Ring ATA passwords

templates/pages/sega/software/security/index.html

@@ -32,6 +32,8 @@
 <p>This can be bypassed either by extracting the password used, or by first powering on the Ring* system with the drive
     connected, then hotplugging the SATA data cable on the drive while keeping the drive powered.</p>
 
+{% markdown %}{% include relative("~ata.md") %}{% endmarkdown %}
+
 <details>
     <summary>Why does this work?</summary>
     <p>The following is the sequence of possible security modes for an ATA drive:</p>

templates/pages/sega/software/security/~ata.md

@@ -0,0 +1,30 @@
+The ATA key is derived in the BIOS during boot, based on the 40-byte model number of the drive provided by the ATA identify device data command (0xEC). The 32-byte password is then calculated based on the following algorithm. This algorithm is consistent between RingWide, RingEdge and RingEdge2 (thanks to Darksoft for some info here). Happy unlocking!
+
+```py
+CHARSET = bytearray(b'/-AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz0123456789')
+
+def charset_index(x: int) -> int:
+    if x in CHARSET:
+        return CHARSET.index(x)
+    return 0x55
+
+def prepare_password(model: bytes) -> bytes:
+    assert len(model) == 40
+    password = bytearray(32)
+
+    for i in range(32):
+        a = charset_index(model[i])
+        b = charset_index(model[39 - i])
+
+        if i % 2 == 0:
+            password[i] = (((i ^ a) & 0x1f) << 3) ^ ((b & 0x2e) >> 1)
+        else:
+            password[i] = (((i ^ b) & 0x3b) << 2) ^ ((a & 0x66) >> 1)
+
+    return password
+```
+
+Some common disks:
+
+- `GBDriver RS2`: `7242525aba526a5aea726278ca42da4a2a223a2a0a221a2a6a027a0a5cce4a0a`
+- `GBDriver RS3`: `7242525aba526a5aea726278ca42da4a2a223a2a0a221a2a6a027a0a5cce4a0a`