Data recovery and disk repair questions and discussions related to old-fashioned SATA, SAS, SCSI, IDE, MFM hard drives - any type of storage device that has moving parts
May 16th, 2009, 9:43
Hello everyone
What is the latest status with 'bypassing' ATA passwords ?
I was following progress in this area approx 3 years ago
especially as XBOX(v1) 5GB harddrives were locked via the ATA password
and there were many debates about any way to unlock if you didn't have the xbox main board eeprom with the password etc
At the time no one had found a way to bypass it, even trying live swapping of hdd electronic boards
The ATA password is probably on the reserved (manufacturer system) area of the disk
rather than on eeprom on the electronics
so if you could fool the electronics into thinking it had unlocked it (from a known platter) might be able to switch to a target (locked) platter and read off the user sectors
etc
Or some way to zap or short-circuit the logic on the controller board to force unlocking
So, any developments in this area
Thanks
May 16th, 2009, 9:54
So, you came into the HDDGURU forum for what reason ?
May 16th, 2009, 10:11
It is completely doable and no, it doesn't involve the PCB in any way.
May 16th, 2009, 10:32
It's like HEART bypass... some people are good at doing it, some others not
May 16th, 2009, 11:27
Me too. And on Fujitsu, Samsung, Excelstor, Hitachi and so on...
May 16th, 2009, 11:54
Getting back to the topic, there have been multiple posts about it here. I'm sure if OP was really interested he could turn something up.
May 16th, 2009, 13:48
Thanks for the tips
No particular reason, other than I've been watching some of the myharddrivedied videos on youtube
(and I used to do that sort of thing a few years back)
and he mentioned the mhdd program
and it reminded me of this topic
and I wondered if there had been any progress on it.
Sounds like there has, but you're all being a bit secretive about it
although of course the techniques must be very specific to specific drives and firmware revisions
May 16th, 2009, 14:01
The PC3000 software (and interface card) looks very interesting...
Does it need the dedicated IF board or will it run or partially run with a standard ide/ata controller ?
May 16th, 2009, 14:27
@Spildit,
I need to ask your opinion about something that bothers me.
At the company I am working, we have a lot of mini drives (My Passport Essential).
When our people securely disconnect the drive, the LED remains on and can not figure out if the drive still works or not, because by its nature it does not make any noise.
How can I confirm that the heads are parked securely?
Are there any Windows utilities (hdparm -Y) that can help?
Any comments, propositions?
Eleana
May 16th, 2009, 14:47
No, pc3000 is card +sw.
May 18th, 2009, 7:32
Hello, me again
Will these techniques also work in the Maximum security mode where it needs the User password and ignores the Master password.
Or in the lower 'high security' mode if the Master password had been changed
Or can we do a SECURITY ERASE PREPARE immediately followed by SECURITY ERASE UNIT but physically cut the write signal to the heads
-- but then it can't update the SA, but might leave the firmware thinking it's unlocked ?
Supplemental Q
Will mhdd or something similar let me see the raw hex of the IDENTIFY response
or fully decode the words and bits
(else I'll have to break in and see the raw data)
Thanks again
PS Of course I mean getting to the data rather than just reusing the drive
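On the IDENTIFY question in the post above, this is an added example, not code from any poster in this thread and not MHDD's own: it shows the raw 16-bit words of a 512-byte IDENTIFY DEVICE block and decodes the security status in word 128. The function names are hypothetical and the sample block is constructed (model string taken from this thread, status word chosen to read locked at maximum level); capturing the block from a real drive is left to whatever tool you use.

```python
import struct

# IDENTIFY DEVICE word 128 (security status) flag bits, per the ATA spec.
SECURITY_BITS = {0: "supported", 1: "enabled", 2: "locked", 3: "frozen",
                 4: "count_expired", 5: "enhanced_erase_supported"}

def ata_string(words, first, last):
    """ATA strings keep the first character of each pair in the high byte."""
    raw = b"".join(struct.pack(">H", w) for w in words[first:last + 1])
    return raw.decode("ascii", errors="replace").strip(" \x00")

def decode_identify(block):
    """Decode identity strings and security status from a 512-byte block."""
    if len(block) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    words = struct.unpack("<256H", block)
    status = words[128]
    security = {name: bool(status >> bit & 1)
                for bit, name in SECURITY_BITS.items()}
    # Bit 8 selects the level; it only matters while security is enabled.
    security["level"] = "maximum" if status >> 8 & 1 else "high"
    return {"serial": ata_string(words, 10, 19),
            "firmware": ata_string(words, 23, 26),
            "model": ata_string(words, 27, 46),
            "security_word": status,
            "security": security}

def hex_words(block, first, last):
    """Raw view: one 'word index: hex value' line per 16-bit word."""
    words = struct.unpack("<256H", block)
    return [f"{i:3d}: {words[i]:04X}" for i in range(first, last + 1)]

def build_sample():
    """Constructed sample: model string from this thread, locked, maximum."""
    words = [0] * 256
    model = "WDC WD80EB-28CGH1".ljust(40)
    for i in range(20):
        words[27 + i] = ord(model[2 * i]) << 8 | ord(model[2 * i + 1])
    words[128] = 0x0107  # supported | enabled | locked | level bit (maximum)
    return struct.pack("<256H", *words)

if __name__ == "__main__":
    info = decode_identify(build_sample())
    print(info["model"], info["security"])
    print("\n".join(hex_words(build_sample(), 128, 128)))
```

In a raw hex dump of the block the model string appears with each pair of characters swapped ("DW" for "WD"), which is why `ata_string` repacks every word big-endian before decoding.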
May 19th, 2009, 14:54
Well I finally dug out my old, locked, xbox WD 8GB drive (WD80EB)
and fired it up with MHDD
MHDD says PWD (ie locked)
Security: MAX, ON
Max = need unique and currently unknown user password only
as opposed to the other possibility of HIGH where either the Master or User password can be used, and the Master may or may not be the factory default
So I guess there is no way to unlock it, to get to any data
(I don't have the user password)
without something like a PC3000
Note - I don't need the data or the drive really, this is just for testing of if it was possible
I'll probably force erase the drive (which should be possible)
so that I can use it to play with setting Master and User passwords
And maybe some kind person will give any tip of any other possible method
(shorting of other jumper pins etc)
although that will be specific to this drive
and won't help me in the future if I ever get a real, important, locked drive to look at
(my friends are always asking me to recover corrupt partition tables etc)
May 19th, 2009, 15:04
And looks like I can't do an erase in MAX security mode (from MHDD)
ie can't send a SECURITY ERASE PREPARE command, immediately followed by SECURITY ERASE UNIT
or maybe I've overlooked how to do it from MHDD
May 19th, 2009, 15:27
Wow, thanks
I'll give that a try
Now that is the sort of friendly interaction and helpful advice I was expecting on here
I've also dug out another old drive
Maxtor 6L040L2
that supports ATA passwords
Shows Security: high, Off
I am able to set and remove user passwords
Can't seem to unlock with a Master password, but then I don't have the Master password (and can't seem to find it on the web etc)
And looks like I was wrong in that it is not possible (or not easily possible) to change the default Master password
Not that the Master password helps you when in Max mode
May 19th, 2009, 15:39
Sorry one more question
(I want this thread to be the definitive ATA Password thread)
In MHDD with my Maxtor drive Security: high, OFF
is there a way to put it in MAX security mode ?
May 19th, 2009, 17:00
This is what the end of the 42.bin of my WD drive gives
00000390 00 00 00 00 00 00 00 00-57 44 43 57 44 43 57 44 *........WDCWDCWD*
000003A0 43 57 44 43 57 44 43 57-44 43 57 44 43 57 44 43 *CWDCWDCWDCWDCWDC*
000003B0 57 44 43 57 44 43 57 44-A9 4A D6 A8 31 9D 6B 3A *WDCWDCWD.J..1.k:*
000003C0 93 D1 13 9D 15 0F 55 B8-CF 89 D4 96 00 00 00 00 *......U.........*
000003D0 00 00 00 00 00 00 00 00-57 44 43 20 57 44 38 30 *........WDC WD80*
000003E0 45 42 2D 32 38 43 47 48-31 20 20 20 20 20 20 20 *EB-28CGH1 *
000003F0 20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20 * *
(the *'s are from my hex editor)
Shows the default master password
Then 32bytes of hex (could be the user password, but not in a user enterable form)
Then the details of the WDC WD80EB drive
or have I missed something ?
Since it was locked by an xbox 'bios', I guess the random password it used doesn't have to be ascii ?
Thanks
May 19th, 2009, 17:41
xsoliman wrote: This is what the end of the 42.bin of my WD drive gives
or have I missed something ?
Try writing your own password to it and seeing what changes.
May 19th, 2009, 18:48
Thanks for all the really useful info
I assume the '42' is a reference to some particular SA block
although there's no $2a in the command sequence
If I modified the 42.bin file, is there a command sequence to write it back to the same place on the disk !
I'm sure there is, but not sure if you would be willing to share it ?
Hopefully this block isn't checksummed
Similarly I'd really like to know what the cmd codes do
eg which is the rd cmd and which specifies the SA block or -ve track etc
(and the info isn't too valuable as these 5GB drives are ancient, unless it works on all WD drives ...)
In fact you've already said that
$00 $02 $00 $00 $0F $E0 $21
is the bit that specifies the block to read
And good luck with your Seagate work.
May 20th, 2009, 15:13
Thanks yet again
After the wdc_super_on ($57 $44 $43 $00 $00 $a0 $8a)
I can then successfully read some sectors, but not all
Doing an F4 scan I get the following
(where M is a grey block of varying intensity ie a 255 sector block read ok)
MAMxMxMAMx
----> further on
same
further on
similar
further on - all reads ok (from about 24% into the 5GB drive)
is this expected ?
I haven't actually looked at the raw data in the readable blocks yet
Also my WD80EB has started staying BUSY for long periods after a 'spark' when plugging in to a live system
(thought I'd totally fried it at first)
In fact it's stopped responding now and F4 gives me clicking .... as does power cycling it.
Looks like I'll have to get another disk for experiments
This is the most hacking fun I've had for many a month
June 11th, 2009, 23:09
Spildit,
Hey, I've been searching to unlock a Maxtor
the ata password tool shows this
maxtor 6y230p0
rev yar41bw0
ata password tool v1.1
shows plus signs under
S, E, L, F, X, V
+ + + - - h
I wanted to know if it's possible for me to unlock the drive? Thanks, and sorry to bother you, but you wrote in a few topics to PM you to unlock a specific drive. If you could help me out, let me know.