All times are UTC - 5 hours [ DST ]




 Post subject: WD My Book Essential 1TB won't Unlock
PostPosted: March 29th, 2015, 4:33 

Joined: September 18th, 2008, 7:34
Posts: 39
Hi,

I'm trying to help a friend by recovering her photos from a WD My Book Essential. Unfortunately I'm not the first one to try, so the disk has been altered. First I was given the disk out of its enclosure. It's working well; I started to recover data from it, noticed the docs from the VCD and understood why the rest of the data was gibberish. I requested the USB bridge and was lucky because they recovered it from the trash.

When I plugged it in, it identified as the Initio combo device and wouldn't mount the drive. After a while I managed to flash it using "Apollo 1607E Firmware Updater v2.018-v2.019 (1.0.8.6).exe" and now the drive is mounting as well as the VCD. Content on the VCD is OK. I have the password to the drive, and I'm sure it's good because it's her kids' names. However, when I try to unlock the drive I get "bad password".

I checked sector 1953517576 and key/password looks correct:
Image

However, when I mount the drive without the USB bridge I get an NTFS partition, so I guess someone made a partition on it and (quick) formatted the drive. I don't think removing the partition will be enough; there is probably data to put back.

Can someone by chance tell me which data should be in place of the partition table?

I think the data is still there because I can still see a lot of encrypted data on the disk.

Thank you for your help!

PS: model is WDBAAF0010HBK 00 1TB USB 2.0


 Post subject: Re: WD My Book Essential 1TB won't Unlock
PostPosted: March 29th, 2015, 12:38

Joined: September 18th, 2008, 7:34
Posts: 39
I found this project:
https://github.com/andlabs/reallymine

It seems there are two different kinds of driver, one has GPT whereas the other has a different MBR. Maybe I'm mixing things up, but if I restore his MBR to my drive, should I get the drive in raw mode back?

Also he says that there are two places where the key is stored, one as a sector at the end of the disk, another in a system area. I know where the first is, as I showed it above; maybe the system area is the corrupted one that makes unlock fail.


 Post subject: Re: WD My Book Essential 1TB won't Unlock
PostPosted: March 29th, 2015, 13:06

Joined: September 29th, 2005, 12:02
Posts: 3561
Location: Chicago
What's the password?

_________________
SAN, NAS, RAID, Server, and HDD Data Recovery.


 Post subject: Re: WD My Book Essential 1TB won't Unlock
PostPosted: March 29th, 2015, 13:10

Joined: September 18th, 2008, 7:34
Posts: 39
Hi,

I sent you a PM with the PW, I prefer not to share it publicly, it's not mine.


 Post subject: Re: WD My Book Essential 1TB won't Unlock
PostPosted: March 29th, 2015, 16:36

Joined: September 29th, 2005, 12:02
Posts: 3561
Location: Chicago
The password is correct for the key sector you have shown, so "bad password" message does not belong to the password but maybe to incorrect key sector location or something else

_________________
SAN, NAS, RAID, Server, and HDD Data Recovery.


 Post subject: Re: WD My Book Essential 1TB won't Unlock
PostPosted: March 29th, 2015, 16:43

Joined: April 3rd, 2011, 0:19
Posts: 2003
Location: Providence, RI
Are you working with the original drive or an image of it? If it's the original drive, you may want to clone to another as I've seen drives with bad sectors show as locked simply because they stop responding when you put the password in.

If you're working from an image of the original, make sure that you have set the LBA to be the same as the original drive is as shown when SATA connected (not as shown when USB connected).

_________________
Data Medics - Hard Drive, SSD, and RAID Data Recovery Service Company


 Post subject: Re: WD My Book Essential 1TB won't Unlock
PostPosted: March 30th, 2015, 2:19

Joined: September 18th, 2008, 7:34
Posts: 39
Doomer wrote:
The password is correct for the key sector you have shown, so "bad password" message does not belong to the password but maybe to incorrect key sector location or something else


Thanks a lot, that's good info, I was afraid the password was bad or changed. Were you able to extract the AES key from the sector I provided, or did you just verify the hashing of the password? If you give me the AES key, or the procedure, I could make a program to decode the block from my drive?


 Post subject: Re: WD My Book Essential 1TB won't Unlock
PostPosted: March 30th, 2015, 2:22

Joined: September 18th, 2008, 7:34
Posts: 39
data-medics wrote:
Are you working with the original drive or an image of it? If it's the original drive, you may want to clone to another as I've seen drives with bad sectors show as locked simply because they stop responding when you put the password in.

If you're working from an image of the original, make sure that you have set the LBA to be the same as the original drive is as shown when SATA connected (not as shown when USB connected).

I'm working on the original drive, I don't have another 1TB WD drive. I tried with a Seagate drive but the bridge refused it when I tried to format it.

Is there a way to work on an image without the USB bridge?


 Post subject: Re: WD My Book Essential 1TB won't Unlock
PostPosted: March 30th, 2015, 2:49

Joined: September 8th, 2009, 18:21
Posts: 15461
Location: Australia
You can retrieve the drive's SA modules using SeDiv:

http://sediv2008.narod.ru/Easy3.9Passwo ... 567890.rar
http://sediv2008.narod.ru/Settings.rar

SeDiv WD Read ROM & Modules:
https://www.youtube.com/watch?v=9UgFfhkkAwY

_________________
A backup a day keeps DR away.


 Post subject: Re: WD My Book Essential 1TB won't Unlock
PostPosted: March 30th, 2015, 3:30

Joined: September 8th, 2009, 18:21
Posts: 15461
Location: Australia
@fennec, your DMDE screenshot is showing a max LBA of 1953523054. That's a strange number.

In fact the same number (+ 1) appears in the following thread:

http://lime-technology.com/forum/index. ... 618.5;wap2

Quote:
Aug 12 15:50:58 Tower kernel: ata5.00: HPA detected: current 1953523055, native 1953525168
Aug 12 15:50:58 Tower kernel: ata5.00: ATA-8: WDC WD1001FALS-00E8B0, 05.00K05, max UDMA/133
Aug 12 15:50:58 Tower kernel: ata5.00: 1953523055 sectors, multi 0: LBA48 NCQ (depth 31/32)

The full native capacity of the drive should be 1953525168 sectors, so it appears that your drive may have a HPA with a size of around 2000 sectors. I suspect that you, or your friend, may have attached your drive to the SATA port of a GigaByte motherboard (or perhaps Asus). GigaByte's Xpress Recovery BIOS grabs approximately 2000 sectors from the end of the drive and hides a backup copy of itself inside a Host Protected Area (HPA).

You can use tools such as HDAT2, hdparm, MHDD to remove the HPA.

_________________
A backup a day keeps DR away.


 Post subject: Re: WD My Book Essential 1TB won't Unlock
PostPosted: March 30th, 2015, 8:45

Joined: September 29th, 2005, 12:02
Posts: 3561
Location: Chicago
fennec wrote:
If you give me the AES key, or procedure I could make a program to decode the block from my drive?

I have the key but the decoding procedure is not straightforward, it is unlikely that you would be able to decrypt the drive with no knowledge of the procedure.
But anyway, here is the key:
A538A1B8F73104A6C19EB63E5CFAD9C3F227328016C84FF69776CA01F1E6596A

_________________
SAN, NAS, RAID, Server, and HDD Data Recovery.


 Post subject: Re: WD My Book Essential 1TB won't Unlock
PostPosted: March 30th, 2015, 14:20

Joined: September 18th, 2008, 7:34
Posts: 39
fzabkar wrote:

I tried SeDiv on Win 7 and it doesn't work and also using a VM and it refused to work.

I could setup an old machine to run WinXP but it will take me a while. Also I'm working on a laptop with USB adapter.

Is this procedure to check the drive is healthy or to "repair" the content?


 Post subject: Re: WD My Book Essential 1TB won't Unlock
PostPosted: March 30th, 2015, 14:25

Joined: September 18th, 2008, 7:34
Posts: 39
fzabkar wrote:
@fennec, your DMDE screenshot is showing a max LBA of 1953523054. That's a strange number.

In fact the same number (+ 1) appears in the following thread:

http://lime-technology.com/forum/index. ... 618.5;wap2

Quote:
Aug 12 15:50:58 Tower kernel: ata5.00: HPA detected: current 1953523055, native 1953525168
Aug 12 15:50:58 Tower kernel: ata5.00: ATA-8: WDC WD1001FALS-00E8B0, 05.00K05, max UDMA/133
Aug 12 15:50:58 Tower kernel: ata5.00: 1953523055 sectors, multi 0: LBA48 NCQ (depth 31/32)

The full native capacity of the drive should be 1953525168 sectors, so it appears that your drive may have a HPA with a size of around 2000 sectors. I suspect that you, or your friend, may have attached your drive to the SATA port of a GigaByte motherboard (or perhaps Asus). GigaByte's Xpress Recovery BIOS grabs approximately 2000 sectors from the end of the drive and hides a backup copy of itself inside a Host Protected Area (HPA).

You can use tools such as HDAT2, hdparm, MHDD to remove the HPA.


I'm using an Asus laptop, but I know the drive passed to another person before me so maybe he used a Gigabyte mobo, I don't know.

Is there a risk of destroying the data by removing the HPA? I'm currently connecting to the drive directly using a USB adapter, not the USB bridge.

Should I remove the NTFS partition that was created on top of the drive as well as the HPA?


 Post subject: Re: WD My Book Essential 1TB won't Unlock
PostPosted: March 30th, 2015, 14:27

Joined: September 18th, 2008, 7:34
Posts: 39
Doomer wrote:
fennec wrote:
If you give me the AES key, or procedure I could make a program to decode the block from my drive?

I have the key but the decoding procedure is not straightforward, it is unlikely that you would be able to decrypt the drive with no knowledge of the procedure.
But anyway, here is the key:
A538A1B8F73104A6C19EB63E5CFAD9C3F227328016C84FF69776CA01F1E6596A


Thanks a lot, I'll try to decrypt the drive with this key and clone the content to another drive. Then I'll try regular recovery tools to see if I can get the data back.


 Post subject: Re: WD My Book Essential 1TB won't Unlock
PostPosted: March 30th, 2015, 15:31

Joined: September 8th, 2009, 18:21
Posts: 15461
Location: Australia
AIUI, the bridge firmware divides the drive into several sections.

    User area
    SmartWare VCD
    key sector + "hint" sector

AIUI, the firmware expects to find the key sector at a certain offset from the end of the drive. Let's call this LBA X. Now that the drive has been truncated with a HPA, the firmware is looking for the key at LBA X - (1953525168 - 1953523055), ie X - 2113. That is, you have located the key at LBA 1953517576 whereas the firmware is looking for it at 1953515463. If you are feeling adventurous, you could copy the contents of LBA 1953517576 to LBA 1953515463, but only if the latter sector is empty, and only after cloning the drive. Then use the original bridge to decode the data. Of course you will then have the problem of the truncated file system and corrupt partition table. If the other party has formatted the drive as well as initialising it, then you will also have a corrupt boot sector and MFT.

Normally you would remove the HPA, but I'm not aware of any tool that can do this via USB. After removing the HPA, you could examine the tail end of the drive and search for BIOS related text strings (eg "AMIBIOS" or "AWARD"). This will confirm where the HPA originated.

My next question is, why did the bridge firmware originally identify itself as an Initio device? Was it because it could not find the VCD, and was this because it was looking for it in the wrong place? If the firmware expects to find the VCD at a certain offset (Y) from the end of the drive rather than at an absolute sector address, then perhaps it is now looking for it at Y - 2113. Moreover, since you have updated the firmware, and assuming that the update also writes to the VCD, has the update now been written to sector Y or to sector Y - 2113? If the latter, then this will have overwritten the tail end of the user area. Worse still, if you now remove the HPA, will the firmware once again be unable to find the VCD, in which case will it again identify itself as an Initio device and require a second update?

_________________
A backup a day keeps DR away.
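
The HPA arithmetic from the posts above, as an added example that is not part of the original thread: it parses the quoted libata log lines and applies the end-relative lookup hypothesis to the key sector LBA reported earlier. The function names and the 512-byte sector size are assumptions of this example, and the lookup models the poster's hypothesis, not documented bridge behaviour.

```python
import re

# libata logs this line when a drive's current max address is below its
# native max address, i.e. a Host Protected Area (HPA) is in effect.
HPA_RE = re.compile(r"(ata\d+\.\d+): HPA detected: current (\d+), native (\d+)")

# Kernel log lines quoted in the thread above.
LOG = """\
Aug 12 15:50:58 Tower kernel: ata5.00: HPA detected: current 1953523055, native 1953525168
Aug 12 15:50:58 Tower kernel: ata5.00: ATA-8: WDC WD1001FALS-00E8B0, 05.00K05, max UDMA/133
Aug 12 15:50:58 Tower kernel: ata5.00: 1953523055 sectors, multi 0: LBA48 NCQ (depth 31/32)
"""

# Key sector LBA reported in the thread.
KEY_SECTOR_LBA = 1953517576


def find_hpa(log_text):
    """Return {port: (current, native, hidden)} for each HPA line in the log."""
    found = {}
    for m in HPA_RE.finditer(log_text):
        current, native = int(m.group(2)), int(m.group(3))
        if native > current:
            found[m.group(1)] = (current, native, native - current)
    return found


def end_relative_lookup(lba, current, native):
    """Model of the thread's hypothesis (an assumption): a structure addressed
    by its distance from the end of the drive is sought `hidden` sectors
    lower once an HPA truncates the visible capacity."""
    if not 0 <= lba < native:
        raise ValueError("LBA outside the native capacity")
    hidden = native - current
    sought = lba - hidden
    return {
        "hidden_sectors": hidden,
        "sought_lba": sought,
        # Is the real sector still readable through the truncated view?
        "original_still_visible": lba < current,
        "sought_in_range": 0 <= sought < current,
    }


if __name__ == "__main__":
    for port, (current, native, hidden) in find_hpa(LOG).items():
        # 512-byte sectors assumed for the byte count.
        print(f"{port}: HPA hides {hidden} sectors ({hidden * 512} bytes)")
        print(end_relative_lookup(KEY_SECTOR_LBA, current, native))
```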


 Post subject: Re: WD My Book Essential 1TB won't Unlock
PostPosted: March 30th, 2015, 17:30

Joined: September 18th, 2008, 7:34
Posts: 39
LBA 1953515463 contains only zeroes, so I copied sector 1953517576 content there. Unfortunately password is still not accepted.

I'll try to setup a physical machine to use direct SATA connections instead of USB.

I don't know what the original issue was. I suspect the bridge failed, maybe someone tried to update the firmware, but I doubt it, they are not advanced users. I saw similar complaints on some WD forums...

The update does not write the VCD, it's 4MB whereas the VCD content is about 500MB. Strange thing is that VCD looks in good shape, maybe it's also in a protected area. Creating a partition on the raw disk did not seem to affect it.

I started to write a Java application to decode the disk. I need to find where encrypted area starts, and read about AES encryption and initialization vectors. I know the theory, I need to put it into practice. Key is 256bit and I needed unlimited key strength JCE installed, now Cipher is initializing correctly, I need to plug the drive back...

Thank you Doomer, fzabkar and data-medics!


 Post subject: Re: WD My Book Essential 1TB won't Unlock
PostPosted: March 30th, 2015, 17:55

Joined: September 8th, 2009, 18:21
Posts: 15461
Location: Australia
I would remove the HPA. This will not harm your data. It will simply restore the drive's native capacity.

I would also determine at which LBA the VCD begins. This should define the size of the visible user area. When the drive is behind its original bridge, the firmware presents the enclosure as two separate devices, a USB mass storage device (HDD) plus a Virtual CD. I would compare the max LBA reported for the HDD when inside the enclosure against the starting sector for the VCD.

_________________
A backup a day keeps DR away.


 Post subject: Re: WD My Book Essential 1TB won't Unlock
PostPosted: March 31st, 2015, 14:06

Joined: September 18th, 2008, 7:34
Posts: 39
I completed my program but it's not working, I tried to poke at various random areas of the disk but regular AES always gives "Given final block not properly padded". I tried sliding windows on sectors but no chance.

Someone suggested that bytes should be swapped by 32bit blocks, in and/or out, but no luck.

I also tried AES/ECB/NoPadding: decryption is "working" but I get garbage out, whereas the area I'm working on looks like a pattern (https://filippo.io/the-ecb-penguin/) so I should get something out.

What is the encryption used on those WD drives, am I missing something?
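
An added example, not part of the original post, of two checks relevant to the symptoms above: measuring how many 16-byte blocks repeat in raw sectors (the "pattern" that block-independent encryption leaves), and testing a final block for PKCS#5/7 padding, which raw sectors never carry and which Java's default `AES` transformation (`AES/ECB/PKCS5Padding`) expects. `toy_ecb` is a constructed stand-in built from HMAC, not AES and not the drive's algorithm; the key and sample data are constructed.

```python
import hashlib
import hmac
import os
from collections import Counter

BLOCK = 16  # AES block size in bytes


def duplicate_block_ratio(data):
    """Fraction of 16-byte blocks whose value occurs more than once."""
    usable = len(data) - len(data) % BLOCK
    blocks = [data[i:i + BLOCK] for i in range(0, usable, BLOCK)]
    if not blocks:
        return 0.0
    counts = Counter(blocks)
    return sum(n for n in counts.values() if n > 1) / len(blocks)


def pkcs7_ok(block):
    """True if the block ends in valid PKCS#5/7 padding. Decrypting unpadded
    sector data with a padding mode fails this check almost every time."""
    n = block[-1]
    return 1 <= n <= BLOCK and block.endswith(bytes([n]) * n)


def toy_ecb(key, plaintext):
    """Constructed stand-in for an ECB cipher: every block is transformed
    independently with a keyed function, so equal inputs give equal outputs.
    It is not invertible and is only used to build sample data."""
    out = bytearray()
    for i in range(0, len(plaintext), BLOCK):
        tag = hmac.new(key, plaintext[i:i + BLOCK], hashlib.sha256).digest()
        out += tag[:BLOCK]
    return bytes(out)


DEMO_KEY = b"constructed-demo-key"            # constructed, not from the thread
ZERO_AREA = toy_ecb(DEMO_KEY, bytes(8 * 512))  # 8 unused (all-zero) sectors
RANDOM_AREA = os.urandom(8 * 512)              # what chained modes look like

if __name__ == "__main__":
    print("zero-filled, block-independent:", duplicate_block_ratio(ZERO_AREA))
    print("random-looking data:           ", duplicate_block_ratio(RANDOM_AREA))
    print("final block padded?            ", pkcs7_ok(ZERO_AREA[-BLOCK:]))
```

A ratio near 1.0 over an unused region says the blocks are encrypted independently of their position; it does not identify the cipher, key handling or byte order.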


 Post subject: Re: WD My Book Essential 1TB won't Unlock
PostPosted: March 31st, 2015, 14:28

Joined: September 18th, 2008, 7:34
Posts: 39
I also copied the key sector to LBA0 and used the bridge. Did not work. I restored the LBA from here:
https://github.com/andlabs/reallymine/b ... veBmbr.bin

Not better :(

This weekend I'll work on building a machine to connect to SATA and remove the HPA.


 Post subject: Re: WD My Book Essential 1TB won't Unlock
PostPosted: April 1st, 2015, 3:22

Joined: May 13th, 2010, 11:17
Posts: 2785
Location: Kuwait
fennec wrote:
Doomer wrote:
The password is correct for the key sector you have shown, so "bad password" message does not belong to the password but maybe to incorrect key sector location or something else


Thanks a lot, that's a good info, I was afraid the password was bad or changed. Are you able to extract the AES key from the sector I provided, or just verified the hashing of the password? If you give me the AES key, or procedure I could make a program to decode the block from my drive?


Am sure that your problem is ELSEWHERE
it is where you started @ the 1st. place
Dig more.. and good luck

_________________
Kuwait Data Recovery - UNIX GTC
The only reason for time is so that everything doesn't happen at once. By: Albert Einstein

