Even if he hadn’t done any firmware hacking on this hard drive [Sprite_TM’s] digital exploration of the controller is fascinating. He gave a talk at this year’s Observe, Hack, Make (OHM2013) — a non-commercial community run event in the Netherlands and we can’t wait for the video. But all the information on how he hacked into the three-core controller chip is included in his write up.
[Sprite_TM] mentions that you’re not going to find datasheets for the controllers on these drives. He got his foot in the door after finding a JTAG pinout mentioned on a forum post. The image above shows his JTAG hardware which he’s controlling with OpenOCD. This led him to discover that there are three cores inside the controller, each used for a different purpose. The difference between [Sprite_TM’s] work and that of mere mortals is that he has a knack for drawing surprisingly accurate conclusions from meager clues. To see what we mean check out the memory map for the second core which he posted on page 3 of his article.
Using JTAG he was able to inject a jump into the code (along with a filler word to keep the checksum valid) and run his own code. To begin the firmware hacking portion of the project he pulled the flash ROM off of the board and installed it on that little board sticking out on the left. This made it easy for him to backup and reflash the chip. Eventually this let him pull off the same proof of concept as a firmware-only hack (no JTAG necessary). He goes onto detail how an attacker who has root access could flash hacked firmware which compromises data without any indication to they system admin or user. But we also like his suggestion that you should try this out on your broken hard drives to see if you can reuse the controllers for embedded projects. That idea is a ton a fun!
When we were poking around the OHM2013 website (linked above) we noticed that the tickets are sold out; good for them! But if you were still able to buy them they take Bitcoin as one payment option. Are there any other conferences that allow Bitcoin for registration?