July 26th, 2010, 9:14
phishin_ca wrote: it will become very obvious what it does to an unlocked drive.
- Code:
regs fields for normal read/write
1st - 00 ? (to be determined)
2nd - size in sectors (use 00 for 256 sectors)
3rd - LBA (lowest byte, 0- 255 decimal)
4th - LBA second lowest byte
5th - LBA third lowest bytes
6th - $E0 standby immediate
7th - $20 read, $30 write
from reading-data-with-mhdd-scripts-t11452.html
And your point on altering the MHDD script to a write instead of a read is?
July 26th, 2010, 11:31
keep looking.
July 26th, 2010, 21:41
$00 $01 $00 $00 $00 $e0 $30
regs fields for normal read/write
1st - 00 ? (to be determined)
2nd - size in sectors (use 00 for 256 sectors)
3rd - LBA (lowest byte, 0- 255 decimal)
4th - LBA second lowest byte
5th - LBA third lowest bytes
6th - $E0 standby immediate
7th - $20 read, $30 write
$00 ?? to be determined dunno what this is
$01 would this be 1 sector or is there a number of sectors, let's say 512 sectors, each increment of this byte causing another 256 sectors to be written?
$00 Lowest byte
$00 Second lowest byte
$00 highest byte
$E0 Standby immediate
$30 Write
We are using little endian which would make sense. As the computer does but is only able to handle 24 bits unlike the computer's typical 32 bits.
"Little Endian" means that the low-order byte of the number is stored in memory at the lowest address, and the high-order byte at the highest address. (The little end comes first.) For example, a 3 byte LongInt
Byte2 Byte1 Byte0
will be arranged in memory as follows:
Base Address+0 Byte0
Base Address+1 Byte1
Base Address+2 Byte2
Intel processors (those used in PC's) use "Little Endian" byte order.
So basically overwrite the area 000000 with whatever sectors from bin would contain but only 1 sector...
Where does it specify a base address though is it the sectorsfrom.bin which would specify the base address?
This whole specialty tool thing kinda makes me wonder though if we can write to ram could we not load some kind of payload into the ram to cause the hard drive to spit out our password into ram and have it spit out...
I dunno the rules and there is not much about the Hitachi drive available that I have found while I must admit I have been busy with life the last couple days.
By the way thank you for shedding some light on such a tucked away subject I greatly appreciate it.
What does a typical cmd look like?
What is a negative cmd rx?
What is a good cmd rx?
Is there any way for MHDD to be set to verbose so that you can see everything tx and rx?
These are basic things that we should be asking ourselves ...
We could try a script with a crap load of safe commands and log all data and see which commands are good and which are bad just by the rx ...
More needs to be learned before we can do this and determine even if there is a safe way to do so.
July 26th, 2010, 22:11
infringer wrote:
$00 $01 $00 $00 $00 $e0 $30
regs fields for normal read/write
1st - 00 ? (to be determined)
2nd - size in sectors (use 00 for 256 sectors)
3rd - LBA (lowest byte, 0- 255 decimal)
4th - LBA second lowest byte
5th - LBA third lowest bytes
6th - $E0 standby immediate
7th - $20 read, $30 write
$00 ?? to be determined dunno what this is
$01 would this be 1 sector or is there a number of sectors, let's say 512 sectors, each increment of this byte causing another 256 sectors to be written?
$00 Lowest byte
$00 Second lowest byte
$00 highest byte
$E0 Standby immediate
$30 Write
We are using little endian which would make sense. As the computer does but is only able to handle 24 bits unlike the computer's typical 32 bits.
"Little Endian" means that the low-order byte of the number is stored in memory at the lowest address, and the high-order byte at the highest address. (The little end comes first.) For example, a 3 byte LongInt
Byte2 Byte1 Byte0
will be arranged in memory as follows:
Base Address+0 Byte0
Base Address+1 Byte1
Base Address+2 Byte2
Intel processors (those used in PC's) use "Little Endian" byte order.
So basically overwrite the area 000000 with whatever sectors from bin would contain but only 1 sector...
Where does it specify a base address though is it the sectorsfrom.bin which would specify the base address?
This whole specialty tool thing kinda makes me wonder though if we can write to ram could we not load some kind of payload into the ram to cause the hard drive to spit out our password into ram and have it spit out...
I dunno the rules and there is not much about the Hitachi drive available that I have found while I must admit I have been busy with life the last couple days.
By the way thank you for shedding some light on such a tucked away subject I greatly appreciate it.
What does a typical cmd look like?
What is a negative cmd rx?
What is a good cmd rx?
Is there any way for MHDD to be set to verbose so that you can see everything tx and rx?
These are basic things that we should be asking ourselves ...
We could try a script with a crap load of safe commands and log all data and see which commands are good and which are bad just by the rx ...
More needs to be learned before we can do this and determine even if there is a safe way to do so.
While I am glad I have spurred your interest in learning more about the program, my example was to show the fact that it was easy for someone to just grab a script and run it without understanding what it does. My example overwrites the boot sector of the disk with whatever is contained in that bin file. I can tell you that MHDD is not designed to do what you are looking for, but you have the right approach to analyzing it. I have already written my own software and I am quite comfortable. You should look to do the same. Just make sure when you are done, you post it here for everyone.
July 26th, 2010, 23:16
1 sector is 512 bytes got that much will share more when I have more time but now the door is starting to open and I can see a little light.
I am still interested in seeing a true communications log from a hard drive in normal operation...
does it follow the 21 tx 12 rx format or something different?
Surely I will if I don't become a complete failure which in all likelihood may just happen not that I am giving up yet but the complexities of stuff go beyond just understanding a simple thing like MHDD.
What language to use to best suit my needs?
It is interesting though I would bet that someone could just make an unlocker to hook hard drives up to and it would poll the drive for information using the ECh command reference to a table and send commands to perform the unlock information and then have the data update via the USB or internet auto update.
Now that would be a hell of a tool just plug into unlocker push a button and voilà. Sounds good in principle maybe not possible though who knows.
Yes I do understand just how I could cause issues with other people's drives. I wish there was a way I could edit my first post to warn people of this or prevent certain people from seeing the post entirely... but it is unfortunate there is no selective thing like this with knowledge comes great responsibility I agree but some people gotta use their own head as well.
Common sense is going to be lost if we continue our current course.
We have stickers to tell us how to peel off stickers nowadays it is sad really!
Last edited by infringer on July 26th, 2010, 23:31, edited 1 time in total.
July 26th, 2010, 23:19
You can find the ATA specs in the documents section of the home page. Start there.
July 27th, 2010, 8:04
I corrected my listing of what the 7 bytes are in an earlier post
as I got the 6th one wrong (not standby immediate)
It's Device/Head and also contains the bit specifying LBA mode, and also contains the highest LBA bits 27:24
for the full 28 bit LBA addressing = 128GB aka '137GigaBytes'
The seven bytes of the regs are as follows
(and their names are derived from the original CHS terminology)
F (or FR) Features
SC Sector Count (0=256 sectors)
SN (or LL) Sector Number (or LBA low byte)
CL (or LM) Cylinder Low
CH (or LH) Cylinder High
DH Device/Head
CMD
MHDD (or a similar custom written tool) is a very useful tool
but still need to know the vendor specific commands to send
Many WD special commands are 'known' but again are probably model specific
I am also glad I have spurred your interest in learning more about the program
but as mentioned several times, this is the easy bit. The acquiring and researching of the vendor specific commands etc is the hard bit
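A decoder for the seven register bytes listed above, added here as an example and not posted by anyone in the thread: it parses a $xx register line like the one quoted earlier, rebuilds the 28-bit LBA from the three LBA bytes plus the low nibble of Device/Head, and flags write or unrecognized opcodes so a script line can be checked before it is run. The function names and the three-entry opcode table are assumptions for illustration; the opcodes themselves ($20, $30, ECh) are the ones mentioned in the thread.

```python
import re

# Opcodes mentioned in the thread ($20, $30, ECh), named per the public ATA spec.
COMMANDS = {0x20: "READ SECTOR(S)", 0x30: "WRITE SECTOR(S)", 0xEC: "IDENTIFY DEVICE"}
WRITES = {0x30}          # opcodes in the table above that overwrite user data
SECTOR_BYTES = 512       # sector size as stated in the thread

def parse_regs(line):
    """Extract exactly seven $xx register bytes from a script line."""
    vals = [int(h, 16) for h in re.findall(r"\$([0-9A-Fa-f]{1,2})\b", line)]
    if len(vals) != 7:
        raise ValueError(f"expected 7 register bytes, got {len(vals)}")
    return vals

def decode(line):
    """Decode F, SC, SN, CL, CH, DH, CMD into named fields."""
    feat, count, sn, cl, ch, dh, cmd = parse_regs(line)
    sectors = count or 256                      # SC of 0 means 256 sectors
    info = {
        "features": feat,
        "sectors": sectors,
        "bytes": sectors * SECTOR_BYTES,
        "device": (dh >> 4) & 1,                # DH bit 4: device 0 or 1
        "lba_mode": bool(dh & 0x40),            # DH bit 6: LBA addressing
        "command": COMMANDS.get(cmd, f"unknown (0x{cmd:02X})"),
        "destructive": cmd in WRITES,
    }
    if info["lba_mode"]:                        # DH bits 3:0 carry LBA 27:24
        info["lba"] = ((dh & 0x0F) << 24) | (ch << 16) | (cl << 8) | sn
    else:                                       # legacy CHS interpretation
        info["chs"] = (ch << 8 | cl, dh & 0x0F, sn)
    return info

def needs_review(line):
    """True if the line writes to the drive or uses an opcode not in COMMANDS."""
    cmd = parse_regs(line)[6]
    return cmd in WRITES or cmd not in COMMANDS

if __name__ == "__main__":
    # Constructed inputs: the register line quoted in the thread, then a read.
    for regs in ("$00 $01 $00 $00 $00 $e0 $30", "$00 $00 $56 $34 $12 $E1 $20"):
        d = decode(regs)
        flag = "REVIEW" if needs_review(regs) else "ok"
        print(f"{regs} -> {d['command']}, LBA {d.get('lba')}, "
              f"{d['sectors']} sector(s) [{flag}]")
```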
July 27th, 2010, 9:20
infringer wrote: Now that would be a hell of a tool just plug into unlocker push a button and voilà.
Here's what you're not understanding:
Say you invented a special key that would automagically open any lock that exists. Now say you made a billion copies and gave them away to everyone. Do you really think for ten seconds that everyone wouldn't change their locks ASAP so that you couldn't open them anymore?
Now, if you want to be a locksmith, nobody is stopping you. But it is understood that you won't just give every random person you run across the ability to open any lock they want.
July 27th, 2010, 9:54
Would be of much more fun if someone steals HIS notebook or portable HDD, unlocks it and then has access to his data, ID, documents and pictures and uses them, steals whatever they can and posts on YouTube and everywhere else. This is what the internet is intended for, no?
This can be a scenario, too. That's why even having the K-H or tooling or both, it is always a delicate subject.
July 27th, 2010, 16:28
So you don't wish for me to continue with this in public I get it I get it.
What are my other options.
Pay the price of a hard drive to get it unlocked.
Or pray to some fairy that someone will befriend me and help me further along the line privately.
I aint paying no 50bux.
And I doubt the latter will happen to in this world it is every man for himself it seems hard to find someone willing to give their time like phishin_ca for instance....
I thank phishin_ca for the lesson.
And I thank all of you for the warning I completely understand your stance 100% I am not no retard and I think I will not release nothing public because of the good points brought up, but I will indeed not stop searching for the answer and the public is the only thing I know.
And as a response to DRC I am not just some random person I fix computers and have select certifications to fix and build computers it is a side job and I've had to turn people away simply because I could not unlock their drive for them it sucks really now going on my third used laptop with a locked hard drive I am tired of paying the price for a new drive each time and throwing out perfectly good drives simply because they are locked with an ATA password gotta break that chain somewhere.
July 27th, 2010, 16:35
50 $ : if you were here it would cost you less and less.
BUT in any case you have to sign an agreement with YOUR data where you declare UNDER YOUR RESPONSIBILITY that the drive/data contained is yours and you want the drive unlocked / erased / both.
July 27th, 2010, 16:43
infringer wrote:I aint paying no 50bux.
Sure you will bro
You ain't got no drive you can't reset the password yet
July 27th, 2010, 16:45
infringer wrote: And as a response to DRC I am not just some random person I fix computers and have select certifications to fix and build computers it is a side job and I've had to turn people away simply because I could not unlock their drive for them it sucks really now going on my third used laptop with a locked hard drive I am tired of paying the price for a new drive each time and throwing out perfectly good drives simply because they are locked with an ATA password gotta break that chain somewhere.
A-ha. If you ask the nearest PRO I think it's not gonna cost you 50$, but expect to be asked for proof of purchase or declaration of responsibility to unlock / erase.
Take into account that a lot of stolen laptops and drives go on the regular / grey / black market everyday and it can give you a lot of troubles depending on what happens.
Drives like notebooks DO have a serial number and on some it is hard encoded also, so you cannot give the drive "another identity" so easily.
Luckily on many modern ACTUAL drives/families things are not so easy - even the most expensive tools for diagnose and HDD repair can do little on some families. This means more safety for end users and less possibilities of dispersal of data. You never know what drives can hold inside.
July 27th, 2010, 16:52
infringer wrote: I fix computers and have select certifications to fix and build computers it is a side job and I've had to turn people away simply because I could not unlock their drive
So you're angry because nobody will tell you for free how to do something you want to charge people money for?
Uhhhh, sure. That makes sense.
July 27th, 2010, 16:56
Ever heard about outsourcing ? You could say "sure I can" then outsource to the nearest pro. It would have been a win-win situation.
Hope your customers don't read this forum....
July 27th, 2010, 18:53
Surely with the amount of time you have wasted it would have been better to work flipping burgers and spitting on onion rings and then buy yourself a nice new drive?
Quote "I aint paying no 50bux"
The ATA command set is not brain surgery, all the PUBLIC info you want is out there, so much you will probably fall sick with gout. Finding factory commands is not so easy ;o)
July 27th, 2010, 19:23
In addition, the people here will answer questions. They have to be posed properly though. If you act like someone who is just trying to be walked through everything, you will get a cold shoulder. If you pose your question as someone who needs help with some smaller aspect, you will be amazed at the helpful responses. My next piece of advice is personal: If you want to continue down this path start coding. Once you get to the point where you are attacking your problems at that lower level, your knowledge will skyrocket. I will warn you that if you take me as an example, you will still be working on this for years and feel stupid
To add to what Guru posted: Finding the factory commands is a pain, but it is doable.
Follow this up with some code examples where you are starting to build an ATA terminal and you will get some life. Good Luck!
July 27th, 2010, 21:50
Sweet deal thanks for the comments guys I hear yah!
It is my laptop I do have proof of purchase...
I would gladly direct my customers to this thread I have nothing to hide I feel more embarrassed not knowing than showing them that I am trying to learn actually a fellow coder Linux guru and long time friend from across a couple of countries I showed him this thread and his personal opinion was that you folks were being a bit stuck up.... Very smart fella so I know it was not only me with the piss poor approach as well. Might sound nuts huh you not perfect well guess what you can count me on the not so perfect left of center band wagon as well.
Factory commands should be able to be had by the rx I would assume depending on the cmd handler on the chip it is just an assumption that a good cmd would cause a good rx... IDK obviously I need to do lots of studies.
Anyways thanks again for the criticizing and the help I suppose I need both.
July 28th, 2010, 5:08
hdparm and smartmontools are open-source projects and are available on many platforms. The source code is freely available. hdparm has implemented ATA security commands since many releases ago. There is a Cygwin port of hdparm which works on Win32.
The code will help in understanding the ATA command set.
July 28th, 2010, 5:23
On many ACTUAL drives it takes a lot more than ATA stuff...