The main function to reflash the HDD firmware receives an external payload, which can be compressed with LZMA. The disk is targeted by a specific serial number and reprogrammed by a series of ATA commands. For example, in the case of Seagate drives, we see a chain of commands: “FLUSH CACHE” (E7) → “DOWNLOAD MICROCODE” (92) → “IDENTIFY DEVICE” (EC) → “WRITE LOG EXT” (3F). Depending on the reflashing request, there might be some unclear data manipulations written to the drive using “WRITE LOG EXT” (3F). For WD drives, there is a sub-routine that searches the read data for ARM NOP opcodes; what it finds is then used in the writes that follow. Overall, the plugin uses a lot of undocumented, vendor-specific ATA commands, both for the drives mentioned above and for all the others.

The EQUATION group’s HDD firmware reprogramming module is extremely rare. During our research, we’ve only identified a few victims who were targeted by this module. This indicates that it is probably only kept for the most valuable victims or for some very unusual circumstances.
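A detection-side sketch of the Seagate command chain described above, added here as an example and not taken from the original report: it scans an ATA pass-through trace and flags any process that issues DOWNLOAD MICROCODE or completes the E7 → 92 → EC → 3F sequence in order on one device. The trace line format, process names and device names are assumptions, and the sample trace is constructed.

```python
import re
from collections import defaultdict

# Opcodes of the Seagate chain named in the text, in order.
CHAIN = [0xE7, 0x92, 0xEC, 0x3F]
DOWNLOAD_MICROCODE = 0x92

# Assumed trace line format: "<seq> <process> <device> <opcode-hex>"
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+([0-9A-Fa-f]{2})$")

# Constructed sample trace (not real telemetry).
SAMPLE_TRACE = """\
1 backup.exe disk0 EC
2 backup.exe disk0 25
3 updater.exe disk1 E7
4 backup.exe disk0 E7
5 updater.exe disk1 92
6 updater.exe disk1 EC
7 backup.exe disk0 35
8 updater.exe disk1 3F
9 smartmon.exe disk0 EC
10 smartmon.exe disk0 2F
"""

def parse_trace(text):
    """Yield (seq, process, device, opcode) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m[1]), m[2], m[3], int(m[4], 16)

def analyze(text):
    """Return findings as (seq, process, device, reason) tuples."""
    progress = defaultdict(int)  # next CHAIN index per (process, device)
    findings = []
    for seq, proc, dev, op in parse_trace(text):
        if op == DOWNLOAD_MICROCODE:
            findings.append((seq, proc, dev, "DOWNLOAD MICROCODE issued"))
        key = (proc, dev)
        # Ordered match; unrelated commands may be interleaved.
        if op == CHAIN[progress[key]]:
            progress[key] += 1
            if progress[key] == len(CHAIN):
                findings.append((seq, proc, dev, "full chain E7>92>EC>3F"))
                progress[key] = 0
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_TRACE):
        print(finding)
```

Legitimate vendor firmware updaters also issue DOWNLOAD MICROCODE, so findings like these are candidates for review against an allowlist of expected update tools and maintenance windows rather than verdicts on their own.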