In-depth technology research: finding new ways to recover data, accessing firmware, writing programs, reading bits off the platter, recovering data from dust.


Analysis of Samsung F3 firmware update

April 5th, 2014, 23:18

Analysis of Samsung F3 firmware update for AMD SB850 and Intel P67/H67 compatibility problem

Firmware patch/update for certain Samsung F3 and F3EG drives:
http://knowledge.seagate.com/articles/e ... Q/223631en

This patch code is released in order to solve the compatibility problem between some motherboards (the AMD SB850 chipset and the Intel P67/H67 chipset) and Samsung-brand hard drives, F3 and F3EG models only.

This is relevant for Samsung-model internal drives with the following model numbers:

F3.exe - HD323HJ / HD502HJ / HD503HI / HD103SJ / HD105SI
http://www.seagate.com/staticfiles/supp ... ads/F3.exe

To get an idea of how Samsung's updates work, I examined earlier Dell updates for other Samsung models, eg ...

http://ftp.dell.com/ide/R139989.EXE

The update package includes the following:

Code:
1107.EST      - an encoded script file
tk09m.DN2     - the firmware image
sflash24.exe  - the flash utility
UPDATE.BAT    - contains the line "sflash24 /run:1107.est /auto"


Here is the embedded documentation for Samsung's SFLASH firmware update utility:

Code:
SFLASH V5.32  SAMSUNG Electronics Co., Ltd. (C)2000-2009

  ... HDD Microcode Download & Patch Tool for DOS

  [Usage]
    /SCAN           - To scan all PCI IDE HBAs and display them
    /P:<portindex>  - To scan all PCI IDE HBAs and select a specific HBA port
    /DETECT, /AUTO  - To detect all IDE/SATA drives
    /I:<index>      - To select a detected drive
    /COMPAT:xx      - To select a compatible port
      PM - Primary Master (Default)  SM - Secondary Master
      PS - Primary Slave             SS - Secondary Slave
    /RUN:<filename> - Run a script

  [Example]
    A:\SFLASH /RUN:SCR.EST /P:0       - Run SCR.EST to the scanned port 0
    A:\SFLASH /RUN:SCR.EST /AUTO      - Run SCR.EST to all detected drives


Samsung's SpinPoint F3 update appears to pack all the above files into a single EXE.

The first part of the executable (F3.exe) contains SFLASH code that performs the update.

At offset 0x4D800 there is an MFLASH_H header that lists the starting offset and size of 4 embedded firmware images.

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

0004D800  4D 46 4C 41 53 48 5F 48 00 00 04 00 00 D8 04 00  MFLASH_H.....Ø..
0004D810  00 CA 1A 00 D3 02 00 00 00 00 00 00 00 00 00 00  .Ê..Ó...........
0004D820  31 41 4A 45 34 4D 59 4D 2E 31 31 35 00 00 00 00  1AJE4MYM.115....
0004D830  00 00 00 00 00 00 00 00 00 DA 04 00 00 7C 05 00  .........Ú...|..
0004D840  31 41 4A 45 34 4D 59 4D 2E 31 31 36 00 00 00 00  1AJE4MYM.116....
0004D850  00 00 00 00 00 00 00 00 00 56 0A 00 00 7C 05 00  .........V...|..
0004D860  31 41 4A 45 34 4D 59 4D 2E 31 36 35 00 00 00 00  1AJE4MYM.165....
0004D870  00 00 00 00 00 00 00 00 00 D2 0F 00 00 7C 05 00  .........Ò...|..
0004D880  31 41 4A 45 34 4D 59 4D 2E 31 36 36 00 00 00 00  1AJE4MYM.166....
0004D890  00 00 00 00 00 00 00 00 00 4E 15 00 00 7C 05 00  .........N...|..


For example, the first firmware image is 1AJE4MYM.115. It begins at 0x04DA00 and has a size of 0x057C00 bytes.

I believe that the tail end of the EXE file has an encoded script file. It is located at the end of the 4th firmware image. The MFLASH_H entry in the above table points to the location of this file (0x001ACA00), and specifies its length (0x000002D3).

I believe the script file contains instructions for matching the various firmware images against the detected model numbers. Seagate also does it this way. I have managed to decipher Seagate's scripts, but I haven't been able to do the same for Samsung.

The firmware images contain the following HDD model numbers:

Code:
1AJE4MYM.115  --  HD502HJ  --  2 heads, 7200 RPM, SATA 2
1AJE4MYM.116  --  HD103SJ  --  4 heads, 7200 RPM, SATA 2
1AJE4MYM.165  --  HD502HI  --  2 heads, 5400 RPM, SATA 2
1AJE4MYM.166  --  HD103SI  --  4 heads, 5400 RPM, SATA 2


How to interpret Seagate (and Samsung, Maxtor) model numbers:
http://knowledge.seagate.com/articles/e ... Q/204763en

Original article:
http://malthus.zapto.org/viewtopic.php? ... 1986#p1986
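
Added example (not part of the original post and not Samsung's code): a parser for the MFLASH_H table shown in the dump above, with a bounds check before anything is carved out of the EXE. The field layout is inferred from the dump only, and the names `parse_mflash`, `layout_problems` and the `image_count` parameter are hypothetical.

```python
import struct

# Bytes 0x4D800-0x4D89F of F3.exe, copied from the hex dump in the post.
HEADER_OFFSET = 0x4D800
DUMP = bytes.fromhex(
    "4D464C4153485F480000040000D80400"
    "00CA1A00D30200000000000000000000"
    "31414A45344D594D2E31313500000000"
    "000000000000000000DA0400007C0500"
    "31414A45344D594D2E31313600000000"
    "000000000000000000560A00007C0500"
    "31414A45344D594D2E31363500000000"
    "000000000000000000D20F00007C0500"
    "31414A45344D594D2E31363600000000"
    "0000000000000000004E1500007C0500"
)

def parse_mflash(blob, image_count=4):
    """Layout assumed from the dump: 32-byte header with the script
    offset/length at +0x10/+0x14, then 32-byte entries made of a
    24-byte NUL-padded name, u32 LE offset and u32 LE size."""
    if blob[:8] != b"MFLASH_H":
        raise ValueError("MFLASH_H magic not found")
    if len(blob) < 0x20 * (1 + image_count):
        raise ValueError("truncated table")
    script = struct.unpack_from("<II", blob, 0x10)
    images = []
    for i in range(image_count):
        name, off, size = struct.unpack_from("<24sII", blob, 0x20 * (i + 1))
        images.append((name.rstrip(b"\0").decode("ascii"), off, size))
    return images, script

def layout_problems(images, script, header_offset, file_size=None):
    """List inconsistencies that should stop an extractor from trusting the table."""
    problems = []
    cursor = header_offset + 0x20 * (1 + len(images))  # end of the table itself
    for name, off, size in images:
        if off < cursor:
            problems.append(f"{name}: overlaps the previous region")
        cursor = off + size
    if script[0] != cursor:
        problems.append("script does not start where the last image ends")
    if file_size is not None and script[0] + script[1] > file_size:
        problems.append("table points past the end of the file")
    return problems
```

On the dump above this yields four back-to-back images of 0x57C00 bytes each, with the script starting exactly where the fourth image ends.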

Structure of firmware image file

April 5th, 2014, 23:26

Structure of firmware image file, eg 1AJE4MYM.115

Code:
0x00000 - 0x00BFF  -  LFDR or FLDR
0x00A00 - 0x40BFF  -  256KB ROM image
0x40A00 - 0x57BFF  -  MOVLY001


The first 0xA00 bytes of each firmware image file contain what appears to be some kind of flash or firmware loader code. There is an "LFDR" string in the header section. I suspect that this is 16-bit little endian, in which case it would read "FLDR" (LDR = LoaDeR).

The next section appears to be a complete 256KB ROM image. Since the firmware update appears to update the entire ROM, this would suggest that F3 ROMs contain no adaptive data. The remaining 256KB of the ROM (not included in the update) is filled with 0xFF bytes, apart from a small "FIPS" section between offsets 0x70000 - 0x703FF.

The last section appears to be an image of SA firmware module MOVLY001. This is one of the modules loaded into RAM from the System Area after spinup.

Original article:
http://malthus.zapto.org/viewtopic.php? ... 1989#p1989

Analysis of checksums

April 5th, 2014, 23:30

Analysis of checksums

Code:
0x00000 - 0x00BFF  -  LFDR or FLDR
0x00A00 - 0x40BFF  -  256KB ROM image
0x40A00 - 0x57BFF  -  MOVLY001


Each of the above components has a checksum of 0x0000. The sum is computed by adding the 16-bit words in little endian format.

The checksum bytes for MOVLY001 (0x5FC9) are located at the end of the module.

The checksum bytes for the 256K ROM image (0xEFD9) are also located at the end.

The FLDR appears to consist of two sections. The first is the loader code. The second section appears to identify those parts of the firmware that will be targeted by the update, in this case the ROM itself (TT ?) and the MOVLY001 SA module. Each section has its own 16-bit little endian checksum at the end (0xC65D and 0xABC2), and both sections sum to zero.

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  E3 01 00 EA E2 01 00 EA E1 01 00 EA E0 01 00 EA  ã..êâ..êá..êà..ê
00000010  00 70 01 00 00 08 00 00 00 00 00 00 00 00 00 00  .p..............
00000020  4C 46 52 44 07 01 01 0D 00 00 00 00 00 00 00 00  LFRD............
........
000007E0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000007F0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF 5D C6  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿ]Æ


Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000800  54 54 01 00 00 00 00 00 00 00 00 00 00 00 00 00  TT..............
00000810  00 00 00 00 00 00 02 00 01 00 00 00 00 00 00 00  ................
........
000008F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000900  4D 4F 56 4C 59 30 30 31 00 00 01 02 B9 00 00 00  MOVLY001....¹...
00000910  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
........
000009E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000009F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 C2 AB  ..............Â«


Original article:
http://malthus.zapto.org/viewtopic.php? ... 2051#p2051
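
Added example (not part of the original post): the 16-bit little-endian word sum described above, checked against the second FLDR section (0x800-0x9FF) rebuilt from the rows in the dump. It assumes the rows elided as "........" are zero-filled; the function names are hypothetical.

```python
import struct

def sum16le(data):
    """Sum of 16-bit little-endian words, truncated to 16 bits."""
    if len(data) % 2:
        raise ValueError("region length must be even")
    words = struct.unpack("<%dH" % (len(data) // 2), data)
    return sum(words) & 0xFFFF

def trailer_for(body):
    """Checksum word that makes body + trailer sum to 0x0000."""
    return (-sum16le(body)) & 0xFFFF

def check_region(region):
    """Return (ok, stored_trailer, expected_trailer) for one component."""
    stored = struct.unpack_from("<H", region, len(region) - 2)[0]
    expected = trailer_for(region[:-2])
    return stored == expected, stored, expected

def fldr_section2_from_dump():
    """Bytes 0x800-0x9FF of 1AJE4MYM.115, rebuilt from the rows in the post.
    Assumption: every elided row is zero-filled."""
    sec = bytearray(0x200)
    rows = {
        0x000: "54540100" + "00" * 12,                   # "TT" entry
        0x010: "000000000000" + "0200" + "0100" + "00" * 6,
        0x100: "4D4F564C59303031" + "00000102B9000000",  # "MOVLY001" entry
        0x1F0: "00" * 14 + "C2AB",                       # trailing checksum word
    }
    for off, hexrow in rows.items():
        sec[off:off + 16] = bytes.fromhex(hexrow)
    return bytes(sec)

if __name__ == "__main__":
    ok, stored, expected = check_region(fldr_section2_from_dump())
    print(f"section 2: ok={ok} stored=0x{stored:04X} expected=0x{expected:04X}")
```

The rebuilt section sums to 0x0000 with the stored word 0xABC2, which is consistent with the elided rows being zero. A 16-bit additive sum like this detects accidental corruption only; it is not evidence that an image came from the vendor.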

Re: Analysis of Samsung F3 firmware update

January 24th, 2015, 8:53

Great work, thanks

Re: Analysis of Samsung F3 firmware update

January 24th, 2015, 12:04

thank you for sharing