Jules Richardson wrote:
indeed - I'm just curious about IBM's
statement that it would need
replacing with another drive, as though the machine somehow 'breaks' the
old drive (implying it won't even work in a different machine, or can't
just be reformatted and restored from backups).
The drive CAN be used in another system. The catch is, the system in question
needs to support an oft-unimplemented part of the ATA specification.
Basically, most modern ATA (and SATA too, if memory serves) hard drives
support a few additional commands related to password-based security. These
have been part of the ATA standard since ATA-ATAPI 3:
- Set Password
- Unlock
- Erase Prepare
- Erase Unit
- Freeze Lock
- Disable Password
The spec calls for two 32-character passwords (the User and Master passwords)
and two security levels (High and Maximum). In High security mode, either the
User or Master password will unlock the device. In Maximum security mode, only
the User password will unlock the device. Generally speaking, the Master
password is set by the disk manufacturer at the factory, the user password
isn't set, and the lock is disabled. Both the Master and User passwords can be
changed at-will with the Set Password command.
Freeze Lock is intended to stop someone maliciously setting a password on an
unlocked drive. The system BIOS/bootloader/whatever is *supposed* to detect
drives that support ATA Security on boot, and send a Freeze command to them.
Most PC BIOSes.... don't do this. Big surprise.
Disable Password turns the lock mode off. That is to say, once you send it to
the device (assuming the password is correct), it nulls out the User password
and disables lock mode.
There are two ways to unlock the drive:
- Unlock it
- Reformat it
In High security mode, you can unlock or format the drive with the User or
Master password. In Maximum security mode, you need the User password to
unlock, but can reformat the drive with the Master password. If you haven't
got either password, the drive is "as useful, and as entertaining, as a brick."
For bonus points, there's also a "retry counter". The drive counts (or at
least is *supposed* to count) how many times you've sent a password. If it
exceeds a predetermined maximum (and the spec doesn't say what that is) then
you have to power-cycle the drive to try again.
As for the Thinkpad, most models of TP have two passwords -- a Supervisor
password (stored in the EEPROM) and a User password (usually stored in the
CMOS). The catch is, if the CMOS copy of the User password gets hosed, the
machine will lock up and demand the Supervisor password... This applies even
if the User password is disabled -- if a supervisor password is set, you're
going to need it as soon as the CMOS dies.
I don't know if this happens on all Thinkpads, but I've seen it happen on a
few, and this little "quirk" is the one single solitary reason I have both
passwords turned off. In any case, I set them both to passwords I have long
since committed to memory, *then* disabled them...
--
Phil.
classiccmp at philpem.me.uk
http://www.philpem.me.uk/