
improve drive::test with new functionality

Open superg opened this issue 8 months ago • 0 comments

[ehw] readbuff (3c)

E7:

        mmc.cmd[0] = 0xE7; // vendor specific command (discovered by DaveX)
        mmc.cmd[1] = 0x48; // H
        mmc.cmd[2] = 0x49; // I
        mmc.cmd[3] = 0x54; // T
        mmc.cmd[4] = 0x01; // read MCU memory sub-command
        mmc.cmd[6] = (unsigned char) ((offset & 0xFF000000) >> 24);    // address MSB
        mmc.cmd[7] = (unsigned char) ((offset & 0x00FF0000) >> 16);    // address
        mmc.cmd[8] = (unsigned char) ((offset & 0x0000FF00) >> 8);    // address
        mmc.cmd[9] = (unsigned char) (offset & 0x000000FF);        // address LSB
        mmc.cmd[10] = (unsigned char) ((block_size & 0xFF00) >> 8);    // length MSB
        mmc.cmd[11] = (unsigned char) (block_size & 0x00FF);        // length LSB

Copied from friidump's source code because I'm lazy, but this is the cmd to test for. You just want to read LBA 0 onto cache to get the first block and check to see if PSN 30000 is on the cache; the first four bytes in cache for the first block should be 00030000. I recommend also determining sector return size if you can, as that can determine what's stored. Since you store a block, I just measure the distance from 00030000 to 00030001. Now, this is Hitachi's debugging opcode, which is confirmed to work with the Hitachi/LG GDR-816xB series of drives, and apparently there can be variants with it. @crediar found a variant, I think with the Hitachi GD-2500, but I don't remember what the difference in the CDB was. I think it was just the sub-command that was different.

https://docs.google.com/spreadsheets/d/1pu3oXHRJ_qlyXrsHUyXOzD5mNp7dU8rgrfVuRBLyQFA/edit?gid=0#gid=0

[crediar]

What I have for that drive are these, i.e. this is for dumping the FW of the drive:

    pscsi_in.Cdb[0] = 0xE7;
    pscsi_in.Cdb[1] = 'H';
    pscsi_in.Cdb[2] = 'I';
    pscsi_in.Cdb[3] = 'T';

    pscsi_in.Cdb[4] = 0x3C;
    pscsi_in.Cdb[5] = 0x01;

    pscsi_in.Cdb[9] = 0x02;
    pscsi_in.Cdb[10] = 0x00;
    pscsi_in.Cdb[11] = 0x40;

Write the FW:

    pscsi_in.Cdb[0] = 0xE7;
    pscsi_in.Cdb[1] = 'H';
    pscsi_in.Cdb[2] = 'I';
    pscsi_in.Cdb[3] = 'T';

    pscsi_in.Cdb[4] = 0x3B;
    pscsi_in.Cdb[5] = 0x04;
    pscsi_in.Cdb[6] = 0x00;
    pscsi_in.Cdb[7] = 0x00;

    pscsi_in.Cdb[8] = 0x00;
    pscsi_in.Cdb[9] = 0x02;
    pscsi_in.Cdb[10]= 0x00;
    pscsi_in.Cdb[11]= 0x40;

This is for dumping the RAM:

    pscsi_in.Cdb[0] = 0xE7;
    pscsi_in.Cdb[1] = 'H';
    pscsi_in.Cdb[2] = 'I';
    pscsi_in.Cdb[3] = 'T';

    pscsi_in.Cdb[4] = 0x3C;
    pscsi_in.Cdb[5] = 0x00;

    pscsi_in.Cdb[9] = 0x04;
    pscsi_in.Cdb[10] = 0x00;
    pscsi_in.Cdb[11] = 0x80;

And this is basically something that disables EDC checks, so you use that for dumping stuff:

    pscsi_in.Cdb[0] = 0xE7;
    pscsi_in.Cdb[1] = 'H';
    pscsi_in.Cdb[2] = 'I';
    pscsi_in.Cdb[3] = 'T';

    pscsi_in.Cdb[4] = 0x30;
    pscsi_in.Cdb[5] = 0x90;
    pscsi_in.Cdb[6] = 0x90;

    pscsi_in.Cdb[7]= 0xb1;

superg, Apr 14 '25 00:04
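
The cache check [ehw] describes above, sketched as an added example; it is not code from this issue, redumper or friidump. The function names are hypothetical, CDB byte 5 is assumed to stay zero because the quoted snippet never sets it, and the 2064-byte stride in `main` is a constructed sample value, not a measured one. Sending the CDB to a drive is left out; the code only builds the command and analyses a returned buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* CDB layout as quoted above; byte 5 is not set there, so it stays 0 (assumption). */
void hit_read_cdb(uint8_t cdb[12], uint32_t offset, uint16_t length)
{
    memset(cdb, 0, 12);
    cdb[0] = 0xE7; cdb[1] = 'H'; cdb[2] = 'I'; cdb[3] = 'T';
    cdb[4] = 0x01;                                   /* read MCU memory sub-command */
    cdb[6] = (uint8_t)(offset >> 24); cdb[7] = (uint8_t)(offset >> 16);
    cdb[8] = (uint8_t)(offset >> 8);  cdb[9] = (uint8_t)offset;
    cdb[10] = (uint8_t)(length >> 8); cdb[11] = (uint8_t)length;
}

static uint32_t be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Bytes per cached sector (distance from 00030000 to 00030001), or 0 if the
   buffer does not start with 00030000. A candidate distance is accepted only
   if every later header inside the buffer continues the sequence, so a stray
   00 03 00 01 inside sector data is skipped. */
size_t hit_sector_stride(const uint8_t *buf, size_t len)
{
    if (len < 8 || be32(buf) != 0x00030000u) return 0;
    for (size_t s = 4; s + 4 <= len; ++s) {
        size_t k = 1;
        while (k * s + 4 <= len && be32(buf + k * s) == 0x00030000u + k) ++k;
        if (k * s + 4 > len) return s;               /* all headers in range matched */
    }
    return 0;
}

/* Constructed sample: n sectors of `stride` bytes, each led by its 4-byte ID. */
void make_sample(uint8_t *buf, size_t stride, uint32_t n)
{
    memset(buf, 0xAA, stride * n);
    for (uint32_t k = 0; k < n; ++k) {
        uint8_t *p = buf + k * stride;
        uint32_t id = 0x00030000u + k;
        p[0] = (uint8_t)(id >> 24); p[1] = (uint8_t)(id >> 16);
        p[2] = (uint8_t)(id >> 8);  p[3] = (uint8_t)id;
    }
}

int main(void)
{
    static uint8_t cache[3 * 2064];                  /* 2064: constructed sample stride */
    make_sample(cache, 2064, 3);
    memcpy(cache + 100, "\x00\x03\x00\x01", 4);      /* decoy inside sector data */
    return hit_sector_stride(cache, sizeof cache) == 2064 ? 0 : 1;
}
```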