View topic - MRT can't decrypt WD. EDEK starts with 57 44 01 33

Main » Forums home » Conventional hard drives

All times are UTC - 5 hours [ DST ]

MRT can't decrypt WD. EDEK starts with 57 44 01 33

Page 1 of 1

[ 18 posts ]

Previous topic | Next topic

Author

Message

michael chiklis

Post subject: MRT can't decrypt WD. EDEK starts with 57 44 01 33

Posted: December 10th, 2023, 7:11

Joined: December 5th, 2011, 5:38
Posts: 1626
Location: Italy

I received this WD30EZRX-00MMMB0 drive without the enclosure.
MRT can't decrypt it !!
I found the edek at 5860528136 LBA, the same edek is also present on mod 25... but it's strange.
It does not start with WD (57 44 01 14) but starts with WD 3 (57 44 01 33) bytes.

Attachment:

edek.jpg [ 462.68 KiB | Viewed 21001 times ]

Is it possible to decrypt it without the controller?
Have you ever seen such type of edek, can you confirm that is Initio INIC-1607E encryption?

_________________
My firmware database:
https://mega.nz/folder/O01DkBRI#MxP2J6ZNqXDcrX40I8MoQQ

Top

fzabkar

Post subject: Re: MRT can't decrypt WD. EDEK starts with 57 44 01 33

Posted: December 10th, 2023, 12:07

Joined: September 8th, 2009, 18:21
Posts: 15539
Location: Australia

If you don't know the product, you can enter the drive's serial number into WD's warranty checker.

https://support-en.wd.com/app/warrantystatusweb

_________________
A backup a day keeps DR away.

Top

michael chiklis

Post subject: Re: MRT can't decrypt WD. EDEK starts with 57 44 01 33

Posted: December 10th, 2023, 13:44

Joined: December 5th, 2011, 5:38
Posts: 1626
Location: Italy

No result !

Attachment:

no result.jpg [ 89.63 KiB | Viewed 20881 times ]

_________________
My firmware database:
https://mega.nz/folder/O01DkBRI#MxP2J6ZNqXDcrX40I8MoQQ

Top

fzabkar

Post subject: Re: MRT can't decrypt WD. EDEK starts with 57 44 01 33

Posted: December 10th, 2023, 14:16

Joined: September 8th, 2009, 18:21
Posts: 15539
Location: Australia

The size of the user area appears to be 0x15d4fa000 (= 5860466688) LBAs. Can you carve out the firmware area from sector 5860466688 to the end of the drive (66480 sectors)? Perhaps someone will recognise something.

_________________
A backup a day keeps DR away.

Top

michael chiklis

Post subject: Re: MRT can't decrypt WD. EDEK starts with 57 44 01 33

Posted: December 10th, 2023, 17:56

Joined: December 5th, 2011, 5:38
Posts: 1626
Location: Italy

https://www.mediafire.com/file/0jar890j ... 33167.rar/

_________________
My firmware database:
https://mega.nz/folder/O01DkBRI#MxP2J6ZNqXDcrX40I8MoQQ

Top

fzabkar

Post subject: Re: MRT can't decrypt WD. EDEK starts with 57 44 01 33

Posted: December 10th, 2023, 19:38

Joined: September 8th, 2009, 18:21
Posts: 15539
Location: Australia

It looks like the OP partitioned and formatted the drive outside the enclosure. It might just be a red herring, though.

Key

Code:

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

01E01000  57 44 01 33 00 00 00 00 02 00 00 00 00 00 00 00  WD.3............
01E01010  03 00 00 01 5D 4F A0 00 00 00 00 01 5D 4F A0 00  ....]O .....]O .
01E01020  00 00 00 00 00 00 F0 00 20 00 00 00 00 00 00 00  ......ð. .......
01E01030  00 00 00 00 00 00 00 00 00 00 00 00 57 44 01 33  ............WD.3
01E01040  47 46 54 C6 82 E6 E4 A0 CB 22 AB 07 C0 90 C4 83  GFTÆ‚æä Ë"«.À.Äƒ
01E01050  FB F4 96 81 62 26 D7 A6 20 92 FB 23 E8 35 12 96  ûô–.b&×¦ ’û#è5.–
........
01E011F0  A5 37 B0 FF 32 01 92 97 92 E1 D1 D9 B0 29 80 DA  ¥7°ÿ2.’—’áÑÙ°)€Ú

NTFS boot sector at end of 3TB volume
start sector = 264192
size = 5860268031 sectors

Code:

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

01FFFE00  EB 52 90 4E 54 46 53 20 20 20 20 00 02 08 00 00  ëR.NTFS    .....
01FFFE10  00 00 00 00 00 F8 00 00 3F 00 FF 00 00 08 04 00  .....ø..?.ÿ.....
01FFFE20  00 00 00 00 80 00 80 00 FF 97 4C 5D 01 00 00 00  ....€.€.ÿ—L]....
01FFFE30  00 00 0C 00 00 00 00 00 02 00 00 00 00 00 00 00  ................
01FFFE40  F6 00 00 00 01 00 00 00 82 D5 C6 3A FB C6 3A 98  ö.......‚ÕÆ:ûÆ:˜
01FFFE50  00 00 00 00 FA 33 C0 8E D0 BC 00 7C FB 68 C0 07  ....ú3ÀŽÐ¼.|ûhÀ.
01FFFE60  1F 1E 68 66 00 CB 88 16 0E 00 66 81 3E 03 00 4E  ..hf.Ëˆ...f.>..N
........
01FFFF80  74 09 B4 0E BB 07 00 CD 10 EB F2 C3 0D 0A 45 72  t.´.»..Í.ëòÃ..Er
01FFFF90  72 6F 72 65 20 6C 65 74 74 75 72 61 20 64 61 20  rore lettura da 
01FFFFA0  64 69 73 63 6F 00 0D 0A 42 4F 4F 54 4D 47 52 20  disco...BOOTMGR 
01FFFFB0  6D 61 6E 63 61 6E 74 65 00 0D 0A 42 4F 4F 54 4D  mancante...BOOTM
01FFFFC0  47 52 20 63 6F 6D 70 72 65 73 73 6F 00 0D 0A 43  GR compresso...C
01FFFFD0  54 52 4C 2B 41 4C 54 2B 43 41 4E 43 20 70 65 72  TRL+ALT+CANC per
01FFFFE0  20 72 69 61 76 76 69 61 72 65 0D 0A 00 20 72 65   riavviare... re
01FFFFF0  73 74 61 72 74 0D 0A 00 8C A6 B9 CD 00 00 55 AA  start...Œ¦¹Í..Uª

GPT partition table
MS Reserved -- 34 - 262177
Basic Data -- 264192 - 5860532223

Code:

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

02071E00  16 E3 C9 E3 5C 0B B8 4D 81 7D F9 2D F0 02 15 AE  .ãÉã\.¸M.}ù-ð..®
02071E10  B2 31 27 B6 42 16 75 45 A8 73 B3 08 AB E2 82 7B  ²1'¶B.uE¨s³.«â‚{
02071E20  22 00 00 00 00 00 00 00 21 00 04 00 00 00 00 00  ".......!.......
02071E30  00 00 00 00 00 00 00 00 4D 00 69 00 63 00 72 00  ........M.i.c.r.
02071E40  6F 00 73 00 6F 00 66 00 74 00 20 00 72 00 65 00  o.s.o.f.t. .r.e.
02071E50  73 00 65 00 72 00 76 00 65 00 64 00 20 00 70 00  s.e.r.v.e.d. .p.
02071E60  61 00 72 00 74 00 69 00 74 00 69 00 6F 00 6E 00  a.r.t.i.t.i.o.n.
02071E70  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
02071E80  A2 A0 D0 EB E5 B9 33 44 87 C0 68 B6 B7 26 99 C7  ¢ Ðëå¹3D‡Àh¶·&™Ç
02071E90  86 78 6E 55 A1 A3 36 43 BD 39 D5 5E 37 4C A9 63  †xnU¡£6C½9Õ^7L©c
02071EA0  00 08 04 00 00 00 00 00 FF 9F 50 5D 01 00 00 00  ........ÿŸP]....
02071EB0  00 00 00 00 00 00 00 00 42 00 61 00 73 00 69 00  ........B.a.s.i.
02071EC0  63 00 20 00 64 00 61 00 74 00 61 00 20 00 70 00  c. .d.a.t.a. .p.
02071ED0  61 00 72 00 74 00 69 00 74 00 69 00 6F 00 6E 00  a.r.t.i.t.i.o.n.

EFI PART
start sector = 34
last sector = 5860533167

Code:

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

02075E00  45 46 49 20 50 41 52 54 00 00 01 00 5C 00 00 00  EFI PART....\...
02075E10  49 D2 50 25 00 00 00 00 AF A3 50 5D 01 00 00 00  IÒP%....¯£P]....
02075E20  01 00 00 00 00 00 00 00 22 00 00 00 00 00 00 00  ........".......
02075E30  8E A3 50 5D 01 00 00 00 9F BC 58 17 80 DB 1D 4E  Ž£P]....Ÿ¼X.€Û.N
02075E40  AF 50 E6 0C 76 68 10 54 8F A3 50 5D 01 00 00 00  ¯Pæ.vh.T.£P]....
02075E50  80 00 00 00 80 00 00 00 6A 20 96 B3 00 00 00 00  €...€...j –³....

_________________
A backup a day keeps DR away.

Top

michael chiklis

Post subject: Re: MRT can't decrypt WD. EDEK starts with 57 44 01 33

Posted: December 10th, 2023, 20:03

Joined: December 5th, 2011, 5:38
Posts: 1626
Location: Italy

Thank you,
those sector i've already seen, but i still don't understand why mrt seem to not like this edek.
Mrt hangs while trying to calculate decryption, usually it decrypts right away.
Something must be wrong in that edek, never seen one which begins with 57 44 01 33 but i've seen few which started with 57 44 01 14 and mrt was able to decrypt them.
Maybe some particular encryption?

_________________
My firmware database:
https://mega.nz/folder/O01DkBRI#MxP2J6ZNqXDcrX40I8MoQQ

Top

lcoughey

Post subject: Re: MRT can't decrypt WD. EDEK starts with 57 44 01 33

Posted: December 10th, 2023, 20:04

Joined: February 9th, 2009, 16:13
Posts: 2520
Location: Ontario, Canada

fzabkar wrote:

It looks like the OP partitioned and formatted the drive outside the enclosure. It might just be a red herring, though.

I see this very frequently.

_________________
Luke
Recovery Force Data Recovery

Top

fzabkar

Post subject: Re: MRT can't decrypt WD. EDEK starts with 57 44 01 33

Posted: December 10th, 2023, 20:30

Joined: September 8th, 2009, 18:21
Posts: 15539
Location: Australia

Do you have an example of a "WD" 0x01 0x14 key sector?

_________________
A backup a day keeps DR away.

Top

fzabkar

Post subject: Re: MRT can't decrypt WD. EDEK starts with 57 44 01 33

Posted: December 11th, 2023, 2:53

Joined: September 8th, 2009, 18:21
Posts: 15539
Location: Australia

This document describes the key sectors and the decryption process:

https://www.datarecoveryperth.net.au/blog/wdencrypt.pdf

This is an Initio key sector:

Code:

00000000 57 44 01 14 00 00 00 00 00 00 00 00 00 00 00 00 |WD..............|
00000010 00 00 00 00 1d 07 68 00 00 00 00 00 1d 07 68 00 |......h.......h.|
00000020 00 00 00 00 00 14 e0 00 20 00 00 00 00 00 00 00 |......à. .......|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 57 44 01 14 |............WD..|
00000040 32 92 ed 81 13 26 9e 98 df 1b a4 87 ef c6 37 3c |2.í..&..ß.¤.ïÆ7<|

The structure is similar to yours. The LBA parameters are in the same place and are big-endian. In this case the drive is a 250GB model -- 0x1d076800 sectors.

_________________
A backup a day keeps DR away.

Top

Amarbir[CDR-Labs]

Post subject: Re: MRT can't decrypt WD. EDEK starts with 57 44 01 33

Posted: December 12th, 2023, 14:18

Joined: August 15th, 2006, 3:01
Posts: 3471
Location: CDRLabs @ Chandigarh [ India ]

Michael ,
Even UFS Pro Can Decrypt WD Drive Try The Trial

_________________
Regards
Amarbir S Dhillon , Chandigarh Data Recovery Labs [India]
Logical,Semi Physical And Physical Data Recovery
Website-> http://www.chandigarhdatarecovery.com

Top

fzabkar

Post subject: Re: MRT can't decrypt WD. EDEK starts with 57 44 01 33

Posted: December 12th, 2023, 15:10

Joined: September 8th, 2009, 18:21
Posts: 15539
Location: Australia

Someone at the reallymine web site claims that these drives use two modes of encryption, either ECB or CBC. If you examine two sectors which you know are zero-filled, are their encrypted contents identical? This will be ECB mode, which is the default. Otherwise you may have a CBC encrypted drive.

I would examine sector 5860466687 and work backwards. This should be the end of the user area.

_________________
A backup a day keeps DR away.

Top

michael chiklis

Post subject: Re: MRT can't decrypt WD. EDEK starts with 57 44 01 33

Posted: December 12th, 2023, 16:53

Joined: December 5th, 2011, 5:38
Posts: 1626
Location: Italy

Amarbir[CDR-Labs] wrote:

Michael ,
Even UFS Pro Can Decrypt WD Drive Try The Trial

yes i know, but it didn't !

_________________
My firmware database:
https://mega.nz/folder/O01DkBRI#MxP2J6ZNqXDcrX40I8MoQQ

Top

Amarbir[CDR-Labs]

Post subject: Re: MRT can't decrypt WD. EDEK starts with 57 44 01 33

Posted: December 13th, 2023, 1:22

Joined: August 15th, 2006, 3:01
Posts: 3471
Location: CDRLabs @ Chandigarh [ India ]

michael chiklis wrote:

Amarbir[CDR-Labs] wrote:

Michael ,
Even UFS Pro Can Decrypt WD Drive Try The Trial

yes i know, but it didn't !

Well,
Try The Trial Then Whats the big deal and follow fzabkars instructions he knows whats what

_________________
Regards
Amarbir S Dhillon , Chandigarh Data Recovery Labs [India]
Logical,Semi Physical And Physical Data Recovery
Website-> http://www.chandigarhdatarecovery.com

Top

michael chiklis

Post subject: Re: MRT can't decrypt WD. EDEK starts with 57 44 01 33

Posted: December 13th, 2023, 13:41

Joined: December 5th, 2011, 5:38
Posts: 1626
Location: Italy

Sectors behind LBA 5860466687 should be all zero (between 5860464640 - 5860466687).
They're all encrypted with same bytes exept 2 sectors (LBA 5860466648 & LBA 5860466680) where only some bytes are different .

Attachment:

encypted all same after 5860464640.jpg [ 520.07 KiB | Viewed 20291 times ]

Attachment:

encypted all same behind 5860466687.jpg [ 520.6 KiB | Viewed 20291 times ]

Attachment:

LBA 5860466648.jpg [ 526.7 KiB | Viewed 20291 times ]

Attachment:

LBA 5860466680.jpg [ 525.7 KiB | Viewed 20291 times ]

_________________
My firmware database:
https://mega.nz/folder/O01DkBRI#MxP2J6ZNqXDcrX40I8MoQQ

Top

fzabkar

Post subject: Re: MRT can't decrypt WD. EDEK starts with 57 44 01 33

Posted: December 13th, 2023, 15:08

Joined: September 8th, 2009, 18:21
Posts: 15539
Location: Australia

LBA 5860466680 is the encrypted "EFI PART" sector. This would be a copy of LBA 1.

LBA 5860466648 is the first encrypted GPT partition table sector. This would be a copy of LBA 2.

Perhaps you could create a dummy bin file consisting of a single encrypted physical sector and ask a friend with PC3K to decrypt it for you?

encrypted_zeros_sector + LBA 5860466680 + LBA 5860466648 + 5 x encrypted_zeros_sectors
Alternatively, you might like to post the key and dummy sector to the reallymine web site (if it is still active).

https://github.com/andlabs/reallymine/issues

_________________
A backup a day keeps DR away.

Top

fzabkar

Post subject: Re: MRT can't decrypt WD. EDEK starts with 57 44 01 33

Posted: December 13th, 2023, 15:33

Joined: September 8th, 2009, 18:21
Posts: 15539
Location: Australia

LBA 5860464639 could be a copy of the NTFS boot sector.

_________________
A backup a day keeps DR away.

Top

fzabkar

Post subject: Re: MRT can't decrypt WD. EDEK starts with 57 44 01 33

Posted: December 13th, 2023, 16:35

Joined: September 8th, 2009, 18:21
Posts: 15539
Location: Australia

I wonder if your encryption algorithm differs from the usual one, ie AES-256-ECB.

XTS has two keys. For example, 256-bit XTS has two 128-bit keys.

https://eprint.iacr.org/2015/1002.pdf (page 5)

Table 3: My Passport HW AES mode list

_________________
A backup a day keeps DR away.

Top

Page 1 of 1

[ 18 posts ]

Main » Forums home » Conventional hard drives

All times are UTC - 5 hours [ DST ]

Who is online

Users browsing this forum: No registered users and 159 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum