While researching material for a previous article, I wanted to examine the only AT-compatible ESDI controller I have, a Western Digital WD1007V-SE2. My board was made in 1990, the firmware is from 1989, and the controller was likely introduced in 1988 judging by the copyright date on the PCB.
There is no real technical documentation for this controller. That is to say, the core chip, the WD42C22A ‘Venus’, is reasonably well documented, but the one thing this otherwise very capable chip does not do is process AT task file commands. That’s all handled by a separate microcontroller/firmware.
Under normal circumstances, I would first try to probe the controller from the host side and see what commands it responds to, but without a functioning ESDI drive that is not an option, and finding a working ESDI drive for a sane price appears to be no longer possible. Reverse engineering it is, then.
As luck would have it, this controller uses an Intel 80C188 SoC to run the firmware, and the actual code is on a standard EPROM chip. So I pulled the firmware chip out, popped it into my PROM reader, read out the contents, and loaded the resulting file into IDA.
The firmware is big enough but not huge (16KB PROM, not full), so it didn’t take me long to identify the dispatch table (actually two) that handles commands. I hesitate to say ATA commands, since this is obviously not an IDE controller, but the register and command interface is extremely similar to ATA.
Here’s what the controller accepts; commands not listed are immediately aborted:
- 1xh — RECALIBRATE, the low nibble is ignored
- 20-23h — this covers READ SECTOR(S) and READ LONG, with and without retry
- 30-33h — WRITE SECTOR(S) and WRITE LONG, again with and without retry
- 40-41h — READ VERIFY SECTOR(S), with and without retry
- 50h — FORMAT TRACK
- 7xh — SEEK, the low nibble is ignored
- 90h — EXECUTE DRIVE DIAGNOSTIC
- 91h — INITIALIZE DRIVE PARAMETERS
- A0h, ADh — unknown purpose
- C4h/C5h/C6h — READ/WRITE MULTIPLE, SET MULTIPLE MODE
- E0h — ESDI COMMAND
- E4h/E8h — READ/WRITE BUFFER
- ECh — IDENTIFY
- EFh — SET FEATURES
The command names above are the same as the ATA specification where applicable. Some of these commands warrant a closer look.
SET FEATURES — the Feature Register must contain AAh or 55h; in response, the command enables or disables read-ahead, respectively. Other values cause the command to fail.
SET MULTIPLE MODE — if the value in the Sector Count Register is zero, READ/WRITE MULTIPLE is disabled. Values from 1 to 14 enable READ/WRITE MULTIPLE. Other values cause SET MULTIPLE MODE to fail; while ATA specifies that this disables READ/WRITE MULTIPLE, the WD1007V does not change the multiple mode setting in this case.
ESDI COMMAND — this is obviously not an ATA command; in fact ATA says that the E0h command code is used for STANDBY IMMEDIATE. This command is used to send a 16-bit command to the attached ESDI drive and get a 16-bit response back. The WD1007V BIOS uses this command quite a bit. The Cylinder Low/High registers are used for input and output, but with byte swapping (the low byte of the 16-bit command word/result is in the Cylinder High Register). At least some SMS OMTI ESDI controllers also supported this command.
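The command list and the SET FEATURES, SET MULTIPLE MODE and ESDI COMMAND behaviour described above can be captured in a small host-side model, useful for checking an emulator or driver against these notes. This is an added example, not code from the firmware; the names `decode`, `Wd1007vModel`, `esdi_word_to_regs` and `regs_to_esdi_word` are illustrative, and the initial MULTIPLE and read-ahead states are assumptions.

```python
# Added example: host-side model of the command decode described in this article.
# All names are illustrative; nothing here is taken from the firmware itself.

EXACT = {
    0x50: "FORMAT TRACK", 0x90: "EXECUTE DRIVE DIAGNOSTIC",
    0x91: "INITIALIZE DRIVE PARAMETERS", 0xA0: "UNKNOWN (A0h)",
    0xAD: "UNKNOWN (ADh)", 0xC4: "READ MULTIPLE", 0xC5: "WRITE MULTIPLE",
    0xC6: "SET MULTIPLE MODE", 0xE0: "ESDI COMMAND", 0xE4: "READ BUFFER",
    0xE8: "WRITE BUFFER", 0xEC: "IDENTIFY", 0xEF: "SET FEATURES",
}
# (first opcode, last opcode, family); low bits pick long/retry variants
# or, for RECALIBRATE and SEEK, are ignored.
RANGES = [(0x10, 0x1F, "RECALIBRATE"), (0x20, 0x23, "READ"),
          (0x30, 0x33, "WRITE"), (0x40, 0x41, "READ VERIFY"),
          (0x70, 0x7F, "SEEK")]

def decode(opcode):
    """Return the command family, or None if the controller aborts the opcode."""
    for first, last, name in RANGES:
        if first <= opcode <= last:
            return name
    return EXACT.get(opcode)

class Wd1007vModel:
    def __init__(self):
        self.multiple = 0       # assumed initial state: MULTIPLE disabled
        self.read_ahead = None  # initial state is not given in the article

    def set_features(self, feature):
        """AAh enables read-ahead, 55h disables it, anything else fails."""
        if feature not in (0xAA, 0x55):
            return False
        self.read_ahead = feature == 0xAA
        return True

    def set_multiple(self, sector_count):
        """0 disables, 1..14 enables; other values fail and keep the setting."""
        if not 0 <= sector_count <= 14:
            return False        # ATA would also disable MULTIPLE here
        self.multiple = sector_count
        return True

def esdi_word_to_regs(word):
    """Split a 16-bit ESDI word into (Cylinder Low, Cylinder High), swapped."""
    return (word >> 8) & 0xFF, word & 0xFF

def regs_to_esdi_word(cyl_low, cyl_high):
    """Rebuild the 16-bit ESDI response from the two cylinder registers."""
    return ((cyl_low & 0xFF) << 8) | (cyl_high & 0xFF)
```
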
A0h, ADh — these commands do not exist in ATA (the A0h command code was later used for the PACKET command designed for ATAPI devices). I don’t know what these commands do, but they do communicate with the drive. The A0h command is used by the WD1007V BIOS when formatting. These commands might be accessing some kind of a service cylinder on the drive.
IDENTIFY — this command returns a surprisingly large subset of what the first version of ATA defined. The first 10 words are simply what the ESDI drive itself returns through the REQUEST CONFIGURATION command. The serial number is all zeros, which is quite interesting—obviously the controller has no way to provide a drive serial number, yet bothers providing something that sort of looks like one. The firmware revision is ‘REV. A5’ and the model number ‘WD1007V’. The firmware also fills out the buffer type and size (32KB), ECC length (4 or 7 bytes, depending on a jumper setting), and the current MULTIPLE MODE setting.
The very last word of the IDENTIFY buffer is used to report the controller’s current jumper settings. I’m told this was initially a debug-only feature inadvertently left enabled in a late night build, discovered by Compaq, and requested as a permanent feature.
All in all, the WD1007V firmware is largely ATA command set compatible, and includes several enhancements to the basic AT disk command set: IDENTIFY, READ/WRITE BUFFER, READ/WRITE MULTIPLE and SET MULTIPLE, as well as the SET FEATURES command to enable/disable read-ahead.