Hard Disk Firmware Hacking (Part 3)

Before we get started with part 3, I have a few updates regarding part 1 & 2.

I’ve found that the reset pad on the JTAG header is not actually a system reset (SRST) but a TAP reset (TRST), which isn’t very useful for debugging. Here is the updated layout with the system reset signal added (this will allow the ‘reset halt’ command to break on the reset vector, before any instructions are executed).

In my case there wasn’t a test pad for the SRST line, but there was a very small exposed bit of copper underneath the serial sticker, which was connected to the SRST pin of the CPU.

Ceriand on Reddit pointed out that the JTAG header matches the footprint of a MICTOR connector (38 or 40 pin one usually), so if you don’t want to do any soldering you could get yourself a MICTOR connector and cable.

MICTOR 38 connector

I’ve also found out the hard way that older PSUs don’t like to be used at extremely low voltage (components inside them tend to explode), so I recommend buying a decent AC to Molex power adapter (don’t get the cheap ones, they die after a day).

Apparently glass fuses like to explode and send shards flying everywhere

Lastly: because the JTAG header has an RTCK connector, you should be able to set adapter_khz in the openocd config to 0. The JTAG can then use adaptive clocking, which should prevent any timeout errors.

Bootstrap & Bootloader

After some reversing I’m now convinced that the bootstrap code in Part 2 is not used during a normal boot. On execution it waits for some data on a port (most likely the serial port), then acts accordingly. If no data is found, the code goes into an infinite loop and the drive never boots.
On this CPU the 0x1C00A000 – 0x1C00AFFF range appears to be mapped to various ports and test pads all around the PCB. Now, because I don’t have the money for an oscilloscope or decent logic analyzer I’m going to have to pass up on mapping these ports, even though it would make things easier.
All this code does is read some kind of switch which enters the system into a specific mode based on the value:
  • 4 – Not sure, but it waits infinitely for a value on some port. My assumption is this code probably allows developers to read/write/erase the processor’s internal flash.
  • 3 – Jumps to the address in R4 (in my case this is 0, but that could be by design)
  • 6 – A serial console which looks for ASCII bytes (r, w, j, h) on the serial port, allowing the developer to send read, write, jump, and halt commands.
I’m not familiar with how ports are mapped to memory, but 0x1C00A030 is always 0 while 0x1C00A03A is always 0xFFFF (which I assume means one is constant at a low voltage and the other constant at a high voltage).
Interestingly if we set a hardware breakpoints on “cmp R1, #3” and set R1 to 3, the code will jump to address 0 and boot normally (this is why I think 0 doesn’t mean uninitialized). Let’s see what’s at address 0.
Address 0 is usually RAM, but there’s already valid code here, so it’s quite likely the CPU temporarily maps address 0 to some area of the internal ROM during boot. This is a standard ARM IVT, which you’d see at the boot address of any ARM devices; making me think the bootstrap at 0xFFFF0000 is only executed if the CPU detects a JTAG is attached. Until I can buy a decent logic analyzer and figure which port allows us to control the bootstrap mode switch, the only apparent way to boot the disk normally with a JTAG attached is to perform a “reset halt” then manually set R1 to ‘3’ just before the check.
In this case the boot code is all over the place with massive gaps between sections, my next step will be to map, dump, and reverse it. I’d probably have done that already, but my power adapter didn’t arrive until yesterday. 
Best Languages to Learn for Malware Analysis

One of the most common questions I’m asked is “what programming language(s) should I learn to get into malware analysis/reverse engineering”, to answer this question I’m going to write about the top 3 languages which I’ve personally found most useful. I’ll focus on native malware (malware which does not require …

Investigating Command and Control Infrastructure (Emotet)

Although the majority of botnets still use a basic client-server model, with most relying on HTTP servers to receive commands, many prominent threats now use more advanced infrastructure to evade endpoint blacklisting and be resilient to take-down. In this article I will go through and explain my process of identifying …

Creating a Simple Free Malware Analysis Environment

Computer Requirements: A CPU with AMD-V or Intel VT-x support (pretty much any modern CPU). 4 GB RAM (more is better). Make sure Virtualization (AMD-V or Intel VT-x) is enabled in the BIOS. To do this, you’ll need to google “enable virtualization” along with your bios or motherboard version, then …