What are the differences between Host Protected Area (HPA), Device Configuration Overlay (DCO), and service area of a HDD/SSD?
I'm confused about the differences between the Host Protected Area (HPA), Device Configuration Overlay (DCO), and the service area of a HDD or SSD. From what I gather on the wiki pages, disks can have the HPA, DCO, or even both, but it's not clear to me why have both. They seem to serve the same function. And then there's the service area, which I think is the firmware of the drive controller.
What are the differences between the HPA, DCO, and service area?
Solution 1:
A service area is a logical area on the hard-drive (residing on the platters) set aside by hard-drive vendors for internally managing the drive. These areas are outside the hard-drive's Logical Block Address (LBA) space and as such are non-addressable and inaccessible via the standard ATA commands. The service area contains both code and data modules, such as defect management modules, SMART data modules, self-test modules and much more.
Here's an overview of the disk areas:
In order to access the service area, Programmable IO must be used to send commands directly to the hard-drive's IO port. These commands are unique to the hard-drive vendor and are not publicly disclosed, used rather by vendor tools and some sophisticated viruses such as Stuxnet.
Disk Firmware Area (DFA)
In most cases this area is the one that is called service area.
The firmware is composed of a series of modules. Examples are: SECU (Security System Module), P-List, G-List, T-List, SMART Attributes, and U-List (Firmware Zone Translator). See also Bad sector remapping.
A portion of the disk firmware usually resides on the drive, loaded on power up by code located on the controller board of the hard-drive and managing the disk until the disk is shutdown, or sometimes residing in flash memory located on the disk controller chip.
Host Protected Area
The Host Protected Area (HPA) is used for holding diagnostics and other utilities required by the manufacturer such as the boot sector, the exact content depending upon the manufacturer. It may contain information about the user addressable sectors, start of the reserved area, and code for booting.
Device Configuration Overlay
A Device Configuration Overlay (DCO) is similar to the HPA, but is used by manufacturers to configure drive sizes and may exist in addition to the HPA.
Its purpose is to allow the PC manufacturers to purchase one disk and market it as different models of different sizes. It can also be used to enable and disable features on the disk.
References:
- The Impact of Hard Disk Firmware Steganography on Computer Forensics (PDF)
- Hiding Data in Hard-Drive's Service Areas (PDF)
- Hidden Disk Areas: HPA and DCO (PDF)
- Wikipedia Data recovery
- How the NSA's Firmware Hacking Works and Why It's So Unsettling
- How to conceal data on a hard disk and dodge (almost) any forensic examination without using encryption or steganography