
Halt and Catch Fire

Posted in hardware on 2008.04.10 by ipv5

Got a disk for cheap off eBay, since the user forgot the ATA password. Turned out the disk was 0xDEAD anyway, but I’ve learned a bit more about the ATA/PATA commands.
If you’ve got a locked disk and do not care much for the contents, read on.

First things first: you really do want to pay HddGuru a visit. They host some really great tools like mhdd (which lets you send ATA commands directly to the disk), a forum, and of course the ATA/ATAPI-8 revision 2b — AT Attachment — 8 ATA/ATAPI Command Set (January 10, 2006). It is a not-in-any-way-dull list of all the stuff you can send to your disk, including HCF but sadly lacking RAISE_FROM_THE_DEAD.

Ok, let’s grab/burn our Ultimate Boot CD (mhdd is under the diagnostic tools btw) and fire it up.
Select your locked disk (1 usually) and let’s send IDENTIFY to the bugger. Yes, that’s way too much info.

The first thing to look for is bit 8 of word 128: 0 is security=high, 1 is security=maximum.

If it’s zero we’re in luck, and we can either unlock the disk with the regular password (assuming you know it, I did not) or with the master password (you can find some of them on the net, just google for your model number). (edit: I’ve collected the passwords I’ve found here)

Let’s type UNLOCK, reply 1 when asked [that means we’re using the master password], and enter our password.
If we do not get an error [ERR turns red at the top of the screen] we’re good to go. If we do, there are 4 more tries with the password before we need to power-cycle the disk.
If we get the password right, a DISPWD (followed by 1 and the password again) will stop all this locking nonsense for good.

Oh, right, there’s maximum security too.
Well, that’s more satisfying, if slow as a glacier.
Just send an ERASE PREPARE followed by an ERASE UNIT, and after an hour or so you can go and DISPWD it for good. Yes, that will erase it completely; told you it was more satisfying.

List of interesting stuff from IDENTIFY:

  • bit 8 in word 128: security, 0=high 1=maximum
  • word 92: if it’s 0xFFFE the master password is unchanged (and you could get lucky and find it on the net)
  • words 89 and 90: how long it will take to ERASE the disk
  • word 88: which kind of dma the disk supports
  • byte 2 in word 53: whether the fields in word 88 are valid or not (wtf?)
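
The security-related words from the list above can be decoded mechanically from a raw IDENTIFY response. The following is an added example, not code from the original post or from mhdd: it assumes you already have the 512-byte IDENTIFY DEVICE block as bytes, the function names are made up for illustration, and the sample block is constructed. It goes slightly beyond the list by also decoding the other status bits of word 128 (supported, enabled, locked, frozen, count expired).

```python
import struct

def identify_words(raw: bytes) -> tuple:
    """IDENTIFY DEVICE data is 256 little-endian 16-bit words (512 bytes)."""
    if len(raw) != 512:
        raise ValueError("expected a 512-byte IDENTIFY DEVICE block")
    return struct.unpack("<256H", raw)

def erase_minutes(word: int):
    """Words 89/90 count in 2-minute units in the low byte; 0 = no estimate.
    255 means 'more than 508 minutes', so 510 is only a lower bound."""
    units = word & 0xFF
    return None if units == 0 else units * 2

def security_summary(raw: bytes) -> dict:
    w = identify_words(raw)
    sec = w[128]  # security status word
    return {
        "supported": bool(sec & 0x0001),
        "enabled": bool(sec & 0x0002),
        "locked": bool(sec & 0x0004),
        "frozen": bool(sec & 0x0008),
        "count_expired": bool(sec & 0x0010),  # retry limit hit
        "level": "maximum" if sec & 0x0100 else "high",  # bit 8
        "master_password_unchanged": w[92] == 0xFFFE,
        "erase_minutes": erase_minutes(w[89]),
        "enhanced_erase_minutes": erase_minutes(w[90]),
    }

def recovery_path(s: dict) -> str:
    """Map the status onto the two routes the post describes."""
    if not s["enabled"]:
        return "no password set"
    if s["count_expired"] or s["frozen"]:
        return "power cycle, then retry"
    if s["level"] == "high":
        return "UNLOCK with user or master password, then DISPWD"
    return "ERASE PREPARE + ERASE UNIT, then DISPWD"

def constructed_sample() -> bytes:
    """Constructed IDENTIFY block: locked, maximum security, 1 hour erase."""
    buf = bytearray(512)
    for index, value in ((128, 0x0107), (92, 0xFFFE), (89, 30), (90, 0)):
        struct.pack_into("<H", buf, index * 2, value)
    return bytes(buf)

if __name__ == "__main__":
    summary = security_summary(constructed_sample())
    print(summary, recovery_path(summary), sep="\n")
```

A drive you own that reports `master_password_unchanged` as true with security enabled is worth fixing: anyone who knows the vendor's default master password can unlock it at the high security level.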


Happy disk hacking everyone
