mirror of
https://gitea.tendokyu.moe/eamuse/docs.git
synced 2024-11-28 00:20:52 +01:00
Ring ATA passwords
parent
75926b268a
commit
9fd61d1453
@ -32,6 +32,8 @@
|
||||
<p>This can be bypassed either by extracting the password used, or by first powering on the Ring* system with the drive
|
||||
connected, then hotplugging the SATA data cable on the drive while keeping the drive powered.</p>
|
||||
|
||||
{% markdown %}{% include relative("~ata.md") %}{% endmarkdown %}
|
||||
|
||||
<details>
|
||||
<summary>Why does this work?</summary>
|
||||
<p>The following is the sequence of possible security modes for an ATA drive:</p>
|
||||
|
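Review bot: The include is placed between the bypass paragraph and the `<details>` block whose summary is "Why does this work?", so that question now follows the key-derivation text and it is no longer clear what "this" refers to. Consider moving `{% markdown %}{% include relative("~ata.md") %}{% endmarkdown %}` below the closing `</details>`, or adding a one-line lead-in before it. The paragraph above also says "extracting the password used" while the included text describes deriving it from the model number, so the wording there may need to match.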
30
templates/pages/sega/software/security/~ata.md
Normal file
@ -0,0 +1,30 @@
|
||||
The ATA key is derived in the BIOS during boot, based on the 40-byte model number of the drive provided by the ATA identify device data command (0xEC). The 32-byte password is then calculated based on the following algorithm. This algorithm is consistent between RingWide, RingEdge and RingEdge2 (thanks to Darksoft for some info here). Happy unlocking!
|
||||
|
||||
```py
|
||||
CHARSET = bytearray(b'/-AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz0123456789')
|
||||
|
||||
def charset_index(x: int) -> int:
|
||||
if x in CHARSET:
|
||||
return CHARSET.index(x)
|
||||
return 0x55
|
||||
|
||||
def prepare_password(model: bytes) -> bytes:
|
||||
assert len(model) == 40
|
||||
password = bytearray(32)
|
||||
|
||||
for i in range(32):
|
||||
a = charset_index(model[i])
|
||||
b = charset_index(model[39 - i])
|
||||
|
||||
if i % 2 == 0:
|
||||
password[i] = (((i ^ a) & 0x1f) << 3) ^ ((b & 0x2e) >> 1)
|
||||
else:
|
||||
password[i] = (((i ^ b) & 0x3b) << 2) ^ ((a & 0x66) >> 1)
|
||||
|
||||
return password
|
||||
```
|
||||
|
||||
Some common disks:
|
||||
|
||||
- `GBDriver RS2`: `7242525aba526a5aea726278ca42da4a2a223a2a0a221a2a6a027a0a5cce4a0a`
|
||||
- `GBDriver RS3`: `7242525aba526a5aea726278ca42da4a2a223a2a0a221a2a6a027a0a5cce4a0a`
|
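Review bot: `prepare_password` asserts `len(model) == 40`, but the entries under "Some common disks" are 12-character names (`GBDriver RS2`, `GBDriver RS3`), so the text should state how the model string is padded to 40 bytes and in what byte order it is taken from the identify data. Without that, a reader cannot reproduce the listed values. A sentence on why both disks list the same password would also help, since it otherwise reads as a copy-paste slip. Smaller points: the function is annotated `-> bytes` but returns the `bytearray`, so `return bytes(password)` would match the signature, and the length check is better as an explicit `ValueError` than an `assert`, which is skipped under `python -O`.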