Talk:Predesktop Area

From ThinkWiki
Jump to: navigation, search

Use the HPA for GNU/Linux?

More interesting than removing the HPA (which includes a.o. Acces IBM Predesktop Area, some other tools and a backup of the pre-installed OS) would be to use this area for GNU/Linux too. At least, removing the HPA only saves 3,5 GB on my 60 GB hard disk. It would be worth a try to see whether the backup of the pre-installed OS on the largest PSA could be replaced by a backup of your favourite GNU/Linux distribution.

Elaborating on my ideas a few days later, I'd guess the following could be tried:

  • see whether GRUB can be made to boot the Access IBM Predekstop Area (I guess by "chainloading" the bootsector of its PSA). Right now GRUB refuses to load sectors outside the partioned area. I've got absolutely no idea if it's possible to write a hack to overcome that restriction. Need to contact the GRUB people about that ...
  • write some userspace tools for the HPA/the SPAs (things like: dumpbeer, printDoS).

It should be clear these are basically random ideas. Still feedback would be appreciated ...


interesting ideas, but i'd only see a point in it if one could keep Win and Linux rescue stuff in the HPA. That means it would need to be expandable or fit the stuff for both systems. Wyrfel 20:03, 15 Mar 2005 (CET)


Short answer: that should be possible.

Long answer: I see little in the specs (as I understand them now) to stop one from adding (say) an extra 3 GB GNU/Linux-rescue PSA or something like that. We might try to do that first by changing the BEER and DoS manually. (Not sure whether Phoenix added some proprietary stuff to keep you from booting it. The PSA should always be accesable with the proper BIOS setting.) It might be mandatory to put it on a FAT filesystem. The hard part probably is to have it show up in the Access IBM Predesktop Area. (My guess is you need to regenerate the FirstSight "graphical shell". If that's correct we probably only can use the FirstWare tools "hidden" on their little PSA. That's no fun. Well it might a little fun if we try FreeDOS).

Paul Bolle (not logged in)

Update: a trivial patch to grub allows it to also work outside the partioned area:

--- /var/tmp/rpm/BUILD/grub-0.95/stage2/disk_io.c.oud   2004-05-23 18:35:24.000000000 +0200
+++ /var/tmp/rpm/BUILD/grub-0.95/stage2/disk_io.c       2005-03-18 22:38:30.050907408 +0100
@@ -297,8 +297,8 @@
    *  Check partition boundaries
   if (sector < 0
-      || ((sector + ((byte_offset + byte_len - 1) >> SECTOR_BITS))
-         >= part_length))
+      /*|| ((sector + ((byte_offset + byte_len - 1) >> SECTOR_BITS))
+         >= part_length)*/)
       errnum = ERR_OUTSIDE_PART;
       return 0;

I made a grub CD with a grub patched with the above. Now I can "cat" the bootsector of the Predesktop Area from the grub shell (when booting of that grub CD). But I haven't yet managed to boot the Predesktop Area (dangerous stuff!) To be continued ...

Paul Bolle Fri Mar 18 22:42:43 CET 2005

Update: a quick test with the current development version of grub2 (grub-1.93) showed that grub2 can chainload a block outside the partitioned area "out of the box". That's nice. I still haven't been able to get passed the error messages generated by the boot sectors of the bootable PSAs. My guess is the BIOS provides those boot sectors with some (special) settings that grub doesn't use ...

Paul Bolle 00:40, 5 April 2006 (CEST)

GRUB cannot be expected to (chain)load the Predesktop Area. When showing the Predesktop Area the BIOS runs in a special mode (more specifically: using some very specific interrupts, behaving differently under normal circumstances). So this seems to be not something to merit further investigation.

Paul Bolle 19:01, 11 June 2006 (CEST)

Hey there - I hope to be welcome here to since I've no ThinkPad but an Samsung X20 notebook. This notebook uses also the HPA for some kind of a predesktop area - a linux based multimedia system called "AVStation Now" which is hidden there. I used dd to dump the hpa and read the BEER table to find out what is hidden inside.

What I found out:

  • the first partition (ext3) contains the rootfilesystem (funny, cause they use libdvdcss for dvd playback)
  • the second partition (ext3) contained a /boot partition with a special kernel with the possibility to mount this partition (seems they use a special liloversion for booting)
  • the third partition (fat?) - some html files - the firstware menu
  • and at last a fourth partition i was unable to mount

A dump of my BEER ;-)

Does someone know weather it would be possible mounting souch an hpapartition without using dd - maybe kernelsupport for the BEER? - since im nither a C nor a kernelhacker im unable to continue, but there must be some kind of support cause this multimediasystem knows howto handle it.

If you need some more information you could send me an email to

Christoph Müller

I've been playing around with the predesktop area tonight. I was simply trying to just leave the diagnostics stuff and remove the windows part. I wrote some programs to read/write the BEER data and stuff, but I wasn't able to get the system to boot it, it kept erroring "Authentication of System Services failed" (or something along those lines). I will play around with this some more later

Tim Nordell

A quick look with a hexeditor gave me two instances of "Application authentication has failed!" in the FirstSight application. Does that sound familair?

Paul Bolle Fri Apr 1 19:35:30 CEST 2005

Actually it wasn't that. I did a search of that too, the message itself was not in the predesktop area at all. What also is interesting is the fw*.exe utilities for manipulating the predesktop area, contains the string "MD5" which makes me wonder if there is an md5 hash of each "predesktop" partition. I know on the IBM whitepaper it states there being a signature so that non-signed applications can not be run. Could a simple "md5" be the signature?

Tim Nordell 12:01, 3 Apr 2005 (CEST)

  • What is it that you were trying to do (what did trigger the error you saw)?
  • About ten of the fw*.exe utilities contain the phrase "MD5 Checksums do not match". So they could very well be using MD5 sums for some sort of validation. But they could use the MD5 sums in a lot of ways actually, so I won't yet speculate ...

Paul Bolle Sun Apr 3 15:11:10 CEST 2005

OK, roughly two years later I finally found the courage to really mess with the BEER in my T41. Copied the BEER and the few related sections at the end of /dev/hda (using dd), analyzed those (I have some unreleased code to parse the BEER and the DOS stuff) _hand edited_ the BEER to "remove" the OS backup data, checked again, and copied the new BEER etc. to /dev/hda (using dd again, extremely tricky!). That worked like a charm: my new HPA is now about 3G smaller. No complaints whatsoever (even when booting my T41 is "secure" mode).

So, I can't really reproduce Tims problems.

Paul Bolle 01:24, 4 January 2007 (CET)

Predesktop Area

I made a program that takes the BEER record at the end, parses it out to a ".cfg" file, lets you modify it, recalibrate the start spots for the records, and write it out to disk again. It doesn't directly access hda, 'cept for reading the original beer record. It makes a script file to go with the files you have, to read in the HPA data, and to write it out again with the new record.

Anyways, I tried simply removing the last record from the BEER, which is the windows recovery partition. It didn't like that.

Did you update the two's complement checksum at the end of the BEER?

Paul Bolle

Yep, I updated that. If I don't update that, it doesn't even say that failed message. I also made a seperate program to update the checksum so you can also modify the beer record by hand with a hex editor and have valid checksums.

Linux kernel support

research and add to article
  • Add a section on dmesg and hdparm -I output:
       Enabled Supported:
          *    Host Protected Area feature set
               SET MAX security extension
               Address Offset Reserved Area Boot
  • Recent (2.6.10 and up?) kernels disable HPAs automatically (in drivers/ide/ide-disk.c). Dmesg example:
hda: Host Protected Area detected.
       current capacity is 110194034 sectors (56419 MB)
        native  capacity is 117210240 sectors (60011 MB)
hda: Host Protected Area disabled.

This should be (further researched and) added to this section (maybe with some pointers to the unexpected consequences of this new approach ...)

Paul Bolle 22:06, 6 Sep 2005 (CEST)

In 2.6.11, I was able to re-enable HPA by commenting out the section in drivers/ide/ide-disk.c under the comment "Some maxtor support LBA48 but not accept LBA48 set max...". I suppose that wouldn't be a good idea with a Maxtor drive but it worked fine for my R50.

--Robert Kilian 21:13, 22 March 2006 (CET)


In the PSA used by the Predesktop Area I found a "hidden" executable: SRCMOS24.EXE (it is not mentioned in the FAT). This executable can capture and update CMOS data. It might only be used by the FirstSight program to display (part of) the BIOS info. It might be nice to see what it can do and if similar things are possible under GNU/Linux.

Paul Bolle 22:01, 7 Sep 2005 (CEST)

Newer thinkpads don't use Phoenix Firstware?

On my T42 that arrived yesterday, the predesktop area looks a lot like MS Windows. The widget set, the fonts, even the boot sequence looks exactly like Windows 2000. Debian-installer indentified it as "Microsoft Windows NT/2000/XP", while it identified my XP partition as "Microsoft Windows XP Professional"

Has Lenovo/IBM changed their system, or is this Phoenix stuff really just Windows?

-- Evan.Heidtmann


Could it be that you're talking about the preinstalled version of Windows here? As far as I know (using information to be found on the internet, not personal research) the preinstalled OS will reformat its partition from FAT32 to NTFS at first boot. That could explain the difference in the identification by the Debian installer (which I never really used).

Moreover the Predesktop Area is part of the HPA and the HPA is not an partition. It seems unlikely that the Debain installer notices the HPA. As far as I know there are at present no GNU/Linux tools with a (useful) support of HPAs.

Paul Bolle 15:43, 4 Aug 2005 (CEST)

My T42P (model 2373HSG) is using a cut-down version of Windows XP as the pre-desktop area. I'm not sure whether it's a special IBM thing or just a Windows PE (preinstallation environment) setup. It includes Java and Python, which are used by some of the IBM tools, and the Opera web browser.

It's no longer an HPA but a 487MB hidden FAT32 called IBM_SERVICE located at the end of the disk.


Rescue and Recovery via grub?

Did anyone get the Rescue and Recovery partition to boot via grub on recent models? On a T43 with

rootnoverify (hd0,1)
chainloader +1

the Rescue and Recovery partition starts booting nicely and then, a few seconds in the R&R loading sequence, chokes with a

STOP: c000021a {Fatal System Error}
The Session Manager Initialization system process terminated unexpectedly with a status of 0xc000003a (0x00000000 0x00000000).
The system has been shut down. 

The problem started right after installing grub into the MBR (I couldn't get the preinstalled MBR to boot grub from an active primary partition). It seems oblivious to the Predesktop BIOS setting.

The same problem has been reported by others with other models (for example here for a T42).

Thinker 11:35, 30 Sep 2005 (CEST)

Your "Rescue and Recovery partition" seems not to be a HPA (which isn't a partition). Maybe we should open a new page for that system.

Paul Bolle 21:54, 30 Sep 2005 (CEST)

It may very well not be an HPA , but the BIOS stil calls it a "Predesktop Area". Anyway, the partition is actually a VFAT partition (even though it has type 0x12, "Compaq Diagnostics"). It seems to boot into PC-DOS (using NTDETECT.EXE so it looks like Windows startup) and then its AUTOEXEC.BAT runs a fancy GUI. --Thinker 23:31, 30 Sep 2005 (CEST)

Right, there has been a lot of confusion about this, we should have a separate page. Introduced an edit link (called Rescue and Recovery) on the ThinkPad Technologies page for that purpose.

Suggestions for projects

I'd guess it would be rather nice to have GNU/Linux tools (like sfdisk and parted) HPA aware. The most urgent change would be to have those programs at least recognize and respect a HPA (e.g.: do not write in or otherwise use the HPA area; unless the user gives a --force option or something similar).

As for now, I realize I caused this error: ENOPATCH.

Paul Bolle 22:56, 5 Nov 2005 (CET)

Keeping functionality of the blue AccessIBM button

Somebody figured out to keep the AccessIBM functionality when installing Linux, quite easy fix. How come nobody thought about it before? :) (link got from Installing_Ubuntu_5.04_on_a_ThinkPad_T43_(1875) here)

--Micampe 17:39, 9 Dec 2005 (CET)

The relevant part of that page:

Set the IBM Predesktop Area (in the BIOS) to “Secure”. Boot using the SUSE DVD. Shrink the Windows partition as required. Follow the instructions and go through the regular installation process. Create a primary partition for /boot (the other stuff can go into the extended partitions) and when the time comes to install GRUB (you do prefer GRUB to LILO, don’t you?), make sure you install it into the boot sector of the boot partition. Set this partition as active. Leave the MBR alone.

That's the first thing I tried on my T43. Didn't work: setting the active partition to /boot had no effect, it was still booting the first (Windows) partition. So I had to install Grub into MBR, thereby killing R&R. Anyway, there's another solution in the article page (didn't try it since I saw it only after purging my R&R partition).

--Thinker 19:18, 9 Dec 2005 (CET)

Parsing the HPA information (BEER/DOS)

I too have been writing a program to parse the BEER and DOS info. Sample output:

beer.signature: 0xBEEF
beer.size: 128
beer.flags: 41
Read Only:
Generated Record:
Use Reserved Area Boot Code Address: yes
Configuration Time Stamp is valid:
Device Supports LBA: yes
Directory of Services is Present
Formatted Geometry Valid
Reported Geometry Valid yes
beer.reported_cylinders: 16383
beer.reported_heads: 16
beer.reported_sectors: 63
beer.reported_bytes_sector: 512
beer.reported_sectors_device: 117210240
beer.formatted_cylinders: 16383
beer.formatted_heads: 16
beer.formatted_sectors: 63
beer.formatted_bytes_sector: 512
beer.formatted_sectors_device: 117210240
year: 2004
day: 313
beer.timestamp: 1426063684
beer.device_index: 0x80
beer.hpa_start: 110194034
beer.boot_code_address: 117002545
beer.num_entries: 8
beer.dir_length: 64
beer.revision: 0
dev_name: HTS726060M9AT00
beer.checksum: -26982
dos[0].flags: 3
Service area is available as B:
Diagnostic Service:
Service Area is Read Only:
This Boot:
Empty Service Area:
Hidden Service Area: yes
Service Area is bootable as A: yes
dos[0].service_area_start: 117005431
dos[0].service_area_size: 204800
dos[0].load_sectors: 1
dos[0].load_address: 0x7:C000
dos[0].service_area_id: 0
dos[0] id_str: FirstWare Reserved Area
dos[0].checksum: -22271

Very rough code. Send me an e-mail (at the address found at my user page) if you want a (GPL'd) copy, but only if you're willing to test and improve the code.

Paul Bolle 01:15, 24 January 2006 (CET)

SET MAX Security Extensions

I've hacked Andries Brouwer's setmax tool (see: Google) to support the SET MAX security extensions (SET MAX SET PASSWORD, SET MAX LOCK, SET MAX UNLOCK, SET MAX FREEZE). Very rough code once again. Mail me if you're willing to brick your HDD.

A few random observations:

- secure mode: the Phoenix BIOS probably sets a SET MAX password in the HDD, does a non-volatile SET MAX and LOCKs (or FREEZEs) the HDD.

- normal mode: the Phoenix BIOS might set a SET MAX password in the HDD, does a (volatile?) SET MAX but does not LOCK the HDD. The HDD will accept another SET MAX, a new SET MAX SET PASSWORD, etc.

- normal mode: Linux 2.6.x disables the HPA in normal mode (by doing a volatile SET MAX to maximum native address). After a suspend the HDD reenables the HPA (by returning to the latest non-volatile value of SET MAX). It thus treats the suspend cycle as a power cycle (it also discards a SET MAX password, unlocks or unfreezes the HPA etc). I'm not sure whether that is a correct implementation of the ATA spec. (The HDD doesn't do this in secure mode. I would like to know how the Phoenix BIOS and/or Hitachi HDD people have managed this.)

This can lead to some problems if a partition ends within the limits of the HPA (which is then actually (partly) overwritten by that partition). Maybe the best solution would be to have the kernel do a non-volatile SET MAX to the native maximum address. Then a resume from suspend will in effect not reenable the HPA.

Paul Bolle 01:40, 20 February 2006 (CET)


I've written a (read only) FUSE for the hpa: hpafs. Current release is hpafs-0.1.0 (24 February 2007, alpha, developers only). It can be found at .

hpafs will only work if the Predesktop Area is disabled (but that is more or less obvious). It basically turns each PSA into a file:

$ sudo hpafs /dev/hda /mnt/hpa -o allow_other
$ ll /mnt/hpa/
total 0
-r--r--r-- 1 root root 2097152 Jan 1 1970 BIOSWORKAREA
-r--r--r-- 1 root root 7710720 Jan 1 1970 Create Diagnostic Diskettes
-r--r--r-- 1 root root 104857600 Jan 1 1970 FirstWare Reserved Area
-r--r--r-- 1 root root 7710720 Jan 1 1970 Rec Boot
-r--r--r-- 1 root root 3459252224 Jan 1 1970 Rec Data
-r--r--r-- 1 root root 1476096 Jan 1 1970 Restore from backup
-r--r--r-- 1 root root 7710720 Jan 1 1970 Run Diagnostics
-r--r--r-- 1 root root 1477632 Jan 1 1970 SIGHT

This FUSE file can easily be copied with basic GNU tools (cat, dd, etc). Even more fun is to loop mount such a FUSE file (if the corresponding PSA is a bootable image). Then the PSA is a (read only) part of your mounted filesystems. So now you do not need to use dd on /dev/hda to copy the Predesktop Area: you can just mount it!

$ sudo mount -o loop,ro,users /mnt/hpa/Rec\ Data /mnt/tmp
$ ll /mnt/tmp/
total 1454
-rwxr-xr-x 1 root root 64 Sep 27 2002 bootcat.bin
-rwxr-xr-x 1 root root 1474560 Oct 3 2002 bootimg.bin
drwxr-xr-x 2 root root 2048 Mar 13 2004 country
drwxr-xr-x 2 root root 2048 Mar 13 2004 ibmwork
drwxr-xr-x 3 root root 8192 Mar 13 2004 recovery

Check the README for further information.

Paul Bolle 14:12, 24 February 2007 (CET)

Contradiction? HPAs or no?

The article states "The Hidden Protected Area was introduced with the R40, T40 and X30 series of ThinkPads. Current ThinkPads do not have Hidden Protected Areas." If current ThinkPads don't have HPA, what does "current" mean? If they don't have HPA, then what do they have? I'm considering a T61 for personal use and would like to be sure I can re-install the delivered config in case of HD crash, etc.

--Rcrowley 18:44, 17 August 2007 (UTC)Richard Crowley 11:34, 17-Aug- 2007 (PDT)