For years, the firmware of most HDDs was open and made easily accessible by just using a serial connection and the right ATA commands. This enabled data recovery technicians to perform essential pre-recovery housekeeping tasks, such as G-List, P-List and SMART clearing. It also allowed technicians to read and write modules to the ROM. However, with the latest multi-terabyte electro-mechanical disks, manipulation is becoming a little trickier due to manufacturer locked firmware. This fairly recent trend of locked disk firmware can partly be explained by explosive revelations made by Kaspersky Lab in 2015. They discovered a strain of malware dubbed EquationDrug and GrayFish that is capable of dropping a customised installer into an operating system. This enables the installation of a modified controller code onto a person’s hard disk that would act as a persistent backdoor, allowing data exfiltration without triggering any alerts in conventional security controls. Given that governments and corporations throughout the world tend to use standardised equipment, this vulnerability was seen by many security and privacy experts as a grave threat to data integrity and confidentiality. In response to this threat, manufacturers such as Seagate have introduced features like their “Locked Diagnostics Port”, which aims to thwart users from accessing or modifying the disk’s firmware. Seagate has also introduced digital signing of firmware modules.
However, there is another, albeit more commercial reason why disk manufacturers are eager to lock their firmware. Most of the disks’ secret sauce, such as algorithms for error correction servo-track control and thermal-fly height control, are stored in this area of the disk. Not wanting their extensive R&D efforts to be stolen by their competition reverse engineering their disks, manufacturers increasingly just lock down their firmware modules.
For the data recovery technician, this can be exasperating. You’re about to perform a firmware repair only to be greeted with the “Diagnostic Port Locked” message… argh!
The side-effect of this development is that data recovery technicians sometimes encounter a brick wall when trying to remedy firmware issues. Moreover, developers of professional data recovery equipment who could previously analyse firmware modules and develop sophisticated disk repair tools are now being thwarted by manufacturer-locked firmware. Not in all cases however.
To circumvent locked firmware modules, some wily data recovery tool developers have designed “special extensions” to the ROM code which can be saved via a boot code and written back to the HDD. Once applied, terminal commands magically start working on the disk again.
Last week, we got this Seagate Ultra Slim Portable drive in with some serious firmware issues. The disk inside, a Mobile HDD ( ST2000LM007), uses Seagate’s Rosewood firmware and was not even recognisable to the BIOS. This means that under normal circumstances, very little could be done to repair the disk and access the data. However, using the aforementioned tools, we added a modifed ROM extension to the disk. This enabled us to repair the disk’s corrupt firmware modules and access the user area of the disk containing .CR2 (Canon raw),.DWG (created with DraftSight) and Microsoft Office files. The customer was happily reunited with all their data again. This proves the truism that everything is indeed hackable…
Drive Rescue are based in Dublin, Ireland. We offer a complete data recovery service for Seagate Ultra Slim Portable and Seagate Mobile HDD drives. We have experience of successfully recovering from models such as the ST500LM034 ST200LM007, ST1000LM0048, ST1000LM0035 and ST2000LM0015. We can help you if your Seagate Ultra Slim or Mobile HDD disk is no longer recognised by your PC or Mac. Or, if your disk has been accidentally dropped. Call us on 1890 571 571.