Tuesday 2 January 2018

linux - Harddrive - wipe out "hidden areas" like HPA and DCO also after malware infection


Background -


Malware in Windows (yes), possibly rootkit/bootkit. Don't want to take any chances. So, wiped drive with DBAN foolishly (PRNG, 8 pass). Later came to know that DBAN does not kill HPA (host protected area) and DCO (drive configuration overlay), which are "hidden areas" (if present) in a hard drive. Saw that HDDErase made by CMRR can remove DCO and HPA, if present. But the project was stopped in 2005 or 7. So, I came to hdparm on Linux in the hope that it will wipe my HDD 100% clean so that I can install crappy Windows again on a 100% clean hard drive. As an aside, I also looked at "BC Wipe Total Wipeout" which does HPA and DCO removal @ $50.


Current setup - Ubuntu 11 on a 3.6GB USB flash/stick drive. My HDD has no operating system.


Me - Average computer user with little bash skill, i.e., I don't really know what I am doing.


Questions -

  • If you want to see the presence of HPA, you have to use hdparm -N /dev/sda. It shows me the number of sectors and that HPA is disabled.

    • What is this /dev/sda ? Is it my hard drive or the USB stick drive on which I have Ubuntu? I guess it's the hard drive because I tried a command and saw the description of a hard drive in the results. I tried sudo hdparm -I /dev/sda. Here is some of the output -

      ATA device, with non-removable media Model Number: ST320LT007-9ZV142

It's a Seagate 320GB, 7200RPM drive.


Output of sudo hdparm --dco-identify /dev/sda


/dev/sda:
DCO Revision: 0x0001
The following features can be selectively disabled via DCO:
Transfer modes:
mdma0 mdma1 mdma2
udma0 udma1 udma2 udma3 udma4 udma5 udma6(?)
Real max sectors: 625142448
ATA command/feature sets:
SMART self_test error_log security HPA 48_bit
(?): selective_test conveyance_test write_read_verify
(?): WRITE_UNC_EXT
SATA command/feature sets:
(?): NCQ interface_power_management SSP


  • What does this DCO output mean? How do I ensure that there is no possibility of malware on the DCO?

  • Is there a way to find out the size in terms of GB instead of sectors?

  • Will hdparm do a 100% HDD wipe to kill malware that resides in HPA and DCO? I saw this in the wiki page and was a little worried -

hdparm has a more serious drawback: it can crash a computer and make data on its disk inaccessible if certain parameters are misused. Out of approximately sixty-seven parameters, several are dangerous and could result in "massive filesystem corruption" when used indiscriminately.




Answer

So, wiped drive with DBAN foolishly (PRNG, 8 pass). Later came to know that DBAN does not kill HPA (host protected area) and DCO (Drive configuration overlay)

So we have a basic admission here: the drive was wiped, so there is no partition table, file system or data on the drive. So, there can be no data corruption or file system corruption, as neither exists, DBAN having ensured this, and so the following HDPARM warning is not applicable.

hdparm has a more serious drawback: it can crash a computer and make data on its disk inaccessible if certain parameters are misused. Out of approximately sixty-seven parameters, several are dangerous and could result in "massive filesystem corruption" when used indiscriminately.

Fire up your Linux boot disk and run hdparm




To use HDPARM to clear the HPA


For x = device you're targeting, use the following HDPARM command to show if you have an HPA enabled.


# hdparm -N /dev/sdx

It will spit back something like the following if you have an HPA defined:


/dev/sdx:
max sectors = 78125000/78165360, HPA is enabled

To remove the HPA and expand the visible area out to the full size of the drive use the denominator in the above report (visible area/max sectors):


# hdparm -N p78165360 /dev/sdx

It will spit back a report that the visible area is equal to the max sectors and that the HPA is disabled.


/dev/sdx:
setting max visible sectors to 78165360 (permanent)
max sectors = 78165360/78165360, HPA is disabled



To use HDPARM to check if a DCO is in place and set it back to factory defaults


Since the DCO is set up by the manufacturer, you must accept that messing with it will possibly brick the drive. But then that's the least of your problems if you think you got some sophisticated malware that could actually mess with it. To see the DCO, use the following HDPARM command.


# hdparm --dco-identify /dev/sdx

In your example, it gave you:


/dev/sda:
DCO Revision: 0x0001
The following features can be selectively disabled via DCO:
Transfer modes:
mdma0 mdma1 mdma2
udma0 udma1 udma2 udma3 udma4 udma5 udma6(?)
Real max sectors: 625142448
ATA command/feature sets:
SMART self_test error_log security HPA 48_bit
(?): selective_test conveyance_test write_read_verify
(?): WRITE_UNC_EXT
SATA command/feature sets:
(?): NCQ interface_power_management SSP

So, your drive manufacturer uses DCO to define the allowable data transfer modes (MDMA, UDMA), the real size of the drive (max sectors), and ATA/SATA commands that can be disabled.


If you want to attempt reverting the DCO back to factory defaults, you can use the following HDPARM command:


# hdparm --dco-restore /dev/sdx

It will spit back at you the following warning that changing the DCO will cause total data loss. Think of it as changing the partition size or wiping out the partition table and restoring it with incorrect parameters. On a wiped disk, you already have lost the data, eh? Basically a "Sorry you didn't back up your data before proceeding; you're SOL if the DCO doesn't match after the command's run and you think anything will be recoverable from the drive because of size reassignment."


/dev/sdx:
Use of --dco-restore is VERY DANGEROUS.
You are trying to deliberately reset your drive configuration back to
the factory defaults.
This may change the apparent capacity and feature set of the drive,
making all data on it inaccessible.
You could lose *everything*.
Please supply the --yes-i-know-what-i-am-doing flag if you really want this.
Program aborted.

Per the instructions, you add the following "I accept the consequences" switch:


# hdparm --yes-i-know-what-i-am-doing --dco-restore /dev/sdx

And it tells you:


/dev/sdx:
issuing DCO restore command
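
As an added example that is not part of the original question or answer, and not hdparm's own code, here is a small POSIX shell script that reads the two reports the answer walks through and also answers the asker's sector-to-GB question: it parses the visible/max pair from hdparm -N, the "Real max sectors" line from --dco-identify, converts sector counts to decimal gigabytes, and reports how many sectors an HPA or a DCO cap is keeping out of view. The sample reports embedded in it are constructed from the numbers quoted on this page (the DCO report for the answer's 78165360-sector example drive is made up to match that example), and the 512-byte sector size is an assumption to verify against the "Logical Sector size" line of hdparm -I on the real drive.

```sh
#!/bin/sh
# Added example, not from the original post or from hdparm: parse the
# `hdparm -N` and `hdparm --dco-identify` reports discussed above and turn
# the sector counts into sizes and a hidden-area verdict. The reports below
# are constructed from the numbers on this page; on a real drive, feed in the
# captured output of `sudo hdparm -N /dev/sdX` and
# `sudo hdparm --dco-identify /dev/sdX` instead.

# Assumption: 512-byte logical sectors. Check "Logical Sector size" in
# `hdparm -I` output for your drive before trusting the GB figures.
SECTOR_BYTES=512

# Constructed: `hdparm -N` on a drive with an HPA set (the answer's example).
HPA_SET_REPORT='/dev/sdx:
 max sectors   = 78125000/78165360, HPA is enabled'

# Constructed: `hdparm -N` on the asker's 320GB Seagate, HPA disabled.
HPA_OFF_REPORT='/dev/sda:
 max sectors   = 625142448/625142448, HPA is disabled'

# Constructed: the `--dco-identify` lines that matter, from the question.
DCO_REPORT='/dev/sda:
DCO Revision: 0x0001
Real max sectors: 625142448
ATA command/feature sets:
 SMART self_test error_log security HPA 48_bit'

# Constructed: a matching DCO report for the answer's 78165360-sector drive.
DCO_SET_REPORT='/dev/sdx:
DCO Revision: 0x0001
Real max sectors: 78165360'

# Print "visible max" from an `hdparm -N` report (hdparm shows current/native).
hpa_sectors() {
    printf '%s\n' "$1" |
        sed -n 's|.*max sectors *= *\([0-9][0-9]*\)/\([0-9][0-9]*\).*|\1 \2|p'
}

# Print the "Real max sectors" value from a `--dco-identify` report.
dco_real_max() {
    printf '%s\n' "$1" | sed -n 's|^Real max sectors: *\([0-9][0-9]*\).*|\1|p'
}

# Decimal gigabytes (the unit on the drive label), truncated to a whole number.
sectors_to_gb() {
    echo $(( $1 * SECTOR_BYTES / 1000000000 ))
}

# Sectors the HPA hides from the OS: native max minus visible.
hpa_hidden_sectors() {
    hpa_sectors "$1" | { read -r visible max; echo $(( max - visible )); }
}

# Sectors the DCO has clipped off the drive's real capacity: the DCO's
# "Real max sectors" minus the native max that the `-N` report admits to.
dco_hidden_sectors() {
    real=$(dco_real_max "$2")
    hpa_sectors "$1" | { read -r visible max; echo $(( real - max )); }
}

# One-line verdict combining both checks; a clean result is what you want to
# see before reinstalling on a drive you suspected of hiding something.
hidden_area_verdict() {
    h=$(hpa_hidden_sectors "$1")
    d=$(dco_hidden_sectors "$1" "$2")
    if [ "$h" -eq 0 ] && [ "$d" -eq 0 ]; then
        echo "no hidden area: visible size matches DCO real max"
    else
        echo "hidden area: HPA hides $h sectors, DCO clips $d sectors"
    fi
}

# Stand-alone run: the asker's drive, then the answer's HPA example.
echo "asker's drive: $(sectors_to_gb "$(dco_real_max "$DCO_REPORT")") GB"
hidden_area_verdict "$HPA_OFF_REPORT" "$DCO_REPORT"
hidden_area_verdict "$HPA_SET_REPORT" "$DCO_SET_REPORT"
```

Run it as-is to see the verdicts for the embedded samples; on a live system, substitute the captured output of the two read-only hdparm commands named in the comments. A non-zero count from either function is exactly the condition the answer's -N pNNN and --dco-restore steps are meant to clear, and a clean verdict after those steps (and after a wipe that now covers the full drive) is the confirmation the asker is looking for.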
