This post is a little pause in my vacuum reversing trilogy. It is half about electronics, half about digital forensics but somehow it is still 100% of my hobbies ;-)
A friend of mine had faced a harddrive failure recently and wanted her data back. So she sent me the drive instead of giving away one month of salary to an expensive data rescuing company.
Most of the time, replacing the controller board of the harddrive is enough to get your data back. Hopefully some companies like HDDzone allows you to order the exact model of the PCB you want to replace.
One week later, the PCB was in my mail box. Great.
Feeling lucky, I simply unscrewed the original PCB, replaced it by the new one and tried powering up that drive. Heard a small *click* and… nothing. The motors never started to spin, nothing happened. Damned!
In fact, there is a little flash EEPROM on the PCB that contains the drive firmware and the parameters and those on the new board were not the good ones for that drive. If one follows the online guides from HDDZone for replacing harddrive PCBs, it is said that you should swap those components before swapping the PCB. Of course I have a hot air gun for that purpose, but I am not feeling comfortable with that stuff at the moment. I still need some practice.
Moreover, with RoHS reglementation, manufacturers now use lead-free solder and that requires a higher temperature to melt. And overheating a component has some risks: you could damage the component.
Finally, it is quite hot in Paris nowadays (at least from my point of view) so I was not very motivated to get hot air at 280°C with the gun while I already have 28°C in my appartment!
So I decided to do… well, differently!
You might have already guessed it, my idea was of course to swap the content of the EEPROM instead of swaping the component. And that’s why I consider it dirty: I am going to power up the flash directly, without desoldering it and therefore without isolating the other components from the current/voltage I am going to put on the board. That may damage other surrounding components. But I am pretty comfident we are not dealing with high voltage/current and components on a computer harddrive might be protected a little bit and might be able to deal with that without consequences.
The replacement PCB uses a SOIC package so it is very easy to put grips on the pins and plug those to a GoodFET to read/write that chip. But the original one has a QFN package so I still need to solder wires to the pads before being able to interact with it.
According to the datasheet of the Windbond chip (the one on the original PCB) it is somehow protected and the SPI bus requires all the 8 pins to be wired if I want to write on it: the extra ones are for !WP (Write Protect) and !HOLD (inhibits the chip). Those two extra wires need to be connected to VCC.
Here is a picture of the PCB with all the wires soldered:
Now, is the GoodFET able to talk to that flash?
$ goodfet.spiflash info Ident as Winbond W25X40L Manufacturer: ef Winbond Type: 30 Capacity: 13 (524288 bytes)
Yeeha! Time to dump that memory:
$ goodfet.spiflash dump original-board.seagate.bin Dumping code from 000000 to 080000 as original-board.seagate.bin. Dumped 000000. […] Dumped 080000.
The replacement board is far more easy do deal with. Here, I am using the mini grips from my Saleae Logic analyzer:
The picture here-above does not show the whole setup but some grips are connected directly together (!HOLD, VCC and !WP).
By the way, looking at the board with binoculars to double check I have not made any short circuit with the grips revealed that the EEPROM was badly soldered. Simply putting the grips lifted slightly the pins so there was no contact anymore with the PCB. I just left GND pin soldered to keep the chip in place.
Again, just a quick check that the chip is talking to the GoodFET:
$ goodfet.spiflash info Ident as Numonyx/ST None Manufacturer: 20 Numonyx/ST Type: 20 Capacity: 13 (524288 bytes)
I also took the opportunity to dump the content of it before overwriting it, just in case:
$ goodfet.spiflash dump replacement-board.seagate.bin Dumping code from 000000 to 080000 as replacement-board.seagate.bin. Dumped 001000. […] Dumped 080000. $ goodfet.spiflash erase $ goodfet.spiflash flash original-board.seagate.bin Flashing code from 000000 to 080000 with original-board.seagate.bin. FIXME This might fail if the file is of an odd size. Flashed 001000. […] Flashed 080000. $ goodfet.spiflash verify original-board.seagate.bin Verifying code from 000000 to 080000 as original-board.seagate.bin. Verified 000000. […] Verified 080000. `
Worked like a treat!
Seven screws later, the hard drive was spinning… but I was wrong on my first diagnosis as the hard drive is still not showing up. The failure seems to be related to the plates or the magnetic heads.
Yet, the idea to flash the firmware instead of swapping the chips was a success and again the versatile GoodFET platform was very helpful :-)