September 25th, 2017, 13:57
September 25th, 2017, 14:23
September 25th, 2017, 17:45
unknown wrote: The drive in topic is locked with an ATA password.
I can read FW modules but I can't find the password with the normal method in mod. 02.
Does anyone know in which module I can find the password?
MRT can't access the FW.
Facing a protected HDD is not new problem for HDD forensics. As there are already existing commercial solutions (e.g PC-3000), we analyzed the HDD directly with those tools. Their approach seems to follow a straight pattern, which allows SA access by overwriting the RAM/ROM and bypass security features like ATA passwords and optionally AES keys. By forcing SA access and manipulating the SA area 0x124 and 0x127 we were able to unlock the HDD and disable the SATA AES encryption. Note that this works always, independent of the chosen user password and bridge status.
September 25th, 2017, 18:02
Spildit wrote:
unknown wrote: I have made a test with a working drive same family (Giant). And compared mod. 02 before and after lock, but the surprise is it's matched and identical with no differences.
What tools are you using (and working) to read modules on the locked drive (as you stated MRT is not working)?
Did you try to copy module 02 from unlocked drive to locked drive RAM?
September 25th, 2017, 18:04
fzabkar wrote:
unknown wrote: The drive in topic is locked with an ATA password.
I can read FW modules but I can't find the password with the normal method in mod. 02.
Does anyone know in which module I can find the password?
MRT can't access the FW.
Is it a SED?
Is there anything in modules 0x124 and 0x127?
got HW crypto? On the (in)security of a Self-Encrypting Drive series:
https://eprint.iacr.org/2015/1002.pdf
Facing a protected HDD is not new problem for HDD forensics. As there are already existing commercial solutions (e.g PC-3000), we analyzed the HDD directly with those tools. Their approach seems to follow a straight pattern, which allows SA access by overwriting the RAM/ROM and bypass security features like ATA passwords and optionally AES keys. By forcing SA access and manipulating the SA area 0x124 and 0x127 we were able to unlock the HDD and disable the SATA AES encryption. Note that this works always, independent of the chosen user password and bridge status.
September 25th, 2017, 18:18
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000860 00 00 00 00 00 00 01
September 26th, 2017, 9:55
September 26th, 2017, 10:25
September 26th, 2017, 17:55
September 27th, 2017, 9:13
rogfanther wrote: Please, tell us what was the solution.
September 27th, 2017, 11:48
lcoughey wrote:
rogfanther wrote: Please, tell us what was the solution.
It is amazing how people can ask for advice on how to do something, but when they get it figured out, they don't want to share how they did it. It should become a forum policy that if you ask a question on this forum and figure it out, you are committed to post the solution. That said, let's give the OP a little time to respond to your request.