
Hard drive hack provides root access, even after reinstall - pd0wm
http://spritesmods.com/?art=hddhack
======
ChuckMcM
This was a great read. One of the things we've done in the past is to modify
the firmware of the drive to be able to give errors on command. The purpose
was for testing RAID systems in real life scenarios. One can include a 'unit
test' drive in a RAID array which will run through a series of known bad disk
behaviours. From the simple like returning read failure, to the more complex
like returning the wrong block or returning a block that has been silently
corrupted (both things NetApp observed in the wild on 'real' drives), and my
personal favourite acknowledging a write but not actually writing the data
(nearly killed the Cisco relationship they had at the time)
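
Added example, not from the article or from ChuckMcM: a small Go model of the "unit test drive" described above, with each of the four misbehaviours (read failure, wrong block, silently corrupted block, acknowledged-but-dropped write) as an injectable fault, plus the host-side check a RAID or filesystem layer needs in order to notice the three silent ones. The drive, its LBAs, the CRC32 and the fill patterns are all constructed. A naive reader gets wrong data back with a clean status; a reader that keeps its own per-block checksum (the approach ZFS takes) turns every one of them into a detectable error.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"hash/crc32"
)

// Faults the simulated drive can exhibit on one LBA (constructed for this example).
type Fault int

const (
	FaultNone          Fault = iota
	FaultReadError           // drive reports an uncorrectable read error
	FaultWrongBlock          // drive returns the neighbouring sector's data instead
	FaultSilentCorrupt       // drive returns the right sector with one bit flipped
	FaultPhantomWrite        // drive acknowledges the write but never stores it
)

var ErrMedium = errors.New("drive: uncorrectable read error")
var ErrChecksum = errors.New("checksum mismatch: drive returned wrong or corrupted data")

// FaultyDisk is an in-memory 512-byte-sector "drive" whose firmware misbehaves on badLBA.
type FaultyDisk struct {
	sectors map[uint64][]byte
	badLBA  uint64
	fault   Fault
}

func (d *FaultyDisk) Write(lba uint64, data []byte) {
	if lba == d.badLBA && d.fault == FaultPhantomWrite {
		return // acknowledged, but the data is dropped on the floor
	}
	d.sectors[lba] = append([]byte(nil), data...)
}

func (d *FaultyDisk) Read(lba uint64) ([]byte, error) {
	stored := append([]byte(nil), d.sectors[lba]...) // nil if nothing was ever stored
	if lba != d.badLBA {
		return stored, nil
	}
	switch d.fault {
	case FaultReadError:
		return nil, ErrMedium
	case FaultWrongBlock:
		return append([]byte(nil), d.sectors[lba+1]...), nil // misdirected read, no error
	case FaultSilentCorrupt:
		if len(stored) > 0 {
			stored[0] ^= 0x01 // one flipped bit, no error
		}
	}
	return stored, nil // FaultNone, or FaultPhantomWrite handing back what was never stored
}

// VerifiedRead is the host-side defence: a CRC32 per LBA, recorded by the host at
// write time and kept apart from the data (as ZFS keeps block checksums in the parent).
func VerifiedRead(d *FaultyDisk, sums map[uint64]uint32, lba uint64) ([]byte, error) {
	data, err := d.Read(lba)
	if err != nil {
		return nil, err
	}
	if crc32.ChecksumIEEE(data) != sums[lba] {
		return nil, ErrChecksum
	}
	return data, nil
}

// classify reduces a read result to "ok", "wrong-data" or the error text.
func classify(got []byte, err error, want []byte) string {
	if err != nil {
		return err.Error()
	}
	if bytes.Equal(got, want) {
		return "ok"
	}
	return "wrong-data"
}

// Exercise writes sector 100 (plus a neighbour, so a misdirected read has data to
// return) and reports what a naive reader and a checksum-verifying reader each see.
func Exercise(fault Fault) (naive, checked string) {
	d := &FaultyDisk{sectors: map[uint64][]byte{}, badLBA: 100, fault: fault}
	want := bytes.Repeat([]byte{0xAA}, 512)
	d.Write(100, want)
	d.Write(101, bytes.Repeat([]byte{0xBB}, 512))
	sums := map[uint64]uint32{100: crc32.ChecksumIEEE(want)}
	got, err := d.Read(100)
	naive = classify(got, err, want)
	got, err = VerifiedRead(d, sums, 100)
	return naive, classify(got, err, want)
}

func main() {
	for f := FaultNone; f <= FaultPhantomWrite; f++ {
		n, c := Exercise(f)
		fmt.Printf("fault %d: naive=%q checked=%q\n", f, n, c)
	}
}
```

The point for anyone testing arrays: a fault injector that only returns errors exercises the easy path. The misdirected read and the phantom write come back with a clean status, so only a checksum the drive never sees (CRC32 here, a stronger hash in real systems) distinguishes them from a good read.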

~~~
stephengillie
I especially like the idea of cannibalizing old HDDs (with bad spindles but
good controllers) to become microcontrollers in new projects.

~~~
aray
Not a bad idea, but also nearly everything we interact with, technology-wise,
has microcontrollers of some form or another. The AVRs so adored by the
arduino community actually exist in large volumes in automobiles, and even
crappy USB keyboards and mice which we might throw out have microcontrollers
in them.

So I'm all for scavenging compute bits for future projects, but it is by no
means unique to HDDs.

~~~
ChuckMcM
The key is tools, and OpenOCD is one of them, which let you "talk" to these
systems. I picked up a Black Magic probe [1] and am building cables for it to
talk to one of my ARM boards. That kind of stuff makes the spelunking
possible.

[1]
[http://www.blacksphere.co.nz/main/blackmagic](http://www.blacksphere.co.nz/main/blackmagic)

------
WestCoastJustin
If you liked this, then you might like Travis Goodspeed's really cool talk
about "Writing a Thumbdrive from Scratch" (for antiforensics) [1] at the 29th
Chaos Communication Congress [29c3].

[1]
[http://www.youtube.com/watch?v=D8Im0_KUEf8](http://www.youtube.com/watch?v=D8Im0_KUEf8)

~~~
Florin_Andrei
At some point, computer systems will be more like biologic systems - they will
just carry a more or less permanent "flora" of parasites, that will have to be
tolerated unless they become explicitly hostile.

Any sufficiently complex system will exhibit this trait sooner or later.

~~~
Hellenion
That's an interesting way of looking at "parasitic" programs. Maybe we could
even get those parasites to work for us, like trapping them as the house pen-
tester. You could employ the constant barrage of attempted ssh logins as
remote connectivity check or something.

------
lsc
The thing that interests me, though, is the idea of modifying your hard drive
firmware for better performance.

My understanding is that the effective width of the write head is 10x the
width of the read head... E.g. with the right firmware, it should be possible,
if you are okay with a write-once medium, to write the outermost track, move
the write head in 1/10th what you'd normally move it, then write the next
track, etc... and get 10x the space out of the drive you normally would. In
theory, the read head wouldn't have trouble. (of course, this would be write
once storage, as the effective width of your write head is still pretty huge;
but for a bunch of things? I can totally work with that... if more than X% of
a drive was garbage data, I copy the good data to a new drive and reformat the
old one. Done.)

I hear rumors that both the major drive manufacturers are actually shipping
drives with this technology, but are only selling those drives to really big
players, for some reason.

Here's a reasonable reference to the 'shingle' technology, and the roadmap for
the rest of us:

[http://www.theregister.co.uk/2013/06/25/wd_shingles_hamr_roa...](http://www.theregister.co.uk/2013/06/25/wd_shingles_hamr_roadmap/)

but that's the thing, with the datasheets (and, well, a lot more skill than I
personally have) we should be able to setup something like shingling on the
cheap disks we have today.

Of course, from reading the article, I'm not sure I'm any closer to that
particular dream.

~~~
magila
Shingled writes require a special asymmetrical write head, you can't do it
with current drives. Actual shingled write drives are not yet shipping AFAIK.

~~~
lsc
I'm just using shingled writes as one example. Your kernel could, for example,
more efficiently reorder reads and writes with more information about the
physical drive layout. Hell, just removing the bad-sector remapping (and
moving it up to the kernel or the like) would help solve the performance
degradation that remapped sectors cause during apparently sequential
reads/writes.

~~~
AsymetricCom
I'm sure the people who make the drives are trying to get as much performance
as possible from the firmware. They're also working with information you won't
have.

~~~
lsc
>I'm sure the people who make the drives are trying to get as much performance
as possible from the firmware.

Huh. I think it's fairly common that companies engage in price discrimination
by producing a lot of the same hardware, then crippling the hardware sold to
the lower-end. Note, my example of hard drive manufacturers doing this has to
do with the next bit of your quote:

>They're also working with information you won't have.

So the 'crippling' I whine the most about is the difference between 'consumer'
and 'enterprise' hard drives.

If you aren't running a hard drive in a raid, if it's just one drive in a
desktop, generally speaking, if there's a problem? you want the thing to keep
retrying, if there is any chance at all that it might be able to resolve the
problem.

If it's just one drive in a desktop, it's almost always best to do something
that will make the drive go slower than to cause the drive to fail.

My situation? where drives are sitting in a RAID? almost the exact opposite.

So yeah; me? I spend twice as much money to get "enterprise" drives that are
almost identical, mechanically, but come with slightly better firmware.
Firmware that just fails, rather than waking me up in the middle of the night.

(A friend of mine has been telling me: "Luke, a hung drive is just a special
case of a slow drive; You need to monitor read/write latency and proactively
fail slowish drives. Check out blocktrace" - and he's probably right.)

Note, WD has TLER, which they say you can change with WDTLER.exe. In my
experience? works on about half the drives you try, and even then those drives
are far more likely to get slow (but not completely hang) than an 'enterprise'
drive.

Now... let's talk about bad sectors. Filesystems have been handling bad
sectors, well, for most of my life now. they can do it fairly well.

The problem with letting the firmware handle bad sectors is that the OS doing
read/write reordering assumes that if you write sector 559 560 561, those are
physically sequential. Once the hardware firmware remaps sector 560 off into
the fucking boonies, my nice sequential read is now completely fucking
random... and way slower. My point is that something like ZFS can handle bad
sectors way better than the drive firmware, because it's got a lot more
information. A lot more information in the case of read errors... all the
firmware can do is hang you up retrying; the RAID layer could actively grab
that block from another drive.

So yeah, they have information I don't have... and my computer would go
dramatically faster if I could have that information. My pager

~~~
baruch
From what I know when a drive "reallocates a sector" it actually reallocates a
track or something very close to that. So that at least for the rotational
sequencing the performance will not change that much. Of course, the track that
used to be just one track seek away now became further off.

There are also several places along the way where reallocations go to and the
drive tries to find the closest one to the reallocated tracks to avoid too
large seeks.

------
kabdib
My knee-jerk reaction was, why didn't WD sign the code and use on-chip fuses
and a secure boot path to verify the code before transferring control to
anything outside their boot ROM? (Many ARM-based systems-on-a-chip are capable
of doing this).

Adds cost, for one thing. But you can arrange for the unit to never run a byte
of code (even one loaded from the platter) that didn't come from WD.
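
Added example of the scheme kabdib describes, not from the article or from any WD design: a Go model of a boot ROM that holds only SHA-256 of the vendor key in fuses and refuses to transfer control to a firmware body unless the embedded key hashes to that value and the Ed25519 signature over the body verifies. The image layout, the Ed25519 choice, and every key and byte here are constructed. A real implementation would also burn an anti-rollback counter so a genuine but older, vulnerable image cannot be written back, and the ROM itself must be unwritable or the rest of the chain is moot.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout, constructed for this example:
//   [32-byte vendor public key][64-byte Ed25519 signature][4-byte LE body length][body]
// The ROM holds no key at all, only SHA-256(vendor public key) burnt into fuses.

var (
	ErrFormat = errors.New("boot ROM: malformed image")
	ErrKey    = errors.New("boot ROM: embedded public key does not match fused hash")
	ErrSig    = errors.New("boot ROM: signature check failed")
)

// BootROM models the immutable on-chip code plus its write-once fuse bank.
type BootROM struct {
	fusedKeyHash [sha256.Size]byte
}

// Fuse is the one-time factory step: burn the hash of the vendor key.
func Fuse(vendorPub ed25519.PublicKey) BootROM {
	return BootROM{fusedKeyHash: sha256.Sum256(vendorPub)}
}

// VendorSign is what the vendor's release tooling does with the private key.
func VendorSign(priv ed25519.PrivateKey, body []byte) []byte {
	signed := make([]byte, 4, 4+len(body))
	binary.LittleEndian.PutUint32(signed, uint32(len(body)))
	signed = append(signed, body...)
	img := append([]byte(nil), priv.Public().(ed25519.PublicKey)...)
	img = append(img, ed25519.Sign(priv, signed)...)
	return append(img, signed...)
}

// Verify returns the body the ROM may transfer control to, or an error. Nothing
// in the image, not even the embedded key, is trusted until both checks pass.
func (r BootROM) Verify(img []byte) ([]byte, error) {
	if len(img) < ed25519.PublicKeySize+ed25519.SignatureSize+4 {
		return nil, ErrFormat
	}
	pub := ed25519.PublicKey(img[:ed25519.PublicKeySize])
	if sha256.Sum256(pub) != r.fusedKeyHash {
		return nil, ErrKey // attacker-supplied key: hash does not match the fuses
	}
	sig := img[ed25519.PublicKeySize : ed25519.PublicKeySize+ed25519.SignatureSize]
	signed := img[ed25519.PublicKeySize+ed25519.SignatureSize:]
	if !ed25519.Verify(pub, signed, sig) {
		return nil, ErrSig // body (or length) changed after signing
	}
	if n := binary.LittleEndian.Uint32(signed[:4]); int(n) != len(signed)-4 {
		return nil, ErrFormat
	}
	return signed[4:], nil
}

// Scenario plays out three boots against one fused ROM and returns each verdict:
// the vendor's image, the same image with one body byte patched, and a patched
// body re-signed by an attacker with their own key.
func Scenario() (genuine, patched, resigned error) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	rom := Fuse(vendorPub)
	body := []byte("drive controller firmware body (constructed)")
	img := VendorSign(vendorPriv, body)
	_, genuine = rom.Verify(img)

	bad := append([]byte(nil), img...)
	bad[len(bad)-1] ^= 0xFF // implant patched into the stored firmware
	_, patched = rom.Verify(bad)

	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, resigned = rom.Verify(VendorSign(attackerPriv, append(body, " + implant"...)))
	return
}

func main() {
	g, p, r := Scenario()
	fmt.Println("genuine image:", g)
	fmt.Println("patched body: ", p)
	fmt.Println("re-signed:    ", r)
}
```

The model also makes the trade-off plain: whoever holds the fused key decides what the drive runs, and the drive's owner does not. That is exactly the property the replies below argue about.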

~~~
achille2
The knee jerk reaction to secure boot-anything from the technical community
has been generally "No!", "It's a trap" etc.

~~~
venomsnake
The knee jerk reaction is not to secure boot but to who has the ability to set
the keys. The technical community likes to be in control of that.

~~~
aray
That is closely tied to "who gets to audit the source".

E.g. the FOSS community wasn't a fan of only-trusted-secure-boot when it was
microsoft holding the keys and the source and releasing neither.

------
munin
something I hadn't really considered about hard disk encryption, before
reading this, is how it could protect against compromised disk controllers. if
the OS encrypts the data stored on the disk, it would be a lot harder
(perhaps, with the right composition, impossible) for a malicious disk
controller to insert/change/modify important data (like code, or password
files) stored on the computer.

we think of the system as a holistic entity, but turned on its head, you can
see how the inside of a computer is just a network...

~~~
im3w1l
Maybe I misunderstood, but didn't the harddrive have direct memory access
(DMA)?

~~~
MBCook
The DMA mentioned in the article was internal to the drive, between the
hardware interfaces and its internal cache. The drive did not have DMA access
to _system_ memory.

~~~
0x0
Even though it wasn't discussed in the article, I think firewire and
thunderbolt external drives DO have direct DMA access to system memory. Google
for SBP-2 and DMA, and a bunch of articles about protecting against firewire
attacks against full-disk-encryption (among other things) appear.

~~~
MBCook
I know you're right on FW. I believe DMA was designed in because they
recognized that the CPUs of the time weren't powerful enough to move
uncompressed full-resolution video around. I don't know about
Thunderbolt, but I'd expect you're right.

~~~
fragmede
Thunderbolt is just pci-express in new clothes, so yes, it does.

~~~
MBCook
Good point.

------
gabriel34
Could this attack compromise dedicated/rented servers? If so, the attacker
could rent, install the exploit on the hardware and terminate the contract.
What about cloud servers? Sure there are virtualization layers, but can't
those be breached? If so that would pose immense danger: given the distributed
nature, the hardware exploit could render the entire farm vulnerable.

~~~
testbro
The attack could compromise other servers yes. I think the scenario you
describe is a possibility, although there are some technical feats that would
make wide-scale exploitation difficult - you need to know what you want to
modify ahead of time which would be difficult.

Virtualised environments that don't pass the vendor specific commands should
be immune to the attack though. As others have said, encryption would probably
allow tampered pages to be detected. I'd be interested to see if the modified
firmware could ignore new firmware...

~~~
cbhl
> encryption would probably allow tampered pages to be detected

Careful!

It _can_, but doesn't always. For example, eCryptfs currently doesn't protect
against tampering; it uses Cipher Block Chaining (CBC) mode without a HMAC or
other signature.

(I'm working with some colleagues to add Galois/Counter Mode (GCM) support to
eCryptfs, which does provide some form of tamper-detection.)
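
Added example for cbhl's warning and for munin's earlier point about encryption against a compromised controller; it is not code from the article, from eCryptfs, or from either commenter. It encrypts one 512-byte sector two ways in Go and applies the same ciphertext edit a malicious controller could make at read time. Under AES-CBC the edit lands as a chosen 16-byte change at a predictable offset (here a constructed shadow-style field), with the preceding block turned to garbage and no error raised; under AES-GCM the same edit fails the tag check. Key, IV, offset and field contents are all constructed. CBC is used because cbhl names it; the aes-xts-plain64 that dm-crypt commonly uses is also unauthenticated (XTS stops the controlled flip, since a changed ciphertext block decrypts to pseudorandom bytes, but it still reports nothing).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed material. The 16-byte field at sector offset 32 stands in for a
// password hash in /etc/shadow whose location the controller can predict.
var (
	key         = bytes.Repeat([]byte{0x42}, 32) // AES-256 key, constructed
	iv          = bytes.Repeat([]byte{0x07}, 16) // per-sector IV (CBC) / nonce prefix (GCM)
	knownField  = []byte("pw:$6$salt$hash!")
	wantedField = []byte("pw:$6$salt$evil!")
	fieldOff    = 32
)

// plaintextSector is one 512-byte sector as the OS hands it to the crypto layer
// (a multiple of the AES block size, so CBC needs no padding).
func plaintextSector() []byte {
	p := bytes.Repeat([]byte{'.'}, 512)
	copy(p[fieldOff:], knownField)
	return p
}

func cbcEncrypt(p []byte) []byte {
	blk, _ := aes.NewCipher(key)
	c := make([]byte, len(p))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(c, p)
	return c
}

func cbcDecrypt(c []byte) []byte {
	blk, _ := aes.NewCipher(key)
	p := make([]byte, len(c))
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(p, c)
	return p
}

// tamper is the malicious controller's edit to the stored ciphertext: XOR the
// ciphertext block *preceding* the target with (known XOR wanted). In CBC,
// P[i] = D(C[i]) XOR C[i-1], so the target block decrypts to the wanted value
// and the preceding block turns to garbage; nothing along the way can fail.
func tamper(c []byte, off int, known, wanted []byte) []byte {
	t := append([]byte(nil), c...)
	for i := range known {
		t[off-aes.BlockSize+i] ^= known[i] ^ wanted[i]
	}
	return t
}

// CBCAttack reports whether the forged field came through cleanly and whether
// the block before it was destroyed (the only trace a reader might notice).
func CBCAttack() (fieldForged, prevBlockGarbled bool) {
	p := plaintextSector()
	got := cbcDecrypt(tamper(cbcEncrypt(p), fieldOff, knownField, wantedField))
	fieldForged = bytes.Equal(got[fieldOff:fieldOff+16], wantedField)
	prevBlockGarbled = !bytes.Equal(got[fieldOff-16:fieldOff], p[fieldOff-16:fieldOff])
	return
}

// GCMAttack applies the same ciphertext edit under AES-GCM. The honest
// ciphertext opens; the tampered one must fail the tag check.
func GCMAttack() (honestOK bool, tamperedErr error) {
	blk, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(blk)
	nonce := iv[:g.NonceSize()]
	p := plaintextSector()
	c := g.Seal(nil, nonce, p, nil) // ciphertext followed by a 16-byte tag
	dec, err := g.Open(nil, nonce, c, nil)
	honestOK = err == nil && bytes.Equal(dec, p)
	_, tamperedErr = g.Open(nil, nonce, tamper(c, fieldOff, knownField, wantedField), nil)
	return
}

func main() {
	forged, garbled := CBCAttack()
	fmt.Printf("CBC: field forged=%v, previous block garbled=%v, error=none\n", forged, garbled)
	ok, err := GCMAttack()
	fmt.Printf("GCM: honest opens=%v, tampered error=%v\n", ok, err)
}
```

With CBC the reader does see a garbled block just before the forged field, so a controller aiming at a shadow line would pick a target whose neighbour it can afford to destroy; nothing in the decryption path flags either block. GCM's rejection is the "right composition" munin asks about: integrity has to be part of the construction, not assumed from confidentiality.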

------
wiredfool
Installing linux on a hard drive never sounded impressive before.

~~~
cupcake-unicorn
Well, to be fair, it's a bit of a pain with UEFI.

But this is really amazing. I'd love to see how it could be extended to other
OSes, if possible?

~~~
McGlockenshire
I'm not sure about the other controllers, but if this one has a Cortex M3,
then anything that runs on an M3 could hypothetically be ported.

One of the SE sites assembled a list. Shockingly, the question isn't closed
yet!

[http://electronics.stackexchange.com/questions/27594/what-
op...](http://electronics.stackexchange.com/questions/27594/what-operating-
systems-have-been-ported-to-cortex-m3)

~~~
0x0
The Feroceon CPUs are pretty hefty too. They're powering the Marvell Kirkwood
platform which is used in things like the Sheevaplug and some of the QNAP TS-*
NAS devices. Debian runs great on those. (2.0 GHz CPU, 512 MB RAM). Probably the
biggest trouble here is the lack of an MMU (?) .

~~~
mcpherrinm
uclinux can run on mmu-less systems, so I do suspect you can run Linux on this
hard drive.

------
batiste
The first hack read on Hacker News I have seen for a long time.

~~~
AsymetricCom
What? You don't consider "growth hacking" real hacking?

~~~
mindslight
That depends if you're just buying the pills from the spams or going to the
hardware store and building your own pumps etc.

------
quasque
A fascinating read, and an excellent piece of work.

It reminds me of a similar proof-of-concept hack on a common network card
firmware: [http://esec-lab.sogeti.com/post/2010/11/21/Presentation-
at-H...](http://esec-lab.sogeti.com/post/2010/11/21/Presentation-at-
Hack.lu-:-Reversing-the-Broacom-NetExtreme-s-firmware) (the slides linked from
that page have a more technical overview than the blog post).

------
yuhong
I think some hard drives like some Seagates have a serial console in the
firmware that provides low level access that data recovery companies for
example use.

~~~
0x0
I'd love to read more info about this!

~~~
yuhong
[http://www.msfn.org/board/topic/128807-the-solution-for-
seag...](http://www.msfn.org/board/topic/128807-the-solution-for-
seagate-720011-hdds/)

[http://elabz.com/forums/electronics-repairs/list-of-
seagate-...](http://elabz.com/forums/electronics-repairs/list-of-seagate-
firmware-terminal-commands/)

~~~
0x0
Thanks for the links :)

~~~
jasomill
While I haven't written it up anywhere, it's also fun to point out that I've
had success talking to a Seagate drive by wiring the debug port directly to
the TTL serial pins on the debug header of a Linksys WRT54G router.

------
swang
Does a jellybean part just mean its very common?

~~~
dsr_
Yes, it means that you can buy them like jellybeans (and they're about the
same size, and black, which is either the best or worst flavor.)

------
wereHamster
> Because Linux caches the shadow file (like all files recently accessed), I
> have to generate a lot of disk activity for the file to be 'pushed out' of
> the cache

[http://linux-mm.org/Drop_Caches](http://linux-mm.org/Drop_Caches)

$ echo 3 > /proc/sys/vm/drop_caches

or as non-root

$ echo 3 | sudo tee /proc/sys/vm/drop_caches

~~~
DHowett
I do not believe that using _sudo_ exactly counts as "non-root".

~~~
switch007
They meant "when not root".

------
brudgers
Great article. But what I came away from it thinking was about how much money
is spent by state security institutions to prevent this sort of thing, and yet
secrecy breaches at scale are the Walkers, Mannings, and Snowdens using USB
sticks and DVDs and copiers.

------
x0054
This is some hard core hacking! Love it! First, as others mentioned, this is
why you should always encrypt your OS drives. Second, it also got me thinking,
how many other devices are open to this kind of attack. Like a network switch,
perhaps? Say you buy 100 network switches, alter the firmware to call home and
maybe even load a Linux instance, and then resell them on amazon, eBay, or
even better, give a "good" cash deal to some local IT company. Then you just
sit back and wait for your 100 bots to call home for their new business class
Internet homes.

------
0x0
This is incredibly scary. Will HD vendors start implementing firmware code
signing anytime soon? Or will some enterprising hackers start working on an
open source firmware implementation?

------
b0rsuk
That's a whole world of spying opportunities. A government could make secret
deals with hard drive manufacturers. Perhaps not US government, but Taiwan
government, if it makes you happier... (I'm from neither country)

~~~
mariusz79
Could? How do you know they didn't do it already?

------
korethr
This is very cool. I have a pile of dead and old hard drives. I should see if
my local hackerspace has something that can connect to JTAG, and if so, see
what secrets the old drives contain.

------
vlr
I remember Dejan Kalijevik from the Nokia s/w. Is he talking of the same
Dejan?

------
dnautics
what is that cortex-M3 chip doing? Did the NSA put it there?

