Sending ATA commands directly to device in Windows?
I’m trying to send ATA commands to a physical disk in Windows, and get the response from the device.
Note: In this case I want to send the
IDENTIFY DEVICE(0xEC) command. The device will respond with a 512-byte block of data. (In particular I’m interested in bit 0 of word 119 - the device’s support for theTRIMcommand).
I know that I need to use CreateFile to open the device:
handle = CreateFile(
"\\.\PhysicalDrive0", GENERIC_READ, FILE_SHARE_READ,
nil, // no security attributes
OPEN_EXISTING,
0, // flags and attributes
nil // no template file
);
But after this I’m stymied about what to do.
I thought about sending 0xEC using [DeviceIoControl][4]:
// const ATACommand_IdentifyDevice = 0xEC;
uint bytesReturned = 0;
DeviceIoControl(handle,
0xEC, // IO Control Code
nil, // input buffer not needed
0, // input buffer is zero bytes
@buffer, // output buffer to store the returned 512-bytes
512, // output buffer is 512 bytes long
out bytesReturned,
nil // not an overlapped operation
);
But this is completely wrong. An IoControlCode sent to DeviceIoControl must be a valid IO_CTL, which are built using the macro:
#define CTL_CODE(DeviceType, Function, Method, Access) (
((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method)
)
Looking at the SDK, there are a number of valid Disk Management Control Codes, e.g.:
- IOCTL_DISK_CREATE_DISK
- IOCTL_DISK_GET_DRIVE_GEOMETRY
- IOCTL_DISK_GET_DRIVE_GEOMETRY_EX
- IOCTL_DISK_GET_PARTITION_INFO
- IOCTL_STORAGE_QUERY_PROPERTY
But none of them are IDENTIFY DEVICE command, or return anything it returns.
So I believe I have to use some “raw” method of sending commands.
Searching around, I came across and undocumented IOCTL
#define DFP_RECEIVE_DRIVE_DATA 0x0007c088
Which when you break down the IOCTL pieces, means:
Custom: (0)
Device Type: (7) FILE_DEVICE_DISK
Required Access: (3) METHOD_NEITHER
Custom: (0)
Function Code: (34)
Transfer Type: (0)
But there is no documentation anywhere on what the inputBuffer must contain, its size, and what its outputBuffer will contain, or its required. Nor can I figure out what functionCode 34 (0x22) is.
My question: How do I send raw ATA commands (e.g. 0xEC) to an ATA device, and read its response?
See also
- IOCTL_ATA_PASS_THROUGH Control Code
- IOCTL_ATA_PASS_THROUGH_DIRECT Control Code
- ATA_PASS_THROUGH_EX Structure
Answer pieces
Open the drive with ReadWrite access:
handle = CreateFile(
"\\.\PhysicalDrive0",
GENERIC_READ or GENERIC_WRITE, // IOCTL_ATA_PASS_THROUGH requires read-write
FILE_SHARE_READ,
nil, // no security attributes
OPEN_EXISTING,
0, // flags and attributes
nil // no template file
);
Setup an ATA_PASS_THROUGH_EX structure as our input buffer to use with IOCTL_ATA_PASS_THROUGH IO control code:
ATA_PASS_THROUGH_EX inputBuffer;
inputBuffer.Length = sizeof(ATA_PASS_THROUGH_EX);
inputBuffer.AtaFlags = ATA_FLAGS_DATA_IN;
inputBuffer.DataTransferLength = 0;
inputBuffer.DataBufferOffset = 0;
// todo: put the ATA command (e.g. 0xEC) somewhere
uint inputBufferSize = sizeof(ATA_PASS_THROUGH_EX);
Setup an output buffer to hold our expected 512-byte response from the drive:
Byte[] outputBuffer = new Byte[512];
uint outputBufferSize = 512;
Call DeviceIoControl:
int ioControlCode = IOCTL_ATA_PASS_THROUGH; // or maybe IOCTL_ATA_PASS_THROUGH_DIRECT
uint bytesReturned = 0;
DeviceIoControl(handle, ioControlCode,
inputBuffer, inputBufferSize,
outputBuffer, outputBufferSize,
out bytesReturned,
nil // not an overlapped operation
);
Close the file handle:
handle.Close();
Answer
You need to use IOCTL_ATA_PASS_THROUGH/IOCTL_ATA_PASS_THROUGH_DIRECT, these are quite well documented. Also, you need GENERIC_READ|GENERIC_WRITE access for CreateFile.
Be aware that pre XP SP2 does not support these properly. Also, if you have a nForce based MB with nvidia drivers, your SATA drives will appear as SCSI and you can't use this passthrough.
In some cases, the SMART IOCTL's (e.g. SMART_RCV_DRIVE_DATA) will work on nForce drivers. You can use these to get IDENTIFY and SMART data, but not much else.
The open source smartmontools is a good place to start looking for sample code.
EDIT: Sample from an app talking to ATA devices.
EResult DeviceOperationManagerWin::executeATACommandIndirect(ATACommand & Cmd) {
const uint32 FillerSize = 0;
Utils::ByteBuffer B;
B.reserve(sizeof(ATA_PASS_THROUGH_EX) + 4 + Cmd.bufferSize());
ATA_PASS_THROUGH_EX & PTE = * (ATA_PASS_THROUGH_EX *) B.appendPointer(sizeof(ATA_PASS_THROUGH_EX) + FillerSize + Cmd.bufferSize());
uint8 * DataPtr = ((uint8 *) &PTE) + sizeof(ATA_PASS_THROUGH_EX) + FillerSize;
memset(&PTE, 0, sizeof(ATA_PASS_THROUGH_EX) + FillerSize);
PTE.Length = sizeof(PTE);
PTE.AtaFlags = 0;
PTE.AtaFlags |= Cmd.requiresDRDY() ? ATA_FLAGS_DRDY_REQUIRED : 0;
switch (Cmd.dataDirection()) {
case ddFromDevice:
PTE.AtaFlags |= ATA_FLAGS_DATA_IN;
break;
case ddToDevice:
PTE.AtaFlags |= ATA_FLAGS_DATA_OUT;
memcpy(DataPtr, Cmd.buffer(), Cmd.bufferSize());
break;
default:
break;
}
PTE.AtaFlags |= Cmd.is48Bit() ? ATA_FLAGS_48BIT_COMMAND : 0;
PTE.AtaFlags |= Cmd.isDMA() ? ATA_FLAGS_USE_DMA : 0;
PTE.DataTransferLength = Cmd.bufferSize();
PTE.TimeOutValue = Cmd.timeout();
PTE.DataBufferOffset = sizeof(PTE) + FillerSize;
PTE.DataTransferLength = Cmd.bufferSize();
PTE.CurrentTaskFile[0] = Cmd.taskFileIn0().Features;
PTE.CurrentTaskFile[1] = Cmd.taskFileIn0().Count;
PTE.CurrentTaskFile[2] = Cmd.taskFileIn0().LBALow;
PTE.CurrentTaskFile[3] = Cmd.taskFileIn0().LBAMid;
PTE.CurrentTaskFile[4] = Cmd.taskFileIn0().LBAHigh;
PTE.CurrentTaskFile[5] = Cmd.taskFileIn0().Device;
PTE.CurrentTaskFile[6] = Cmd.taskFileIn0().Command;
PTE.CurrentTaskFile[7] = 0;
if (Cmd.is48Bit()) {
PTE.PreviousTaskFile[0] = Cmd.taskFileIn1().Features;
PTE.PreviousTaskFile[1] = Cmd.taskFileIn1().Count;
PTE.PreviousTaskFile[2] = Cmd.taskFileIn1().LBALow;
PTE.PreviousTaskFile[3] = Cmd.taskFileIn1().LBAMid;
PTE.PreviousTaskFile[4] = Cmd.taskFileIn1().LBAHigh;
PTE.PreviousTaskFile[5] = Cmd.taskFileIn1().Device;
PTE.PreviousTaskFile[6] = 0;
PTE.PreviousTaskFile[7] = 0;
}
DWORD BR;
if (!DeviceIoControl(FHandle, IOCTL_ATA_PASS_THROUGH, &PTE, B.size(), &PTE, B.size(), &BR, 0)) {
FLastOSError = GetLastError();
LOG_W << "ioctl ATA_PT failed for " << Cmd << ": " << FLastOSError << " (" << Utils::describeOSError(FLastOSError) << ")";
return Utils::mapOSError(FLastOSError);
}
Cmd.taskFileOut0().Error = PTE.CurrentTaskFile[0];
Cmd.taskFileOut0().Count = PTE.CurrentTaskFile[1];
Cmd.taskFileOut0().LBALow = PTE.CurrentTaskFile[2];
Cmd.taskFileOut0().LBAMid = PTE.CurrentTaskFile[3];
Cmd.taskFileOut0().LBAHigh = PTE.CurrentTaskFile[4];
Cmd.taskFileOut0().Device = PTE.CurrentTaskFile[5];
Cmd.taskFileOut0().Status = PTE.CurrentTaskFile[6];
Cmd.taskFileOut1().Error = PTE.PreviousTaskFile[0];
Cmd.taskFileOut1().Count = PTE.PreviousTaskFile[1];
Cmd.taskFileOut1().LBALow = PTE.PreviousTaskFile[2];
Cmd.taskFileOut1().LBAMid = PTE.PreviousTaskFile[3];
Cmd.taskFileOut1().LBAHigh = PTE.PreviousTaskFile[4];
Cmd.taskFileOut1().Device = PTE.PreviousTaskFile[5];
Cmd.taskFileOut1().Status = PTE.PreviousTaskFile[6];
if (Cmd.dataDirection() == ddFromDevice) {
memcpy(Cmd.buffer(), DataPtr, Cmd.bufferSize());
}
return resOK;
}
EDIT: Sample without external dependencies.
IDENTIFY requires a 512 byte buffer for data:
unsigned char Buffer[512 + sizeof(ATA_PASS_THROUGH_EX)] = { 0 };
ATA_PASS_THROUGH_EX & PTE = *(ATA_PASS_THROUGH_EX *) Buffer;
PTE.Length = sizeof(PTE);
PTE.TimeOutValue = 10;
PTE.DataTransferLength = 512;
PTE.DataBufferOffset = sizeof(ATA_PASS_THROUGH_EX);
Set up the IDE registers as specified in ATA spec.
IDEREGS * ir = (IDEREGS *) PTE.CurrentTaskFile;
ir->bCommandReg = 0xEC;
ir->bSectorCountReg = 1;
IDENTIFY is neither 48-bit nor DMA, it reads from the device:
PTE.AtaFlags = ATA_FLAGS_DATA_IN | ATA_FLAGS_DRDY_REQUIRED;
Do the ioctl:
DeviceIOControl(Handle, IOCTL_ATA_PASS_THROUGH, &PTE, sizeof(Buffer), &PTE, sizeof(Buffer), &BR, 0);
Here you should insert error checking, both from DeviceIOControl and by looking at IDEREGS for device reported errors.
Get the IDENTIFY data, assuming you have defined a struct IdentifyData
IdentifyData * IDData = (IdentifyData *) (Buffer + sizeof(ATA_PASS_THROUGH_EX));