Xbox:Drive Locking

From ConsoleMods Wiki

ATA security allows disk drives to be placed into a "locked" state. This is imposed at the drive firmware level, and while actively locked, a HDD/SSD will simply ignore any I/O requests sent to it. Even a manufacturer-provided low-level formatting tool will be unable to read or alter any of the contents. This feature is supported by most PATA/IDE disks, and probably all SATA disks.

Each disk may be locked with a "user" and/or a "master" level password. So long as the security system is enabled, one or the other of these passwords must be provided each time the drive powers up in order to unlock it and gain access to the storage area. That is to say, powering the disk down automatically secures it until such time as a correct password is provided again.

Entering an incorrect password for a drive multiple times will place it into a "frozen" state, after which it'll ignore further ATA security commands until power cycled. Some PCs automatically freeze their attached HDDs on boot, making it harder for malicious users to impose unwanted locks.

Drive Locks and Xboxes

Microsoft made use of ATA security locks to protect Xbox HDDs from tampering. Each system EEPROM contains a unique HDD key, which is algorithmically combined with the installed drive's serial to generate a user level password for the disk.

On boot, a stock Xbox will first check that its currently installed drive is locked (crashing to error 05 if it's not), and will then attempt to unlock it using the password derived from the visible EEPROM/drive serial combination (crashing to error 06 if the drive turns out to be using an incorrect user level password).

A softmodded console still boots via a stock BIOS before its exploits kick in, meaning that its drive must also be locked correctly in order for it to start without an error 05. Although they can't work around this restriction entirely, certain softmod installers (such as Rocky5's Xbox Softmodding Tool) do offer functions to change an Xbox's HDD key at the EEPROM level, switching it to all 1's (or all 0's, for older versions). If multiple Xboxes happen to have the same key, then any drives that are locked against them can at least be swapped at will.

A hardmodded Xbox (with either a flashed TSOP or an addon modchip) boots from a customised BIOS which usually skips the initial lock check. As with any console, it'll still be unable to boot if a drive with an incorrect user password is installed (error 06: the drive is locked against an incorrect HDD key), but it will accept a disk which has no lock in place at all (bypassing error 05). This freedom makes it significantly easier to upgrade your hard drive to one with a higher capacity, or to recover if your old HDD dies completely.

Master Passwords

Although every Xbox HDD requires a specific and unique user level password (as this password is a mix of the console's own HDD key and the drive's own unique serial), the secondary master level password can be set to most anything. Although Xboxes do not attempt to unlock their disks using master level passwords, they can be handy when working on such drives through a PC.

For some stock consoles with Seagate drives, the master password is "Seagate" followed by 25 spaces:

Seagate                         

For some stock consoles with Western Digital drives, the password is 32 characters of "WDC":

WDCWDCWDCWDCWDCWDCWDCWDCWDCWDCWD

Aftermarket drives installed using such software tools as XboxHDM or CHIMP most always have a master password of either XBOXSCENE or TEAMASSEMBLY.

Manipulating Drive Locks with an Xbox

Notes on ConfigMagic and other such tools should go here. Important to stress that you shouldn't be telling an Xbox software tool to "unlock" your disk unless you're hardmodded, as it'll actually go ahead and disable locking, softbricking you on error 05.

Manipulating Drive Locks with a PC

If your console boots to an error code in the range of 13 or above, odds are the issue can be fixed using a separate computer to re-write the file system. You may also be able to use a computer to completely disable the security on a drive, if you believe it's no longer required.

Complicating the matter, however, some PC BIOS types will automatically put hard drives into a "frozen" state during the boot process. While frozen, a HDD ignores locking commands - it must be powered down again in order to unfreeze. Usually this feature can be managed in the CMOS setup screens, though the process varies from machine to machine.

Using a USB adapter to connect a drive to your PC may also cause problems, as many are unable to pass on the ATA security commands needed to manage drive locks.

Often users have XboxHDM manage their drive locks, as this tool can also format Xbox drives and copy files to them. hdparm can be used to check whether your drive is frozen and whether locking commands are currently accepted (and of course to lock/unlock drives). The hotswapping technique can be used to work around freezing and adapter issues entirely, by having an Xbox unlock your drive before you even attach it to your PC in the first place.

XboxHDM

See main article.

Guides for both the USB and non-USB versions should go into the actual XboxHDM page, whenever someone can be bothered to write them. XboxHDM includes a suite of tools for working with ATA security (as well as for formatting disks to FATX), although exactly which tools you get depends on which version you're using. Some can determine drive passwords automatically using an EEPROM backup (good for user level), some require manual code entry (good for master level). This stub should stay here as an explanatory note for as long as that content remains missing.

hdparm

Available for a variety of platforms, although most users will likely want the win32 edition.

A command-line based tool that requires an administrative command prompt to run correctly (usually an option when right clicking the Windows Start menu button). Defaults to the use of master level passwords. Simply typing its name provides a list of supported parameters.

hdparm eg1: Identifying your drive
hdparm -I hda

Lists out information about your first connected HDD, such as the model number. "hda" refers to your first detected disk, "hdb" to your second, and so on. Drive model and serial are provided near the top of the listing, and the drive's current locking state is near the bottom.

Eg:

Security:
             Master password revision code: ?????
                     supported
                     enabled
             not     locked
             not     frozen
             not     expired: security count
                     supported: enhanced erase

The above is the Security info you'd expect to see for a drive which has locking *enabled* (passwords are required after powering up the disk), but with the lock currently *open* (a valid password has been provided since the disk last powered up).

If the command returns "Problem issuing security command: Function not implemented", then your drive is connected in a way that doesn't allow the use of ATA security commands. If you're using a USB adapter, try switching to a different model, or doing away with it entirely and instead connecting your HDD directly to your motherboard.

If a drive comes up as "frozen", then either you've tried to unlock it using the wrong password too many times (powering your PC off will reset the counter), or your PC automatically froze the drive on boot (check your CMOS setup screens to disable this feature, or take the computer in and out of standby mode). A disk cannot be unlocked while it's frozen.
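
An added example (not part of the original wiki text, and not code from hdparm): a small Python parser that reads the Security block of an `hdparm -I` listing and reports which of the states described above the drive is in. The state labels and the sample listings are constructed for illustration.

```python
import re

# The Security flags from an `hdparm -I` listing that decide what can be done.
FLAGS = ("enabled", "locked", "frozen", "expired: security count")
ADAPTER_ERROR = "Function not implemented"

# Constructed sample modelled on the listing above: locking enabled, lock open.
SAMPLE_OPEN = """Security:
\tMaster password revision code: ?????
\t\tsupported
\t\tenabled
\tnot\tlocked
\tnot\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
Checksum: correct
"""
# Constructed variants: a frozen, locked drive and a drive with security off.
SAMPLE_FROZEN = SAMPLE_OPEN.replace("not\tlocked", "\tlocked").replace("not\tfrozen", "\tfrozen")
SAMPLE_OFF = SAMPLE_OPEN.replace("\t\tenabled", "\tnot\tenabled")


def parse_security(text):
    """Return {flag: bool} read from the Security block of `hdparm -I` output."""
    state, in_block = {}, False
    for line in text.splitlines():
        if line.strip() == "Security:":
            in_block = True
        elif in_block and line and not line[0].isspace():
            break  # the next unindented heading ends the block
        elif in_block:
            m = re.match(r"\s*(not\s+)?(.+?)\s*$", line)
            if m and m.group(2) in FLAGS:
                state[m.group(2)] = m.group(1) is None  # "not" prefix negates
    return state


def classify(text):
    """Map a listing to the drive states this page describes."""
    if ADAPTER_ERROR in text:
        return "no-passthrough"  # connection drops ATA security commands
    s = parse_security(text)
    if not s:
        return "unknown"         # no Security block in the listing
    if s.get("frozen"):
        return "frozen"          # security commands ignored until power cycle
    if not s.get("enabled"):
        return "disabled"        # no lock in place (error 05 on a stock BIOS)
    return "locked" if s.get("locked") else "open"
```

Pass it the captured text of the drive listing; "frozen" is reported ahead of the lock state because a frozen drive has to be power cycled before any unlock attempt can work.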

hdparm eg2: Temporarily opening a drive lock
hdparm --security-unlock TEAMASSEMBLY hdb

Attempts to unlock your second connected HDD using a master password of TEAMASSEMBLY. It'll automatically relock during its next power cycle.

hdparm eg3: Completely disabling security
hdparm --security-disable "Seagate                         " hdc

Attempts to completely disable the security system on your third connected drive, using a master password of "Seagate" followed by 25 spaces. Don't use --security-disable unless you're sure you don't want your drive to automatically lock itself again - until a --security-enable command is issued, that is!

Hotswapping

If neither a drive's user nor master password is known, and there's no easy method available with which to obtain the associated console's EEPROM data, a hotswap will likely allow you to gain read/write access anyway.

(So long as your Xbox can boot to the point of giving video output, at least. Although if it can't, then a file system rewrite isn't going to help you!)

This technique also works around issues with USB adapters which refuse to pass through ATA security commands.

Start with your Xbox and PC powered down, with the drive installed within the console as normal. Disconnect both cables attached to the DVD drive, and then start the Xbox: it should come to rest on an error 12 screen. In this state, the HDD is unlocked and the console won't attempt any further writes to it, making it safe to proceed.

Without turning the Xbox off or disturbing the drive's power lead (the disk must not power down!), disconnect the data cable and connect the drive to your PC instead. Booting your PC at this point should give you access to the drive's content through a FATX-compatible tool such as XboxHDM or FATXplorer.

Service/Technician mode unlocking

All HDDs store their ATA security status on the disk itself in a normally inaccessible area called the Service Area. This area also contains vital information such as drive firmware and modules needed for the drive to function, so special software and/or hardware is often needed to gain access in order to view or modify its contents.

For many of them, unofficial unlocking options are available: while there are multiple for-profit enterprises whose pricing is aimed at people who do this full time, other sites - like HDDOracle and to a lesser extent HDDGuru - emphasize free options, if any.

In particular, for Xbox OEM and similar vintage Seagate disks, only a 3.3V serial interface is needed (cleaner method than that proposed in the article).