Hidden Protected Area
General information about the HPA
As opposed to Recovery Partitions, Protected Service Areas (PSAs) such as the HPA are (let's say) images of partitions written to the end of a harddisk. They are only accessible through their BEER. The general idea is that, under control of the BIOS, the PSAs are totally hidden from all ordinary software, including malware (viruses, trojans, spyware). They are only accessible when permitted by the BIOS, and even then only through special HPA-aware tools. Under GNU/Linux they are only accessible with low level tools like dd.
The HPA is based on Phoenix FirstWare. FirstWare is (in short) an implementation of two technologies: BEER and PARTIES. (Yes, those names are correct!) BEER (Boot Engineering Extension Record) and PARTIES (Protected Area Run Time Interface Extension Services) are described in this T13 working draft. There is a more general introduction to PARTIES on the IBM site. FirstWare depends on certain ATA-5 commands, so it won't work with lower ATA level (earlier) drives or even with all ATA-5 drives. Unfortunately, there is no public HPA compatibility tester or list of compatible drives.
Basically, what's going on is that the Phoenix BIOS commands the drive to hide the last few gigabytes of the hard disk (the HPA). The to non-HPA aware software, the drive appears to have a smaller size. Note that this is just a setting in the BIOS and can be disabled. The HPA can be accessed by pressingor at boot time. The BIOS will then parse the BEER (128 bytes, situated in the last sector of 512 bytes of the harddisk) and the "Directory of Services" (consisting of directory entries of 64 bytes each, starting in the last sector and spilling over into the previous sectors) to see what part of the HPA should be launched. In (most?) ThinkPads the BEER tells the BIOS to launch the Access IBM Predesktop Area. The system will then actually be booting into a (minimal) DOS environment which is able to launch a graphical shell (called Phoenix FirstSight). IBM has simply rebranded this graphical shell to the Access IBM Predesktop Area. From this graphical shell one can launch several tools (BIOS Setup Utility, diagnostic tools, recovery tools).
Three BIOS options
The BIOS has three settings for the "IBM Predesktop Area" (in the Security category):
- Secure: No user or SW-initiated changes; Contents hidden from OS
- Normal: Change allowed; Contents hidden from OS
- Disabled: Not Usable; Visible and Reclaimable
Normal is the default setting. One can boot into the Predesktop Area when either Secure or Normal is set. When Disabled is set the Predesktop Area will not boot. According to the Predesktop Area white paper the HPA is both "locked"1 and "hidden" when Secure is set and only "hidden" when normal is set. In practice the result seems to be that the HPA is totally unavailable to the Linux kernel (and therefore all applications) when Secure is set. (The HPA should be unavailable in "Secure mode" for all operating systems, MS Windows included.) One would expect the HPA to be only accessable to HPA aware tools when Normal is set. However, recent kernels disable the HPA by default when Normal is set. Note that recent threads on linux-ide suggest that the ThinkPad will reenable the HPA on resume and thus causing (possibly serious) conflicts with the GNU/Linux system (that assumes the HPA is still available).
With Disabled you should be able to safely reclaim the area used by the HPA (to GNU/Linux it basically is unallocated space on the harddisk).
Details of the HPA
Fabrice Bellet describes a technique he used to explore the HPA of his ThinkPad T40, using GNU/Linux tools. This technique is only for the more curious or more careless people. It uses "dd" to copy the sectors on the harddisk containing the HPA from "/dev/hda" to a new file: when using "dd" on "/dev/hda" you are only one small typo away from an unrecoverable disaster!
Here follows a more detailed description of the HPA on a ThinkPad T41 (60 GB harddisk) to contrast his findings.
On this ThinkPad T41 the HPA is 3,4 GB in size. It contains 8 consecutive PSAs (Protected Service Areas). Six of those start with an x86 boot sector.
- The first PSA is 3,2 GB in size. The OEM-ID of the boot sector is: "IBM 7.1". It seems to hold a copy of the preloaded OS and everything needed to generate a bootable DVD-ROM for it, even an El Torito boot image and a boot catalog: see Backing up the preloaded OS.
- The second PSA is exactly 2 MB in size. According to its entry in the Directory of Service it's the "BIOSWORKAREA".
- The third PSA is only 7,4 MB in size. The OEM-ID of the boot sector is: "MSWIN4.1". It seems to be an image of a 1,44 MB bootable floppy disk (with MS DOS) and a directory containig 6 MB of FirstWare tools. It will be launched by the "Recover to factory contents" tool of the Predesktop Area. Those "factory contents" should be the data on the first PSA.
- The fourth PSA is only 1,4 MB in size. The OEM-ID of the boot sector is: "IBM 7.1". It too seems to be an image of a (sort of) 1,44 MB bootable floppy disk. It will be launched by the "Restore your backups" tool of the Predesktop Area.
- The fifth PSA is again 7,4 MB in size. The OEM-ID of the boot sector is: "IBM 7.0". It will be launched by the "Run diagnostics" tool of the Predesktop Area.
- The sixth PSA is also 7,4 MB in size and the OEM-ID of the boot sector also is: "IBM 7.0". It will be launched by the "Create diagnostic disks" tool of the Predesktop Area. It contains a copy of a (sort of) bootable 1,44 MB floppy disk, some tools and compressed copies of the diagnostic disks.
- The seventh PSA is only 1,4 MB in size. The OEM-ID of the boot sector is "PHOENIX". It seems to be a copy of a (sort of) 1.44 MB bootable floppy disk too and only contains a (minimal) DOS and the FirstSight application. Basically, this is the Access IBM Predesktop Area.
- The eigth PSA is 101 MB in size. It doesn't have a boot sector. It contains the FirstWare Reserved Area. That probably is some sort of swap space for the FirstWare system.
Accessing the HPA from Linux
While Fabrice Bellet's method, described in the previous section, works in many cases, it has some serious flaws. The most important one -- is that each PSA has to be formated (i.e. has to posses a filesystem), and the size this filesystem has to be equal to the size of the PSA. If the HPA has some sort of a swap partition, or the filesystem size is a few megabytes less than the PSA's size, then we will not be able to find any following PSA(s).
A more systematic approach would be just to use the BEER record to find the exact LBA addresses of all PSA(s). The idea is to use the T13 working draft of the BEER specs. There is some serious discussion on this matter going on in Talk:Predesktop_Area, but so far they didn't release any code to the public. As an interim solution, we can use a free open-source clone of the Phoenix utility fwdir. If we first disable the "IBM Predesktop Area" in BIOS (which, essentially, sends appropriate SETMAX command to the harddrive), then the whole harddrive will be accessible from the userspace. Now, if we run fwdir, a typical output of this utility would look like
# ID Name 1st Sector Sectors Sec Icon Flag
0 0000h FirstWare Reserved Area 234231736 204800 0 00h 03h 1 0001h CONSOLE 234170510 61226 0 FCh 01h 2 0140h Recover Pro 234088523 81987 0 00h 01h 3 0104h Factory Restore 234085638 2885 0 03h 03h 4 0120h RADA Data 234020102 65536 0 00h 02h 5 0108h Factory Data 230026502 3993600 0 00h 02h 6 0141h Recover Pro Records 229616902 409600 0 00h 02h
Once we know all the LBA addresses of the first sectors of all PSA(s) and their sizes, we can extract any particular PSA. E.g. the "Factory Data" PSA in this example can be extracted with
dd if=/dev/hda of=/tmp/FacDat.img skip=230026502 count=3993600
But if we are only interested in the contents of this PSA partition, there is no need to extract it to a file and later mount it through a loop-device. It can be done right away with
mount /dev/hda /mnt/fwdata -t vfat -o ro,offset=`expr 512 "*" 230026502`
Of course, there is no way to know in advance which particular filesystem each PSA has (if any). This still has to be found by trial and error (because "mount -t auto" does not always work). In the above example, the "CONSOLE" PSA is formated in ext2.
How to reclaim the HPA
After disabling the "IBM Predesktop Area" (with the BIOS option "Disabled", see above) it's possible to reclaim the area used by the HPA. Then one can include that area in a partition with standard tools (i.e. fdisk, mkfs) as it will be treated just as regular free space of the hard disk.
It might be possible to use the FirstWare tools included in the HPA to make the HPA more useful for GNU/Linux purposes. For instance, the copy of the preloaded OS could be replaced with an emergency backup of your GNU/Linux distribution. Maybe the Predesktop area could be even used to boot into a GNU/Linux rescue system. Whether the Phoenix proprietary tools really allow alternative uses and whether those tools do not make it too hard to accomplish those cannot yet be said. It seems realistic to assume that the benefits of those alternative uses aren't worth the effort to accomplish them. Still, it might be fun (altough possibly hazardous to your system) to try ...
Problems caused by the HPA
As of Linux 2.6.18, having a HPA may cause errors when resuming the laptop from suspend-to-RAM or suspend-to-disk. See the section called "SectorIdNotFound disk errors when laptop is resumed" in ACPI suspend problems.
- Predesktop Area white paper
- Predesktop Aministrator Utility (DOS)
- Protected Area Run Time Interface Extension Services (PARTIES) ANSI INCITS 346-2001 ($30)
- The latest free draft of ANSI INCITS 346-2001 (BEER specs)
- Phoenix FirstWare White Paper
- Section 11 of the Large Disk HOWTO (Clipped disks)
Models featuring this Technology
- ThinkPad R40, R40e, R50, R50e, R50p, R51, R52
- ThinkPad T40, T40p, T41, T41p, T42, T42p, T43, T43p
- ThinkPad X31, X32, X40, X41, X41 Tablet
- ThinkPad Z61m
- Presumably by having the BIOS use the SET MAX security extension. The BIOS seems to set a password for the HPA at boot (using the SETMAX-SET PASSWORD command) and after that use that password to issue a SETMAX-LOCK command. Since the password is unknown (and most likely changes at every Secure boot) the HPA is inaccessable to all programs running on the ThinkPad.
Something similar would be possible running in Normal mode. Then a program could issue the SETMAX-SET PASSWORD command. At the moment there's no program running under GNU/Linux capable of doing that. Of course this is possibly less secure: it's (theoretically) possible that other (rogue) programs get hold of that password.