Need help recovering data from external WD USB 3 disk

[fzabkar]

ISTM that way too much time has been spent on this project. I can't speak for other labs, but if it is something that is recoverable with DIY methods, it would have taken 1-2 days for a data recovery pro to have fully recovered the data at relatively low price. My lab charges $350 CAD (about $275 USD) for such cases.

ISTM that you don't understand how users value their own time.

[Golr]

Your bridge IC appears to be a JMicron JMS538S which confirms that your bridge PCB does indeed handle the encryption.

When connected on its own, the PCB identifies as a WD My Book 1140. This means that the "ROM" must be valid.

Code:

idVendor:                        0x1058 = Western Digital Technologies, Inc.
idProduct:                       0x1140
bcdDevice:                       0x1016
iManufacturer:                     0x01
     English (United States)  "Western Digital"
iProduct:                          0x02
     English (United States)  "My Book 1140"
iSerialNumber:                     0x05
     English (United States)  "5743415A4148353037363230"

However, when the PCB is attached to your HDD, the USB mass storage device identifies as a JMicron USB to ATA/ATAPI Bridge. Therefore ISTM that there is a problem in the Smartware area at the end of the drive's user area.

Code:

idVendor:                        0x152D = JMicron Technology Corp.
idProduct:                       0x0539
bcdDevice:                       0x0100
iManufacturer:                     0x01
     English (United States)  "JMicron"
iProduct:                          0x02
     English (United States)  "USB to ATA/ATAPI Bridge"
iSerialNumber:                     0x05
     English (United States)  "57442D5743415A4148353037363230"

IIUC, your key sector would suggest that the Smartware area begins at sector 0xE8DF8800, ie LBA 3906963456.

Code:

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  57 44 76 31 89 D4 00 00 00 88 DF E8 00 00 00 00  WDv1‰Ô...ˆßè....
                                  ^^^^^^^^^^^

ISTM that your best DIY approach would be reallymine. Perhaps cloning the drive with ddrescue or HDDSuperClone would be advisable. You might also consider applying the mod_02 patch with HDDSuperTool just in case the drive has a "slow responding" problem.

Ok Let me check and get back to you.

Best Regards
Golr

[fzabkar]

You can copy the Smartware sectors (3906963456 - 3907029167) to a binary image and then open this image in 7-Zip. If everything is OK, then I believe that the first directory should be "WD Unlocker" (at least in some implementations of Smartware).

[Golr]

You can copy the Smartware sectors (3906963456 - 3907029167) to a binary image and then open this image in 7-Zip. If everything is OK, then I believe that the first directory should be "WD Unlocker" (at least in some implementations of Smartware).

You are absolutely right. I followed the process and was able to recover the Smartware.



Best Regards,
Golr

[fzabkar]

So the VCD appears to be OK, the bridge firmware is valid, the key sector is present, but the bridge identifies as a JMicron. Weird.

It looks like reallymine is the way to go.

[Golr]

So the VCD appears to be OK, the bridge firmware is valid, the key sector is present, but the bridge identifies as a JMicron. Weird.

Could this be because the PCB can't find the VCD as the drive was initialized?

[Roberto]

I have now managed to check the content of your uploaded key sector.
It needed some programming work, but now it's done.

I am now able to solve your case...if it is possible to take a whole encrypted image from the drive.
Please use dmde to take that image because dmde doesn't compress the image file.

If you have done that, then I'll tell you what to do next.

[fzabkar]

I have now managed to check the content of your uploaded key sector.
It needed some programming work, but now it's done.

Nice!

[Golr]

I have now managed to check the content of your uploaded key sector.
It needed some programming work, but now it's done.

I am now able to solve your case...if it is possible to take a whole encrypted image from the drive.
Please use dmde to take that image because dmde doesn't compress the image file.

If you have done that, then I'll tell you what to do next.

Hello Roberto,

Thanks a lot for your work! I have taken the image of the drive by dmde. What should I do next?

Best Regards,
Golr

[Roberto]

Thanks a lot for your work! I have taken the image of the drive by dmde. What should I do next?
Golr

You're welcome. Please check your private messages!
I need your private email to send you a written program.

But I still have to do some work with the written source code.
I want to compile it in a different language therefore I have to translate it first.

You can use this program to decrypt the taken image.
You need another location with enough free space for the decrypted image.

After the decrypted image is written... you can use dmde to copy this to another hard drive.
The hard drive will contain the unencrypted files.
Don't know if the partitions will also be available.. this depends of the state of your encrypted hdd.
But at least you will be able to scan for lost files.

Please don't forget to come back to tell your results.

Best Regards,
Roberto

[Roberto]

@Golr

Sorry for the long delay
I have now managed to send you the decryption program
Please check it and come back here to tell us if it worked.


Best Regards,
Roberto

[MindMergepk]

@Golr

Sorry for the long delay
I have now managed to send you the decryption program
Please check it and come back here to tell us if it worked.


Best Regards,
Roberto

nice work.
please let us know the outcome as well.

[Golr]

@Golr

Sorry for the long delay
I have now managed to send you the decryption program
Please check it and come back here to tell us if it worked.


Best Regards,
Roberto

Dear Roberto,

Thank you so much for sending me the tool. I am currently waiting for another disk to put the decrypted image in. I'll test out your software as soon as I get it and let you know the outcome.

Best Regards!

[Golr]

Success!!

I was able to recover ALL of my data. fzabkar's guideline was the way to do it. Can't thank him enough!

Here are the steps I took (in case someone needs it in future):

1. connected the drive in a desktop machine's sata port.
2. taken an image (.bin) of the whole drive by DMDE.
3. downloaded and compiled reallymine for my platform (windows 7 ultimate x64)
4. created a decrypted image (.bin) of the image taken by dmde.
syntax: "reallymine <path\filename-of-encrypted-image> <path\filename-of-decrypted-image>"
5. used a software named Active Partition Recovery to open the decrypted .bin file and it showed my lost drive in excellent condition. Even the partition name was intact!


@Roberto
Thanks so much again for sending me your tool but I wasn't able to use it. I tried from command prompt in admin mode in both x86 and x64 Windows but it shows the following:

and then:

But thanks again for your efforts.

Also thanks to everyone else who has tried to help with their comments and suggestions.

Best Regards!
Golr

[Roberto]

Success!!

Great to here you had success.

@Roberto
Thanks so much again for sending me your tool but I wasn't able to use it. I tried from command prompt in admin mode in both x86 and x64 Windows but it shows the following:

and then:

But thanks again for your efforts.
Golr

You're welcome.
I had forgotten to tell you, you have to install dot net 4.5 to make the application executable.



Best Regards,
Roberto

[Roberto]

@Roberto
Thanks so much again for sending me your tool but I wasn't able to use it.
Golr

If you find some time... maybe you could try decrypting the encrypted image with my tool,
despite of the fact that you already have your important data.

I would like to have the confirmation that my tool is working and would be happy about your feedback.

You can download .dot Net Framework from the microsoft homepage:
https://www.microsoft.com/de-de/downloa ... x?id=30653

There is also an offline installer:
https://www.microsoft.com/de-de/downloa ... x?id=42642

With .dot Net Framework installed there should be no problems in running the application.

Best Regards,
Roberto

[nakata_1]

Roberto, Hi Roberto.
I'm very grateful for your help. Can you send me password to unrar file ImageDecrypt_v1.0_build2310.rar?
Tks so much Bro.

[nakata_1]

Roberto, Hi Roberto.
I'm very grateful for your help. Can you send me password to unrar file ImageDecrypt_v1.0_build2310.rar?
Tks so much Bro.

Please read - viewtopic.php?f=1&t=35048

Tks so much for support.

[HaQue]

nice choice on protector.. it is do-able, but a pig to reverse engineer