Hi,

I am currently working on HPA ( Host protected areas) , haven't done much work. BUt here is what I have found and I have some doubts:

Host protected area is basically that part on the Hard disk that has vendoer specific information. The vendor might store information about the diagnostic utilities etc...

The best way to find out whether the hard disk has a HPA or not can be done using the dmesg command (I have tried on RH 8.0 ) assuming that you have the latest version of the kernel. It might work with the older versions as well.

The other method would be to use the sleuth kit and autopsy along with it.

there is a diskstat tool in that which will give the same information as dmesg command.

The interesting part comes when you have the ability to access the HPA.

The HPA can be detected but cannot be accessed, so in order to access it you might want to use the setmax.c program written by Andries Brouwer

simply run the program using the gcc command and remove the HPA using the following command

./setmax --m X /hdb

remember that X is the no of sectors ( This should be the total no. of sectors except for sector 0) for that is the place where MBR is stored.

simulatneously you can set the HPA using ./setmax --d Y /hdb where y is the no of sectors

e.g. say for e.g. you have 1000 sectors ( Maximum user sectors and disk sectors) then the command

./setmax --d 50 will result in HPA getting set from 950 to 1000


NOTE: I might be wrong with the m option for it's quite some time that I have used this program.


Now that you know how to remove HPA we can try and store some data on to it. this can be done using lde (it is disk editing tool) simply compile and run lde ( make sure that there is no HPA )

compare the no. of sectors from dmesg and the no. that appears on lde . The tool is simple to use and any one can easily write data on any Inode ( these are part of blocks)

Now set the HPA back again and run lde , lde doesnot detect the HPA so if you had reserved 50 sectors (out of 1000 sectors) it will display 950 .

Now comes the question that I have to ask: where is the information about the sectors, the hard disk capacity stored ? by this I mean which sector or what location in the Hard disk is this information stored or is it stored some where else.

NOTE: I am not testing any one here , I want to really find out where this information is stored .

sources: http://www.sleuthkit.org/informer

There might be mistakes in the above information , do let me know if any..

Thanks,

MRG.