Forensic Internals ATATool v1.4.0.

210 Readme (April 2023)

=========================================================

Purpose
-------

ATATool can be used to display and modify ATA disk information from a
Microsoft Windows environment. We believe this is a unique technical capability
thatis not available in any other known tool.

Current features include:

a. List attached ATA devices (both legacy PATA and SATA)

b. Display device information including model/serial number, HPA and DCO status
c. Modify and reset HPA device status (SETHPA and RESETHPA commands)
d. Enable, lock, unlock and freeze HPA device security (password)
e. Modify, reset and freeze DCO device status (SETDCO and RESETDCO commands)
f. Force Windows device re-detect following HPA/DCO status change
g. Generate 'bad' sectors (corrupt ECC) and fix them

ATATool has the following requirements:

a. Windows 7 SP1 or later (32-bit or 64-bit)

b. Administrator rights (e.g. elevated)
c. (S)ATA device connected to a *real* (S)ATA controller. USB bridges are not
supported

ATATool is distributed with both x86 (32-bit) and x64 (64-bit) builds.
These are feature identical and the 32-bit build can be used on most 64-bit
systems.
The 64-bit build is provided for pure 64-bit environments (such as Windows PE).

ATATool supports both decimal and hexadecimal numeric formats. To use hexadecimal
prefix values with '0x'.

Syntax
------

ATATOOL action [options] [device]

Where action may be:

/LIST - List all detected ATA devices (default)

/INFO - Display summary ATA information for device
/DETAIL - Display detailed ATA information for device
/SETHPA:size[MB][GB][TB] - Set maximum number of sectors or capacity (HPA)
/RESETHPA - Restore default device maximum capacity (HPA)
/PASSWORDHPA:password - Set new HPA password (maximum 16 characters)
/UNLOCKHPA:password - Unlock HPA with existing password
/LOCKHPA - Lock HPA with existing password
/FREEZELOCKHPA - Freeze lock HPA until hardware reset / power-off
/SETDCO:size[MB][GB][TB] - Set maximum number of sectors or capacity (DCO)
/RESTOREDCO - Restore default device maximum capacity (DCO)
/FREEZELOCKDCO - Lock DCO until next hardware reset / power-off
(DCO)
/FORCEREDETECT - Force hardware redetect by OS
/ADVANCED - Display additional detailed syntax
/HELP or /? - Display syntax
Capacity may be specified using MB, GB or TB suffix. e.g. 500GB
Numeric values may be decimal or hexadecimal. Prefix hexadecimal with '0x'

Additional actions (Experimental):

/VERIFY:sector - Verify specific sector is readable (and has

valid ECC)
/READ:sector - Read specific sector (normal)
/WRITE:sector - Wipe specific sector (normal). Also fixes ECC.
/BADECC:sector - Corrupt ECC on sector (Requires WRITE
UNCORRECTABLE EXT)
/FIXECC:sector - Repair ECC on sector (Requires WRITE
UNCORRECTABLE EXT)

The /BADECC and /FIXECC commands can be used to simulate 'bad' sectors with
corrupt ECC data. This feature requires WRITE UNCORRECTABLE EXT which
was added in ATA-8 (~2008). It will probably do nothing on older devices

Further actions for older devices (Experimental):

/READLONG:sector - Read specific sector (ignore ECC)

/WRITELONG:sector - Wipe specific sector (including ECC). Also
breaks ECC.
/BADECCLONG:sector - Corrupt ECC on sector (make bad sector)
/FIXECCLONG:sector - Repair ECC on sector (fix bad sector if
possible)

The xxxLONG commands should be used very cautiously because they rely on a feature
that was obsoleted in ATA-4 (~1998). In practice, on some modern devices (e.g.
Seagate)
they continue to work but abort on other devices. Particular problems may occur
using
/WRITELONG and /BADECCLONG on devices with physical sector sizes > 512 bytes
because the ECC data on the underlying physical sector may be corrupted.
In this case, it may be possible to carefully fix the problem by applying
/FIXECCLONG to each logical sector within the underlying physical sector.

It is possible (but unlikely) that SATA / M.2 SSD disks will support the /FIXECC
command.
This is because SSD disks do not use on-disk ECC bytes in the same way as
traditional disks.
It is very unlikely that NVMe / M.2 SSD disks will support the /FIXECC command
because
these use a completely different command set which is unrelated to traditional
disks.

Options:

/NONVOLATILEHPA - /SETHPA and /RESETHPA changes are permanent

Default is for changes to be discarded on power-off
/NOHPA - Use with /SETDCO to permanently disable HPA features (if
supported)
/NO48BIT - Use with /SETDCO to permanently disable 48-bit addressing (if
supported)
When used with other actions this option disables 48-bit
addressing and
forces 28-bit addressing. This may result in unexpected
behaviour or
 data corruption (due to address wrapping) on devices >128GB

Additional options (used with extra care):

/NOREDETECT - Disable device re-detection for HPA and DCO commands.

This option is required to make changes to system drive.
and should be used with extreme caution as the system
may be unstable after reducing drive size. Re-detection
is enabled by default but may be disabled with care to
workaround specific problems.

/NODMLEGACY - Do not attempt to dismount volumes (legacy method)

/NODMWIN7 - Do not attempt to dismount volumes (Win7 and later)

Known limitations:

Some DCO capable devices may not support /NOHPA and /NO48BIT. On such devices
these additional options will have no effect. This software can only manage
(S)ATA devices which are directly connected. It does not currently support
devices connected via a USB bridge, forensic write-blocker or similar

Warning:

This software should be used with great care. It is not recommended to

make changes to disks that contain live file systems or open file handles.
Windows may behave unexpectedly or even crash if a live disk changes size
or becomes inaccessible. A reboot may be required for changes to take effect.
A reboot will always be required when making changes to the system/boot drive.
DCO changes are always permanent until changed again. The author accepts no
responsibility for damage caused by this software. Use with *extreme* care!

Examples:

ATATOOL /LIST
ATATOOL /INFO \\.\PhysicalDrive1
ATATOOL /DETAIL \\.\PhysicalDrive1
ATATOOL /SUPPORTDUMP \\.\PhysicalDrive1
ATATOOL /SETHPA:1000MB \\.\PhysicalDrive1
ATATOOL /SETHPA:0x100000 /NODMWIN7 \\.\PhysicalDrive1
ATATOOL /RESETHPA /NONVOLATILEHPA \\.\PhysicalDrive1
ATATOOL /FORCEREDETECT \\.\PhysicalDrive1
ATATOOL /SETDCO:10GB /NOHPA \\.\PhysicalDrive1
ATATOOL /VERIFY:0x1 \\.\PhysicalDrive1

Notes about 'bad' sectors

-------------------------

There are two methods to simulate 'bad' sectors. Each has limitations:

1. /BADECC and /FIXECC- This uses the WRITE UNCORRECTABLE EXT command which is
available from ATA-8 and present in many
drives from ~2007 onwards.

2. /BADECCLONG and /FIXECCLONG - This uses the WRITE LONG command which was
present in ATA-3 (~1997) but removed
in ATA-4. This command continues to be supported by many drives but not all.

It is recommended that you try /BADECC first. If this works then the procedure to
simulate a bad sector is:

ATATOOL /BADECC:sector \\.\PhysicalDriveX

ATATOOL /VERIFY:sector \\.\PhysicalDriveX - This will fail!
ATATOOL /FIXECC:sector \\.\PhysicalDriveX
ATATOOL /VERIFY:sector \\.\PhysicalDriveX - This should complete ok

If the drive does not support /BADECC then you may like to try the /BADECCLONG
command. The basic procedure is the same as
above but *beware* of the following limitations:

1. The command may not be supported and will abort (without making any change)
2. The command will complete and the 'damage' must be fixed with /FIXECCLONG as
above
3. The command will complete but 'damage' multiple sectors. This can occur when
the underlying physical sector
size is larger than the logical sector size. For instance, advanced format
disks may have 4KB physical sectors
but present 512byte logical sectors. In this case, all related logical sectors
are 'damaged' and must be fixed
individually. For instance, if sector 0 was damaged the commands would be:

ATATOOL /FIXECCLONG:0 \\.\PhysicalDriveX

ATATOOL /FIXECCLONG:1 \\.\PhysicalDriveX
ATATOOL /FIXECCLONG:2 \\.\PhysicalDriveX
ATATOOL /FIXECCLONG:3 \\.\PhysicalDriveX
ATATOOL /FIXECCLONG:4 \\.\PhysicalDriveX
ATATOOL /FIXECCLONG:5 \\.\PhysicalDriveX
ATATOOL /FIXECCLONG:6 \\.\PhysicalDriveX
ATATOOL /FIXECCLONG:7 \\.\PhysicalDriveX

Change History
--------------

v1.0.0.8 July 2015 Initial public release

v1.1.0.15 May 2017 Updated beta release
v1.2.0.18 June 2017 Added DCO support, simulated "bad" sectors and options for
hardware redetection
v1.3.0.20 October 2017 Major update. See recent change list below
v1.4.0.70 June 2021 Re-release under "Forensic Internals" branding. Some new
features (see below)
v1.4.0.110 July 2021 Fixed broken /READLONG command and added ACS/TRIM support

Recent Changes
--------------

Release v1.4.0 made the following changes:

1. Added support for ATA8-ACS, ACS-2 and ACS-3

2. Added detection of TRIM and TRIM behavior (and if can be disabled by DCO)
3. Added detection of AMAX (ACS-3)
4. Added device media serial number#

Release v1.3.0 made the following changes:

1. Fixed crash on some Windows 7 and later systems when unmounting disk following
setting of HPA/DCO
2. Added commands to set HPA security password, lock, unlock and freeze
3. Added /DEBUG command to report detailed ATA registers for investigating
problems
4. Report if DCO appears frozen (e.g. empty). May be set by BIOS during startup
5. Report if HPA security feature (password) is enabled. May be set by BIOS during
startup
6. Simplified basic syntax help. Use /ADVANCED now displays more information

Website
-------

Please visit www.forensicinternals.com for further information on this tool.

Tips for working with "frozen" devices

--------------------------------------

Both the DCO and HPA configurations may be "frozen" until the next device power-
cycle.
It is quite common for systems to freeze the configuration during start-up and thus
prevent the
HPA and DCO from being easily modified. This can usually be overcome on a non-
system disk
by briefly powering off the device. One method to do this is to sleep the PC for a
few seconds.
Alternatively, this can be done by briefly disconnecting the device power whilst
the system is running.
Please note that SATA is not designed to support this feature and your results may
vary.
This operation should always be done with great care and only by a suitably
qualified person.
Modification of a system disk is more difficult and it may be necessary to boot the
system
from another disk (or Windows PE) to modify it.

Tips:

a. If /SETDCO command fails to work, try using /RESTOREDCO first

b. If /SETDCO still fails to work, try sleeping the PC or momentarily
disconnecting the SATA power
c. Similarly, if /SETDCO or /RESTOREDCO commands appear to work but drive capacity

is not changed in Windows, try sleeping the PC or momentarily disconnecting the

SATA power

Reporting Problems
------------------

ATATool remains experimental software. If you have problems please contact us using
the address below.
Please provide a complete description of what you are attempting to do and what
happens.

Support/Suggestions
-------------------

If you have any questions or suggestions please contact [email protected]

WARNING
-------

This software can be used to permanently modify the configuration (including size)
of a device. This may prevent access to data that was previously accessible
and may result in permanent data loss. This tool should be used with great care
and Data Synergy accepts no liability for any loss resulting from the use of this
software.

DISCLAIMER
----------

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.