All times are UTC - 5 hours [ DST ]




 Post subject: WD40EZRZ-00WN9B0
PostPosted: September 25th, 2017, 13:57 

Joined: October 21st, 2007, 8:48
Posts: 1181
Hello
The drive in topic is locked with an ATA password.
I can read FW modules but I can't find the password with the normal method in mod. 02.
Does anyone know in which module I can find the password?
MRT can't access the FW.

Thanks in advance.


 Post subject: Re: WD40EZRZ-00WN9B0
PostPosted: September 25th, 2017, 14:09 

Joined: December 19th, 2006, 8:49
Posts: 9240
Location: Portugal
What tool(s) are you using to access FW?

Can you read module 02? Can you post module 02? Can you try to replace module 02 with a copy from an unlocked drive?

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.


 
 Post subject: Re: WD40EZRZ-00WN9B0
PostPosted: September 25th, 2017, 14:23 

Joined: October 21st, 2007, 8:48
Posts: 1181
I have made a test with a working drive of the same family (Giant) and compared mod. 02 before and after lock, but the surprise is that it matched and is identical, with no differences.


 
 Post subject: Re: WD40EZRZ-00WN9B0
PostPosted: September 25th, 2017, 15:04 

Joined: December 19th, 2006, 8:49
Posts: 9240
Location: Portugal
unknown wrote:
I have made a test with a working drive of the same family (Giant) and compared mod. 02 before and after lock, but the surprise is that it matched and is identical, with no differences.


What tools are you using (and working) to read modules on the locked drive (as you stated MRT is not working)?

Did you try to copy module 02 from unlocked drive to locked drive RAM?

 
 Post subject: Re: WD40EZRZ-00WN9B0
PostPosted: September 25th, 2017, 17:45 

Joined: September 8th, 2009, 18:21
Posts: 10427
Location: Australia
unknown wrote:
The drive in topic is locked with an ATA password.
I can read FW modules but I can't find the password with the normal method in mod. 02.
Does anyone know in which module I can find the password?
MRT can't access the FW.

Is it a SED?

Is there anything in modules 0x124 and 0x127?

got HW crypto? On the (in)security of a Self-Encrypting Drive series:
https://eprint.iacr.org/2015/1002.pdf
Quote:
Facing a protected HDD is not new problem for HDD forensics. As there are already existing commercial solutions (e.g PC-3000), we analyzed the HDD directly with those tools. Their approach seems to follow a straight pattern, which allows SA access by overwriting the RAM/ROM and bypass security features like ATA passwords and optionally AES keys. By forcing SA access and manipulating the SA area 0x124 and 0x127 we were able to unlock the HDD and disable the SATA AES encryption. Note that this works always, independent of the chosen user password and bridge status.

_________________
A backup a day keeps DR away.


 
 Post subject: Re: WD40EZRZ-00WN9B0
PostPosted: September 25th, 2017, 18:02 

Joined: October 21st, 2007, 8:48
Posts: 1181
Spildit wrote:
unknown wrote:
I have made a test with a working drive of the same family (Giant) and compared mod. 02 before and after lock, but the surprise is that it matched and is identical, with no differences.


What tools are you using (and working) to read modules on the locked drive (as you stated MRT is not working)?

Did you try to copy module 02 from unlocked drive to locked drive RAM?

I have shorted tv9 and 10 before complete calibration to enable access to SA. Now I got a complete backup.


 
 Post subject: Re: WD40EZRZ-00WN9B0
PostPosted: September 25th, 2017, 18:04 

Joined: October 21st, 2007, 8:48
Posts: 1181
fzabkar wrote:
unknown wrote:
The drive in topic is locked with an ATA password.
I can read FW modules but I can't find the password with the normal method in mod. 02.
Does anyone know in which module I can find the password?
MRT can't access the FW.

Is it a SED?

Is there anything in modules 0x124 and 0x127?

got HW crypto? On the (in)security of a Self-Encrypting Drive series:
https://eprint.iacr.org/2015/1002.pdf
Quote:
Facing a protected HDD is not new problem for HDD forensics. As there are already existing commercial solutions (e.g PC-3000), we analyzed the HDD directly with those tools. Their approach seems to follow a straight pattern, which allows SA access by overwriting the RAM/ROM and bypass security features like ATA passwords and optionally AES keys. By forcing SA access and manipulating the SA area 0x124 and 0x127 we were able to unlock the HDD and disable the SATA AES encryption. Note that this works always, independent of the chosen user password and bridge status.

I will investigate those two mods tomorrow when I get to the office.
Thank you.


 
 Post subject: Re: WD40EZRZ-00WN9B0
PostPosted: September 25th, 2017, 18:18 

Joined: September 8th, 2009, 18:21
Posts: 10427
Location: Australia
The attachment contains modules 02, 124, and 127 from the following resource dump:

http://files.hddguru.com/viewer_top.php?file=WDC%20WD40EZRZ-00WN9B0-80.00A80-WD-WCC4E1HDC2TE-0001008B.rar&dir=PC-3000-UDMA%20Support/WDC%20Marvell%20family%20utility/Giant

The SED flag in module 02 is set.

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000860                    00 00 00 00 00 00 01


Attachments:
WD40EZRZ.rar [1.45 KiB]
 
 Post subject: Re: WD40EZRZ-00WN9B0
PostPosted: September 26th, 2017, 9:55 

Joined: October 21st, 2007, 8:48
Posts: 1181
124 and 127 look encrypted.
Will overwriting those mods from an unlocked drive solve the problem?
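
One way to check the observation in the post above that modules 124 and 127 look encrypted, as an added example that is not part of the thread: per-window Shannon entropy over a module dump. The window size, the 7.2 bits/byte cut-off and the sample buffers are assumptions constructed for illustration; compressed data scores just as high, so the label is a hint rather than proof of encryption.

```python
import hashlib
import math
from collections import Counter

WINDOW = 512         # assumption: analyse in 512-byte (one sector) windows
HIGH_ENTROPY = 7.2   # assumption: bits/byte cut-off for "ciphertext-like"

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, from 0.0 to 8.0."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def high_entropy_fraction(dump: bytes, window: int = WINDOW) -> float:
    """Fraction of full windows whose entropy exceeds HIGH_ENTROPY."""
    starts = range(0, len(dump) - window + 1, window)
    if not starts:
        return 0.0
    hits = sum(shannon_entropy(dump[i:i + window]) > HIGH_ENTROPY for i in starts)
    return hits / len(starts)

def classify(dump: bytes) -> str:
    """Label a dump by how much of it is high-entropy."""
    frac = high_entropy_fraction(dump)
    if frac >= 0.9:
        return "ciphertext-like"
    if frac <= 0.1:
        return "structured"
    return "mixed"

# Constructed sample buffers (not real module contents):
# a header-plus-table layout, and SHA-256 output standing in for ciphertext.
STRUCTURED = (b"HDR0" + bytes(252) + bytes(range(16)) * 16) * 8
RANDOMISH = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))

if __name__ == "__main__":
    for name, buf in [("structured", STRUCTURED), ("randomish", RANDOMISH),
                      ("half and half", STRUCTURED[:2048] + RANDOMISH[:2048])]:
        print(f"{name:14} {high_entropy_fraction(buf):.2f} {classify(buf)}")
```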


 
 Post subject: Re: WD40EZRZ-00WN9B0
PostPosted: September 26th, 2017, 10:25 

Joined: October 21st, 2007, 8:48
Posts: 1181
Thank you all.
Solved


 
 Post subject: Re: WD40EZRZ-00WN9B0
PostPosted: September 26th, 2017, 17:55 

Joined: October 16th, 2013, 13:21
Posts: 631
Location: Brazil
Please, tell us what was the solution.


 
 Post subject: Re: WD40EZRZ-00WN9B0
PostPosted: September 27th, 2017, 9:13 

Joined: February 9th, 2009, 16:13
Posts: 2019
Location: Ontario, Canada
rogfanther wrote:
Please, tell us what was the solution.

It is amazing how people can ask for advice on how to do something, but when they get it figured out, they don't want to share how they did it. It should become a forum policy that if you ask a question on this forum and figure it out, you are committed to post the solution. That said, let's give the OP a little time to respond to your request.

_________________
Luke
RAID Data Recovery


 
 Post subject: Re: WD40EZRZ-00WN9B0
PostPosted: September 27th, 2017, 10:35 

Joined: December 19th, 2006, 8:49
Posts: 9240
Location: Portugal
lcoughey wrote:
rogfanther wrote:
Please, tell us what was the solution.

It is amazing how people can ask for advice on how to do something, but when they get it figured out, they don't want to share how they did it. It should become a forum policy that if you ask a question on this forum and figure it out, you are committed to post the solution. That said, let's give the OP a little time to respond to your request.


I would start by replacing 124 and 127 with a copy from an unlocked drive....

 
 Post subject: Re: WD40EZRZ-00WN9B0
PostPosted: September 27th, 2017, 11:48 

Joined: October 21st, 2007, 8:48
Posts: 1181
lcoughey wrote:
rogfanther wrote:
Please, tell us what was the solution.

It is amazing how people can ask for advice on how to do something, but when they get it figured out, they don't want to share how they did it. It should become a forum policy that if you ask a question on this forum and figure it out, you are committed to post the solution. That said, let's give the OP a little time to respond to your request.

I have sent a PM to him with the solution.
Anyway, I have cleared mod. 127, that's all.

