View topic - WD2000JD problem

Main » Forums home » Conventional hard drives

All times are UTC - 5 hours [ DST ]

WD2000JD problem

Page 3 of 18

[ 351 posts ]

Go to page Previous 1, 2, 3, 4, 5, 6 ... 18 Next

Previous topic | Next topic

Author

Message

Spildit

Post subject: Re: WD2000JD problem

Posted: March 5th, 2013, 20:01

Joined: December 19th, 2006, 8:49
Posts: 11038
Location: Portugal

Please also post the ROM dump for your drive. Just to take a look at it.

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.

Top

louis

Post subject: Re: WD2000JD problem

Posted: March 5th, 2013, 20:24

Joined: August 22nd, 2011, 15:43
Posts: 214
Location: Romania

Here-s the dump made from my evolving app. Its identical with the one from wdr.

Very little compression...for the rar compared to .bin I see. I wonder what's the compression alg. inside the rom file...

Definitely there must be a loader builtin MCU which ...unpack and loads the ROM to RAM.

Is there a way to test the RAM?

Attachments:

buccanan.zip [125.55 KiB]
Downloaded 366 times

Top

Spildit

Post subject: Re: WD2000JD problem

Posted: March 5th, 2013, 20:47

Joined: December 19th, 2006, 8:49
Posts: 11038
Location: Portugal

Download Sediv from here :

http://sediv2008.narod.ru/

Utility can work with WD too, maybe it can give you more clues about the working of WD drives.

With that you can "Create LDR" that is the loader file. With that file you can put the drive in "Safe Mode" and load that file to the drive to make it work.
In your case you will not be able to do so because drive is damaged and can't read SA from platters.

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.

Top

Spildit

Post subject: Re: WD2000JD problem

Posted: March 5th, 2013, 20:57

Joined: December 19th, 2006, 8:49
Posts: 11038
Location: Portugal

WDC WD3000JB-00KFA0-08-05J08-WD-WCAMR3501171

ROM attached

Just for comparing purpose.

Attachments:

ROM.zip [125.81 KiB]
Downloaded 362 times

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.

Top

louis

Post subject: Re: WD2000JD problem

Posted: March 5th, 2013, 21:01

Joined: August 22nd, 2011, 15:43
Posts: 214
Location: Romania

Spildit wrote:

WDC WD3000JB-00KFA0-08-05J08-WD-WCAMR3501171

ROM attached

Just for comparing purpose.

If you believe me I have that rom on my desktop. Looked at it few days ago. :lol:

As for sediv..it doesn't start on Hiren's XP nor my default OS w7

Top

Spildit

Post subject: Re: WD2000JD problem

Posted: March 5th, 2013, 21:14

Joined: December 19th, 2006, 8:49
Posts: 11038
Location: Portugal

Well, when the donor to your damaged drive arrives you will be able to test some more

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.

Top

Spildit

Post subject: Re: WD2000JD problem

Posted: March 7th, 2013, 18:43

Joined: December 19th, 2006, 8:49
Posts: 11038
Location: Portugal

So -- any more news or still waiting for donor drive to arrive ?
And what do you think about this ?

wd5000aaks-00v1a0-crash-t25446-40.html#p171505

Maybe you can assist us further with your knowledge and research.
Thanks.

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.

Top

louis

Post subject: Re: WD2000JD problem

Posted: March 7th, 2013, 20:53

Joined: August 22nd, 2011, 15:43
Posts: 214
Location: Romania

I'm learning some ollydbg scripting

I'm waiting for the donor, but it's mostly a 2-3 week job. It comes from USA.

Top

Friedrich

Post subject: Re: WD2000JD problem

Posted: March 8th, 2013, 9:33

Banned User

Joined: December 6th, 2012, 14:49
Posts: 70
Location: Svenska

louis wrote:

Yes my friends

I downloaded it but my Norton internet security 2012 detects file WDR.exe as "WS.Reputation.1"
I uploaded the file to http://www.virustotal.com and this is the report log:
https://www.virustotal.com/it/file/ab12 ... 362749184/

as you can see, of 46 antivirus 4 detect it as a virus.
I don't really trust this program

Top

Spildit

Post subject: Re: WD2000JD problem

Posted: March 8th, 2013, 10:22

Joined: December 19th, 2006, 8:49
Posts: 11038
Location: Portugal

Friedrich wrote:

louis wrote:

Yes my friends

False positive due to the way the tool works, same as Sediv and other tools of that kind. But no-one forces you to use it !

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.

Top

louis

Post subject: Re: WD2000JD problem

Posted: March 8th, 2013, 14:22

Joined: August 22nd, 2011, 15:43
Posts: 214
Location: Romania

It has some marks inside...seems that someone unpacked it (don't know who..I just found it on the net while searching)...lordpe&imprec are known tools which marks "fixed" PE

Get a packer...pack notepad.exe then test it at virustotal...you'll be surprised what you'll find :mrgreen:

Sediv it's also a biatch. It's Themid-ed. It doesn't run on W7..nor XP form USB. Under wmvare the protector doesn't allow the execution. So I couldn't test the program. usually this happens on small tools too few tested or not tested at all on other OS's that the programmer works.

Top

Spildit

Post subject: Re: WD2000JD problem

Posted: March 8th, 2013, 14:56

Joined: December 19th, 2006, 8:49
Posts: 11038
Location: Portugal

louis wrote:

It has some marks inside...seems that someone unpacked it (don't know who..I just found it on the net while searching)...lordpe&imprec are known tools which marks "fixed" PE

Get a packer...pack notepad.exe then test it at virustotal...you'll be surprised what you'll find :mrgreen:

And how is your tool going ? Any progress ? Learning anuthing new ?

Look here :

the-death-rom-recovery-tool-instruction-t24650.html

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.

Top

Spildit

Post subject: Re: WD2000JD problem

Posted: March 8th, 2013, 15:05

Joined: December 19th, 2006, 8:49
Posts: 11038
Location: Portugal

Also read here :

marvell-88i6745n-jtag-t20324-20.html

Interesting

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.

Top

louis

Post subject: Re: WD2000JD problem

Posted: March 8th, 2013, 21:18

Joined: August 22nd, 2011, 15:43
Posts: 214
Location: Romania

Spildit wrote:

Also read here :

marvell-88i6745n-jtag-t20324-20.html

Interesting

yeah...so the first code executed inside MCU from the "ROM firmware" file it's he "kernel loader" described here:

Code:

Header of "kernel loader" is on 0x00000000 of Flash (physical addr: 0xfff00000)
in size of 0x20 with CHK
---------------------------
0x5a ;Header ID
04,0,0 ;?
0xd,0xc,0,0 ;=0x00000c0d size of "kernel loader" + CHK
0xc,0xc,0,0 ;=0x00000c0c size of "kernel loader"
0x20,1,0,0 ;=0x00000120 start of "kernel loader" data in FLASH (physical addr 0xfff00120)
0x80,0xa,1,0 ;=0x00010a80 physical addr where "kernel loader" have to be loaded
0x80,0xa,1,0 ;=0x00010a80 physical addr of execute start once "kernel loader" is loaded
0,0,0 ;?
0xd1 ;Header ID CHK 8-bit cheksum of first 0x1f bytes of "kernel loader" header

For this case bootstrap loads "kernel loader" to addr: 0x0x00010a80 in size 0x00000c0c
calculate 8 bit cheksum and compare with next byte (offset + 0x00000c0c)

So when you open the ROM file..the first 0x20bytes are the "kernel loader". If this is corrupted (CRC error) you have to listen the serial port etc...

Top

Spildit

Post subject: Re: WD2000JD problem

Posted: March 9th, 2013, 3:10

Joined: December 19th, 2006, 8:49
Posts: 11038
Location: Portugal

louis wrote:

Spildit wrote:

Also read here :

marvell-88i6745n-jtag-t20324-20.html

Interesting

yeah...so the first code executed inside MCU from the "ROM firmware" file it's he "kernel loader" described here:

Code:

Header of "kernel loader" is on 0x00000000 of Flash (physical addr: 0xfff00000)
in size of 0x20 with CHK
---------------------------
0x5a ;Header ID
04,0,0 ;?
0xd,0xc,0,0 ;=0x00000c0d size of "kernel loader" + CHK
0xc,0xc,0,0 ;=0x00000c0c size of "kernel loader"
0x20,1,0,0 ;=0x00000120 start of "kernel loader" data in FLASH (physical addr 0xfff00120)
0x80,0xa,1,0 ;=0x00010a80 physical addr where "kernel loader" have to be loaded
0x80,0xa,1,0 ;=0x00010a80 physical addr of execute start once "kernel loader" is loaded
0,0,0 ;?
0xd1 ;Header ID CHK 8-bit cheksum of first 0x1f bytes of "kernel loader" header

For this case bootstrap loads "kernel loader" to addr: 0x0x00010a80 in size 0x00000c0c
calculate 8 bit cheksum and compare with next byte (offset + 0x00000c0c)

So when you open the ROM file..the first 0x20bytes are the "kernel loader". If this is corrupted (CRC error) you have to listen the serial port etc...

Very cool indeed ! I liked the JTag idea to tplay with the MCU. Will test that as soon as i have time, now that the JTag points are discovered for that Board with MARVEL cpu.

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.

Top

louis

Post subject: Re: WD2000JD problem

Posted: March 9th, 2013, 5:39

Joined: August 22nd, 2011, 15:43
Posts: 214
Location: Romania

For someone who knows stuff..it may be a stupid question...but the ATA implementation on the device side..shouldn't be handled by the ROM firmware? So if we hava a f.ed rom..no chance to fix it via VSC.

By the way, there's a smart VSC command which returns a 512bytes structure of device Status. if I call it immediately when the error reg is on..I have inside that structure..the error code I computed few posts ago: 0x4341. the structure It's mostly empty which it's obvious since we are in kernel mode.

Code:

VSC Status
-----------
Format Version                               = 1
VSC Implementation, Minor                    = 1
VSC Implementation, Major                    = 4
Max Action Code Supported                    = 47
Last Cmd Type                                = VSC Key CMD
Last Cmd Register                            = 0xB0
Last VSC Cmd Action Code                     = 0x0C

Last Feature Register                        = 0xD6
Last Sector Count Register                   = 0x1
Last Sector Number Register                  = 0xBE
Last Cylinder Register                       = 0xFFFFC24F
Last LBA High                                = 0x0
Last Device Control Register                 = 0x68
Last Device/head Register                    = 0xA0
Last Task File Response                      = 0x104
Extended Error                               = 0x4341
Extended Error Description                   = ()
Secondary Error Code                         = 0x0
Host Connection Speed                        = NOT SUPPORTED
APM Level                                    = 0x0

Sectors Xfer Pending to/from drive           = 0 (0x0)
Last Task File Data                          = 0x81
DLG_II Status                                = 0x0

That topic discuss the "internal" ROM corruption. But what's happening with the external ROM. It's there a way to flash it in place?

Yeah, with JTAG you can debug the MCU. With IDA you can even disassemble the ROM code (ARM opcodes) and see nice graphs with branches..where who calls etc.

Top

Spildit

Post subject: Re: WD2000JD problem

Posted: March 9th, 2013, 11:27

Joined: December 19th, 2006, 8:49
Posts: 11038
Location: Portugal

Quote:

Correct. VSC are loaded from ROM to RAM. If ROM is damaged you can't use the VSC to flash ROM again, that is why they figure out this :

the-death-rom-recovery-tool-instruction-t24650.html

Idea was to use a serial com port to send the ROM back either to Masked ROM on MCU or 8 leg external ROM chip.

Quote:

Here is what he's saying
1. Take WD PCB(ARM based) that has erased or incompatible ROM image (bricked PCB)
2. Connect serial port as shown
3. Short some magic pins to start X-Modem sequence in MCU boot code(E112 and 3.3V for PCB 13xx, 1335 for example). The number is etched on PCB as 2060-701335-xxx
4. Select correct ROM image file and flash it to the drive with the program. Program will use special loaders (called EraseL.dll, SystemL.dll) to do so
5. Per my understanding, provided utility supports only 128KB flash files (external flash chips). For 192KB flash the program will look for Erase.dll and System.dll files that are not provided, thus will not work with those.

Quote:

That topic discuss the "internal" ROM corruption. But what's happening with the external ROM. It's there a way to flash it in place?

Easy way, use an external eeprom programer. The problem is with the internal / masked ROM and that is solved with JTag. At any rate the idea will work either with masked ROM or External ROM.

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.

Top

louis

Post subject: Re: WD2000JD problem

Posted: March 9th, 2013, 20:44

Joined: August 22nd, 2011, 15:43
Posts: 214
Location: Romania

I have gathered the infos by dex into a struct. The wd Rom.bin headers table to some data blocks...32 bytes each header..seems to be the same on the few bios-es I've opened in a hex-editor.

Code:

typedef struct Dir32SecBiosHeader 
{
   byte ID;                  //[Byte 00] Header ID  0x5A it's called "kernel loader"...it loads and unpacks all the others...being executed by the MCU's bootstrap?
   byte type;                  //[Byte 01]?? 1,3 compressed? 
   short decomp_sizeH;            //[Bytes 02:03] higher 16bit of the decompressed size ?? 
   int dir_size;               //Directory Size without checksum byte
   int dir_Size;               // -``- + CKS
   int dir_start;               //The offset in this file where dir starts
   int vir_addr;               //Mem addr Where the MCU's Bootstarp or the "kernel loader" (0x5a = first block-not compressed)  loads and unpack the data
   int entry_point;            //The EP for this directosy. Gets called if needs exec. if this is -1 won't be executed;
   byte UNK4[4];               //01 0A 00 00 
   short decomp_sizeL;            //lower 16bit of the decompressed size
   byte pad;
   byte CKS;                  //checksum is calculated over all buffer but the crc byte 
}Dir32SecBiosHeader;

I'll write a function to traverse all the headers and do a CRC check on all code blocks. The problem is that I don't know how to parse the modules at the EOF...adaptives etc for the 128kb roms which doesn't have te ROYL signature at the beginning of the header.

Top

Spildit

Post subject: Re: WD2000JD problem

Posted: March 9th, 2013, 21:12

Joined: December 19th, 2006, 8:49
Posts: 11038
Location: Portugal

louis wrote:

What would be the use of that CRC check ? To check for the intergrity of the donwloaded ROM ?

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.

Top

louis

Post subject: Re: WD2000JD problem

Posted: March 9th, 2013, 21:28

Joined: August 22nd, 2011, 15:43
Posts: 214
Location: Romania

yes. if ROM dump via VSC doesn't work..and you get a copy with the SOIC8..you wil be able to test it :wink:

I'm doing experiments.

Top

Page 3 of 18

[ 351 posts ]

Go to page Previous 1, 2, 3, 4, 5, 6 ... 18 Next

Main » Forums home » Conventional hard drives

All times are UTC - 5 hours [ DST ]

Who is online

Users browsing this forum: Google [Bot] and 70 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum