How hard disk locking works

We've all seen it on the forums (about 3 times a week or more on X-S): "Hey, my Xbox hard drive is locked and I want to use it in my PC, but I don't have the box any more. How do I unlock the drive?"

Well, the short answer is you don't (there is a way around this, though). For the way around this nagging problem, read on!



The long answer (and the way around the problem) lies in how hard disk locking mechanisms work. Your disk drive consists of two major components: the head disk assembly (HDA) and the logic board. First we are going to cover the physical electronics of a drive before we cover the logic behind the password protection.

In this picture you can see both the logic board and the spindle motor of the hard disk drive. What you cannot see is the connection to the drive heads, as this is on the back side of the logic board.

The chip in the cyan colored box is the flash memory which contains the software for the chip in the green box. This flash memory is not upgradeable and often has a read only bit permanently set.

The green box: This chip interfaces with the IDE bus, the heads in the HDA and the amplifier chip in the red box.

The red box: This chip is an amplifier. It takes the really weak signals from the heads in the HDA and raises them to a high enough level for the chip in the green box.

Yellow box: The last of the major components, this chip controls the speed of the platters in the HDA. Barely visible in the picture are the wide multi-pin leads attaching to the PCB. These leads are used as heat sinks for the H bridge in the chip.

Blue boxes: These are simple power regulators and steering diodes to provide the right amount of power to the components on the board. Many of the components operate at far less than 12 and 5 volts, so these regulators are required so that we don't have ATX-sized power connectors for our drives.

Now on to the tricky part: how the drive locking mechanism works:

Initially the drive is unlocked. It is locked by sending a lock command followed by the key across the IDE bus. The drive then stores the KEY and lock status (locked or not) on the hard disk platter. This is stored in a non-addressable sector on the disk. In other words, the drive cannot be commanded to go to that sector and read the data back to you.

Now we have a locked drive. Assuming the BIOS supports the IDE drive locking standard (not all controllers implement this), you will be prompted for an unlock code. When you input the code, the MB sends an unlock drive command followed by the code. This code is compared to the code on the drive, and if they match, the controller (green box) now allows reads and writes to the rest of the drive (that is the really important part).

Once either of two things happens, the drive is again considered locked and requires the unlock sequence to be run. Either 1: the power is removed from the drive, or 2: the drive is reset. The first of these is obvious but the second may not be. A drive is reset on any of the following conditions: the BIOS scans the drives, the OS sends a LOCK command to the drive, or the OS installs the drivers for the IDE controller.

Of special attention is the part about when the OS sends the LOCK command. When a LOCK command is sent, it is sent in one of two ways: either LOCK with the key already on the disk, or LOCK with the key that follows (just like when the key is set the first time). If you have the proper hardware and electronic equipment, you can take a drive with a known key and unlock it with a BIOS which supports that function. Then, after you have booted to a NON PAGING operating system, you can remove the drive from the controller board, remove power from the spindle motor and attach a new HDA. Mechanical alignment and rapid insertion of the control electronics is not good enough.

YOU WILL DESTROY YOUR DRIVE

I cannot make the above clear enough. Without the right equipment you don't stand a chance of successfully doing this, but hey, if you want to destroy a couple of drives and likely your motherboard as well, be my guest.

Hopefully this clarifies for many of you why you can't simply swap logic boards and have a working drive. I am in the process of acquiring the equipment required to run this procedure on Seagate drives. I will pay $10.00 per locked drive so that I can test this out.

I am no longer buying drives as someone else has found out how to bypass the security on the drives by flashing the firmware. Note that if you do this, your drive will not support locking at all in the future.

-networkBoy
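
The lock behaviour described above (key and lock flag kept on the platter, unlock state kept only in the controller, re-lock on power loss or reset) can be modelled in a few lines. This is an added example, not part of the original post and not real drive firmware; the class names, the sample key and the sector contents are constructed for illustration.

```python
import hmac

class HeadDiskAssembly:
    """Platters: key and lock flag persist here, outside addressable sectors."""
    def __init__(self):
        self.hidden_key = None
        self.lock_enabled = False
        self.sectors = {0: b"user data (constructed)"}

class LogicBoard:
    """Controller: holds only the volatile 'unlocked this session' state."""
    def __init__(self, hda):
        self.hda = hda
        self.reset()

    def reset(self):
        # Power loss or reset: volatile state is rebuilt from the platter.
        self.session_unlocked = not self.hda.lock_enabled

    def lock(self, key):
        # LOCK followed by a key: both are written to the platter, and the
        # post says the LOCK command itself resets the drive.
        self.hda.hidden_key, self.hda.lock_enabled = key, True
        self.reset()

    def unlock(self, key):
        # The supplied key is compared with the one stored on the platter.
        if self.hda.lock_enabled and hmac.compare_digest(key, self.hda.hidden_key):
            self.session_unlocked = True
        return self.session_unlocked

    def can_read(self, lba=0):
        return self.session_unlocked and lba in self.hda.sectors

def demo():
    hda = HeadDiskAssembly()
    board = LogicBoard(hda)
    out = {"fresh_drive": board.can_read()}
    board.lock(b"constructed-key")
    out["after_lock"] = board.can_read()
    out["wrong_key"] = board.unlock(b"guess")
    out["right_key"] = board.unlock(b"constructed-key") and board.can_read()
    board.reset()
    out["after_reset"] = board.can_read()
    donor = LogicBoard(hda)  # different logic board, same locked platters
    out["donor_board"] = donor.can_read()
    out["donor_with_key"] = donor.unlock(b"constructed-key") and donor.can_read()
    return out

if __name__ == "__main__":
    print(demo())
```

The `donor_board` result is the point of the post: because the key and lock flag travel with the platters, a replacement logic board starts out locked and still needs the original key.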