CRC on rom block table seems to be ok on my .bin

Now I came across the following problem. How the heck should I get the ROM MODS at the end of the bios file? I know that there are 2 version..one having 24byte header and one with 48 bytes in which ROYL are the first 4 bytes. For the second version I could scan for the ROYL sign to find the header, but again, that header doesn't contain any size information about the MOD..only the name ID and the length in sectors.

Well, i can't help you out with that one, sorry ....

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.

I've implemented the VSC command which queries a specific MODule. Somthing like VSC_getmodule(int iModID) ->a file mod_id.bin similar to using key file for MHDD starting with 0x8, 0,1, MOD_ID...

My bios has the old header's format...without ROYL mark. This command returns the MODS from BIOS firmware...and an error for the mods in SA (VSC error code decoded: 0x3701 -->> FM_ERR_DIR)

In this way I managed to get the 4 mods i can see at the end of the ROM.bin:
0A - head map
0D - firmware version
30 - Service Area translator
47 - Service Area adaptives

But I've done that..by inspecting the rom end..getting from there the mod's ID to pass to VSC. I know that in the ROYL ROM there's another MOD called 0xb - ROM module directory..which contains the list of mods present in the firmware's last bytes...which contain the exact position in the rom file..and the sizes of each ROM MOD. But my ROM it's the old version type which doesn't contain the rom mod directory. I assume that the ROM's mod number and position/size for each one is hard-coded in rom.bin executable code...since it knows how to find those mod's..for the getmodule VCS command.

Very interesting indeed. Thank you for sharing the experiment in public and for sharing this knowledge.

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.

- Check PM.

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.

I've done the test you asked. With the PCB totally separated from the hdd (but PC powered and connected to sata) I can read the rom exactly as before with my app. So no difference between the PCB in hand or mounted to the HDD. off course I must wait about 30 secs because that's the ATA standard ...max waiting time in which the MCU tries to read the platters and reports busy state.

Does it work with WDR tool too ?
Thanks.

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.

Wdr doesn't like w7 and I have too may windows opened to reboot now

It should work. It works on the same principle. ATA commands directly to hdd's controller.

So the more I study the more it becomes clear. You can control and access the PCB as long as you have a valid firmware inside which can handle ATA commands. If you flash an incompatible fw. on a PCB and that code crashes inside the mcu during initialization, you won't be able to access the PCB via software because it won't respond to any commands..it won't be seen (to be seen means..it neds to reply to ATA cmds sent by software). Then you'll need to do a external writing to rom...via unsoldering.. etc.

I believe that CON1 is the gate trough which wd handle all this situations. They have custom loaders and perhaps they short some pins there to make the bootstrap start what they want.

Had a look at that link "death to blabla" ...they put the bootstrap in a mode shorting a point (which on my PCB oesn't exist) which accepts commands through the PC's com port, not loading any ROM content (internal or external); then they send 2 files...one which performs rom erase...and one which is called repeatedly with chunks of 16k from the rom.bin appended at the end...until the entire rom file is processed. Both files seems to have a 32 bytes header, but only for the the first file is sent. Who wrote those file they use...a real guru I assume that they hacked the kernel code..found the ports and what it's needed when the VSC erase/write the new firmware. but the more important stuff is that they found the protocol...how to fetch the code sent through com to mcu...so that the MCU to execute that code. "grab this code and execute it"

That U-command thing is Very, Very cool !
Are you making progress toward your drive ? Because even if you master the art of uploading ROM and Modules you will still have to deal with the problem of dead heads ....
Did you manage to implement the CRC verification for ROM ?

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.

Yes..all code blocks indicated in the rom starting header are fine. I could bet it's fine..because rom code works..the hdd it's detected as much as the rom code allows not having the SA infos.
I don't know at this moment how to do the CRC on the MODS located inside the rom. If, how I previously said, I Found a way to download each one, I still cannot do the CRC because I don't know the size of any mod downloaded from the rom. I get a multiple of 512bytes chunk of data..for any..and as I see..at the end of the rom...they are smaller. I should try it like this..because 0 padded zones doesn't matter on the crc; but it's not right...the size must be a must...and I believe that it's hard-coded inside the rom exec code...not in another mod (0xb) like on ROYL firmware.

I'll wait for the donor. After that..I'll ask locally how much will they charge for a head-swap. With the right tools it's a 10min op. The problem it's after that with the head alignment. I could bet that the preamp it's dead.

Meanwhile...I ordered a programmer with that soic8 clip...on aliexpress but seems that doesn't want to accept my cc damn.

Well, just keep us informed
I will love to ear from your experiments when you recieve the donnor drive.

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.

Found a nice VSC command. ReadMemory(address, size). I can dump the 0xffff0000 aka the bootstrap...if that's the address on my marvel; or the unpacked blocks of code described in the table at the beginning of the rom.bin

Very, very cool !
That would be the masked/embeded Rom code on the Mcu (even when you have External Rom chip, that is loaded on the first place, checks the rom content and executes it, right ?

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.

new thread with some work on Bootstrap internals

Will follow that ! Very cool research !

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.

The donor has arrived. It is in a really bad shape outside. It has some marks from a fall down or something. First time I plugged in I was amazed by the sound...it was like from an old CD-Rom. Looking closer I realized that the air filter is half broken and missing. Patched with some scotch. It came in a plastic bag (which it's intact) with a sticker closing the opening..and since I haven't found the rest of the filter inside..I assume that it was sold like this..although the ebay seller stated "good condition"

Despite it's bad external shape, the donor works fine. It spins and I can access the SA..with my head/track/ vsc reading routine. I did the PCB swap...without any rom flashing. The result it's the same. 2 clicks repeated 5 times. So the problem it's inside. I tried reading the track -1 with the head 0..and no chances. I get the same error 0x4341 as before;

So..with a working PCB the same model, version etc I can't read any head on patient. This leads to a dead pre-amp, because the ROM information it's all that is needed by one head to go to the SA and read something on track -1. I assume that a module conflict (ROM<->SA) wouldn't influence the head reading. The drive won't work..but at least it would let me read the head, no?

YES. I HAD RIGHT. I did the swap in the opposite direction. The donor with the patient PCB. It runs..no clicking here...but it's identified also as WDC ROM BUCCANER (as I assumed before ).
Te "module conflict" SA-ROM modules...doesn't influence the head's reading (readability). I can read the heads in this situation! Basic stuff that no one wants to tell you. Yeah...I found it myself.

So, are you able to read SA modules/tracks on your ebay drive with the damaged drive pcb withot any ROM flashing ?
Can you read your donor drive in that condition (with patient pcb) on a different head (not head 0) ? And on the damaged drive with ebay pcb, did you try to read using a diferent head ? And with modifyed head map on RAM ?

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.

Yes. I did a short test, reading with a VSC the track -1 head 0...and returns fine the header of the Module 0x1...which holds the modules hosted on the SA. I've stopped here the researches, don't want to push the donor, because it has that hole patched and I'm afraid not getting dust inside.


Tried only on head 0, but it should work fine on all the heads. The problem should appear as we take distance from the track -1 and the read head doesn't stay on the same track with the write head. The adaptives handle that.


So if my be stored on AS..you don't need them to read SA. You need the head map etc..which on the same model..should be the same.


No...I know where you point...but I'm sure 100% that I'll get the same result as with the original PCB. It's clear...with the patient's PCB I can access the SA of the donor...not having any clicking, without any touch to the firmware.

My final diagnostic: dead-PREAMP.

Better, I would say here...when the reading arm it's orthogonal on the platter's radius. So it depends on the HSA position..where on the disk would happen that.

And what will you do next ?
What's the "Next Step" ?
Are you going to send the drive to someone for Head Replacement ?

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.