All times are UTC - 5 hours [ DST ]

 Post subject: "Playing" with ATA passwords and HRT ATA Terminal :
Posted: March 30th, 2015, 19:29
Original Article here :

In this experiment I'm going to exemplify, using the HRT ATA Terminal, how an ATA password is set on a drive to lock it up and how it's possible to remove it when the password is known.

While I'm using for this experiment my HRT card (that I consider to be the best tool ever made for HDD firmware research) the following demonstration can be executed as well with other tools that provide direct I/O to the drive ATA interface and allow sending ATA commands to the drive.

For demonstration purposes only I'm using my old Quantum AS drive and some VSC (Vendor Specific Commands) to verify the experiment steps, but the basic understanding of how ATA passwords work can be applied to all modern drives, and the commands to Lock, Unlock and Remove the password from the drive are ATA standard and NOT vendor specific.

Hope that you enjoy this demonstration and that you can learn something new.

Let's start by locking my test drive with the User password "Spildit" using Victoria for Windows :

[Image: 1.png]

As we can see my drive is now locked by ATA password.

[Image: 2.png]

Let's confirm it.

I'm going to issue a Quantum Vendor Specific Command by the use of a "Super" non-standard ATA terminal that will send a specific "string" of vendor specific commands to the drive to "read" a CP containing the ATA User and Master passwords. This is NOT a standard ATA command and as such depends upon the drive we are using. I'm just posting this step as a confirmation of the presence of the ATA password on the drive CP/Firmware.

We issue the "Super On" to place the drive in a mode to accept VSC, then we issue a command to read from the drive the CD number 15 (0F in HEX) that contains the passwords. Then we dump the buffer.

[Image: 3.png]

As we can see our password is displayed :)

[Image: 4.png]

Now that we know our password let's just unlock the drive and disable the password using STANDARD ATA commands.

What I'm going to do next is NOT vendor specific and can be used on ANY modern drive as long as you know the ATA password, even if the password is a non-readable hex string :

Using the option to "Make Buffer" I create a "buffer" of 512 bytes (a sector-size buffer) to be sent to the drive and dump it.

[Image: 5.png]

As I'm going to use a "User" password I leave the first 2 bytes of my buffer as 00 and fill in the password that I want to use, either in HEX or ASCII. In this example I'm going to use "Spildit" as it's the correct password for my drive. Then I close the Buffer window and I will have a Buffer ready to be sent to the drive.

[Image: 6.png]

Now I issue the Security Unlock ATA standard command and wait for the drive to light the DRQ status. DRQ is "Data Request" and means that there is a request for data transfer to/from the buffer. As soon as I confirm that the drive is waiting to get data I send my Buffer with the password and the drive goes back to DRDY and DSC. This means the command was accepted with success and there was no error with it. Now the drive should be unlocked.

[Image: 7.png]

Finally I repeat the same step but this time with the standard ATA command to REMOVE/DISABLE the ATA password. While the command to unlock the drive will only last until the drive is powered off and on again, disabling the ATA password will make the drive unlocked even when it's re-powered. Yet it's important to remember that on the majority of drives it's necessary to unlock first and only then will the drive accept the command to disable the password. This might not be true for all drives.

[Image: 8.png]

Now we do an ATA reset or we power off - on the drive using the integrated HRT hardware power switching relay and as we can see, the drive is no longer locked by ATA password.

[Image: 9.png]

[Image: 10.png]

In this small experiment I've demonstrated how a known ATA password can be sent to the drive using direct I/O and standard ATA commands in order to unlock the drive and remove the password.

Hope that you enjoyed this small guide and learned something new from it.

Regards !

The HDD Oracle - Platform for OPEN research on Data Recovery.
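
The 512-byte password buffer and the DRQ / DRDY / DSC status checks described in the post, as an added example that is not part of the original post or of the HRT software. The function names and the zero padding of the password field are assumptions, and no drive I/O is performed: the code only builds the buffer and interprets status-register values.

```python
# Added example: ATA security data block layout and status-register decoding.
SECTOR_SIZE = 512      # one sector, as created by "Make Buffer" in the post
PASSWORD_LEN = 32      # password field: bytes 2..33 (words 1-16) of the block

# Status register bits named in the post, plus BSY and ERR.
STATUS_BITS = {0x80: "BSY", 0x40: "DRDY", 0x10: "DSC", 0x08: "DRQ", 0x01: "ERR"}


def build_security_block(password: bytes, master: bool = False) -> bytes:
    """Build the data block sent after Security Unlock / Disable Password."""
    if not 0 < len(password) <= PASSWORD_LEN:
        raise ValueError("password must be 1..32 bytes")
    block = bytearray(SECTOR_SIZE)
    # Word 0, bit 0 selects the password: 0 = User, 1 = Master.
    # Words are little-endian, so the bit lands in byte 0.
    block[0] = 0x01 if master else 0x00
    # Assumption: unused password bytes stay 0x00. A password set by
    # another tool may have been padded or encoded differently.
    block[2:2 + len(password)] = password
    return bytes(block)


def decode_status(status: int) -> list:
    """Return the names of the status bits that are set."""
    return [name for bit, name in STATUS_BITS.items() if status & bit]


def ready_for_data(status: int) -> bool:
    """Drive is not busy and has raised DRQ: it is waiting for the buffer."""
    return not status & 0x80 and bool(status & 0x08)


def command_succeeded(status: int) -> bool:
    """Drive is back to DRDY with BSY, DRQ and ERR all clear."""
    return status & 0xC9 == 0x40


if __name__ == "__main__":
    user_block = build_security_block(b"Spildit")
    print(user_block[:16].hex(" "))                    # header + ASCII password
    # Constructed non-printable password, given as a hex string.
    hex_block = build_security_block(bytes.fromhex("00ff10a5"))
    print(hex_block[:8].hex(" "))
    for status in (0x58, 0x50, 0x51):                  # constructed sample values
        print(hex(status), decode_status(status),
              ready_for_data(status), command_succeeded(status))
```
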