
Conclusion

So, there you have it. While the hard disk controller is a beast about which very little is publicly documented, it is still perfectly possible to reverse engineer it and to write custom code for it. That obscurity does make it harder to write generic hacks, which makes me doubtful that something like the evil firmware patch will ever be seen in the wild: it's much easier to just get another zero-day software exploit than to reverse engineer the firmware of every single hard disk in every server you stumble upon.

I also hope to have shown that a broken hard disk is still something you can use. While the mechanics of a broken HD are probably shot, the PCB still contains a usable embedded system, which is actually pretty powerful considering you can usually get broken hard disks for free.

Releasing the source code for a security project is always a nasty subject. I want to release code, but I do not want to be responsible for a lot of permanently hacked servers... I decided to compromise: you can download the code I used here, but I removed the shadow-replacement code. Note: I'm not going to support the process of getting all this running in any way; it's a hack, you figure it out.


Last 10 comments

pctek9 wrote at 21 Mar 2015, 18.14:

The United States is the only superpower supporting freedom and democracy. Now that we know the NSA uses this through Equation Group, just imagine what those brilliant little Chinese electronic designers have at their disposal? Or even the Russians? I bet MSS and FSB have firmware rewriters that have not been discovered yet. Isn't it really time for antivirus that scans firmware, and firmware signing, or even a physical r/w switch to update firmware?

E:V:A wrote at 3 Mar 2015, 12.27:

BTW, I assume you've probed for additional serial interfaces? Because all M3's are specified to use both JTAG and SW (serial) interfaces for debug purposes, which probably means you should see some dmesg-like output during bootup, somewhere...

Casey wrote at 1 Mar 2015, 20.33:

Interesting article. Sounds like you had some fun working all this out. My laptop has killed two HDs so far in less than a year. The errors reported by the drive are confusing if not crashing the USB modules in Linux, making standard recovery rather difficult. I'm thinking that your code might help in recovering some of the data off the drives.

Black wrote at 28 Feb 2015, 15.07:

"The unknown-ness of the controller does make it harder to write generic hacks, which makes me doubtfull that a thing like the evil firmware patch will ever be seen in the wild" How dangerously ignorant. Such unknown-ness is *exactly* the reason why groups like the NSA would use such evil 'patches'. And as it is known now, they've been using it for 15 or more years. (If not just from the start, when hard disks were common devices.)

Steve Dupuis wrote at 20 Feb 2015, 20.34:

Hi .. The disk drive hacking is so far my favorite article on your site. It has helped me learn a lot more about storage and file systems. What is your background? Do you have a CV online? I'm just curious to know how you got into this. Regards, Steve Dupuis Ottawa, Canada

Sokolum wrote at 20 Feb 2015, 16.11:

One question: can a modified HD firmware prevent, when doing a full format ('Darik's Boot and Nuke'), some hard drive sectors from being formatted (being skipped during format)?

byteme wrote at 19 Feb 2015, 13.17:

<<<The unknown-ness of the controller does make it harder to write generic hacks, which makes me doubtfull that a thing like the evil firmware patch will ever be seen in the wild>>> It's in the wild, I believe the firmware, of eleven major Hard Drive Makers, has been hacked already by a group known as Equation. http://threatpost.com/inside-nls_933w-dll-the-equation-apt-persistence-module/111128 http://www.zdnet.com/article/beyond-stuxnet-and-flame-equation-group-most-advanced-cybercriminal-gang-recorded/?tag=nl.e539&s_cid=e539&ttag=e539&ftag=TRE17cfd61

CraigB wrote at 19 Feb 2015, 9.56:

use PPM / PWM to make the SATA port give you audio directly. Just add a cap to remove the DC and you have music!

vimtut0r wrote at 18 Feb 2015, 18.48:

http://www.heise.de/security/news/foren/S-Equation-Group-Hoechstentwickelte-Hacker-der-Welt-infizieren-u-a-Festplatten-Firmware/forum-292282/list/

@Disceater wrote at 18 Feb 2015, 14.46:

@Disceater, of course, the cost will be performance.

© 2006-2014 Sprite_tm