Hard disk, he is the hard drive, not such a simple device, how can it seem at first glance. In the history of its existence, since 1956, the drives have undergone a huge number of changes. Now it is not just a plate and reading heads, but a whole system with its logic and software, and therefore, with its features and secrets. In this article, we will try to figure out what modern hard disk represents, as well as try to expand its standard opportunities for their hacker purposes.

Warning

All information is provided solely for informational purposes. Neither the editors nor the author are responsible for any possible harm caused by the materials of this article.

Electronics HDD.

The design of the hard drive to some extent is known to everyone. In essence, these are several plates that rotate at a speed of 15,000 rpm, a positioning device and a control unit of control electronics. We will add to this S.R.R.T Selfontrol system. And other intelligent attributes. In short, we won't understand without half a liter, the more the technology of individual elements is a commercial secret.

High accuracy of positioning, recording density and other intricacies of modern HDD can be devoted not one dozen articles, but we, without deepening in the mechanics of disk and physics of processes, consider the most interesting part for us - electronics.

Info.

In the old hard drive models, part of the control electronics features took on the MFM or RLL-controller of the computer. But with time, due to the high data rate, it was necessary to reduce the data transfer path, and the developers abandoned this idea.

A patient

So, in front of us a Typical Western Digital WD5000AAKX WD5000AAKX Hard Disk (Fig. 1). What we have:

1. DRAM microcircuit. Interest as such does not represent, manual can easily be found on the net. The memory of these chips ranges from 8 to 64 MB and correspond to the size of the hard disk cache.
2. Spindle engine controller. Responsible for controlling mechanics, regulates power and has some analog / digital channels. There are no manuals on the Smooth L7251 chip 3.1, but you can try to look similar to the microcircuits.
3. Flash memory. There is no microcircuit on some hard drives, but flash memory is embedded in the disk controller chip. It usually has a size ranging from 64 to 256 kb. Used to store the program from which the hard disk controller is loaded.
4. And the most curious thing for us is a hard disk controller. They produce Marvell, St, Lsi and others. Some companies producing hard drives make their own controllers, such as Samsung and Western Digital.

The hard disk controller is designed to control the transformation and data exchange operations from read / write heads to the drive interface. Unfortunately, Marvell does not want to lay out the documentation for its products in open access. Well, let's try to figure it out.

Shine deeper

Our overseas colleague Jeroen "Sprite_tm" Domburg found an interesting way out of this situation - for the research controller, he used the JTAG interface (from English. Joint Test Action Group). This interface is intended for testing and debugging printed circuit boards. That is, with JTAG, we can safely connect to the device you are interested in that supports the IEEE 1149 standard. Test port is integrated into the chip (TAP - Test Access Port), consisting of four or five conclusions: TDI, TDO, TMS, TCK and, possibly, TRST. The location of these conclusions for the Marvell controller found some dex., kindly shared results on the forum HDDGURU.

Jeroen found out that Western Digital controllers have an ARM core available through the JTAG port. As well as a serial port, which is usually not used, but can be useful for our purposes.

For the study of the hard disk controller, the FT2232H fee was used, which can be ordered online for 30 euros. It supports JTAG, communication through a serial port, as well as SPI. OpenOCD program was used to work with it.

As a result, it turned out that the microcircuits have as many as three cores. Two Feroceon, which are pretty strong ARM9-like nuclei, and Cortex-M3, which is slightly weaker. All nuclei have a different purpose:

• Feroceon 1 processes the physical read / write to the hard disk;
• Feroceon 2 is a SATA interface, cache and converts LBA in CHS;
• Cortex-M3 - Purpose is unknown. You can just stop it, but the hard disk will continue to work.

Welcome, or an extraneous entry is prohibited

Since we set ourselves the goal to use a hard drive for your insidious purposes, then it's time to think about the modernization of its firmware. The easiest and probably difficult to find a way to change the data on the fly. To do this, you need to find a suitable core - a core that has access to data traveling between the disk and the SATA cable.

For access to the kernel, you can use the DMA mode (Direct Memory Access). This is such a mode when the data exchange occurs directly from the reading head into memory, without the active participation of the processor. The same applies to the SATA port: the processor only needs to specify where the data and the DMA logic will take care of reading information directly from memory.

The source of information in this case will serve as a Winchester cache memory due to its good location: data read from the disk will be in the cache, so they can be copied directly from there.

The method is quite complicated - it is inconvenient every time to connect via JTAG and picks up in the Keshe during the hard disk operation. Instead, to save access without connecting an additional charge, you can reflash the flash memory chip, dropping and connecting to the programmer.

However, it would be difficult to upgrade the code due to an unknown compression algorithm, instead you can simply change the execution address and add a special block that will be read before. This makes the situation a little easier.

As a result of his research, Jeroen created the FWTool tool, which can reset various blocks in the flash and translate the code into a text file. Then you can change, delete or add a block and again collect all in one firmware file, which is then calmly loaded into the flash.

Change the firmware

Similar manipulations with a hard disk require considerable effort, and it is unlikely that anyone will voluntarily give their drive to hack. Therefore, it would be nice to find the way of flashing the hard drive without any extraneous devices or the removal of the chip.

Western Digital has special software utilities to work with a hard disk - these are tools working under DOS, which can load a new firmware of the controller, flash memory chips or service partition. Tools use the so-called Vendor Specific Commands (VSC), however, about it a little later.

There is also a set of tools called IDle3-Tools, which can be used to modify the hard disk firmware. It also uses VSC using Linux SCSI Passthrough IoCtls. Jeroen took this code, changed it and integrated into FWTOOL. After this modification, FWTOOL learned to read and write on the flash memory chip.

Now if a hacker can somehow be able to use the FWTOOL on a remote machine, it will be possible to reset the disk flash memory, change it and "sew" back. True, in the end, the owner finds out about hacking and, probably reinstalling the system, but the attacker can introduce something that will manifest itself after reinstalling. For example, wait until the machine reads from the / etc / shadow /, where all passwords are stored in UNIX / Linux systems, and change the contents. After that, it will be possible to just enter your password.

By the way, the described technique can serve not only for underground experiments, but also for protection purposes. For example, you can create an unconnerable hard disk that will work normally if the sector access template is usually random. If the hard drive is only available sequentially, the data will be corrupted, which will make the clone different from the original.

Info.

Terminal hard disk mode

When working in terminal mode, the user can interact with a hard disk by diagnostic commands. This method is used to diagnose and repair SEAGATE and TOSHIBA drives, in Western Digital there is such an opportunity due to the complexity of the connection. The terminal mode actually provides a complete root - control of the mechanics and logic of the device. With it, you can also update or restart the firmware of the hard drive. The list of commands for most drives can be viewed on the Internet. And on the hard disk board there is a special connector for connecting through a serial port.

To access the terminal mode, you will need an adapter device required to convert RS-232 signals to TTL levels (such adapters are available, but you can collect and yourself - all the necessary schemes are in free access, and you can take some models as the basis Arduino). We will take the finished FTDI chip that converts a USB to a serial interface for the ATMEGa microcontroller. You need to connect GND and RESET, and to connect to use RX and TX contacts.

To work with the COM port, we use any program you like - for example, Putty or Hiperterminal. Select the connection type, enter the COM port number and other settings:

Speed: 9600 Data Bits: 8 STOP BITS: 1 PARITY: NONE FLOW CONTROL: NONE

To check the performance of the circuit, you need to close RX and TX with each other. As a result, all type characters are displayed in double quantities. This is due to the fact that the data entered will be transmitted along the TX line, and then they will return along the RX line. This is done like this: turning off the SATA cable, connect the TX output of the disk with the input of the adapter Rx, and vice versa is the RX adapter with the TX disk. We connect the power. After pressing the keys , We get the T\u003e (or F\u003e invitation for defective HDD) and enter the command. To obtain a list of commands, enter / C, and then Q.

Due to the large number of teams, Seagate engineers divided their structure to levels. Commands such as reading, writing, searching, log error, available immediately at several different levels. To switch the hard drive to work at another level, you need to use the / x command.

Level T - certification tests. Level 1 - Memory Management Commands. Level 2 - Drive Mechanics Settings. Level 3 - Search teams. Level 4 - servomotor tracking commands. Level 5 - used only in factory conditions. Level 6 - Adaptive Management Commands. Level 8 - Special recording settings commands. Level 9 - Defect Control System Modes.

In addition to these nine levels, there are two more additional command sets: Network and General. The main purpose of network commands is to display changes in the current state of the system. General commands are used to access registers, buffer memory and data.

In general, the terminal regime provides many interesting features. For example, a low-level formatting command can not only carry data to the cleaner without the possibility of recovery, as well, if during formatting someone will turn off the power, the hard drive will be able to "preform" it yourself when it is turned on. In general, this is a topic worthy of a separate article. We are moving on.

Record information to HDD service sections

In any hard disk there are service sections. They are designed to store hard drives of hard drive, such as S.M.A.R.T., Early error detection modules, self-diagnosis modules, and so on. Fortunately, all this data does not occupy a dedicated place completely, and therefore, with the right approach, we can use this bonus space. Service sections should not be confused with DCO or HPA, which can be easily detected and accessible through standard ATA commands.

Unlike other methods of hiding information, recording to the service section does not reserve any traces and invisible for special search programs that law enforcement agencies enjoy. In a word, this place is ideal for storing text files with addresses, passwords, jaws and other things.

To access information from service partitions, standard ATA commands will not be suitable, instead of recording and reading are used by special VSC commands (Vendor Specific Commands). As a rule, manufacturers keep these commands secretly, but sometimes produce utilities to work with service sections - for example, the WDIDle3.exe program from Western Digital and its opening analogue of the IDle3-Tools. Another example for WD is the HDDHACKR program, changing entries in HD system sections.

Warning

Data in service sections are very important for the proper operation of the Winchester. Damage to the recorded information leads to the loss of disk performance. It will be not so easy to restore it - to overwrite data in service sections, you will need specialized programs (for example, Ace Laboratory PC3000).

The volume of the service partition depends on the model of the hard drive. For example, in the WD2500KS-00MJB0 disk of the Hawk family of 250 GB (02aec firmware) in the service section, two copies of files are written, about 6 MB each. The size of the zone on each surface is about 23 mb (64 tracks of 720 sectors on each). Since this disk has six surfaces (heads from 0 to 5), the modules of service partitions are located on the spot compared with the heads 0 and 1, and the location assigned to the heads of CO 2 to 5 is reserved, but not used. Thus, the reserved section takes about 141 MB, of which 12 MB is in use.

For comparison: the WD10EACS-00ZJB0 model, a container in terabyte and with eight surfaces, has a reserved space of 450 MB, of which 52 MB is employed. Ariel Berkman (Ariel Berkman) from Recover Information Technologies LTD wrote an article about working with HDD service departments, as well as posted a POC code for recording 94 MB of information to the Western Digital 250GB Hawk service department. This is done as follows:

• We learn your SATA IO address using LSPCI -V.
• To compile, use the GCC -Wall -O -G -G -o SA-Cover-POC SA-COVER-POC.C command.
• Create a random file (94 MB in size) and calculate its MD5-hash.
• Write the file to the service section.
• We clean the hard drive using the dd-ing / dev / zero command, which should be extended to the entire hard disk (or on a separate part, previously blocking access to the rest). It is enough to drive this code once to destroy the data is irretrievably.
• We read the contents of the service partition, calculate its hash and make sure the integrity of the data. [Email Protected]: ~ / SA # DD if \u003d / dev / urandom count \u003d 184320\u003e Random-file; MD5SUM Random-File [Email Protected]: ~ / SA # ./sa-cover-poc -p 0x0170 -w ./random-file [Email Protected]: ~ # DD if \u003d / dev / zero of \u003d / dev / sdb bs \u003d 1m [Email Protected]: ~ / SA # ./sa-cover-poc -p 0x0170 -R After-Dding-DeV-Zero [Email Protected]: ~ / SA # md5sum after-dding-dev-zero

HDD Recovery Programs

With low-level experiments, it is possible to face such a closer as a breakdown of the hard drive. It is not necessary to immediately resort to dragon measures and format the disk, you can try to restore it with the help of some programs.

1. TestDisk is the simplest and most effective program for HDD recovery. Designed to search and reconstruct lost partitions, boot sector, deleted files; Corrects partition table. Works with a large number of file systems. Works in console mode than a high speed is achieved.
2. Acronis Disk Director is a whole software package that includes a considerable number of tools to work with HDD. Contains the Acronis Recovery Expert utility, which serves to reconstruct files and sections. Unlike the previous program, it has a graphical interface, but works with fewer file systems.
3. Paragon Partition Manager - a free program from domestic developers, can almost all the same as Acronis, but terribly slow.

Conclusion

However, it is time to climb. In this article, I tried to show the uncharted corners and the capabilities of the hard disk. Without deepening in the code, we looked at the method of draining information from the drive. Even even slightly raise this curtain, a huge field opens for a fantasy flight. You can, for example, reflash the controller to hide from extraneous eyes a particularly important section. Or spoil the data when trying to clone a hard disk, configuring itself in this way from criminalistic utilities. In short, there are many options, so how to use a hard drive - a choice for you.

How to flash or HDD WD - Simple Instruction

How to flash HDD WD?

HDD is not such a simple device as it seems. From the moment of creation, they continuously evolved - if earlier it was the simplest devices, now these are very complex devices with a difficult algorithm of work, for which you can, anyway, influence. In this manual, we will look at the methods by which you can expand the functional of the hard drive. We are faced with the task - set up a drive for non-standard tasks, so it makes sense to think about flashing.

So how to flash HDD WD?

In order to gain access to the kernel, we can use the mode when the exchange of data between the device and the main memory is happening without the participation of the CPU (Direct Memory Access) - it will be necessary in order to reflash the HDD WD. The place where the service data is stored, in this case there will be a hard disk cache due to the possibility of high-speed access - the information read with HDD will be there, so it will be possible to get immediate access, and then copy it.

But the method is not easy - it is not particularly comfortable to continue to "connect" with JTAG and look for something in the cache. To simplify the process without using additional devices, it is possible to change the firmware in the flash memory microcircuit by soldering and connecting the programmer. Fortunately, there is a simpler way.

Using the FWTOL utility, you can edit the firmware file, and then upload to flash memory. The set of commands can be viewed in the manual, which is accompanied by this program.

Change the firmware HDD WD?

The above methods are not simple and require multiple televitations. For this reason, I want to find a more affordable way to flash the hard disk WD, without mechanical intervention. For HDD from Western Digital, there are software packages for solving such tasks - they work from the command line and you can reflash the controller or edit cells in flash memory. There is also a set of utilities, which is called the IDle3-Tools, with which the Flash HDD is modified, all this functionality is now available in FWTool, thanks to it, it is possible to rewrite the data on the flash memory chip.

Using the FWTOOL utility, you can edit the flash memory of the hard drive, and in time, considering information from there - there is a chance to get accounting data if the machine is running Linux / Unix. The described method can also be used in order to protect against a similar option of hacking - for this you will need to create a non-cloned HDD section with a random sector access template. In case of exceptionally serial operation when you try to access, the data will be damaged. To interact with the drive using diagnostic commands, you need to switch to the terminal mode. This mode is designed to prevent malfunctions and fix them in the hard drives of different manufacturers, but there is no similar mode in WD.

Working with HDD service partition

All hard drives have service sections. There are service programs (for example, SMART utility and other diagnostic utilities), they occupy not all space, at our disposal some part remains.

Service section - the most reliable place to store confidential information, law enforcement officers can hardly access her, so that you can store text documents with logins and passwords. To access this secret storage in HDD Western Digital, you can use the wdidle3.exe utility or alternative freely distributed IDle3-Tool.exe. There is also a HDDHACKR software package to edit records in such sections. A WARNING! Information that is present on the service section is necessary for the normal functioning of the hard disk. By destroying or damaging important data, you risk withdrawing your drive out of order, and the recovery process is not obtained from simple - the Ace Laboratory PC3000 utility is activated in it. The size of the service section for various HDD models is different, you need to have this in mind.

Probably radio amateurs and beginner masters of the electronics repairmen engaged in this for their own pleasure, not everyone has a profile education in electronics - radio mechanics, regulators, or an electronics engineer. But most of them still have any other attitude towards electrical engineering.

In my surroundings there are even electric welders involved in the minor repair of electronics, most often in the replacement of banal discontinued capacitors on motherboards and power blocks, and without having no necessary devices, nor theoretical training. Anything more seriously can put them in a dead end. Seeing this and remembering himself at this stage, years after the moment you have decided to purposefully study the electronics you see that this decision was right and knowledge in this area - the theory, closely linked to practice, will always be in demand by society. And this is a bright example.

Some time ago, I am one familiar engineer electronics engineer gave a hard disk that was not defined in the BIOS and computer hung for a minute, at the stage of defining hard drives when the computer starts. Google on the Internet, and the hard drive was Maxtor 500 GB SATA 2, found that this problem was relevant for the hard disks of the Maxtor and Seagate brands released several years ago.

HDD MacStore-Sigate

It was connected with the glitch firmware firmware of the hard disk BIOS and most of the disks of this problemary series, there were several lines, demanded a mandatory flashing otherwise at one fine moment refused to be determined in the BIOS motherboard, when the computer starts. The problem was that it is possible to flash a hard drive only when he is visible in the BIOS. Like any person who has a programmer, it first climbed to look for a firmware dump, deciding to remove the hard drive and having a special clip for flashing connected to the programmer, just roll the firmware.

Clip for flashing by the programmer

But everything was much harder here: it was impossible to take a firmware dump firmly merged with a different hard disk, even a similar model, and stupidly rewrite the binary firmware file. This method works with any other technique, such as motherboards, routers (conditionally, about the same MAC address will be silent), monitors, video cards, but not suitable for flashing hard drives. The fact is that the firmware is stored, we call them conditionally, the calibration data is data on the surface of the hard disk, Smart, BAD blocks, mechanics, etc.

PC3000 hard drive recovery complex

Therefore, reflash the hard disk undefined in the BIOS without having very expensive special equipment for diagnosing and reanimation of hard drives was unrealistic. So at the initial stage, we need our hard drive to be at least visible to BIOS. To do this, we need to remove the problem having in the environment of specialists and simply the Aytichnikov name "Fly CCC" (SS). Where did this name come from?

Message about the mistake of Fly Czc

The fact is that by connecting to the hard disk terminal using the USB-UART adapter with which we use the Putty or Hyperterminal program preset in Windows XP but not included in the Windows 7 distribution, we see the load interruption and the diagnostic message in which there are Letters "SS". The message text itself is such as on the screen above.

Putty interface

This means that you are a happy hard disk owner from this problem series. Briefly describe (in detail the process was described in the previous article), how to connect such a USB-UART converter, which is also called another USB-TTL. We must definitely connect the common land running from the USB-UART adapter and "crossing" Pins RX and TX by connecting Rx with TX, and TX with Rx. These pins are located on the back of the hard disk housing next to SATA and power connectors.

USB-TTL CH340G adapter

As already written in the last article dedicated to the use of this USB-UART adapter, for flashing, or rather controlling the process of flashing the router, we will need to correctly experimentally select the speed of Som Port, usually these speeds 33600, 57600, and 115200 baud (other speeds did not meet) console. Otherwise, if the speed is chosen incorrectly, we will see as in the case of flashing the router Krakozyabry, instead of ordinary English text.

Errors in console

So, we set up the console correctly. Rightly chosen in the terminal the required COM port.

Let me remind you that this USB-Uart adapter costs only about 40 rubles per aliexpress and may have in its composition various chips, all of them are listed in the previous article. For those who do not have the ability to purchase this adapter, there are options for connecting to the console using a DATA cable for flashing ancient phones.

Theoretically (after all, we are electronics, and not the IT, at least most of us) we can reflash the hard drive without having any adapter, having coordinated with the help of resistors RX and TX logical levels, going with the port COM, (powered with the port COM We do not recommend carrying out the port because of the risk), which is on each ancient system unit. But there is one nuance, why I do not recommend this method of novice.

USB-TTL 3.3 Volta

1. The fact is that the supply voltage from the adapter we need strictly 3.3 volts - no more and no less, and although in case of security purposes, it is not recommended to take from the adapter from the adapter, but to use native meals from the PC power supply, deviation in the quantity in the quantity is fraught with The way out of our hard disk.
2. The second important point is that the logical levels of the COM port of system units and laptops of various releases have different stresses - from 7 to 12 volts, if not mistaken, and select the value of the current-limiting resistor providing the desired voltage drop, we will have to measure the measurements by a multimeter, The obtained levels of RX and TX are, so this method is suitable only for people who know how to confidently keep the soldering iron in their hands, for all others it turns out the Council from the category of harmful.

Gromova programmer

This is the reason that everyone's favorite (and me, including) the Gromov programmer for the AVR MK, collected several years ago, refuses to work with some relatively modern motherboards and laptops, because applying the resistors of the standard nominal for this scheme we get Logic levels are too low in voltage, no longer corresponding to a logical unit for a voltage, when programming the AVR microcontrollers, and, accordingly, our programmer gives either a logical zero instead of a unit, or in general garbage that is not always correctly identified when flashing the microcontroller.

Program shell firmware code

The same thing, garbage when writing the firmware in memory of the microcontroller, we can get using long unshielded cables or wires, such as SOM or LPT for homemade programmers, or from the programmer to the microcontroller. For the same reason, when I see on video, for example, on YouTube, a wire 30-40 cm long and longer, from a similar USB-Uart adapter or self-made programmer MK AVR or Flash or EEPROM memory, then I am surprised at the technical illiteracy of people who do not understand the consequences of their actions.

Flash memory BIOS DIP-8 housing

WHO If we need to immediately flash the microcontroller AVR of any self-catering, and if we need to reflash the motherboard with a homemade programmer, the BIOS is on which it is very difficult to find on the Internet, even on specialized sites - we can lose a chance to restore our motherboard with your native firmware, if Found dump for some reason is not suitable.

Error verification MK

In this case, you must complete the verification of the stored dump with the firmware in the microcircuit's memory, although if you are written, the garbage is read, it is likely to be errors, even with a properly saved dump. In general, it is better to prevent. In the case of if in our terminal, incomprehensible symbols pop up, this is just a reason to think about what the connecting wires are needed.

Long Wires from USB-TTL Adapter

Anyone, already having a previously dealing with microcontrollers or reflashing the BIOS before any technique, any Chinese programmer will say: 30 cm is approximately the standard length of the loop of the programmer to the microcontroller. The fact is that in such factory loops, if you noticed, there is always more lives than the pins on the programmer's block. This is due to the fact that each signal core has parallel with it going down the "earth" wire.

Differences of IDE loops

This is a professional solution used in the computer technician (remember at least IDE loops, 40 and 80 lived, Ata 33, and AtT 66-100 and having the same number of 40 contacts) and any other, where interference is unacceptable, and allows you to use longer loops and wires With no shielding. So, now when we deviate from the topic of the article disassembled all these nuances, let us back again to our topic - the process of removing the Fly Czc.

USB-UART connection

Just seeing both schoolchildren and even more adult people, teach the masses in the video on YouTube and in the articles to work incorrectly with the flashing chip flashing - I allowed my deviation from the topic. So, you have a hard drive with a definition problem in the BIOS: MAXTOR or Seagate, hard disks of other manufacturers such problems do not seem to have.

Hard disk - work in the console

You need to first type the list of models of problem hard drives, and they are not so much, if your hard disk is included in their number - you need to go to the official website of the manufacturer and the serial number of the hard disk is finally ensured that this is your case, And the problem is not related to any other software and hardware breakdown. The second stage should be confirmed in the terminal after connecting the USB-UART adapter and power supply to the Winchester appearance of an inscription with the letter "SS".

Connecting an adapter when flashing

Then it will be necessary to google, depending on your model of the hard drive and the manufacturer, which manipulations should be made with a hard disk in order to get the ability to type text in the console. As far as I remember, there are only three or four options. To do this, we first need to stop the hard disk engine. How can I do that?

Closure points on the hard drive board

For each subspecies of problem hard drives there are their ways, in my case it was necessary to close two small five, contact pads on the board, in another case, it may be necessary to slip a piece of office paper for contacts going from the control board on the engine (not glossy (!), To avoid closure).

Winchester model prone to Fly Cz

After that, it was necessary to type a specific text in the console. Having tried to close these pyataks, in my case, Introduces, I realized that this is a dead number and I still have to be fired to the pyataks with a thin wire MGTF. This wire knocked down the node and glued to the hard drive to the free from the contacts, the place of the thermoclayer. Because restoring these small five-acts - this is another problem, and it was possible to tear them very easily, making one awkward movement in a hurry. To the wires of MGTF, soldered to the pyataks, connected jumpers - jumpers "Dad" and "Mom" used in the design of Arduino. Then it remained only to wait for the desired moment after switching on and closed our jumpers to stop the engine.

Jumpers Arduino for adapter

Everything, typing text in the console has become possible, the floor of the case is done. Then I found a certain sequence of commands on a specialized site, which one after another needed to be entered in the terminal. Nothing difficult did not represent this - the only thing that this sequence was a bit different for each subspecies of the platforms. At the end of the article, I will give a full text from the article from the article on which teams were gained, limiting it with a brief description of the recovery process, in general terms.

List of Winchesters prone to Fly Cz

So, we have gained a certain sequence of teams and finally received a message that the hard drive came to normal, then turn off the power, open our jumper, which can be replaced in principle, with any switch, toggle switch, or a fixation button, or at worst, just quickly twice End of MGTF wires. All, now we removed the Fly Czc.

Tsz fly on the screw

Now our hard drive must already be visible in the BIOS motherboard. What are we convincing, with the sinking of the heart) - were our works were not wondered? Turn on the PC, the hard disk is defined in the BIOS, in my case the loading further boota request did not go, it is understandable - the differences in the PC hardware, it should have been. For the sake of interest loaded from my hard disk, there seems to be even a password on Windows and all the files were visible, although when there is a desire, it does not even become a problem, connecting the reanimated tight second and climbed the strange files, nothing valuable for yourself, however, not found.

Winchester Firmware from Disk Image

But this is another floor of the case, the Winchester is still on the verge of risk, as it has an old firmware, a problem, and at any moment everything can repeat. But now he is visible to the BIOS and alter it will not be difficult, looking for a disk image with a firmware on which there will no longer be similar problems released by a specially producer. You can take it on the official website or specialized forums.

Victoria - choose Reym

Turn on the boot from the CD-ROM in the BIOS and selecting the desired model from the list, and all other hard drives, to avoid errors, it is better to disable disconnecting the loop, click: flash our hard drive. And here it is waiting for another possible problem - after flashing the smart hard disk, it will be clean, which means that we do not record when working hard disk, files for non-marked sectors with possible BAD blocks, failed sectors, we need to boot from the disk image with the Victoria program or similar, and choose in it scanning and advanced Remap.

Trouble blocks when scanning a disc Victoria

In this way, we will receive an idea of \u200b\u200bthe surface and state of the mechanics of our hard disk, in my case it was big lucky, there was not only a single failure sector, there was not even a single slow sector - the surface was almost ideal. Here, as written on the forums in the topics of the restoration of Winchesters, it sometimes expects a very unpleasant surprise, after flashing in a small percentage of cases a lot of blocks of blocks, failed sectors appear, but in my case lucky.

Renovated Macstore 500 GB

Now I have a second hard drive of 500 GB, which risked and installed the system, has passed for quite a long time and the problems in work is not noticed. This Winchester for the speed record \\ reading is much surpassed by the new in 2011 with a computer with a computer with a 250 GB hard drive, also seagate, but fortunately not from the problem line. The cost of this hard disk, repaired b \\ y, on the forum of our city is about 1000-1200 rubles, depending on the state of the surface and brand, and even wishing to buy it with me, but I want to say it: such a cow is needed :)

Let's summarize the work done

This case proves that the repair of electronics is not boring and difficult, or is available only to specialists - professionals, in the area of \u200b\u200brepair or recovery of information, but on the contrary, it is possible to independently make each nicely neat radio amateur or home master, who knows how to combine pleasant with useful. The archive with the source of the article on which you restored your hard drive you can download here. All successful repairs! Especially for the portal - AKV.

Discuss an article by flashing BIOS Winchester HDD

Converter

The converter can be bought (there is a USB-TTL and COM-TTL on sale) or make it yourself (I give several schemes below).

For those who have Arduino: connect GND. and Reset.Using contacts RX and TX..

To check the scheme you can close RX and TX.- As a result, everything we introduce should return.

Connection

Connect RX and TX.As in the figure below, we turn off the SATA cable, connect the power.

To work with the COM port, I used Putty, your favorite program will also perfectly cope with the task. So, open Putty, choose the connection type SerialIntroduce the port and other settings:

Speed.	38400
Data Bits.	8
Stop Bits.	1
Parity.	None
Flow Control	None

Open the terminal window, click Ctrl + Z. And we see the invitation:
F3 T\u003e
To see the list of commands and the description to them for your hard disk, you must enter / C., and then Q..

Restoration

It's time to start recovery.

Important: Observe the register when entering the teams!

1. We turn to level 1 by typing /1
2. Clean S.m.a.r.t. Team N1.
3. Turn off the power and wait when the engine stops (~ 10 seconds)
4. Turn on the power and press again Ctrl + Z.
5. Clean the List of Bad Blocks: We enter i4,1,22
6. We repeat the paragraphs 3-4
7. We enter in the console: m0,2,2,0,0,0,0,22. (for hard disks "Made in China" - m0,2,2,22.)
8. Go to level 2: /2
9. Stop the engine: enter Z.
10. Turn off the power

After all manipulations, the hard drive was determined in the BIOS. In order not to encounter a problem again, update according to the hard drive. This procedure is quite simple: a boot image is downloaded from the manufacturer's site, which is recorded on the blank. Next - download and update firmware in step-by-step mode, just follow the instructions on the screen.

Now I described the situation when everything works, as it should, but it turns out rarely. In the process of recovery, there were several difficulties with which I am sure you will also have to face. Therefore, everyone has anything from anyone, look for a solution in the last section of this article.

About what remains behind the scenes

Since this article is the result of its own experiments based on various materials on the restoration of HDD, then I will describe the problems faced by itself.

Problem	Decision
Noise in console	Connect contact GND. To "Earth" on the power supply. I used the key from the power key. Also pull the jumper SATA I. From the hard disk.
On the screen after clicking Ctrl + Z. Nothing appears	Most likely are incorrectly connected RX and TX..
When you first turn on, LED error appears: 000000CC FADDR: 0025BF67 or LED: 000000CC FADDR: 0024A7E5	First, let's try to turn off the heads. To do this, we unscrew the board (at the same time you can clean the contact with the Eraser: I had a lot of dirt there), we put the insulator (paper, tape, etc.) to the contacts leading to the heads, and feed the board (not all screws, and So that there is meals on the motor). Turn on the power, click Ctrl + Z.Introduce /2 , later Z.. We are waiting for a successful stop message. Spin Down Complete Elapsed Time 0.138 MSECS without turning off the power, unscrew the board, reach our insulator and screw back the board, enter the engine start command: U.. If you did not help the disconnection method, you need to close the contacts on the board with a sharp tweezers or thin wiring. In the photo (available on the links below) shows the point of closure on different hard drives.

ARTEM MAKAROV AKA ROBIN

09.11.2013

Another difficult problem with Sigates, which was able to solve with the help of the so-called HDD Seagate firmware (Loading the microcode on the interface).

This time - a laptop HDD ST9500325As when power is applied to a rumor is recalled, hanging in BUSY, the diagnostic port gives only:

RST 0x08m

And that's it. The terminal functional after the start is not, as the disc hangs. Before me, the disk was elsewhere, where he changed the head of the heads (usually so always, if they do not understand what the hard drive is not so, immediately change the heads - just in case). Of course, in the recovery of user files, the replacement of goals of reading \\ records in this situation did not help and the disk brought to the Hardmaster to SC.

The terminal functionality on this line of drives is laid by the manufacturer in the ROM code, turns on after power supply to the interface. It looks like this here here:

RST 0x08m RW CMD 002F REQ \u003d 18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 18 F0 9F E5 00 00 A0 E1 OPTS \u003d 00000000 RW ERR \u003d 84150180 ASCII DIAG MODE F3 T\u003e

Those. Positioning error for servometers, stopping the spindle engine and readiness in registers readily respond to terminal requests. In such a position, you can promote the engine to promote the engine, lift from the DIAG OVL surface and read all the modules described by ID, as well as all the modules described in System Volume. All modules were considered without mistakes, and at first glance did not contain anything crazy, which could lead to the hang of the drive at a regular start.

Immediately there was a suspicion of failure in the broadcast tables, but the attempted recalculation led to such a result:

Max WR Retries \u003d 00, Max RD Retries \u003d 00, Max ECC T-LEVEL \u003d 14, Max Certify Rewrite Retries \u003d 2DF8 DIAGERROR 0000500D User Partition Format Failed - Elapsed Time 0 MINS 00 SECS R / W SENSE 00000002, R / W ERROR 843200A2 , File Error 00000000 BLK ADDR AD6F0001, BLK ADDR TYPE D0, CYL FFFF0000, HD EC

Those. Ended with a mistake. After some thought, the solution was made cardinal. Given that all necessary parts of the official information were successfully reserved, I decided to fully format the official area. Having received at the end of the process:

System Partition Format Successful - Elapsed Time 2 MINS 00 SECS

i shook meals, and the disc was ready with the "empty" passport. In such a position, any read-to-write operation of the service information leads to a report on the negotiability to the process, due to the lack of "extended" teams in the "Basic" microcode of the ROM.

Unable to Load Diag Cmd Processor Overlay

In order to obtain the full functionality in such a situation, it is required to record overlences to the surface so that the disc believes them. And in order to be able to record on the surface, the disk should read them earlier. Vicious circle. How to find a way out of such a situation?

Option, given that, in a formatted service, the disk is ready to read the interface, one - using the id92h command to download to HDD Loader, i.e. The microcode package containing the required overlays, and thereby, as they say, reflash the seagate hard drive.

After this operation, the translator translated successfully

Max WR Retries \u003d 00, Max Rd Retries \u003d 00, Max ECC T-LEVEL \u003d 14, Max Certify Rewrite Retries \u003d 2DF8 User Partition Format Successful - Elapsed Time 0 MINS 00 SECS

And, the final barcode is a recording of a previously saved translator (ID2BH). After the power recipiency, the disk issued the usual:

RST 0x08m (P) SATA Reset

and full access to all LBA described in the passport. If before the disk came to me, the inquisitive handles would not get into Hermonon, then using the manipulation described above, it would be possible to repair a hard disk with the preservation of information.