Came across it looking how to deal with multiple different samsung drives caught in bad states due to shitty firmware. My original salty post warning about vendor branded Samsung drives on eBay is here: https://news.ycombinator.com/item?id=37165189
alecco 1 days ago [-]
This deserves its own blog post and HN submission. Since SSDs have been 2x to 4x prices people are now more likely to buy used and could get burned.
BTW thank you for raising this.
ornornor 22 hours ago [-]
Samsung has lost any credibility they had as a competent manufacturer years ago. Their other products are beyond junk (fridges, washing machines…), their customer service is abysmal (they managed to “repair” my mp3 player and smartphone by returning it even more broken than they got it, and I’ve seen how the company works from the inside when they bought a startup I was working at. I know many people with Samsung fridges failing after a few years (or having too little coolant in them so that they make loud popping sounds when running and Samsung saying you’re holding it wrong)
From these experiences, I’m going out of my way to never buy anything made by Samsung.
ike____________ 19 hours ago [-]
You forget exploding devices or the decision of selling it's crap exynos thing in Europe
ornornor 17 hours ago [-]
Right. And their complete contempt for user privacy on their smart TVs. Anyway, as far as I'm concerned, I'll even pay extra to buy anything but a Samsung device.
UltraSane 13 hours ago [-]
The Galaxy smartphones are still some of the best.
ornornor 10 hours ago [-]
That’s your opinion. I’ll never get one and I absolutely don’t trust Samsung with my personal data.
tosti 10 hours ago [-]
They don't do VoLTE when rooted. Their own stock ROM is on par with iPhone-level unworkable UI garbage. Apps that work on everything but not Samsung Galaxy. The only ROMs you can feasibly get on most models are limited to GSI builds.
"The best" must be quite a low bar.
UltraSane 2 hours ago [-]
"Apps that work on everything but not Samsung Galaxy."
This is interesting, what are some examples?
edrobap 15 hours ago [-]
[dead]
saagarjha 17 hours ago [-]
How do I know if I have a drive in this situation?
Modified3019 9 hours ago [-]
In my case, the drive suddenly only shows having 1GB of read only space available. The firmware version will be reported as “ERRORMOD” (meaning, error mode). There are no warning signs, it just happens.
All data is lost the moment you see ERRORMOD, there is no recovery of data that I am aware of. It is sometimes possible to clear the drive and recover function for the now untrustworthy drive: https://forums.servethehome.com/index.php?threads/pm9a3-firm...
It’s not the only way a drive can fail, but it’s the most immediately obvious one.
Other ways of the firmware failing result in no drive showing up at all, or data corruption. Physical failures can also happen, like breakage of the solder balls under the chips (which fixable enough to get data off it).
turpentine 1 days ago [-]
The obfuscation hardware vendors do is so trivial, why do they even bother?
One of the current vendor provided consumer SSD firmware update utilities for Linux as a live-usb decrypts the firmware and writes it out to disk decrypted before uploading it, so simply using seccomp to fail a rmdir syscall nets you the decrypted version without having to reverse engineer any of the updater/decryption code.
I deleted my own negative rant about SSD manufacturers not opting in to lvfs/fwupd when drives have a high risk of bricking without firmware updates.
stronglikedan 11 hours ago [-]
> The obfuscation hardware vendors do is so trivial, why do they even bother?
The lock on your front door is so trivial to bypass, yet deters the vast majority of people from entering your house without your permission.
superxpro12 13 hours ago [-]
Mostly so they can check the box of "we implemented readback protection" and move on to more important aspects of the job.
The goal is not to produce cryptographically secure code, its to make it annoying enough so most people dont bother.
pixl97 24 hours ago [-]
>why do they even bother
So when you start publishing their code they can DMCA you.
AnthonyMouse 18 hours ago [-]
Except that DMCA 512 (notice and takedown) is a different section than DMCA 1201 (anti-circumvention) and you don't have to be using any DRM of any kind to use the former because they're unrelated.
Also, wouldn't someone trying to distribute "illicit copies" just distribute the original unmodified file since it's a self-extracting binary with no license check? And what reason would anyone have to do that when they already publish it for free on their own site, and why should they care if someone did?
morpheuskafka 1 days ago [-]
This article might be handy for someone interviewing at that firm (Red Balloon) that sends you a "weird" hard drive as the interview CTF? I still have it sitting around but it arrived around finals season so I never really looked at it, but since they bothered to send a whole drive and SATA-USB adapter, it obviously must have something to do with the drive itself.
If someone had a ton of money, it would be funny to just send the thing to a data recovery lab, have them swap the platters onto an unmodified model and get a raw image of the data to work with. (Or maybe the key is hidden inside the drive firmware chip itself?)
jareklupinski 1 days ago [-]
i still have mine too! managed to talk to the microcontroller and dump its firmware, but didn't know enough about how to make it arbitrarily run code without worrying about ruining it all
red_balloon 1 days ago [-]
Appreciate the (unaffiliated) shout out! No comment on the drive recovery idea...
The fundamentals in the article are all relevant to the hard drive challenge, though the actual multi-step solution to our CTF is rather different.
If hacking hard drives sounds intriguing to you, we're hiring reverse engineers and security researchers! See our whoishiring posts and careers page for details:
As a data point for anyone curious, they're US based ("Midtown West in New York City") and their careers page mentions the roles are all in-office ones.
Ah well. ;)
busterarm 13 hours ago [-]
They opened/are-opening a northern virginia office, according to their HN posts.
But yeah, as much as I would love to work with them, I have zero desire to ever move out of the southeastern US and especially back to NY. The nature of what they do does kind of require in-office work though.
justinclift 13 hours ago [-]
Heh, I'm not even in the US. ;)
busterarm 1 days ago [-]
I'm glad you all are still doing this challenge. Ang handed one to me at Defcon 6 or 7 years ago and it's one of the most interesting challenges I've ever attempted.
Didn't finish it but learned a ton.
For anyone reading, Red Balloon is a great place with great people and I highly recommend anyone remotely interested give them a look.
HDBaseT 1 days ago [-]
The Red Balloon website looks AI generated.
busterarm 1 days ago [-]
1) so what?
2) evidence?
3) it's very obviously a wordpress site using elementor
4) the content really hasn't changed a ton in the last 10 years or so as far as I can tell
5) again, so what?
superxpro12 12 hours ago [-]
Lol the careers page is itself a candidate screener. Love it.
dmitrygr 1 days ago [-]
May I have a challenge drive just for the challenge (not interested in switching jobs)?
system7rocks 22 hours ago [-]
One of my favorite things to do is update the firmware of devices. I know it is often ill-advised because if it is working fine, why risk something going wrong? But it’s kind of fun to imagine gaining tiny speed increments with optimizations. I like to do it on Fridays - Firmware Fridays - vacuum cleaners, hard drives, motherboards, ip cameras, Apple IIGS expansion cards, Bluetooth scales, and on and on.
fuzzfactor 14 hours ago [-]
>I know it is often ill-advised because if it is working fine, why risk something going wrong?
Well, if you want more mayhem than was expected . . .
boricj 1 days ago [-]
There's also another very good series of articles about hacking the firmware of a HDD, with modifications of /etc/shadow hashed passwords: https://spritesmods.com/?art=hddhack
Sounds like a punishment. Extra-paranoid work culture and be mistrusted by your counterparts on the outside.
1 hours ago [-]
ElenaDaibunny 1 days ago [-]
The fact that vendors still ship firmware with trivial obfuscation in 2026 is wild. I wonder how many data recovery shops already reverse-engineer these routinely but just don't publish.
pixl97 24 hours ago [-]
Not publishing is the point of why they {{{encrypt}}} it.
Start publishing it and it's a good chance you'll get a DMCA notice in short order.
UomoNeroNero 12 hours ago [-]
I feel like a Neanderthal watching a sixteen-year-old fiddling around on a smartphone. Incredible. Maximum respect.
fuzzfactor 14 hours ago [-]
For anybody involved with research of any nature, you don't need to be interested in HDDs or SSDs or even hacking hardware or software of any kind.
This says a lot right here:
>One of my initial ideas was to modify the HDD firmware to introduce a delay of a few hundred milliseconds when a specific sector is read from the drive, which would give enough time for the exploit to trigger successfully.
>As it would later turn out I found other ways to dial in my race condition attack and ended up not needing to modify the HDD firmware at all.
The result is a remarkable paper documenting outstanding milestones that is outstanding on its own, and was completely unintentional to begin with, and with subject matter that was also unintentional if not a completely unrelated subject than the direction that the initial ambition was leading toward.
If your research leaders or techniques don't allow for excursions like this, you'd probably be better off getting some.
monocasa 1 days ago [-]
Since this is xb360, this is SATA rather than IDE, but in a similar vein I am really looking forward to my PicoIDE to play with adversarial hdd controllers in real systems.
rasz 19 hours ago [-]
You can put picoide behind SATA_IDE bridge too
spr-alex 20 hours ago [-]
how can i upvote this twice?
ezconnect 10 hours ago [-]
I am surprised he didn't try to lower the clock of the MCU of HDD first if he just wanted to delay the reply.
Came across it looking how to deal with multiple different samsung drives caught in bad states due to shitty firmware. My original salty post warning about vendor branded Samsung drives on eBay is here: https://news.ycombinator.com/item?id=37165189
BTW thank you for raising this.
From these experiences, I’m going out of my way to never buy anything made by Samsung.
"The best" must be quite a low bar.
This is interesting, what are some examples?
All data is lost the moment you see ERRORMOD, there is no recovery of data that I am aware of. It is sometimes possible to clear the drive and recover function for the now untrustworthy drive: https://forums.servethehome.com/index.php?threads/pm9a3-firm...
It’s not the only way a drive can fail, but it’s the most immediately obvious one.
Other ways of the firmware failing result in no drive showing up at all, or data corruption. Physical failures can also happen, like breakage of the solder balls under the chips (which fixable enough to get data off it).
One of the current vendor provided consumer SSD firmware update utilities for Linux as a live-usb decrypts the firmware and writes it out to disk decrypted before uploading it, so simply using seccomp to fail a rmdir syscall nets you the decrypted version without having to reverse engineer any of the updater/decryption code.
I deleted my own negative rant about SSD manufacturers not opting in to lvfs/fwupd when drives have a high risk of bricking without firmware updates.
The lock on your front door is so trivial to bypass, yet deters the vast majority of people from entering your house without your permission.
The goal is not to produce cryptographically secure code, its to make it annoying enough so most people dont bother.
So when you start publishing their code they can DMCA you.
Also, wouldn't someone trying to distribute "illicit copies" just distribute the original unmodified file since it's a self-extracting binary with no license check? And what reason would anyone have to do that when they already publish it for free on their own site, and why should they care if someone did?
If someone had a ton of money, it would be funny to just send the thing to a data recovery lab, have them swap the platters onto an unmodified model and get a raw image of the data to work with. (Or maybe the key is hidden inside the drive firmware chip itself?)
The fundamentals in the article are all relevant to the hard drive challenge, though the actual multi-step solution to our CTF is rather different.
If hacking hard drives sounds intriguing to you, we're hiring reverse engineers and security researchers! See our whoishiring posts and careers page for details:
- https://news.ycombinator.com/item?id=47977643
- https://redballoonsecurity.com/careers/
Be sure to mention Hacker News if you apply.
Ah well. ;)
But yeah, as much as I would love to work with them, I have zero desire to ever move out of the southeastern US and especially back to NY. The nature of what they do does kind of require in-office work though.
Didn't finish it but learned a ton.
For anyone reading, Red Balloon is a great place with great people and I highly recommend anyone remotely interested give them a look.
Well, if you want more mayhem than was expected . . .
* https://www.cbc.ca/news/science/nsa-hid-spying-software-in-h...
* https://www.wired.com/2015/02/nsa-firmware-hacking/
:)
Start publishing it and it's a good chance you'll get a DMCA notice in short order.
This says a lot right here:
>One of my initial ideas was to modify the HDD firmware to introduce a delay of a few hundred milliseconds when a specific sector is read from the drive, which would give enough time for the exploit to trigger successfully.
>As it would later turn out I found other ways to dial in my race condition attack and ended up not needing to modify the HDD firmware at all.
The result is a remarkable paper documenting outstanding milestones that is outstanding on its own, and was completely unintentional to begin with, and with subject matter that was also unintentional if not a completely unrelated subject than the direction that the initial ambition was leading toward.
If your research leaders or techniques don't allow for excursions like this, you'd probably be better off getting some.