How to unlock a Seagate Drive (prior to F3).

Post by Spildit » Wed Apr 10, 2013 9:40 pm

This is a step-by-step guide on how to unlock a Seagate drive prior to the F3 arch.

Start by getting a TTL adaptor on eBay or somewhere else and connect the terminal to the Seagate drive as you would normally do. If you see F3 T> when pressing CTRL+Z, STOP, as this set of instructions will not work for newer drives.

- Press CTRL+Z
- Input ?

Should display something like :

RD:0000:10
WR:0010:10
AC:0027:FF
AS:0126:63
SC:0189:FF
DP:0027:FF
BA:0023:03
ST:0026:01
logbps:0200
codebps:0200

uP:0FE8:18
FM:0020:03
AD:0020:06
RL:0F01:02
SL:0F1B:A5
AL:0F03:18


In my example:

RD:0000:10
WR:0010:10


RD is the Read Buffer - 0000
WR is the Write Buffer - 0010

You will need to jot down the ones that you have for your drive in reply to the ? command.

You will have to check that first for each drive you need to unlock.

Now, without turning off either the terminal or the drive, do:

CTRL+R - This will load the CERT code.
CTRL+Z - This will allow you to send commands at T level.

T>G1 - This will seek to the first firmware sector
T>/2 - This will change to level 2

And now I will post a list of the sector number in the vendor track where the password is for each drive family:

U5 --- 5
BARRACUDA II --- 7
BARRACUDA III --- 5
BARRACUDA IV --- 5
BARRACUDA V --- 5
BARRACUDA 7200.7,8,9,10 --- 6
U SERIES 7 --- 5
MOMENTUS --- 6

What is the drive that you are trying to unlock? Check the label. Use the number from the table.

Let's say you want to unlock a Barracuda IV, sector would be 5, so try:

2>r,5,10

Please be careful to input lowercase r and 5 is the number for your drive family according to the table.

On my Barracuda IV the reply on the terminal should be something like:

  Code - 43  Track 700C.1.007  Sns 007  Rty 9F73.2F.40FF  Rtf 1860  LBA 002B94
C5


Now do :

2>C000,,10
2>B010

Note that I'm using the numbers from the Read Buffer to read the info on that sector and put it on the Write buffer. 000 and 010 from the Read and Write buffer for your drive.
Use upper case.

You should see something like :

buffer 0010 comparing to 0010 RD:0000:10:00 WR:0010:10:00
Addr 0 1 2 3 4 5 6 7 8 9 A B C D E F 10 1 2 3 4 5 6 7 8 9 A B C D E F
002000 01005365 61676174 65202020 20202020 20202020 20202020 20202020 20202020
002020 20204D61 72696C75 7A000000 00000000 00000000 00000000 00000000 00000000
002040 00000020 24020000 00000000 00000000 00000000 00000000 00000000 00000000
002060 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
002080 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0020A0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0020C0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0020E0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
002100 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
002120 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
002140 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
002160 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
002180 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0021A0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0021C0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0021E0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
002200 00000000 00000000 00000000 00000000 00000300 02000100 00000000 00000000

The numbers in RED indicate a bit set to 01 (password on) and the blue, when converted from hex to ASCII, gives us "Seagate".

Now I would go here:

http://www.asciitohex.com/

and would input the letters in blue in the Hex box.

That would return the password in the ASCII box.

If you find out that you are on the WRONG SECTOR you can use CTRL+C to start again. This will reset the firmware, like powering the drive off and on.

Now if the code can't be turned into text ..... Or the characters in the password are strange ones that can't be entered to unlock the drive ....

Just change the bit 01 (locked) to 00 (unlocked).

To do that, in my example:

2>


2>/1
1>U002000

Adr 02000 = 00 --> 00
Adr 02000 = 01 -->
1>


1>B010
buffer 0010 comparing to 0010 RD:0000:10:00 WR:0010:10:00
Addr 0 1 2 3 4 5 6 7 8 9 A B C D E F 10 1 2 3 4 5 6 7 8 9 A B C D E F
002000 00005365 61676174 65202020 20202020 20202020 20202020 20202020 20202020
002020 20204D61 72696C75 7A000000 00000000 00000000 00000000 00000000 00000000
002040 00000020 24020000 00000000 00000000 00000000 00000000 00000000 00000000
002060 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
002080 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0020A0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0020C0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0020E0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
002100 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
002120 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
002140 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
002160 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
002180 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0021A0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0021C0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0021E0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
002200 00000000 00000000 00000000 00000000 00000300 02000100 00000000 00000000
1>

1>/T
T>G1
T>/2
2>w,5,10
2>


You would have to change the commands to use on your drive :

Explanation :

2>/1
1>U002000

Adr 02000 = 00 --> 00
Adr 02000 = 01 -->
1>

buffer 0010 comparing to 0010 RD:0000:10:00 WR:0010:10:00
Addr 0 1 2 3 4 5 6 7 8 9 A B C D E F 10 1 2 3 4 5 6 7 8 9 A B C D E F
002000 00005365 61676174 65202020 20202020 20202020 20202020 20202020 20202020
002020 20204D61 72696C75 7A000000 00000000 00000000 00000000 00000000 00000000
002040 00000020 24020000 00000000 00000000 00000000 00000000 00000000 00000000
002060 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
002080 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0020A0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0020C0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0020E0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
002100 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
002120 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
002140 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
002160 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
002180 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0021A0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0021C0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0021E0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
002200 00000000 00000000 00000000 00000000 00000300 02000100 00000000 00000000

And for the last part, to write back the sector to the drive with that bit changed :

1>/T
T>G1
T>/2
2>w,5,10
2>

Remember to replace by the sector of your drive !!!


Also you should note that :

When editing buffer :

For example :

1>U81A00

Adr 81A00 = 01 --> 00

{Shift+Enter = Save and Edit byte again}
{Ctrl+Enter = Save and Edit Next byte}
{Enter = Finish}


When you have 01 and want to change to 00 you should :

1 - Input 00
2 - Press enter
3 - Press enter again on the next field to stop editing it.

Then you have to write the buffer to the drive again, using the last procedure.
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
https://www.paypal.me/Spildit - (PayPal Donations)
Spildit
Founder
Posts: 9289
Joined: Sat Apr 06, 2013 3:59 pm
Location: Portugal
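
Added example (not part of the original post): the hex-to-ASCII step from the guide done offline in Python, by parsing the B-command dump layout shown above. The sample input is the first three rows of the post's own dump; treating the first dumped byte (address 002000) as the password flag follows the post's example and is an assumption for any other drive.

```python
import re

# Constructed sample: the first three rows of the buffer dump shown in the post.
SAMPLE_DUMP = """\
buffer 0010 comparing to 0010 RD:0000:10:00 WR:0010:10:00
Addr 0 1 2 3 4 5 6 7 8 9 A B C D E F 10 1 2 3 4 5 6 7 8 9 A B C D E F
002000 01005365 61676174 65202020 20202020 20202020 20202020 20202020 20202020
002020 20204D61 72696C75 7A000000 00000000 00000000 00000000 00000000 00000000
002040 00000020 24020000 00000000 00000000 00000000 00000000 00000000 00000000
"""

# One dump row: 6-digit hex address followed by eight 32-bit hex words.
ROW = re.compile(r"^([0-9A-Fa-f]{6})((?: [0-9A-Fa-f]{8}){8})$")


def parse_dump(text):
    """Rebuild (base_address, bytes) from the dump rows, skipping header lines."""
    base, data = None, bytearray()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # banner, column header, prompts
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        if addr != base + len(data):
            raise ValueError(f"gap or misordered row at {addr:06X}")
        data += bytes.fromhex(m.group(2).replace(" ", ""))
    if base is None:
        raise ValueError("no dump rows found")
    return base, bytes(data)


def ascii_runs(data, base, min_len=4):
    """List (address, text) for runs of printable, non-space ASCII."""
    pattern = rb"[\x21-\x7e]{%d,}" % min_len  # space (0x20) is field padding
    return [(base + m.start(), m.group().decode("ascii"))
            for m in re.finditer(pattern, data)]


def summarize(text):
    """Flag byte (assumed: first dumped byte) plus readable strings."""
    base, data = parse_dump(text)
    return {"base": base, "flag": data[0], "strings": ascii_runs(data, base)}


if __name__ == "__main__":
    info = summarize(SAMPLE_DUMP)
    print(f"flag at {info['base']:06X} = {info['flag']:02X}")
    for addr, text in info["strings"]:
        print(f"{addr:06X}  {text}")
```

Runs that contain spaces are split by this filter, and a password made of non-printable bytes will not show up as a string at all, which is the case the post handles by clearing the flag instead.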

Re: How to unlock a Seagate Drive (prior to F3).

Post by Drforbin » Thu Apr 11, 2013 7:48 pm

Great article....

One question though...
Why did you do the copy to the write buffer....It surely wasn't just to read contents with B command.
Was it in preparation for the eventual write back?


thanxs
Drforbin
Guest

Re: How to unlock a Seagate Drive (prior to F3).

Post by Spildit » Thu Apr 11, 2013 8:05 pm

Yes,
To edit the buffer and write it back.
:D

Re: How to unlock a Seagate Drive (prior to F3).

Post by Drforbin » Fri Apr 12, 2013 3:06 am

Do you always just read 10 sectors off vendor track? (i.e. r5,10)?

Re: How to unlock a Seagate Drive (prior to F3).

Post by Spildit » Sat Apr 13, 2013 7:50 pm

Drforbin wrote: Do you always just read 10 sectors off vendor track? (i.e. r5,10)?


Yes. 10 sectors are enough to peek at the bits and see what it looks like. No need to read more at the same time.

Re: How to unlock a Seagate Drive (prior to F3).

Post by Spildit » Sun May 18, 2014 8:44 pm

While the above mentioned method works just fine for drives from the Barracuda family prior to F3 arch (except module based drives), the method is a little bit "obsolete" now that it's very easy and cheap to obtain tools like STCom that allow the dump of the "Vendor Track" to a file, and back to the drive.

viewtopic.php?f=143&t=652

While the majority of the Seagate firmware tools will have a facility to remove the ATA password automatically, this is how you would dump the vendor track manually to look for the password with a Hex-Editor:

- In this example I'm using STCom, so load the software.

st.jpg


- Make sure that the TTL is correctly connected, press the connect button on the top of STCom 2 times to get the red signal on "port".

- Click on "Buffer Address" "Module Address" and "A" for the software to calculate the correct addresses of firmware on the platter.

- Move the R/W rate speed to something like 38400. The lower the speed the better. Higher speeds will cause errors transferring the firmware and the software might jam. You want to use a speed that is not too slow but also not too fast. The newer the drive is the faster it will be as well, in other words, it will allow you to transfer data by the COM port at a higher speed without errors or software hanging.

- Look for Ven: and press the R button. This will read the entire vendor track and save it to a file. If you later want to save it back (if you edit the vendor track to remove the password from it and you want to save it back) you do the same procedure up until this point but this time you click the W button to write the entire vendor track back to the drive.

- Open your vendor track with a hex editor and look for the passwords in it, as in my example (the drive wasn't locked in my example and has the master password "Seagate"). You can now use something like MHDD or Victoria to unlock the drive or edit the vendor track to clear out the password and the bit that sets the password as "on".

1.jpg


- Now instead of downloading the entire vendor track you might as well download from the drive just a little portion of the entire vendor track, or a little component of it. Using STCom you click on Backup FW and you use the A button for STCom to figure out what drive you are using and select a path to save your firmware components. For this exercise you just need to checkmark the box with Vendor and select a baud rate that is not too high, so that you don't have problems during the backup.

- This way you will retrieve a smaller file and the procedure will be faster. Open it with the Hex-Editor as explained above.

- Done !!!!

