March 29th, 2020, 16:59
March 29th, 2020, 17:41
March 29th, 2020, 17:58
March 30th, 2020, 3:18
April 3rd, 2020, 10:58
April 3rd, 2020, 18:57
April 3rd, 2020, 19:29
eaxi wrote: I dig in Seagates only, so I can give you an easy answer to one of your questions:
"How companies Get The Names of Seagate ROM Modules, that its RAP, CAP SAP?"
I present a small portion of a factory log extracted from a Seagate HDD SA; you can find similar logs on many Seagates. You can see the well-known names of ROM components used by both commercial and free soft - they are not invented by third-party DR software makers, they are Seagate's original ones:
Jan 13 2013-07:19:51 Sending Block: 800 of 1025: Size=512
Jan 13 2013-07:20:03 Sending Block: 1000 of 1025: Size=512
Jan 13 2013-07:20:12 Return Data:
PROGRAMMING COMPLETE!
----------------------------------------------------------
VERIFYING FLASH IMAGE...
Header: 530B00004800000000000000E2B50400
Header plus boot code checksum verified!
Offset  Length  Type
------  ------  ----
0x00040 0x598E0 DL_CFW
0x598E0 0x00410 IAP
0x59CF0 0x16000 DL_SFW
0x6FCF0 0x01100 DL_SHELL
0x70DF0 0x00210 DL_CAPM
0x71000 0x0A000 DL_RAPM
0x7B000 0x05000 DL_SAPM
Flash Byte size : 0x00080000
Entire flash image checksum: 0x44F0 PASS
Done
Jan 13 2013-07:20:12 Flash Load time: 175.861538
..
So getting Seagate's original names and locations of ROM components is really simple, but most people are too lazy to do it themselves. You just have to dump the WHOLE SA, not only the files selected by PC3K, find the factory log and compare it with the ROM of this disk...
..
As for general discussion:
1) I agree with fzabkar that many valuable sources come from leaks/"illegal sales" by (ex-)Seagate/WD/... employees. The best example is the full WinFOF leak a few years ago - this was a VERY valuable source, at least for me: I realized how they prepare their disks for sale.
2) I agree with pepe that there are still MANY valuable sources for reversing. If someone is concerned with Seagate - I can recommend STECON cracking - this is VERY educational. The first and usually the last barrier for the average user is extracting SeaScripts from these distributions. They are encrypted by a proprietary algorithm.
3) Reversing in general, not only concerning HDD firmware, has dramatically collapsed in the free world in the last 10 years. I will not attach any valuable stuff here, I will not send anything to people whom I don't know in real life. "Pirate-hunters" enjoy their success, because people stopped sharing their knowledge and soft. You can find valuable info mainly on Chinese, Russian etc. sites... Big shame
Of course there is a second reason for the fall of reversing: knowledge is money
April 3rd, 2020, 19:31
April 3rd, 2020, 20:05
April 3rd, 2020, 20:36
eaxi wrote: Sorry, Ali, but you didn't understand
I didn't download anything to this disk
The presented fragment is a dump from the original SA on this disk.
It can be read as a normal SA - you get files by FAT, you read free SA sectors by normal LBA access.
This is the original factory log, produced by Seagate while preparing the disk for use and for sale. This log was of course produced by WinFOF, but Seagate's WinFOF, not mine.
So WinFOF has nothing to do with all this - you don't need a working WinFOF to read it or do something else with it.
You just have a factory log with simple text variables and all you have to do is apply it to the ROM image from this disk. Then you will have the DL_CAPM, DL_SAPM... etc. names mapped to the ROM. And this is the answer to your question "how they get names of ROM components" - they have deduced them from logs like that
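The mapping eaxi describes, as an added example that is not from the thread or from any of the tools it mentions: a Python sketch that parses the Offset/Length/Type table of the quoted factory log and slices a ROM dump by it. The function names are hypothetical and the ROM bytes are whatever dump the reader already holds. As logged, the DL_CFW row (0x00040 + 0x598E0) ends 0x40 bytes past the next offset, so the code clamps that region and reports it.

```python
import re

# Table rows exactly as quoted in the thread (layout restored, values unchanged).
FACTORY_LOG = """\
Offset  Length  Type
------  ------  ----
0x00040 0x598E0 DL_CFW
0x598E0 0x00410 IAP
0x59CF0 0x16000 DL_SFW
0x6FCF0 0x01100 DL_SHELL
0x70DF0 0x00210 DL_CAPM
0x71000 0x0A000 DL_RAPM
0x7B000 0x05000 DL_SAPM
Flash Byte size : 0x00080000
"""

ROW = re.compile(r"^[ \t]*(0x[0-9A-Fa-f]+)[ \t]+(0x[0-9A-Fa-f]+)[ \t]+(\w+)[ \t]*$", re.M)
SIZE = re.compile(r"Flash Byte size\s*:\s*(0x[0-9A-Fa-f]+)")


def parse_layout(log_text):
    """Return (flash_size, [(name, offset, length), ...]) sorted by offset."""
    m = SIZE.search(log_text)
    if not m:
        raise ValueError("no 'Flash Byte size' line in log")
    rows = [(n, int(o, 16), int(l, 16)) for o, l, n in ROW.findall(log_text)]
    return int(m.group(1), 16), sorted(rows, key=lambda r: r[1])


def map_rom(rom, log_text):
    """Slice rom by the logged table; return ({name: bytes}, [warnings])."""
    flash_size, rows = parse_layout(log_text)
    if len(rom) != flash_size:
        raise ValueError(f"ROM is {len(rom):#x} bytes, log says {flash_size:#x}")
    parts, warnings = {}, []
    for i, (name, off, length) in enumerate(rows):
        # A region may not extend past the start of the next one (or flash end).
        limit = rows[i + 1][1] if i + 1 < len(rows) else flash_size
        end = off + length
        if end > limit:  # logged extent runs into the next region
            warnings.append(f"{name}: end {end:#x} passes next offset {limit:#x}")
            end = limit
        elif end < limit:
            warnings.append(f"gap {end:#x}-{limit:#x} after {name}")
        parts[name] = rom[off:end]
    return parts, warnings
```

Call `map_rom(open("rom.bin", "rb").read(), log_text)` with the log text found in the same drive's SA; a size mismatch raises before any slicing, which catches a log paired with the wrong ROM.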
April 3rd, 2020, 20:46
April 3rd, 2020, 23:40
April 4th, 2020, 6:03
April 4th, 2020, 8:25
eaxi wrote: Ali, I really don't understand what you are trying to do
You just want to give names to DL_CFW sub-components??
They have no specific names given by Seagate
But if you are a programmer, you should know what they are
"ID=3" of your DL_CFW is typical ARM start code: interrupt table, ISR and so on
I've attached similar code from a disk I work on:
And the same parts of code marked on your module:
Other parts of this DL_CFW are "ID=2": code and "ID=1": data, as I see
The list of ROM modules, which you copied from F3ROMExplorer, doesn't name sub-components, because there is no reason to give names to sub-components which can't be used apart. You can add a new CAP to flash-ROM, but you can't change only "ID=3" in DL_CFW, leaving the rest unchanged - this would be totally incompatible
April 4th, 2020, 8:53
April 4th, 2020, 12:04
April 4th, 2020, 12:18
This is the only way to get the VSC commands.
April 4th, 2020, 14:28
BGman wrote: One can find VSC commands by "sniffing" some demo versions of programs like WDR, SeDiv, SHT, etc....
And the best "sniffing" instrument for this purpose is the HDD itself.
Some commands can be found by "trials and errors". From t13 we know what to put in CR and it just remains to figure out what to put in FR...
April 4th, 2020, 18:41
waqas_ali766 wrote: eaxi wrote: I present small portion of factory log extracted from Seagate HDD SA ...
PROGRAMMING COMPLETE!
----------------------------------------------------------
VERIFYING FLASH IMAGE...
Header: 530B00004800000000000000E2B50400
Header plus boot code checksum verified!
Offset  Length  Type
------  ------  ----
0x00040 0x598E0 DL_CFW
0x598E0 0x00410 IAP
0x59CF0 0x16000 DL_SFW
0x6FCF0 0x01100 DL_SHELL
0x70DF0 0x00210 DL_CAPM
0x71000 0x0A000 DL_RAPM
0x7B000 0x05000 DL_SAPM
Flash Byte size : 0x00080000
Entire flash image checksum: 0x44F0 PASS
Done
Are you saying that all names, like rap, cap, sap, are inside the rom.bin file?
April 4th, 2020, 18:52
fzabkar wrote: waqas_ali766 wrote: eaxi wrote: I present small portion of factory log extracted from Seagate HDD SA ...
PROGRAMMING COMPLETE!
----------------------------------------------------------
VERIFYING FLASH IMAGE...
Header: 530B00004800000000000000E2B50400
Header plus boot code checksum verified!
Offset  Length  Type
------  ------  ----
0x00040 0x598E0 DL_CFW
0x598E0 0x00410 IAP
0x59CF0 0x16000 DL_SFW
0x6FCF0 0x01100 DL_SHELL
0x70DF0 0x00210 DL_CAPM
0x71000 0x0A000 DL_RAPM
0x7B000 0x05000 DL_SAPM
Flash Byte size : 0x00080000
Entire flash image checksum: 0x44F0 PASS
Done
Are you saying that all names, like rap, cap, sap, are inside the rom.bin file?
AIUI, @eaxi is telling you that these names can be found in the factory logs in the SA. The names of these ROM modules are not present in the ROM, only their IDs.