While Trying to UnLock ST3120026A A SeaGate HdD, I wrote some notes of my research :
* http://rzr.online.fr/q/alpine# How to reset #SeaGate #HdD #ST3120026A (#AlpinE) and #UnLock #MaxSecurity activation , #HdParm fails to rd
===== TODO =====
* http://darthcircuit.com/2012/07/05/hacking-a-seagate-hard-drive-to-work-in-the-xbox-360/
* http://tlvps.tomvanleeuwen.nl/~tom/wordpress/?p=7
===== KNOWN INFORMATION =====
* http://www.seagate.com/support/internal-hard-drives/desktop-hard-drives/barracuda/?sku=ST3120026A&q=ST3120026A
* http://www.seagate.com/files/docs/pdf/datasheet/disc/ds_barracuda_7200_9.pdf
Generation: 7200.7
Before HackIng on UarT :
hdparm -i /dev/sdb
/dev/sdb:
Model=ST3120026A, FwRev=3.06, SerialNo=5JT1GGXH
Config={ HardSect NotMFM HdSw>15uSec Fixed DTR>10Mbs RotSpdTol>.5% }
RawCHS=16383/16/63, TrkSize=0, SectSize=0, ECCbytes=4
BuffType=unknown, BuffSize=8192kB, MaxMultSect=16, MultSect=16
CurCHS=4047/16/255, CurSects=16511760, LBA=yes, LBAsects=234441648
IORDY=on/off, tPIO={min:240,w/IORDY:120}, tDMA={min:120,rec:120}
PIO modes: pio0 pio1 pio2 pio3 pio4
DMA modes: mdma0 mdma1 mdma2
UDMA modes: udma0 udma1 *udma2 udma3 udma4 udma5
AdvancedPM=no WriteCache=enabled
Drive conforms to: ATA/ATAPI-6 T13 1410D revision 2: ATA/ATAPI-1,2,3,4,5,6
* signifies the current active mode
==== DONE : ATA / SERIAL LINK =====
______ ________________ _____________________________
| PW | | 2 (4) 6 (8) | | ATA - CONNECTOR |
\____/ | 1 (3) 5 7 | |____________| |______________|
|________________|
1 : GND
2 : GND
3 : TXD
4 : RXD
5 : open?
6 : open?
7 : open?
8 : 5V?
Using RpI as UarT ConsolE :
screen /dev/ttyAMA0
4096k x 16 buffer detected
ALPINE - 1_Disk M.14 01-16-03 11:51
Buzz - Head Mask 0000 - Switch to full int.
Spin Ready
3.06 10-21-03 15:53
(P)PATA Reset
Slave
{{http://nt4.com/ss/seagate-diagnostic-uart-pata.png}}
===== SHELL =====
Now hit Ctrl + z
T> AT Interface Registers
ec00: 01 00 00 01 00 00 01 00 0f 3f fe 04 50 92 42 68
ec10: 00 00 00 00 00 00 00 10 00 00 00 01 00 00 0a 00
ec20: 00 01 ff ff a0 00 10 04 00 00 01 c6 50 40 ff 18
ec30: 00 00 00 00 00 00 00 80 00 0a 07 45 01 00 00 00
ec40: 00 00 00 00 00 00 00 00 c0 c0 c0 00 01 00 e6 fc
Data Manager Registers
ed00: 0003 0000 0000 1000 0000 0000 0001 0000
ed10: 6400 0210 fce6 0000 0000 0000 0000 0000
Buffer Controller Registers
ed30: fce6 0000 0000 0200 0000 3ffe 3ffe 3ffe
ed40: 0000 0200 080c 0a06 f00c 0000 0000 0000
ed50: 00fb 00fb 0000 0000 fce6 235c 8aa2 0000
ed60: 0000 0000 0000 0000 fce6 fce6 fce6 fce6
Disk Sequencer Registers
eb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Cache Hardware Registers
ef00: 00 00 00 00 00 00 00 00 3f 00 00 00 37 00 00 00
ef10: 00 00 00 00 00 00
Ctrl + letter : commands ?
* a : Eng Rev = .M67
* c : View Firmware Revision : FirmWare : Slave3.06 10-21-03 15:53
* d : ?
* e : CurrentCHS=3fff/10/3f MltSiz=10 DMAMod=02
* f : dump stuff : ACHD Hardware
* g : dump stuff : WSAV 0000 WSAD 0000 WCSAD 0003 WSIZE 1000 HPRE 0200
* i : dump stuff : AT Interface Registers
* k : DST Status=00 Test=01
* l : View PLatform Information : RoM InfO
* n :
* p :
* r : Online Mode : ceRt : ALID Cert Disk Code Detected - Revision # .137
* t : reseT ? : ALPINE - 1_Disk M.14 01-16-03 11:51
* u : View raw cUrent At stUff : dump Part #: 100268841
* v : EchoInterfaceCmds: On
* w : Rd/Wr Stats On
* x : User Activity : dT(ms) Cmd Cnt LBA | LBA Cmd Cyl Hd Sct Cnt Start Sz Ofs
* y : DST Status=00 Test=01
* z : Enter Terminal Diagnostics : T> shell
* http://events.ccc.de/congress/2010/Fahrplan/attachments/1776_slides_DRT.pdf
Control Codes 7200.10
● ^Z: Enter Terminal Diagnostics
● ^A: View Firmware Revision
● ^B: View Temperature
● ^C: Reset
● ^D/^N: Set Tracing Bits up/down
● ^L: View Platform Information
● ^U: View raw AT Stuff
Letters :
* . (dot)
* ; (semicolon)
* %
* ?
* k [ENTER] : Command Inactive - No VALID Cert Code Detected
* y [ENTER] (wait few seconds)
* http://forum.hddguru.com/viewtopic.php?f=1&t=26132&view=previous
CommandS :
* /2 B : The /2 B command will display the contents of a buffer block note - you use the Blk number not the BufAddr, Another percularity of the B command is it compares blocks, so to actually see the contents you have to compare it with itself.
** http://forum.hddguru.com/viewtopic.php?f=13&t=27119
* The A command shows the current mode and the available modes
* Rx,1 reads the sector into the read buffer (where x is sector number if in sector mode)
* Wx,1 writes the sector from the write buffer . only the 200 hex data bytes are written, and fresh set of final 4 byte crc/id bytes is written
* C : Copy : copy the read buffer to the write buffer
* /1 U : edit ?
* http://forum.hddguru.com/viewtopic.php?f=1&t=6411
===== ID =====
Interface task reset
4096k x 16 buffer detected
ALPINE - 1_Disk M.14 01-16-03 11:51
nterface task reHead Mask 0000 - Switch Spin Ready
3.06 10-21-03 15:53
(P)PATA Reset
Slave
===== Stuff =====
Stuff Was Unreadable
T>F
SetStuff->ASCIFE
Setting stuff to defaults
Ctrl+U :
AT Stuff
0000: 0c5a 3fff 0000 0010 0000 0000 003f 0000
0008: 0000 0000 004a 5431 4747 5848 2020 2020
0010: 2020 2020 2020 2020 0000 4000 0000 332e
0018: 3036 2020 2020 5354 3144 6973 6b31 4865
0020: 6164 2020 2020 2020 2020 2020 2020 2020
0028: 2020 2020 2020 2020 2020 2020 2020 8010
0030: 0000 2f00 0000 0200 0200 0007 3fff 0010
0038: 003f 0000 0000 0010 ffff 0fff 0000 0007
0040: 0003 0078 0078 00f0 0078 0000 0000 0000
0048: 0000 0000 0000 0000 0000 0000 0000 0000
0050: 001e 0000 306b 4001 4000 0063 0000 0000
0058: 003f 0000 0000 0000 0000 4b00 0000 0000
0060: 0000 0000 0000 0000 ffff ffff 0000 0000
0068: 0000 0000 0000 0000 0000 0000 0000 0000
0070: 0000 0000 0000 0000 0000 0000 0000 0000
0078: 0000 0000 0000 0000 0000 0000 0000 0000
0080: 0107 0000 0000 ffff ffff 2020 0002 02b6
0088: 0000 198a 3c24 3c02 ffff 07c6 0100 0800
0090: 06c0 0500 0002 0000 0000 0000 0000 0000
0098: 0000 0000 0000 0000 0000 0000 0020 000b
00a0: 000e 0019 0002 0000 0032 0014 0032 0024
00a8: 000e 001e 0032 0000 0012 00c1 0032 0014
00b0: 0022 0000 001a 0000 0012 0000 0010 0000
00b8: 003e 0000 0000 0000 0032 0000 0000 0000
00c0: 0000 0000 0000 0000 0000 0000 0000 0000
00c8: 0000 0000 0000 0000 0000 0000 0000 0000
00d0: 0000 0000 0000 0000 0000 0000 0000 0000
00d8: 0000 0000 0000 0000 0000 0000 0000 0000
00e0: 0000 0030 0003 07d0 1770 3c0a 0000 0000
00e8: 0000 07d0 03e8 ffff 00bd 0000 0006 0096
00f0: 0000 0000 0000 0000 0000 0000 0000 0000
00f8: 0000 0000 0000 0000 0000 0000 0000 0000
Not configured-0
Hints ?
* http://www.slideshare.net/er0080/pc-seag-bara p84
* http://www.rom.by/forum/Imeem_seagate_barracuda_st340016a_-_bios_nahodit_bez?page=2
* http://darthcircuit.com/2012/07/05/hacking-a-seagate-hard-drive-to-work-in-the-xbox-360/
Model is [[ST3120026A]], lets encode it
printf 'ST3120026A ' | xxd
0000000: 5354 3331 3230 3032 3641 2020 2020 2020 ST3120026A
0000010: 2020 2020 2020 2020 2020 2020 2020 2020
echo "0x:5354333132303032364120202020202020202020" | xxd -r # will show : 'ST3120026A '
ST3120026A
Key3C,83 : 4BB10DF9
Key1B : 5354333132303032364120202020202020202020 2020202020202020202020202020202020202020
So If I understood right it will be something like :
Ctrl+Z :
T> F
SetStuff-> ASCI1B5354333132303032364120202020202020202020
# Stuff key 1b -> 53 54 33 31 32 30 30 32 36 41 20 20 20 20 20 20 20 20 20 20 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
T> F
SetStuff-> ASCI834BB10DF9
# Stuff key 83 -> 4b b1 0d f9
T> F
SetStuff-> ASCI3C4BB10DF9
#
T>#
Enter Drive S/N 5JT1GGXH
Enter Packwriter S/N
T>W
HdParm :
sudo hdparm -i /dev/sdb
/dev/sdb:
SG_IO: bad/missing sense data, sb[]: 70 00 05 00 00 00 00 0a 00 00 00 00 24 00 00 c0 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HDIO_GET_IDENTITY failed: Invalid argument
sudo hdparm -I /dev/sdb
/dev/sdb:
SG_IO: bad/missing sense data, sb[]: 70 00 05 00 00 00 00 0a 00 00 00 00 24 00 00 c0 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ATA device, with non-removable media
Model Number: ��ޭ ޭO�����j�3����
Serial Number: ����
Firmware Revision: ��m`�▒��
Media Manufacturer: ����r�g����
Standards:
Likely used: 4
Configuration:
Logical max current
cylinders 0 34818
heads 0 65535
sectors/track 34818 28000
--
bytes/track: 39376 bytes/sector: 13368
CHS current addressable sectors: 4294934810
Logical/Physical Sector size: 512 bytes
device size with M = 1024*1024: 2097136 MBytes
device size with M = 1000*1000: 2199006 MBytes (2199 GB)
cache/buffer size = unknown
Nominal Media Rotation Rate: 33050
Capabilities:
IORDY(may be)(cannot be disabled)
Buffer size: 6653.5kB bytes avail on r/w long: 34818
Standby timer values: spec'd by Vendor
R/W multiple sector transfer: Max = 0 Current = 255
DMA: not supported
PIO: unknown
Cycle time: no flow control=57005ns IORDY flow control=19968ns
Removable Media Status Notification feature set supported
Security:
Master password revision code = 256
not supported
not enabled
not locked
not frozen
not expired: security count
not supported: enhanced erase
Logical Unit WWN Device Identifier: 00db000000000000
NAA : 0
IEEE OUI : 0db000
Unique ID : 000000000
==== WIP : LBA ====
LBAsects=234441648 ; printf "LBAsects_hex=0x%x\n" $LBAsects
LBAsects_hex=0xdf94bb0
printf "%d" 0x4BB10DF9
1269894649
* https://en.wikipedia.org/wiki/Logical_block_addressing
===== MORE =====
@TaG: UnLock