Hard disk hacking - Persistence

Welcome

• Hardware stuff
• Hacks
  • Hacking the VPx500
  • DMGPlus
  • Hard disk hacking
  • Hacking the Kodak Zx3
  • Frekvens LED box hack
  • Dumb to managed switch conversion
  • Magic Printer Cartridge Paintbrush
  • Snake on a Keyboard
  • Twittering vintage arcade game
  • Fluke 15B+ WiFi
  • LEDs replacing CCFL backlight
  • Laptop keyboard LED
  • Convert a SMC WSKP100 to use SIP
  • Optical mouse-cam
  • Use a cheap digital photoframe as a second display for your PC
  • Add USB to a Sweex LB000021 router
  • Standalone HPLJ display hack
  • Damocles' Swordfish
  • Cluster using WT-300s
• Console hacking
• Security
• Software
• Nabaztag
• About Spritesmods

Persistence

Ofcourse, I could make this into a full hack, but needing to use JTAG to poke it in RAM every time the hard disk boots would make it pretty useless. I needed to make it persistant, that is, I needed to store my modifications somewhere where it would be picked up again every time the hard disk powers on.

My location of choice was the flash rom. I could probably also have put it somewhere in the reserved sectors on the disk itself, but if I messed something up, I would have no way to recover my disk. The flash chip is just an eight-pin standard part, so I could easily take it out, flash it and put it in again. For that purpose, I desoldered it and put it on a bit of veroboard, so I could easily switch it between a programmer and the hard disk:

Now, what to put in the flash? Luckily, the format of what's stored in the chip already has been figured out: it consists of multiple blocks of data, with a table describing them at the very start. That table describes the location of the block in flash, how it's compressed (if it is compressed), the location where the block should be put in RAM and, for the final address, an execution point where the loader would jump to to start executing the program.

Unfortunately, I couldn't modify the code that was in the flash; the bits that contained the parts where I wanted to put my hooks was compressed with an unknown compression algorithm, so I couldn't modify that. What I however could do was add an extra block, and modify the execution address so that block would get executed before the rest. That made things a bit easier: when 'my' block got executed, I could just code it to insert the hooks in the now decompressed bits of code.

Ofcourse, I had to dis- and re-assemble the flash binary for this. I created a tool for that, unimaginatively called 'fwtool'. This tool can dump out the various blocks in the flash, plus translate the header into a text file for easy modification. You can then modify, delete or add a block and re-assemble everything into a single firmware file, ready to be re-flashed. I used that to add my custom bit of code to the image, flashed everything back to the chip, put the chip back into the HD, booted everything back up and this was the result:

The result isn't that shocking: it's exactly the same as I had before. The trick is that I didn't need the JTAG-rig to get it.

« Prev 5 Next »