Locking Hdd With Usb-(s)ata Adapter.


42 replies to this topic

#1 ldotsfan


Posted 15 April 2011 - 04:26 PM

For a long time, I believed it was impossible to lock and unlock the xbox hdd with a USB-(S)ATA adapter. But apparently somebody has done it with a JMicron chipset, and it is also supported in the Cypress chipset.

p-eak's comment on honzaf's patch to hdparm revealed he did a security erase which is indicative of use of the ATA security features. I did some work on incorporating hdparm stuff into hdtool - I am hoping I can recall enough of that stuff and use honzaf's patch in hdtool.

This requires further investigation. It will open up another avenue of doing hdd upgrades if successful as hdtool is the key component in xboxhdm2.X hdd lock/unlocking.

#2 spliff721


Posted 15 April 2011 - 05:08 PM

Appreciate your efforts. Let me know if you need any help testing.

#3 ldotsfan


Posted 16 April 2011 - 05:21 AM

I just locked a sata hdd over JMicron usb/sata adapter with a patched hdparm 9.35.

CODE

# ./hdparm --security-set-pass password /dev/sdc
# ./hdparm -I /dev/sdc

/dev/sdc:

ATA device, with non-removable media
    Model Number:       Hitachi XXXXXXXXXXXXXXXXXX                
    Serial Number:      XXXXXXXXXXXXXXXXX
    Firmware Revision:  V54OA7EA
Standards:
    Used: ATA/ATAPI-7 T13 1532D revision 1
    Supported: 7 6 5 4 & some of 8
Configuration:
    Logical        max    current
    cylinders    16383    16383
    heads        16    16
    sectors/track    63    63
    --
    CHS current addressable sectors:   16514064
    LBA    user addressable sectors:  268435455
    LBA48  user addressable sectors:  625142448
    Logical/Physical Sector size:           512 bytes
    device size with M = 1024*1024:      305245 MBytes
    device size with M = 1000*1000:      320072 MBytes (320 GB)
    cache/buffer size  = 15315 KBytes (type=DualPortCache)
Capabilities:
    LBA, IORDY(can be disabled)
    Queue depth: 32
    Standby timer values: spec'd by Standard, no device specific minimum
    R/W multiple sector transfer: Max = 16    Current = 0
    Advanced power management level: disabled
    Recommended acoustic management value: 128, current value: 128
    DMA: mdma0 mdma1 mdma2 udma0 udma1 udma2 udma3 *udma4 udma5 udma6
         Cycle time: min=120ns recommended=120ns
    PIO: pio0 pio1 pio2 pio3 pio4
         Cycle time: no flow control=120ns  IORDY flow control=120ns
Commands/features:
    Enabled    Supported:
            SMART feature set
       *    Security Mode feature set
       *    Power Management feature set
       *    Write cache
       *    Look-ahead
       *    Host Protected Area feature set
       *    WRITE_BUFFER command
       *    READ_BUFFER command
       *    DOWNLOAD_MICROCODE
            Advanced Power Management feature set
            Power-Up In Standby feature set
            SET_FEATURES required to spinup after power up
            Address Offset Reserved Area Boot
            SET_MAX security extension
       *    Automatic Acoustic Management feature set
       *    48-bit Address feature set
       *    Device Configuration Overlay feature set
       *    Mandatory FLUSH_CACHE
       *    FLUSH_CACHE_EXT
       *    SMART error logging
       *    SMART self-test
            Media Card Pass-Through
       *    General Purpose Logging feature set
       *    WRITE_{DMA|MULTIPLE}_FUA_EXT
       *    64-bit World wide name
       *    URG for READ_STREAM[_DMA]_EXT
       *    URG for WRITE_STREAM[_DMA]_EXT
       *    Segmented DOWNLOAD_MICROCODE
       *    Gen1 signaling speed (1.5Gb/s)
       *    Gen2 signaling speed (3.0Gb/s)
       *    Native Command Queueing (NCQ)
       *    Host-initiated interface power management
       *    Phy event counters
            Non-Zero buffer offsets in DMA Setup FIS
            DMA Setup Auto-Activate optimization
            Device-initiated interface power management
            In-order data delivery
       *    Software settings preservation
       *    SMART Command Transport (SCT) feature set
       *    SCT Long Sector Access (AC1)
       *    SCT LBA Segment Access (AC2)
       *    SCT Error Recovery Control (AC3)
       *    SCT Features Control (AC4)
       *    SCT Data Tables (AC5)
Security:
    Master password revision code = 65534
        supported
        enabled
        locked
    not    frozen
    not    expired: security count
    not    supported: enhanced erase
    Security level high
    128min for SECURITY ERASE UNIT.
Logical Unit WWN Device Identifier: XXXXXXXXXXXXXXXXX
    NAA        : 5
    IEEE OUI    : 000cca
    Unique ID    : XXXXXXXXXX
Integrity word not set (found 0x0000, expected 0xf9a5)


The next step is to see if this locking logic can go inside hdtool.

QUOTE(spliff721 @ Apr 16 2011, 12:08 AM)

Appreciate your efforts. Let me know if you need any help testing.

Thanks. As I have a JMicron adapter, I'll be able to test. Are you familiar with Linux?

#4 ldotsfan


Posted 16 April 2011 - 07:52 AM

I uploaded the patched version of hdparm to here.

An interim measure for using hex passwords with hdparm:
CODE

./hdparm --security-set-pass `echo -e "\xA\xB"` /dev/sdX


Where A is the hex value of password, B is second hex value and so on. X will be device location of hdd.
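
Added example, not part of the original post or of hdparm: the backtick form above hands the password to hdparm through the shell, where NUL bytes are lost and an unquoted substitution is word-split and glob-expanded. The function name `hexpass_argv_check` is hypothetical; it takes the password as a hex string and reports which of those problems apply before the drive is locked with a different password than intended.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a password given as hex
# bytes survives being passed as  `echo -e "\x..\x.."`  on a command line.

# hexpass_argv_check HEX
#   Prints "ok" or a space-separated list of problems.
#   Returns 0 for "ok", 1 for an unsafe password, 2 for malformed input.
hexpass_argv_check() {
    hex=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case $hex in
        ''|*[!0-9a-f]*) echo "invalid-hex"; return 2 ;;
    esac
    if [ $(( ${#hex} % 2 )) -ne 0 ]; then echo "odd-length"; return 2; fi

    nul=0 split=0 glob=0
    rest=$hex
    while [ -n "$rest" ]; do
        tail=${rest#??}            # everything after the first two hex digits
        byte=${rest%"$tail"}       # the first two hex digits
        rest=$tail
        case $byte in
            00)       nul=1 ;;     # argv strings are NUL-terminated
            09|0a|20) split=1 ;;   # default IFS: unquoted substitution is word-split
            2a|3f|5b) glob=1 ;;    # * ? [ : unquoted substitution is glob-expanded
        esac
    done

    out=""
    [ "$nul" -eq 1 ]   && out="$out nul-byte"
    [ "$split" -eq 1 ] && out="$out word-split"
    [ "$glob" -eq 1 ]  && out="$out glob-char"
    if [ -z "$out" ]; then echo "ok"; return 0; fi
    echo "${out# }"
    return 1
}

# Constructed inputs: "ABCD" is safe, the second contains 0x00 and '*'.
hexpass_argv_check 41424344
hexpass_argv_check 4100422a || true
```
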



#5 obcd


Posted 16 April 2011 - 09:26 AM

Good to hear there finally is a way.

Do you think it would be possible to use the alternative method for unlocking
(reading the system area of the disk) as well?

I am surprised no one already cleaned up that stuff yet with the proper area for the xbox 8Gig and 10Gig stock harddisks.

It would mean you could take the harddisk out of the xbox and connect it to the usb adapter.
You could then unlock it, mod it and lock it again. No more dangerous and unreliable hotswap.

As Hannibal Smith (A team) would say: "I love it when a plan comes together."

regards.


#6 ldotsfan


Posted 16 April 2011 - 10:32 AM

QUOTE(obcd @ Apr 16 2011, 04:26 PM)

Good to hear there finally is a way.

For some strange reason, I wasn't able to get hdtool to work. Instead, I patched hdtool's eeprom functions into hdparm.
Here's the patched hdparm. This worked under Ubuntu Maverick for me.

QUOTE(obcd @ Apr 16 2011, 04:26 PM)

Do you think it would be possible to use the alternative method for unlocking
(reading the system area of the disk) as well?

I am surprised no one already cleaned up that stuff yet with the proper area for the xbox 8Gig and 10Gig stock harddisks.

It would mean you could take the harddisk out of the xbox and connect it to the usb adapter.
You could then unlock it, mod it and lock it again. No more dangerous and unreliable hotswap.

That's beyond my capability at the moment. Somebody else could try it.
I am only aware of the MHDD 4.5 method for WDC hdd - is there a publicly known method for Seagate hdd? And I barely understand the method - let alone code it in Linux. But I will give it some thought in the future.

#7 obcd


Posted 16 April 2011 - 12:03 PM

It was my understanding that every harddisk has a system area.
It's a zone of the disk that is no part of the normal disk area used to store data.
The ata command set also has commands to read and modify data in that zone.
Most harddisks seem to have the locking password somewhere in that zone as well.
So basically, you could lock a disk with a known password, and read that zone. Afterwards, you can change the password and read that zone again. By comparing the 2 reads, you might be able to find the location of the hdd password. (I bet it will be encrypted.) If you would change that area to a known password, you could unlock the harddisk afterwards, since you know the password.

This is all very nice in theory, but it is very well possible that the password isn't saved as a continuous chain of bytes to improve protection. There probably is a byte to enable / disable password protection as well, but that will be hard to find as well. If you mess with the wrong bytes in that zone, you will probably brick your harddisk with no way of recovery.

It looked like an interesting way of doing things, especially if you know that there are only 2 models of stock harddisks in the xbox 1.

I downloaded the links to give it a try some day, but time is working against me.

regards.



#8 ldotsfan


Posted 17 April 2011 - 08:42 AM

QUOTE(ldotsfan @ Apr 16 2011, 05:32 PM)

Here's the patched hdparm. This worked under Ubuntu Maverick for me.

The earlier version will boot to error 6 in xbox. This version corrects that and does a swapping of bytes for the model and serial no.

Some basic documentation:
CODE

./hdparm --security-help

ATA Security Commands:
Most of these are VERY DANGEROUS and can destroy all of your data!
Due to bugs in older Linux kernels, use of these commands may even
trigger kernel segfaults or worse.  EXPERIMENT AT YOUR OWN RISK!

--security-freeze           Freeze security settings until reset.

--security-set-pass PASSWD  Lock drive, using password PASSWD:
                                  Use 'NULL' to set empty password.
                                  Drive gets locked if user-passwd is selected.
--security-unlock   PASSWD  Unlock drive.
--security-disable  PASSWD  Disable drive locking.
--security-eeprom-lock eepromfilename  Lock drive, using password generated from eeprom file:
                                  Use 'NULL' to set empty password.
                                  Drive gets locked if user-passwd is selected.
--security-eeprom-unlock   eepromfile  Unlock drive.
--security-eeprom-disable  eepromfile  Disable drive locking.
--security-erase    PASSWD  Erase a (locked) drive.
--security-erase-enhanced PASSWD   Enhanced-erase a (locked) drive.

The above four commands may optionally be preceeded by these options:
--security-mode  LEVEL      Use LEVEL to select security level:
                                  h   high security (default).
                                  m   maximum security.
--user-master    WHICH      Use WHICH to choose password type:
                                  u   user-password (default).
                                  m   master-password


1. To lock, issue security-eeprom-lock.
2. To unlock, issue security-eeprom-unlock followed by security-eeprom-disable.
3. hdparm -I to check status. hdparm -i doesn't work for usb/(s)ata adapter.

#9 ldotsfan


Posted 18 April 2011 - 02:33 PM

A little howto on how to use this with Ubuntu to prepare a new xbox hdd or alternatively an upgraded hdd.

Tools needed:
1. Ubuntu installed to pc hdd. Ubuntu Maverick is the tested version.
2. xboxhdm2.3 pack. This packaged the xboxhdm 1.9 kernel, initrd, hdparm executable and the empty C and E folders in a particular folder structure along with fatx folder which xboxhdm1.9 expects. Grab the file from here.
3. qemu. We will install via Ubuntu Software Center or apt command later.
4. eeprom.bin. Place this file in the same folder as the hdm2.3 pack.
5. JMicron based usb/(s)ata adapter. Any of these models should work:
a. JMicron JM20329 (USB->SATA)
b. JMicron JM20336 (USB+SATA->SATA, USB->2xSATA)
c. JMicron JM20337/8 (USB->SATA+PATA, USB+SATA->PATA)
d. JMicron JM20339 (USB->SATA)
Cypress may work as well since Ubuntu Maverick uses the cypress_atacb kernel module. But it is untested.

Steps:
1. Install qemu. Do this from Ubuntu Software Center or use this command
CODE

sudo su
apt-get install qemu

2. Unpack the xboxhdm2.3 pack into a folder. eeprom.bin to be copied here too.
3. Copy C files into hdm/C folder. Select all files/folders in C folder, right click and compress to tar.gz format. We do this step to avoid truncation of filenames later when qemu uses virtual fat to mount the hdm folder. Let's rename/call the file c.tgz.
4. Start a terminal at the folder.
5. Type this command to invoke qemu to run xboxhdm1.9 under Ubuntu.
CODE

sudo su
qemu -kernel hdmboot/fatxImage -initrd hdmboot/initrd.gz -append 'load_ramdisk=1 prompt_ramdisk=0 ramdisk_size=24000 rw root=/dev/ram pci=biosirq' -hda /dev/sdc -hdc fat:hdm/

You need to ensure that xbox hdd is really at sdc. Double check before executing this line. We ask qemu to use virtual fat to see the hdm folder as hdc. You can check with the output from
CODE

./hdparm -I /dev/sdc

Otherwise amend sdc accordingly to sdb or sdd and so on.
6. Once xboxhdm1.9 boots, type this command at the prompt.
CODE

mount -o bind /xbox /xboxhdm

This is to allow xboxhd script to see the contents of hdc as a cdrom drive.
7. Run xboxhd. You use steps 1 to 5 to prepare the hdd.
CODE

xboxhd

8. Quit from xboxhd, and run xbrowser
CODE

xbrowser

9. Navigate to PriMas/C folder. Type this command.
CODE

tar zxf c.tgz

This extracts the contents of C folder which we compressed in step 3.
10. Exit from xbrowser.
11. Type
CODE

poweroff

to exit from qemu.
12. Back in ubuntu terminal, type this command to lock the hdd.
CODE

chmod a+x hdparm
./hdparm --security-eeprom-lock eeprom.bin /dev/sdc

13. Check that hdd is locked
CODE

./hdparm -I /dev/sdc


EDIT:
1. Testing by xboxmods2977 confirmed that Ubuntu installed to hdd is required and execute permission to be granted to hdparm executable.

Edited by ldotsfan, 15 May 2011 - 11:23 AM.
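
Added example, not part of the original post or of hdparm: a way to script the check in step 13 (and the "hdparm -I to check status" step of the earlier post) by reducing the Security section to one line. The function names `ata_security_state` and `sample_locked` are hypothetical, and the sample text is constructed from the Security section shown earlier in the thread.

```shell
#!/bin/sh
# Added example: summarise the "Security:" section of `hdparm -I` output.
# Usage on a real drive (device name is an assumption):
#   ./hdparm -I /dev/sdc | ata_security_state

# Reads hdparm -I text on stdin and prints one line, for example
#   supported=yes enabled=yes locked=yes frozen=no level=high
# Returns 1 if the text has no Security: section.
ata_security_state() {
    awk '
        function val(k) { return (k in state) ? state[k] : "unknown" }
        /^Security:/ { insec = 1; found = 1; next }
        insec && /^[^ \t]/ { insec = 0 }      # next unindented header ends it
        insec {
            line = $0
            gsub(/^[ \t]+|[ \t\r]+$/, "", line)
            neg = (line ~ /^not([ \t]|$)/)    # flags are negated by a "not" column
            if (neg) sub(/^not[ \t]*/, "", line)
            # Only bare flag words count: "not supported: enhanced erase"
            # must not overwrite the feature-set "supported" flag.
            if (line ~ /^(supported|enabled|locked|frozen)$/)
                state[line] = (neg ? "no" : "yes")
            else if (line ~ /^Security level /) {
                sub(/^Security level /, "", line)
                level = line
            }
        }
        END {
            if (!found) exit 1
            printf "supported=%s enabled=%s locked=%s frozen=%s level=%s\n",
                val("supported"), val("enabled"), val("locked"), val("frozen"),
                (level == "" ? "n/a" : level)
        }
    '
}

# Constructed sample, modelled on the Security section shown in post #3.
sample_locked() {
    cat <<'EOF'
Commands/features:
       *    Security Mode feature set
Security:
    Master password revision code = 65534
        supported
        enabled
        locked
    not    frozen
    not    expired: security count
    not    supported: enhanced erase
    Security level high
    128min for SECURITY ERASE UNIT.
Logical Unit WWN Device Identifier: (constructed)
EOF
}

sample_locked | ata_security_state
```
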


#10 xboxmods2977


Posted 18 April 2011 - 07:45 PM

QUOTE(ldotsfan @ Apr 18 2011, 03:33 PM)

sudo su
qemu -kernel hdmboot/fatxImage -initrd hdmboot/initrd.gz -append 'load_ramdisk=1 prompt_ramdisk=0 ramdisk_size=24000 rw root=/dev/ram pci=biosirq' -hda /dev/sdc -hdc fat:hdm/

I'm getting a framebuffer error:
(!) DirectFB/FBDev Error opening framebuffer device!
(!) DirectFB/FBDev Use 'fbdev' option or set FRAMEBUFFER environment variable.


#11 xboxmods2977


Posted 18 April 2011 - 11:02 PM

Nevermind. I got it to start. Intrepid Ibex (backtrack 4).

hdparm is killed as a buffer overflow tho when I try to run it. I guess I will try it in a live cd environment of 10.10.

#12 ldotsfan


Posted 21 April 2011 - 04:01 PM

QUOTE(xboxmods2977 @ Apr 19 2011, 06:02 AM)

Nevermind. I got it to start. Intrepid Ibex (backtrack 4).

hdparm is killed as a buffer overflow tho when I try to run it. I guess I will try it in a live cd environment of 10.10.

Looking forward to hearing from you.

QUOTE(ldotsfan @ Apr 18 2011, 09:33 PM)

5. JMicron based usb/(s)ata adapter. Any of these models should work:
a. JMicron JM20329 (USB->SATA)
b. JMicron JM20336 (USB+SATA->SATA, USB->2xSATA)
c. JMicron JM20337/8 (USB->SATA+PATA, USB+SATA->PATA)
d. JMicron JM20339 (USB->SATA)
Cypress may work as well since Ubuntu Maverick uses the cypress_atacb kernel module. But it is untested.

This is optional. If somebody just wants to use a lean version of xboxhdm2.X usb without the SLAX dependency from their favorite linux distro and connect the hdd to the motherboard IDE connection, the addon with hdparm included and qemu is good to go too.

#13 ldotsfan


Posted 28 April 2011 - 03:09 PM

QUOTE(obcd @ Apr 16 2011, 07:03 PM)

It looked like an interesting way of doing things, especially if you know that there are only 2 models of stock harddisks in the xbox 1.


I'm starting to understand this.

From hdparm's sgio.h:
CODE

struct taskfile_regs {
    __u8    data;
    __u8    feat; //0x57
    __u8    nsect; //0x44
    __u8    lbal; //0x43
    __u8    lbam; // 0x00
    __u8    lbah; // 0x00
    __u8    dev; // 0xa0
    __u8    command; //0x8a
};

This will activate the vendor command "WDC_SUPER_ON" for WDC hdd. I have a locked WDC stock hdd without the eeprom contents to experiment on.

I hope to report some progress soon.

Alternatively, I will use the SCT command instead if that doesn't work.
CODE

0x45 0x0b 0x00 0x44 0x57 0xa0 0x80




#14 xboxmods2977


Posted 29 April 2011 - 01:40 AM

Got it working good in a live CD environment of 10.10. As far as hdparm, when I run this:

./hdparm --security-eeprom-lock eeprom.bin /dev/sdc

It lists hdparm usage

When I run this:

./hdparm -I /dev/sdc

I get "HDIO_DRIVE_CMD(identify) failed: Invalid exchange"

This is using an IDE xbox HD with the JMicron JM20337/8 (USB->SATA+PATA, USB+SATA->PATA) adapter.

I'm gonna try some more experimenting on a computer tho now.

Edited by xboxmods2977, 29 April 2011 - 02:18 AM.


#15 ldotsfan


Posted 12 May 2011 - 03:45 PM

QUOTE(xboxmods2977 @ Apr 29 2011, 08:40 AM)

I get "HDIO_DRIVE_CMD(identify) failed: Invalid exchange"

This is using an IDE xbox HD with the JMicron JM20337/8 (USB->SATA+PATA, USB+SATA->PATA) adapter.

I'm gonna try some more experimenting on a computer tho now.

A quick Google seems to suggest kernel config problem, seems like live version of 10.10 and hdd install of 10.10 use different kernel .config?

This is the lsusb output for my adapter:
CODE

Bus 001 Device 005: ID 152d:2338 JMicron Technology Corp. / JMicron USA Technology Corp. JM20337 Hi-Speed USB to SATA & PATA Combo Bridge


Is yours the same?



