------------------------------------------------------------------------------------------------
Western Digital
------------------------------------------------------------------------------------------------

First what is known is that many Western Digital HDD can be unlocked.
Method download MHDD bootable disc.
Run these scripts.... To test:
;script name: read md
;reads md 02 on WD marwell drives
;
reset
waitnbsy

regs = $45 $0b $00 $44 $57 $a0 $80
waitnbsy

regs = $d6 $01 $be $4f $c2 $a0 $b0
waitnbsy
checkdrq
sectorsfrom = cs.bin

regs = $d5 $01 $bf $4f $c2 $a0 $b0
waitnbsy
checkdrq
sectorsto = 21.bin

regs = $d5 $01 $bf $4f $c2 $a0 $b0
waitnbsy
checkdrq
sectorsto = 22.bin

; end

OR THIS SCRIPT

; rm modul id 42
reset
waitnbsy
regs = $57 $44 $43 $00 $00 $a0 $8a
waitnbsy
regs = $00 $02 $00 $00 $0F $E0 $21
waitnbsy
checkdrq
sectorsto = 42.bin
; End.

You will look for a dump with info similar to this reply below:

The script worked perfectly! While the ones at this page didn't work for much:
http://yura.projektas.lt/files/wd/mhdd/index.html

Some hitches:
Had to set BIOS to IDE->Enhanced -> Native, and things worked. Didn't like IDE in flat out compatibility mode, and AHCI bombed horribly. (Board is non-public Intel 975x chipset w/ very weird BIOS options for IDE/SATA)

Also, after much tearing out of hair, I just got to the point of booting off CD (which sadly is PATA) and running the older MHDD off a usb flash drive (seen by system as C:, heh).

The end result was that I was able to very happily remove a password on a drive; this drive I've had for a long time. No interesting data on it; just kept in case 'some day' I found a way to deal with it. (Actually, figured from what I'd read before, that at some point, I could just reformat the drive and have a spare, but this was way more fun.)

For people interested, the first post is with a password (NOT the original: I set this one, and it'll be exactly obvious, especially if anyone happens to enjoy the movie reviews from spill.com (watch on youtube, less annoying than loading their site!) but even if not, it'll be absolutely obvious):
Code:
00000000 FA 00 00 01 0E 00 00 00 02 02 00 0F 32 0C CA FA ............2...
00000010 0A 32 0A 01 41 46 05 01 00 00 20 00 64 00 00 01 .2..AF.... .d...
00000020 60 02 12 00 22 00 0A 00 00 00 00 00 00 00 00 00 `..."...........
00000030 00 00 00 01 E0 01 0F 0F 01 02 02 0A 01 02 00 02 ................
00000040 02 06 01 00 FF FF 02 03 50 01 1E 01 01 01 04 40 ........P......@
00000050 0B 00 01 00 00 00 00 05 00 00 00 00 00 FF FF 00 ................
00000060 00 00 00 12 0A 12 00 00 00 05 00 00 00 00 00 1E ................
00000070 00 00 00 00 00 00 00 00 00 4D 00 24 00 07 00 12 .........M.$....
00000080 00 00 00 00 0E 00 00 00 00 00 00 00 01 00 00 00 ................
00000090 00 00 00 07 00 01 02 0D 00 00 00 00 00 00 00 00 ................
000000A0 00 01 03 00 03 01 01 01 00 00 00 00 00 00 00 00 ................
000000B0 00 00 00 00 00 01 57 44 43 20 57 44 36 30 30 42 ......WDC WD600B
000000C0 45 56 53 2D 32 32 52 53 54 30 20 20 20 20 20 20 EVS-22RST0
000000D0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
000000E0 20 20 00 00 00 00 00 00 00 01 53 7C 42 7C 4C 7C ........S|B|L|
000000F0 50 4D 4D 53 48 47 43 55 52 48 56 42 4B 47 55 4A PMMSHGCURHVBKGUJ
00000100 00 20 20 20 20 20 20 20 20 20 20 20 20 20 30 35 . 05
00000110 2D 30 35 2D 32 30 30 37 00 00 00 00 00 00 00 00 -05-2007........
00000120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000130 00 00 00 00 00 01 07 00 53 4F 4D 45 4F 4C 45 42 ........SOMEOLEB
00000140 55 4C 4C 53 48 49 54 00 00 00 00 00 00 00 00 00 ULLSHIT.........
00000150 00 00 00 00 00 00 00 00 57 44 43 57 44 43 57 44 ........WDCWDCWD
00000160 43 57 44 43 57 44 43 57 44 43 57 44 43 57 44 43 CWDCWDCWDCWDCWDC
00000170 57 44 43 57 44 43 57 00 08 00 FE FF 00 00 00 00 WDCWDCW.........
00000180 00 01 30 00 00 05 00 64 00 14 20 32 00 00 00 0F ..0....d.. 2....
00000190 00 01 02 00 40 00 2C 01 32 00 20 00 55 FF 00 00 ....@.,.2. .U...
000001A0 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001B0 00 00 00 00 00 00 00 00 00 00 00 00 58 58 58 58 ............XXXX
000001C0 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
000001D0 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
000001E0 58 58 58 58 58 58 58 58 58 58 58 58 01 01 01 01 XXXXXXXXXXXX....
000001F0 01 00 00 00 00 00 00 00 00 01 0A 00 31 00 00 01 ............1...

Note byte at offset 137, now look at password cleared:
Code:
00000000 FA 00 00 01 0E 00 00 00 02 02 00 0F 32 0C CA FA ............2...
00000010 0A 32 0A 01 41 46 05 01 00 00 20 00 64 00 00 01 .2..AF.... .d...
00000020 60 02 12 00 22 00 0A 00 00 00 00 00 00 00 00 00 `..."...........
00000030 00 00 00 01 E0 01 0F 0F 01 02 02 0A 01 02 00 02 ................
00000040 02 06 01 00 FF FF 02 03 50 01 1E 01 01 01 04 40 ........P......@
00000050 0B 00 01 00 00 00 00 05 00 00 00 00 00 FF FF 00 ................
00000060 00 00 00 12 0A 12 00 00 00 05 00 00 00 00 00 1E ................
00000070 00 00 00 00 00 00 00 00 00 4D 00 24 00 07 00 12 .........M.$....
00000080 00 00 00 00 0E 00 00 00 00 00 00 00 01 00 00 00 ................
00000090 00 00 00 07 00 01 02 0D 00 00 00 00 00 00 00 00 ................
000000A0 00 01 03 00 03 01 01 01 00 00 00 00 00 00 00 00 ................
000000B0 00 00 00 00 00 01 57 44 43 20 57 44 36 30 30 42 ......WDC WD600B
000000C0 45 56 53 2D 32 32 52 53 54 30 20 20 20 20 20 20 EVS-22RST0
000000D0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
000000E0 20 20 00 00 00 00 00 00 00 01 53 7C 42 7C 4C 7C ........S|B|L|
000000F0 50 4D 4D 53 48 47 43 55 52 48 56 42 4B 47 55 4A PMMSHGCURHVBKGUJ
00000100 00 20 20 20 20 20 20 20 20 20 20 20 20 20 30 35 . 05
00000110 2D 30 35 2D 32 30 30 37 00 00 00 00 00 00 00 00 -05-2007........
00000120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000130 00 00 00 00 00 01 01 00 00 00 00 00 00 00 00 00 ................
00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000150 00 00 00 00 00 00 00 00 57 44 43 57 44 43 57 44 ........WDCWDCWD
00000160 43 57 44 43 57 44 43 57 44 43 57 44 43 57 44 43 CWDCWDCWDCWDCWDC
00000170 57 44 43 57 44 43 57 00 08 00 FE FF 00 00 00 00 WDCWDCW.........
00000180 00 01 30 00 00 05 00 64 00 14 20 32 00 00 00 0F ..0....d.. 2....
00000190 00 01 02 00 40 00 2C 01 32 00 20 00 55 FF 00 00 ....@.,.2. .U...
000001A0 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001B0 00 00 00 00 00 00 00 00 00 00 00 00 58 58 58 58 ............XXXX
000001C0 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
000001D0 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 XXXXXXXXXXXXXXXX
000001E0 58 58 58 58 58 58 58 58 58 58 58 58 01 01 01 01 XXXXXXXXXXXX....
000001F0 01 00 00 00 00 00 00 00 00 01 0A 00 31 00 00 01 ............1...


To make it very clear, as far as I see, the only changes, are these (first password, than unlocked):
Code:
00000130 00 00 00 00 00 01 07 00 53 4F 4D 45 4F 4C 45 42 ........SOMEOLEB
00000140 55 4C 4C 53 48 49 54 00 00 00 00 00 00 00 00 00 ULLSHIT.........

Code:
00000130 00 00 00 00 00 01 01 00 00 00 00 00 00 00 00 00 ................
00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................


This might be useful to someone else to do something? I wish I knew a lot more, like how to dump the whole firmware; none of the tools like marv_fl.com work when the drive's attached to SATA (on this system, anyway) and it's been too long since I did a COM file to quickly fix it. (For that system, port 0xFC00 for beginning IO, and 0xF882 (I think) for control). Would really love to know what the bytes in the feature register do in the mhdd script for this, and if there's a way of specifying reading more than a sector at a time.

Anyway, this forum rules... thank you to the people here who post helpful stuff, instead of just telling people they don't need to know. For me, I didn't have to have this drive's password cleared, but it's really neat to have done so!

Look at EC command - even hdd passport was not read. Software cannot work in this case, as it cannot make you a sandwitch.
http://yura.projektas.lt/files/wd/royl_mhdd.html - first movie for disbelievers - works 100%.

unlock WD (WDC,MARVEL,ROYL) ->
http://ng.uber.lt/#comp.hardware/415673 ... hdd-pamiro
http://yura.projektas.lt/files/wd/zu.zip

i was stuck with the same problem which i solve on a WDC2500bevt
just a quick list of master pwd i found on my travels

WDCWDCWDCWDCWDCWDCWDCWDCWDCWDCW <----THIS ONE WORKED FOR ME
WDCWDCWDCWDCWDCWDCWDCWDCWDCWDCWD
&'()*.WDCWDCWDCWDCWDCWDCWDCWDCWDCWDCWD
h2oinsyde <-----for acer drive(but not mine)

-------------------------------------------------------------------------------------------------
SEAGATE
-------------------------------------------------------------------------------------------------

Seagate requires a terminal and a special cable to unlock there hard drives supposedly
quoted from a user

NEED TO ADD MORE INFO

-------------------------------------------------------------------------------------------------
Samsung
-------------------------------------------------------------------------------------------------
No info searched none available

-------------------------------------------------------------------------------------------------
Toshiba
-------------------------------------------------------------------------------------------------
No info searched none available

-------------------------------------------------------------------------------------------------
Hitachi
-------------------------------------------------------------------------------------------------
HDD Spaz is right, "probes" are required for unlocking with PC3000.

Or there is another method using Factory mode, but that involves removing the PCB and other stuff.

Either way it's certainly gonna cost much more than the $40-50 a new drive would cost.



Probes was used on Hitachi drives as a part of the method of password removal, but advances in understanding of microcode in the NV-RAM make the probes redundant.

the probe in the photos looks like it is one for the Hitachi 3.5 inch drives as issued with PC3000 so yes, it is the $$$ equipment .

Yes, I must admit we don't get many password locked Hitachi HDD's in nowadays, and we did used to use probes with PC3000 to unlock them. Now we simply overwrite the SA-A copy of the security module with the factory one from SA-C. This of course involves changing the NVRAM on the PCB to make it into "Safe Mode".

Seems like someone must be doing there homework!

My own theory and speculation before I read this:

Now I know if hitachi hard drives can be unlocked via a 9000.00 piece of equipment called PC-3000 we also can do it with something readily available to the general public.

It appears that they use a "Probe" which may just be some hardware hack or jumper to cause password flag to be erased when certain code is sent to the drive the force the execution of this code by either applying power or resistance or simply jumping these two pads.

How I think it works:

The probe causes a write flag to be set and allows the password to get over written with a new one or maybe the write head is forced to confirm password from a different location on the hard drive when this jumper is enabled a writeable area thus when request to unlock is preformed the fake location is read password is correct and lock flag gets removed.

Tools needed for testing:
P4 PC with ide drive.
Ultimate boot disk
2.5 to 3.5 ide adapter.
toggle switch
Jumper wire

Hook up toggle switch to 5v power so you can power off and on your hard drive manually maybe a
10k pot in line to mess with voltage if need be as a sort of causing a write error.

Hook up drive to PC as the only hard drive on primary and a cd/dvd/bd rom drive on secondary ata.

Set bios to boot from CD first.

Insert ultimate boot cd and load ata password utility on there.

Now we can send info and power down set jumper and power up. If done right we may be able to overwrite the password.

Use this as a guideline for unlocking!
http://www.youtube.com/watch?v=X5UczkKoi20

Download this video entering in the above address at http://www.keepvid.com
Any hardware gurus out there with locked hdd's?

UPDATE:

It appears the probe is more then just a jumper though appearntly it is a method to cause
some read write channel failure...

*bleeping* mint mate! - so far the best free info on this forum like!

_________________
It seems that the unluckiest people in the world are those that don't backup.
Free Solutions
Picasaweb- Pictures and movies | Dropbox - Documents and other..

The more this type of information is made public the more the manufacturers will work to obsolete it and make the new design much harder to figure out. Sharing it is one thing but making it google-searchable on a public forum is a whole other thing.

_________________
You don't have to backup all of your files, just the ones you want to keep.

This is how it starts and most usually, this is how it ends
re-posting some info w/o even understanding how it works
I believe this is ten-year-old-info which was re-posted hundreds of times

_________________
SAN, NAS, RAID, Server, and HDD Data Recovery.

Great plagiarism! If you want to have a lot of fun try changing this section

regs = $d6 $01 $be $4f $c2 $a0 $b0
waitnbsy
checkdrq
sectorsfrom = cs.bin

to

regs = $00 $01 $00 $00 $00 $e0 $30
waitnbsy
checkdrq
sectorsfrom = cs.bin

I might have a typo in there, so use at your own risk!

I wonder if there is such a thing as being "Search box handicapped". Bleepy bleep bleep...

_________________
Buy your friends Toshiba\Hitachi and your enemies Seagate.

No comment but that made me laugh a bit ..

btw. what search box? hahaha

_________________
It seems that the unluckiest people in the world are those that don't backup.
Free Solutions
Picasaweb- Pictures and movies | Dropbox - Documents and other..

My first reaction was this was just cut and paste from elsewhere
Followed by more interesting cut and paste that I hadnt seen before (eg relating to the Hitachi probes)

However I guess that was the whole point
ie to try to consolidate the information in on place

I'll add some info if / when I learn anything useful

Oy yoi yoi yoi yoi, I thought this forum had made some progress this month - Ah well - double recession.

I will neglect to acknowledge the attempts to thwart the efforts of public release that is unless of course someone gives me a private location where such information can be found

I do not wish for anyone to go broke or for things to get harder but am left without a choice when you have hard drives costing 50 dollars and people charging that same amount to unlock the drive it leaves the average person with little or no option but to move forward. Sorry if I hurt the site the sponsors or anyone else in the process but it is impossible currently to unlock ATA passwords on hitachi drives without the cost being near the cost of the drive or more!

So in moving forward I just thought I may share what I can in hopes that others will too share a little if anything there is more to gain by them upping there technology and once again seeing its demise cause it is simply a race to the finish then.

So let us continue:

----------------------------------------------------------------------------------------------------
User based claim
----------------------------------------------------------------------------------------------------
Quote from another website:
"a user claimed that he could unlock his hard drive by setting a new password with a medallion bios he simply took the hard drive out during boot plugged it back in and set the password upon doing so he was able to unlock his drive..."

Now as I recall medallion bios is older and don't hear of much of them anymore so it might have been doable with older drive technology I am not 100% sure if this will work and is also cited to possibly cause damage to the drive or the motherboard. I have tested not causing any damage yet just simply hot swapping while in drdos but I make no promises.


-----------------------------------------------------------------------------------------------------
Unlocking archos due to firmware failure. Note Toshiba and Fujitsu
-----------------------------------------------------------------------------------------------------
Windows/DOS unlock

Note: This requires taking the Archos apart, which will void your warranty!

1. Grab atapwd (written by Alex Mina)
2. Create a bootable DOS floppy disk, and put atapwd.exe on it
3. Remove the harddisk from your Archos and plug it into a laptop (or a standard PC, using a 3.5" => 2.5" IDE adapter)
4. Boot from the floppy and run atapwd.exe
5. Select the locked harddrive and press enter for the menu
6. For Fujitsu disks: Choose "unlock with user password", then "disable with user password". The password is empty, so just press enter at the prompt.
7. For Toshiba and Hitachi disks, if the above doesn't work: Choose "unlock with master password", then "disable with master password". The password is all spaces.
8. Your disk is now unlocked. Shut down the computer and remove the disk.

Big thanks to Magnus Andersson for discovering the Fujitsu (lack of) user password!

There is also a program for win32, ArchosUnlock.exe, that creates a linux boot disk with the below mentioned patched isd200 driver.
Linux unlock

For those of us using Linux, we have written an isd200 driver patch for unlocking the disk. This modified driver will automatically unlock the disk when you connect your Archos via USB, so you don't have to do anything special. Apply the patch to a 2.4.18 linux kernel tree.
Still locked?

If the above suggestions don't work, here's some background info about the disk lock feature:

The disk lock is a built-in security feature in the disk. It is part of the ATA specification, and thus not specific to any brand or device.

A disk always has two passwords: A User password and a Master password. Most disks support a Master Password Revision Code, which can tell you if the Master password has been changed, or it it still the factory default. The revision code is word 92 in the IDENTIFY response. A value of 0xFFFE means the Master password is unchanged.

A disk can be locked in two modes: High security mode or Maximum security mode. Bit 8 in word 128 of the IDENTIFY response tell you which mode your disk is in: 0 = High, 1 = Maximum.

In High security mode, you can unlock the disk with either the user or master password, using the "SECURITY UNLOCK DEVICE" ATA command. There is an attempt limit, normally set to 5, after which you must power cycle or hard-reset the disk before you can attempt again.

In Maximum security mode, you cannot unlock the disk! The only way to get the disk back to a usable state is to issue the SECURITY ERASE PREPARE command, immediately followed by SECURITY ERASE UNIT. The SECURITY ERASE UNIT command requires the Master password and will completely erase all data on the disk. The operation is rather slow, expect half an hour or more for big disks. (Word 89 in the IDENTIFY response indicates how long the operation will take.)

Anyone else with 50dollar paperweights care to join in the discussions

If you a person who wants to unlock a drive and you reading this "manual" and it didn't work for you I guess you have full right to ask WTF? and blame infringer for this info

Also if you some how damaged a drive using this info I encourage you to consider infringer fully responsible for this

_________________
SAN, NAS, RAID, Server, and HDD Data Recovery.

List of ATA Master passwords to try:
-------------------------------
Ferreted this out after some hours of web searching, guess I can spare you the same trouble

If you find this stuff useful, please do leave a comment, “hi, it worked” is enough.

(nb: see my previous post for unlocking instructions)

SEAGATE -> “Seagate” +25 spaces

MAXTOR
series N40P -> “Maxtor INIT SECURITY TEST STEP ” +1 or +2 spaces
series N40P -> “Maxtor INIT SECURITY TEST STEP F”
series 541DX -> “Maxtor” +24 spaces
series Athena (D541X model 2B) and diamondmax80 -> “Maxtor”

WESTERN DIGITAL -> “WDCWDCWDCWDCWDCWDCWDCWDCWDCWDCWD”

FUJITSU -> 32 spaces

SAMSUNG -> “ttttttttttttttttttttttttttttttttt” (32 times t)

IBM
series DTTA -> “CED79IJUFNATIT” +18 spaces
series DJNA -> “VON89IJUFSUNAJ” +18 spaces
series DPTA -> “VON89IJUFSUNAJ” +18 spaces
series DTLA -> “RAM00IJUFOTSELET” +16 spaces
series DADA-26480 (6,4gb) -> “BEF89IJUF__AIDACA” +15 spaces

HITACHI series DK23AA, DK23BA and DK23CA -> 32 spaces

TOSHIBA -> 32 spaces

For xbox hdds try “XBOXSCENE” or “TEAMASSEMBLY” too

Some of this information deserves credit given to Doomer..

Funny he should hold me responsible

And for the rest of the people out there this is untested and is not a full guide it is simply information collection!

EULA of the entire thread

Warning! :
This information in this post is to be considered for informational purpose. I am not responsible for people losing there data due to attempts so please only use drives for testing that are not important as you may possibly loose your drive or your data or both!

By reading or attempting anything in this thread not just this post you are agreeing to these terms...

Also I may update this whenever I please just like M$ does as they please!

And as far as plagiarism I consider me a news reporter I am just here reporting news folks old news and hopefully new news.

So stay tuned!

Pin 1 Reset
Pin 2 Ground
Pin 3 Data 7
Pin 4 Data 8
Pin 5 Data 6
Pin 6 Data 9
Pin 7 Data 5
Pin 8 Data 10
Pin 9 Data 4
Pin 10 Data 11
Pin 11 Data 3
Pin 12 Data 12
Pin 13 Data 2
Pin 14 Data 13
Pin 15 Data 1
Pin 16 Data 14
Pin 17 Data 0
Pin 18 Data 15
Pin 19 Ground
Pin 20 Key or VCC_in
Pin 21 DDRQ
Pin 22 Ground
Pin 23 I/O write
Pin 24 Ground
Pin 25 I/O read
Pin 26 Ground
Pin 27 IOCHRDY
Pin 28 Cable select
Pin 29 DDACK
Pin 30 Ground
Pin 31 IRQ
Pin 32 No connect
Pin 33 Addr 1
Pin 34 GPIO_DMA66_Detect
Pin 35 Addr 0
Pin 36 Addr 2
Pin 37 Chip select 1P
Pin 38 Chip select 3P
Pin 39 Activity
Pin 40 Ground

This is the full pinout of the ribbon cable from wiki.

how to determine pin number use this picture as an example:

http://upload.wikimedia.org/wikipedia/c ... A_Plug.svg

Well, maybe I said "this is a hammer" a long time ago but I didn't say "this is how you hit a person with this hammer"
You are saying "this is a hammer and this is how you can hit a person with this hammer, I didn't try it myself but if you tried and liked the result, make me look cool here"
I'm just wondering what would you do with somebody who didn't like "the result"


I know one source which publishes unproved information, I believe such a source called "yellow press", think about it Mr. Reporter

_________________
SAN, NAS, RAID, Server, and HDD Data Recovery.

Doomer,

I am happy you took the time out to drop lines...

It tells me that you did have time for one to read this and time to say something.

Being that you have had this time, I don't think I am wrong in saying if you allow people to hit someone with a hammer and are a party to the act just knowing and saying nothing could suffer close if not the same consequences... BTW love the hammer analogy.

Care to give any direction beyond what is posted I am all ears after all my partner in crime I believe you are just itching to share some of that wealth of knowledge and not allow such a hit and run on your hddguru family...

You obviously don't understand the fact that people can severely hose their drive by trying these things. Do you understand what the binary files and at a commands are doing to the drive? If so, you know how easy it is for someone to mess it up. Fat finger a command and poof.

While doomer did post some information in the past, your repost loses the original context. It is better for people to post and read prior to "playing"

OP did give a warning.



I read and agree.

@phishin_ca
Care to explain what exactly do these do? Obviously you are in the know

It is an exampole of what you should not do. I think you gave a good example of why this is dangerous. First, it will do nothing to a locked drive. The command will just abort. If you take a moment to review the mhdd scripting language and the ata spec, it will become very obvious what it does to an unlocked drive.