Data recovery and disk repair questions and discussions related to old-fashioned SATA, SAS, SCSI, IDE, MFM hard drives - any type of storage device that has moving parts

WD40EZRZ-00WN9B0

September 25th, 2017, 13:57

Hello
The drive in topic is locked with an ATA password.
I can read FW modules but I can't find the password with the normal method in mod. 02.
Does anyone know in which module I can find the password?
MRT can't access the FW.

Thanks in advance.

Re: WD40EZRZ-00WN9B0

September 25th, 2017, 14:23

I have made a test with a working drive of the same family (Giant) and compared mod. 02 before and after lock, but the surprise is that they matched and were identical, with no differences.

Re: WD40EZRZ-00WN9B0

September 25th, 2017, 17:45

unknown wrote: The drive in topic is locked with an ATA password.
I can read FW modules but I can't find the password with the normal method in mod. 02.
Does anyone know in which module I can find the password?
MRT can't access the FW.

Is it a SED?

Is there anything in modules 0x124 and 0x127?

got HW crypto? On the (in)security of a Self-Encrypting Drive series:
https://eprint.iacr.org/2015/1002.pdf
Facing a protected HDD is not new problem for HDD forensics. As there are already existing commercial solutions (e.g PC-3000), we analyzed the HDD directly with those tools. Their approach seems to follow a straight pattern, which allows SA access by overwriting the RAM/ROM and bypass security features like ATA passwords and optionally AES keys. By forcing SA access and manipulating the SA area 0x124 and 0x127 we were able to unlock the HDD and disable the SATA AES encryption. Note that this works always, independent of the chosen user password and bridge status.

Re: WD40EZRZ-00WN9B0

September 25th, 2017, 18:02

Spildit wrote:
unknown wrote: I have made a test with a working drive of the same family (Giant) and compared mod. 02 before and after lock, but the surprise is that they matched and were identical, with no differences.


What tools are you using (and working) to read modules on the locked drive (as you stated MRT is not working) ?

Did you try to copy module 02 from unlocked drive to locked drive RAM ?

I have shorted tv9 and 10 before complete calibration to enable access to SA. Now I have a complete backup.

Re: WD40EZRZ-00WN9B0

September 25th, 2017, 18:04

fzabkar wrote:
unknown wrote: The drive in topic is locked with an ATA password.
I can read FW modules but I can't find the password with the normal method in mod. 02.
Does anyone know in which module I can find the password?
MRT can't access the FW.

Is it a SED?

Is there anything in modules 0x124 and 0x127?

got HW crypto? On the (in)security of a Self-Encrypting Drive series:
https://eprint.iacr.org/2015/1002.pdf
Facing a protected HDD is not new problem for HDD forensics. As there are already existing commercial solutions (e.g PC-3000), we analyzed the HDD directly with those tools. Their approach seems to follow a straight pattern, which allows SA access by overwriting the RAM/ROM and bypass security features like ATA passwords and optionally AES keys. By forcing SA access and manipulating the SA area 0x124 and 0x127 we were able to unlock the HDD and disable the SATA AES encryption. Note that this works always, independent of the chosen user password and bridge status.

I will investigate those two mods tomorrow when I get to the office.
Thank you.

Re: WD40EZRZ-00WN9B0

September 25th, 2017, 18:18

The attachment contains modules 02, 124, and 127 from the following resource dump:

http://files.hddguru.com/viewer_top.php?file=WDC%20WD40EZRZ-00WN9B0-80.00A80-WD-WCC4E1HDC2TE-0001008B.rar&dir=PC-3000-UDMA%20Support/WDC%20Marvell%20family%20utility/Giant

The SED flag in module 02 is set.

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000860                    00 00 00 00 00 00 01
Attachments
WD40EZRZ.rar

Re: WD40EZRZ-00WN9B0

September 26th, 2017, 9:55

124 and 127 look encrypted.
Will overwriting those mods from an unlocked drive solve the problem?

Re: WD40EZRZ-00WN9B0

September 26th, 2017, 10:25

Thank you all.
Solved

Re: WD40EZRZ-00WN9B0

September 26th, 2017, 17:55

Please, tell us what was the solution.

Re: WD40EZRZ-00WN9B0

September 27th, 2017, 9:13

rogfanther wrote:Please, tell us what was the solution.

It is amazing how people can ask for advice on how to do something, but when they get it figured out, they don't want to share how they did it. It should become a forum policy that if you ask a question on this forum and figure it out, you are committed to post the solution. That said, let's give the OP a little time to respond to your request.

Re: WD40EZRZ-00WN9B0

September 27th, 2017, 11:48

lcoughey wrote:
rogfanther wrote:Please, tell us what was the solution.

It is amazing how people can ask for advice on how to do something, but when they get it figured out, they don't want to share how they did it. It should become a forum policy that if you ask a question on this forum and figure it out, you are committed to post the solution. That said, let's give the OP a little time to respond to your request.

I have sent a PM to him with the solution.
Anyway, I have cleared mod. 127, that's all.