xbox hard disk lock
I recently tried to unlock a xbox hard disk.
Here's what I learned :
- Recent ATA specs allow some hard disks to be "locked" (see t13.org for the gory details). A hard disk will report its "security" status in the last bits of the identify packet.
- A disk can be locked with a 32 bytes password. The locking will be effective after the next poweron of the disk (or the next ide reset ; I don't know exactly ; but rebooting the computer was enough).
- Once locked, the disk can't be accessed anymore. It's still detected and you can issue ATA commands, but it will respond with errors.
- You can unlock a disk, but you need the same 32 bytes password, and the unlocking is temporary. At next powercycle (or ide reset?) the disk will be locked again.
- Once the disk is unlocked, you can disable the password (you need the password again to do that) ; then security is disabled (and you won't need the password for the next boots).
- There's also a "master password", and a "security level". The master password is set at factory (there are defaults for each hard disk vendor ; google if you need factory master passwords). If the security level is "high", then the master password can be used to "break" the password. If the security level is "maximal", no can do.
- In all cases, there's a "blank media and forget passwords" command, allowing to turn back the hightech paperweight into a working hard disk (but losing the data on it).
The XBOX has an EEPROM holding a lot of things. Among misc things, there is a HDDKey, but IT IS NOT the password for the hard disk ! It's just a 16 bytes string. But, if you compute some SHA1 digest involving this string + the hard disk model + the hard disk serial number, and pad the result with zeroes, you get the hard disk password.
I don't know the exact formula, but you might be interested to know that the hard disk model and serial are used - that means that you CAN'T compute the password for a hard disk without the disk itself. That means that if you replace your xbox hard disk, then use evox (or something else) to get the hd password, to re-use the xbox hard disk in another computer, the hd password will be wrong. BUT, with the hddkey (given by evox) and the hard disk in another (linux) computer, you can compute the key !
Here are a couple of things to know : there is an small and useful program named "hdtool" (google hdtool xbox linux), you can fetch it from xbox-linux cvs tree. It allows to lock/unlock/disable-password, and you can provide either the disk password, or an xbox eeprom image. It can also be run from an xbox and extract all the needed information by itself. And finally, it's easy to patch it to accept a hddkey too ! (that's what I did.)
Second useful information : the security commands require "taskfile" access, which is generally disabled in stock linux kernels. You have to recompile your kernel enabling CONFIG_IDE_TASK_IOCTL, "Raw Access to Media" in the kernel configuration scripts. Also, I experienced kernel oopses with 2.4 series ; but it worked alright with 2.6 kernels (it might be due to buggy IDE chipset, or kernel specific version, etc. ; I was testing a 2.4.26 kernel and a 2.6.5 kernel on a i820 (piix) mobo).
Warning : with a 2.4 kernel, I could lock a hard disk but I was then unable to unlock it ... Happily 2.6 kernel could unlock it :-)
Comments