Slide 2840: The GMR (giant magnetoresistive) head is the current head used on most hard drives. This head uses high end physics I do not claim to understand. The only major difference is the way the head has been changed to read perpendicular. The GMR head has four layers, a sensing layer, a conducting layer, a pinned layer and an exchange layer. It was discovered that if you took two magnetic layers and aligned them opposite each other with a soft layer between them that the magnetic force would align themselves in parallel. When a bit of data passes under the heads the electrons bounce around in the layers causing the pinned layer to spin.
For more info, read http://www.hitachigst.com/hdd/technolo/gmr/gmr.htm
Slide 2865: Hard drives have switched to Perpendicular Recording. I talked about the changes and previous versions last year and you can reference that speech for more info. The biggest change switching to perpendicular is that the data is written up and down instead of longitudinal. Because of this, changes had to be made to the platter so it would not interfere with reading and writing.
Slide 2885: The coatings have changed and the substrate on the bottom (the platter itself) was the biggest change. Almost every platter has converted to a glass ceramic platter. What this means to you in data recovery is that it is obvious when a scratch occurs. In most cases you will be able to see though the platter. Sometimes the rings that are created by the scratch are so smooth that they look like they are supposed to be there. I assure you that they are not. It should be silver from one edge to the other with no rings at all. So if you see a ring, in most cases the game is over or your recovery just got a lot harder.
Slide 3000: The data structure that is written to the sectors is important to understand if you are using any diagnostic software. Many of them use common nomenclature to discuss the types of errors.
Common Error Codes and Diagnostic Info from Most High End Software:
BSY – drive busy
DRDY – Drive ready to accept commands
ERR – The Last Result was an Error
DREQ -exchange data with host
WRFT – Write Fault
AMNF-Address Marker Not Found
IDNF- Sector ID Not Found
ABRT- Command Aborted
TONF – Track 0 not found
You will see the error codes here in almost all data recovery and diagnostic software. This particular block of data (slide 3259) is one single sector. It contains a 512 byte block of data. This is how on sector looks to every hard drive regardless of your operating system.
I could not possibly explain every error you will see, but I can give you the basics of the most common you will see doing diagnostics.
IDNF is the Address not found. If the sector that holds this information is corrupt there is no way for the hard drive to locate this sector and it will return the result IDNF.
AMNF is the Address Marker Not Found. This is similar to the IDNF but relates to the data. If there is an error and this marker is corrupt then the data for this sector cannot be located. The data in this area is 512 bytes of user data.
ECC is that there is a problem reading from ECC and it does not match. ECC is used to check the integrity of the data being read. When the data is read the drive calculates the ECC and compares. If there is an error the drive will retry until it cannot get a correct result and then will return the UNC error.
UNC will happen when the data is uncorrectable data error.
ABRT is an abort error and it will discontinue trying to read that block
Slide 3559: The preamp is a chip that amplifies the signal coming from the heads of the drive. Since the data that is read coming from the heads is similar to a wave form from a speaker, the preamp will amplify it and send it on to the electronics for decoding. There are two types of preamps, one is soldered on, and the second is glued on. It is often possible for a preamp to come loose due to heat expansion and not to have a good connection to the board. It is also possible for the preamp to fail. This is one of the causes of the click of death for the hard drive. It is often difficult to replace or fix this circuit and is more likely you can do a platter swap to a good drive, or replace the head stack assembly. The voice coil was mentioned in previous information at Defcon 14.
Click of Death and Hard Drives Safe Mode Notes
Errors cause the drive to constantly shutdown and recalibrate, this is a sound or movement that can usually be heard or seen and is known as the Click of Death for hard drives. If drive parts are good then rewriting the SA area is the part that needs repairing. The difficultly is in knowing if the rest of the parts are good. The SA can only be rewritten by a few devices. There are a few ways to get around this; one of the ways is a live PCB swap. Again the SA is not accessible over the interface without special tools.
Most hard drives have a specific recalibration routine they use to retry the SA area. Even though it cannot be read most drives will continue this routine. A few drives will, after a certain number of times automatically power down. The normal timing routine for this process is:
Two head clicks
two head clicks again
** Some drives will perform three head clicks before powering down.
Maxtor drives will test all heads from 0 to F; it must come out to level F, or stop the spindle. The problem of Quantum drives of all series (including last series — known as Maxtor D540X and D740X) can be detected by the specific sounds: after starting, there will be two loud clicks, then drive’s motor will increase its speed, and there will be 4 more clicks, after which the drive will become “ready”. For Western Digital a dead preamplifier is also detected by the specific sounds: after two loud clicks the drive will stop the spindle. If you have a clicking Maxtor then heads malfunctioning is characterized with a continuous clicking for over 30 seconds. Samsung drives with a dead preamplifier also click two times and then stop the spindle; however, for Samsung drives it can also mean problems with reading of the critical modules of the system area.
Hard Drives Safe Mode
Can be done by setting jumpers in case a module is damaged or some drives can detect it and go into safe mode itself. In safe mode the drive bypasses its own firmware and is waiting for firmware to be uploaded to ram. The RAM code is called the loader and will start the drive operations. It is possible for the hard drive to go into safe mode all by itself if it detects a problem. You will never know this is happening on purpose. Some software like MHDD might be able to tell you if your drive is in safe mode. You will never be able to recover data until this problem is solved and it is not running in safe mode. When it is running in safe mode it will sound like the Click of Death on most hard drives.
Diagnostic software called MHDD or Victoria
MHDD Software commands and functions:
Erase Waits:- It is better to use this for Drive Repair but it is data destructive
HPA :- Host Protected Area Functions
REMAP: – Try to recover bad sectors
Standby: – turn the motor off
PWD: – User Password INFO
Dispwd: – disable the password
Fdisk: can make one full size fat 32 drive