Analysis of Western Digital ROYL firmware MOD 02

Research and Development. This is the place to report experimental stuff related to data recovery.
fzabkar
Contributor
Posts: 550
Joined: Tue Apr 16, 2013 9:28 am
Location: Australia

Postby fzabkar » Sat Mar 01, 2014 11:50 pm

Analysis of Western Digital ROYL firmware MOD 02

This tutorial is my attempt to understand the structure of WD's ROYL firmware MOD 02.

MOD 02 is purely a data module that contains information relating to the identity and feature set of the drive.

It consists of three main sections ...

    header
    index of data records
    data records

Here is the header section:

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  52 4F 59 4C 01 00 30 00 02 00 03 00 09 5A D8 B3  ROYL............
00000010  30 30 30 38 30 30 30 30 07 07 07 00 00 00 00 00  00080000........
00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................


Location          data        description
-----------------------------------------
0x0000 - 0x0003   "ROYL"      header
0x0008 - 0x0009   0x0002      MOD ID
0x000A - 0x000B   0x0003      size in sectors
0x000C - 0x000F   0xB3D85A09  32-bit checksum
0x0010 - 0x0017   "00080000"  MOD version

The checksum bytes are chosen so that the 32-bit little endian sum of all the 32-bit double words, including the checksum bytes, is 0x00000000.

Offsets 0x30 - 0x31 hold the number of data records (0x001E = 30) in the table/index that follows. The entry for each record defines its location within the MOD and its length in bytes.

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000030  1E 00 AA 00 17 00 C1 00 18 00 D9 00 33 00 0C 01
00000040  33 00 D8 01 0C 00 E4 01 12 00 08 02 06 00 0E 02
00000050  06 00 14 02 13 00 27 02 11 00 38 02 27 00 5F 02
00000060  12 00 71 02 20 00 91 02 39 00 CA 02 0D 00 D7 02
00000070  0E 00 E5 02 44 00 29 03 46 00 6F 03 48 00 3F 01
00000080  33 00 72 01 33 00 F6 01 12 00 B7 03 10 00 C7 03
00000090  0E 00 D5 03 56 00 2B 04 1A 00 45 04 1D 00 A5 01
000000A0  33 00 62 04 12 00 74 04 02 00


 record    location   location
 number    in table   in MOD     size       description
-----------------------------------------------------------

  1        0032       00AA       0017       serial number
  2        0036       00C1       0018       capacity in LBAs
  3        003A       00D9       0033
  4        003E       010C       0033
  5        0042       01D8       000C
  6        0046       01E4       0012
  7        004A       0208       0006
  8        004E       020E       0006
  9        0052       0214       0013
 10        0056       0227       0011
 11        005A       0238       0027
 12        005E       025F       0012
 13        0062       0271       0020
 14        0066       0291       0039
 15        006A       02CA       000D
 16        006E       02D7       000E
 17        0072       02E5       0044       model number
 18        0076       0329       0046       DCM (?) & manufacture date (?)
 19        007A       036F       0048       user & master password
 20        007E       013F       0033
 21        0082       0172       0033
 22        0086       01F6       0012
 23        008A       03B7       0010
 24        008E       03C7       000E
 25        0092       03D5       0056
 26        0096       042B       001A       family identifier / customer ID
 27        009A       0445       001D
 28        009E       01A5       0033
 29        00A2       0462       0012
 30        00A6       0474       0002

MOD 02 copies from different drives appear to be consistent in some aspects and different in others. In particular, the total number of data records in the table may vary, but the records appear to be numbered consistently. For example, the model number appears to always occupy record #17 and the passwords are always in record #19. However, the location of each record in the body of the module may vary, as may its size.


Serial Number

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

000000A0                                00 01 57 44 2D 57            ..WD-W
000000B0  43 41 56 32 30 30 39 31 36 32 38 00 00 00 00 00  CAV20091628.....
000000C0  00                                               .

Capacity in LBAs

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

000000C0     00 01 10 3F 00 00 00 00 AF EA 42 25 AF EA 42
000000D0  25 AF EA 42 25 AF EA 42 25


There are four capacities. WDMarvel refers to them as ...

    Max LBA
    Destroke Max LBA
    DCO Max LBA
    Host Max LBA

Each has a value of 0x2542EAAF which represents the maximum LBA (= capacity - 1).

Therefore the capacity of the drive is ...

(0x2542EAAF + 1) x 512 = 320 072 933 376 bytes

If the drive has had its capacity limited by an HPA or DCO, then this will be reflected in this record.

Model Number

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

000002E0                 00 01 57 44 43 20 57 44 33 32 30       ..WDC WD320
000002F0  30 41 41 4B 53 2D 30 30 4C 39 41 30 20 20 20 20  0AAKS-00L9A0   
00000300  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                 
00000310  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                 
00000320  20 20 20 20 20 20 20 00 00


DCM (?) and Manufacture (?) Date (MM-DD-YYYY)

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000320                             00 01 53 7C 42 7C 4C           ..S|B|L
00000330  44 50 37 4D 4B 48 37 43 41 52 52 56 4E 4B 59 55  DP7MKH7CARRVNKYU
00000340  46 00 20 20 20 20 20 20 20 20 20 20 20 20 20 31  F.             1
00000350  31 2D 32 32 2D 32 30 30 38 00 00 00 00 00 00 00  1-22-2008.......
00000360  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00     ...............


User and Master Password

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000360                                               00                 .
00000370  01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000380  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000390  00 00 00 57 44 43 57 44 43 57 44 43 57 44 43 57  ...WDCWDCWDCWDCW
000003A0  44 43 57 44 43 57 44 43 57 44 43 57 44 43 57 44  DCWDCWDCWDCWDCWD
000003B0  43 57 00 08 40 FE FF                             CW.....


The master password is "WDCWDCWDCWDCWDCWDCWDCWDCWDCWDCW".

There is no user password.

Here is an example from a different drive with and without a user password. Each user and master password occupies 32 bytes.

00000130              00 01 07 00 54 68 69 73 20 69 73 20       ....This is
00000140  74 68 65 20 55 73 65 72 20 50 61 73 73 77 6F 72   the User Passwor
00000150  64 00 00 00 00 00 00 00 57 44 43 57 44 43 57 44   d.......WDCWDCWD
00000160  43 57 44 43 57 44 43 57 44 43 57 44 43 57 44 43   CWDCWDCWDCWDCWDC
00000170  57 44 43 57 44 43 57 00 08 00 FE FF               WDCWDCW.....


00000130              00 01 01 00 00 00 00 00 00 00 00 00       ............
00000140  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00000150  00 00 00 00 00 00 00 00 57 44 43 57 44 43 57 44   ........WDCWDCWD
00000160  43 57 44 43 57 44 43 57 44 43 57 44 43 57 44 43   CWDCWDCWDCWDCWDC
00000170  57 44 43 57 44 43 57 00 08 00 FE FF               WDCWDCW.....

There are flag bits in the 3rd byte which appear to indicate whether a password has been set.

The last word (0xFFFE) appears to be related to Identify Device word 92 -- Master Password Revision Code.

Family Identifier / Customer ID

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000420                                   00 00 00 01 30             ....0
00000430  30 4C 39 30 30 30 30 01 00 12 00 01 00 00 00 00  0L90000.........
00000440  00 00 00 00 00                                   .....

This number ("00L90000") also exists in MOD 115, along with other similar numbers.

The text string appears to be divided in two parts:

    00L9 = Family Identifier
    0000 = Customer ID

A WD3200BUDT-62DPZY0 model has "0DPZ0062" in the same record.

    0DPZ = Family Identifier
    0062 = Customer ID

The following document provides an explanation:
http://www.acelab.ru/dep.pc/doc.pc3000d ... in-N-2.pdf

Here is an English translation:
http://translate.google.com/translate?h ... in-N-2.pdf
Attachments
0002.zip
(743 Bytes) Downloaded 97 times
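
The layout described in this post, as an added Python example (not the author's code and not the MOD2DUMP utility attached later in the thread): it checks the ROYL signature, module ID, length and 32-bit checksum, then walks the record index with bounds checks. `PAGE` holds the bytes shown in the dumps above; the rest of the three sectors is zero-filled and the checksum recomputed, so the sample image is constructed, and all function names are this example's own.

```python
import struct

# Bytes 0x00-0xD8 as shown in the post: header, record index, records 1 and 2.
PAGE = bytes.fromhex(
    "524F594C0100300002000300095AD8B3 30303038303030300707070000000000"
    + "00" * 16 +
    "1E00AA001700C1001800D90033000C01 3300D8010C00E4011200080206000E02"
    "06001402130027021100380227005F02 12007102200091023900CA020D00D702"
    "0E00E5024400290346006F0348003F01 330072013300F6011200B7031000C703"
    "0E00D50356002B041A0045041D00A501 33006204120074040200"
) + b"\x00\x01WD-WCAV20091628" + bytes(6) + bytes.fromhex(
    "0001103F00000000" + "AFEA4225" * 4)

def dword_sum(mod):
    """Sum of all little-endian 32-bit words, modulo 2**32 (0 when valid)."""
    return sum(struct.unpack("<%dI" % (len(mod) // 4), mod)) & 0xFFFFFFFF

def parse_mod02(mod):
    """Validate a MOD 02 image; return (version, {record_no: (loc, data)})."""
    if len(mod) < 0x32 or mod[:4] != b"ROYL":
        raise ValueError("not a ROYL module")
    mod_id, sectors, _, version = struct.unpack_from("<HHI8s", mod, 0x08)
    if mod_id != 2 or len(mod) != sectors * 512 or dword_sum(mod) != 0:
        raise ValueError("wrong module ID, length or checksum")
    (count,) = struct.unpack_from("<H", mod, 0x30)
    if 0x32 + 4 * count > len(mod):
        raise ValueError("record index runs past end of module")
    records = {}
    for n in range(1, count + 1):          # the post numbers records from 1
        loc, size = struct.unpack_from("<HH", mod, 0x2E + 4 * n)
        if loc + size > len(mod):          # never trust offsets from the image
            raise ValueError("record %d runs past end of module" % n)
        records[n] = (loc, mod[loc:loc + size])
    return version.decode("ascii"), records

def max_lbas(rec2):
    """Record 2: four little-endian 32-bit max-LBA values after 8 bytes."""
    return struct.unpack_from("<4I", rec2, 8)

def sample_module():
    """PAGE zero-filled to 3 sectors (constructed body), checksum recomputed."""
    mod = bytearray(PAGE.ljust(3 * 512, b"\0"))
    mod[0x0C:0x10] = bytes(4)
    struct.pack_into("<I", mod, 0x0C, -dword_sum(mod) & 0xFFFFFFFF)
    return bytes(mod)

if __name__ == "__main__":
    version, recs = parse_mod02(sample_module())
    print(version, len(recs), (max_lbas(recs[2][1])[0] + 1) * 512)
```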

Postby fzabkar » Sat Mar 01, 2014 11:55 pm

The following records look like they may have time related data. Perhaps they represent APM settings, eg 1000, 2500, 5000 milliseconds???

Record #27

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000440                 00 01 02 05 C4 09 00 00 E8 03 00
00000450  00 00 00 E8 03 00 00 88 13 00 00 1E 00 00 00 05
00000460  C8 00


Record #29

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000460        00 01 00 64 64 00 88 13 03 00 00 00 00 00
00000470  00 00 00 00


    0x09C4 = 2500
    0x03E8 = 1000
    0x1388 = 5000
    0xC8 = 200
    0x64 = 100

Record #7

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000200                          00 01 01 01 64 32


Record #8

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000200                                            00 01
00000210  14 64 00 00


Record #9

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000210              00 01 64 00 00 64 00 00 81 00 18 05
00000220  01 7A 02 00 64 00 00


    0x32 = 50
    0x64 = 100
    0x14 = 20

Spildit
Posts: 1554
Joined: Sat Apr 06, 2013 4:59 pm
Location: Portugal

Postby Spildit » Sun Mar 02, 2014 3:21 pm

Thanks for sharing this nice info !!!!

Postby fzabkar » Sat May 24, 2014 6:56 am

Record #27 (offset 0x9A) appears to contain settings that define the drive's defect management behaviour.

See viewtopic.php?t=848&p=3414

Postby fzabkar » Sat May 24, 2014 7:08 am

A WD user has informed me that WD's model number field appears to be limited to 24 bytes, even though the ATA standard provides for 40 characters. When he tried to edit this field in MOD 02 with a model number longer than this, the ATA Identify Device command reported only the first 24 characters.

LarrySabo
Registered User
Registered User
Posts: 69
Joined: Thu May 16, 2013 9:32 pm

Postby LarrySabo » Sat May 24, 2014 2:51 pm

Excellent tutorial, as usual. Thanks so much! I wish you and Spildit would collaborate on a "DR for Beginners" book. Much of it has already been written by you two and just needs consolidation/organization of your tutorials. This stuff is so hard to come by elsewhere, so may The HDD Oracle live forever!

Postby Spildit » Sat May 24, 2014 3:00 pm

LarrySabo wrote:Excellent tutorial, as usual. Thanks so much! I wish you and Spildit would collaborate on a "DR for Beginners" book. Much of it has already been written by you two and just needs consolidation/organization of your tutorials. This stuff is so hard to come by elsewhere, so may The HDD Oracle live forever!


Thanks !

Postby fzabkar » Tue Jul 15, 2014 10:52 am

A WD user has done some detective work in the following thread:
http://community.wd.com/t5/Desktop-Mobi ... 262#M16907

He has determined that WD's idle3 timer is stored at byte offset 0x16 in section 13 (= 0x0D) of MOD 02.

Attached is a small utility to parse MOD 02. I have tested it with ROYL and Marvell (pre-ROYL) models. I have included the FreeBASIC source code (I am not a programmer, so it will probably look ugly to someone who is).
Attachments
MOD2DUMP.7z
(79.44 KiB) Downloaded 86 times

Extracting user and master passwords from MOD 02

Postby fzabkar » Wed Jul 16, 2014 5:29 pm

The following MHDD script extracts the user and master passwords from a WD ROYL or Marvell drive.

It relies on the following Vendor Specific Commands (VSC):

    2A 00 01 00 02 00 13 00 04 00 20 00
    2A 00 01 00 02 00 13 00 24 00 20 00

For example, the first command reads 20h bytes at offset 04h in section 13h of MOD 02h. The section numbers begin counting from 1.

The script has been tested on a WD2500BB.

; VSC enable

reset
waitnbsy
regs = $45 $0b $00 $44 $57 $a0 $80
waitnbsy

; read user password in module 02

regs = $d6 $01 $be $4f $c2 $a0 $b0
waitnbsy
checkdrq
sectorsfrom = rd_user.bin
waitnbsy
regs = $d5 $01 $bf $4f $c2 $a0 $b0
waitnbsy
checkdrq
sectorsto = userpwd.bin

; read master password in module 02

waitnbsy
regs = $d6 $01 $be $4f $c2 $a0 $b0
waitnbsy
checkdrq
sectorsfrom = rd_mastr.bin
waitnbsy
regs = $d5 $01 $bf $4f $c2 $a0 $b0
waitnbsy
checkdrq
sectorsto = masterpw.bin

; end of script

rd_user.bin

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  2A 00 01 00 02 00 13 00 04 00 20 00 00 00 00 00
........
000001F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

rd_mastr.bin

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  2A 00 01 00 02 00 13 00 24 00 20 00 00 00 00 00
........
000001F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

userpwd.bin

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  54 45 53 54 50 57 44 00 00 00 00 00 00 00 00 00  TESTPWD.........
00000010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
........
000001F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

masterpw.bin

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  57 44 43 57 44 43 57 44 43 57 44 43 57 44 43 57  WDCWDCWDCWDCWDCW
00000010  44 43 57 44 43 57 44 43 57 44 43 57 44 43 57 00  DCWDCWDCWDCWDCW.
00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
........
000001F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Section 19     Length 76 bytes

Addr  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

0000  00 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0020  00 00 00 00 57 44 43 57 44 43 57 44 43 57 44 43  ....WDCWDCWDCWDC
0030  57 44 43 57 44 43 57 44 43 57 44 43 57 44 43 57  WDCWDCWDCWDCWDCW
0040  44 43 57 00 08 00 FE FF 00 00 00 00              DCW.........

Setting the value at offset 0x02 to 0x00 results in the drive reporting that the security feature set is not supported, even after a password has been set.
Attachments
WDCPWD.7z
(491 Bytes) Downloaded 85 times
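
The Section 19 layout above as an added Python example (not part of the original posts or the attached tools): it splits the record into the flags byte, the two 32-byte password fields and the trailing revision word, and lists what an examiner reviewing a drive image would note. The meaning given to the flag bits is an assumption drawn from the 0x01 and 0x07 samples and the 0x00 observation in this thread; `WITH_USER` is rebuilt from the "different drive" dump in the first post, and the function names are this example's own.

```python
import struct

# Master password value that appears in every dump in this thread.
THREAD_MASTER = (b"WDC" * 11)[:31]

# Section 19 as dumped above (no user password), and the first post's
# "different drive" record that has a user password set.
NO_USER = bytes.fromhex("00010100") + bytes(32) + THREAD_MASTER + bytes.fromhex(
    "00 0800FEFF 00000000")
WITH_USER = (bytes.fromhex("00010700")
             + b"This is the User Password".ljust(32, b"\0")
             + THREAD_MASTER + bytes.fromhex("00 0800FEFF"))

def parse_security_record(rec):
    """Split record 19 into the fields the thread identifies."""
    if len(rec) < 0x48:
        raise ValueError("security record shorter than 0x48 bytes")
    _, revision = struct.unpack_from("<HH", rec, 0x44)
    return {
        "flags": rec[2],
        "user": rec[0x04:0x24].rstrip(b"\0"),     # 32-byte field, zero padded
        "master": rec[0x24:0x44].rstrip(b"\0"),   # 32-byte field, zero padded
        "revision": revision,                     # 0xFFFE in the dumps above
    }

def audit(rec):
    """Return findings for one record; the flag-bit meanings are assumptions."""
    f = parse_security_record(rec)
    findings = []
    if not f["flags"] & 0x01:      # thread: 0x00 here -> "security not supported"
        findings.append("security feature set reported as unsupported")
    if f["flags"] & 0x06:          # assumption from the 0x07 vs 0x01 samples
        findings.append("user password set, stored in clear")
    if f["master"] == THREAD_MASTER:
        findings.append("master password matches the value seen in this thread")
    if f["revision"] == 0xFFFE:
        findings.append("master password revision code 0xFFFE")
    return findings

if __name__ == "__main__":
    for name, rec in (("NO_USER", NO_USER), ("WITH_USER", WITH_USER)):
        print(name, audit(rec))
```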

