Main » Forums home » Conventional hard drives

All times are UTC - 5 hours [ DST ]



Post new topic Reply to topic  Page 1 of 1
  [ 14 posts ] 
  Previous topic | Next topic 
Author Message
Elvis
 Post subject: Buffalo DriveStation HD-CX500U2 500GB recovery
PostPosted: April 28th, 2024, 13:36 
Offline

Joined: January 22nd, 2022, 20:09
Posts: 11
Location: Deutschland
I got an old Buffalo DriveStation HD-CX500U2 500GB to save its data. No problem at all, the buffalo breakout board was intact and I was able to connect via USB, find the filesystem and copy out the files.

Next I tried to read the internal SATA disk Samsung HD502HI directly via SATA interface, but I was not able to find a data partition or raw userfiles. So I assume its encrypted in some way and not accessible without the proper buffalo breakout board.

I there a way to save the files without a working breakout board? How would you solve the case with hdd only?

best regards,
Elvis
Top
 Profile  
 
fzabkar
 Post subject: Re: Buffalo DriveStation HD-CX500U2 500GB recovery
PostPosted: April 28th, 2024, 13:49 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 15588
Location: Australia
When the drive is in the enclosure, what is the capacity, in sectors, reported by the USB mass storage device? If it is less than the native capacity of the bare drive, this would suggest that there is a reserved section at the end of the user area. If there is no reserved area, then this would suggest that the encryption key is stored in the bridge firmware.

Can you upload the first 100 sectors or so of the encrypted drive? This might help to determine the encryption algorithm.

Can you dump the contents of any flash devices on the bridge PCB?

_________________
A backup a day keeps DR away.
Top
 Profile  
 
Elvis
 Post subject: Re: Buffalo DriveStation HD-CX500U2 500GB recovery
PostPosted: April 28th, 2024, 17:35 
Offline

Joined: January 22nd, 2022, 20:09
Posts: 11
Location: Deutschland
fzabkar wrote:
When the drive is in the enclosure, what is the capacity, in sectors, reported by the USB mass storage device? If it is less than the native capacity of the bare drive, this would suggest that there is a reserved section at the end of the user area. If there is no reserved area, then this would suggest that the encryption key is stored in the bridge firmware.

There is a difference: When I connect the disk directly, there are 1.269.888 sectors more than connected via the breakout board. That corresponds to about 620 MB, the CD partition, which also shows up when using the breakout board, is about 600 MB, which is roughly the same.

Side finding: When connected via breakout board, R-Studio only finds the CD drive partition, but not the data partition or the drive itself. UFS Explorer, on the other hand, does.

fzabkar wrote:
Can you upload the first 100 sectors or so of the encrypted drive? This might help to determine the encryption algorithm.

I manually checked the first 1000 sectors and they are empty, except sector 1, see picture. (HDD directly connected via SATA)

fzabkar wrote:
Can you dump the contents of any flash devices on the bridge PCB?

does not work. I connected another drive to the breakout board, but in windows only some kind of CD-Drive Partition appears, but does not work. No other partition showed up.


Attachments:
Screenshot 2024-04-28 233210.jpg
Screenshot 2024-04-28 233210.jpg [ 158.29 KiB | Viewed 700 times ]
Top
 Profile  
 
fzabkar
 Post subject: Re: Buffalo DriveStation HD-CX500U2 500GB recovery
PostPosted: April 28th, 2024, 17:54 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 15588
Location: Australia
The native capacity of your drive is 0x3A386030 sectors.

Starting from offset 0x203, your LBA #1 appears to consist of big-endian LBAs and sector counts.

Code:
0x000000003A386010 = 0x3A386030 - 0x20
0x000000003A380FF0 = 0x3A386030 - 0x5040
0x0000000000005040
0x000000000012C000
0x0000000000131040
0x000000003A24FFB0 = 0x3A386030 - 0x136080 (0x136080 = 0x131040 + 0x5040)
0x0000000000000000
0x0000000000000020
0x0000000000000020
0x0000000000005020

0x136080 x 512 bytes = 650 MB

ISTM that interesting things happen at those LBAs.

_________________
A backup a day keeps DR away.
Top
 Profile  
 
Elvis
 Post subject: Re: Buffalo DriveStation HD-CX500U2 500GB recovery
PostPosted: April 28th, 2024, 19:18 
Offline

Joined: January 22nd, 2022, 20:09
Posts: 11
Location: Deutschland
fzabkar wrote:
The native capacity of your drive is 0x3A386030 sectors.
0x136080 x 512 bytes = 650 MB
ISTM that interesting things happen at those LBAs.


size is correct, nice calculation, my mind blows :-)

here are these 650MB / 620MiB as zip
https://www.dropbox.com/scl/fi/rkyhjnw3 ... 47f3g&dl=1

A RAW Scan reveal 182-198MiB (depending on tool UFS/R-St), which are roughly the same size as the files in the CD-Drive Partition, when connected via breakout board. Also the content of that files is same. This area seems to be not encrypted.

What to do next?
Top
 Profile  
 
fzabkar
 Post subject: Re: Buffalo DriveStation HD-CX500U2 500GB recovery
PostPosted: April 28th, 2024, 19:33 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 15588
Location: Australia
In WD's My Books, the encryption key is at the end of the user area, outside the VCD. I have no idea about Buffalo's external drives.

FYI ...

https://www.google.com/search?q=0x136080+x+512+bytes

_________________
A backup a day keeps DR away.
Top
 Profile  
 
fzabkar
 Post subject: Re: Buffalo DriveStation HD-CX500U2 500GB recovery
PostPosted: April 28th, 2024, 20:21 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 15588
Location: Australia
Offset 0x26208000 is the end of the VCD and the beginning of an encrypted file system image.

This looks like an encrypted MBR sector 0, with a single partition and no MBR code.

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC  Xè]«ž°Ò5.Õú.ØGŽÌ   <-- zeros
00000010  58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC  Xè]«ž°Ò5.Õú.ØGŽÌ
........
000001A0  58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC  Xè]«ž°Ò5.Õú.ØGŽÌ
000001B0  BB A7 33 84 03 CB E9 C8 9D E0 B8 31 2F 23 F6 DD  »§3„.ËéÈ.à¸1/#öÝ
000001C0  2B E5 45 24 B2 34 32 C5 E9 01 38 09 BE 06 D1 B9  +åE$²42Åé.8.¾.ѹ   <-- single partition
000001D0  58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC  Xè]«ž°Ò5.Õú.ØGŽÌ   <-- empty partition
000001E0  58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC  Xè]«ž°Ò5.Õú.ØGŽÌ   <-- empty partition
000001F0  C2 0E A0 E5 C1 5F A6 33 77 82 AF 29 32 D1 48 68  Â. åÁ_¦3w‚¯)2ÑHh

This looks like an encrypted boot sector (sector 63) with a BIOS Parameter Block but no boot code:

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00007E00  11 D5 8E CA CA 0A 33 E9 3C 61 02 47 59 55 67 66  .ÕŽÊÊ.3é<a.GYUgf
00007E10  38 D9 DC 98 04 72 B3 0D 51 EC B2 FA 07 15 85 F6  8Ùܘ.r³.Qì²ú..…ö
00007E20  DE 4A B3 1B D2 30 A3 C9 B0 04 9B D1 A8 43 41 4C  ÞJ³.Ò0£É°.›Ñ¨CAL
00007E30  22 F0 7E 13 A0 FD 7A 6F 53 07 29 44 46 41 3F 50  "ð~. ýzoS.)DFA?P
00007E40  B5 C5 C8 79 C0 93 A2 9E 6D 00 D8 48 A0 27 86 66  µÅÈyÀ“¢žm.ØH '†f
00007E50  F3 63 38 61 FE 20 26 57 38 1B 82 B3 51 91 52 59  óc8aþ &W8.‚³Q‘RY
00007E60  58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC  Xè]«ž°Ò5.Õú.ØGŽÌ
00007E70  58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC  Xè]«ž°Ò5.Õú.ØGŽÌ
........
00007EF0  58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC  Xè]«ž°Ò5.Õú.ØGŽÌ
00007F00  A8 3A 79 43 D8 6D E4 65 C9 0E CE CF 7B 8E 89 EB  ¨:yCØmäeÉ.ÎÏ{Ž‰ë
00007F10  58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC  Xè]«ž°Ò5.Õú.ØGŽÌ
........
00007FE0  58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC  Xè]«ž°Ò5.Õú.ØGŽÌ
00007FF0  C2 0E A0 E5 C1 5F A6 33 77 82 AF 29 32 D1 48 68  Â. åÁ_¦3w‚¯)2ÑHh

Offset 0x8A00 is a copy of the boot sector (logical sector #6), so it's a FAT file system.

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00008A00  11 D5 8E CA CA 0A 33 E9 3C 61 02 47 59 55 67 66  .ÕŽÊÊ.3é<a.GYUgf
00008A10  38 D9 DC 98 04 72 B3 0D 51 EC B2 FA 07 15 85 F6  8Ùܘ.r³.Qì²ú..…ö
00008A20  DE 4A B3 1B D2 30 A3 C9 B0 04 9B D1 A8 43 41 4C  ÞJ³.Ò0£É°.›Ñ¨CAL
00008A30  22 F0 7E 13 A0 FD 7A 6F 53 07 29 44 46 41 3F 50  "ð~. ýzoS.)DFA?P
00008A40  B5 C5 C8 79 C0 93 A2 9E 6D 00 D8 48 A0 27 86 66  µÅÈyÀ“¢žm.ØH '†f
00008A50  F3 63 38 61 FE 20 26 57 38 1B 82 B3 51 91 52 59  óc8aþ &W8.‚³Q‘RY
00008A60  58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC  Xè]«ž°Ò5.Õú.ØGŽÌ

_________________
A backup a day keeps DR away.
Top
 Profile  
 
Elvis
 Post subject: Re: Buffalo DriveStation HD-CX500U2 500GB recovery
PostPosted: April 28th, 2024, 20:47 
Offline

Joined: January 22nd, 2022, 20:09
Posts: 11
Location: Deutschland
fzabkar wrote:
Offset 0x26208000 is the end of the VCD and the beginning of an encrypted file system image.

This looks like an encrypted MBR sector 0, with a single partition and no MBR code.

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC  Xè]«ž°Ò5.Õú.ØGŽÌ   <-- zeros
00000010  58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC  Xè]«ž°Ò5.Õú.ØGŽÌ
........
000001A0  58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC  Xè]«ž°Ò5.Õú.ØGŽÌ
000001B0  BB A7 33 84 03 CB E9 C8 9D E0 B8 31 2F 23 F6 DD  »§3„.ËéÈ.à¸1/#öÝ
000001C0  2B E5 45 24 B2 34 32 C5 E9 01 38 09 BE 06 D1 B9  +åE$²42Åé.8.¾.ѹ   <-- single partition
000001D0  58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC  Xè]«ž°Ò5.Õú.ØGŽÌ   <-- empty partition
000001E0  58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC  Xè]«ž°Ò5.Õú.ØGŽÌ   <-- empty partition
000001F0  C2 0E A0 E5 C1 5F A6 33 77 82 AF 29 32 D1 48 68  Â. åÁ_¦3w‚¯)2ÑHh

This looks like an encrypted boot sector (sector 63) with a BIOS Parameter Block but no boot code:

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00007E00  11 D5 8E CA CA 0A 33 E9 3C 61 02 47 59 55 67 66  .ÕŽÊÊ.3é<a.GYUgf
00007E10  38 D9 DC 98 04 72 B3 0D 51 EC B2 FA 07 15 85 F6  8Ùܘ.r³.Qì²ú..…ö
00007E20  DE 4A B3 1B D2 30 A3 C9 B0 04 9B D1 A8 43 41 4C  ÞJ³.Ò0£É°.›Ñ¨CAL
00007E30  22 F0 7E 13 A0 FD 7A 6F 53 07 29 44 46 41 3F 50  "ð~. ýzoS.)DFA?P
00007E40  B5 C5 C8 79 C0 93 A2 9E 6D 00 D8 48 A0 27 86 66  µÅÈyÀ“¢žm.ØH '†f
00007E50  F3 63 38 61 FE 20 26 57 38 1B 82 B3 51 91 52 59  óc8aþ &W8.‚³Q‘RY
00007E60  58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC  Xè]«ž°Ò5.Õú.ØGŽÌ
00007E70  58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC  Xè]«ž°Ò5.Õú.ØGŽÌ
........
00007EF0  58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC  Xè]«ž°Ò5.Õú.ØGŽÌ
00007F00  A8 3A 79 43 D8 6D E4 65 C9 0E CE CF 7B 8E 89 EB  ¨:yCØmäeÉ.ÎÏ{Ž‰ë
00007F10  58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC  Xè]«ž°Ò5.Õú.ØGŽÌ
........
00007FE0  58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC  Xè]«ž°Ò5.Õú.ØGŽÌ
00007FF0  C2 0E A0 E5 C1 5F A6 33 77 82 AF 29 32 D1 48 68  Â. åÁ_¦3w‚¯)2ÑHh

Offset 0x8A00 is a copy of the boot sector (logical sector #6), so it's a FAT file system.

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00008A00  11 D5 8E CA CA 0A 33 E9 3C 61 02 47 59 55 67 66  .ÕŽÊÊ.3é<a.GYUgf
00008A10  38 D9 DC 98 04 72 B3 0D 51 EC B2 FA 07 15 85 F6  8Ùܘ.r³.Qì²ú..…ö
00008A20  DE 4A B3 1B D2 30 A3 C9 B0 04 9B D1 A8 43 41 4C  ÞJ³.Ò0£É°.›Ñ¨CAL
00008A30  22 F0 7E 13 A0 FD 7A 6F 53 07 29 44 46 41 3F 50  "ð~. ýzoS.)DFA?P
00008A40  B5 C5 C8 79 C0 93 A2 9E 6D 00 D8 48 A0 27 86 66  µÅÈyÀ“¢žm.ØH '†f
00008A50  F3 63 38 61 FE 20 26 57 38 1B 82 B3 51 91 52 59  óc8aþ &W8.‚³Q‘RY
00008A60  58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC  Xè]«ž°Ò5.Õú.ØGŽÌ


I search around in this area for hours :-) I also came over Offset 0x26208000 and thought this must be encrypted zeros and data from here on. I could not interpret it like you, that this seems to be some kind of mbr, but your idea is great! I looked before and after that sector, now I'm looking at the end of the disk, but cant find anything useful.

I also started to investigate the breakout PCB and dumped its bios chip (winbond 25xx), but also no luck: chip detected, but only FF inside... :-/
Top
 Profile  
 
fzabkar
 Post subject: Re: Buffalo DriveStation HD-CX500U2 500GB recovery
PostPosted: April 28th, 2024, 21:02 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 15588
Location: Australia
I feel that there is something special in the last 0x20 sectors, but I don't know what that is.

_________________
A backup a day keeps DR away.
Top
 Profile  
 
Elvis
 Post subject: Re: Buffalo DriveStation HD-CX500U2 500GB recovery
PostPosted: April 28th, 2024, 21:06 
Offline

Joined: January 22nd, 2022, 20:09
Posts: 11
Location: Deutschland
fzabkar wrote:
I feel that there is something special in the last 0x20 sectors, but I don't know what that is.


after finding the probably last encrypted data, I exported the last 10MB of the drive.
zip file attached.


Attachments:
SAMSUNG HD502HI last 10MB.zip [12.43 KiB]
Downloaded 12 times
Top
 Profile  
 
Elvis
 Post subject: Re: Buffalo DriveStation HD-CX500U2 500GB recovery
PostPosted: April 28th, 2024, 21:09 
Offline

Joined: January 22nd, 2022, 20:09
Posts: 11
Location: Deutschland
there is sector 1 again, and something called OPT :?:
Top
 Profile  
 
fzabkar
 Post subject: Re: Buffalo DriveStation HD-CX500U2 500GB recovery
PostPosted: April 29th, 2024, 15:24 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 15588
Location: Australia
There is a CD ISO image at offset 0xA08000, size 0xC5AC000. If you carve out this image, Windows 10 will mount it as a virtual DVD.

Attached is the file list. It consists of Mac and Windows tools and manuals.


Attachments:
ISO_filelist.7z [2.85 KiB]
Downloaded 16 times

_________________
A backup a day keeps DR away.
Top
 Profile  
 
fzabkar
 Post subject: Re: Buffalo DriveStation HD-CX500U2 500GB recovery
PostPosted: April 29th, 2024, 16:21 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 15588
Location: Australia
The user manual states ...

Quote:
* Encryption is only supported with Windows PCs. If encryption is enabled, you will not be able to use the drive with a Macintosh computer. Disable encryption before using this device with Mac OS.

This would suggest that the device does not use hardware encryption. :-???

_________________
A backup a day keeps DR away.
Top
 Profile  
 
fzabkar
 Post subject: Re: Buffalo DriveStation HD-CX500U2 500GB recovery
PostPosted: April 30th, 2024, 1:28 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 15588
Location: Australia
I would enable and disable encryption, assuming that is possible, and then compare the drive's contents before and after. Do likewise after setting a password and a password hint (stored as plain text?).

_________________
A backup a day keeps DR away.
Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  Page 1 of 1
  [ 14 posts ] 

Main » Forums home » Conventional hard drives

All times are UTC - 5 hours [ DST ]

Who is online

Users browsing this forum: No registered users and 17 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Switch to mobile style
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group