Hello,

I have been experimenting with a Maxtor Calypso III. I would like to examine the SA and P-list, G-list. I want to know about the sectors that have been reallocated and whether they are in the same area or are sparsely scattered around the media.

I'm sure that nobody here who knows will tell me exactly how to do that, I have seen how people who don't want to think are treated here.

Where should I start looking for vendor specific commands? Do they generally have the same register format as the standardized commands and make use of one or more undefined opcodes (bottom byte of 'input' feature/count/address/command stack)?

How does the safe mode come into play with these operations? I tried the safe mode to investigate. It looks to me that this allows you to stop the 'bootloader' during the initialization process, maybe you can manipulate memory or diddle with hardware; after sending 'identify device' the disk appeared to act normally but I wasn't able to tell if anything is different.

Maybe if u think hard enough u might find the answer of what u are looking for.....maybe.......who knows....

What tools do you have?

Hi fistron,

Just think about your question - you want to examine P-List and G-List and SA.
You correctly identified that some type of vendor command is required.
Vendor commands exist in every data recovery program - protected I guess.

All over internet and at hddguru files download section you can find zillions
of data files of "modules" for various Maxtor drives including your Calypso you seek.

So for free and without vendor commands you can get plenty "G-Lists" and "P-Lists"
and more cause these files already created for you with vendor commands.

So, from these defect lists you want to find out where these defects are located.
Well, maybe someone who has time can send you G-List and P-List of some Calypso,
and then maybe they can also send you some listings of LBA locations or maybe CHS
of the defects matching the "G-List" and "P-List" modules - All for free.

So once you got linear list of defects you could figure out how the "modules"
represent the defects in hexadecimal notation, if you like.

Hope this helps in your research - hope you feel treated like a thinking person.

I love reverse engineering LOL... Anyway it's not matter only of ata v.u. Cmd's.

Interesting. Are you trying to find data that has been re-allocated to spare sectors?

Spare sectors are usually in the same place as a chunk of spares. When re-allocated the drive will skip the original defective location and seek to and use the spare LBA. You can see this as a slight increase in read access time.

It's easy to find data in "G Defects" when the disk drive is apparently empty or security erased (For Maxtor Anyway)

_________________
All went well until I plugged the drive in.

The trouble is G defects are usually defective. The slight decrease in access time is caused by the add of seek time to the "spare".
But if you move G to P.... ... An easy task : How translator works ? (Oh , I must stop teaching, it's a kind of fixation to me... )

Thanks for the replies. I don't have any pro data recovery tools. I can bit bang the ATA bus, though.

I have a lot of ideas about the G-list. Aside from translating them into physical locations so I can find out more about the media damage, I would like to see if large operations involving a G-list spot can be made faster by growing the G-list, by defecting all cylinders in an entire physical track instead of just one hard sector.

And reading data hidden by the G-list (it's probably not wiped with SECURE ERASE) is interesting too, I wonder if I have to take them out of the G-list or if there is a special read sector command that will allow direct addressing without going through the translation/mapping routines in the disk firmware.

So. I'm wondering about how to find the vendor specific commands. I identified 29 command bytes that are possibly implemented as vendor specific. Surely, not all of them are. Probably, Maxtor uses a group of opcodes that are next to each other. Maybe 0x8x is a good place to start.

In the case that some of the vendor commands work like ie. the SMART (0xB0) command where the feature byte is used along with the command byte to complete the command, this could take a long time to figure out.

So I'm thinking of scanning these for results with only the command byte set and all other bytes cleared to 00 (feature, address.) Maybe, I will get lucky, and if I stumble on some kind of write command, it won't do anything bad to write 0 sectors to LBA 0. Maybe I will not be so lucky and will format the SA by looking for commands.

I will have to look at the results very carefully to see if any hints are returned in the status register to help determine if a command byte deserves further investigation. Probably, an unimplemented command will come back with ABRT high. If I send a "supported" command with bad arguments, I hope something else will happen, like another error bit, so these can be differentiated.

I have found other 'undocumented' commands in protocols by pushing the object through IDA. A tool like that makes it pretty easy to find the branching structure of the command processor. Since the device responds to the ATA bus in safe mode, the bootloader must have a command processor. I wonder if this ARDENT chip, obviously an ASIC/SoC, uses a "common" processor core...

At last someone who loves experimenting and doing interesting things : keep on , fistron, you're not alone.
Anyway don't worry you'll never format SA by a chance.
The relocation process is something more complex than what you figured out, and anyway the tiny ARDENT chip is very powerful, and very powerful is the software in the modules too (as I have seen , in Maxtor the selfscan software is a masterpiece, probably in my opinion is surpassed only by SAMSUNG - anyway Samsung drives are more complex and "fine" in their structure).
In Maxtor the translator is capable of handling defect in a very intelligent way, by itself.
Also, the boot loader process is different and varies across drive families.
If you want, contact me via PM. I have done R&D on many brands to build up proprietary solutions for SA access and data recovery purpose. I want to have conversations peer to peer with tech people rather than power users of commercial solutions - many perople here know who I am, what I do and what I think.
Regards !