Seagate Tech Unlock Handshake Key

[mpaoli]

Hi to all HDD Gurus,
I am wondering how to handle ROM patched Seagate DM devices.
Both PC3K and MRT can patch original ROM with one click.

Sending Unlock Key does enable SA access.

We want to handle terminal commands "out of the tools"

Question is how does work handshake command/key ?

EG. Tech Unlock Handshake: 0x0552391E

We tried some CRC 16/32 or XOR combination with no luck.
We are pretty sure CRC tables are not useful as mask.

Thank You !

[pepe]

[fzabkar]

Start by examining the patched and unpatched ROMs with F3RomExplorer. You'll find an extra block of code which can be decompressed. It appears to contain a key or signature of some sort.

[pepe]

unlock with the tool, then connect it to your other terminal and work with it?
I am sure i could work it out but i won't, it does sound like breaching sw licences...
(and i also have my own way to unlock these, so one more reason not to hack it)

pepe

[mpaoli]

pepe, My First Try was opening roms with F3RomExplorer. I didnt't understand anything .I will try to decompress extra bytes following fzabkar suggestions. Of course patching rom or enabling sa access with custom tricks would be interesting. Can you share It ( or some starting point ) ?

[pepe]

Why is it not a solution to unlock it in the tool you have, then attach another terminal and work with the drive freely?

pepe

[mpaoli]

pepe, Usually our PC3K Ports are all Busy of Running Tasks. It would be useful to move to other imaging workstations.
In most cases we need to reload original rom after fixing flags to read device out of the tools.
Anyway it's good learning other methods for a deeper knowledge.
I Attached 2 sample roms original + patched ( in this case we used PC3K ).

Attachments

rosewood_a5_pc3k.zip

(1005.45 KiB) Downloaded 636 times

[fzabkar]

In F3RomExplorer, d-click DL_BFWCTNR 0. This will bring up the next directory level.

D-click DL_BOOTFW and then d-click the second CPRS segment. This will decompress the code.

Now select File -> Save to file -> 0001EC68_File_01_unCPRS.bin

This file now contains the decompressed code.

[mpaoli]

fzabkar, This is and excellent starting point ! I will update you on my researches results. Thank You !

[eiedr]

Hello,

as I had few of those Rosewood drives, I would like to be able to unlock the Terminal. I have seen the differences between Original ROM and Pathed one, but unfortunatelly just for one drive.
I believe that few more pares of Original-Pathed are needed in order to get an ideea about the logic behind pathing. Am I right?

[SWM]

It is better to have the correct RAM dumps of the patched disk.
Than a few copies of ACE Lab dirty laundry.

[sin]

Just sniff what is being sent through the UART. Also what is being sent on the UART while you click unlock button has nothing to do with the unlock key values that the terminal displays after spin up etc.(example, dont connect terminal...spin up the drive, wait for a min or 30 sec to be on safe side, then put your terminal pins and click unlock. It will unlock, so i feel the whole unlock key that the terminal displays is no more used to generate unlock response.)

Also DFL unlocked roms can accept unlock command of PC3k and vice a versa.

If my pc3000 ports are busy or if there seems a drive that requires longer imaging time, i unlock, then i simply swap sata cables to ddi to do HM. If I forget to to that, i could always parse pc3000 map to ddi map

Again DDI is a work horse and i can keep it on for DAYS! Marvelous engineering.

[SWM]

The Ace patch code is absolutely useless without terminal activation.
Studying the activation process and who stole the technique from whom is too long a way.
It's easier to study the already unlocked working code in memory.

[pepe]

It's easier to study the already unlocked working code in memory.

one thing is to find what's changed and another one is to reproduce the change. Unlocking is a complex process, regardless of the fact that the result comes down to a difference of 4 bytes.
Not hard, if you know what to do when and where

pepe

[SWM]

Well, reverse engineering with hints will be faster.
Than searching from scratch in disassembled code.
I looked at the Ace code a few years ago. As soon as the unlocked ROMs appeared in the public.
Perhaps I would have mastered the unlock myself. But why waste time on this if you were only doing repairs.
And repairing disks over 2 TB is not time-efficient. Especially SMR...

[lcoughey]

Unless it changed, I saw the ACE unlock code on my screen once and confirmed that I can type it manually. But, it is not my information to share.

[SWM]

On the screen is a code that starts decoding part of the Ace code.
And this part of the code unlocks the terminal and erase itself after.
Something like this, for a long time looked this code. Plagiarism protection.

And Ace rewrites one exception vector onto itself. Apparently, to increase the rights to access memory. If I remember correctly.

[pepe]

I estimate the complexity of understanding what their code is doing and why to be comparable to understanding the fw components and how to interfere with them, so where's the gain...
you won't understand their code without having some insight in the fw.
I unlocked these before pc3k or any other tools, i only know Doomer who was able to do it prior to that.

pepe

[SWM]

To understand the work of the FW, you need to understand the work of the ARM.
After some time of the reverse of the FW, I switched to the programming of STM32.

And I am in the know how the "cslip" and "eslip" differs.
Disassemble these protocols did not make up great difficulties.
But I strongly doubt that package SG commands could be understood from the reverse of FW ...

[pepe]

commands take you nowhere if you want to unlock them... well, with one exception, which is Lombard... and a few others as far as i remember