Notes on reverse engineering an RDX removable media drive and media. The RDX drive appears as a USB mass storage device, vendor 0x03F0, product 0x0725. When access is attempted with no cartridge inserted, it returns a 'no medium' error. In this manner it is similar to many flash media card readers. Upon inserting a disk, the new media is detected: [ 1007.432024] sd 4:0:0:0: [sdc] Spinning up disk... [ 1008.450809] . [ 1009.474791] . [ 1009.476044] ready [ 1009.476532] sd 4:0:0:0: [sdc] 625134256 512-byte logical blocks: (320 GB/298 GiB) [ 1009.479181] sd 4:0:0:0: [sdc] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA [ 1009.512184] sdc: sdc1 The disk appears to be a perfectly ordinary mass storage device, NTFS formatted. Though the medium was purchased on eBay, the filesystem is mostly zero bytes: It's either new, or has been overwritten with zeros and reformatted after previous use. The partition table is unremarkable. 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 000001b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 |............... | 000001c0 21 00 07 fe ff ff 00 08 00 00 00 c0 42 25 00 00 |!...........B%..| 000001d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 000001f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa |..............U.| 00000200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| An RDX cartridge is nothing more than a plastic carrier with a light-pipe for the status indicator LED, some shock-absorbing material and a 2.5" HD or SSD inside. It can be opened using a T3-size Torx screwdriver (this may vary between manufacturers) and the drive inside removed. Upon inserting this drive into a USB dock, it is detected as: [ 203.326071] scsi 5:0:0:0: Direct-Access TOSHIBA MQ01ABD032 AX00 PQ: 0 ANSI: 5 [ 203.326558] sd 5:0:0:0: Attached scsi generic sg4 type 0 [ 203.326752] sd 5:0:0:0: [sdd] 625142448 512-byte logical blocks: (320 GB/298 GiB) Followed by a series of read errors: [ 203.328606] sd 5:0:0:0: [sdd] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE [ 203.328610] sd 5:0:0:0: [sdd] tag#0 Sense Key : Medium Error [current] [ 203.328613] sd 5:0:0:0: [sdd] tag#0 Add. Sense: Unrecovered read error [ 203.328618] sd 5:0:0:0: [sdd] tag#0 CDB: Read(10) 28 00 00 00 00 00 00 00 08 00 Note that the drive is larger by 8192 blocks, or 4MiB - this suggests that the RDX drive is hideing 4MiB from the host, presumably for some internal use. I might speculate it contains media information or the flag to indicate WORM media. SMART reads normally though. Nothing unusual there. Hdparm reveals the reason for the inaccessibility: $hdparm -I /dev/sdd ... supported enabled locked not frozen not expired: security count supported: enhanced erase Security level high The drive is in security locked state, thus the read errors. This may be to prevent WORM media being disassembled and connected directly to a PC to bypass the WORM protection. Or it may, more cynically, be to prevent users from upgrading their cartridges by replacing the drive within, which would cost substantially less than buying new cartridges. It does not appear to be for security, as any RDX drive can read any RDX cartridge. Presumably the key is stored within the firmware of the RDX drive. For most users the only impact of the ATA lock will be to prevent data recovery efforts in the event of a fault. The cartridge used for testing is not WORM media, so all RDX cartridges are likely to contain drives locked in this manner. Recovery of the unlock key should be technically possible by intercepting the drive communications at the SATA interface using an FPGA chip and suitable programming, but this process would require both expensive equipment and a very high level of proficiency in FPGA development and hardware construction. As all RDA cartridges and drives must share a common key, it would only need to be performed once. Alternatively, Quantum has published firmware updates for their RDX drives in unencrypted form - it may be possible to extract the key by reverse-engineering these files.