Analysis of Samsung F3 firmware update

fzabkar
Contributor
Posts: 550
Joined: Tue Apr 16, 2013 9:28 am
Location: Australia

Analysis of Samsung F3 firmware update

Postby fzabkar » Sun Nov 24, 2013 2:35 am

Analysis of Samsung F3 firmware update for AMD SB850 and Intel P67/H67 compatibility problem

Firmware patch/update for certain Samsung F3 and F3EG drives:
http://knowledge.seagate.com/articles/e ... Q/223631en

This patch code is released in order to solve the compatibility problem between some motherboards (the AMD SB850 chipset and the Intel P67/H67 chipset) and Samsung-brand hard drives, F3 and F3EG models only.

This is relevant for Samsung-model internal drives with the following model numbers:

F3.exe - HD323HJ / HD502HJ / HD503HI / HD103SJ / HD105SI
http://www.seagate.com/staticfiles/supp ... ads/F3.exe

To get an idea of how Samsung's updates work, I examined earlier Dell updates for other Samsung models, eg ...

http://ftp.dell.com/ide/R139989.EXE

The update package includes the following:

Code:

 1107.EST      - an encoded script file
 tk09m.DN2     - the firmware image
 sflash24.exe  - the flash utility
 UPDATE.BAT    - contains the line "sflash24 /run:1107.est /auto"


Here is the embedded documentation for Samsung's SFLASH firmware update utility:

Code:

SFLASH V5.32  SAMSUNG Electronics Co., Ltd. (C)2000-2009
 
  ... HDD Microcode Download & Patch Tool for DOS
 
  [Usage]
    /SCAN           - To scan all PCI IDE HBAs and display them
    /P:<portindex>  - To scan all PCI IDE HBAs and select a specific HBA port
    /DETECT, /AUTO  - To detect all IDE/SATA drives
    /I:<index>      - To select a detected drive
    /COMPAT:xx      - To select a compatible port
      PM - Primary Master (Default)  SM - Secondary Master
      PS - Primary Slave             SS - Secondary Slave
    /RUN:<filename> - Run a script
 
  [Example]
    A:\SFLASH /RUN:SCR.EST /P:0       - Run SCR.EST to the scanned port 0
    A:\SFLASH /RUN:SCR.EST /AUTO      - Run SCR.EST to all detected drives


Samsung's SpinPoint F3 update appears to pack all the above files into a single EXE.

The first part of the executable (F3.exe) contains SFLASH code that performs the update.

At offset 0x4D800 there is an MFLASH_H header that lists the starting offset and size of 4 embedded firmware images.

Code:

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

0004D800  4D 46 4C 41 53 48 5F 48 00 00 04 00 00 D8 04 00  MFLASH_H.....Ø..
0004D810  00 CA 1A 00 D3 02 00 00 00 00 00 00 00 00 00 00  .Ê..Ó...........
0004D820  31 41 4A 45 34 4D 59 4D 2E 31 31 35 00 00 00 00  1AJE4MYM.115....
0004D830  00 00 00 00 00 00 00 00 00 DA 04 00 00 7C 05 00  .........Ú...|..
0004D840  31 41 4A 45 34 4D 59 4D 2E 31 31 36 00 00 00 00  1AJE4MYM.116....
0004D850  00 00 00 00 00 00 00 00 00 56 0A 00 00 7C 05 00  .........V...|..
0004D860  31 41 4A 45 34 4D 59 4D 2E 31 36 35 00 00 00 00  1AJE4MYM.165....
0004D870  00 00 00 00 00 00 00 00 00 D2 0F 00 00 7C 05 00  .........Ò...|..
0004D880  31 41 4A 45 34 4D 59 4D 2E 31 36 36 00 00 00 00  1AJE4MYM.166....
0004D890  00 00 00 00 00 00 00 00 00 4E 15 00 00 7C 05 00  .........N...|..


For example, the first firmware image is 1AJE4MYM.115. It begins at 0x04DA00 and has a size of 0x057C00 bytes.

I believe that the tail end of the EXE file has an encoded script file. It is located at the end of the 4th firmware image. The MFLASH_H entry in the above table points to the location of this file (0x001ACA00), and specifies its length (0x000002D3).

I believe the script file contains instructions for matching the various firmware images against the detected model numbers. Seagate also does it this way. I have managed to decipher Seagate's scripts, but I haven't been able to do the same for Samsung.

The firmware images contain the following HDD model numbers:

Code:

1AJE4MYM.115  --  HD502HJ  --  2 heads, 7200 RPM, SATA 2
1AJE4MYM.116  --  HD103SJ  --  4 heads, 7200 RPM, SATA 2
1AJE4MYM.165  --  HD502HI  --  2 heads, 5400 RPM, SATA 2
1AJE4MYM.166  --  HD103SI  --  4 heads, 5400 RPM, SATA 2


How to interpret Seagate (and Samsung, Maxtor) model numbers:
http://knowledge.seagate.com/articles/e ... Q/204763en
Attachment: SpinPoint_F3_SB850_update.zip (2.15 MiB)
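As an added example (not code from the original post), here is a parser for the MFLASH_H table shown above, with the 160 bytes from the dump transcribed inline. The meaning of the 32-bit field after the signature (0x00040000) and of the 8 zero bytes in each entry is not stated in the post, so they are carried as unknown; the field layout itself is inferred from the dump.

```python
import struct

# The 0xA0 bytes at 0x4D800 in F3.exe, transcribed from the hex dump in the post.
MFLASH_HEADER = bytes.fromhex(
    "4D464C4153485F48 00000400 00D80400"
    "00CA1A00 D3020000 0000000000000000"
    "31414A45344D594D2E313135 00000000 0000000000000000 00DA0400 007C0500"
    "31414A45344D594D2E313136 00000000 0000000000000000 00560A00 007C0500"
    "31414A45344D594D2E313635 00000000 0000000000000000 00D20F00 007C0500"
    "31414A45344D594D2E313636 00000000 0000000000000000 004E1500 007C0500"
)

HEADER_OFFSET = 0x4D800   # where the table sits inside F3.exe
HEADER_FMT = "<8sIIII8s"  # signature, unknown, own offset, script offset, script length, pad
ENTRY_FMT = "<16s8sII"    # image name, 8 unknown bytes, image offset, image size

def parse_mflash_h(blob, entry_count=4):
    """Parse an MFLASH_H table (little-endian layout inferred from the dump)."""
    sig, unknown, own_off, script_off, script_len, _pad = struct.unpack_from(HEADER_FMT, blob, 0)
    if sig != b"MFLASH_H":
        raise ValueError("MFLASH_H signature not found")
    images = []
    pos = struct.calcsize(HEADER_FMT)
    for _ in range(entry_count):
        name, _unknown, off, size = struct.unpack_from(ENTRY_FMT, blob, pos)
        images.append({"name": name.rstrip(b"\0").decode("ascii"), "offset": off, "size": size})
        pos += struct.calcsize(ENTRY_FMT)
    return {"unknown": unknown, "self_offset": own_off, "script_offset": script_off,
            "script_length": script_len, "images": images}

def check_layout(info):
    """True when the images are packed back to back and the script follows the last one."""
    expected = info["images"][0]["offset"]
    for img in info["images"]:
        if img["offset"] != expected:
            return False
        expected += img["size"]
    return expected == info["script_offset"]

def carve(exe_bytes, info):
    """Slice every firmware image and the trailing script out of the whole F3.exe contents."""
    parts = {img["name"]: exe_bytes[img["offset"]:img["offset"] + img["size"]]
             for img in info["images"]}
    parts["script"] = exe_bytes[info["script_offset"]:info["script_offset"] + info["script_length"]]
    return parts
```

To run it against the real file, read F3.exe into bytes and call parse_mflash_h on the slice starting at HEADER_OFFSET.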

fzabkar
Contributor
Posts: 550
Joined: Tue Apr 16, 2013 9:28 am
Location: Australia

Structure of firmware image file

Postby fzabkar » Sun Nov 24, 2013 3:35 am

Structure of firmware image file, eg 1AJE4MYM.115

Code:

0x00000 - 0x00BFF  -  LFRD or FLDR
0x00A00 - 0x40BFF  -  256KB ROM image
0x40A00 - 0x57BFF  -  MOVLY001


The first 0xA00 bytes of each firmware image file contain what appears to be some kind of flash or firmware loader code. There is an "LFRD" string in the header section. I suspect that this is 16-bit little endian, in which case it would read "FLDR" (LDR = LoaDeR).

The next section appears to be a complete 256KB ROM image. Since the firmware update appears to update the entire ROM, this would suggest that F3 ROMs contain no adaptive data.

The last section appears to be an image of SA firmware module MOVLY001. This is one of the modules loaded into RAM from the System Area after spinup.

Spildit
Posts: 1554
Joined: Sat Apr 06, 2013 4:59 pm
Location: Portugal

Re: Analysis of Samsung F3 firmware update

Postby Spildit » Sun Nov 24, 2013 4:56 pm

8-)
Thanks.

fzabkar
Contributor
Posts: 550
Joined: Tue Apr 16, 2013 9:28 am
Location: Australia

Re: Structure of firmware image file

Postby fzabkar » Mon Nov 25, 2013 9:37 pm

fzabkar wrote: The next section appears to be a complete 256KB ROM image. Since the firmware update appears to update the entire ROM, this would suggest that F3 ROMs contain no adaptive data.

The actual ROM has a size of 512KB. I had originally assumed that the second 256KB was full of 0xFF bytes, but on closer inspection there is a small amount of "FIPS" data between offsets 0x70000 - 0x703FF.

See viewtopic.php?f=19&t=643&p=2042#p2042

I don't know whether these data can be considered to be "adaptives".

fzabkar
Contributor
Posts: 550
Joined: Tue Apr 16, 2013 9:28 am
Location: Australia

Analysis of checksums

Postby fzabkar » Tue Nov 26, 2013 1:54 am

fzabkar wrote: Structure of firmware image file, eg 1AJE4MYM.115

Code:

0x00000 - 0x00BFF  -  LFRD or FLDR
0x00A00 - 0x40BFF  -  256KB ROM image
0x40A00 - 0x57BFF  -  MOVLY001


Each of the above components has a checksum of 0x0000. The sum is computed by adding the 16-bit words in little endian format.

The checksum bytes for MOVLY001 (0x5FC9) are located at the end of the module.

The checksum bytes for the 256K ROM image (0xEFD9) are also located at the end.

The FLDR appears to consist of two sections. The first is the loader code. The second section appears to identify those parts of the firmware that will be targeted by the update, in this case the ROM itself (TT ?) and the MOVLY001 SA module. Each section has its own 16-bit little endian checksum at the end (0xC65D and 0xABC2), and both sections sum to zero.


Code:

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  E3 01 00 EA E2 01 00 EA E1 01 00 EA E0 01 00 EA  ã..êâ..êá..êà..ê
00000010  00 70 01 00 00 08 00 00 00 00 00 00 00 00 00 00  .p..............
00000020  4C 46 52 44 07 01 01 0D 00 00 00 00 00 00 00 00  LFRD............
........
000007E0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
000007F0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF 5D C6  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿ]Æ



Code:

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000800  54 54 01 00 00 00 00 00 00 00 00 00 00 00 00 00  TT..............
00000810  00 00 00 00 00 00 02 00 01 00 00 00 00 00 00 00  ................
........
000008F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000900  4D 4F 56 4C 59 30 30 31 00 00 01 02 B9 00 00 00  MOVLY001....¹...
00000910  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
........
000009E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000009F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 C2 AB  ..............«
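As an added example (not code from the original post), the zero-sum check described above implemented in Python, together with a constructed image that mimics the layout of 1AJE4MYM.115 so it runs without the real firmware. The section boundaries are my reading of the post, assuming each part ends where the next begins (FLDR code 0x000-0x7FF, FLDR target table 0x800-0x9FF, ROM 0xA00-0x409FF, MOVLY001 0x40A00-0x57BFF); the demo image is constructed and is not the real firmware.

```python
import struct

# Sections of one F3 firmware image as I read them from the post, assuming each part
# ends where the next one begins; the checksum word is the last LE word of each section.
LAYOUT = [
    ("fldr_code", 0x00000, 0x00800),      # loader code, checksum 0xC65D in the real file
    ("fldr_targets", 0x00800, 0x00A00),   # TT / MOVLY001 target table, checksum 0xABC2
    ("rom", 0x00A00, 0x40A00),            # 256KB ROM image, checksum 0xEFD9
    ("movly001", 0x40A00, 0x57C00),       # SA module MOVLY001, checksum 0x5FC9
]

def word_sum16(data):
    """Sum of the 16-bit little-endian words in data, modulo 2**16."""
    if len(data) % 2:
        raise ValueError("section length must be even")
    return sum(struct.unpack("<%dH" % (len(data) // 2), data)) & 0xFFFF

def checksum_field(data):
    """The trailing LE word of a section (where the post found 0xC65D, 0xABC2, ...)."""
    return struct.unpack("<H", data[-2:])[0]

def fixup_word(body):
    """Value that, appended as a LE word, makes body plus that word sum to zero."""
    return (-word_sum16(body)) & 0xFFFF

def verify_image(image):
    """Return {section: True/False}: True when the section's words sum to zero."""
    if len(image) != LAYOUT[-1][2]:
        raise ValueError("unexpected image size 0x%X" % len(image))
    return {name: word_sum16(image[start:end]) == 0 for name, start, end in LAYOUT}

def build_demo_section(prefix, length):
    """Constructed stand-in for a section: prefix, 0xFF fill, then the fix-up word."""
    body = (prefix + b"\xFF" * length)[: length - 2]
    return body + struct.pack("<H", fixup_word(body))

def build_demo_image():
    """Constructed image with the layout above and valid checksums (not real firmware)."""
    prefixes = [b"LFRD", b"TT\x01", b"ROM", b"MOVLY001"]
    return b"".join(build_demo_section(p, end - start)
                    for (_, start, end), p in zip(LAYOUT, prefixes))
```

To check a real image, read 1AJE4MYM.115 (or the slice carved from F3.exe) into bytes and pass it to verify_image.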

