You can try this trick: solder the flash back, but short some of its signals with tweezers during power on - this should get you into the same mode as w/o flash (so the drive will be detected), but the flash will be available for fw update. Never tried this on this particular model, but it's a common trick to bypass corrupted firmwares.
It is an SPI flash. If I short any of the relevant pins it will not detect so I will end up in the unsoldered state. My problem is that I cannot get the drive to a state where the uploader tool could rewrite the flash.
I see two more possibilities:
Social engineering: The tool itself is written in Qt, by an Indian programmer.
The following interesting strings can be found in the binary:
update.ocz.com
http://%s/firmware/tools.xml
tools.xml
minver
http://%s/firmware/fum.php?d=%s&f=%s&v=%s
fwinfo.xml
http://%s/firmware/flood.php?d=%s
Pick one preferably unique string: the "fum.php?d="
Do a Google search and you will get one result:
http://www.overclock.net/t/1330730/ocz-firmware-2-25-trim-doesnt-work-bug-regression-bad-ocz-experience
The folks over at that forum are trying to downgrade a firmware by mimicking update.ocz.com.
Ah, and they shared a link to a working fum.php URL:
http://update.ocztechnology.com/firmware/fum.php?d=latest&f=22853&v=2.22
Check that XML. Do a quick Google search for the "release/sf/ppro" string.
You will have two results: the forum above and a qtcentre.org forum entry:
http://www.qtcentre.org/threads/51057-How-to-parse-this-xml-file
If you check his/her posts on the forum, there are a lot of SATA and SQL related posts.
So (s)he should know how the web backend should work, and so how I could download my drive's firmware. I have written a PM to him, but he has not answered. He does not seem to be active anymore on that forum.
The second way is the good old reveng:
Disassembling the updater tool to get out the resource files' contents and hope that:
- The actual hardware - firmware association is stored in some kind of db (xml, sqlite, etc.)
- The firmware files are not encrypted and can be written to the flash raw.
Qt has a resource system to store files in the binary itself. binwalk shows a lot of LZMA compressed headers, which is the same algorithm that is used by the qrc files.
Any ideas or more experienced reverse engineering hints are welcome.
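An added example, not part of the original posts: a way to check which of the LZMA headers binwalk reports are real streams, by decompressing each candidate and keeping only those that finish cleanly. It assumes the hits are in the LZMA "alone" (.lzma) format; the function names and the sample blob are constructed for illustration.

```python
import lzma

MAGIC = b"\x5d\x00\x00"       # default properties byte + low dictionary-size bytes
MEMLIMIT = 64 * 1024 * 1024   # reject bogus headers that claim a huge dictionary
MAX_OUT = 16 * 1024 * 1024    # bound output per candidate; larger streams are skipped


def try_lzma_alone(blob, off):
    """Return (payload, consumed) if a complete LZMA-alone stream starts at off, else None."""
    chunk = blob[off:]
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE, memlimit=MEMLIMIT)
    try:
        out = dec.decompress(chunk, max_length=MAX_OUT)
    except (lzma.LZMAError, MemoryError):
        return None
    if not dec.eof or not out:
        return None               # ran out of input or hit the output cap
    return out, len(chunk) - len(dec.unused_data)


def carve_lzma(blob):
    """Scan blob for candidate headers and keep only those that really decompress."""
    found, pos = [], 0
    while (off := blob.find(MAGIC, pos)) != -1:
        hit = try_lzma_alone(blob, off)
        if hit is None:
            pos = off + 1         # false positive, keep scanning
            continue
        payload, consumed = hit
        found.append((off, payload))
        pos = off + consumed      # skip past the verified stream
    return found


def build_sample():
    """Constructed test image: padding, one fake header, one real stream, trailer."""
    payload = b"<fwinfo>constructed sample entry</fwinfo>\n" * 20
    # Fake header: valid-looking magic, but claims a ~4 GiB dictionary.
    fake = b"\x5d\x00\x00\xff\xff" + b"\xff" * 8 + b"not really lzma"
    real = lzma.compress(payload, format=lzma.FORMAT_ALONE)
    blob = b"MZ-constructed-pad" + fake + b"-gap-" + real + b"-trailer"
    return blob, payload, blob.index(real)


if __name__ == "__main__":
    sample, _, _ = build_sample()
    for off, data in carve_lzma(sample):
        print(f"0x{off:x}: {len(data)} bytes, starts {data[:24]!r}")
```

Candidates that fail here are signature false positives; the ones that succeed can be written out and inspected as files.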