{"id":50533174,"url":"https://github.com/daedalus/hdd-toolkit","last_synced_at":"2026-06-03T15:30:27.769Z","repository":{"id":358098665,"uuid":"1239951102","full_name":"daedalus/hdd-toolkit","owner":"daedalus","description":"A comprehensive Python toolkit for hdd dumping, analyzing, patching, etc...","archived":false,"fork":false,"pushed_at":"2026-05-23T05:11:17.000Z","size":429,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-05-23T05:25:34.940Z","etag":null,"topics":["ata","data-recovery","firmware","hardware-hacking","hdd","jtag","nvme","samsung","sas","sata","security-research","storage","western-digital"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/daedalus.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-05-15T16:00:41.000Z","updated_at":"2026-05-23T05:11:18.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/daedalus/hdd-toolkit","commit_stats":null,"previous_names":["daedalus/hdd-toolkit"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/daedalus/hdd-toolkit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daedalus%2Fhdd-toolkit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daedalus%2Fhdd-toolkit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daedalus%2Fhdd-toolkit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daedalus%2Fhdd-toolkit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/daedalus","download_url":"https://codeload.github.com/daedalus/hdd-toolkit/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daedalus%2Fhdd-toolkit/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33872297,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-03T02:00:06.370Z","response_time":59,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ata","data-recovery","firmware","hardware-hacking","hdd","jtag","nvme","samsung","sas","sata","security-research","storage","western-digital"],"created_at":"2026-06-03T15:30:25.130Z","updated_at":"2026-06-03T15:30:27.754Z","avatar_url":"https://github.com/daedalus.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# HDD Firmware Toolkit\n\nA comprehensive Python toolkit for dumping, analyzing, patching, and\nhot-deploying HDD/SSD firmware via ATA passthrough and JTAG (OpenOCD).\n\nCovers WD, Seagate, Samsung (840 EVO MEX), Toshiba, NVMe, SAS, and USB\nbridge platforms.\n\n## Features\n\n- **Firmware Parsers:** WD LZHUF, Samsung nibble-swap, Seagate .lod,\n  Toshiba firmware images\n- **Firmware Deobfuscation:** Samsung bytewise + AES/shuffle transforms,\n  WD 513-byte XOR key decode, WDOSX packed executable extraction\n- **ATA Passthrough:** Linux sg_io and Windows DeviceIoControl for\n  direct drive communication\n- **WD VSC Protocol:** Read/write RAM, dump overlay modules,\n  deploy hot-patches via SMART LOG 0xBE\n- **JTAG (OpenOCD):** Memory dumps, breakpoints, register inspection,\n  GPIO/MCU interaction\n- **Samsung MEX (840 EVO):** Full MEX memory map, GPIO, NCQ, AES key\n  slots, DMA exfiltration, SAFE-mode UART, flash channel access\n- **NVMe Admin:** Identify, SMART, firmware download/activate, sanitize,\n  vendor-specific commands\n- **USB Bridge Detection:** Identify USB-SATA bridge chips from INQUIRY\n  strings and VID/PID\n- **Data Recovery:** Read retry escalation, bad sector handling,\n  defective sector pattern generation\n- **HPA/DCO:** Host Protected Area and Device Configuration Overlay\n  detection and command building\n- **NVMe Side-Channel:** Timing analysis, contention detection, covert\n  channel modelling\n- **eNVMe:** DMA attack descriptor building, platform compatibility,\n  kernel module injection modelling\n- **NVMe-oF:** CVE-2023-5178 double-free PoC, PDU parsing, kernel\n  vulnerability checking\n- **Firmware Identity Spoof Detection:** Xbox 360 / HDDHackr-style firmware-level\n  identity manipulation (Read et al., 2013) — security sector detection, IDENTIFY\n  string analysis, SMART serial cross-check, capacity plausibility\n- **Firmware Exploitation:** DOWNLOAD-MICROCODE offset overflow,\n  ASM2362 XRAM injection, Service Area hide/extract\n- **Patch Templates:** NOP sleds, data traps, exfiltration hooks,\n  SMART log redirect\n- **32 CLI Commands:** All features accessible from the command line\n\n## Installation\n\n```bash\n# Basic install (no optional deps)\npip install hdd-firmware-toolkit\n\n# With all optional dependencies\npip install \"hdd-firmware-toolkit[all]\"\n\n# Optional dependency groups\npip install \"hdd-firmware-toolkit[serial]\"   # pyserial (SAFE mode UART)\npip install \"hdd-firmware-toolkit[asm]\"      # keystone-engine (Thumb-2 assembly)\npip install \"hdd-firmware-toolkit[disasm]\"   # capstone (disassembly)\npip install \"hdd-firmware-toolkit[yaml]\"     # PyYAML (hot-patch config)\n```\n\n## Quick Start\n\n```bash\n# Parse a WD firmware image\nhdd-firmware-toolkit parse-firmware firmware.bin --format wd\n\n# Decode Samsung nibble-swap obfuscation\nhdd-firmware-toolkit decode-samsung firmware.bin -o decoded.bin\n\n# Scan for ASCII strings\nhdd-firmware-toolkit scan-strings firmware.bin\n\n# Check NVMe-oF kernel vulnerability\nhdd-firmware-toolkit nvmeof-check-kernel --kernel 6.7\n```\n\n## CLI Commands\n\n| Command | Description |\n|---------|-------------|\n| `parse-firmware` | Parse \u0026 extract firmware sections |\n| `decode-samsung` | Remove Samsung nibble-swap obfuscation |\n| `scan-strings` | Find ASCII strings in firmware |\n| `scan-fptables` | Heuristic ARM function-pointer table scan |\n| `diff` | Byte-level diff two firmware images |\n| `list-vscs` | Request VSC list from WD drive |\n| `read-ram` | Read drive RAM via WD VSC |\n| `write-ram` | Write file to drive RAM via WD VSC |\n| `hot-patch` | Deploy delay hook to live drive RAM |\n| `benchmark` | Timed read benchmark |\n| `dump-overlay` | Dump a WD service-area overlay module |\n| `dump-all-overlays` | Dump all overlay modules to directory |\n| `jtag-shell` | Interactive OpenOCD shell |\n| `jtag-dump` | Dump memory via JTAG |\n| `jtag-bp` | Set hardware breakpoint via JTAG |\n| `jtag-regs` | Read CPU registers via JTAG |\n| `samsung-memory-map` | Print MEX memory map |\n| `samsung-fw-history` | Print FW version history |\n| `samsung-gpio` | Read GPIO status via JTAG |\n| `samsung-ncq` | Dump NCQ buffers via JTAG |\n| `samsung-aes-info` | Read AES-XTS key slots via JTAG |\n| `samsung-dma-dump` | RAM to SATA via DMA |\n| `samsung-ftl-preload` | Pre-load FTL map |\n| `samsung-safe-shell` | Interactive SAFE-mode UART shell |\n| `samsung-safe-read` | Read via SAFE-mode UART |\n| `samsung-safe-write` | Write via SAFE-mode UART |\n| `parse-seagate` | Parse Seagate .lod firmware |\n| `sa-probe` | Probe Service Area size |\n| `sa-dump` | Full Service Area dump |\n| `sa-hide` | Hide data in SA module |\n| `sa-extract` | Extract hidden data from SA module |\n| `fwexploit-send` | Inject firmware via offset overflow |\n| `fwexploit-activate` | Activate injected firmware |\n| `nvme-bridge-sanitize` | Inject Sanitize via ASM2362 XRAM |\n| `patch-template` | Generate pre-built patch shellcode |\n| `toshiba-parse` | Parse Toshiba firmware image |\n| `toshiba-nand` | Show Toshiba NAND configuration |\n| `sat-cdb` | Build SCSI-ATA Translation CDB |\n| `patcher-apply` | Apply patches and fix checksums |\n| `patcher-fix` | Auto-fix firmware checksums |\n| `ata-sec-status` | Check ATA security status |\n| `nvme-identify` | NVMe Identify Controller |\n| `nvme-smart` | NVMe SMART / Health log |\n| `nvme-fw-download` | NVMe firmware download |\n| `nvme-fw-activate` | NVMe firmware activate |\n| `nvme-vendor` | NVMe vendor-specific command |\n| `usb-identify` | Identify USB-SATA bridge chip |\n| `usb-list` | List known USB-SATA bridge chips |\n| `dr-smart` | SMART quick test (data recovery) |\n| `dr-identify` | Identify device parameters |\n| `dr-native-max` | Read Native Max Address |\n| `dr-pattern` | Generate defective sector pattern |\n| `hpa-detect` | Detect HPA from IDENTIFY data |\n| `hpa-build-cmd` | Build HPA/DCO ATA command |\n| `hpa-parse-dco` | Parse DCO feature set descriptor |\n| `nvme-timing-baseline` | NVMe read latency baseline |\n| `nvme-timing-detect` | Detect NVMe timing contention |\n| `nvme-timing-gc` | Analyze NVMe GC events |\n| `envme-dma` | Build eNVMe DMA attack descriptor |\n| `envme-scan` | Model host memory scan |\n| `envme-compat` | Check eNVMe compatibility |\n| `nvmeof-check-kernel` | Check CVE-2023-5178 vulnerability |\n| `nvmeof-build-icreq` | Build NVMe-oF TCP ICReq PDU |\n| `nvmeof-poc` | Generate double-free PoC PDU |\n| `fw-identity-check` | Detect Xbox 360 / HDDHackr firmware identity spoofing |\n| `fwdetect-timing` | Detect FW via timing analysis |\n| `fwdetect-verify` | Verify firmware checksums |\n| `fwdetect-report` | Comprehensive integrity report |\n\n## Requirements\n\n- **Python** \u003e= 3.11\n- **Optional:** pyserial, keystone-engine, capstone, PyYAML\n\n### Platform-Specific\n\n- **Linux:** ATA passthrough via sg_io requires root + `/dev/sdX` or `/dev/sgX`\n- **Windows:** ATA passthrough requires Administrator privileges\n\n## Development\n\n```bash\npip install -e \".[all]\"\npre-commit install\npytest\nruff check src/\n```\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdaedalus%2Fhdd-toolkit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdaedalus%2Fhdd-toolkit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdaedalus%2Fhdd-toolkit/lists"}