I am very curious about how long this hack took to complete. I write firmware for SSD controllers for a living, and this would probably take me many months of full-time work to pull off with an unknown controller (granted, I generally work on algorithms at a slightly higher abstraction layer in the firmware, and some of my colleagues who are more focused on the hardware interfaces could figure something like this out much faster than me). I am incredibly impressed by this effort.<p>Also, I want to mention that it's common to have multiple processors in storage controllers. I can't talk about the specifics of the drives that I work on, but for SSDs at least there are several layers of abstraction: the host interface to receive the data, a middle layer to perform management of the data (SSDs require things like wear leveling, garbage collection, etc., in the background, to ensure long life and higher I/O speeds), and a low-level media interface layer to actually write to the media. These tasks are often done by different processors (and custom ASICs).
I think it's rather unfortunate that the workings of modern HDDs (and other storage devices, like SSDs, microSD cards, etc.) are all hidden behind a wall of proprietariness, as this is mainly a form of security through obscurity; and government agencies probably know about such means of access already, while not many others do.<p>Although they're largely obsolete today, for many years the most well-documented and open storage device that could be connected to a standard PC was the floppy drive. The physical format was standardised by ECMA, the electrical interface to the drive nothing more than analog read/write data and "dumb" head-positioning commands, the controller ICs (uPD765 and compatible) interfacing it to the PC were based on simple gate arrays (no need for any firmware), and all the processing was otherwise handled in software. The documentation for the earliest PCs included the schematics for the drive, and the ICs on it were documented elsewhere too - e.g. <a href="https://archive.org/details/bitsavers_westernDigorageManagementProductsHandbook_23366933" rel="nofollow">https://archive.org/details/bitsavers_westernDigorageManagem...</a> A lot of the technical details of early HDDs were relatively open too. I've interfaced a floppy drive to a microcontroller before, and being able to see how the whole system works, to understand and control how data is read/written all the way down to the level of the magnetic pulses on the disk, is a very good feeling.<p>(Many earlier systems that came before the PC, like the C64, also had more-or-less completely open storage devices, enabling such interesting things as <a href="http://www.linusakesson.net/programming/gcr-decoding/index.php" rel="nofollow">http://www.linusakesson.net/programming/gcr-decoding/index.p...</a> )
There were several amazing talks at hacker conferences last year about reprogramming storage devices so that they can tamper with their contents. This researcher's talk was one of those. Another significant one was<p><a href="http://events.ccc.de/congress/2013/Fahrplan/events/5294.html" rel="nofollow">http://events.ccc.de/congress/2013/Fahrplan/events/5294.html</a><p>and I think there were at least two others that I can't find right now (plus recent stuff on USB devices that attack their hosts in various ways). In light of these and other firmware and hardware-borne threats, a good overview of the bigger verification and transparency problems is<p><a href="http://www.slideshare.net/hashdays/why-johnny-cant-tell-if-he-is-compromised" rel="nofollow">http://www.slideshare.net/hashdays/why-johnny-cant-tell-if-h...</a>
Also might be of interest: Bunnie's hack of SD cards last year <a href="http://www.bunniestudios.com/blog/?p=3554" rel="nofollow">http://www.bunniestudios.com/blog/?p=3554</a><p>"An Arduino, with its 8-bit 16 MHz microcontroller, will set you back around $20. A microSD card with several gigabytes of memory and a microcontroller with several times the performance could be purchased for a fraction of the price. While SD cards are admittedly I/O-limited, some clever hacking of the microcontroller in an SD card could make for a very economical and compact data logging solution for I2C or SPI-based sensors."<p>"The embedded microcontroller is typically a heavily modified 8051 or ARM CPU. In modern implementations, the microcontroller will approach 100 MHz performance levels, and also have several hardware accelerators on-die."<p>Was discussed on HN, but Algolia search looks to be down at the moment.
Most people are surprised when I tell them that their computer is a lot of little computers working together on a sort of internal network.<p>This is why if your machine is compromised, and you have a threat model that involves serious (state or otherwise well funded) attackers, you really should just send it off to be recycled.
I learned today what a jellybean part was:<p><a href="http://en.wikipedia.org/wiki/J%E2%80%93Machine" rel="nofollow">http://en.wikipedia.org/wiki/J%E2%80%93Machine</a><p>"cheap and multitudinous commodity parts, each with a processor, memory, and a fast communication interface"<p>This reminds me of when I first went into business and bought some machinery. It actually surprised me (at that young age) to learn that the production machine I bought used standard parts that I could buy anywhere (bolts, screws and the like) and that if I needed one I didn't have to order it from the company that I bought the machine from. That seems obvious to me today but it wasn't obvious back then ("back then" was way before the web of course where info was not readily available).
The server is overwhelmed. Coral cache: <a href="http://spritesmods.com.nyud.net/?art=hddhack&page=1" rel="nofollow">http://spritesmods.com.nyud.net/?art=hddhack&page=1</a>
This reminds me of a quite wonderful talk at Oscon earlier this year: <a href="http://www.oscon.com/oscon2014/public/schedule/detail/33943" rel="nofollow">http://www.oscon.com/oscon2014/public/schedule/detail/33943</a> (slides available, but I don't recognize the file format)<p>The high point for me is where he installs Linux on the hard drive. In the sense that the hard drive itself is running Linux.<p>There are quite a few venues for attacks like these: A single computer is sprawling with processors.
Here is the previous discussion for those interested: <a href="https://news.ycombinator.com/item?id=6148347" rel="nofollow">https://news.ycombinator.com/item?id=6148347</a>
Similar project for Samsung SE-506CB external Blu-Ray<p><a href="https://github.com/scanlime/coastermelt/" rel="nofollow">https://github.com/scanlime/coastermelt/</a><p>very cool live hack video diary<p><a href="http://vimeo.com/channels/coastermelt/110257380" rel="nofollow">http://vimeo.com/channels/coastermelt/110257380</a><p><a href="http://vimeo.com/channels/coastermelt/111417458" rel="nofollow">http://vimeo.com/channels/coastermelt/111417458</a>
I really like his article about dumb to managed switch conversion. I wonder if more projects like this exist, perhaps with some existing community. Would be really cool if one could buy a cheapo switch and hack it to a managed one, in a similar fashion to how you can flash OpenWrt on some cheap routers and make them 100x better.
Aw... Was reading, clicked to page 5:<p>>Warning: mysql_connect(): Can't connect to MySQL server on '127.0.0.1' (111) in /var/www/spritesmods/connectdb.php on line 2<p>Edit: seems to work again!
I wouldn't trust the data on a hard drive anyway, since the hard drive can be removed and the data changed. If you want to make sure you're reading _your_ /etc/shadow, it needs a message authentication code. If you want to prevent others from reading your disk, it needs to be encrypted.
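Added example, not part of any comment in this thread: a sketch of the message-authentication-code check the last comment describes, verifying a file's bytes with HMAC-SHA256 before they are used. The `SimulatedDrive` class, the key, the sample `/etc/shadow` line and the function names are constructed for illustration, and the key is assumed to be stored somewhere other than the disk being checked.

```python
import hashlib
import hmac

def tag_file(key: bytes, path: str, content: bytes) -> bytes:
    """HMAC-SHA256 over (path, content); binding the path stops a valid
    tag for one file being replayed against another."""
    p = path.encode()
    mac = hmac.new(key, len(p).to_bytes(4, "big") + p, hashlib.sha256)
    mac.update(content)
    return mac.digest()

def read_verified(key: bytes, path: str, read_fn, expected_tag: bytes) -> bytes:
    """Read once, check the MAC over those exact bytes, return the same
    buffer. Re-reading after verification would let the device answer
    differently the second time."""
    data = read_fn(path)
    if not hmac.compare_digest(tag_file(key, path, data), expected_tag):
        raise ValueError(f"MAC mismatch for {path}: contents not trusted")
    return data

class SimulatedDrive:
    """Constructed stand-in for a disk whose reads may come back altered."""

    def __init__(self, files, rewrite=None):
        self.files = dict(files)
        self.rewrite = rewrite or (lambda path, data: data)

    def read(self, path: str) -> bytes:
        return self.rewrite(path, self.files[path])

# Constructed sample data; the key is assumed to live off the disk.
KEY = b"constructed-demo-key-kept-off-disk"
SHADOW = b"root:$6$constructedsalt$constructedhash:19000:0:99999:7:::\n"
TAG = tag_file(KEY, "/etc/shadow", SHADOW)

def demo():
    """Return (honest read accepted, altered read detected)."""
    honest = SimulatedDrive({"/etc/shadow": SHADOW})
    swap = lambda p, d: d.replace(b"constructedhash", b"differenthash00")
    altered = SimulatedDrive({"/etc/shadow": SHADOW}, rewrite=swap)
    ok = read_verified(KEY, "/etc/shadow", honest.read, TAG) == SHADOW
    try:
        read_verified(KEY, "/etc/shadow", altered.read, TAG)
        detected = False
    except ValueError:
        detected = True
    return ok, detected
```

A MAC only detects modification; if the tag is stored on the same disk, a device can still return an older file together with its older valid tag, so freshness needs a counter or tag kept elsewhere.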