In this issue, data recovery experts from the Key Laboratory of Sichuan Province will explain their research on file recovery and extraction technology for WD hard disk with bad sectors. A more efficient method for firmware bad sector restoration is introduced to address the problems of inaccessibility of WD hard disk.
The latest China Hard Disk Market Research Report in Feb. 2016 revealed that Western Digital (WD) hard disks are one of the most popular hard disks on the market. Problems that investigatorsencounter during investigations often include inaccessibility caused by bad sectors, which greatly affects the efficiency of case solving. Thus, researches on techniques to address this problem and repair firmware bad sectors bear great importance for digital forensics.
WD ranked 2nd in brand awareness
1. What is firmware?
Firmware is the software solidified inside the hard disk.
1.1 Firmware makes hard disks ‘running’
Hard disks are small-sized computers and, just like cellphone software ensures smooth operation of cellphones, hard disks also need software to operate. The part that has software function in the hard disk, therefore, is called firmware.
Firmware shoulders the following responsibilities: manage storage location for hard disk data; record damaged or flawed sectors to avoid their usage during operation; keep track of temperature of the hard disk during operation; and record defects that occurred. A hard disk without firmware is just a pile of mechanical and electronic components.
1.2 Firmware program: a combination of main firmware and secondary firmware
Hard disk manufacturers divide tracks into two categories, the ones that store hard disk firmware and the ones that record user data. The former is the reserved zone (firmware zone, also referred to as negative sector by some people) of the disk that demands specific code or password to access, and cannot be accessed or managed by normal systems such as WINDOWS operating system.
Firmware program contains two identical parts, main firmware and secondary firmware, and the latter can be used to operate or repair when error or missing occurs. These two parts are stored in the disk based on disk capacity and track distribution, normally one at the 0 head and the other 1 head. Different functions are further divided into groups by the manufacturer to manage the firmware more efficiently and provide high-speed data reading.
For firmware, tracks include groups and blocks, the more specific executive function is contained in a group. If a track is compared to a book, then the groups are chapters and blocks are paragraphs in each chapter.
1.3 Types of Bad Sectors
Firmware files are getting increasingly larger with the development in hardware technology, which makes ROM space on circuit board insufficient to hold those files. Firmware was held on circuit board previously, then partially on circuit board and partially on disk, and entirely on disk by now. Depending on different brands, some disks are holding partial firmware files on circuit board of the chip and partial on negative tracks (tracks before zero track), and others entirely on negative tracks. Bad sectors of hard disks usually fall into two categories: physical bad sectors and logical bad sectors.
Physical bad sectors Scratches or magnetic wakening will result in reading failure when accessing a certain sector on a hard drive.
Logical bad sector: ECC validation errors will also lead to failure in accessing a certain sector on a hard drive.
Sector erasing can be used to address logical bad sector problems, and sector remapping (replacing of the damaged sector with back-up sector provided by the manufacturer) for physical bad sectors.
2. Operating Principle for Firmware
Mapping block is the most important one among all blocks. Working parameters will indicate the exact location of the corresponding mapping block when the hard drive is powered on and in operation.
The relationship between mapping blocks and ROM chips are as such: mapping blocks are the initiator of a WIMDORS operating system; and when failure occurs in establishing proper connection between mapping blocks and the hard drive, the WIMDOWS system cannot be initiated and thus no application based on the system can be used.
Mapping blocks record the mapping structure of firmware storage, which includes the positioning of most key blocks but not that of some hidden modules.
3. Methods for Restoration of Firmware Bad Sectors
Locate the mapping block in the firmware zone through configuration information in ROM, and conduct remapping of bad sectors within the block.
3.1 ROM Structure
WD hard disk ROM chip information contains boot code and multiple modules (configuration information) that are differentiated through serial numbers. The following picture shows the header of ROM firmware module in a WD hard disk.
ROYL is the header and 0x0D the serial number of this module
The 0xOB block is the mapping block of ROM and records offset addresses of all modules, including mapping blocks, in ROM, as in the picture.
0x012E5B is the UBA of module 0x01 (mapping module on the disk)
3.2 Structure of Mapping Blocks
Each block catalog of the mapping blocks consists 0x12 bytes and has the following structure, shown in the picture: length of the module (1)+number of backup (2)+serial number of the module (2)+ size of the module (2)+unknown(4)+UBA of main module (4)+UBA of secondary module (4).
Structure Data of Mapping Module
The remapping of firmware sectors is realized by changing the starting position of the block that contains the bad sector in the mapping block.
This technique has the following advantages and abilities: to parse mapping block in the hard disk and access the hardware module through UBA; to complete verification and address the double erasure problem for logical bad sectors by using low-lattice operation area; and to realize restoration through block offset realized by changing modules for physical bad sectors. This technique can provide solutions to problems of inaccessibility of firmware in the hard disk and is currently applied in SalvationDATA DRS(Data Recovery System). Readers interested in related technology are welcomed to join our discussion.
Click HERE to learn more about DRS.