al-khaser icon indicating copy to clipboard operation
al-khaser copied to clipboard
verified publisher icon LordNoteworthy

ATA IDENTIFY checks

Open gsuberland opened this issue 7 years ago • 8 comments

We can issue an ATA IDENTIFY command to the disk and see if the returned parameters match known ones from VMs.

gsuberland avatar Jul 11 '18 18:07 gsuberland

I'm working on this. I've got some code dumping the entire IDENTIFY_DEVICE_DATA struct now. This should give me plenty of artifacts to cross-examine against real machines and VMs. I'll almost certainly end up having the IDENTIFY command run as a function and then have a bunch of different checks off the back of that, rather than one single check.

Here's the IDENTIFY dump from my laptop's SSD:

GeneralConfiguration.Reserved1 = 0
GeneralConfiguration.Retired3 = 0
GeneralConfiguration.ResponseIncomplete = 0
GeneralConfiguration.Retired2 = 0
GeneralConfiguration.FixedDevice = 1
GeneralConfiguration.RemovableMedia = 0
GeneralConfiguration.Retired1 = 0
GeneralConfiguration.DeviceType = 0
NumCylinders = 16383
SpecificConfiguration = 51255
NumHeads = 16
Retired1 = 00000014CDAFF488
NumSectorsPerTrack = 63
VendorUnique1 = 00000014CDAFF48E
SerialNumber = S1ZKNXAG814819
Retired2 = 00000014CDAFF4A8
Obsolete1 = 0
FirmwareRevision = EMT04L0Q
ModelNumber = SAMSUNG MZ7LN512HCHP-000L1
MaximumBlockTransfer = 16
VendorUnique2 = 128
TrustedComputing.FeatureSupported = 0
TrustedComputing.Reserved = 8192
Capabilities.CurrentLongPhysicalSectorAlignment = 0
Capabilities.ReservedByte49 = 0
Capabilities.DmaSupported = 1
Capabilities.LbaSupported = 1
Capabilities.IordyDisable = 1
Capabilities.IordySupported = 1
Capabilities.Reserved1 = 0
Capabilities.StandybyTimerSupport = 1
Capabilities.Reserved2 = 0
Capabilities.ReservedWord50 = 16384
ObsoleteWords51 = 00000014CDAFF4E6
TranslationFieldsValid = 7
Reserved3 = 0
FreeFallControlSensitivity = 0
NumberOfCurrentCylinders = 16383
NumberOfCurrentHeads = 16
CurrentSectorsPerTrack = 63
CurrentSectorCapacity = 17826043
CurrentMultiSectorSetting = 255
MultiSectorSettingValid = 1
ReservedByte59 = 7
SanitizeFeatureSupported = 1
CryptoScrambleExtCommandSupported = 1
OverwriteExtCommandSupported = 1
BlockEraseExtCommandSupported = 1
UserAddressableSectors = 458752
ObsoleteWord62 = 3
MultiWordDMASupport = 120
MultiWordDMAActive = 0
AdvancedPIOModes = 120
ReservedByte64 = 0
MinimumMWXferCycleTime = 120
RecommendedMWXferCycleTime = 120
MinimumPIOCycleTime = 3840
MinimumPIOCycleTimeIORDY = 0
AdditionalSupported.ZonedCapabilities = 0
AdditionalSupported.NonVolatileWriteCache = 0
AdditionalSupported.ExtendedUserAddressableSectorsSupported = 0
AdditionalSupported.DeviceEncryptsAllUserData = 0
AdditionalSupported.ReadZeroAfterTrimSupported = 0
AdditionalSupported.Optional28BitCommandsSupported = 0
AdditionalSupported.IEEE1667 = 0
AdditionalSupported.DownloadMicrocodeDmaSupported = 0
AdditionalSupported.SetMaxSetPasswordUnlockDmaSupported = 0
AdditionalSupported.WriteBufferDmaSupported = 0
AdditionalSupported.ReadBufferDmaSupported = 0
AdditionalSupported.DeviceConfigIdentifySetDmaSupported = 0
AdditionalSupported.LPSAERCSupported = 0
AdditionalSupported.DeterministicReadAfterTrimSupported = 0
AdditionalSupported.CFastSpecSupported = 0
ReservedWords70 = 00000014CDAFF510
QueueDepth = 6
ReservedWord75 = 6
SerialAtaCapabilities.Reserved0 = 0
SerialAtaCapabilities.SataGen1 = 0
SerialAtaCapabilities.SataGen2 = 1
SerialAtaCapabilities.SataGen3 = 1
SerialAtaCapabilities.Reserved1 = 6
SerialAtaCapabilities.NCQ = 1
SerialAtaCapabilities.HIPM = 0
SerialAtaCapabilities.PhyEvents = 0
SerialAtaCapabilities.NcqUnload = 0
SerialAtaCapabilities.NcqPriority = 0
SerialAtaCapabilities.HostAutoPS = 0
SerialAtaCapabilities.DeviceAutoPS = 0
SerialAtaCapabilities.ReadLogDMA = 0
SerialAtaCapabilities.Reserved2 = 0
SerialAtaCapabilities.CurrentSpeed = 0
SerialAtaCapabilities.NcqStreaming = 0
SerialAtaCapabilities.NcqQueueMgmt = 1
SerialAtaCapabilities.NcqReceiveSend = 1
SerialAtaCapabilities.DEVSLPtoReducedPwrState = 0
SerialAtaCapabilities.Reserved3 = 0
SerialAtaFeaturesSupported.Reserved0 = 0
SerialAtaFeaturesSupported.NonZeroOffsets = 0
SerialAtaFeaturesSupported.DmaSetupAutoActivate = 1
SerialAtaFeaturesSupported.DIPM = 1
SerialAtaFeaturesSupported.InOrderData = 1
SerialAtaFeaturesSupported.HardwareFeatureControl = 1
SerialAtaFeaturesSupported.SoftwareSettingsPreservation = 1
SerialAtaFeaturesSupported.NCQAutosense = 1
SerialAtaFeaturesSupported.DEVSLP = 1
SerialAtaFeaturesSupported.HybridInformation = 1
SerialAtaFeaturesSupported.Reserved1 = 0
SerialAtaFeaturesEnabled.Reserved0 = 1
SerialAtaFeaturesEnabled.NonZeroOffsets = 0
SerialAtaFeaturesEnabled.DmaSetupAutoActivate = 0
SerialAtaFeaturesEnabled.DIPM = 1
SerialAtaFeaturesEnabled.InOrderData = 1
SerialAtaFeaturesEnabled.HardwareFeatureControl = 1
SerialAtaFeaturesEnabled.SoftwareSettingsPreservation = 0
SerialAtaFeaturesEnabled.DeviceAutoPS = 0
SerialAtaFeaturesEnabled.DEVSLP = 0
SerialAtaFeaturesEnabled.HybridInformation = 0
SerialAtaFeaturesEnabled.Reserved1 = 0
MajorRevision = 29803
MinorRevision = 32001
CommandSetSupport.SmartCommands = 1
CommandSetSupport.SecurityMode = 1
CommandSetSupport.RemovableMediaFeature = 0
CommandSetSupport.PowerManagement = 0
CommandSetSupport.Reserved1 = 0
CommandSetSupport.WriteCache = 1
CommandSetSupport.LookAhead = 1
CommandSetSupport.ReleaseInterrupt = 0
CommandSetSupport.ServiceInterrupt = 1
CommandSetSupport.DeviceReset = 0
CommandSetSupport.HostProtectedArea = 0
CommandSetSupport.Obsolete1 = 0
CommandSetSupport.WriteBuffer = 0
CommandSetSupport.ReadBuffer = 0
CommandSetSupport.Nop = 1
CommandSetSupport.Obsolete2 = 0
CommandSetSupport.DownloadMicrocode = 1
CommandSetSupport.DmaQueued = 0
CommandSetSupport.Cfa = 0
CommandSetSupport.AdvancedPm = 1
CommandSetSupport.Msn = 0
CommandSetSupport.PowerUpInStandby = 1
CommandSetSupport.ManualPowerUp = 1
CommandSetSupport.Reserved2 = 0
CommandSetSupport.SetMax = 0
CommandSetSupport.Acoustics = 0
CommandSetSupport.BigLba = 1
CommandSetSupport.DeviceConfigOverlay = 0
CommandSetSupport.FlushCache = 1
CommandSetSupport.FlushCacheExt = 1
CommandSetSupport.WordValid83 = 1
CommandSetSupport.SmartErrorLog = 1
CommandSetSupport.SmartSelfTest = 0
CommandSetSupport.MediaSerialNumber = 0
CommandSetSupport.MediaCardPassThrough = 0
CommandSetSupport.StreamingFeature = 0
CommandSetSupport.GpLogging = 0
CommandSetSupport.WriteFua = 0
CommandSetSupport.WriteQueuedFua = 0
CommandSetSupport.WWN64Bit = 0
CommandSetSupport.URGReadStream = 0
CommandSetSupport.URGWriteStream = 1
CommandSetSupport.ReservedForTechReport = 3
CommandSetSupport.IdleWithUnloadFeature = 1
CommandSetSupport.WordValid = 2
CommandSetActive.SmartCommands = 1
CommandSetActive.SecurityMode = 1
CommandSetActive.RemovableMediaFeature = 0
CommandSetActive.PowerManagement = 0
CommandSetActive.Reserved1 = 0
CommandSetActive.WriteCache = 1
CommandSetActive.LookAhead = 1
CommandSetActive.ReleaseInterrupt = 0
CommandSetActive.ServiceInterrupt = 1
CommandSetActive.DeviceReset = 0
CommandSetActive.HostProtectedArea = 0
CommandSetActive.Obsolete1 = 0
CommandSetActive.WriteBuffer = 0
CommandSetActive.ReadBuffer = 0
CommandSetActive.Nop = 1
CommandSetActive.Obsolete2 = 0
CommandSetActive.DownloadMicrocode = 1
CommandSetActive.DmaQueued = 1
CommandSetActive.Cfa = 1
CommandSetActive.AdvancedPm = 1
CommandSetActive.Msn = 1
CommandSetActive.PowerUpInStandby = 1
CommandSetActive.ManualPowerUp = 1
CommandSetActive.Reserved2 = 0
CommandSetActive.SetMax = 0
CommandSetActive.Acoustics = 0
CommandSetActive.BigLba = 0
CommandSetActive.DeviceConfigOverlay = 0
CommandSetActive.FlushCache = 0
CommandSetActive.FlushCacheExt = 0
CommandSetActive.Resrved3 = 1
CommandSetActive.Words119_120Valid = 0
CommandSetActive.SmartErrorLog = 1
CommandSetActive.SmartSelfTest = 0
CommandSetActive.MediaSerialNumber = 0
CommandSetActive.MediaCardPassThrough = 0
CommandSetActive.StreamingFeature = 0
CommandSetActive.GpLogging = 0
CommandSetActive.WriteFua = 0
CommandSetActive.WriteQueuedFua = 0
CommandSetActive.WWN64Bit = 0
CommandSetActive.URGReadStream = 0
CommandSetActive.URGWriteStream = 0
CommandSetActive.ReservedForTechReport = 0
CommandSetActive.IdleWithUnloadFeature = 0
CommandSetActive.Reserved4 = 0
UltraDMASupport = 4
UltraDMAActive = 0
NormalSecurityEraseUnit.TimeRequired = 0
NormalSecurityEraseUnit.ExtendedTimeReported = 0
EnhancedSecurityEraseUnit.TimeRequired = 32766
EnhancedSecurityEraseUnit.ExtendedTimeReported = 1
CurrentAPMLevel = 0
ReservedWord91 = 0
MasterPasswordID = 0
HardwareResetResult = 0
CurrentAcousticValue = 0
RecommendedAcousticValue = 0
StreamMinRequestSize = 0
StreamingTransferTimeDMA = 0
StreamingAccessLatencyDMAPIO = 0
StreamingPerfGranularity = 1000215216
Max48BitLBA = 00000014CDAFF54C
StreamingTransferTime = 16384
DsmCap = 0
PhysicalLogicalSectorSize.LogicalSectorsPerPhysicalSector = 2
PhysicalLogicalSectorSize.Reserved0 = 0
PhysicalLogicalSectorSize.LogicalSectorLongerThan256Words = 1
PhysicalLogicalSectorSize.MultipleLogicalSectorsPerPhysicalSector = 0
PhysicalLogicalSectorSize.Reserved1 = 1
InterSeekDelay = 21389
WorldWideName = 00000014CDAFF55C
ReservedForWorldWideName128 = 00000014CDAFF564
ReservedForTlcTechnicalReport = 0
WordsPerLogicalSector = 00000014CDAFF56E
CommandSetSupportExt.ReservedForDrqTechnicalReport = 0
CommandSetSupportExt.WriteReadVerify = 0
CommandSetSupportExt.WriteUncorrectableExt = 0
CommandSetSupportExt.ReadWriteLogDmaExt = 0
CommandSetSupportExt.DownloadMicrocodeMode3 = 0
CommandSetSupportExt.FreefallControl = 0
CommandSetSupportExt.SenseDataReporting = 0
CommandSetSupportExt.ExtendedPowerConditions = 0
CommandSetSupportExt.Reserved0 = 0
CommandSetSupportExt.WordValid = 0
CommandSetActiveExt.ReservedForDrqTechnicalReport = 0
CommandSetActiveExt.WriteReadVerify = 0
CommandSetActiveExt.WriteUncorrectableExt = 0
CommandSetActiveExt.ReadWriteLogDmaExt = 0
CommandSetActiveExt.DownloadMicrocodeMode3 = 0
CommandSetActiveExt.FreefallControl = 0
CommandSetActiveExt.SenseDataReporting = 0
CommandSetActiveExt.ExtendedPowerConditions = 0
CommandSetActiveExt.Reserved0 = 0
CommandSetActiveExt.Reserved1 = 0
ReservedForExpandedSupportandActive = 00000014CDAFF576
MsnSupport = 0
ReservedWord127 = 0
SecurityStatus.SecuritySupported = 0
SecurityStatus.SecurityEnabled = 0
SecurityStatus.SecurityLocked = 0
SecurityStatus.SecurityFrozen = 0
SecurityStatus.SecurityCountExpired = 0
SecurityStatus.EnhancedSecurityEraseSupported = 0
SecurityStatus.Reserved0 = 0
SecurityStatus.SecurityLevel = 0
SecurityStatus.Reserved1 = 0
ReservedWord129 = 00000014CDAFF586
CfaPowerMode1.MaximumCurrentInMA = 0
CfaPowerMode1.CfaPowerMode1Disabled = 0
CfaPowerMode1.CfaPowerMode1Required = 0
CfaPowerMode1.Reserved0 = 0
CfaPowerMode1.Word160Supported = 0
ReservedForCfaWord161 = 00000014CDAFF5C6
NominalFormFactor = 0
ReservedWord168 = 514
DataSetManagementFeature.SupportsTrim = 0
DataSetManagementFeature.Reserved0 = 4112
AdditionalProductID = 00000014CDAFF5D8
ReservedForCfaWord174 = 00000014CDAFF5E0
CurrentMediaSerialNumber = 00000014CDAFF5E4
SCTCommandTransport.Supported = 0
SCTCommandTransport.Reserved0 = 0
SCTCommandTransport.WriteSameSuported = 0
SCTCommandTransport.ErrorRecoveryControlSupported = 0
SCTCommandTransport.FeatureControlSuported = 0
SCTCommandTransport.DataTablesSuported = 0
SCTCommandTransport.Reserved1 = 0
SCTCommandTransport.VendorSpecific = 0
ReservedWord207 = 00000014CDAFF622
BlockAlignment.AlignmentOfLogicalWithinPhysical = 0
BlockAlignment.Word209Supported = 0
BlockAlignment.Reserved0 = 0
WriteReadVerifySectorCountMode3Only = 00000014CDAFF628
WriteReadVerifySectorCountMode2Only = 00000014CDAFF62C
NVCacheCapabilities.NVCachePowerModeEnabled = 0
NVCacheCapabilities.Reserved0 = 0
NVCacheCapabilities.NVCacheFeatureSetEnabled = 0
NVCacheCapabilities.Reserved1 = 0
NVCacheCapabilities.NVCachePowerModeVersion = 0
NVCacheCapabilities.NVCacheFeatureSetVersion = 0
NVCacheSizeLSW = 1
NVCacheSizeMSW = 0
NominalMediaRotationRate = 0
ReservedWord218 = 0
NVCacheOptions.NVCacheEstimatedTimeToSpinUpInSeconds = 0
NVCacheOptions.Reserved = 0
WriteReadVerifySectorCountMode = 127
ReservedWord220 = 16
ReservedWord221 = 0
TransportMajorVersion.MajorVersion = 0
TransportMajorVersion.TransportType = 0
TransportMinorVersion = 0
ReservedWord224 = 00000014CDAFF644
ExtendedNumberOfUserAddressableSectors = 00000014CDAFF650
MinBlocksPerDownloadMicrocodeMode03 = 0
MaxBlocksPerDownloadMicrocodeMode03 = 0
ReservedWord236 = 00000014CDAFF65C
Signature = 0
CheckSum = 0

gsuberland avatar Jul 11 '18 21:07 gsuberland

Using the new tool I've dumped some more results:

Some obvious places to check for VirtualBox:

  • ModelNumber is "VBOX HARDDISK"
  • SerialNumber matches regex ^VB[0-9a-f]{8}-[0-9a-f]{8}$
  • FirmwareRevision is "1.0"
  • CommandSetSupport.DownloadMicrocode is 0 but CommandSetActive.DownloadMicrocode is 1 (seems to be a VBox specific mistake in the data)

Some more generic checks, which I'll need to validate further:

  • WorldWideName is all zeroes.
  • CommandSetSupport.SmartCommands is 0
  • CommandSetSupport.WriteCache is 0
  • WordsPerLogicalSector[0] and WordsPerLogicalSector[1] are both 0
  • NVCacheSizeLSW is 0
  • CurrentMultiSectorSetting and MultiSectorSettingValid are both 0
  • InterSeekDelay is 0

gsuberland avatar Apr 12 '19 01:04 gsuberland

Got some additional dumps from friends, resulting in KVM / QEMU detection:

  • ModelNumber is "QEMU HARDDISK"
  • SerialNumber is "QM00001"

Their dumps verify that the generic checks also work on other hardware, although I have found one example of a real disk where NVCacheSizeLSW is 0 so that rules that check out.

gsuberland avatar Apr 12 '19 16:04 gsuberland

Looking for help from folks on this one. Please run ATAIdentifyDump on your machines, both on bare metal and in VMs, and reply here with:

  • Output from the tool attached as a text file.
  • The edition and version of your host OS (e.g. Windows 10 Pro 1909 or Ubuntu 20.04)
  • If running the tool under a VM, the edition and version of your guest OS
  • If running the tool under a VM, the VM platform and version (e.g. VirtualBox 6.1.16)
  • Any additional info (e.g. are you using a hypervisor? any interesting disk info?)

gsuberland avatar Oct 20 '20 18:10 gsuberland

Running on physical machine:

  • Output.log
  • OS Name: Microsoft Windows 10 Pro for Workstations - Version: 10.0.19041 Build 19041
  • Any additional info: Virtualbox is running on my host.

ayoubfaouzi avatar Oct 20 '20 22:10 ayoubfaouzi

Running on a VM

  • output.log
  • Host OS: Name: Microsoft Windows 10 Pro for Workstations - Version: 10.0.19041 Build 19041
  • Guest OS: Microsoft Windows 10 Pro - Version: 10.0.19041 Build 19041
  • Hypervisor VirtualBox - Version 6.1.14 r140239 (Guest Tools Available).

ayoubfaouzi avatar Oct 20 '20 23:10 ayoubfaouzi

Running on a VM

  • output.log
  • Host OS: Name: Microsoft Windows 10 Pro for Workstations - Version: 10.0.19041 Build 19041
  • Guest OS: Name: Microsoft Windows 7 Home Basic - Version: 6.1.7601 Service Pack 1 Build 7601
  • Hypervisor VMWare Workstation - Version: 15.5.6 build-16341506 (Guest Tools Available).

ayoubfaouzi avatar Oct 20 '20 23:10 ayoubfaouzi

Running on a VM

  • output.log
  • Host OS: Name: Microsoft Windows 10 Pro for Workstations - Version: 10.0.19041 Build 19041
  • Guest OS: Name: Microsoft Windows 7 Ultimate - Version: 6.1.7601 Service Pack 1 Build 7601
  • Hypervisor VirtualBox - Version 6.1.14 r140239 (Guest Tools Available).

ayoubfaouzi avatar Oct 20 '20 23:10 ayoubfaouzi