
Data recovery from an external hard drive Seagate FreeAgent Go

The Seagate FreeAgent Go 500 GB external hard drive served its owner faithfully until, on one bad day, it fell victim to human emotion: in the heat of a family quarrel the owner threw the device at the object of her irritation, her husband. The husband was not seriously injured, but the drive fared worse. When connected to a computer's USB port, it made a low humming sound and did not spin up.


Fig. 1

In this state, the external hard drive arrived at our data recovery lab. Visual inspection reveals no deformation of the enclosure. Because the drive's history includes an impact, it must be opened in a laminar flow cabinet without any attempt to power it on, to avoid further damage. The hard drive removed from the enclosure is a Seagate ST9500325AS (Momentus 5400.6), a member of the Wyatt family. Its case shows no deformation and no dents on the cover. We remove dust from every accessible place and move to the laminar flow cabinet. On removing the cover, we find that the block of magnetic heads (BMG) is outside the parking ramp.


Fig. 2
Using pullers, we move the BMG onto the ramp. Next, we remove the BMG and carefully inspect all 4 sliders and suspensions under the microscope for deformation and foreign particles. We also inspect the recirculation filter and the surface of the upper platter at the point where the BMG had stuck. In our case, the suspensions are not deformed and the sliders are not contaminated. On the platter surface there is a “stain” with damage that cannot be seen with the naked eye. There are no metal particles on the recirculation filter. The plastic parking ramp is undamaged, and the disks are not skewed.

The inspection shows that it is permissible to attempt reading with the original block of magnetic heads, keeping in mind the damage at the outer edge of the platters. We install the head block back into the drive and reassemble it. Because the drive has undergone a shock load, we replace the original PCB 100536286 Rev E with a known-good board from a donor drive, transferring the ROM. This precaution avoids unpleasant surprises from possible microcracks.

We connect the drive to the SATA port and to the terminal and apply power. In our case, the spindle started rotating without any knocking. The normal sound of the calibration test was heard, and after a few seconds the drive reported in its registers that it was ready to exchange data.


Fig. 3

The terminal also shows a normal drive start-up log, with additional event logging disabled.

Rst 0x08M
(P) SATA Reset

Immediately, in the drive's RAM, we need to find the HDD configuration module (ID = 0x2A), remove all the keys responsible for starting offline scanning and the autonomous and deferred defect-handling procedures, and disable automatic reallocation on read and write. This is necessary so that the drive, on detecting problems, does not try to start defect-handling procedures: they keep the BMG over the problem area for a long time, which can provoke avalanche-like destruction (scoring of the platter). The structure of the 0x2A module (system file FC36608F) is quite simple (the order in which the parameters are written is fairly obvious). In the research (which has been carried out, and continues, for all drives of the F3 architecture) the main difficulty was establishing the purpose of each parameter and its acceptable values. Modern versions of the PC3000 complex greatly simplify editing the values.

We back up the drive's firmware (ROM, modules, “system files”). Using test modules that are not important for the drive's operation, we check that each head can write and read back what was written. Having confirmed that all heads work correctly, we assess how well they read in the user area. To do this, we build a map of the zone distribution across the entire logical space (LBA sectors 0 to 976 773 167). Judging by the size of the mini-zones, to assess head readability on this unit it is enough to read about 300,000 sectors at the end of the logical space, about 450,000 sectors in the middle and about 600,000 at the beginning of the disk (knowing that the platters are damaged, we do not test the beginning of the disk).
Having made sure that all heads can read, we configure the read parameters: UDMA mode, a read timeout of no more than 500 milliseconds, and, if the drive does not become ready, a soft reset and a skip of the mini-zone. With the list of mini-zones built in reverse order, we start reading the mini-zones sequentially (creating a sector-by-sector copy).


Fig. 4

99% of the logical space was read without any difficulty. The first delay appeared at LBA 6,541 xxx on head No. 1. Reading was interrupted immediately and the drive was put into sleep mode (the heads parked on the ramp and the spindle stopped, while the firmware remains loaded in the hard disk's RAM). We rebuild the list of zones in forward order and proceed to sequential reading.


Fig. 5

At LBA 2 518 xxx there was again a read delay on head No. 1. We again quickly put the drive to sleep. A rough estimate of the size of the defective zone is 6,541,000 - 2,518,000 = 4,023,000 sectors, which is approximately 2 GB.
Further analysis is carried out exclusively on the copy, which is on a healthy drive. We examine the contents of LBA 0.


Fig. 6

The value 0x07 at offset 0x1C2 tells us that the partition type is NTFS (or ExFAT).

The value 0x00000800 at offset 0x1C6 informs that the partition starts from sector 2 048.

The value 0x3A384800 at offset 0x1CA says that the partition length is 976,766,976 sectors.
We move on to sector 2,048.


Fig. 7

From the NTFS parameters we see that the sector is 512 bytes and there are 8 sectors per cluster, so the cluster size is 512 * 8 = 4096 bytes. The MFT starts at cluster 0x00000000000C0000 (786 432), that is, at sector 6 293 504 (786 432 * 8 + 2048). The MFT Mirror is at cluster 0x0000000000000002 (2), that is, it starts at sector 2 064 (2 * 8 + 2048).

Knowing the boundaries of the defective zone, we can see that defects will very likely fall within the area holding the MFT. To check this, we examine the first MFT record (taken from the MFT Mirror, which duplicates the first 4 MFT records, as it has already been read). In our case this file occupies a single fragment starting at sector 6,293,504 with a length of 277,092 sectors.
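
The arithmetic of the last few paragraphs, as an added example that is not part of the original article: a Python sketch that parses the MBR entry and NTFS boot sector fields quoted above and measures how much of the MFT lies inside the rough defect bounds. The two sectors are constructed from the article's values, and the function names are illustrative.

```python
import struct

SECTOR = 512

def parse_mbr_entry(mbr, index=0):
    """Return (type, start_lba, sector_count) of a primary partition entry."""
    if mbr[0x1FE:0x200] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    off = 0x1BE + 16 * index  # entry 0: type at 0x1C2, start at 0x1C6, length at 0x1CA
    ptype = mbr[off + 4]
    start, count = struct.unpack_from("<II", mbr, off + 8)
    return ptype, start, count

def parse_ntfs_vbr(vbr):
    """Return (bytes_per_sector, sectors_per_cluster, mft_cluster, mftmirr_cluster)."""
    if vbr[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    bps, spc = struct.unpack_from("<HB", vbr, 0x0B)
    mft, mirr = struct.unpack_from("<QQ", vbr, 0x30)
    return bps, spc, mft, mirr

def overlap(a_start, a_len, b_start, b_end):
    """Sectors of [a_start, a_start + a_len) that fall inside [b_start, b_end)."""
    return max(0, min(a_start + a_len, b_end) - max(a_start, b_start))

def build_sample():
    """Constructed sectors carrying only the values quoted in the article."""
    mbr = bytearray(SECTOR)
    mbr[0x1C2] = 0x07
    struct.pack_into("<II", mbr, 0x1C6, 0x00000800, 0x3A384800)
    mbr[0x1FE:0x200] = b"\x55\xaa"
    vbr = bytearray(SECTOR)
    vbr[3:11] = b"NTFS    "
    struct.pack_into("<HB", vbr, 0x0B, 512, 8)
    struct.pack_into("<QQ", vbr, 0x30, 0xC0000, 2)
    return bytes(mbr), bytes(vbr)

def analyse():
    mbr, vbr = build_sample()
    ptype, start, count = parse_mbr_entry(mbr)
    bps, spc, mft, mirr = parse_ntfs_vbr(vbr)
    mft_lba = mft * spc + start    # cluster number -> absolute LBA
    mirr_lba = mirr * spc + start
    # Rounded defect bounds and MFT length (277,092 sectors) as given in the article.
    hit = overlap(mft_lba, 277_092, 2_518_000, 6_541_000)
    return ptype, start, count, bps * spc, mft_lba, mirr_lba, hit

if __name__ == "__main__":
    print(analyse())
```

The last value returned is the number of MFT sectors inside the rounded bounds; it is an upper estimate of exposure by LBA range only and says nothing about which head serves each sector.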


Fig. 8

Recall that the main read difficulties occurred on head No. 1, so we start with the zones on head No. 0. We wake the drive from sleep mode and read the MFT fragments on head zero. This caused no difficulty and yielded more than 75% of this most important structure. Next, we switch to PIO mode for finer control over read operations and try to read the remaining 68,400 sectors from the problem area. By varying jump size, timeouts, wait for readiness and block size over several passes, we read the problem area. In the MFT area, 18 sectors remain unread; their positions repeat cyclically (the period corresponds to the SPT for these zones), which indicates a scratch on this platter.

We put the drive back into sleep mode, analyze the MFT records on the copy and evaluate the location of the files to understand which of them fall into the defective area. About 50 affected files are found. We check the statement of work and find that more than 35 of these files can be left out. For the rest, we build the chains of their locations and sort them in order.

During reading, we note that in addition to the problems on the surface read by head No. 1, problems appear on the surface read by head No. 3. We exclude the chains on problematic surfaces and read the sections on surfaces 0 and 2.

Next, we try to resume reading the problematic chains with heads No. 1 and No. 3, and in less than 30 seconds a rather loud knock is heard from the drive. We try to issue a reset, but the drive does not respond and continues to knock. We decide to turn off the power. Powering on again starts with a knock from the drive. We turn off the power and conclude that degradation has progressed as a result of reading the damaged area.

We go to the laminar flow cabinet and inspect what happened. The upper surface looks perfect, but under the microscope the beginning of an avalanche-like destruction of the platter (scoring) is visible. Metal particles on sliders No. 1 and No. 3 confirm the diagnosis.

From the sector copy we create a file copy, moving files with unread fragments into a separate folder (preserving the original hierarchy). We also refine the MFT analysis to understand what the loss of the 18 sectors led to. The damage analysis establishes unambiguously that no more than 7 files were lost. Unfortunately, Bitmap is also in the defective area, and its contents cannot be used for analysis.

On accepting the work, the owner of the disk was satisfied with the result (more than 99.9% of the required data) and decided that there was no need for additional analysis using regular expressions to search for the files missing because of the MFT damage.

In conclusion, I want to draw users' attention to the fact that things are not so simple with drives whose heads are stuck outside the parking ramp, and to how dangerous the advice is from people who do not understand how a hard disk drive works: to open the device and move the heads off by themselves, and then use dd under Linux or WinHex under Windows to make a “safe” sector-by-sector copy. Had such measures been applied to the drive described in this publication, it would have become a corpse with no possibility of data recovery while reading the second gigabyte.

Next story: Is it always safe to encrypt or recover data from an external hard drive Prestigio Data Safe II
Previous publication: A bit of reverse-engineering USB flash on the SK6211 controller
Publishing outside of habrahabr: Recovering data from a faulty HDD WD4000FYYZ-01UL1B1

Source: https://habr.com/ru/post/330120/

