6. Skip to content

6. Inter-driver communication

Both hdd.sys and ssd.sys expose a common interface, which fdd.sys interacts with.

The low-level keychip driver exposes this interface on device class 2c5e01f2-3144-449e-86ad-b8c77465ad94.

Using these drivers

When opening the lower level drivers from user space it can be easier to specify a complete device path. These are reproduced below, however it is important to note that fdd.sys exclusively uses the device class.

  • hdd.sys: \\?\USB#VID_0CA3&PID_001B#000000000002#{2c5e01f2-3144-449e-86ad-b8c77465ad94}
  • ssd.sys: \\?\USB#VID_0CA3&PID_0023#000000000002#{2c5e01f2-3144-449e-86ad-b8c77465ad94}

6.1 IOCTL 0x22E104 - Get Driver Version

CTL_CODE(0x22, 0x841, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
Bytes In 0
Bytes Out 4

Retrieve the driver version number. The returned value is a little endian uint32.

ssd.sys returns 0x103, hdd.sys returns 0x102.

6.2 IOCTL 0x22E10C - Raw USB Data Exchange

CTL_CODE(0x22, 0x843, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
Bytes In Any amount <= MaximumTransferSize (default 65536)
Bytes Out Varies by response

Interface with the USB serial device directly, exchanging a URB packet.

6.3 IOCTL 0x22E110 - Initialise Hardware

CTL_CODE(0x22, 0x844, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
Bytes In 0 or 4
Bytes Out 0

Perform required hardware initialisation steps. If present, the argument is a little endian uint32 representing the timeout value to be configured on the device. If unspecified, the timeout defaults to 5000ms.

6.4 IOCTL 0x22E114 - Keychip Command

CTL_CODE(0x22, 0x845, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
Bytes In At least 20
Bytes Out

Perform a keychip-related low-level function. Requests begin with a 19-byte header:

4 bytes4 bytes4 bytes4 bytes3 bytesConstant 20Commandnull paddingPayload lengthnull padding

If no payload is required, a single null byte is appended. Otherwise, the payload is appended after the header.

All valid commands can be found on their own page.

6.5 IOCTL 0x22E118 - Flash Command

CTL_CODE(0x22, 0x846, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)

todo: this

6.6 IOCTL 0x22E11C - N2 Check

CTL_CODE(0x22, 0x847, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
Bytes In 0
Bytes Out 4

The returned value is a little endian uint32 with constant value 1.

This IOCTL is implemented only on ssd.sys.