While Trying to UnLock ST3120026A A SeaGate HdD, I wrote some notes of my research :

TODO

KNOWN INFORMATION

Generation: 7200.7

Before HackIng on UarT :

hdparm -i /dev/sdb

/dev/sdb:

 Model=ST3120026A, FwRev=3.06, SerialNo=5JT1GGXH
 Config={ HardSect NotMFM HdSw>15uSec Fixed DTR>10Mbs RotSpdTol>.5% }
 RawCHS=16383/16/63, TrkSize=0, SectSize=0, ECCbytes=4
 BuffType=unknown, BuffSize=8192kB, MaxMultSect=16, MultSect=16
 CurCHS=4047/16/255, CurSects=16511760, LBA=yes, LBAsects=234441648
 IORDY=on/off, tPIO={min:240,w/IORDY:120}, tDMA={min:120,rec:120}
 PIO modes:  pio0 pio1 pio2 pio3 pio4
 DMA modes:  mdma0 mdma1 mdma2
 UDMA modes: udma0 udma1 *udma2 udma3 udma4 udma5
 AdvancedPM=no WriteCache=enabled
 Drive conforms to: ATA/ATAPI-6 T13 1410D revision 2:  ATA/ATAPI-1,2,3,4,5,6

 * signifies the current active mode
______   ________________      _____________________________
| PW |  |  2  (4)  6 (8) |    |  ATA        -  CONNECTOR    |
\____/  |  1  (3)  5  7  |    |____________| |______________|
        |________________|

1 : GND
2 : GND
3 : TXD
4 : RXD
5 : open?
6 : open?
7 : open?
8 : 5V?

Using RpI as UarT ConsolE :

screen /dev/ttyAMA0


4096k x 16 buffer detected 
ALPINE - 1_Disk    M.14  01-16-03 11:51

Buzz  - Head Mask 0000 - Switch to full int.
              Spin Ready
3.06  10-21-03 15:53
(P)PATA Reset
Slave

SHELL

Now hit Ctrl + z

T>  AT Interface Registers
ec00: 01 00 00 01 00 00 01 00  0f 3f fe 04 50 92 42 68 
ec10: 00 00 00 00 00 00 00 10  00 00 00 01 00 00 0a 00 
ec20: 00 01 ff ff a0 00 10 04  00 00 01 c6 50 40 ff 18 
ec30: 00 00 00 00 00 00 00 80  00 0a 07 45 01 00 00 00 
ec40: 00 00 00 00 00 00 00 00  c0 c0 c0 00 01 00 e6 fc 

  Data Manager Registers
ed00: 0003  0000  0000  1000   0000  0000  0001  0000  
ed10: 6400  0210  fce6  0000   0000  0000  0000  0000  

  Buffer Controller Registers
ed30: fce6  0000  0000  0200   0000  3ffe  3ffe  3ffe  
ed40: 0000  0200  080c  0a06   f00c  0000  0000  0000  
ed50: 00fb  00fb  0000  0000   fce6  235c  8aa2  0000  
ed60: 0000  0000  0000  0000   fce6  fce6  fce6  fce6  

  Disk Sequencer Registers
eb00: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 

  Cache Hardware Registers
ef00: 00 00 00 00 00 00 00 00  3f 00 00 00 37 00 00 00 
ef10: 00 00 00 00 00 00 

Ctrl + letter : commands ?

  • a : Eng Rev = .M67
  • c : View Firmware Revision : FirmWare : Slave3.06 10-21-03 15:53
  • d : ?
  • e : CurrentCHS=3fff/10/3f MltSiz=10 DMAMod=02
  • f : dump stuff : ACHD Hardware
  • g : dump stuff : WSAV 0000 WSAD 0000 WCSAD 0003 WSIZE 1000 HPRE 0200
  • i : dump stuff : AT Interface Registers
  • k : DST Status=00 Test=01
  • l : View PLatform Information : RoM InfO
  • n :
  • p :
  • r : Online Mode : ceRt : ALID Cert Disk Code Detected - Revision # .137
  • t : reseT ? : ALPINE - 1_Disk M.14 01-16-03 11:51
  • u : View raw cUrent At stUff : dump Part #: 100268841
  • w : Rd/Wr Stats On
  • x : User Activity : dT(ms) Cmd Cnt LBA | LBA Cmd Cyl Hd Sct Cnt Start Sz Ofs
  • y : DST Status=00 Test=01
  • z : Enter Terminal Diagnostics : T> shell

Control Codes 7200.10

● ^Z: Enter Terminal Diagnostics
● ^A: View Firmware Revision
● ^B: View Temperature
● ^C: Reset
● ^D/^N: Set Tracing Bits up/down
● ^L: View Platform Information
● ^U: View raw AT Stuff 

Letters :

  • . (dot)
  • ; (semicolon)
  • %
  • ?
  • k [ENTER] : Command Inactive - No VALID Cert Code Detected
  • y [ENTER] (wait few seconds)

CommandS :

  • /2 B : The /2 B command will display the contents of a buffer block note - you use the Blk number not the BufAddr, Another percularity of the B command is it compares blocks, so to actually see the contents you have to compare it with itself.
  • The A command shows the current mode and the available modes
  • Rx,1 reads the sector into the read buffer (where x is sector number if in sector mode)
  • Wx,1 writes the sector from the write buffer . only the 200 hex data bytes are written, and fresh set of final 4 byte crc/id bytes is written
  • C : Copy : copy the read buffer to the write buffer
  • /1 U : edit ?

ID

Interface task reset
4096k x 16 buffer detected 
ALPINE - 1_Disk    M.14  01-16-03 11:51
nterface task reHead Mask 0000 - Switch               Spin Ready
3.06  10-21-03 15:53
(P)PATA Reset
Slave

Stuff

Stuff Was Unreadable
T>F
SetStuff->ASCIFE 
Setting stuff to defaults

Ctrl+U :

AT Stuff
0000: 0c5a  3fff  0000  0010   0000  0000  003f  0000  
0008: 0000  0000  004a  5431   4747  5848  2020  2020  
0010: 2020  2020  2020  2020   0000  4000  0000  332e  
0018: 3036  2020  2020  5354   3144  6973  6b31  4865  
0020: 6164  2020  2020  2020   2020  2020  2020  2020  
0028: 2020  2020  2020  2020   2020  2020  2020  8010  
0030: 0000  2f00  0000  0200   0200  0007  3fff  0010  
0038: 003f  0000  0000  0010   ffff  0fff  0000  0007  
0040: 0003  0078  0078  00f0   0078  0000  0000  0000  
0048: 0000  0000  0000  0000   0000  0000  0000  0000  
0050: 001e  0000  306b  4001   4000  0063  0000  0000  
0058: 003f  0000  0000  0000   0000  4b00  0000  0000  
0060: 0000  0000  0000  0000   ffff  ffff  0000  0000  
0068: 0000  0000  0000  0000   0000  0000  0000  0000  
0070: 0000  0000  0000  0000   0000  0000  0000  0000  
0078: 0000  0000  0000  0000   0000  0000  0000  0000  
0080: 0107  0000  0000  ffff   ffff  2020  0002  02b6  
0088: 0000  198a  3c24  3c02   ffff  07c6  0100  0800  
0090: 06c0  0500  0002  0000   0000  0000  0000  0000  
0098: 0000  0000  0000  0000   0000  0000  0020  000b  
00a0: 000e  0019  0002  0000   0032  0014  0032  0024  
00a8: 000e  001e  0032  0000   0012  00c1  0032  0014  
00b0: 0022  0000  001a  0000   0012  0000  0010  0000  
00b8: 003e  0000  0000  0000   0032  0000  0000  0000  
00c0: 0000  0000  0000  0000   0000  0000  0000  0000  
00c8: 0000  0000  0000  0000   0000  0000  0000  0000  
00d0: 0000  0000  0000  0000   0000  0000  0000  0000  
00d8: 0000  0000  0000  0000   0000  0000  0000  0000  
00e0: 0000  0030  0003  07d0   1770  3c0a  0000  0000  
00e8: 0000  07d0  03e8  ffff   00bd  0000  0006  0096  
00f0: 0000  0000  0000  0000   0000  0000  0000  0000  
00f8: 0000  0000  0000  0000   0000  0000  0000  0000  



Not configured-0

Hints ?

Model is ST3120026A, lets encode it

printf 'ST3120026A                      ' | xxd
0000000: 5354 3331 3230 3032 3641 2020 2020 2020  ST3120026A      
0000010: 2020 2020 2020 2020 2020 2020 2020 2020                  
echo "0x:5354333132303032364120202020202020202020" | xxd -r # will show : 'ST3120026A      '
ST3120026A 
Key3C,83 : 4BB10DF9
Key1B : 5354333132303032364120202020202020202020 2020202020202020202020202020202020202020

So If I understood right it will be something like : Ctrl+Z :

T> F
SetStuff-> ASCI1B5354333132303032364120202020202020202020
# Stuff key 1b -> 53 54 33 31 32 30 30 32 36 41 20 20 20 20 20 20 20 20 20 20 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 
T> F
SetStuff-> ASCI834BB10DF9
# Stuff key 83 -> 4b b1 0d f9 
T> F
SetStuff-> ASCI3C4BB10DF9
#

T># 
Enter Drive S/N  5JT1GGXH
Enter Packwriter S/N 
T>W

HdParm :

sudo hdparm -i /dev/sdb

/dev/sdb:
SG_IO: bad/missing sense data, sb[]:  70 00 05 00 00 00 00 0a 00 00 00 00 24 00 00 c0 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 HDIO_GET_IDENTITY failed: Invalid argument



sudo hdparm -I /dev/sdb

/dev/sdb:
SG_IO: bad/missing sense data, sb[]:  70 00 05 00 00 00 00 0a 00 00 00 00 24 00 00 c0 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00

ATA device, with non-removable media
        Model Number:       ��ޭ ޭO�����j�3����
        Serial Number:      ����
        Firmware Revision:  ��m`�▒��
        Media Manufacturer: ����r�g����
Standards:
        Likely used: 4
Configuration:
        Logical         max     current
        cylinders       0       34818
        heads           0       65535
        sectors/track   34818   28000
        --
        bytes/track: 39376      bytes/sector: 13368
        CHS current addressable sectors: 4294934810
        Logical/Physical Sector size:           512 bytes
        device size with M = 1024*1024:     2097136 MBytes
        device size with M = 1000*1000:     2199006 MBytes (2199 GB)
        cache/buffer size  = unknown
        Nominal Media Rotation Rate: 33050
Capabilities:
        IORDY(may be)(cannot be disabled)
        Buffer size: 6653.5kB   bytes avail on r/w long: 34818
        Standby timer values: spec'd by Vendor
        R/W multiple sector transfer: Max = 0   Current = 255
        DMA: not supported
        PIO: unknown
             Cycle time: no flow control=57005ns  IORDY flow control=19968ns
                Removable Media Status Notification feature set supported
Security: 
        Master password revision code = 256
        not     supported
        not     enabled
        not     locked
        not     frozen
        not     expired: security count
        not     supported: enhanced erase
Logical Unit WWN Device Identifier: 00db000000000000
        NAA             : 0
        IEEE OUI        : 0db000
        Unique ID       : 000000000

WIP : LBA

LBAsects=234441648 ; printf "LBAsects_hex=0x%x\n" $LBAsects
LBAsects_hex=0xdf94bb0
printf "%d" 0x4BB10DF9
1269894649

MORE

alpine.txt · Last modified: 2014/09/04 22:05 (external edit)
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 3.0 Unported
Recent changes RSS feed Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki