All times are UTC - 5 hours [ DST ]


Forum rules


Please do not post questions about data recovery cases here (use this forum instead). This forum is for topics on finding new ways to recover data. Accessing firmware, writing programs, reading bits off the platter, recovering data from dust...



Post new topic Reply to topic  [ 36 posts ]  Go to page 1, 2  Next
Author Message
 Post subject: Analysis of Seagate F3 Firmware Update
PostPosted: March 24th, 2014, 15:35 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 15440
Location: Australia
Analysis of Seagate F3 Firmware Update

This tutorial is my attempt to understand Seagate's firmware updates. I will be analysing the Moose SD1A update that was issued to address the 7200.11 BSY bug.

Firmware Update for ST3500320AS, ST3500620AS, ST3500820AS, ST3640330AS, ST3640530AS, ST3750330AS, ST3750630AS, ST31000340AS:
http://knowledge.seagate.com/articles/e ... Q/207951en

In particular, I will be using the following bootable CD ISO package which targets 2-platter models such as the ST3500320AS:

http://www.seagate.com/staticfiles/supp ... 6-32MB.iso

IMHO the easiest way to extract the files from the ISO is to use 7-Zip. Alternatively one could use IsoBuster in combination with WinImage.

The ISO contains a file named Bootable_1.44M.img which is a virtual image of a 1.44MB floppy diskette. This floppy image is of a bootable FreeDOS OS. The AUTOEXEC.BAT creates a RAM drive (Turbodsk), copies the files from the CD to the RAM drive, UNZIPs them and then executes FLASH.BAT.

SD1A2D.ZIP contains the actual payload for the update.

It includes SD1A2D.LOD which is the firmware image file.

FLASH.BAT is the batch file that controls the update.

FDL464.EXE is the executable that downloads the firmware to the drive. It is an updated version of Seagate's original SeaFlash utility, and has been packed with UPX.

After unpacking FDL464.EXE, we find the following embedded documentation:
http://www.users.on.net/~fzabkar/FLD464_usage.txt

Code:
Usage: %s <port|#> <0|1|#> [options]
       <port|#>    Flash devices located at the specified base or any, '#',
                   port address.  Port address must be in hexadecimal.
       <0|1|#>     Flash master, '0', slave, '1', or both, '#', devices.
       -f <file>   Specify the filename prefix of the flash files.
                   This defaults to 'seaflash' if not provided.  Filename
                   extensions '.fls', '.ovl', '.crt', and '.tbl' are assumed.
       -c          Send a congen file, fully specified by -f.
       -r          Include the serial flash file when flashing.
       -s          Only send a single file, fully specified by -f.
       -e <rev>    Exclude firmare if this version exists.
       -v          Toggles verbose mode on/off.  Default is off.
       -l          List supported models.
       -u          Feature spin up

Usage: %s <port|#> <0|1|#> [options]
       <port|#>    Flash devices located at the specified base or any, '#',
                   port address.  Port address must be in hexadecimal.
       <0|1|#>     Flash master, '0', slave, '1', or both, '#', devices.
       -e <rev>    Exclude firmare if this version exists.
       -v          Toggles verbose mode on/off.  Default is off.
       -l          List supported models.
       -u          Feature spin up
       -k <UID>    Specify the unique descriptor to flash
       -z          Spin down after flashing (Standby Immediate)

Usage: %s -m <name> [options]
       -m <name>    Specify the model family to flash.
       -f <file>    Specify the filename prefix of the flash files.
                    This defaults to 'seaflash' if not provided.  Filename
                    extensions '.fls', '.ovl', '.crt', and '.tbl' are assumed.
       -g <file>    read a configuration file to get information on whether the 
                    firmware should be downloaded to the specified model drive,
                    please refer to 'cfgreadme.txt'.
       -h <file>    read a configuration file to check valid drive model,
                    firmware version(full name)and firmware file name line by
                    line.if match all the parameters, starts downloading.
                    please refer to 'hcfgreadme.txt'
       -j <file>    encrypt the config file for -h option from *.cfg to *.cfs.
       -o <file>    decrypt the config file for -h option from *.cfs to *.cfg.
       -c           Send a congen file, fully specified by -f.
       -r           Include the serial flash file when flashing.
       -s           Only send a single file, fully specified by -f.
       -p <port>    Only flash devices located at the specified base
                    port address.  Port address must be in hexadecimal.
       -d <0|1>     Only flash master, '0', or slave, '1', devices.
       -e <rev>     Exclude firmare if this version exists.
       -v           Toggles verbose mode on/off.  Default is off.
       -l           List supported family names and models.
       -u           Feature spin up
       -n           Disable Promise 66/100/133 card.
       -b           Segmented download of DLDxx.BIN files , or
                    the -f <file> if specified.
       -w           SMART Clear Logs.
       -t           Diagnostics Unlock Of M2TD.
       -i <Model>   Tolerent or Explicit Model Check.
       -k <UID>     Specify the unique descriptor to flash
       -a <seconds> Specify how long to delay after download complete
       -z           Spin down after flashing (Standby Immediate)

Usage: %s -<target> <datafile> -m <name> [options]
       -<target>   pm, ps, sm, ss (pm = primary master, etc..)
       -m <name>   Specify the model family to flash.
       -c          Send a congen file.
       -r          Include the serial flash file when flashing.
       -s          Only send a single file, fully specified by -f.
       -v          Toggles verbose mode on/off.  Default is off.
       -l          List supported family names and models.
       -b          Segmented download of DLDxx.BIN files or the -f <file> if specified.
       -w          SMART Clear Logs.
       -f <file>   Specify the filename prefix of the flash files.
                   This defaults to 'seaflash' if not provided.  Filename
                   extensions '.fls', '.ovl', '.crt', and '.tbl' are assumed.
       -k <UID>    Specify the unique descriptor to flash.


FLASH.BAT calls FDL464.EXE in either of two ways.

It can either explicitly specify the drive's parameters as follows:

FDL464.EXE -m %family% -f %firmware% -i %model% %options%

... or it can make use of a configuration file to automatically select suitable candidates for the update:

FDL464.EXE -h %cfgfile% %options%

Examples are ...

FDL464.EXE -m Moose -f SD1A2D.LOD -i ST3500320AS -s -x -b -v -a 20

FDL464.EXE -h ms-sd1a.cfs -s -x -b -v -a 20

Seagate's configuration files are encrypted. I don't know why they do this because the encryption algorithm is trivial. It simply involves substituting one ASCII character for another in a consistent manner.

Attached is my decoder software (cfsdecod.exe). It is also available here:

http://www.users.on.net/~fzabkar/HDD/cfsdecod.exe

Seagate uses two encryption schemes which I have identified as "old" and "new".

The subject CD ISO does not include a configuration file, but the original version of this update did.

This was the original "ms-sd1a.cfs" file:
http://www.users.on.net/~fzabkar/ms-sd1a.cfs

Code:
092881
#Vttxj =866.77 Mnxy~ \MM7 gwfshm
#Vttxj =866.77 : mjfi
\]9;66986J\AV\67BB.\MM7.JMBBBB.BMBB.L6OBA8M\M7J.UXMAV\676L.\MM7.JZ7=66.\M7J.L6OO
\]9;66986J\AV\67BB.\MM7.JZ7966.\M7J.L6OOA8M\M7J.UXMAV\676L.\MM7.JZ7=66.\M7J.L6OO
\]9;66986J\AV\67BB.\MM7.M\BBBB.BMBB.L6OBA8M\M7J.UXMAV\676L.\MM7.JZ7=66.\M7J.L6OO
\]9;66986J\AV\67BB.\MM7.MbBBBB.BMBB.L6OBA8M\M7J.UXMAV\676L.\MM7.JZ7=66.\M7J.L6OO

\]9;66<86J\AV\67BB.\MM7.JMBBBB.BMBB.L6OBA8M\M7J.UXMAV\676L.\MM7.JZ7=66.\M7J.L6OO
\]9;66<86J\AV\67BB.\MM7.JZ7966.\M7J.L6OOA8M\M7J.UXMAV\676L.\MM7.JZ7=66.\M7J.L6OO
\]9;66<86J\AV\67BB.\MM7.M\BBBB.BMBB.L6OBA8M\M7J.UXMAV\676L.\MM7.JZ7=66.\M7J.L6OO
\]9;66<86J\AV\67BB.\MM7.MbBBBB.BMBB.L6OBA8M\M7J.UXMAV\676L.\MM7.JZ7=66.\M7J.L6OO

\]9;66>86J\AV\67BB.\MM7.JMBBBB.BMBB.L6OBA8M\M7J.UXMAV\676L.\MM7.JZ7=66.\M7J.L6OO
\]9;66>86J\AV\67BB.\MM7.JZ7966.\M7J.L6OOA8M\M7J.UXMAV\676L.\MM7.JZ7=66.\M7J.L6OO
\]9;66>86J\AV\67BB.\MM7.M\BBBB.BMBB.L6OBA8M\M7J.UXMAV\676L.\MM7.JZ7=66.\M7J.L6OO
\]9;66>86J\AV\67BB.\MM7.MbBBBB.BMBB.L6OBA8M\M7J.UXMAV\676L.\MM7.JZ7=66.\M7J.L6OO

#Vttxj =866.77 < mjfi
\]9=;6996J\AV\67BB.\MM7.JMBBBB.BMBB.KBBBA9M:M\M7J.UXMAV\677K.\MM7.JZ7=66.\M7J.K766
\]9=;6996J\AV\67BB.\MM7.JZ7966.\M7J.K766A9M:M\M7J.UXMAV\677K.\MM7.JZ7=66.\M7J.K766
\]9=;6996J\AV\67BB.\MM7.M\BBBB.BMBB.KBBBA9M:M\M7J.UXMAV\677K.\MM7.JZ7=66.\M7J.K766
\]9=;6<96J\AV\67BB.\MM7.JMBBBB.BMBB.KBBBA9M:M\M7J.UXMAV\677K.\MM7.JZ7=66.\M7J.K766
\]9=;6<96J\AV\67BB.\MM7.JZ7966.\M7J.K766A9M:M\M7J.UXMAV\677K.\MM7.JZ7=66.\M7J.K766
\]9=;6<96J\AV\67BB.\MM7.M\BBBB.BMBB.KBBBA9M:M\M7J.UXMAV\677K.\MM7.JZ7=66.\M7J.K766

#Vttxj =866.77 > mjfi
\]976669:6J\AV\67BB.\MM7.JMBBBB.BMBB.KBBBA9M:M\M7J.UXMAV\677K.\MM7.JZ7=66.\M7J.K766
\]976669:6J\AV\67BB.\MM7.JZ6BBB.BMBB.KBBBA9M:M\M7J.UXMAV\677K.\MM7.JZ7=66.\M7J.K766
\]976669:6J\AV\67BB.\MM7.JZ7966.\M7J.K766A9M:M\M7J.UXMAV\677K.\MM7.JZ7=66.\M7J.K766
\]976669:6J\AV\67BB.\MM7.MbBBBB.BMBB.KBBBA9M:M\M7J.UXMAV\677K.\MM7.JZ7=66.\M7J.K766


Here is the decoded version:
http://www.users.on.net/~fzabkar/MS-SD1A.TXT

Code:
092881
;Moose 7200.11 Disty SDD1 branch
;Moose 7200.11 4 head
ST3500320AS MS01??.SDD1.AD????.?D??.C0F? 2DSD1A.LOD MS010C.SDD1.AQ1700.SD1A.C0FF
ST3500320AS MS01??.SDD1.AQ1300.SD1A.C0FF 2DSD1A.LOD MS010C.SDD1.AQ1700.SD1A.C0FF
ST3500320AS MS01??.SDD1.DS????.?D??.C0F? 2DSD1A.LOD MS010C.SDD1.AQ1700.SD1A.C0FF
ST3500320AS MS01??.SDD1.DY????.?D??.C0F? 2DSD1A.LOD MS010C.SDD1.AQ1700.SD1A.C0FF

ST3500620AS MS01??.SDD1.AD????.?D??.C0F? 2DSD1A.LOD MS010C.SDD1.AQ1700.SD1A.C0FF
ST3500620AS MS01??.SDD1.AQ1300.SD1A.C0FF 2DSD1A.LOD MS010C.SDD1.AQ1700.SD1A.C0FF
ST3500620AS MS01??.SDD1.DS????.?D??.C0F? 2DSD1A.LOD MS010C.SDD1.AQ1700.SD1A.C0FF
ST3500620AS MS01??.SDD1.DY????.?D??.C0F? 2DSD1A.LOD MS010C.SDD1.AQ1700.SD1A.C0FF

ST3500820AS MS01??.SDD1.AD????.?D??.C0F? 2DSD1A.LOD MS010C.SDD1.AQ1700.SD1A.C0FF
ST3500820AS MS01??.SDD1.AQ1300.SD1A.C0FF 2DSD1A.LOD MS010C.SDD1.AQ1700.SD1A.C0FF
ST3500820AS MS01??.SDD1.DS????.?D??.C0F? 2DSD1A.LOD MS010C.SDD1.AQ1700.SD1A.C0FF
ST3500820AS MS01??.SDD1.DY????.?D??.C0F? 2DSD1A.LOD MS010C.SDD1.AQ1700.SD1A.C0FF

;Moose 7200.11 6 head
ST3750330AS MS01??.SDD1.AD????.?D??.B??? 3D4DSD1A.LOD MS011B.SDD1.AQ1700.SD1A.B100
ST3750330AS MS01??.SDD1.AQ1300.SD1A.B100 3D4DSD1A.LOD MS011B.SDD1.AQ1700.SD1A.B100
ST3750330AS MS01??.SDD1.DS????.?D??.B??? 3D4DSD1A.LOD MS011B.SDD1.AQ1700.SD1A.B100
ST3750630AS MS01??.SDD1.AD????.?D??.B??? 3D4DSD1A.LOD MS011B.SDD1.AQ1700.SD1A.B100
ST3750630AS MS01??.SDD1.AQ1300.SD1A.B100 3D4DSD1A.LOD MS011B.SDD1.AQ1700.SD1A.B100
ST3750630AS MS01??.SDD1.DS????.?D??.B??? 3D4DSD1A.LOD MS011B.SDD1.AQ1700.SD1A.B100

;Moose 7200.11 8 head
ST31000340AS MS01??.SDD1.AD????.?D??.B??? 3D4DSD1A.LOD MS011B.SDD1.AQ1700.SD1A.B100
ST31000340AS MS01??.SDD1.AQ0???.?D??.B??? 3D4DSD1A.LOD MS011B.SDD1.AQ1700.SD1A.B100
ST31000340AS MS01??.SDD1.AQ1300.SD1A.B100 3D4DSD1A.LOD MS011B.SDD1.AQ1700.SD1A.B100
ST31000340AS MS01??.SDD1.DY????.?D??.B??? 3D4DSD1A.LOD MS011B.SDD1.AQ1700.SD1A.B100


Each line of the configuration file has the following syntax:

<model number> <original firmware package version> <firmware file> <final package version>

The SD1A update is intended to be applied to drives with the following firmware versions:

AD14, SD15, SD16, SD17, SD18, SD19, SD81

However, as can be seen in the configuration file, there are certain SD1A package versions that are themselves updated by the SD1A update.

Here are other examples of decoded configuration files:

http://www.users.on.net/~fzabkar/6HSD4B.TXT
http://www.users.on.net/~fzabkar/BR-SD1B.TXT
http://www.users.on.net/~fzabkar/Brinks_3D6H_SD3B.txt
http://www.users.on.net/~fzabkar/dell_fw_cfg.txt
http://www.users.on.net/~fzabkar/HDD/4HCFGPRE.TXT
http://www.users.on.net/~fzabkar/HDD/6HSD4B.TXT
http://www.users.on.net/~fzabkar/HDD/8HCFGSD1.TXT
http://www.users.on.net/~fzabkar/HDD/AN-SD23.TXT
http://www.users.on.net/~fzabkar/HDD/AN-SD23X.TXT
http://www.users.on.net/~fzabkar/HDD/AN-SD24.TXT
http://www.users.on.net/~fzabkar/HDD/AN-SD25.TXT
http://www.users.on.net/~fzabkar/HDD/AN-SD26.TXT
http://www.users.on.net/~fzabkar/HDD/AN-SD28.TXT
http://www.users.on.net/~fzabkar/HDD/BG-CC32.TXT
http://www.users.on.net/~fzabkar/HDD/BR4HSD3B.TXT
http://www.users.on.net/~fzabkar/HDD/BRNKMOOS.TXT
http://www.users.on.net/~fzabkar/HDD/Brinks_1HSD2B.TXT
http://www.users.on.net/~fzabkar/HDD/Brinks_2HSD2B.TXT
http://www.users.on.net/~fzabkar/HDD/GR-CC4H.TXT
http://www.users.on.net/~fzabkar/HDD/GRCC4CD9.TXT
http://www.users.on.net/~fzabkar/HDD/JC47.TXT
http://www.users.on.net/~fzabkar/HDD/JC49.TXT
http://www.users.on.net/~fzabkar/HDD/JC49_STANDARD.TXT
http://www.users.on.net/~fzabkar/HDD/JC4A.TXT
http://www.users.on.net/~fzabkar/HDD/PH-CC3D.TXT
http://www.users.on.net/~fzabkar/HDD/PH-CC3E.TXT
http://www.users.on.net/~fzabkar/HDD/PH-CC46.TXT
http://www.users.on.net/~fzabkar/HDD/PH-CC49.TXT
http://www.users.on.net/~fzabkar/HDD/SN06BCFG.TXT
http://www.users.on.net/~fzabkar/HDD/SN06CCFG.TXT
http://www.users.on.net/~fzabkar/HDD/SN16BCFG.TXT
http://www.users.on.net/~fzabkar/HDD/SN16CCFG.TXT

Users will sometimes find that a drive which appears to be a suitable candidate for an update will be rejected by the updater. This is because its existing firmware package version isn't a match for any that are called out in the configuration file.

For example, see the qualifying entries for ST2000DM001 models with firmware version CC49 in the following update matrix:

http://www.users.on.net/~fzabkar/HDD/GRCC4CD9.TXT

ST2000DM001-9YN164;GR75?C.CCD4.BD01AR.CC49.C399;GRCC4C4H.LOD;GR753C.CCD4.BD02AR.CC4C.C39A

ST2000DM001-9YN164;GR75?D.CCD4.BD01AR.CC49.D399;GRCC4C6H.LOD;GR753D.CCD4.BD02AR.CC4C.D39A

ST2000DM001-9YN164;GR75?C.CCD4.BD01AR.CC49.D399;GRCC4C6H.LOD;GR753D.CCD4.BD02AR.CC4C.D39A

CC49 firmware that doesn't match any of the above 3 entries will not qualify for the update and will be rejected.


References:

UPX: the Ultimate Packer for eXecutables:
http://upx.sourceforge.net/

7-Zip:
http://www.7-zip.org/

IsoBuster:
http://www.isobuster.com/

WinImage:
http://www.winimage.com/

Original article:
http://malthus.zapto.org/viewtopic.php? ... 3165#p3165

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: Analysis of Seagate F3 Firmware Update
PostPosted: July 7th, 2015, 16:43 
Offline

Joined: July 2nd, 2015, 13:17
Posts: 17
Location: Ottawa, Canada
Can you post the source code for http://www.users.on.net/~fzabkar/HDD/cfsdecod.exe? Because it won't run on Win 7 x64. But if it's just implementing a simple substitution cipher, I expect I can just compile it myself for my machine. Thanks in advance.


Top
 Profile  
 
 Post subject: Re: Analysis of Seagate F3 Firmware Update
PostPosted: July 7th, 2015, 17:00 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 15440
Location: Australia
It's a DOS program. It should run in a DOS box under Windows.

BTW, you don't need IsoBuster or WinImage. 7-Zip can extract everything.

Also be aware that the latest updates use a more complicated cipher which I haven't managed to work out.

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: Analysis of Seagate F3 Firmware Update
PostPosted: July 7th, 2015, 17:21 
Offline

Joined: July 2nd, 2015, 13:17
Posts: 17
Location: Ottawa, Canada
Since you've already essentially shown one of the algorithms (byte +/- 0x9, with some modulo) is there any reason not to post the src, so that people don't have to run under DOS?


Top
 Profile  
 
 Post subject: Re: Analysis of Seagate F3 Firmware Update
PostPosted: July 7th, 2015, 18:23 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 15440
Location: Australia
cbcb wrote:
Since you've already essentially shown one of the algorithms (byte +/- 0x9, with some modulo) is there any reason not to post the src, so that people don't have to run under DOS?

Embarrassment.

I'm not a programmer, so the code is ugly. Secondly, it was written in the DOS 6.22 version of QBasic which does not have support for byte variables among other things, so I had to do some horrible kludging.

In any case I can't find it on my current drive, so I would have to dig through my backup DVDs. I had been meaning to rewrite it in FreeBasic but never got around to it.

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: Analysis of Seagate F3 Firmware Update
PostPosted: July 8th, 2015, 16:01 
Offline

Joined: July 2nd, 2015, 13:17
Posts: 17
Location: Ottawa, Canada
Makes sense to me :) Thanks for the honest reply


Top
 Profile  
 
 Post subject: Re: Analysis of Seagate F3 Firmware Update
PostPosted: September 9th, 2015, 17:16 
Offline

Joined: September 17th, 2012, 13:42
Posts: 61
Location: Europe
cbcb wrote:
Can you post the source code for http://www.users.on.net/~fzabkar/HDD/cfsdecod.exe? Because it won't run on Win 7 x64. But if it's just implementing a simple substitution cipher, I expect I can just compile it myself for my machine. Thanks in advance.

Compile?
Well, we Linux people need not "compile" this stuff. I managed to decode fzabkar's original file (thanks for sharing your work!!) just by the following awk program executed on my shell:

Code:
#!/usr/bin/awk
@load "ordchr"
# decode.awk
NR>9
BEGIN { ORS="" }
{   o = ord(substr(RT,1));
    odiff = 0;
    if (RT)
       {
         if (o>47&&o<65) odiff=6
           else if (o==35) odiff=-24
              else if (o==65) odiff=33
                  else if (o==66) odiff=3
                     else if (o>98) odiff=5
                        else if (o!=10 && o!=32 && o!=46) odiff=9
            printf chr(o-odiff)
     }}  RS="[[:print:][:space:]]"

and here's the one-liner version for the "code-golfers" :)

Code:
$ head -1 ms-sd1a.cfs && awk -n '@load "ordchr"; NR>9 { o=ord(substr(RT,1)); odiff=0; if (RT) { if (o>47&&o<65) odiff=6; else if (o==35) odiff=-24; else if (o==65) odiff=33; else if (o==66) odiff=3; else if (o>98) odiff=5; else if (o!=10 && o!=32 && o!=46) odiff=9; printf chr(o-odiff)""}}' RS="[[:print:][:space:]]" ms-sd1a.cfs

It's still very hackish, I can't deny. But for heck, it works. :P

The human-readable version must be called like this:

Code:
$ head -1 encodedfile.cfs && awk -nf dec.awk encodedfile.cfs


Yes the "head -1" thing is a kludge, but it IS very important that the first line with the non-encoded number is not touched at all.
And since we're working with a custom-defined record separator RS, it is not certain whether the "EOL==newline" criteria will always match reliably enough. But any improvements are welcome, of course.


Top
 Profile  
 
 Post subject: Re: Analysis of Seagate F3 Firmware Update
PostPosted: September 10th, 2015, 3:53 
Offline

Joined: October 24th, 2005, 17:04
Posts: 242
script for ZOC
http://rusfolder.com/44193995


Top
 Profile  
 
 Post subject: Re: Analysis of Seagate F3 Firmware Update
PostPosted: September 10th, 2015, 21:00 
Offline

Joined: September 17th, 2012, 13:42
Posts: 61
Location: Europe
Thanks for your work, Moltke. Unfortunately I'm a total rookie at Rexx...whilst a colleague of mine has been working for IBM since 20+ years, no wonder he is a guru at this language ;)
BTW, why haven't you ever considered uploading it to http://pastebin.com instead? This iFolder thing is a total nightmare in the free version; plus, you must be able to read Russian to figure out what to do to download.


Top
 Profile  
 
 Post subject: Re: Analysis of Seagate F3 Firmware Update
PostPosted: September 10th, 2015, 21:46 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 15440
Location: Australia
I don't know if this is the latest version ...

http://www.hddoracle.com/viewtopic.php?f=113&t=815

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: Analysis of Seagate F3 Firmware Update
PostPosted: September 11th, 2015, 7:24 
Offline

Joined: October 24th, 2005, 17:04
Posts: 242
syntaxerror
Thanks for your work, Moltke.
Thank you fzabkar and syntaxerror


Attachments:
CFS2.zip [1.13 KiB]
Downloaded 1413 times
Top
 Profile  
 
 Post subject: Re: Analysis of Seagate F3 Firmware Update
PostPosted: January 15th, 2016, 7:35 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 15440
Location: Australia
Later firmware updates used a different substitution algorithm. See example in attachment.

Code:
encod  decod  diff  ASCII
--------------------------------------------------
08-17  70-7F  +68   p-z {|}~ 0xFF
18-27  60-6F  +48   ` a-o
28-37  50-5F  +28   P-Z [\]^_
38-47  40-4F  +8    @ A-O
48-57  30-3F  -18   0-9 :;<=>?
58-67  20-2F  -38   space !"#$%&'()*+,-./
68-77  10-1F  -58   control chars
78-87  00-0F  -78   LF CR  and other control chars

    outbyt = inbyt + 0x68 - LShift( RShift(inbyt,4), 5 )

The most recent updates use stronger encryption.


Attachments:
Barracuda-GRCC9D.rar [651 Bytes]
Downloaded 1417 times

_________________
A backup a day keeps DR away.
Top
 Profile  
 
 Post subject: Re: Analysis of Seagate F3 Firmware Update
PostPosted: January 16th, 2016, 15:32 
Offline

Joined: October 24th, 2005, 17:04
Posts: 242
ok.update


Attachments:
CFS3.zip [2.81 KiB]
Downloaded 1491 times
Top
 Profile  
 
 Post subject: Re: Analysis of Seagate F3 Firmware Update
PostPosted: January 16th, 2016, 23:07 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 15440
Location: Australia
Do you want to try decoding the latest format (GrenadaBP-CC29-CC49)?


Attachments:
GPCC2949.zip [590 Bytes]
Downloaded 1337 times

_________________
A backup a day keeps DR away.
Top
 Profile  
 
 Post subject: Re: Analysis of Seagate F3 Firmware Update
PostPosted: January 17th, 2016, 9:21 
Offline

Joined: October 24th, 2005, 17:04
Posts: 242
fzabkar wrote:
Do you want to try decoding the latest format (GrenadaBP-CC29-CC49)?

ok.

Interestingly STECon supports '092881' -algorithm and does not support the '020410'


Top
 Profile  
 
 Post subject: Re: Analysis of Seagate F3 Firmware Update
PostPosted: January 17th, 2016, 10:03 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 15440
Location: Australia
I haven't tried executing the GrenadaBP-CC29-CC49 update, but I know that earlier FreeDOS based updates unpacked the software and LOD files into a RAM drive. I'm wondering whether the Linux based updater also uses a RAM drive. If so, then perhaps the decoded CFS file is written to a temp file on the RAM drive. If you abort the update script, then maybe you will see this temp file.

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: Analysis of Seagate F3 Firmware Update
PostPosted: January 17th, 2016, 16:57 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 15440
Location: Australia
The LOD and CFS files in the latest Linux based update ISOs can be found in the "stelogs" directory, eg ...

ISOboot-SeagateFirmwareUpdate.Barracuda-GrenadaBP-CC29-CC49.anat-31205.iso\isolinux\tinycore_Seagate.gz\tinycore_Seagate\root\stelogs\

    GBP2TBCC29.LOD
    GBP1TBCC49.LOD
    GBP3TBCC29.LOD
    GPCC2949.CFS

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: Analysis of Seagate F3 Firmware Update
PostPosted: January 18th, 2016, 1:18 
Offline

Joined: October 24th, 2005, 17:04
Posts: 242
fzabkar wrote:
I haven't tried executing the GrenadaBP-CC29-CC49 update, but I know that earlier FreeDOS based updates unpacked the software and LOD files into a RAM drive. I'm wondering whether the Linux based updater also uses a RAM drive. If so, then perhaps the decoded CFS file is written to a temp file on the RAM drive. If you abort the update script, then maybe you will see this temp file.

until I see that the title is compared with the '092881', but the code is very bulky and heavy .... I doubt that I will be able to understand the conversion. :oops:


Top
 Profile  
 
 Post subject: Re: Analysis of Seagate F3 Firmware Update
PostPosted: January 19th, 2016, 5:57 
Offline

Joined: October 24th, 2005, 17:04
Posts: 242
fzabkar
see file
7zip(SeagateFirmwareUpdate.Barracuda-GrenadaBP-CC29-CC49.sg-SFX)==>SeagateFirmwareUpdate.Barracuda-GrenadaBP-CC29-CC49

maybe there CFS described parts :?:


Top
 Profile  
 
 Post subject: Re: Analysis of Seagate F3 Firmware Update
PostPosted: January 19th, 2016, 7:41 
Offline

Joined: October 24th, 2005, 17:04
Posts: 242
maybe it DES
Code:
_shadow_DES_check_key


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 36 posts ]  Go to page 1, 2  Next

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: No registered users and 6 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
cron
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group