Host protected area

Last updated April 30, 2022

The host protected area (HPA) is an area of a hard drive or solid-state drive that is not normally visible to an operating system. It was first introduced in the ATA-4 standard CXV (T13) in 2001.^[1]

How it works

Creation of an HPA. The diagram shows how a host protected area (HPA) is created.
IDENTIFY DEVICE returns the true size of the hard drive. READ NATIVE MAX ADDRESS returns the true size of the hard drive.
SET MAX ADDRESS reduces the reported size of the hard drive. READ NATIVE MAX ADDRESS returns the true size of the hard drive. An HPA has been created.
IDENTIFY DEVICE returns the now fake size of the hard drive. READ NATIVE MAX ADDRESS returns the true size of the hard drive, the HPA is in existence. Hpacreate.png — Creation of an HPA. The diagram shows how a host protected area (HPA) is created.
IDENTIFY DEVICE returns the true size of the hard drive. READ NATIVE MAX ADDRESS returns the true size of the hard drive.
SET MAX ADDRESS reduces the reported size of the hard drive. READ NATIVE MAX ADDRESS returns the true size of the hard drive. An HPA has been created.
IDENTIFY DEVICE returns the now fake size of the hard drive. READ NATIVE MAX ADDRESS returns the true size of the hard drive, the HPA is in existence.

The IDE controller has registers that contain data that can be queried using ATA commands. The data returned gives information about the drive attached to the controller. There are three ATA commands involved in creating and using a host protected area. The commands are:

IDENTIFY DEVICE
SET MAX ADDRESS
READ NATIVE MAX ADDRESS

Operating systems use the IDENTIFY DEVICE command to find out the addressable space of a hard drive. The IDENTIFY DEVICE command queries a particular register on the IDE controller to establish the size of a drive.

This register however can be changed using the SET MAX ADDRESS ATA command. If the value in the register is set to less than the actual hard drive size then effectively a host protected area is created. It is protected because the OS will work with only the value in the register that is returned by the IDENTIFY DEVICE command and thus will normally be unable to address the parts of the drive that lie within the HPA.

The HPA is useful only if other software or firmware (e.g. BIOS or UEFI) is able to use it. Software and firmware that are able to use the HPA are referred to as 'HPA aware'. The ATA command that these entities use is called READ NATIVE MAX ADDRESS. This command accesses a register that contains the true size of the hard drive. To use the area, the controlling HPA-aware program changes the value of the register read by IDENTIFY DEVICE to that found in the register read by READ NATIVE MAX ADDRESS. When its operations are complete, the register read by IDENTIFY DEVICE is returned to its original fake value.

Use

At the time HPA was first implemented on hard-disk firmware, some BIOS had difficulty booting with large hard disks. An initial HPA could then be set (by some jumpers on the hard disk) to limit the number of cylinders to 4095 or 4096 so that the older BIOS would start. It was then the job of the bootloader to reset the HPA so that the operating system would see the full hard-disk storage space.
HPA can be used by various booting and diagnostic utilities, normally in conjunction with the BIOS. An example of this implementation is the Phoenix FirstBIOS, which uses Boot Engineering Extension Record (BEER) and Protected Area Run Time Interface Extension Services (PARTIES).^[2] Another example is the Gujin installer which can install the bootloader in BEER, naming that pseudo-partition /dev/hda0 or /dev/sdb0; then only cold boots (from power-down) will succeed because warm boots (from Control-Alt-Delete) will not be able to read the HPA.
Computer manufacturers may use the area to contain a preloaded OS for install and recovery purposes (instead of providing DVD or CD media).
Dell notebooks hide Dell MediaDirect utility in HPA. IBM ThinkPad and LG notebooks hide system restore software in HPA.
HPA is also used by various theft recovery and monitoring service vendors. For example, the laptop security firm CompuTrace use the HPA to load software that reports to their servers whenever the machine is booted on a network. HPA is useful to them because even when a stolen laptop has its hard drive formatted the HPA remains untouched.
HPA can also be used to store data that is deemed illegal and is thus of interest to government and police computer forensics teams.^[3]
Some vendor-specific external drive enclosures (e.g. Maxtor, owned by Seagate since 2006) are known to use HPA to limit the capacity of unknown replacement hard drives installed into the enclosure. When this occurs, the drive may appear to be limited in size (e.g. 128 GB), which can look like a BIOS or dynamic drive overlay (DDO) problem. In this case, one must use software utilities (see below) that use READ NATIVE MAX ADDRESS and SET MAX ADDRESS to change the drive's reported size back to its native size, and avoid using the external enclosure again with the affected drive.
Some rootkits hide in the HPA to avoid being detected by anti-rootkit and antivirus software.^[2]
Some NSA exploits use the HPA^[4] for application persistence.

Identification and manipulation

Identification of HPA on a hard drive can be achieved by a number of tools and methods.

Note that the HPA feature can be hidden by DCO commands (documentation states only if the HPA is not in use), and can be "frozen" (until next power-down of the hard disk) or be password protected.

Identification tools

ATATool by Data Synergy
The Sleuth Kit (free, open software) by Brian Carrier (HPA identification is currently Linux-only.)
EnCase by Guidance Software
Forensic Toolkit by Access Data

Identification methods

The Windows program ATATool can detect an HPA. For instance, to see if the first disk has an HPA use the command:

ATATOOL /INFO \\.\PhysicalDrive0

Using Linux, there are various ways to detect the existence of an HPA. Recent versions of Linux will print a message when the system is booting if an HPA is detected. For example:

 dmesg | less [...] hdb: Host Protected Area detected.     current capacity is 12000 sectors (6 MB)     native  capacity is 120103200 sectors (61492 MB)

The program hdparm (versions 8.0 and above) will detect an HPA on drive sdX when invoked with these parameters:

hdparm -N /dev/sdX

For versions of hdparm below 8, one can compare the number of sectors output from 'hdparm -I' with the number of sectors reported for the hard drive model's published statistics.

Manipulation methods

The Windows program ATATool can be used to create a HPA. For instance, to create a 10GB HPA:

ATATOOL /NONVOLATILEHPA /SETHPA:10GB \\.\PhysicalDrive1

The Linux program hdparm (version >= 8.0) will create an HPA when invoked with these parameters: (sdX: target drive, #: number of non-HPA visible sectors)

hdparm -N p# /dev/sdX

Related Research Articles

In computing, BIOS is firmware used to provide runtime services for operating systems and programs and to perform hardware initialization during the booting process. The BIOS firmware comes pre-installed on an IBM PC or IBM PC compatible's system board and exists in UEFI-based systems too. The name originates from the Basic Input/Output System used in the CP/M operating system in 1975. The BIOS originally proprietary to the IBM PC has been reverse engineered by some companies looking to create compatible systems. The interface of that original system serves as a de facto standard.

In computing, booting is the process of starting a computer as initiated via hardware such as a button or by a software command. After it is switched on, a computer's central processing unit (CPU) has no software in its main memory, so some process must load software into memory before it can be executed. This may be done by hardware or firmware in the CPU, or by a separate processor in the computer system.

Rootkit Software designed to enable access to unauthorized locations in a computer

A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed and often masks its existence or the existence of other software. The term rootkit is a compound of "root" and the word "kit". The term "rootkit" has negative connotations through its association with malware.

Logical block addressing (LBA) is a common scheme used for specifying the location of blocks of data stored on computer storage devices, generally secondary storage systems such as hard disk drives. LBA is a particularly simple linear addressing scheme; blocks are located by an integer index, with the first block being LBA 0, the second LBA 1, and so on.

Multi-booting is the act of installing multiple operating systems on a single computer, and being able to choose which one to boot. The term dual-booting refers to the common configuration of specifically two operating systems. Multi-booting may require a custom boot loader.

dd is a command-line utility for Unix, Unix-like operating systems and beyond, the primary purpose of which is to convert and copy files.

The SRM firmware is the boot firmware written by Digital Equipment Corporation (DEC) for computer systems based on the DEC Alpha microprocessor. SRM are the initials of (Alpha) System Reference Manual, the publication detailing the Alpha AXP architecture and which specified various features of the SRM firmware.

The GUID Partition Table (GPT) is a standard for the layout of partition tables of a physical computer storage device, such as a hard disk drive or solid-state drive, using universally unique identifiers, which are also known as globally unique identifiers (GUIDs). Forming a part of the Unified Extensible Firmware Interface (UEFI) standard, it is nevertheless also used for some BIOS systems, because of the limitations of master boot record (MBR) partition tables, which use 32 bits for logical block addressing (LBA) of traditional 512-byte disk sectors.

hdparm is a command line program for Linux to set and view ATA hard disk drive hardware parameters and test performance. It can set parameters such as drive caches, sleep mode, power management, acoustic management, and DMA settings. GParted and Parted Magic both include hdparm.

INT 13h is shorthand for BIOS interrupt call 13_hex, the 20th interrupt vector in an x86-based computer system. The BIOS typically sets up a real mode interrupt handler at this vector that provides sector-based hard disk and floppy disk read and write services using cylinder-head-sector (CHS) addressing. Modern PC BIOSes also include INT 13h extension functions, originated by IBM and Microsoft in 1992, that provide those same disk access services using 64-bit LBA addressing; with minor additions, these were quasi-standardized by Phoenix Technologies and others as the EDD BIOS extensions.

In Linux systems, initrd is a scheme for loading a temporary root file system into memory, to be used as part of the Linux startup process. initrd and initramfs refer to two different methods of achieving this. Both are commonly used to make preparations before the real root file system can be mounted.

A live USB is a portable USB-attached external data storage device containing a full operating system that can be booted from. The term is reminiscent of USB flash drives but may encompass an external hard disk drive or solid-state drive, though they may be referred to as "live HDD" and "live SSD" respectively. They are the evolutionary next step after live CDs, but with the added benefit of writable storage, allowing customizations to the booted operating system. Live USBs can be used in embedded systems for system administration, data recovery, or test driving, and can persistently save settings and install software packages on the USB device.

In computing, error recovery control (ERC) is a feature of hard disks which allow a system administrator to configure the amount of time a drive's firmware is allowed to spend recovering from a read or write error. Limiting the recovery time allows for improved error handling in hardware or software RAID environments. In some cases, there is a conflict as to whether error handling should be undertaken by the hard drive or by the RAID implementation, which leads to drives being marked as unusable and significant performance degradation, when this could otherwise have been avoided.

Device configuration overlay (DCO) is a hidden area on many of today's hard disk drives (HDDs). Usually when information is stored in either the DCO or host protected area (HPA), it is not accessible by the BIOS, OS, or the user. However, certain tools can be used to modify the HPA or DCO. The system uses the IDENTIFY_DEVICE command to determine the supported features of a given hard drive, but the DCO can report to this command that supported features are nonexistent or that the drive is smaller than it actually is. To determine the actual size and features of a disk, the DEVICE_CONFIGURATION_IDENTIFY command is used, and the output of this command can be compared to the output of IDENTIFY_DEVICE to see if a DCO is present on a given hard drive. Most major tools will remove the DCO in order to fully image a hard drive, using the DEVICE_CONFIGURATION_RESET command. This permanently alters the disk, unlike with the host protected area (HPA), which can be temporarily removed for a power cycle.

Intel Rapid Storage Technology (RST), until 2010 called Matrix RAID, is a firmware-based RAID solution built into a wide range of Intel chipsets. As of 2020, it includes a RAID system capable of RAID levels 0, 1, 5, and 10, a block level SSD caching accelerator with support for write-back and write-through modes for speed or data protection of any disk or RAID array, and support for intelligent caching, speedy recovery from certain issues, and for PCI Express based drives. Intel RST comes in two variants, RST for desktops, and RSTe for enterprise scenarios, although for many chipsets, the user can choose as both variants will operate correctly.

In Unix-like operating systems, a device file or special file is an interface to a device driver that appears in a file system as if it were an ordinary file. There are also special files in DOS, OS/2, and Windows. These special files allow an application program to interact with a device by using its device driver via standard input/output system calls. Using standard system calls simplifies many programming tasks, and leads to consistent user-space I/O mechanisms regardless of device features and functions.

A trim command allows an operating system to inform a solid-state drive (SSD) which blocks of data are no longer considered to be 'in use' and therefore can be erased internally.

A master boot record (MBR) is a special type of boot sector at the very beginning of partitioned computer mass storage devices like fixed disks or removable drives intended for use with IBM PC-compatible systems and beyond. The concept of MBRs was publicly introduced in 1983 with PC DOS 2.0.

Absolute Home & Office is a proprietary laptop theft recovery software. The persistent security features are built into the firmware of devices. Absolute Home & Office has services of an investigations and recovery team who partners with law enforcement agencies to return laptops to their owners. Absolute Software licensed the name LoJack from the vehicle recovery service LoJack in 2005.

ATATool is freeware software that is used to display and modify ATA disk information from a Microsoft Windows environment. The software is typically used to manage host protected area (HPA) and device configuration overlay (DCO) features and is broadly similar to the hdparm for Linux. Recent versions include support for DCO restore and freeze operations, HPA security (password) operations and simulated bad sectors.

References

↑ "Host Protected Areas" (PDF). Utica.edu.
1 2 Blunden, Bill (2009). The rootkit arsenal: escape and evasion in the dark corners of the system. Plano, Texas: Wordware Pub. p. 538. ISBN 978-1-59822-061-2. OCLC 297145864.
↑ Nelson, Bill; Phillips, Amelia; Steuart, Christopher (2010). Guide to computer forensics and investigations (4th ed.). Boston: Course Technology, Cengage Learning. p. 334. ISBN 978-1-435-49883-9.
↑ "SWAP: NSA Exploit of the Day - Schneier on Security".

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "Host Protected Areas" (PDF). Utica.edu.

[:0-2] 1 2 Blunden, Bill (2009). The rootkit arsenal: escape and evasion in the dark corners of the system. Plano, Texas: Wordware Pub. p. 538. ISBN 978-1-59822-061-2. OCLC 297145864.

[3] Nelson, Bill; Phillips, Amelia; Steuart, Christopher (2010). Guide to computer forensics and investigations (4th ed.). Boston: Course Technology, Cengage Learning. p. 334. ISBN 978-1-435-49883-9.

[4] "SWAP: NSA Exploit of the Day - Schneier on Security".

[1]

[2]

[3]

[4]