muuh
« Reply #100 on: April 04, 2006, 03:38:02 AM »
BlueCop: sorry, I'm not familiar with AVR applications. I've sent that Russian text to a friend. Perhaps she will translate it into German or English. Could you post your new circuit? In which timezone do you live? It's 10:30 am here =) not really a time to sleep ..

BlueCop
« Reply #101 on: April 04, 2006, 05:28:54 AM »
muuh: the only difference is a power the chip from the 5 volts of my power supply rather then its more complicated circuit. I was playing. throwing some commands at the terminal. Some of the output is interesting. I am manually babblefishing eash part of the command manual to keep the table structure and make sure stuff is correctly spaced to make good translations. CurrentCHS=3fff/10/3f MltSiz=10 DMAMod=42 MLITE - 1_Disk 3.01 03-15-05 20:19 Built for MLITE,PITKIN,Redback,TI1922 PreAmp,STA053 PreAmp,InternalSpin,SVC133,OneToOne,2Disk,LowDelta,148 Servos,5400RPM,NonModGray,2x,100MHz,Code DRAM,Ramp Load,Stall Converter,RwFeat=0004,HeadPol=0001,SeaDex,VBAR,MDW Jumper:00 Free Q:LBA Len Tag Flags FUA 00000000 0000 00 00 0000 00000000 0000 00 00 0000 00000000 0000 00 00 0000 00000000 0000 00 00 0000 00000000 0000 00 00 0000 00000000 0000 00 00 0000 00000000 0000 00 00 0000 00000000 0000 00 00 0000 00000000 0000 00 00 0000 00000000 0000 00 00 0000 00000000 0000 00 00 0000 00000000 0000 00 00 0000 00000000 0000 00 00 0000 00000000 0000 00 00 0000 00000000 0000 00 00 0000 00000000 0000 00 00 0000 00000000 0000 00 00 0000 00000000 0000 00 00 0000 00000000 0000 00 00 0000 00000000 0000 00 00 0000 00000000 0000 00 00 0000 00000000 0000 00 00 0000 00000000 0000 00 00 0000 00000000 0000 00 00 0000 00000000 0000 00 00 0000 00000000 0000 00 00 0000 00000000 0000 00 00 0000 00000000 0000 00 00 0000 00000000 0000 00 00 0000 00000000 0000 00 00 0000 00000000 0000 00 00 0000 00000000 0000 00 00 0000 New Q:LBA Len Tag Flags FUA RO Q:LBA Len Tag Flags FUA FUA Q:LBA Len Tag Flags FUA InUse:00 InProgress:00 TagsInProgress:00000000 LowOverhead:00 FUA 00000000 00 ReadLogExtData: 80 00 50 00 00 00 00 00 00 00 00 00 00 00 (( VALID Cert Disk Code Detected - Revision # .019
AT Stuff 0000: 0c5a 3fff c837 0010 0000 0000 003f 0000 0008: 0000 0000 2020 2020 2020 2020 2020 2020 0010: 3550 5730 3437 594e 0000 1000 0004 332e 0018: 3031 2020 2020 5354 3932 3032 3137 4153 0020: 2020 2020 2020 2020 2020 2020 2020 2020 0028: 2020 2020 2020 2020 2020 2020 2020 8010 0030: 0000 2f00 4000 0200 0200 0007 3fff 0010 0038: 003f 0000 0000 0010 2980 0254 0000 0007 0040: 0003 0078 0078 00f0 0078 0000 0000 0000 0048: 0000 0000 0000 0000 0502 0000 0040 0040 0050: 00fe 0000 346b 7d01 6003 0061 3c00 4003 0058: 003f 0000 0f0f fefe fffe 0000 fe00 0000 0060: 0000 0000 0000 0000 2980 0254 0000 0000 0068: 0000 0000 0000 0104 0000 0000 0000 0000 0070: 0000 0000 0000 0000 0000 0040 0f41 0000 0078: 0000 0000 0040 0000 0440 0400 0280 0180 0080: 0001 2980 0254 2980 0254 2020 0002 c2b6 0088: 0002 0000 01ff 3cff ffff 07c6 0100 0000 0090: 090b 0500 0002 0080 0000 0000 00a0 0000 0098: 0000 0000 0000 0000 0000 0000 0d00 000b 00a0: 000f 0022 0003 0000 0032 0014 0033 0024 00a8: 000f 001e 0032 0000 0013 0022 0032 0014 00b0: 0032 0000 003a 0000 0022 002d 0032 0000 00b8: 0032 0000 0022 0000 001a 0000 0012 0000 00c0: 0010 0000 003e 0000 0000 0000 0032 0000 00c8: 0000 0000 0000 0000 0000 0000 0000 0000 00d0: 0000 0000 0000 0000 0000 0000 0000 0000 00d8: 0000 0000 0000 0000 0001 0002 ffff ffff 00e0: 0000 0000 0000 03fc 2134 0015 0025 0000 00e8: 0000 0000 0000 0000 0000 0000 0000 0096 00f0: 0001 0000 0000 0000 0001 0000 0000 0000 00f8: 0000 0000 0000 0690 0000 0000 0000 0000
Configured-1 Part #: 100374044 Interface task reset 1024k x 16 buffer detected MLITE - 1_Disk 3.00 03- Buzz - 15-05 20:16 Head Mask FFFF - Switch to full int. Spin Ready 3.01 03-15-05 20:19 (P)SATA Reset (H)SATA Reset
Buzz - Head Mask FFFF - Switch to full int. Spin Ready
It looks like I'll be up all night.
Addition: I was looking at some of the hex it output and noticed 3 interesting things: my serial, firmware revision, and model number are contained within the terminal output. 5PW047YN 3.01 ST920217AS. I am still trying to figure out these commands. I hope I don't mess up the drive. I am trying to stay away from write commands and keep it on the reading side. I have a full image backup of the drive just in case I corrupt something on that part of the drive. I am going to shop around for a good price on a Seagate ST910021AS 2.5" 100GB 7200RPM 8MB Buffer SATA, then see if I can figure out how to fiddle with the Model, Serial, Firmware stuff. Doing CTRL-T within the ST Mem Win when connected to the hard drive will give you a prompt T>. I haven't found what the terminal prompt is for exactly, but it's all very interesting to me, though I feel like I am poking a dinosaur with a stick and expecting it to have a conversation with me. Wow, I am blazed out of my skull, too many cannabinoids in my system. It's a great feeling. I think I will go actually sleep a bit.
« Last Edit: April 04, 2006, 05:57:49 AM by BlueCop »

TheSpecialist
« Reply #102 on: April 04, 2006, 09:07:42 AM »
Ok, here are the first ATA commands of the 360 powering on (regards to N.):
EF: set features
EC: identify device
C8: read dma - 1 sector lba address 0x000010
C8: read dma - 6 sectors lba address 0x000011
C8: read dma - 8 sectors lba address 0x987580
C8: read dma - 8 sectors lba address 0x987588
C8: read dma - 8 sectors lba address 0x987590
C8: read dma - 8 sectors lba address 0x987598
C8: read dma - 8 sectors lba address 0x9875a0
C8: read dma - 8 sectors lba address 0x9875a8
...
Assuming 512 byte sectors, this matches perfectly the 'drive contents' table from our friends at free60 => sector 10h = address 2000h = plain text hard disk info. So in these first 7 sectors it reads, we find stuff like the plain text hard disk info, the hash info and the MS logo. The identify command returns stuff that is also in that 'plain text hdd info' => serial number, firmware rev and drive model. If MS would just verify a hash with this *complete* 'identify string', then why would they put that plain text info on the HD? So I'm guessing it just checks the hash (signature) with the plain text info on disk and if this is correct, it compares the plain text info to the 'identify string'. If correct, it boots. Meaning, that if we find a way to modify this identify string in the FW (which is either on chip or disc) of the HDD, to match the plain text info on disc, there's a good chance it will boot in my opinion.
« Last Edit: April 04, 2006, 09:57:34 AM by TheSpecialist »
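As an added example (my code, not anything from the thread), here is a small Python parser for the "AT Stuff" IDENTIFY DEVICE word dump BlueCop posted in Reply #101: it recovers the serial, firmware revision and model number he spotted in the hex, plus the sector count, i.e. the 'identify string' fields this post suggests are compared with the plain-text info on disk. The sample input is copied from that dump; the "addr: eight words" line format is an assumption about how the terminal lays out the listing.

```python
# Added example (not code from the thread): parse the "AT Stuff" IDENTIFY DEVICE
# word dump printed by BlueCop's Seagate terminal and pull out the fields that
# Reply #102 says the console compares with the plain-text info on disk.
import re

# Constructed sample input: words 0-63 and 96-103, copied from the dump in
# Reply #101. Each line is "<index of first word>: eight 16-bit hex words".
SAMPLE_DUMP = """
0000: 0c5a 3fff c837 0010 0000 0000 003f 0000
0008: 0000 0000 2020 2020 2020 2020 2020 2020
0010: 3550 5730 3437 594e 0000 1000 0004 332e
0018: 3031 2020 2020 5354 3932 3032 3137 4153
0020: 2020 2020 2020 2020 2020 2020 2020 2020
0028: 2020 2020 2020 2020 2020 2020 2020 8010
0030: 0000 2f00 4000 0200 0200 0007 3fff 0010
0038: 003f 0000 0000 0010 2980 0254 0000 0007
0060: 0000 0000 0000 0000 2980 0254 0000 0000
"""

def parse_identify_dump(text):
    """Return {word_index: value}; lines that are not 'addr: words' are skipped."""
    words = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([0-9a-fA-F]+):((?:\s+[0-9a-fA-F]{4})+)\s*$", line)
        if m:
            base = int(m.group(1), 16)
            for i, hexword in enumerate(m.group(2).split()):
                words[base + i] = int(hexword, 16)
    return words

def ata_string(words, first, last):
    """ATA identify strings hold two ASCII chars per word, high byte first,
    space padded; a word missing from the dump is treated as padding."""
    chars = []
    for idx in range(first, last + 1):
        w = words.get(idx, 0x2020)
        chars += [chr(w >> 8), chr(w & 0xFF)]
    return "".join(chars).strip()

def sector_count(words):
    """48-bit count from words 100-103 if non-zero, else 28-bit from 60-61."""
    lba28 = words.get(60, 0) | (words.get(61, 0) << 16)
    lba48 = sum(words.get(100 + i, 0) << (16 * i) for i in range(4))
    return lba48 or lba28

def identify_fields(text):
    """Serial (words 10-19), firmware (23-26), model (27-46), sector count."""
    words = parse_identify_dump(text)
    return {
        "serial": ata_string(words, 10, 19),
        "firmware": ata_string(words, 23, 26),
        "model": ata_string(words, 27, 46),
        "sectors": sector_count(words),
    }
```

On the sample dump this yields serial 5PW047YN, firmware 3.01, model ST920217AS and 39070080 sectors, which at 512 bytes each is the 20 GB that model is sold as.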

MODFREAKz
« Reply #103 on: April 04, 2006, 04:01:51 PM »

TheSpecialist
« Reply #104 on: April 04, 2006, 04:56:53 PM »
You should keep in mind that a 'HDD serial number' is something DIFFERENT than a 'Volume serial number'. That volume serial number is created by the OS at the format of the disk. Every time you format a disk, it gets another 'volume serial number'. You can see the 'volume serial number' in a DOS prompt for example, by typing 'dir' => it will say: 'volume serial number is ...'. You can also change it, see: http://www.codeproject.com/system/change_drive_sn.asp Anyway, I think in this thread, they're not talking about the HDD serial number, but about that 'volume serial number' =>
« Last Edit: April 04, 2006, 04:59:42 PM by TheSpecialist »

TheSpecialist
« Reply #105 on: April 04, 2006, 06:33:07 PM »

BlueCop
« Reply #106 on: April 04, 2006, 06:59:37 PM »
Sorry about the image, but the text wasn't selectable from the manual so I took a screen shot. It is from the Salvation Seagate HDD Repairer manual. They have specialized utilities for other drive manufacturers as well, but I don't know if this model/serial change stuff is possible with them. That program connects to the drive using the same terminal interface. We now know it's possible to change the information we want with this Seagate terminal, but just not the commands to do it. I have a demo of the Salvation Seagate HDD Repairer, but it says it will only run in Windows 98 in safe mode with command prompt. I think I am going to take an old cheap PC and just build it as a terminal for the program to run, then connect it to my KVM. I hope the demo will do the Serial/Model stuff; I haven't run it yet so I don't know its restrictions.
Edit: I just had an idea. Set up a PC as a monitor between the computer running HDD Repairer and the serial cable connected to the hard drive. I have some old PCs with dual serial ports. Perhaps it is possible to monitor all commands sent so as to make it possible to run the same commands from HyperTerminal or other such program within Windows. I also found a simple RS232 monitor on the site below: http://www.riccibitti.com/quickdesigns.htm
« Last Edit: April 04, 2006, 07:34:56 PM by BlueCop »

BlueCop
« Reply #107 on: April 04, 2006, 10:34:04 PM »
It seems an attempt to upgrade the hard drive to anything larger will fail. loser informed us in another thread that at 0x2058 it contains the sector count. This is part of the hashed area for the 256bit key. So even if we clone the needed items to a disk it still wouldn't increase the available capacity.

TheSpecialist
« Reply #108 on: April 05, 2006, 12:16:23 AM »
It seems an attempt to upgrade the harddrive to anything larger will fail. loser informed us in another thread that at 0x2058 it contains the sector count. This is part of the hashed area for the 256bit key. so even if we clone the needed items to a disk it still wouldn't increase the available capacity..
Daaamn... That sucks. Well, good job of course by MS and exactly the way they should do it, but still, no fun for us hackers here, hehe. I was just making *some* progress at finding out how to flash the Hitachi: I found out you should use the ATA 92h command: 'download microcode' for it... But I guess there's not much use for a flasher now anymore ...
« Last Edit: April 05, 2006, 12:25:15 AM by TheSpecialist »

Arakon
« Reply #109 on: April 05, 2006, 12:33:45 AM »
Still would be useful to be able to have a backup or just replace the original HD, even if it can't be any bigger.
Edit: never mind, just saw in the other thread that all info is hashed.
« Last Edit: April 05, 2006, 12:37:31 AM by Arakon »
I do NOT give support by email, PM, ICQ or whatever. Anyone annoying me that way will have his balls removed. With a rusty butterknife. Slowly. And I'll enjoy doing it.

MacDennis
« Reply #110 on: April 05, 2006, 03:50:58 AM »
It seems an attempt to upgrade the harddrive to anything larger will fail. loser informed us in another thread that at 0x2058 it contains the sector count. This is part of the hashed area for the 256bit key. so even if we clone the needed items to a disk it still wouldn't increase the available capacity..
BlueCop, first of all, very nice work! I'm following this thread with much interest. Well, did anyone actually believe we could really attach a bigger HDD to the console by cloning/faking some data? M$ is not that stupid. It seems we will have to wait for bigger original drives to arrive. Then we have in theory an option to replace such a drive with a cheaper version. Otherwise we will have to 'break' the 256-byte signature. Ohhh, just noticed the comments of loser in another thread. Our only option for now is to wait for bigger HDDs ..
« Last Edit: April 05, 2006, 03:55:38 AM by MacDennis »

loser
« Reply #111 on: April 05, 2006, 07:16:02 AM »
Just to remind everyone, 'breaking' that 256byte (2048bit) signature is the same as breaking the one required to let us sign our own xex files or edit Xbox DVD security sectors. (ie probably not going to happen)

parasven
« Reply #112 on: April 05, 2006, 08:46:29 AM »
(ie probably not going to happen) Don't forget the quantum computers

TheSpecialist
« Reply #113 on: April 05, 2006, 09:30:07 AM »
Well, did anyone actually believe we could really attach a bigger HDD to the console by cloning/faking some data? Yes, me. I think it looked promising, mainly because of the cleartext info on the HD. I figured that if they had signed the complete ID string, they wouldn't need that clear text info at all (just the signature would have been enough). Well, it seems this was correct; too bad there was some additional info with that 'cleartext' info. M$ is not that stupid. First of all, I don't consider this a valid argument anymore. Secondly, it really is not easy to 'flash' microcode to the Hitachi HDD for example. There is absolutely NO info available and it is a lot more complex than creating a flasher for the DVD drive for example ... But it seemed like a nice challenge, especially with quotes like this:
I asked Meister if it is possible to access the firmware area of a hard drive from the regular IDE channel. "Yes, if you knew the secret sauce, yes. There are back doors if you will that allow us to get into places that the operating system can't go through the IDE connector," he replied.
So is it only a matter of time before a virus comes out that destroys a hard drive by attacking the firmware area? "With enough time and energy they could figure out how to get into the drive," he says. Doing so requires hacking through the operating system and the disk drive, which would be challenging. But he adds, "Since it's just a bunch of digital logic they could probably figure out a way to get through it."
From: http://www.computerworld.com/blogs/node/1099. BTW, I hope I'm not giving some ppl ideas here about writing viruses. Seriously, I never understood ppl that do so ... Idiots. Anyway, too bad that a fun project like this can't come to a 'happy ending' ...
« Last Edit: April 05, 2006, 10:18:08 AM by TheSpecialist »

Geremia
« Reply #115 on: April 05, 2006, 06:44:05 PM »
Just played with my 360 Samsung HD, the pin near the SATA connector is TX, the next is RX, baud rate 57600 8N1, but now?!! ehehhe, don't know absolutely what to do
1.5G Limited SPW 1.5G Link Ok! IndS=+00002 Spn OK H: +00000 Load SK C: 0000080E ENG>SRV> SvoTbl Loaded BD ENG>
Tried the flash tool found on hddguru files store, named Samsung Hdd-Firmware Rq100-06.zip, with a SATA-PATA converter; doesn't seem to work with this drive, I'll recheck later

TheSpecialist
« Reply #116 on: April 05, 2006, 07:14:44 PM »
Just played with my 360 Samsung HD, the pin near the SATA connector is TX, the next is RX, baud rate 57600 8N1, but now?!! ehehhe, don't know absolutely what to do. Tried the flash tool found on hddguru files store, named Samsung Hdd-Firmware Rq100-06.zip, with a SATA-PATA converter; doesn't seem to work with this drive, I'll recheck later
Did a bit of research and it seems that most of these flash tools require a very specific setup: most of them want you to connect the HD on the secondary controller, no other device on that controller, only the HD, and the jumpers need a specific config too. Furthermore, if you're not using a SATA/PATA converter, there are a lot more things you should keep in mind and it seems that only some SATA controllers are able to update a HDD firmware ... So the process of 'flashing' (and probably dumping too) is not exactly 'plug and play'. Here's an example of how to set up your drive if you want to use it with 'AFF repair station' (a program that can read and modify your HDD's firmware) => http://www.hdd-tools.com/products/rrs/howto/
« Last Edit: April 05, 2006, 07:21:39 PM by TheSpecialist »

Geremia
« Reply #117 on: April 05, 2006, 07:21:49 PM »
I'm using a SATA-PATA converter because my motherboard is VA chipset and can't remap to primary and secondary channels. The other 2 jumpers are one connected directly to the main Marvell chip, the other to the motor driver by a resistor and a capacitor; I'll try it later. btw:
ENG>HELP DC MC BT PK DM MM SD SM VU CC EP EC SV XN XW XR XS XC XF XH XT XD XL XP XA HE RT D DP DB DW DF DI M MD MB MW MP MI FB FW SB CA RC BI DN DU LW LP LD FI BD BS BC GO R2 T2 SS NS DA DR MR ENG> ENG>BD BREAKPOINTS AT: ENG>FW E:0003 - Req Prm ENG>GO E:0004 - Dbg Cmd
I'll have a dead HD next to a dead 360 soon

anita999
« Reply #118 on: April 05, 2006, 09:05:04 PM »
Well, I told everyone that all info is on the disks, but you guys still want to try it out.. Check this link and you'll probably find more.. www.PC3000PCI.com It's a low level HDD repair tool, which is so powerful that you can modify the serial and model name of some HDDs, but not the FW revision. You can also apply the SetMaxLBA command to cheat the system with the LBA you want. So the sector counts shall be the same... I have this tool, so I know it's working... For some HDD models, you can download the FW, patch it, and then upload it. In most cases, you can only download the FW, but not upload... In order to download/upload the FW, you need to set the HDD in "SAFE" mode, which will require a specific jumper setting... which is different for each model.. There is a terminal mode for Samsung HDDs, too, and there are special AT commands for each HDD to access the FW... Unfortunately I am not so familiar with these commands. I have succeeded in faking the ATA identify string to replace a HDD with a different HDD, but that will only end with the same capacity... The only good I got is to have a cheap replacement HDD and backup storage... I use this device to enlarge the recording capacity for my HDTV HDD recorders. So the problem will be whether we can break the hash or not.... Maybe it's not that difficult... Even in 360 DVD drive authentication, it uses only a 16 bytes key, not 256 bytes... Maybe 16 bytes is the "root" key we need to break...

uberfry
« Reply #119 on: April 06, 2006, 04:03:42 AM »
xbox360_HDD + 60GB_logicboard + xbox360_eeprom = works fine in xbox360 and PC
60GB_HDD + xbox_logicboard + 60GB_eeprom = works fine in PC but no recognition in xbox360
Could you please try: 60GB_HDD + 60GB_logicboard + xbox360_eeprom? I wonder what results you will get...