HDD Firmware ?
I was researching earlier about HDDs and data recovery when I found several programs made by some Russian companies for data recovery and firmware replacement. Then I decided to look at one of the FW packages, most specifically for the Maxtor Romulus drive (4D040H2 - Diamond MAX 540D) as it's one of the drives SCEI used on PlayStations. I found this data on its ROM image:
0001F100 0A02 06E8 2606 A25B 1000 B1FF 1212 C417 8D71 1D30 BFFF BAFD 2002 5343 4557 7269 ....&..[.........q.0.... .SCEWri
0001F120 7465 4944 3A20 4661 696C 6564 0000 5343 4552 6561 6449 4400 0000 5343 4552 6561 teID: Failed..SCEReadID...SCERea
0001F140 6449 443A 2046 6169 6C65 6400 0000 5343 4557 7269 7465 4944 0000 5343 4557 7269 dID: Failed...SCEWriteID..SCEWri
0001F160 7465 4944 3A20 4661 696C 6564 0000 5343 4549 6465 6E74 6966 7944 7269 7665 4944 teID: Failed..SCEIdentifyDriveID
0001F180 0000 5343 4549 6465 6E74 6966 7944 7269 7665 4944 3A20 4661 696C 6564 0000 5343 ..SCEIdentifyDriveID: Failed..SC
0001F1A0 4549 6E73 7461 6C6C 4465 7649 4400 5343 4549 6E73 7461 6C6C 4465 7649 443A 2046 EInstallDevID.SCEInstallDevID: F
0001F1C0 6169 6C65 6400 5343 454C 6F63 6B49 6E73 7461 6C6C 4465 7649 4400 0000 0000 0000 ailed.SCELockInstallDevID.......
A hard disk contains firmware on both board and disk so having this firmware flashed to the drive logic board is not enough to make a PS2 accept it as a legitimate SCE drive. But I thought this data was un-dumpable ... lol
Is there anything known about this? I don't think regular 4D040H2 drives have that data on their ROMs. Also, is there any interest in this subject? It's just curiosity on my part, here ...
I'd think it only helps people who use exploits or basic modchips rather than anyone with a Matrix, Modbo, CC, DMS4 due to the fact that these chips have ATAD patching. It's very interesting though, I as well didn't think you could even do that.
I'd like to mention that now, after a little bit of research I'm capable of duplicating SCEI hard drive firmware and fingerprints ... lol
I have a stock Maxtor ROMULUS (4D040H2) as an identical clone of my 10k HDD.
It was way TOO EASY to hack this ... ; ;
I didn't try to figure out their fingerprint (DNAS ID) yet as I don't think doing this is very useful. I don't want or need to make thousands of copies of the drive anyway ... lol
Now if my PS2 HDD blows I won't be too angry as I'll be able to clone it over and over lol ...
Great news, you should post a tutorial as this might prove valuable to some people.
I would be one of those people interested in a tutorial. Besides the obvious use for Final Fantasy, I could also use the "hacked official" HDD for games like Street Fighter Alpha Anthology (Jap) that have support for caching the entire game to the HDD, or new map storage for the SOCOM games.
Thanks for figuring this stuff out!
Where XX is the Serial no. as shown on the drive sticker (SCEI serial number, not actual drive manufacturer serial. It's 32-bit signed) and YY area seems to be authentication data. I have no idea if it's unique, per drive.
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
00000000 53 6F 6E 79 20 43 6F 6D 70 75 74 65 72 20 45 6E Sony Computer En
00000010 74 65 72 74 61 69 6E 6D 65 6E 74 20 49 6E 63 2E tertainment Inc.
00000020 53 43 50 48 2D 32 30 34 30 30 00 00 00 00 00 00 SCPH-20400......
00000030 20 20 34 30 00 00 00 00 00 00 00 00 00 00 00 00 40............
00000040 XX XX XX XX 00 00 0D 01 02 20 00 00 01 03 11 01 XXXX..... ......
00000050 YY YY YY YY YY YY YY YY YY YY YY YY YY YY YY YY YYYYYYYYYYYYYYYY
00000060 YY YY YY YY YY YY YY YY YY YY YY YY YY YY YY YY YYYYYYYYYYYYYYYY
00000070 YY YY YY YY YY YY YY YY YY YY YY YY YY YY YY YY YYYYYYYYYYYYYYYY
As for putting a tuto together on how to perform this hack, I'm afraid it's going to be tough because I had to dig up a certain Russian commercial tool used for drive repair and data recovery, my own original SCEI drive (has unique data which can be used to track me down so I won't post its firmware) and there's a lot of room for user mistakes which can turn the "victim/guinea pig" HDD into a nifty door stop.
I will post the details regarding the 4D040H2 drive on this thread once I get back home from work.
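
The layout in the dump above, as an added example (not part of the original post or of any tool it mentions): a read-only parser that splits such a 128-byte block into its visible fields when examining a dump. The field names, the little-endian default for the serial and the sample XX/YY values are assumptions; the post states only that the serial is 32-bit signed.

```python
import struct

BLOCK_LEN = 0x80
# (offset, length) pairs read off the dump; the field names are this example's labels.
VENDOR, MODEL, TEXT_30 = (0x00, 0x20), (0x20, 0x10), (0x30, 0x10)
SERIAL_OFF = 0x40
FIXED = (0x44, 0x0C)   # the 12 bytes that follow the serial in the dump
AUTH = (0x50, 0x30)    # the YY area


def _cut(block, field):
    off, length = field
    return block[off:off + length]


def _text(block, field):
    raw = _cut(block, field).split(b"\x00", 1)[0]
    return raw.decode("ascii", "replace").strip()


def parse_id_block(block, byteorder="<"):
    """Split a 128-byte block into the fields visible in the dump."""
    if len(block) != BLOCK_LEN:
        raise ValueError(f"expected {BLOCK_LEN} bytes, got {len(block)}")
    # Assumption: little-endian by default; the post gives only "32-bit signed".
    (serial,) = struct.unpack_from(byteorder + "i", block, SERIAL_OFF)
    auth = _cut(block, AUTH)
    return {
        "vendor": _text(block, VENDOR),
        "model": _text(block, MODEL),
        "text_30": _text(block, TEXT_30),
        "serial": serial,
        "fixed": _cut(block, FIXED).hex(),
        "auth_blank": len(set(auth)) == 1,  # one repeated byte: erased or never filled in
    }


def build_sample(serial, auth):
    """Constructed test block: visible bytes from the dump, made-up XX and YY values."""
    block = b"Sony Computer Entertainment Inc."
    block += b"SCPH-20400".ljust(16, b"\x00") + b"  40".ljust(16, b"\x00")
    block += struct.pack("<i", serial) + bytes.fromhex("00000d010220000001031101")
    return block + auth


if __name__ == "__main__":
    print(parse_id_block(build_sample(-12345, bytes(range(48)))))
```
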
This is interesting, now if only I had the space to backup one of my Sony's official HDD...
It's sounding much more like a lie if you don't want to let out the extra; at least release the image or whatsoever you call it.
But I do smell a lie.
Well, that's kinda useful.
But what would be really nice is to get this working on a 120 gig drive. :)
I won't leak my firmware as it has my serial number in it but I can tell you how to hack a Maxtor drive if you feel like copying this. I'll explain here how the HDD works so you understand how and why the hack works.
Originally Posted by jetlee
A HDD is composed of two large parts:
The PCB (Printed Circuit Board) and a HDA (Head and Disk Assembly).
The PCB is designed to fit on different kinds of HDAs which are what really vary on all HDDs of the same family. In the case of the Sony HDD we have a stock HDA with a PCB from another family of drives. It's the same PCB as the stock model 80 gig in the "Romulus" family.
Since the board is designed to work with several different HDAs it seems logical to store the major chunk of the firmware on the HDA itself and have the FW loaded to the PCB RAM on power on. So on the PCB CPU there's just a basic bootloader.
With special software and custom vendor commands one can rewrite FW, perform "translator repair/restoration", real low level format, rebuilding tracks and recovering bad blocks caused by media corruption (power off during a sector write) etc etc ...
What I did was connect the Sony drive to a PC with the Russian program and dump its FW. Then I dumped the FW on the retail drive.
After I had both FWs I had a good look at them. Since the CPU on the Sony drive has a different loader program in its internal ROM (but is the same processor) I decided to put it on the stock HDD and upload the Sony FW to it.
Obviously it worked. There was no reason for it to not work but it was just a mirror copy of my own HDD. Then I wrote back the media specific data from the stock drive and a part of its original FW. I kept the loader and kernel of the Sony FW on it and returned the boards to the respective drives (undo swap). To my surprise both drives were now being detected as valid by a non modded PS2.
Basically I could not overwrite the FW on the stock drive with its original board due to loader code. I bet it's a protection on the FW loader, but I easily bypassed that by using the Sony drive PCB to perform the mod.
The funny thing is that the PCB used on the Sony drive seems to be stock on another model of HDD.
All the information about the Russian program was available on Google.
The company who makes the program is called Ace Laboratories.
The program is called "PC3000" and is used mostly for HDD data recovery and as aid for computer forensics work.
It can make a damaged HDD spin even if it has a broken head...