Posted 2014-2-17 23:13:32
Some days ago, I wanted to start a project on modding HDD firmware code. After googling for a while, I quickly learned that technical information on this subject is VERY scarce. I found this site and forum. It contains SOME info, but still, this board too is clouded with a lot of mist. Of course, I can understand why: info is scarce and you'll need to do a LOT of work and spend a LOT of time to learn new things. However, it frustrates me to a certain extent that everybody has to go through a lot of work and trouble to 're-invent' the wheel and then lets others struggle too, to reinvent the wheel AGAIN. It's almost like a child abuser who was abused by their own parents and is now inflicting on their child the same pain that they experienced themselves. :)
So, in other words, here's the summary of the things I learned. If you're a complete newbie, you can now obtain this 'newbie' knowledge in a few minutes, instead of spending a few full days researching yourself, like I did. :) So, enjoy!
* NEWBIE HDD INFO*
Modern hard disks feature an area that contains information that the CPU on the HDD logic board uses to operate the drive. That area is called the "system area" ("SA"). This area contains, for example, the drive 'microcode' (a.k.a. firmware), HDD configuration tables, defect sector tables, SMART information, security info (drive passwords etc.), disk ID info (serial number etc.) and more. These categories of information are called 'modules'. So the SA contains a module for the firmware code, a module for the SMART info, etc.
The SA is stored on 'negative cylinders' of the HDD and therefore is not accessible by normal read commands. However, the area can be accessed with other ATA commands. An example of a (more or less) 'standard' ATA command that can access info in the SA is the 'download microcode' ATA command, which can be used to update information in the firmware code module. However, most of the commands that can be used to access the SA are vendor specific. Since vendors (obviously) don't want users to mess around with the SA, these commands are generally not made public. However, these commands can be deduced by, for example, reverse engineering the firmware code itself.
This reverse engineering has been done and has led to the development of tools that can issue these (vendor-specific) ATA commands and can read/write almost all sectors in the SA. One example of such a tool is PC3000 ('PC3K'). A tool like this contains, per HDD model, tables of these vendor-specific ATA commands, and also tables of the sector numbers at which the different modules are stored, again per HDD model. SA sector numbers are counted in "UBAs". For example, one specific HDD might use UBA 4 to store the 'DISK ID' module, where another HDD model might use another sector for this module.
So in short, to create a tool that can read/write data in the SA, you need to:
A) know (and understand) the (vendor-) specific ATA commands that can be used to access this area and
B) know on which UBA sector the specific modules are stored.
If a drive has damaged data in the SA, for example in the firmware code module, it might become unusable. To repair these disks, the HDD can be switched to a so-called 'safe mode' by setting specific jumpers on the drive. If the drive is operating in safe mode, it bypasses its own firmware. Instead, it wants the user to upload firmware to its RAM. If the user uploads a correct 'temporary' firmware to RAM, it starts executing that firmware. Once this uploaded RAM code (the 'loader') is running, the user can then start to issue ATA commands to the drive to modify the damaged modules.
Firmware files that you can find on a site like this contain a lot of files. First, there is the 'loader' file (*.LDR). This file is the 'temporary' firmware code that is uploaded to RAM (so it is not written to disk). Then, there are a lot of '*.RPM' files. These files represent the different modules, which can be written to the SA. The filenames consist of 8 digits. The first 4 digits specify the (hex) UBA and the second 4 digits represent the hexadecimal module size in sectors (each sector normally contains 512 bytes, so for example, if a filename ends in 0002, then that module is 1024 bytes long). So, in short, after uploading the loader to RAM, the user can start replacing damaged modules by overwriting them with correct ones.
BTW, please note that the term 'firmware' for the packages on this site is semantically not very well chosen, since these packages contain all the modules needed to repair a HDD and not just the firmware (= code) module.
Anyway, if you're looking for a specific firmware module, you can do 3 things:
1) rip the firmware modules from the SA of an identical HDD or
2) get these modules from a friend (or for example, from the files section on this site) or
3) use a firmware updater program from the vendor.
About this last option: firmware updates from vendors are pretty rare, since firmware code almost never needs to be replaced. However, Maxtor, for example, had some problems with the firmware code on some Diamondmax HDD models, so they issued a firmware update. This update consists of 2 files:
1) the executable file that issues the ATA 'download microcode' command to upload the firmware files to the HDD, and
2) the firmware code, consisting of the 'main' firmware code and 'overlay' code modules.
Firmware 'overlay' code consists of specific code functions. Why not just put all firmware code into one section? Well, since the RAM in the drive is a limited resource, they've put some code into 'overlay files', so that this specific code can be swapped into RAM when that specific function is needed. When the function is not needed, it can be swapped out of RAM and some other function can be swapped in again.
The firmware update files from Maxtor (I think the same goes for the other vendors) are not scrambled/encrypted/packed in any way. In fact, you can find the exact same code in these files as in the '*.RPM' files that PC3K produces, for example.
Maxtor distributes their firmware file in a so-called '.DMC' file. This DMC file is a package of 4 files: a '.bxx' file, a '.cxx' file, a '.bbr' file and a '.cbr' file. As I mentioned, this DMC container is not packed or scrambled in any way. You can just cut the files out of it. The first 0x150 bytes of this file are the header. This header contains the four filenames, the offsets (in bytes within the package) at which these files can be found, the lengths of the files and a checksum (not 100% sure about the checksum though). The '.bxx' file is the biggest file and contains the overlay modules. You can find all code overlay modules by looking for 'MO' in the file. Right after this 2-byte string, you'll find the hexadecimal overlay module ID. The '.bbr' file contains the main firmware code. The last 2 files are very small; I'm not sure what they contain, probably some checksums for the firmware and overlay modules.
As said, the firmware code and overlay modules can of course also be found in the '*.RPM' files, since these represent the firmware code on disk. So, you can look through these RPM files and scan for the 'MO' string to find any specific overlay module.
So, in short, if a vendor has released a firmware uploader tool (most vendors have), BUT hasn't released a firmware file for your specific drive type, you could create your own firmware if you have the dumped modules (for example, obtained from this site). You could rip the main code and overlay modules and paste them into an existing DMC package. However, since I don't know the checksum calculation and the meaning of these .cxx and .cbr files (probably checksums), you'd have to do more research, but in theory it would be possible to create your own firmware files and flash them to disk with such a standard vendor program, so you wouldn't need to buy an expensive tool like PC3000 (at least not if your sole goal was to upload a new firmware).
Of course, you could also create your own flasher program instead of using the one supplied by the vendor. However, since vendors use specific versions of the 'download microcode' ATA command, you'd have to do research into this.
Furthermore, you could create a program that does EVERYTHING that a tool like PC3000 does. However, as pointed out, you'll need very detailed information on the vendor-specific ATA commands and the structure of the SA for that specific drive type, and since this info is not made public by anyone, this means a LOT of work. "But hey, the PC3000 tool features a special hardware PCI card!" Yes, but as you'll understand by now, you can think of that card as nothing more than a copy protection. They could perfectly well have created the tool without it, but I guess they would have sold quite a few copies less. :) So you really can't blame them for it; in fact, I think it's quite a smart move to stop piracy.
So, in short, if you want to mess around with the SA, you have 2 options: invest a lot of time and energy into learning, or simply empty your pockets and buy a tool like PC3000.
I hope you enjoyed this information and, if appreciated, I might write another document with a summary of my future research and findings. :)
Aimtrading.
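As an added example (editor's code, not part of Aimtrading's post and not PC3000 or Maxtor code), here are the two file conventions the post describes turned into small checks in Python: decoding PC3K-style *.RPM names into UBA and length, flagging modules whose sector ranges collide before anything is written back to the SA, and scanning a dump for the 'MO' overlay markers. The post only says a hexadecimal overlay ID follows the 2-byte marker, so this code assumes the ID is the single byte right after 'MO'; the sample blob, and names such as parse_rpm_name and SAMPLE_BLOB, are constructed for the example.

```python
"""Helpers for the PC3K-style module naming and the 'MO' overlay marker
described in the post.  Added example code; assumptions are marked."""
import os
import re
from typing import Dict, List, Tuple

SECTOR_SIZE = 512  # the post: "each sector normally contains 512 bytes"

# Module file name: 8 hex digits, e.g. "00040002.RPM"
#   first 4  -> UBA (start sector inside the system area)
#   second 4 -> module length in sectors
_RPM_NAME = re.compile(r"^([0-9A-Fa-f]{4})([0-9A-Fa-f]{4})\.rpm$", re.IGNORECASE)


def parse_rpm_name(filename: str) -> Dict[str, int]:
    """Decode a module file name into UBA, sector count and byte length."""
    m = _RPM_NAME.match(os.path.basename(filename))
    if not m:
        raise ValueError(f"not a PC3K-style module name: {filename!r}")
    uba = int(m.group(1), 16)
    sectors = int(m.group(2), 16)
    return {"uba": uba, "sectors": sectors, "bytes": sectors * SECTOR_SIZE}


def check_rpm_size(filename: str, actual_size: int) -> bool:
    """True when a module file's byte length matches what its name promises.

    Run this before writing a module back to the SA: a truncated or
    mis-named dump would be written over the wrong number of sectors."""
    return parse_rpm_name(filename)["bytes"] == actual_size


def overlapping_modules(filenames: List[str]) -> List[Tuple[str, str]]:
    """Report pairs of module files whose UBA ranges intersect.

    Two modules claiming the same system-area sectors cannot both be right;
    catching that from the names alone costs nothing."""
    spans = sorted(
        (parse_rpm_name(f)["uba"], parse_rpm_name(f)["sectors"], f) for f in filenames
    )
    clashes: List[Tuple[str, str]] = []
    prev_name, prev_end = "", -1
    for start, length, name in spans:
        if start < prev_end:
            clashes.append((prev_name, name))
        if start + length > prev_end:
            prev_name, prev_end = name, start + length
    return clashes


def find_overlays(blob: bytes) -> List[Tuple[int, int]]:
    """Locate overlay modules by the 'MO' marker the post describes.

    Returns (offset_of_marker, overlay_id).  ASSUMPTION: the single byte
    after the 2-byte marker is taken as the overlay ID.  In a real dump
    'MO' can also occur inside ordinary code or data, so treat hits as
    candidates and confirm them against a known module list."""
    hits: List[Tuple[int, int]] = []
    pos = blob.find(b"MO")
    while pos != -1 and pos + 2 < len(blob):
        hits.append((pos, blob[pos + 2]))
        pos = blob.find(b"MO", pos + 1)
    return hits


# Constructed sample: a fake module dump with two overlay markers and
# filler bytes.  Not a real Maxtor image.
SAMPLE_BLOB = (
    b"\x00" * 16
    + b"MO\x03" + b"\x90" * 8   # overlay ID 0x03, marker at offset 16
    + b"\xff" * 5
    + b"MO\x1a" + b"\x90" * 8   # overlay ID 0x1A, marker at offset 32
)


if __name__ == "__main__":
    print(parse_rpm_name("00040002.RPM"))            # UBA 4, 2 sectors, 1024 bytes
    print(check_rpm_size("00040002.RPM", 1024))      # True
    print(overlapping_modules(["00040002.RPM", "00050001.RPM", "000A0003.RPM"]))
    for off, oid in find_overlays(SAMPLE_BLOB):
        print(f"overlay 0x{oid:02X} at offset 0x{off:X}")
```

Point the same functions at a directory listing of real *.RPM dumps (os.path.getsize for check_rpm_size) and at the bytes of a '.bxx' or RPM file for find_overlays; the UBA arithmetic is exactly the post's rule, while the overlay-ID width is the one assumption to verify against your own dumps.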