I suspect that both my HDD and SSD may be infected. Is it possible to take an image of the firmware? How do I go about doing it?
Not sure if this is still true, but a few years ago EnCase was the clear market leader. Wikipedia has a [list of digital forensics tools](https://en.wikipedia.org/wiki/List_of_digital_forensics_tools) – paj28 Oct 29 '18 at 14:02
From Seagate on the topic of firmware: "External, Serial ATA, and ATA drives are not designed for field firmware updates by end users." http://knowledge.seagate.com/articles/en_US/FAQ/206091en This would lead me to believe there are no public interfaces and probably require special tools (e.g. firmware flash from a proprietary connector and/or accessible by disassembling the body). I don't know this though. – thepip3r Oct 29 '18 at 15:00
Here is a good start https://www.malwaretech.com/2015/04/hard-disk-firmware-hacking-part-1.html & http://forum.hddguru.com/viewtopic.php?f=13&t=31127 – Soufiane Tahiri Oct 29 '18 at 15:56
2 Answers
There is a standard to write firmware, the ATA DOWNLOAD_MICROCODE command and the segmented version (transfer protocol 3), but there is no standard for reading the firmware back. As another answer says, some manufacturers may add their own vendor-specific techniques to do so.
There is another reliable way to access firmware, but it cannot be done from software. Opening the drive to see the controller will expose the firmware chip (flash or EEPROM) which can be read directly using specialized hardware designed to interface with the chip, such as a SPI reader. Sometimes, the controller chip has internal flash, meaning there is no external chip to read, which would mean attaching a JTAG probe to the chip is the likely solution to obtaining the firmware.
There are two excellent resources showing what it takes to read the firmware so it can be modified and replaced which I know of. Specifically, an incomplete (?) write-up on HDD firmware-based MBR rootkits from Malwaretech and the classic Linux port to an HDD by SpritesMods. An image from the latter showing the flash chip which you'd need to directly interface with to read is below.
There aren't tools readily available to read/dump an SSD firmware (except for a few specific cases). Each manufacturer implements their hardware and firmware however they want. This means there's no standard protocol to dump an SSD firmware.
The only way we get a tool to dump a specific vendor's firmware is if they release it, or someone reverse engineers one. Reverse engineering a firmware dumper can be difficult, and doesn't necessarily apply to all drives from a manufacturer since they could change chipsets, or protocols for firmware interaction on new models at any time.
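Both answers come down to the same point: software can write firmware through DOWNLOAD MICROCODE but cannot read it back, so what a defender can actually collect from the drive is its IDENTIFY DEVICE data (model, serial, firmware revision, and whether DOWNLOAD MICROCODE is advertised at all) for comparison against the vendor's published revision. The parser below is an added example, not code from either answer; the word and bit positions are assumed from the ATA/ACS IDENTIFY DEVICE layout, and the 512-byte block it parses is constructed rather than read from a real drive.

```python
import struct

# Word/bit positions follow the ATA/ACS IDENTIFY DEVICE layout (assumed here,
# not taken from the answers above); strings are 2 chars per 16-bit word.
SERIAL_WORDS, FW_REV_WORDS, MODEL_WORDS = (10, 20), (23, 27), (27, 47)
DL_MICROCODE = 1 << 0        # word 83 (supported) / word 86 (enabled), bit 0
DL_MICROCODE_DMA = 1 << 4    # word 119 (supported), bit 4

def ata_string(words, start, end):
    """ATA strings arrive byte-swapped: the high byte of each word is the first char."""
    raw = b"".join(struct.pack(">H", w) for w in words[start:end])
    return raw.decode("ascii", errors="replace").strip(" \x00")

def word_valid(w):
    """Words 83, 86 and 119 are only meaningful when bit 14 = 1 and bit 15 = 0."""
    return (w & 0xC000) == 0x4000

def parse_identify(buf):
    """Reduce a raw 512-byte IDENTIFY DEVICE block to the fields worth recording."""
    if len(buf) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    words = struct.unpack("<256H", buf)
    w83, w86, w119 = words[83], words[86], words[119]
    return {
        "model": ata_string(words, *MODEL_WORDS),
        "serial": ata_string(words, *SERIAL_WORDS),
        "firmware": ata_string(words, *FW_REV_WORDS),
        "dl_microcode_supported": word_valid(w83) and bool(w83 & DL_MICROCODE),
        "dl_microcode_enabled": word_valid(w86) and bool(w86 & DL_MICROCODE),
        "dl_microcode_dma": word_valid(w119) and bool(w119 & DL_MICROCODE_DMA),
    }

def build_sample():
    """Constructed IDENTIFY DEVICE block for offline testing (not read from a real drive)."""
    words = [0] * 256

    def put(text, start, end):
        padded = text.ljust((end - start) * 2).encode("ascii")
        for i in range(end - start):
            words[start + i] = struct.unpack(">H", padded[2 * i:2 * i + 2])[0]

    put("S3RIALNUM0000", *SERIAL_WORDS)
    put("FW01.ABC", *FW_REV_WORDS)
    put("CONSTRUCTED HDD MODEL", *MODEL_WORDS)
    words[83], words[86] = 0x4001, 0x4001  # valid; DOWNLOAD MICROCODE supported and enabled
    words[119] = 0x4010                    # valid; DOWNLOAD MICROCODE DMA supported
    return struct.pack("<256H", *words)
```

On a live system the same 512 bytes come from the OS's ATA pass-through (for example the raw output of an identify query), and the recorded firmware string is only useful when checked against the revision the vendor publishes for that model.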