Background:
I got some malware in Windows, possibly a rootkit or bootkit. I didn't want to take any chances, so I foolishly wiped my drive with DBAN (PRNG, 8 pass). Later I came to know that DBAN does not kill the HPA (Host Protected Area) and DCO (Drive Configuration Overlay), which are "hidden areas" used by some hard drives.
I saw that HDDErase, made by CMRR, can remove the HPA and DCO if present, but the project was stopped in 2005 or 2007. So I came to Linux's hdparm in the hope that it will wipe my HDD 100% clean so that I can install Windows again on a 100% clean hard drive. As an aside, I also looked at "BC Wipe Total Wipeout", which does HPA and DCO removal but costs $50.
I'm an average computer user with little Bash skill, i.e. I don't really know what I am doing.
Questions:
My drive is a 320GB 7200RPM Seagate drive.
The output of sudo hdparm --dco-identify /dev/sda:

    /dev/sda:
    DCO Revision: 0x0001
    The following features can be selectively disabled via DCO:
    Transfer modes:
    mdma0 mdma1 mdma2
    udma0 udma1 udma2 udma3 udma4 udma5 udma6(?)
    Real max sectors: 625142448
    ATA command/feature sets:
    SMART self_test error_log security HPA 48_bit
    (?): selective_test conveyance_test write_read_verify
    (?): WRITE_UNC_EXT
    SATA command/feature sets:
    (?): NCQ interface_power_management SSP
- What does this output mean? How do I ensure that there is no possibility of malware remaining in the HPA or DCO?
- Is there a way to find out the size in terms of GB instead of sectors?
- Will hdparm do a complete wipe of all malware that resides in the HPA and DCO?
I also saw this on the Wiki page and was a little worried:
hdparm has a more serious drawback: it can crash a computer and make data on its disk inaccessible if certain parameters are misused. Out of approximately sixty-seven parameters, several are dangerous and could result in "massive filesystem corruption" when used indiscriminately.
Best Answer
So we have a basic admission here: the drive was wiped, so there is no partition table, file system or data on the drive. So there can be no data corruption or file system corruption, as neither exists, DBAN having ensured this, and so the following HDPARM warning is not applicable.
Fire up your Linux boot disk and run hdparm.
To use HDPARM to clear the HPA
For x = device you're targeting, use the following HDPARM command to show if you have an HPA enabled.
It will spit back something like the following if you have an HPA defined:
To remove the HPA and expand the visible area out to the full size of the drive use the denominator in the above report (visible area/max sectors):
It will spit back a report that the visible area is equal to the max sectors and that the HPA is disabled.
To use HDPARM to check if a DCO is in place and set it back to factory defaults
Since the DCO is set up by the manufacturer, you must accept that messing with it will possibly brick the drive. But then that's the least of your problems if you think you got some sophisticated malware that could actually mess with it. To see the DCO, use the following HDPARM command.
In your example, it gave you:
So, your drive manufacturer uses DCO to define the allowable data transfer modes (MDMA, UDMA), the real size of the drive (max sectors), and ATA/SATA commands that can be disabled.
If you want to attempt reverting the DCO back to factory defaults, you can use the following HDPARM command:
It will spit back at you the following warning that changing the DCO will cause total data loss. Think of it as changing the partition size or wiping out the partition table and restoring it with incorrect parameters. On a wiped disk, you have already lost the data, eh? Basically a "Sorry, you didn't back up your data before proceeding; you're SOL if the DCO doesn't match after the command's run and you think anything will be recoverable from the drive because of size reassignment."
Per the instructions, you add the following "I accept the consequences" switch:
And it tells you:
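As an added example (not part of the question or the answer above), a small POSIX shell script that parses the sector counts reported by hdparm -N and hdparm --dco-identify, converts them to GB, and flags any sectors the OS cannot see. It assumes 512-byte logical sectors; the hdparm output it runs on is constructed sample text in the same format, so it can be tried without touching a real drive.

```shell
#!/bin/sh
# Added example, not code from the question or answer above.
# Assumption: 512-byte logical sectors; sample hdparm output below is constructed.

SECTOR_BYTES=512

# Sector count -> decimal gigabytes (10^9 bytes), two decimal places.
sectors_to_gb() {
    LC_ALL=C awk -v s="$1" -v b="$SECTOR_BYTES" 'BEGIN { printf "%.2f", s * b / 1e9 }'
}

# Parse "max sectors = VISIBLE/HPA_MAX, HPA is ..." from `hdparm -N` output and
# "Real max sectors: N" from `hdparm --dco-identify` output.
# Prints "VISIBLE HPA_MAX DCO_REAL HIDDEN"; HIDDEN = DCO_REAL - VISIBLE is the
# number of sectors the OS cannot see (0 means nothing is hidden by HPA or DCO).
hidden_report() {
    n_out=$1
    dco_out=$2
    visible=$(printf '%s\n' "$n_out"   | sed -n 's#.*max sectors *= *\([0-9]*\)/\([0-9]*\).*#\1#p')
    hpa_max=$(printf '%s\n' "$n_out"   | sed -n 's#.*max sectors *= *\([0-9]*\)/\([0-9]*\).*#\2#p')
    dco_real=$(printf '%s\n' "$dco_out" | sed -n 's#.*Real max sectors: *\([0-9]*\).*#\1#p')
    if [ -z "$visible" ] || [ -z "$hpa_max" ] || [ -z "$dco_real" ]; then
        echo "hidden_report: could not parse hdparm output" >&2
        return 1
    fi
    printf '%s %s %s %s\n' "$visible" "$hpa_max" "$dco_real" "$((dco_real - visible))"
}

# Constructed sample: an HPA hiding 2113 sectors; DCO real max equals the HPA max.
SAMPLE_N='/dev/sda:
 max sectors   = 625140335/625142448, HPA is enabled'
SAMPLE_DCO='Real max sectors: 625142448'

main() {
    report=$(hidden_report "$SAMPLE_N" "$SAMPLE_DCO") || return 1
    set -- $report
    echo "visible:  $1 sectors ($(sectors_to_gb "$1") GB)"
    echo "DCO real: $3 sectors ($(sectors_to_gb "$3") GB)"
    if [ "$4" -gt 0 ]; then
        echo "hidden:   $4 sectors ($(sectors_to_gb "$4") GB) not visible to the OS"
    else
        echo "hidden:   none; visible size matches the DCO real maximum"
    fi
}

main
```

On a real drive, replace the sample strings with the captured output of `sudo hdparm -N /dev/sdX` and `sudo hdparm --dco-identify /dev/sdX`; a non-zero hidden count is the condition the answer's HPA/DCO reset steps are meant to remove.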