG devices, Total IRLen = 12:
#0 Id: 0x25966041, IRLen: 04, IRPrint: 0x1, ARM966E-S Core
#1 Id: 0x25966041, IRLen: 04, IRPrint: 0x1, ARM966E-S Core
#2 Id: 0x00000001, IRLen: 04, Unknown device
J-Link>


any ideas on how to locate SRST ????


 Post subject: Re: Looking for someone to collaborate disassembling Seagate
PostPosted: April 6th, 2021, 15:27 
Joined: April 6th, 2021, 14:50
Posts: 3
Location: Brasil
Looking at the thread, I can say that although the ASIC document does not say too much, it is possible to use it to help reverse engineer the firmware of Quantum disks.

The document has several memory positions for configuration registers in the summary :D

I'll try to use them to map the registers inside the firmware!

By the way, does someone have an annotated reversed firmware for Quantum?


 Post subject: Re: Looking for someone to collaborate disassembling Seagate
PostPosted: April 8th, 2021, 15:54 
Joined: September 17th, 2016, 16:06
Posts: 430
Location: India
A very novice question from my side to HaQue et al.:

If Binwalk returns a very high entropy, then either the FW/blob is compressed or encrypted.

How would one approach such scenarios where there are no magic numbers localized?

--

