Posts Tagged ‘foremost’

A disk on the shelf

Wednesday, February 25th, 2009

Some days ago a friend came by late at a Friday night and brought a hard disk. He did not know what was wrong with it, but told me, that he was not able to access the data but he needs it within six days. As I was just about to develop a nice cold that evening and only wanted to hide in my bed that weekend I just put the disk on my shelf and promised him to look at it by Sunday evening.

I tought it was some partitioning problem or filesystem corruption that could be repaired. In the worst case I thought I needed to do an image of the disk and dig for files manually or try to find some data with foremost which is a nice tool to recover files from storage media that got deleted. It will walk though the complete media and look for known file headers and dump the data. This works quite nice. I restored a friend’s holiday pictures of a deleted memory card that way last year .

The cold came and so did the headache. Saturday came and passed by. But on Sunday evening when I opened the box with the hard disk and saw the manufacturer label I directly understood the problem. It was a Seagate drive. I remembered that a few weeks ago I read about a firmware bug on Seagate drives in the IT news here and here.

This firmware bug can turn the drive unusable. When I connected this drive to my computer in an external HDD case it was not detected. Connecting the drive with a SATA cable directly with the mainboard even prevented the bios from completing its hardware probes. Meanwhile I found a firmware upgrade boot CD on the Seagate support website but either I could boot from CD without connecting the defective drive or the drive was connected and my machine wasn’t able to boot anything.

After some googling I found out what happened to the drive. It ran into the firmware bug, it detected the malfunction on is own and deactivated itself in order to not loose any data. The bad thing about that was, that for a firmware update the drive had to start which was prevented due to the self protection of deactivating itself. Nice deadlock. Ok, the data was still there and could be recovered by data recovery companies like Ontrack. As the regular service would have taken too long and the 24-hour service was too expensive there was only one way left. Hack the drive yourself!

When I was searching for more information on the topic I found two posts about a team that successfully hacked the firmware and reactivated multiple drives after they ran into this bug. Find them here and here. In the next post I will describe how we did it (my friend came by on Monday and helped me).