Subject: Re: Crash to db> due to firewire, in NetBSD 4 BETA
To: Jonathan A. Kollasch <jakllsch@kollasch.net>
From: Rhialto <rhialto@falu.nl>
List: current-users
Date: 09/09/2006 14:53:55
I added some extra debug printfs to sd_get_parms_page4.
A screenshot is at http://www.falu.nl/~rhialto/pict2015.png.

The sense data that is read from the disk is apparently (transcribed by
hand)

0000000: 860b 0002 0000 1d1c 596f ff00 006f 2020  ........Yo...o  
0000010: 5744 3235 3030 4a42 2d30 3052 4541 3020  WD2500JB-00REA0 
0000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................


        printf("sd_get_parms_page4: big=%d\n", big);
        if (big) {
                poffset = sizeof scsipi_sense.header.big;
                poffset += _2btol(scsipi_sense.header.big.blk_desc_len);
        } else {
                poffset = sizeof scsipi_sense.header.small;
                poffset += scsipi_sense.header.small.blk_desc_len;
        }

big = 1, sizeof scsipi_sense.header.big = 8, blk_desc_len points to the
"1d1c", so poffset becomes 0x1d1c + 8 = 0x1d24, which is apparently
ridiculously large.

        pages = (void *)((u_long)&scsipi_sense + poffset);
        printf("&scsipi_sense=%p, poffset=0x%x, pages=%p\n",
            &scsipi_sense, poffset, pages);
#if 1
        {
                int i;
                unsigned char *p;

                /* dump the raw mode sense buffer, byte by byte */
                printf("page 4 sense:");
                for (i = sizeof(scsipi_sense), p = (void *)&scsipi_sense;
                    i; i--, p++)
                        printf(" %02x", *p);
                printf("\n");
                /* first dereference of pages happens here */
                printf("page 4 pg_code=%d sense=%p/%p\n",
                    pages->rigid_geometry.pg_code, &scsipi_sense, pages);
        }
#endif

The sense data is printed, but "page 4 pg_code=..." isn't, so the crash
must be while dereferencing ``pages''.

Now the question is, what is a reasonable value for poffset, and is the
wanted data actually present at that offset? (Given this data, it should
be between 8 and 16...)

-Olaf.
-- 
___ Olaf 'Rhialto' Seibert      -- You author it, and I'll reader it.
\X/ rhialto/at/xs4all.nl        -- Cetero censeo "authored" delendum esse.
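Added example, not code from the mail above nor from NetBSD's sd.c: the poffset arithmetic from sd_get_parms_page4 (header length plus blk_desc_len) repeated in user space over the 48 bytes transcribed in the mail, with the bounds check that the trace shows is missing before `pages` is dereferenced. The header layouts assumed are the 8-byte MODE SENSE(10) header (blk_desc_len at bytes 6..7, read big-endian as `_2btol` does) and the 4-byte MODE SENSE(6) header (blk_desc_len at byte 3). The helper names (`be16`, `mode_page_offset`, the `*_offset` wrappers) and the second, well-formed reply buffer are constructed for the example; nothing here is a capture from the drive.

```c
/*
 * Added example: sd_get_parms_page4-style offset computation with a
 * bounds check. Not from the mail or from NetBSD; helper names assumed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MODE_HDR10_LEN 8   /* "sizeof scsipi_sense.header.big = 8" in the mail */
#define MODE_HDR6_LEN  4   /* MODE SENSE(6) header, header.small */

/* Big-endian 2-byte field to host order, what _2btol() does. */
static unsigned int be16(const uint8_t *p)
{
    return ((unsigned int)p[0] << 8) | p[1];
}

/*
 * poffset as the kernel computes it (header length + block-descriptor
 * length), but return -1 instead of an offset that would place a page of
 * pagelen bytes outside a buffer of buflen bytes.
 */
static int mode_page_offset(const uint8_t *buf, size_t buflen, int big, size_t pagelen)
{
    size_t hdrlen, bdlen, poffset;

    if (big) {
        if (buflen < MODE_HDR10_LEN)
            return -1;
        hdrlen = MODE_HDR10_LEN;
        bdlen = be16(buf + 6);        /* blk_desc_len, bytes 6..7 */
    } else {
        if (buflen < MODE_HDR6_LEN)
            return -1;
        hdrlen = MODE_HDR6_LEN;
        bdlen = buf[3];               /* blk_desc_len, byte 3 */
    }
    poffset = hdrlen + bdlen;
    /* Check before forming the pointer; the kernel dereferences unchecked. */
    if (poffset > buflen || buflen - poffset < pagelen)
        return -1;
    return (int)poffset;
}

/* Constructed from the hand-transcribed hex dump in the mail (48 bytes). */
static const uint8_t mail_dump[48] = {
    0x86,0x0b,0x00,0x02, 0x00,0x00,0x1d,0x1c, 0x59,0x6f,0xff,0x00, 0x00,0x6f,0x20,0x20,
    0x57,0x44,0x32,0x35, 0x30,0x30,0x4a,0x42, 0x2d,0x30,0x30,0x52, 0x45,0x41,0x30,0x20,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
};

/*
 * Constructed, well-formed MODE SENSE(10) reply (not a device capture):
 * 8-byte header declaring an 8-byte block descriptor, then a page 4
 * (rigid disk geometry) page of 2 + 22 bytes. 40 bytes in total.
 */
static const uint8_t sane_reply[40] = {
    0x00,0x26, 0x00, 0x00, 0x00,0x00, 0x00,0x08,   /* mode data len 38, bdlen 8 */
    0x00,0x00,0x00,0x00, 0x00,0x00,0x02,0x00,      /* block descriptor, 512-byte blocks */
    0x04,0x16, 0x00,0x3f,0xff, 0x10,               /* page 4, len 22, cyls, heads */
    0x00,0x00,0x00, 0x00,0x00,0x00, 0x00,0x00,     /* write precomp, reduced wc, step */
    0x00,0x00,0x00, 0x00, 0x00, 0x00, 0x1c,0x20, 0x00,0x00, /* landing zone .. rpm 7200 */
};

/* The mail's arithmetic without the check: 8 + 0x1d1c = 0x1d24. */
unsigned int mail_dump_raw_poffset(void)
{
    return MODE_HDR10_LEN + be16(mail_dump + 6);
}

/* Same buffer, checked: 0x1d24 does not fit in 48 bytes, so -1. */
int mail_dump_offset(void)
{
    return mode_page_offset(mail_dump, sizeof mail_dump, 1, 24);
}

/* Well-formed reply: page starts right after header + descriptor, at 16. */
int sane_reply_offset(void)
{
    return mode_page_offset(sane_reply, sizeof sane_reply, 1, 24);
}

/* Page code of the first page; low 6 bits, bit 7 is the PS flag. */
int sane_reply_page_code(void)
{
    int off = sane_reply_offset();
    return off < 0 ? -1 : (sane_reply[off] & 0x3f);
}

int main(void)
{
    printf("mail dump: raw poffset=0x%x, checked=%d\n",
        mail_dump_raw_poffset(), mail_dump_offset());
    printf("sane reply: poffset=%d, page code=%d\n",
        sane_reply_offset(), sane_reply_page_code());
    return 0;
}
```

Run stand-alone it reports the 0x1d24 from the mail for the transcribed bytes and refuses it, and 16 with page code 4 for the constructed reply. The point of the check is that blk_desc_len comes from the device, so an offset derived from it has to be compared against the buffer the kernel actually read before a pointer into the union is formed; a bridge returning bytes that are not mode sense data at all (the dump above carries the drive's model string where a block descriptor should be) must not be able to steer the dereference.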