Some time ago, the OS/2 Museum obtained a 10 GB Seagate ST310014ACE hard disk (IDE 3.5″ low profile). The disk was unusable because it was locked. That is, it needed an unknown password to gain access to the medium.
After a few quick searches it turned out that this problem is surprisingly common. The particular model of hard disk was used in the first generation Xbox consoles and indeed it was locked there, which meant that after taking it out of the Xbox the disk was no longer usable.
Except there is a way to unlock these drives, using a serial terminal, a special adapter, and a couple of magic commands. How does that work?
For more than 20 years, Seagate (and other) drives have provided a way to talk to the drive for diagnostic and maintenance purposes through a serial port. IDE (and SCSI) drives have more or less always had some kind of onboard microprocessor and it’s not surprising that over time, those CPUs got more powerful. Hard disks also have the unique property that they have plenty of capacity available and aren’t limited by small ROMs/flash storage. So there’s enough room for fairly complex functionality.
I do not know which vendor first came up with the idea of using almost standard serial communication with their drives but Seagate has certainly been doing that for a while. Two of the jumper pins on IDE/SATA drives can be repurposed to function as RX/TX pins.
The complication is that the drives don’t quite conform to the RS-232 standard. RS-232, being rather old (1960), uses relatively high signaling voltage, typically +/-12V in PC equipment; in fact RS-232 is probably the biggest reason why ATX power supplies still provide a -12V line.
At any rate, the Seagate drives use lower voltages for serial communication and need an appropriate converter. In 3.5″ desktop drives, there actually is 12V power, but that is a) probably not available to the drive electronics (only the motor), and b) it’s not present in 2.5″ laptop drives. Note that there are 2.5″ SATA drives which require 12V power (typically enterprise drives) but 2.5″ IDE drives simply have no way to get 12V power.
It is possible to build an adapter from scrap parts. But in recent years, such adapters are plentiful and cheap because they also happen to be needed for Arduinos and similar devices which don’t have 12V power. I ordered one called ACAMPTAR MAX3232 on Amazon for 2.16 Euro including shipping (from China, so it took a while). The adapter also comes with a very handy connector wire which needs to be attached to the drive’s RX and TX pins (as shown e.g. here):
Now, all this has been done many times before. What I did differently is that I used an USB to IDE adapter which turned to be extremely convenient. The adapter has its own power supply (I did not have it plugged into a USB port at all) and can power a desktop hard disk with a Molex connector. More than that, it also has its own power switch. The USB adapter also has a connector for 2.5″ IDE drives which I used to power the serial adapter—it won’t function without a 5V supply. After connecting the VCC pin on the serial adapter to pin 41 on the 2.5″ IDE connector, the LED on the serial adapter lit up and the drive started talking. Here’s what the mess looked like:
Here’s the connection to the drive. Note that some people claim the disk has to be jumpered as master. I was able to communicate with it when the jumper was either in the Master or in the Cable Select position.
Here’s a close-up of the adapter with the MAX3232 chip:
I used PuTTY as the terminal but more or less anything should work. Seagate drives use standard 8 data bits, 1 stop bit, and no parity; older drives such as the ST310014ACE run at 9600 baud, newer ones run at 38400 baud.
When everything is wired correctly, the drive starts communicating over the serial interface almost as soon as it’s powered up. After the drive is initialized, the terminal looks like this:
After that, it’s necessary to press Ctrl-Z to get to the T prompt and then enter the following sequence of commands, with my comments based on this and especially this document; note that the command language is case sensitive:
T>/2 (change to diagnostic command level 2)
2>S006b (seek to logical cylinder/head, i.e. track 6Bh)
2>R21,01 (read sector 21h into buffer)
2>C0,570 (copy one sector from buffer 0 to buffer 570h)
2>W20,01 (write sector 20h)
It’s not clear to me why the ‘C’ command is needed or what purpose it serves. The unlocking is achieved essentially by reading a certain sector on the disk and copying it over the preceding sector.
After that is done, the drive should be unlocked. It can be powered down, installed in a machine, and used normally. It really does work.
It is an interesting question how those commands became public knowledge (and I don’t know the answer).
It is also a question how far back this diagnostic interface goes. I confirmed that it exists on a Seagate Medalist ST32510A from 1998, even though its command set is, unsurprisingly, more limited. It worked for me on every Seagate PATA drive with an 8-pin jumper block between the power and data connectors. Older drives have different jumper blocks and may not support the serial diagnostic interface.
Newer SATA drives have the diagnostic interface as well, but I couldn’t try that because I didn’t have appropriate wiring on hand (the connectors on the wires that came with the serial converter are too thick, designed for pins with 2.54 mm pitch, but SATA drives have jumpers with 2 mm pitch and very little space around them).
At any rate… another successful hack.
UART console was originally come from Conner. Shortly after Conner acquisition, Seagate original line of IDE drives was dropped and only Conner-derived technologies survive (so-called “ConnerGate” drives). Contrary, SCSI drives used Seagate original firmware codebase for a long time. Other acquisition (Quantum, Maxtor, Samsung, etc) had no comparable impact on Seagate product line.
Now, all mechanical drives from Seagate uses single firmware codebase.
I knew a lot of the Conners survived as Seagate models, but I didn’t know they took over the entire IDE line-up. Do you have any information about how to connect/use the serial console on old Seagate or even Conner drives?
I know some Quantum drives survived for quite a while under Maxtor (e.g. Atlas) but not sure how much was left by the time Maxtor was acquired by Seagate. (And I’m not sure if any Maxtors were rebranded as Seagate at all?). Some Samsung Spinpoint drives were likewise rebranded as Seagates but yeah, I think they basically died out once the ex-Samsung models were out of production. I have one ST2000LM003 drive which I found to be a rebranded Samsung.
Figuring out how drives went e.g. IBM -> Hitachi -> HGST -> WD can be quite a complex task.
Original Seagate IDE drive line ended somewhere around 1GB sizes, models like ST3660, ST3850A and so on. Later models (like ST32531A) are Conner-based.
Old Conner and “ConnerGate” drives used to use unusual UART speed, like 4800 or 7200 bps. Console commands was more or less same for long time. Somewhere around Barracuda SATA 7200.12 Seagate attempted to protect console from unauthorized access with locking, passwords and so on.
Maxtor, at the time of Quantum deal, had no any SCSI models, so Atlas survived. Fireball ATA family had some short continuation with D540 and D740 models (so-called “Quaxtor” or “DiamondBall” 🙂
I do not remember Maxtor models, rebranded as Seagate. But remember Seagate Barracuda 7200.11 drives, branded as DiamondMax 22.
Samsung-developed 2.5″ drives long lived hidden into Seagate USB boxes.
Yes, my SpinPoint is exactly in one of those Seagate branded external 2.5″ drives.
I found some documentation of the Conner diagnostic commands here and yes, it’s clearly a direct predecessor of the Seagate stuff. For reasons that are both surprising and obvious, most of the relevant documentation available online is in Russian.
Of cause, most Data Recovery engineers around the world are Russians 🙂 Documentation in Russian just a consequence.
Yes, but I suspect that’s not a coincidence. My guess is that in the late 1980s and early 1990s, Russia was in the unique position that it had no industry building PC hard disks but enough people with the education and experience needed to understand exactly how a hard disk works. Russians had enough money to buy PCs but not enough to just throw out failed components. Basically, Russia was probably one of the few places where a dead hard disk was worth repairing and there were people skilled enough to do it. In countries like the USA or Germany it simply wasn’t worth anyone’s time, and in 3rd world countries the skills (and perhaps even the needs) weren’t there. What’s more, Russians weren’t going to get sued if they reverse-engineered Seagate’s or WD’s firmware. Once the knowledge was there, it was easy to build on, especially because the language barrier probably effectively prevented many people from using the information in Russian, even if they could find it.
Your observation very close to reality. When my Fireball 2.1GB drive failed, it’s price was comparable to my per-month salary. I spent a lot of evenings to repair it. Thanks to Quantum Support staff, who provide me with a non-public firmware update utility (Yes, it was a good old time, when customer support actually supports customers). Utility does not helped me per se, but it’s internal working gives some important knowledge. To my surprise, repaired drive got additional ~400MB of space (2.1 -> 2.5GB). It was so cool!
Kinda weird that Conner “took over” Seagate’s lineup. I had always viewed Conner’s designs inferior in durability and reliability (hello glued on lids!) vs. Seagate’s at the time.
My recollection from the early 1990s (and it could be skewed) is that Conner and WD had most of the market. Seagates weren’t that common, although they probably had a good chunk of the high-end market, especially SCSI drives. Seagate must have liked what Conner was doing though I expect that they didn’t just throw out Seagate’s IDE drive know-how but rather combined it with Conner’s.
Conner was popular with OEMs because it was cheap! Apple loved stuffing their SCSI drives into PowerBooks and the Macintosh Portable. Low and midtier OEMs like AST, Packard Bell, and Acer would buy them by the truckload. Its clear that Seagate wanted that marketshare badly. Those drives weren’t all that reliable….or fast. Quantum seemed to get the bulk of Apple’s desktop drive business. I must have a dozen or so Apple ROM ProDrive LPS sitting around from stripped out Macs. The Bigfoot was an attempt to take a slide of Conner’s share in the OEM market towards the end.
Disk Trends covered the relevant time period of hard drive manufacturing in considerably detail. The one drawback of Disk Trends approach is that market segments were distinguished by capacity so a replacement SMD 14″ drive would be listed alongside a super svelte PCMCIA hard drive.
Using the 1994 issue, IBM was the biggest (though 75% of drives were sold with IBM hardware), Seagate was second, followed by Quantum, Conner, Maxtor, Western Digital, and a host of companies each with less than 5% share. Note that Toshiba, while not significant overall, did account for about 25% of all laptop drives.
Seagate was the dominant player in the greater than 1 GB market with Micropolis and the big iron makers (IBM, DEC, HP) accounting for much of the rest. In the smaller capacity markets, Seagate tended to have about a 20% share. Quantum and Conner had volume on the small cheap drives while Western Digital broke out of the pack thanks to the 420 MB drive being not yet replaced by the 540 MB. WD had a 30% share in 300-500 MB drives but was not given a detail line for 500 MB – 1 GB drives.
Consolidation to 3 major manufacturers seems to be the end state for all mature technologies.
How did they account for OEM drives? For example Seagate made tons of OEM drives and some of them were sold under the OEM brands, not obviously made by Seagate. Just the other day I found that DEC RZ25-E is in fact a Seagate drive, and I’m pretty sure some other DEC RZ drives were too. Did those count as DEC or Seagate?
I was not fully aware of, though I’m not surprised by it, how much Seagate was active in the high-end (i.e. SCSI) market. They had been in the SCSI market for a long, long time and for pretty much all of that time, SCSI meant high-end.
Disk Trends breaks over all drive sales into 4 categories (IBM captive, other captive, reseller, OEM) for each capacity group and drive physical size further split with US and non-US manufacturers but not specific manufacturer. Sometimes, it is easy to figure out the totals.
5.25″ drives with a capacity less than 100 MB.
800 IBM captive
400 Non-US captive
1,300 Non-US manufactured OEM
Seagate made 56,000 drives in this category; another US manufacturer produced 1,600 but it seems obvious that the bulk of the 36,000 reseller drives were Seagate.
Yeah, Seagate broke into the high end by acquiring Imprimis/CDC around 1989. Seagate and Imprimis were essentially polar opposites at the time- Seagate focused on cheap mass market stepper drives, whereas Imprimis’ product line was primarily large capacity MFM, ESDI, and SCSI drives with voice coil actuators.
Gee, I hadn’t heard of this before.
Is there something similar for Western Digital drives? I have an old, failing WD SATA drive whose contents just aren’t quite worth the exorbitant data recovery fees, but someone with a Deepspar was at least able to tell me it was a firmware issue.
Serial port on WD drives (and most other vendors) only used by firmware engineers for debug purposes. Nothing comparable to Conner/Seagate command-line interface. For repair/data recovery SATA connection used (with some undocumented functionality)
The FT232RL Board FTDI USB to TTL Serial Adapter also works for this.
Here’s some helpful information if you’d like to dig deeper! Links to diagnostics information:
https://docs.google.com/document/d/1X9YJdMUA1vZKSTEyvfA2OhaHScy0f6wzLk0nE7q9vLw/edit?usp=sharing
Rather than connecting multiple cables to a board, you might find it more useful to use a cable that combines everything into one convenient USB cable.
FTDI makes several versions of these, featuring different connectors and voltages. https://ftdichip.com/product-category/products/cables/usb-ttl-serial-cable-series/
For my own work (with various microcontrollers), I use one of the models that connects to 3.3v signals via a 6-pin connector (usually in conjunction with short jumper wires since my devices don’t usually put the pins in the same order on the connector). https://ftdichip.com/products/ttl-232r-3v3/
I know those things exist, but a) tend to be poorly documented, and b) I prefer something I can attach to a real serial port, so that I have the option of using it with an old PC and old terminal program. Probably a good option for many people though.
can a drive that has to be unlocked and locked by device (MyGig radios in recent automobiles) have this function disabled by opening these pins? There is a PATA/IDE SSD on the market (‘Kingspec’) that cannot be locked by software that is the usual replacement drive as it cannot be locked by the radios software, like that function was omitted or never implemented. If you were to remove the radios stock IDE drive you could not recover the contents as the drive locks on shutdown I suspect and unlocks when powered up with ‘linked to VIN’ password.
I’m sorry to say that I don’t know the answer…
Steven: If it’s a PATA/IDE drive I would think you could use a logic analyzer to capture the password that the device has to send to the drive when powering up.
Or is that communication encrypted in some way? I.E. the drive provides a public key?