Main » Forums home » Conventional hard drives

All times are UTC - 5 hours [ DST ]



Post new topic Reply to topic  Page 1 of 1
  [ 11 posts ] 
  Previous topic | Next topic 
Author Message
unknown
 Post subject: WD40EZRZ-00WN9B0
PostPosted: September 25th, 2017, 13:57 
Offline

Joined: October 21st, 2007, 8:48
Posts: 1631
Hello
The drive in topic is locked with ata password.
I can read FW modules but i can't find the password with normal method in mod. 02
Has anyone know in which module i can find the password?
MRT can't access the FW.

Thanks in advance.


Attachments:
IMG_20170925_194635.jpg
IMG_20170925_194635.jpg [ 2.45 MiB | Viewed 12601 times ]
Top
 Profile  
 
unknown
 Post subject: Re: WD40EZRZ-00WN9B0
PostPosted: September 25th, 2017, 14:23 
Offline

Joined: October 21st, 2007, 8:48
Posts: 1631
I have made a test with a working drive same family (Giant). And compared mod. 02 before and after lock, but the surprise is it's matched and identical with no differences.
Top
 Profile  
 
fzabkar
 Post subject: Re: WD40EZRZ-00WN9B0
PostPosted: September 25th, 2017, 17:45 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 15525
Location: Australia
unknown wrote:
The drive in topic is locked with ata password.
I can read FW modules but i can't find the password with normal method in mod. 02
Has anyone know in which module i can find the password?
MRT can't access the FW.

Is it a SED?

Is there anything in modules 0x124 and 0x127?

got HW crypto? On the (in)security of a Self-Encrypting Drive series:
https://eprint.iacr.org/2015/1002.pdf
Quote:
Facing a protected HDD is not new problem for HDD forensics. As there are already existing commercial solutions (e.g PC-3000), we analyzed the HDD directly with those tools. Their approach seems to follow a straight pattern, which allows SA access by overwriting the RAM/ROM and bypass security features like ATA passwords and optionally AES keys. By forcing SA access and manipulating the SA area 0x124 and 0x127 we were able to unlock the HDD and disable the SATA AES encryption. Note that this works always, independent of the chosen user password and bridge status.

_________________
A backup a day keeps DR away.
Top
 Profile  
 
unknown
 Post subject: Re: WD40EZRZ-00WN9B0
PostPosted: September 25th, 2017, 18:02 
Offline

Joined: October 21st, 2007, 8:48
Posts: 1631
Spildit wrote:
unknown wrote:
I have made a test with a working drive same family (Giant). And compared mod. 02 before and after lock, but the surprise is it's matched and identical with no differences.


What tools are you using (and working) to read modules on the locked drive (as you stated MRT is not working) ?

Did you try to copy module 02 from unlocked drive to locked drive RAM ?

I have shorted tv9 and 10 before complete calibration to enable access to SA. Now i got a complete backup.
Top
 Profile  
 
unknown
 Post subject: Re: WD40EZRZ-00WN9B0
PostPosted: September 25th, 2017, 18:04 
Offline

Joined: October 21st, 2007, 8:48
Posts: 1631
fzabkar wrote:
unknown wrote:
The drive in topic is locked with ata password.
I can read FW modules but i can't find the password with normal method in mod. 02
Has anyone know in which module i can find the password?
MRT can't access the FW.

Is it a SED?

Is there anything in modules 0x124 and 0x127?

got HW crypto? On the (in)security of a Self-Encrypting Drive series:
https://eprint.iacr.org/2015/1002.pdf
Quote:
Facing a protected HDD is not new problem for HDD forensics. As there are already existing commercial solutions (e.g PC-3000), we analyzed the HDD directly with those tools. Their approach seems to follow a straight pattern, which allows SA access by overwriting the RAM/ROM and bypass security features like ATA passwords and optionally AES keys. By forcing SA access and manipulating the SA area 0x124 and 0x127 we were able to unlock the HDD and disable the SATA AES encryption. Note that this works always, independent of the chosen user password and bridge status.

I will investigate those two mods tomorrow when i get to the office.
Thank you.
Top
 Profile  
 
fzabkar
 Post subject: Re: WD40EZRZ-00WN9B0
PostPosted: September 25th, 2017, 18:18 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 15525
Location: Australia
The attachment contains modules 02, 124, and 127 from the following resource dump:

http://files.hddguru.com/viewer_top.php?file=WDC%20WD40EZRZ-00WN9B0-80.00A80-WD-WCC4E1HDC2TE-0001008B.rar&dir=PC-3000-UDMA%20Support/WDC%20Marvell%20family%20utility/Giant

The SED flag in module 02 is set.

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000860                    00 00 00 00 00 00 01


Attachments:
WD40EZRZ.rar [1.45 KiB]
Downloaded 546 times

_________________
A backup a day keeps DR away.
Top
 Profile  
 
unknown
 Post subject: Re: WD40EZRZ-00WN9B0
PostPosted: September 26th, 2017, 9:55 
Offline

Joined: October 21st, 2007, 8:48
Posts: 1631
124 and 127 looks encrypted.
Overwrite those mods from unlocked drive will solve the problem?
Top
 Profile  
 
unknown
 Post subject: Re: WD40EZRZ-00WN9B0
PostPosted: September 26th, 2017, 10:25 
Offline

Joined: October 21st, 2007, 8:48
Posts: 1631
Thank you all.
Solved
Top
 Profile  
 
rogfanther
 Post subject: Re: WD40EZRZ-00WN9B0
PostPosted: September 26th, 2017, 17:55 
Offline

Joined: October 16th, 2013, 13:21
Posts: 713
Location: Brazil
Please, tell us what was the solution.
Top
 Profile  
 
lcoughey
 Post subject: Re: WD40EZRZ-00WN9B0
PostPosted: September 27th, 2017, 9:13 
Offline
User avatar

Joined: February 9th, 2009, 16:13
Posts: 2520
Location: Ontario, Canada
rogfanther wrote:
Please, tell us what was the solution.

It is amazing how people can ask for advice on how to do something, but when they get it figured out, they don't want to share how they did it. It should become a forum policy that if you ask a question on this forum and figure it out, you are committed to post the solution. That said, let's give the OP a little time to respond to your request.

_________________
Luke
Recovery Force Data Recovery
Top
 Profile  
 
unknown
 Post subject: Re: WD40EZRZ-00WN9B0
PostPosted: September 27th, 2017, 11:48 
Offline

Joined: October 21st, 2007, 8:48
Posts: 1631
lcoughey wrote:
rogfanther wrote:
Please, tell us what was the solution.

It is amazing how people can ask for advice on how to do something, but when they get it figured out, they don't want to share how they did it. It should become a forum policy that if you ask a question on this forum and figure it out, you are committed to post the solution. That said, let's give the OP a little time to respond to your request.

I have send a pm to him with the solution.
Any way, i have cleared mod. 127 that's all
Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  Page 1 of 1
  [ 11 posts ] 

Main » Forums home » Conventional hard drives

All times are UTC - 5 hours [ DST ]

Who is online

Users browsing this forum: Eastcoast and 38 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Switch to mobile style
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group