Tools for hard drive diagnostics, repair, and data recovery

reading data with MHDD scripts

February 28th, 2009, 16:35

Alright, so I can read the first 100 sectors of a drive with this script which was included with mhdd 4.5.

Code:
regs = 00 100 00 00 00 $e0 $20
waitnbsy
checkerr
checkdrq
sectorsto = lba0-99.bin


How would I go about modifying this script to read an arbitrary amount of data to a file? Would I have to read 256 sectors from start position 0, then read 256 from start position 256, and so on?

Re: reading data with MHDD scripts

February 28th, 2009, 16:52

Let me amend that by saying... I know it is possible that way, but is there a better way? Also, how can I get it to append the file instead of making a new one every time?

Re: reading data with MHDD scripts

May 20th, 2009, 15:29

Any chance of a follow up about writing data with MHDD scripts
Both to normal sectors and especially to selected SA blocks

eg block 42 as per the opposite of the following read script

; rm modul id 42
reset
waitnbsy
regs = $57 $44 $43 $00 $00 $a0 $8a
waitnbsy
regs = $00 $02 $00 $00 $0F $E0 $21
waitnbsy
checkdrq
sectorsto = 42.bin
; End.


Thanks

Re: reading data with MHDD scripts

May 20th, 2009, 16:00

You will have to modify the

regs = $00 $02 $00 $00 $0F $E0 $21


To include the WD vendor-specific command to write to that sector.

Example using FUJITSU MPG:

Valid_mode= 0000 fa 43 42 41 40 a0 c1
Read_ram_01_DM= 0000 01 02 00 00 00 00 c2
Read_hdd_01_DM= 0000 01 01 00 00 00 00 c2
Write_ram_01_DM= 0000 01 02 00 00 00 a0 64
Write_hdd_01_DM= 0000 01 01 00 00 00 a0 64
Read_ram_02_PL= 0000 02 02 00 00 00 00 c2
Read_hdd_02_PL= 0000 02 01 00 00 00 00 c2
Write_ram_02_PL= 0000 02 02 00 00 00 a0 64
Write_hdd_02_PL= 0000 02 01 00 00 00 a0 64
Read_ram_03_TS= 0000 03 02 00 00 00 00 c2
Read_hdd_03_TS= 0000 03 01 00 00 00 00 c2
Write_ram_03_TS= 0000 03 02 00 00 00 a0 64
Write_hdd_03_TS= 0000 03 01 00 00 00 a0 64
Read_ram_04_HS= 0000 04 02 00 00 00 00 c2
Read_hdd_04_HS= 0000 04 01 00 00 00 00 c2
Write_ram_04_HS= 0000 04 02 00 00 00 a0 64
Write_hdd_04_HS= 0000 04 01 00 00 00 a0 64
Read_ram_05_FI= 0000 05 02 00 00 00 00 c2
Read_hdd_05_FI= 0000 05 01 00 00 00 00 c2
Write_ram_05_FI= 0000 05 02 00 00 00 a0 64
Write_hdd_05_FI= 0000 05 01 00 00 00 a0 64
Read_ram_06_DT= 0000 06 02 00 00 00 00 c2
Read_hdd_06_DT= 0000 06 01 00 00 00 00 c2
Write_ram_06_DT= 0000 06 02 00 00 00 a0 64
Write_hdd_06_DT= 0000 06 01 00 00 00 a0 64
Read_ram_07_SI= 0000 07 02 00 00 00 00 c2
Read_hdd_07_SI= 0000 07 01 00 00 00 00 c2
Write_ram_07_SI= 0000 07 02 00 00 00 a0 64
Write_hdd_07_SI= 0000 07 01 00 00 00 a0 64
Read_ram_08_SN= 0000 08 02 00 00 00 00 c2
Read_hdd_08_SN= 0000 08 01 00 00 00 00 c2
Write_ram_08_SN= 0000 08 02 00 00 00 a0 64
Write_hdd_08_SN= 0000 08 01 00 00 00 a0 64
Read_ram_09= 0000 09 02 00 00 00 00 c2
Read_hdd_09= 0000 09 01 00 00 00 00 c2
Write_ram_09= 0000 09 02 00 00 00 a0 64
Write_hdd_09= 0000 09 01 00 00 00 a0 64
Read_ram_0A= 0000 0A 02 00 00 00 00 c2
Read_hdd_0A= 0000 0A 01 00 00 00 00 c2
Write_ram_0A= 0000 0A 02 00 00 00 a0 64
Write_hdd_0A= 0000 0A 01 00 00 00 a0 64
Read_ram_0B= 0000 0B 02 00 00 00 00 c2
Read_hdd_0B= 0000 0B 01 00 00 00 00 c2
Write_ram_0B= 0000 0B 02 00 00 00 a0 64
Write_hdd_0B= 0000 0B 01 00 00 00 a0 64
Read_ram_0C_SM= 0000 0C 02 00 00 00 00 c2
Read_hdd_0C_SM= 0000 0C 01 00 00 00 00 c2
Write_ram_0C_SM= 0000 0C 02 00 00 00 a0 64
Write_hdd_0C_SM= 0000 0C 01 00 00 00 a0 64
Read_ram_0D_SU= 0000 0D 02 00 00 00 00 c2
Read_hdd_0D_SU= 0000 0D 01 00 00 00 00 c2
Write_ram_0D_SU= 0000 0D 02 00 00 00 a0 64
Write_hdd_0D_SU= 0000 0D 01 00 00 00 a0 64
Read_ram_0E_CI= 0000 0E 02 00 00 00 00 c2
Read_hdd_0E_CI= 0000 0E 01 00 00 00 00 c2
Write_ram_0E_CI= 0000 0E 02 00 00 00 a0 64
Write_hdd_0E_CI= 0000 0E 01 00 00 00 a0 64
Read_ram_10_SCH= 0000 10 02 00 00 00 00 c2
Read_hdd_10_SCH= 0000 10 01 00 00 00 00 c2
Write_ram_10_SCH= 0000 10 02 00 00 00 a0 64
Write_hdd_10_SCH= 0000 10 01 00 00 00 a0 64
Read_ram_11_SEQ= 0000 11 02 00 00 00 00 c2
Read_hdd_11_SEQ= 0000 11 01 00 00 00 00 c2
Write_ram_11_SEQ= 0000 11 02 00 00 00 a0 64
Write_hdd_11_SEQ= 0000 11 01 00 00 00 a0 64
Read_ram_12_WTP= 0000 12 02 00 00 00 00 c2
Read_hdd_12_WTP= 0000 12 01 00 00 00 00 c2
Write_ram_12_WTP= 0000 12 02 00 00 00 a0 64
Write_hdd_12_WTP= 0000 12 01 00 00 00 a0 64
Read_ram_13_END= 0000 13 02 00 00 00 00 c2
Read_hdd_13_END= 0000 13 01 00 00 00 00 c2
Write_ram_13_END= 0000 13 02 00 00 00 a0 64
Write_hdd_13_END= 0000 13 01 00 00 00 a0 64
Read_ram_14_ECT= 0000 14 02 00 00 00 00 c2
Read_hdd_14_ECT= 0000 14 01 00 00 00 00 c2
Write_ram_14_ECT= 0000 14 02 00 00 00 a0 64
Write_hdd_14_ECT= 0000 14 01 00 00 00 a0 64
Read_ram_15= 0000 15 02 00 00 00 00 c2
Read_hdd_15= 0000 15 01 00 00 00 00 c2
Write_ram_15= 0000 15 02 00 00 00 a0 64
Write_hdd_15= 0000 15 01 00 00 00 a0 64
Read_ram_16_SVE= 0000 16 02 00 00 00 00 c2
Read_hdd_16_SVE= 0000 16 01 00 00 00 00 c2
Write_ram_16_SVE= 0000 16 02 00 00 00 a0 64
Write_hdd_16_SVE= 0000 16 01 00 00 00 a0 64
Read_ram_17_TAM= 0000 17 02 00 00 00 00 c2
Read_hdd_17_TAM= 0000 17 01 00 00 00 00 c2
Write_ram_17_TAM= 0000 17 02 00 00 00 a0 64
Write_hdd_17_TAM= 0000 17 01 00 00 00 a0 64
Read_ram_18_DPT= 0000 18 02 00 00 00 00 c2
Read_hdd_18_DPT= 0000 18 01 00 00 00 00 c2
Write_ram_18_DPT= 0000 18 02 00 00 00 a0 64
Write_hdd_18_DPT= 0000 18 01 00 00 00 a0 64
Read_ram_1A_TS= 0000 1A 02 00 00 00 00 c2
Read_hdd_1A_TS= 0000 1A 01 00 00 00 00 c2
Write_ram_1A_TS= 0000 1A 02 00 00 00 a0 64
Write_hdd_1A_TS= 0000 1A 01 00 00 00 a0 64
Read_ram_1B_PL= 0000 1B 02 00 00 00 00 c2
Read_hdd_1B_PL= 0000 1B 01 00 00 00 00 c2
Write_ram_1B_PL= 0000 1B 02 00 00 00 a0 64
Write_hdd_1B_PL= 0000 1B 01 00 00 00 a0 64
Read_ram_1C_RRO= 0000 1C 02 00 00 00 00 c2
Read_hdd_1C_RRO= 0000 1C 01 00 00 00 00 c2
Write_ram_1C_RRO= 0000 1C 02 00 00 00 a0 64
Write_hdd_1C_RRO= 0000 1C 01 00 00 00 a0 64
Read_ram_1D= 0000 1D 02 00 00 00 00 c2
Read_hdd_1D= 0000 1D 01 00 00 00 00 c2
Write_ram_1D= 0000 1D 02 00 00 00 a0 64
Write_hdd_1D= 0000 1D 01 00 00 00 a0 64
Read_ram_1E= 0000 1E 02 00 00 00 00 c2
Read_hdd_1E= 0000 1E 01 00 00 00 00 c2
Write_ram_1E= 0000 1E 02 00 00 00 a0 64
Write_hdd_1E= 0000 1E 01 00 00 00 a0 64
Read_ram_1F_REC= 0000 1F 02 00 00 00 00 c2
Read_hdd_1F_REC= 0000 1F 01 00 00 00 00 c2
Write_ram_1F_REC= 0000 1F 02 00 00 00 a0 64
Write_hdd_1F_REC= 0000 1F 01 00 00 00 a0 64
Read_ram_20= 0000 20 02 00 00 00 00 c2
Read_hdd_20= 0000 20 01 00 00 00 00 c2
Write_ram_20= 0000 20 02 00 00 00 a0 64
Write_hdd_20= 0000 20 01 00 00 00 a0 64
Read_ram_27= 0000 27 02 00 00 00 00 c2
Read_hdd_27= 0000 27 01 00 00 00 00 c2
Write_ram_27= 0000 27 02 00 00 00 a0 64
Write_hdd_27= 0000 27 01 00 00 00 a0 64
Read_ram_28= 0000 28 02 00 00 00 00 c2
Read_hdd_28= 0000 28 01 00 00 00 00 c2
Write_ram_28= 0000 28 02 00 00 00 a0 64
Write_hdd_28= 0000 28 01 00 00 00 a0 64
Read_ram_29_SH= 0000 29 02 00 00 00 00 c2
Read_hdd_29_SH= 0000 29 01 00 00 00 00 c2
Write_ram_29_SH= 0000 29 02 00 00 00 a0 64
Write_hdd_29_SH= 0000 29 01 00 00 00 a0 64
Read_ram_2D_FA= 0000 2D 02 00 00 00 00 c2
Read_hdd_2D_FA= 0000 2D 01 00 00 00 00 c2
Write_ram_2D_FA= 0000 2D 02 00 00 00 a0 64
Write_hdd_2D_FA= 0000 2D 01 00 00 00 a0 64
Read_ram_2E= 0000 2E 02 00 00 00 00 c2
Read_hdd_2E= 0000 2E 01 00 00 00 00 c2
Write_ram_2E= 0000 2E 02 00 00 00 a0 64
Write_hdd_2E= 0000 2E 01 00 00 00 a0 64
Read_ram_30_ZP= 0000 30 02 00 00 00 00 c2
Read_hdd_30_ZP= 0000 30 01 00 00 00 00 c2
Write_ram_30_ZP= 0000 30 02 00 00 00 a0 64
Write_hdd_30_ZP= 0000 30 01 00 00 00 a0 64
Read_ram_31_RE= 0000 31 02 00 00 00 00 c2
Read_hdd_31_RE= 0000 31 01 00 00 00 00 c2
Write_ram_31_RE= 0000 31 02 00 00 00 a0 64
Write_hdd_31_RE= 0000 31 01 00 00 00 a0 64
Read_ram_32_WE= 0000 32 02 00 00 00 00 c2
Read_hdd_32_WE= 0000 32 01 00 00 00 00 c2
Write_ram_32_WE= 0000 32 02 00 00 00 a0 64
Write_hdd_32_WE= 0000 32 01 00 00 00 a0 64
Read_ram_50= 0000 50 02 00 00 00 00 c2
Read_hdd_50= 0000 50 01 00 00 00 00 c2
Write_ram_50= 0000 50 02 00 00 00 a0 64
Write_hdd_50= 0000 50 01 00 00 00 a0 64
Read_ram_51= 0000 51 02 00 00 00 00 c2
Read_hdd_51= 0000 51 01 00 00 00 00 c2
Write_ram_51= 0000 51 02 00 00 00 a0 64
Write_hdd_51= 0000 51 01 00 00 00 a0 64
Read_ram_52= 0000 52 02 00 00 00 00 c2
Read_hdd_52= 0000 52 01 00 00 00 00 c2
Write_ram_52= 0000 52 02 00 00 00 a0 64
Write_hdd_52= 0000 52 01 00 00 00 a0 64
Read_ram_70= 0000 70 02 00 00 00 00 c2
Read_hdd_70= 0000 70 01 00 00 00 00 c2
Write_ram_70= 0000 70 02 00 00 00 a0 64
Write_hdd_70= 0000 70 01 00 00 00 a0 64

One ATA vendor specific command Reads, the other writes.

By the way regs = $00 $02 $00 $00 $0F $E0 $21 = 0000 00 02 00 00 0F E0 21


But no one will share ATA vendor-specific commands because they would render very expensive tools like PC-3000 useless. If people could replace tools that cost thousands of dollars with free MHDD commands, the sales of those expensive tools would drop. As long as the vendor-specific commands are very secret, the ones who reverse-engineer those commands into commercial tools can sell those tools to anyone in the data recovery business because there are no alternative (cheaper) tools to work with drive firmware.

Re: reading data with MHDD scripts

May 20th, 2009, 16:05

Don't expect people to SHARE those commands because their business depends on that.
You can try to figure out those commands by yourself, playing with the ones that you already have or reading the contents of the ROM on a drive PCB with a programmer, debug the code with a debugger and figure out how the drive reads the code from the platters to the drive RAM, and then get that content and reverse-engineer that ....
But it will take a lot of time. It's like re-inventing the wheel. And because of competition no one will tell you the commands on a public forum like this ....
And sometimes I get mad with answers like "It can't be done without expensive tools" also because I'm pretty sure that IT CAN BE DONE if you know the secrets ...
Remember PC-3000, Salvation, HRT, etc ... are using the same commands we are talking about here.
Difference is, they have worked hard reverse-engineering all drive models and brands in the world one by one and got those commands out.

Re: reading data with MHDD scripts

May 20th, 2009, 16:29

ok, yes I appreciate that
and wasn't expecting to get any complete list
just some hints

But would be interested in how to script whdd to write normal sectors

eg the opposite of the read first 100 sectors script mentioned at the top of this topic, and reprinted here

regs = 00 100 00 00 00 $e0 $20
waitnbsy
checkerr
checkdrq
sectorsto = lba0-99.bin

obviously need to specify the data file first (how?)
then do some regs command that specifies the location and the write

maybe sectorsfrom = xxx.bin

And yes, I know it would be easier to use a normal disk editor for the normal sectors

Re: reading data with MHDD scripts

May 20th, 2009, 16:36

If you have expended $$$$$$$$$$ on PC-3000 and if you were living because of recoveries done with that tool you would fall into one of two kinds of people:

1 - You most likely wouldn't know the commands that the software/hardware use to send the instructions to the drive, you would push some buttons and have your task done.

2 - You would find out some commands on private forums, etc .. and you would be able to build your own tools ....

Anyway, I'm pretty sure that you wouldn't like to see the same commands in the hands of other people on open forums and for free, enabling everyone to play with the firmware without having to expend the same money that you have and even worse stealing work that you could have done for high cost.


Let's not forget that :

1 - Data recovery prices are usually inside the $500 - $2500 range

2 - "Data recovery experts" or "Gurus" use this forum to get in contact by PM with people that post problems here, quoting money for solving the problem .... so yes, for many people even inside the DR business this forum is a way to get some extra money from users that are in need of the data.

Would you expect that people (experts) that are using this forum in the background to fill their pockets would share really useful knowledge for free and in public?

I think you already have the answer.....

It's the kind of thing that you only don't see if you don't want to see.

Re: reading data with MHDD scripts

May 20th, 2009, 17:32

Hi Spildit,

I think you overglorify some DR companies, they often just buy vendor commands.
Except for a few recent drives you could, with time and trust get just about all
the commands needed to produce your own DR bundle.

Maybe BlackST will pm you some nice code :lol: for free I would hope.

Re: reading data with MHDD scripts

May 20th, 2009, 18:47

ok
I wasn't asking for the special write commands to SA areas [yet :-) and know they are specific to particular drives and models]
I was just asking if mhdd has a way of writing normal sectors
to do the opposite of the normal read

eg the opposite of the read first 100 sectors script mentioned at the top of this topic, and reprinted here

regs = 00 100 00 00 00 $e0 $20
waitnbsy
checkerr
checkdrq
sectorsto = lba0-99.bin

Re: reading data with MHDD scripts

May 20th, 2009, 19:08

The script I posted isn't anything secret... its just a standard ATA command.

Re: reading data with MHDD scripts

May 20th, 2009, 19:29

$20 is ATA read sectors (pio mode)

the equivalent write sectors is $30

$e0 is STANDBY IMMEDIATE


So we just need to know if mhdd has a way to fill its internal buffer first with specified data
(something like sectorsfrom ==xxx.bin)
then presumably

regs = 00 100 00 00 00 $e0 $30
waitnbsy
checkerr
checkdrq

Re: reading data with MHDD scripts

May 20th, 2009, 19:35

ATA Read Sector is $20
ATA write is $30

But on our little script to read SA from WD, we have $21 when reading module ....
If we manage to fill it in the buffer maybe we can try to write it back with $31 ???

Re: reading data with MHDD scripts

May 21st, 2009, 4:45

Looks like mhdd does have a SECTORSFROM command

so I'll try it out (probably tomorrow)

Re: reading data with MHDD scripts

May 21st, 2009, 8:42

www.elektroda.pl/rtvforum/topic1180059.html

Re: reading data with MHDD scripts

May 21st, 2009, 12:23

Thank you, Derp.

Re: reading data with MHDD scripts

May 26th, 2009, 14:32

Just to confirm you can write (to normal sectors)(the first 100 sectors here) with

regs = 00 100 00 00 00 $e0 $30
waitnbsy
checkerr
checkdrq
sectorsfrom = lba0-99.bin

The sectorsfrom has to be *after* the checkdrq

It uses sector numbering starting from 0 (ie LBA)

If you want to write 2 sectors at LBA 1, the regs command is
regs = 00 02 01 00 00 $e0 $30

Not sure what the first 00 is, maybe some lead-in meaning normal cmds not special ones
But when I put the 01 there initially as a test it 'ignored' it and still worked

Re: reading data with MHDD scripts

May 26th, 2009, 15:21

regs fields for normal read/write
1st - 00 ? (to be determined)
2nd - size in sectors (use 00 for 256 sectors)
3rd - LBA (lowest byte, 0- 255 decimal)
4th - LBA second lowest byte
5th - LBA third lowest bytes
6th - $E0 standby immediate
7th - $20 read, $30 write

can only do 24bit LBA addressing ie max 16million sectors = 8GB

Looks like there is also a regs48 command, which presumably can do 48 bit LBA's

Re: reading data with MHDD scripts

May 26th, 2009, 16:14

PDFs outlining the whole of standard ATA command use are freely available out there on the 'net.

Re: reading data with MHDD scripts

May 27th, 2009, 12:37

Indeed, the ATA command spec and codes are available on the Web
But few new visitors to this site know how to apply them to the MHDD scripts, until now

The seven bytes of the regs are as follows
(and their names are derived from the original CHS terminology)
F (or FR) Features
SC Sector Count (0=256 sectors)
SN (or LL) Sector Number (or LBA low byte)
CL (or LM) Cylinder Low
CH (or LH) Cylinder High
DH Device/Head
CMD

(nb some terminology writes them in the opposite order, with CMD first)

I was wrong about the DH one ($E0 in my examples)
It contains the bit specifying LBA mode, and also contains the highest LBA bits 27:24
for the full 28 bit LBA addressing = 128GB aka '137GigaBytes'
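
The register layout described in this post, and the 256-sector chunking asked about in the first post, as an added example that is not part of any forum post or of MHDD itself. It assumes, from the thread's own scripts, that `$xx` tokens are hex and bare tokens are decimal; the function names are hypothetical, and it only generates read lines and flags anything that would write.

```python
# Added example: decode/encode the 7-byte MHDD "regs" line as an ATA LBA28 taskfile.
# Assumption from the thread: "$xx" tokens are hex, bare tokens are decimal.
KNOWN = {0x20: "READ SECTORS (PIO)", 0x30: "WRITE SECTORS (PIO)"}  # codes named in the thread

def _tok(t):
    return int(t[1:], 16) if t.startswith("$") else int(t, 10)

def decode_regs(line):
    """Parse 'regs = F SC SN CL CH DH CMD' into named fields."""
    vals = [_tok(t) for t in line.partition("=")[2].split()]
    if len(vals) != 7 or any(not 0 <= v <= 0xFF for v in vals):
        raise ValueError("regs needs exactly seven byte values: %r" % line)
    feat, sc, sn, cl, ch, dh, cmd = vals
    return {
        "features": feat,
        "count": sc or 256,                      # SC = 0 means 256 sectors
        "lba_mode": bool(dh & 0x40),             # DH bit 6 selects LBA addressing
        "lba": ((dh & 0x0F) << 24) | (ch << 16) | (cl << 8) | sn,  # bits 27:24 live in DH
        "command": KNOWN.get(cmd, "unrecognised 0x%02X, review before running" % cmd),
        "writes": cmd == 0x30,                   # flag destructive lines before a script is run
    }

def encode_read(lba, count):
    """Build the regs line for one PIO read of 1..256 sectors at a 28-bit LBA."""
    if not (0 <= lba < 1 << 28 and 1 <= count <= 256 and lba + count <= 1 << 28):
        raise ValueError("outside LBA28 range or more than 256 sectors")
    dh = 0xE0 | (lba >> 24)                      # 0xE0 = LBA bit set, device 0, as in the thread
    return "regs = 00 %02d %02d %02d %02d $%02x $20" % (
        count % 256, lba & 0xFF, (lba >> 8) & 0xFF, (lba >> 16) & 0xFF, dh)

def chunked_reads(start, total):
    """Split a long read into <=256-sector commands, one regs line each."""
    out = []
    while total > 0:
        n = min(256, total)
        out.append(encode_read(start, n))
        start, total = start + n, total - n
    return out
```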

Re: reading data with MHDD scripts

May 29th, 2009, 17:55

http://yura.projektas.lt/KALB/pol/info/SA.html
http://yura.projektas.lt/files/wd/hddlsct/index.html
http://yura.projektas.lt/files/wd/mhdd/index.html
http://yura.projektas.lt/files/wd/mhdd/wd_royl_rom.html
http://yura.projektas.lt/lit/WD64.html